“I Love Being Monitored Online,” Said No Employee Ever

What do you do if your boss gave you a corporate laptop and you fear they installed some tracking software? Should you wipe the drive or simply quit?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Mike Johnson. Our sponsored guest is Purandar Das (@dasgp), co-founder and president, Sotero.

Huge thanks to our sponsor, Sotero

Today’s compliance requirements require a security mindset that focuses on the data itself. We can’t truly protect sensitive data when our solutions only provide protection at the network, application or database level. The good news is that you can now protect the actual data itself.

Full transcript

Voiceover

Ten second security tip. Go.

Purandar Das

Simplify security, adopt a single data security product for all of your data assets, as opposed to maintaining a multitude of products that require a lot of skills and resources.

Voiceover

It’s time to begin the CISO Security Vendor Relationship podcast.

David Spark

Welcome to the CISO Security Vendor Relationship podcast. My name is David Spark, I am the producer of the CISO Series and joining me, he joined me from day one when we did this, more than three years ago, it’s Mike Johnson. Mike [UNSURE OF WORD] I ever want to hear the sound of your voice.

Mike Johnson

And here I am still after all this time David.

David Spark

Hmm hmm, cannot get rid of you.

Mike Johnson

You cannot get rid of me. Try as you might, try as you might.

David Spark

We’re available at cisoseries.com. By the way, by the time this episode airs I feel confident that our new website will be going up. We’ve been working on it and actually I feel we’re recording this in late October and hopefully by the time this episode airs you will see a brand new website.

Mike Johnson

What can possibly go wrong?

David Spark

Nothing goes wrong. Everyone has flawless web launches don’t they?

Mike Johnson

All the time, every time.

David Spark

Nothing ever goes wrong.

Mike Johnson

It’s all good.

David Spark

Our sponsor for the very last episode of 2021, I’m very excited that they are because they’ve been a phenomenal sponsor through 2021, is Sotero and in fact they’re responsible for bringing our guest we’ll invite in just a second. But I want to ask you Mike, we’ve been doing this now for three years but I specifically want to talk about 2021. 2021 was still a pandemic year so you were already sort of deep in the pandemic experience unfortunately for all of us, looking back at like say January what do you think was the biggest sort of change or learning maybe you had over the year?

Mike Johnson

I really think when I reflect back on 2021 and it all started at the very end of 2020 is really just the rise and the focus of supply chain security. It kind of all went back and started with SolarWinds and then we got Exchange and then we got Exchange and then we got Exchange and then we got, there was that managed IT services company that the hits have just kind of kept on coming time and time again and that’s been, I really think an eye opener. A lot of us have been talking about this for a while but it was now front page news, like literally on the front page of the newspapers. They were talking about cyber security because of the supply chain and all of the issues along that way. If I were to put my finger on one thing for this year, that would be the one that I’d put my finger on.

David Spark

Yeah and the thing that I’ve mentioned before on this show is the fact that cyber news does not just break in the cyber trades anymore, it breaks on the mainstream news and so that’s why we’re kind of being seen as front and center now. Well that is a good point and I think the big story behind that was how good you can do your own protection but if your third parties are not playing well and your third parties’ third parties are not playing well you could be leaving yourself open to something that you have no clue about.

Mike Johnson

Or worse you don’t even know who your third parties are.

David Spark

Right and that’s the third parties’ third parties too situation.

Mike Johnson

You don’t know where your data is, you don’t know who has the keys to it and how well they’re protecting those keys.

David Spark

And we have a perfect guest to be on for discussing just this issue because he deals a lot with encryption, we’re going to get into encryption on this episode and not the simple kind of encryption that we all know, the at rest encryption but the in use type of encryption but more on that later. But let me first introduce him. He’s been on our video chats before, he’s been awesome on that and now he’s on this very episode. It is our sponsor guest Purandar Das the co-founder and President of Sotero. Purandar, thank you so much for joining us.

Purandar Das

Thank you for having me David.

What’s the motivation to do this?

