ESG's Jon Oltsik talks with CMO Jerry Skurla of Bay Dynamics about SOAPA and Cybersecurity. This is part 1 of a 2-part series.
Read the related ESG Blog: SOAPA Video with Bay Dynamics (Part 1)
Part two of this two-part series is available here
Announcer: The following is an ESG 360 video.
Jon: Welcome to another SOAPA video. I'm here with Jerry Skurla, CMO of Bay Dynamics. Jerry, welcome.
Jerry: Jon, thanks for having us.
Jon: Glad to have you. So Bay Dynamics sits in an interesting position. It sits, sort of, at this intersection between security and risk management. Tell me about that.
Jerry: Well risk is a very interesting term these days. The traditional security definition of risk is impact times probability, and what we're seeing is forward thinking CEOS are changing that a little bit. They're trying to accelerate their digital businesses via digital transformation, and they tend to think a little bit more about what's a good risk to accept and what's a bad risk. So part of what Bay Dynamics is seeing is security professionals need to shift their idea of the risk model, as well, because their job is to help their organization grow its digital business in a proactive way, as an enabler to the business. Not just a you can't do that, kind of, negative person.
Jerry: So we're seeing lots of people, CSOs and their security teams, work through that mind shift change.
Jon: That's an interesting point, because what I've noticed in the past is that companies really struggle to quantify risk, especially with digital assets, with applications and things. So what do you see? Is that true and how are you addressing that?
Jerry: Yeah, no, it's absolutely true and part of what happens sometimes is people get too focused on the numbers. Right? Is it 27.28365%? There's a huge staffing crisis within ciphers as you've talked about many times.
Jon: Yeah. Absolutely, yeah.
Jerry: SOAPA is an architecture that should help relieve that in the future through automation and analytics and such. What we're trying to focus on with people around quantifying risks is today. What are the most important things I could do today, in these next 8 to 10 hours, to decrease my overall risk? So, you know, we're not talking seven decimal points of accuracy. I want to know of the 30,000 things I could deal with today, what 3 would make the most immediate impact on my business.
Jon: Yeah, that's...the whole prioritization of risk is really crucial and one of the issues that I see is that risk is not a discreet domain. You've got the security team involved, you've got the risk team, the GRC team or the compliance team, you've got IT operations. How do you help bridge that collaboration between those groups?
Jerry: Yeah, no, and that's a very real question and that's true whether you're a giant organization or even a small organization. Right? One of the things we look at is technology platforms that let all of those organizations see a common set of data. A, you know, common version of truth, if you will, so then they can make collaborative decisions. One of the biggest problems in any organization like that is data silos, right?
Jon: Yeah, yeah.
Jerry: IT thinks this is the issue, security sees this, finance sees this, and part of what Bay Dynamics has worked on for many years is platforms that allow, you know, application owners, for example, to see what vulnerability issues may pop up themselves, versus security people chasing them to get things fixed. So it's that sharing of information with a common version of truth that enables that collaboration.
Jon: Yeah, that's a good point because people do use different tools, they have different processes, they interpret the data differently, so if you have a common framework or a common data set that's a good start. Now I've got ask you. It's 2018, we've got GDPR deadlines coming up in May...
Jerry: Oh yeah.
Jon: ...and so tell me how that's impacting your business.
Jerry: Yeah, no, GDPR is triggering a lot of interesting discussions, really, for two reasons. Number one, and I don't know if people know this, but Article 22 of GDPR speaks specifically about using behavioral analytics to protect EU citizen data. And what's interesting is its the intersection of security and privacy, and it specifically states that fully automated behavioral analytics cannot be used to make a decision on an EU citizen's data or behavior. So that is creating a lot of questions. You know, we talked recently with a large retailer here in Massachusetts who was looking for analytics help around their attempts at GDPR compliance, and in the room was a security individual and a privacy individual. So that's really becoming important.
Second key thing that we've learned is each of the 28 EU countries has their own way to enforce GDPR. So it's very interesting times in security and I think it creates a lot of excellent questions for people, because it's, really, the first formal requirement to talk about privacy of data for an individual, regardless of where it is.
Jon: Yeah. I'm a big fan. I think we here in the United States will learn from GDPR, but I also like what you said. Advanced analytics, artificial intelligence, it's a helper app and we need to understand that in security and we'll talk about that. Can you stick around for part two of our video?
Jerry: Absolutely, Jon.
Jon: Okay. Well stay tuned for more videos and look at our website for more material on SOAPA.