Intro: 00:01

Are you ready to know what you don't know about Privacy Pros, then you're in the right place.

Intro: 00:06

Welcome to the Privacy Pros Academy podcast by Kazient Privacy Experts. The podcast to launch progress and excel your career as a Privacy Pro.

Intro: 00:17

Hear about the latest news and developments in the world of privacy

Intro: 00:22

Discover fascinating insights from leading global privacy

Intro: 00:25

Professionals and hear real stories and top tips from the people who've been where you want to get to.

Intro: 00:32

We're an official IAPP training partner.

Intro: 00:36

We've trained people in over 137 countries and counting.

Intro: 00:40

So whether you're thinking about starting a career in data privacy or you are an experienced professional, this is the podcast for you.

Jamilla: 00:57

Hi everyone and welcome to the Privacy Pros Academy podcast. My name is Jamilla, and I'm a data privacy analyst at Kazient Privacy Experts. I'm primarily responsible for conducting research on current and upcoming legislation as well as any key developments and decisions by supervisory authorities. With me today is my co-host is Jamal Ahmed who is a Fellow of Information Privacy and CEO at Kazient Privacy Experts. He is an established and comprehensively qualified privacy professional with a demonstrable track record solving enterprise-wide, data privacy and data security challenges for SMEs to complex global organizations. Jamal is a Certified Information Privacy Manager, Certified Information Privacy Professional, Certified EU GDPR practitioner, Master NLP practitioner, Prince II Practitioner and he holds a Bachelor of Arts in business with Law. He is a revered global privacy thought leader, world class trainer, and published author for publications such as Thomson Reuters, The Independent, Euro News, as well as numerous industry publications. He makes regular appearances on the media, on television, radio and in print, and has been dubbed the King of GDPR by the BBC. To date, he has provided privacy and GDPR compliance solutions to organizations across six continents and in over 30 jurisdictions, helping to safeguard the personal data of over a billion data subjects worldwide. Thank you Jamal. Thanks for joining. I'm impressed I got through that without stopping.

Jamal: 02:11

Thank you very much. You always do a great job. You know, I've got some news for us on this episode. We've just smashed through two and a half thousand downloads on the Privacy Pros podcast. So really happy about that.

Jamilla: 02:24

Is that two and a half thousand total downloads?

Jamal: 02:27

There's more than that now. But yes, we've smashed through that milestone now.

Jamilla: 02:30

Yay. Two and a half thousand people worldwide listening. We're in about 50 countries. Is that right?

Jamal: 02:39

Just 53 countries when I checked last night. We're in over 53 countries now. Yeah, it's going out far and wide.

Jamilla: 02:45

I wonder who the furthest away is. If anyone's in New Zealand, I'd like to know, or Hawaii, or just anywhere really far away, I want to know how far away we're reaching. That would be cool. Our guest today, very excited to have him with us. Our guest today is Dimitri Nemirovsky. He is the Co-Founder and COO of Atakama, an innovative data security company that provides a file-level encryption solution like nothing else available on the market. Atakama offers customizable security policies to best fit individualized business needs and use cases. Atakama has raised $10 million+ for the company and has a team size of 26. Dimitri describes himself as a recovering attorney who became a serial entrepreneur. Prior to co-founding Atakama, Dimitri spent 15 years practicing regulatory and enforcement law, most recently at Bingham McCutchen where he represented large financial institutions in high-stakes matters. Wow. Welcome, Dimitri.

Dimitri: 03:48

Well, thank you. Thank you for having me.

Jamilla: 03:50

How long have you been in recovery for?

Dimitri: 03:51

I've been clean for about: 4362

Jamilla: 04:05

It'll be really interesting getting to know a bit more about your change from law, because we do get a lot of, I think, people in the privacy world who are lawyers or trained as lawyers, and then they move into privacy and security. It’ll be really interesting to hear bit more about your story. But first, we always start off with an ice breaker question on this podcast. So today’s is what was the last thing that made you laugh?

Dimitri: 04:26

Well, the last thing that made me laugh was this introduction, I guess the recovering attorney thing. So I have two children, a daughter who is 16 and a son that's 14. And they make me laugh every day. You know, children are unique in that regard. And there was a show that was Kids say the darndest things and it's so true. You know, it's innocent, it's inquisitive with me. That's really my favourite is the kids and the things that they make me do and the way that they make me feel. And more often than not, I appreciate.

Jamilla: 04:55

That, especially that age. They're just trying to think for themselves, maybe too much. Yeah. I've got little siblings who are 13, 12 and eleven, and I went and took them all three of them out last week, and I'm still exhausted.