00:04:14:15

David Spark

During the pandemic do you believe there were innovations in cyber security that met those now visible needs because we had far more visible needs during the pandemic. So I hear from CISOs again and again that they’re looking for new ways to solve old problems. Now I’ll start with you Mike, can you give me examples of how everyone was chasing a solution in one direction and one or more players came about with a new attack that changed the dynamic or maybe even the industry and I’ll ask, you know, tag onto this, how does this history of security innovation inform the industry’s ability to innovate in the future?

Mike Johnson

So three examples come to mind here. The first was back in the day the way that you solved security was you deployed anti-virus, it was corporate anti-virus and that was all you needed to do.

David Spark

And wouldn’t it be nice if we were all backed up?

Mike Johnson

Oh gosh, it was such a simple time. We were so naive back then.

David Spark

I would say also the attackers were pretty naive as well.

Mike Johnson

That’s also true. Everyone was naive all at the same time. There was a much simpler time. Back then we had EDR emerge with CrowdStrike and Cylance. You had these two companies kind of come out of nowhere and really elevate the concept and escalate EDR as a product. And then you had Microsoft come along and build Defender into Windows combined with EDR that killed the traditional anti-virus. When was the last time someone asked you about your anti-virus, that’s not a thing anymore. So that’s one area. That’s one place where we’ve seen a solution that everyone was really excited about and it’s just gone, we don’t even talk about it anymore.

Mike Johnson

On top of that you’ve seen the pivot to Cloud security. We’ve got more companies that they’ve moved their infrastructure to the Cloud, EDR is more mature as a concept so actually EDR’s not as interesting anymore, that’s starting to kind of step out of the limelight. What we’re seeing more and more is companies covering Cloud Security and this was in case of new environments the Cloud bringing forth the need for new tools. So that happened, that was number two. And the third, this one’s both older and more recent was I remember back in 2009 Google released a paper called BeyondCorp and it kind of changed the way that I thought about security and it is really the basis of what we now call zero trust. That was when essentially zero trust was “invented”, they didn’t call it that back then but the concepts really started when Google tested that amongst themselves, that’s now become product [UNSURE OF WORD]. It’s almost standard these days if you’re building a new environment you’re using a zero trust like architecture and all of that goes back that at the time very novel attacks when we first saw nation states directly attacking private companies.

David Spark

Alright Purandar I’m throwing this to you. Can you give me some examples of how industry you felt was changed?

Purandar Das

Yeah I think, I mean if you think about identity access management that’s one of the areas that’s gone through some of the biggest [UNSURE OF WORD] changes right and if you went back five, seven, eight years ago everybody had to remember, at least a handful of user credentials right. Today nobody remembers more than one and that’s essentially the evolution that identity access management has gone through whether it’s single sign on or another framework, [INAUDIBLE]. What’s that enabled organizations and people to do is eliminate that sprawl right of credentials that you needed to log into applications within a single environment. I foresee that evolution happening at the consumer level. This happened at the enterprise level. I foresee a similar metamorphosis happening at the consumer level where there will be frameworks that enable you to securely access and use multiple applications and not have to remember the 15.

David Spark

But don’t we have that with like signing on through like Google or your Facebook or Twitter account in a sense?

Purandar Das

Yeah it has happened but we saw the limitations of that with the recent Facebook outage right. Once Facebook was down you couldn’t access a lot of the services or applications or platforms that you’d used Facebook to sign on. So I think we’re going to require something that’s much more sustainable, much more stable as consumers. I mean really it’s no secret that it’s going to be impossible to remember the user credentials and passwords especially with the complexity that’s now required to be secured, across the day to day applications that consumers are using. Second one I’d say is log management and analytics right. I mean if you think about the evolution of Splunk that was essentially driven by the huge volumes of data that’s been generated, which is true across the board.

David Spark

Without a product and a platform or a framework like that it would’ve been impossible to draw any kind of intelligence or analytics from the huge volumes of data that’s been generated. Mike alluded to Cloud Security, I mean there’s been so much innovation and so many things related to Cloud whether it’s CASBs to monitor and manage who’s accessing what, to actual provisioning and privileges and privilege resolution on the Cloud and I think that’s going to go through much more evolution to simplify the stack. There are client products available across the spectrum today but the flip side of that is exposing almost impossible challenges in terms of complexity and product sprawl for organizations to effectively adopt and use.