Dimitri: 05:08

Exactly. Yeah, but you had the opportunity to give them back. I can't give my children back.

Jamilla: 05:14

That's true. It did make me kind of go and apologize to my parents. Sorry, I didn't realize how difficult it was.

Dimitri: 05:22

Exactly.

Jamilla: 05:24

But no, it's great. So we had a little bit about Atakama in the introduction, but can you tell us a bit more about how it works?

Dimitri: 05:31

Of course. So what's interesting about encryption, if you think about encryption as a technology, right. Encryption has been around for thousands of years. Right. You look back to the C periods and the Romans and Caesar. People used encryption back then. Right. It was a cipher. You would switch around a few letters. Granted, back then, not everyone read, but those who did, you would try to trick them. And the whole purpose of encryption is to prevent the unauthorized third party from being able to use whatever it is that you've encrypted. And encryption has been incredibly useful. It's been purposeful over the millennia’s that it's been around. And fast forward to the 20th century, encryption became something that became a necessity within the digital domain, right? We may not know it, everyone on this video call may not know it, but we use encryption on a daily basis. When we unlock our smartphones, when we unlock our computers, we're decrypting the contents of the information that is on those devices. And that's cool. And encryption is really important to privacy, to security. Generally speaking. The problem with encryption is, from a technology standpoint, we've really diminished the power of encryption. Here's what I mean. Specifically, by virtue of the fact that we've logged into our machines, we've entered our username and password, we've effectively wholesaled decrypted all of the contents on the hard drive within our machine. So you go from 100% secure to 0% secure. As soon as you logged in everything's available to you. So why have encryption providers, why have the computer manufacturers made it so simple? Well, because from an end user standpoint, the UX UI around encryption has to be seamless, has to be transparent. Otherwise, guess what? No one's going to want to use it. Or they'll find they'll circumvent ways of having to follow the policies and procedure set out with encryption. And so by connecting encryption to a really seamless UX UI, you really diminish the power of encryption. What we've done is when we designed Atakama we said to ourselves, how can we design a system that is not tied to those credentials, that is not tied to those identity and access management, username and password credentials? And what we said to ourselves was, can we split encryption keys? Right? Can we cut them up and split them out? Very akin to public private key pairings, right? So if you look at everyone talks about bitcoin and blockchain these days, if you think about it, you have this public poke ledger. You have the value of over a trillion dollars, and it's being secured by splitting keys, right? You as a key holder, you have the private key associated with the public key. If you lose that private key, you pretty much lose access to your Bitcoin. But the power there really is the fact that it's open and we can dare the whole world, and in fact, the whole world is being dared, go ahead, try to access this thing that is being secured by this public private key pair. We said to ourselves, well, can we do the same thing conceptually to passwords, right? So if you think of an encryption key, encryption key really is a password. And we said to ourselves, yeah, we think we can do it. And the way we've done it is with our software, each file, or each object, if you will, is encrypted with its own unique encryption key. And we utilize an AES standard with 250. Right? So it's not like we come up with our own encryption algorithm. We basically repurpose what is considered military grade encryption, that encryption keys then cut up into those pieces and distributed across physical devices controlled by the user. So instead of having to remember a password, instead of relying on your username and password or any central key store or any central identity and access management system, you're relying on your physical devices. So if you think of an attack in the way most attacks these days are perpetrated, it's really social engineering attack. It's trying to fish someone, trying to get them to click on something. You introduce that element into the environment, and now they pretty much have free reign. Well, with our solution, even if I give you my login credentials, you'd be able to log into my machine, log into my cloud storage where I keep all my files, you'd be able to see all my information, but you wouldn't be able to decrypt it. And that's because with our software, you need to recombine those key shards, some of which are on your phone, some of which are on your computer. And unless you're able to combine them, you'll never be able to decrypt. So if you look at the attack surface, we flipped it on its head. So I literally would need to steal someone's computer and their smartphone or hack into someone's computer and their smartphone. Not impossible, but incredibly complex in order to be able to decrypt anything.

Jamilla: 10:10

That's really interesting. Especially the other day, I got a lot of notifications through Safari saying, oh, this password has been involved in a breach. This password is unsafe. So had I used your software, I wouldn’t have had to sit there, start changing passwords, trying to remember, oh, this one's going to be slightly different, or this one I put a capital in.

Dimitri: 10:29

That’s eventually the big picture of what we hope to accomplish is really the ability to we walk around with these devices in the palms of our hands, which are really supercomputers. Right? Again, probably 99% of the population uses them for social media, but they are, at the end of the day, supercomputers in the palms of our hands. And the power of having, you as an individual and your authentication as an example or the ability to log in somewhere, be distributed across your physical devices is way more secure than anything currently existing in the market. And big picture for Atakama, we want to be that company that secures the individual.