Why is everyone talking about this now?

00:10:18:05

David Spark

In a very confessional post on the cybersecurity subreddit user, get ready for this, get ready for this name Mike because I know you’re a big fan of subreddits names.

Mike Johnson

Yes.

David Spark

The name is Major Mistake 1 2 3 and when you hear what I describe you are going to realize I think this might have been a temporary account that was created just for this post.

Mike Johnson

Probably.

David Spark

So user MajorMistake123 is eagerly seeking help in a post titled “I’m an Idiot”. The individual admitted to sending an email containing tens of social security numbers to tens of users. Outside of profusely apologizing, what can they, that being Major Mistake, do for the affected users? Now Major Mistake 1 2 3 did report the issue immediately but I should note that the individual is not [UNSURE OF WORD], they’re actually an office administrator. And also most of the responses to the I’m an Idiot query came down hard on the security team claiming that they should’ve had a system in place to prevent such an incident from happening. So let me start with Purandar, what’s your advice for I’m an Idiot and are you on the side of all these comments saying ‘hey it’s not your fault Major Mistake 1 2 3, something should have been in place to not let something like this happen’ and what would’ve been that thing in place?

Purandar Das

I certainly sympathize with the user that made this mistake. If you think about the day to day pressures that people are under right and the people that they relate to or the people they work with, it’s extremely easy under stress or duress to make a decision like that right. I mean it’s a person that you’ve communicated or you think you’ve communicated all the time, you trust them, it’s unintentional. Another aspect of this, the complexity, the number of interactions, the volume of data that flows back and forth between organization amplify the opportunities for people to make mistakes. It is going to be about automation, it is going to be about helping people eliminate errors. Like with any other system we’re in the midst of a stage where a lot of automation and intelligence needs to be applied to security and it’s not about the complex security and application interactions and stuff, it’s about giving people some kind of protection with the basic day to day tasks.

David Spark

So we can isolate this one task. This person put tens of social security numbers, like what could be done to protect this from happening again?

Purandar Das

I mean there are multiple things right. I mean there could be an email filter that says there are no attachments in plain text ever going up right, I mean that’s one. Social security numbers being able to extract them and keep them on a device, that needs to be eliminated.

David Spark

That’s pretty easy to identify are social security numbers.

Purandar Das

Yeah. I mean there are pattern detections, there are already DLPs, data loss prevention things that will scan for social security numbers or credit card numbers. So there are a lot of things that can be done but I mean obviously that user carries the burden of having made a mistake like this. At least I will say this, the user raised their hands and said I did it, what can be done here to help. This happens so many times so people don’t even acknowledge it or are not even aware that it’s happened.

David Spark

The good thing is this person did acknowledge it and did tell the team. My feelings what might be good advice to them is to print out this entire thread and show it to the security team. Alright let me throw this to you Mike. What’s your advice for this person?

Mike Johnson

So first of all I really agree with Purandar and with a lot of the posts that really highlight the need to allow employees to make mistakes but it not causing a problem. Like if they had attached these social security numbers or whatever it was and the email system caught that and prevented that mistake from actually amplifying, that would’ve been great. So I really liked all that focus. It could’ve easily been a finger pointing exercise and why did you make this mistake. What I do think is reporting it to IT, very good way to. I would also report it to the legal team. You could assume that the IT team would do that but you’re not entirely sure. The legal team is the one who makes sure that this really gets handled appropriately. They’re the ones who determine the impact to the company, what needs to really happen from there because at the end of the day for those 10 users or however many it was or people whose data was compromised, they view it as the company made a mistake. They don’t view it as this individual made a mistake.

Mike Johnson

It was a person representing a company made a mistake. And that’s for the lawyers to get in on and help figure out what are the next steps. So that’s in addition to what they did, reporting it to IT, I would suggest reporting it to the legal team as well.