Jamal: 11:07

That sounds like an amazing solution to a very real and a very risky problems that a lot of businesses are facing. What's the ideal kind of size of business that you're working with at the moment?

Dimitri: 11:17

f the organization, let's say: 1500

Jamal: 12:46

Great. Thanks for explaining that to me. It’s really interesting, our audience is primarily people interested in really having a thriving career as a privacy professional. And there's data privacy and there's data security. In your opinion, what's the difference between data privacy and data security?

Dimitri: 13:01

any individual, if I surveyed: 1000

Jamal: 15:26

That's a great explanation, and I'm sure all the privacy pros listening would really appreciate that. For us to just summarize what you've said in a nutshell is, what you're saying is, look, hey, when you're in your role as a privacy professional, what you need to understand is two different things. So from the individual side, they're more interested in their privacy. They're more interested in how their information is going to be used, how it's going to be monitored, how it’s going to be shared on an individual basis. But when you're representing the business, whether you have a client or you're in house, the business is concerned about keeping that information safe, keeping the information that we process, that we collect. How do we keep that safe? How do we protect that from going missing? How do we protect that from unauthorized access? And that's where data security comes in. And that's the primary difference far as you’re concerned between data privacy and data security. Now, the other interesting thing, Dimitri, is we said, look, even in security, there's a difference between information security and cybersecurity. And as privacy professionals who are so concerned about privacy, privacy, privacy all the time, we leave infosec to the infosec guys. But it would be really great for you to help our audience out, help our listeners out by giving a bit more of an understanding of the difference between information security and cyber security.

Dimitri: 16:36

You know, you just mentioned the term infosec. You don't hear that term anymore. You hear cyber. Cyber, cyber, cyber, cyber. No one says info sec. That's to our collective detriment. Simply speaking, information security is a subset of cybersecurity, right? If you look up the definition of cybersecurity, right, you started a computer science course, computer science 101 or something like that, that talks about cybersecurity. Cybersecurity is there to protect the systems, to protect the network, to protect the hardware, to protect communications that are inbound and outbound, right? It's everything having to do with the perimeter. So if you think of cybersecurity as the castle with a really thick wall, with a really tall fence with a really deep moat, that is cyber security. How do I keep the adversary from gaining access to my perimeter? I want to keep them out. That's cybersecurity. Generally speaking, information security is what's within that castle, what's within the vault within that castle. How do I protect the treasure that's being safeguarded in that vault within the castle? So that's the analogy. Now let's break it down and think about it in computer science terms. I have a network. And we know that no matter how buttoned up your cyber security tech stack may be. No matter how good your policies and procedures may be. No matter how well you administer those policies and procedures. The weakest link in every cybersecurity program will fail eventually by virtue of the fact that there's a human involved in the process. No matter how many times you tell that individual, don't click on this link, don't open that email, double check before you act, they will inevitably click on that link. They will do something that will allow the adversary to gain access to your network, to breach your system somehow. So that is cyber security. How do I prevent that attack from happening? What the attacker does after the fact, yes, there are cybersecurity solutions. that the intrusion detection, the ability to really quarantine the attacker, things that can be done. But ultimately, that cyber tech stack is there to prevent that adversary from gaining access to your systems. Information security, being a subset of cybersecurity, must be laser focused on protecting the data. You have to establish an information security program that assumes that the adversary has already penetrated, has made their way into the perimeter. That's the mindset. If you don't have that mindset, if you don't view information security through that lens, you've already failed. Because if you're walking around and saying, there but for the grace of God, I'm good. I've got it covered, you will suffer devastating results. There's no two ways about it. You have to build a program that just assumes from the start that an adversary has already broken into that environment okay. And how do you do that? How do you focus on the data in a way that is disconnected from your cybersecurity controls? If they are connected, if your information security solutions are connected to your cyber security solutions and one of those fails, right? If you propped up that building on one pillar and that pillar breaks, that building is going to collapse. You need multiple pillars and they cannot be connected. And therein lies the challenge, right? And not only is it challenging from just an implementation standpoint, how do you implement these products, these processes in a way that doesn't deprecate the workload, doesn't create all types of frictions? You still need your users to operate. You still need your users to be able to be productive, right? You can shut down completely from the internet, right? You can say, hey, we're not going to be connected at all. You'll go out of business the next day. We are a connected society and every business needs to be connected. But there are tons of challenges there. And the other part of this is cybersecurity information security one of the most thankless jobs in the world, unfortunately, is being the Chief Information Security officer because no one's patting you on the back and saying, hey, you did a tremendous job today because we didn't get hacked. The only time anyone's talking to you is after the fact, after the attack has happened and they're questioning you and saying, hey, why didn't you do this and the other thing? And this poor professional is saying, well remember when we had this discussion? I was asking for more budgets, that I could deploy these additional tools and we said no. And I said, I told you so. Well, here we are.

Jamal: 21:07

We can prevent all that with Atakama, can't we?

Dimitri: 21:10

Some of it. Any solution that purports to be jack of all trades, run away, that's Microsoft, right? Microsoft will sell you those E Five, E Seven licenses and say, we can do everything from soup to nuts, all you need is us. And of course everyone uses Microsoft. But if you rely entirely again going back to that analogy with the one pillar, there's a fallacy there. You should not rely on one system, you should not rely on one approach to your solutions that is very dangerous, especially with Microsoft, with the fact that you can compromise an admin’s credentials and once you do, all types of issues can result because of that.

Jamilla: 21:47

You mentioned a little bit about Microsoft being kind of a jack of all trades, master of none. And how does a start up like yourselves will be a very successful start-up raising 10 million how do you compete with giants such as Microsoft?

Dimitri: 22:01

rver was offline? This is not: 1995

Jamilla: 24:28

That would be a very interesting YouTube video you doing the Pepsi Challenge with Microsoft. I'll definitely watch that. That's official. We'll challenge them. If anyone from Microsoft is listening, let's challenge them.

Dimitri: 24:39

Times Square.

Jamilla: 24:42

Yes Jamal can we have a company trip to New York?

Jamal: 24:44

Let's do it. Let's do it. Let us know when.

Jamilla: 24:48

There we go. We'll be there supporting you. Dmitri, ecellent. In your introduction, we described you as a recovering attorney. So what is it that made you make the jump from law to data security?

Dimitri: 25:00

So I actually took my first coding course in 8th grade in middle school and have my entire life loved computer science, loved coding, always stuck with it. Obviously, I lost my way sometime after graduating college and went to law school and business school. And it's funny if you think of law firms and the information that law firms are privy to, it's really everything out there, right? Law firms represent companies in every industry, every vertical and more often than not the information that's available to them is it's just outsized compared to any other industry or any other company. And what I came across in my practice of law was just that I would on a daily basis see the fact that we would ingest terabytes, ultimately petabytes of information belonging to others. And law firms, this has changed, obviously, but going back to, let's say the early aughts didn't focus on it, that was not a thing, cybersecurity. Meanwhile, they're sitting on amazing information that to an adversary would be nothing short of the treasure trove, right? That would be the honeypot of information. And law firms, as we know do suffer attacks. But for me it was always a situation where following technology understanding benefits of cybersecurity, the lax view of cybersecurity, the lax view of technology at law firms, their technology library, they're always the last ones to integrate new technology because it's budgetary, right for them, they view it as an expense that doesn't really help them perform. But I perceived an opportunity in the market. I saw that that cybersecurity was not taken seriously by many organizations, and I made the leap. I was lucky enough to me and my co-founder build a tremendous team of computer engineers, right? Our team is phenomenal. They love cryptology and the fact that we're working on something that is so complex on the back end but so simple from a UX UI, there's nothing else out there like it. And that to me the challenges that you mentioned how do I deal with the fact that there's a Microsoft out there and who am I? That to an attorney building something as opposed to helping someone build something or after the fact something has gone really bad and now you're being called in to try to salvage the situation. It's a really big difference. But to be clear, I did enjoy practicing law. I did it 15 years, I enjoyed my colleagues, I enjoyed the clients that I work with and it is an incredibly respectable profession but to me it was just taking that week and doing something which brings new challenges every day, some of which keep me up at night in a positive way, but nevertheless are extraordinarily challenging.

Jamal: 27:48

It's great. I'm sure you were passionate about law to begin with, to able to do it for 15 years but then you found your new passion. It's really inspiring to hear, and you jumped in with both feet and you're really living the dream and doing what you love and loving what you do.

Dimitri: 28:00

I'll let you know how it works out tbd.

Jamilla: 28:02

We get a lot of people, I think, in the industry, we've had a few on our podcast who have. Started off in law, moved into data protection, data privacy. Are you seeing a lot of crossovers from when you worked in law to where you are now?