It’s time to play What’s Worse.

00:15:27:12

David Spark

Alright Purandar, you’ve played variations of this on our video chat, are you familiar with the original version we play on this show?

Purandar Das

Yes I am.

David Spark

Alright good. I always make Mike answer first and I always like it when the guest disagrees with Mike, so get ready for this. This comes from [UNSURE OF NAME], he’s over at Epic, a former guest on this show. So that means Purandar you can send in some what’s worse scenarios as well. We take them from past guests. Alright Mike here’s the situation. What’s worse, doing business with a partner or a customer that makes you answer a 500 questionnaire with evidence weekly alright.

Mike Johnson

Oh gosh.

David Spark

That sounds horrible. Wait for the other option. Sounds pretty bad or agreeing to a contract that states you will never have a data breach?

Mike Johnson

Wow.

David Spark

This is a good one, I like this one.

Mike Johnson

These are a pair of zingers. So what you’ve got is a company– so I’m assuming that the opposite case is here, like the first one they’re obligating you to never have a breach. They’re obligating you to.

David Spark

Right they’re not obligating you to never have a breach but man you are going to be doing busy work forever.

Mike Johnson

Yes just on a regular basis, here’s what’s happening, here’s what’s going on and it probably just bogs you down entirely like versus another one like you do nothing, you have no obligations for that company but.

David Spark

You’ve got a contract that you’re going to violate for sure.

Mike Johnson

So I will remind everyone that I am not a lawyer, please consult your lawyer on this answer.

David Spark

I understand your wife is a lawyer so they can consult her.

Mike Johnson

I can consult her. I would advise others to consult their own lawyers.

David Spark

Okay.

Mike Johnson

So this one’s actually pretty easy for me.

David Spark

Really.

Mike Johnson

Like now that I’ve kind of thought it through, bought myself the time as I repeated back the question.

David Spark

By the way this is Mike’s technique for those who aren’t regulars to the show, buys himself a lot of time just essentially repeating what I said.

Mike Johnson

Just jabbering. So the signing of contract that says I will not have a breach, the limitation of damages is okay well you leave, you’re no longer a customer and we’re releasing you from the contract. Okay, you know, it sucks, it would be annoying but it’s at least not dragging the entire team down and you have to think about what is your likelihood of a breach. It might be a very very low likelihood, not going to a zero. Very low likelihood. So that’s probably the safer one to go with and also it’s going to be one that’s a lot less work, having to update a customer once a week.

David Spark

Will you have any other time to do anything else?

Mike Johnson

I don’t know what I would do. Frankly I would spend six months building the automation in order to respond to all of these and then have the automation talk to them every week but that’s.

David Spark

But I see a data breach could be company crippling, like not just you lose a customer, there could be company crippling.

Mike Johnson

But at the same time signing a contract doesn’t mean a breach won’t happen right. All that it’s saying is that particular contract that I’ve signed I won’t have a breach. If I have a breach that’s a different situation.

David Spark

That’s a good point right there.

Mike Johnson

And while the other contracts, different situation.

David Spark

Purandar I throw this to you. Do you agree or disagree with Mike?

Purandar Das

Let me normalize those two options from an economical perspective first right. You either suffer a data breach and go through the financial and legal consequences or you spend enough money to truly build a system that’s out of reach, let’s say 99.9% of the time and secure it from a breach right. The flip side of that is you spend the same money and ramp up a team to do nothing but communicate the security policies on a weekly basis. So they’re equally bad. In terms of company reputation I’d rather ramp up a team and communicate weekly that way we’ve got revenue, we’ve also insulated ourselves in the event of a breach because there’s no consequences from a customer perspective. So I’d say signing the contract saying there wouldn’t be a breach is probably worse.

David Spark

So you’re saying that it’s worse. So you’re saying the opposite of Mike.

Purandar Das

I’m saying the opposite of Mike, yeah.

David Spark

You’re saying the opposite of Mike. Alright way to go. I appreciate that Purandar. So Mike he disagrees with you.

Mike Johnson

That’s good.

David Spark

That’s fine.

Mike Johnson

They both really suck.

David Spark

They both stink. We’re in agreement on that.

00:20:04:02

Voiceover

Please, enough. No more.

David Spark

Today’s topic is encryption and I’m going to start with you Mike. Mike what have you heard enough about with encryption and what would you actually like to hear a lot more?

Mike Johnson

I think the thing I hear too much about and it’s because it’s well understood is data at rest encryption in the Cloud. It’s almost push button.

David Spark

I mean it’s decades old.

Mike Johnson

Yes. It’s been around a long time and we understand that, we don’t need to talk more about it, I get that. But what I would like to hear more about and this genuinely isn’t intended as a softball, it really I would like to hear more about it is encryption of data in use. We just don’t talk about it very much because everyone dismisses it as too hard and I think maybe there’s some trade off questions in terms of the value, whether it really is that hard. So we just don’t hear enough about it and that’s what I would like to hear more about is how do we encrypt data in use.

David Spark

You have just literally set it up perfectly for our guest, quite perfectly because that is his [INAUDIBLE]. So I will ask you Purandar, even though I know you want to speak to what he just said, I want to know what you’ve heard enough about with encryption and what you’d like to hear a lot more.

Purandar Das

Yeah what I’ve heard enough about encryption is people saying, they use encryption and they’re secure. Most of the people that talk about it have no clue what they’re talking about. When they talk about encryption they rarely realize, if ever, that they use encryption at rest which really provides protection against somebody walking into a data center and taking a disk that the data’s stored on or making the copy of the file. I mean when did that last happen? When did you ever hear of somebody walk into a data center and walk away with a disk?

David Spark

Those are definitely the hacks we hear about today.

Purandar Das

Right but you just said it David, hacks are still happening and there’s a reason for that. It’s because data in use is not encrypted.

David Spark

And explain it for those people to understand, why is data in use not encrypted?

Purandar Das

See it’s been a hard problem to solve especially been a harder problem to solve at scale and encryption at rest has been the lazy approach to providing a semblance of protection to be in compliance from a regulatory perspective. It was never actually, I mean nobody takes that seriously as a way to protect data in use. The academic research that’s been performed for encryption in use has always focused on doing something that’s really relevant to maybe 1 or 2% of the actual use cases out there. It’s been about providing arithmetic or mathematical support for operations. When you think about what the bulk of the sensitive data is, it’s actually characters and strings. It’s your social security number, it’s credit card number, it’s your name, address, it’s birth dates, that medical IDs. It’s never been about numeric attributes. That actually has been a big reason for this whole confusion about why encryption in use has not worked.

David Spark

Well let’s jump to what you’re doing at Sotero. Explain. Because I mean you have an encryption in use solution and what is it exactly you’re doing.

Purandar Das

So essentially I mean very simply we keep data that’s being operated on or queried or used encrypted while those queries are running. So what we’re doing is elevating encryption based protection for data at rest to data in use. So if you were to go and run a query on the database that’s protected by Sotero those attributes in there, the sensitive protected attributes would never be decrypted on the database side. So if somebody were to get to the database, whoever it is right, outside of an approved user that’s been validated and permitted by Sotero, all they would see are encrypted attributes. That’s the core of what we’re doing. Now going back to what we started off at the very beginning right, encryption has been hard to implement especially when you think about the many many storage technologies, the fact that it’s mostly now hybrid, some of it on premise, some of it in the Cloud [INAUDIBLE] Clouds.

Purandar Das

There are no products that say we can give you protection for all of your data assets anywhere that you have them, that essentially is Sotero’s mission. We want to provide and we are providing a single product for organizations to adopt to protect all of their data anywhere, all the time. So again summarizing two things. One is we keep data as we’re using them, second it doesn’t matter what data format, what storage technology you use we will help you keep that data secure with a single product.

David Spark

And I’m going to ask the obvious question a lot of people or who are listening to is what they’re asking is about performance hit. Encryption causes performance issues, if we’re doing it on the fly got to assume that it’s going to be performance hits, what have you seen, what is your benchmark testing on this?

Purandar Das

So that’s the good news. From a benchmark perspective we’re able to come to within 1 or 2% of unencrypted data performance.

David Spark

So it’s 1 or 2% slower than unencrypted.

Purandar Das

Slower than unencrypted or plain text [INAUDIBLE].

David Spark

Okay so pretty much barely noticeable.

Purandar Das

Yeah and the reason we’re able to do that is a result of many factors. Like one is obviously the architecture of the product, our technology team has been phenomenal in architecting it for heavy loads, for heavy volumes et cetera but also keep in mind that technology has evolved pretty dramatically over the last decade. Computing capacity today is magnitudes better than what it used to be 10 years ago. That gives us the platform to be able to scale and achieve the performance that we need to, to make us be feasible in today’s use cases.

If you’re not paranoid yet here’s your chance.

00:26:09:16

David Spark

On the privacy subreddit a user just received a computer from their boss that has no programs on it yet they’re suspicious that their boss might be monitoring them. Most people said to assume that you were being monitored on company assets and not to do anything personal on that work computer. Basic good advice I would say as well. Others said if there’s nothing on it, why not just wipe the whole darn thing out with the first install of the operating system. But then another redditor said there’s nothing you could do as they may be tracking you in ways that would be upstream to your device. And another redditor questioned why did they take the job if they’re suspicious or didn’t agree with the terms of employment. Mike I’m starting with you, what’s your advice for this individual?

Mike Johnson

So I’d say start with reading the company policies and every company has, well generally every company has their security policies.

David Spark

Really small companies might not have it.

Mike Johnson

Right, right but they’re probably also not the ones who are mailing laptops around at the same time.

David Spark

That’s true.

Mike Johnson

But really pay attention to privacy policy. That privacy policy essentially by law, depending on where you are, but generally by law has to describe the type of monitoring that the company does and if it’s like security monitoring there’s likely security monitoring software and that’s kind of normal. That’s how a company protects its own assets. At the same time if the company has no policies or if they don’t disclose the monitoring, go ask HR about it, you can even ask your boss and see how they react. I think it’s unlikely that the boss is monitoring your every move. I mean I get the paranoia but the boss probably has a job to do, they probably have other things to do [UNSURE OF WORD] watch your every.

David Spark

Right but they can also go back and look at logs. I will also point out laws are different in the US than they are in certain areas of Europe.

Mike Johnson

Absolutely.

David Spark

So this kind of behavior is very much not allowed, like in Germany you can’t do this kind of thing.

Mike Johnson

And in the US if you have Californian employees, a lot of those same restrictions apply and usually a company will just hey let’s have the same policy everywhere.

David Spark

Usually that, by the way and we’re seeing this again and again, whichever state or now country has the most stringent policy, it’s like well let’s just make this across the board because essentially all the cards are going to fall in this direction eventually.

Mike Johnson

It’s the lowest common [INAUDIBLE]. You don’t want to have to have the special case, it’s generally not that hard to comply with those sets of regulations as long as they’re not just completely crazy, that way you can just say everyone’s getting the benefit from this and that’s also the direction that everyone, all the regulations, all the laws are heading at the same time.

David Spark

Alright Purandar I throw it to you. First, have you sent laptops to your employees and do you track them?

Purandar Das

I’m sorry, repeat that again David.

David Spark

Do you send laptops to your employees and do you track them?

Purandar Das

No we don’t track them.

David Spark

What’s your advice for this individual?

Purandar Das

Here’s a couple of perspectives right. One is certainly understand the privacy policy right. I mean the privacy policy is so you’re aware of what the organization can do and will do. There are two other things to add that pop up to mind as we discuss this that one is legally that laptop is the property of company, so is the network right. I would equate that to you being given a company car as part of your job and you deciding to use it for private travel which you obviously wouldn’t do unless the company said it was okay for you to do it. The third thing I would ask is if you were on a company laptop, what exactly are you going to do that you’re worried that you’re going to be tracked. It is a company laptop right. If you’re on your job, you’re committed to providing whatever number of hours working for the company, what are you going to do that you’re worried that the company is going to track.

David Spark

We would hope they’d have another computer that they could do their personal stuff on.

Purandar Das

Right. I mean if you really want to do something that you don’t want anybody to know, you should do it on your own laptop and take the necessary precautions not try to do it on a company property. That would be my thing.

David Spark

That I think is the bottom line advice on this which, by the way, just as in general like you’re essentially putting yourself in hot water if you’re doing personal stuff on the company equipment.

Purandar Das

Exactly. But let’s take a different perspective of it right. What about an employee doing something on company property and being able to track them, make sure they don’t do it, what about the information that the company’s collected from all of their employees? Where’s the commitment from them to keep that secure? I think that ought to be the flip side of this [UNSURE OF WORD] and were there– which you alluded to is the California and the Germany regulations, that’s essentially what they’re trying to do. Is saying first don’t collect information that you don’t need. Second is if you do collect it make sure you live up to your commitment to keep it secure, if not you will be hit with financial penalties that you actually feel, so that it makes you accountable for protecting the data and the information that you’re committed to collect.

David Spark

And that’s a good point too. Close today’s conversation Purandar, good advice. Just behave like you would expect your company to want you to behave on company equipment. I’m going to close this show up. Purandar, I’m going to let you have the last word and, by the way, we ask all our guests if they’re hiring, so make sure you have an answer for that and if you have any specific offers for our audience with Sotero, please let us know. I want to thank your company Sotero for sponsoring this and also just in general being a phenomenal sponsor of the CISO series. First Mike, any last words?

Mike Johnson

Purandar thank you for joining us today. It was really great, you know, getting to meet you and having this conversation and really kind of meeting of the minds especially when it comes to mistakes that employees make and recognizing that people are humans and that your systems and your environment should be able to handle that. But also I really wanted to come back to something that you had just said about the commitment from the company to keep the data that they collect from employees secure. I really appreciate you bringing up that point and I think that’s something that we need to keep in mind. Whenever you’re gathering anything from your employees most likely because it’s required, you have to do some sort of background checks or if you’re doing health care. There’s any number of things that you would do but you really need to make sure that you’re living up to your promises to your employees and securing that data.

Mike Johnson

So thank you explicitly for calling that out but thank you for joining us and I also really appreciated the education on data-in-use encryption.

Purandar Das

Mike thank you it was a pleasure talking to you as well. Thank you.

David Spark

So Purandar, are you hiring?

Purandar Das

Yes we are.

David Spark

And do you have a specific offer for our audience for the data-in-use encryption solution that Sotero offers?

Purandar Das

We are offering a free six-month trial of our product.

David Spark

Ooh that is substantial.

Purandar Das

Yep. We will give you full technical support for any platform of your choice, help you get set up and we will show you how easy it is to secure your information whether it’s on premise or in the cloud. So reach out to us at www.soterosoft.com.

David Spark

S o t e r o s o f t as in sotero software but just the soft part .com.

Purandar Das

That’s correct David, yep.

David Spark

Now let me ask you, say one of our listeners accidentally sent 10s of social security numbers out, would your tech support be able to help them with that?

Purandar Das

If it’s already been sent out, it’s probably too late.

David Spark

But if they were using Sotero Soft it would probably be encrypted.

Purandar Das

They wouldn’t have to worry about it because the data would be encrypted, it will be enabled somebody to decrypt and look at the data.

David Spark

Good point. Alright, thank you so much Purandar. Thank you very much Mike. Thank you to Sotero as well and thank you to our audience as always for participating and contributing and listening to the CISO Security Vendor Relationship podcast.

Voiceover

That wraps up another episode. If you haven’t subscribed to the podcast, please do. If you’re already a subscriber, write a review. This show thrives on your input. Head over to cisoseries.com, and you’ll see plenty of ways to participate, including recording a question or comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@cisoseries.com. Thank you for listening to the “CISO/Security Vendor Relationship Podcast.”

David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.