Dimitri: 28:15

I don't know that I see a lot of crossovers, but I definitely see a burgeoning practice area where a lot more law firms now have lawyers dedicated to cybersecurity. They have lawyers dedicated to privacy, they have lawyers dedicated to the disaster response. Right. You've been hacked now what? Now you need to deal with the regulators. Now you need to deal with your customers. Now you need to follow these rules. The landscape has really changed, and I saw that evolve. Like, the past ten years has been an incredible uptake in the number of lawyers that are focused on privacy, cyber security, incident response. So those practices and lawyers that are focused on that space, it's definitely unprecedented, the growth in that particular field.

Jamilla: 28:55

And can you see that only growing in the future?

Dimitri: 28:58

Absolutely. If you look at the rules and regulations that are being promulgated around the world, they're very difficult to navigate. Right. I'll give you an example. There's a regulation in New York that very few people know about. It's called the Shield Act. And the Shield Act basically says that if you do any business in New York now, how do you define business in New York? So if I'm an ecommerce retailer in the Netherlands, and I sold something to a customer in New York, well, guess what? I've done business in New York. I've never stepped foot in New York, but I've sold my goods to someone in New York. Therefore, I've done business in New York. I'm now subject to the Shield act. And the Shield Act says any information you collect from residents of New York, you need to safeguard. So it's very similar to GDPR, and the Netherlands is already following GDPR, so you're probably okay in that regard. Right. But think about that on a global scale. There's this esoteric rule promulgated in a state within the United States, and it basically says anyone doing business in this state with any of our residents is subject to this regulation. And if I surveyed the world and said, hey, how many of you know about this Shield Act in New York? People would be like, what are you talking about? In fact, people in New York don't know about the Shield Act. What's going to happen is what happens with many regulations is regulation through enforcement or regulation through the benefit of hindsight. And the regulators, they perceive an opportunity, go after someone in an enforcement action, they're going to exert some kind of penalty or fine, and they're going to say, well, you should have known because the rule is clear cut without providing any guidance, without really publicizing how to comply with this particular regulation. So this is just the beginning. It really is the tip of the iceberg. I think we're going to see more regulations hopefully in the United States, I hope that the federal government comes out with something that is uniform across the country similar to GDPR, as opposed to having to comply with different regulations state to state, which is always a nightmare in the United States. Right. Having to comply with both federal and state level regulations becomes a nightmare.

Jamilla: 31:03

Do you think that is something that will happen? Do you think the government will introduce something at a federal level?

Dimitri: 31:08

I do. I don't know if you saw what Biden did a couple of weeks ago. He came out with an executive order to federal agencies, primarily around how best to comply with cyber security and the need to take cybersecurity more seriously, highlighted the fact that everyone should be following some kind of two factor authentication model. He mentioned encryption multiple times for data at rest and data in transit. So these things are being taken more seriously, not just because the federal government has been soloing recently right. This is the reality. The adversaries are very intelligent. They're only getting better at what they do. And the fact is, whether you're an individual or an entity, a corporation, cybersecurity, or a government entity for that matter, this is the reality. It's here to stay. It's going to get worse. There is no cure to this ailing problem that affects all of us globally. It will continue. By the way, a lot of these attacks, as we know, are perpetrated by nations. Right. So when you have a nation state really financing these attacks, it's a profitable business for these attackers.

Jamilla: 32:16

Are they financing attacks on individuals or businesses and organizations and governments?

Dimitri: 32:22

I would say they're all intertwined. Right. Because if you attack a government agency, you attack a business. I just got a letter from my accountant, hey, we were hacked and your information was taken. Oh, by the way, here's a code to one of these monitoring sites and sign up for the next twelve months. And you should also freeze your credit agency. Really? It's horrible. So yeah, everyone, no matter what, whether directly or indirectly, is going to be impacted. Right. So if a government agency that has my information gets attacked, who is the ultimate victim? Yeah, the government agency but no, it rolls down to me as the individual because now my information is out there. So this is a problem that's not easily solvable, but something that we as both individuals and as corporations, entities, enterprises need to deal with, it needs to be front of minds. The budgets need to be there. And as they say, profession as a privacy professional and this is the field you want to be in, it will only continue to grow. And I think job security is certainly there if you want it.

Jamilla: 33:23

And is there a difference that you're seeing in terms of when there are cybersecurity threats to an individual versus for an organization? So for example, in the UK, because of the coronavirus. We've had a lot of rise in text messaging scams and people clicking them and putting in their information. Royal Mail has been a victim of it. Is there a difference that you're seeing in, is there certain cyber security crimes that are increasing?

Dimitri: 33:50

The social engineering attacks that are being perpetrated against individuals right. When they're hoping to accomplish at the end of the day is a little different. So the attacks may be similar. Where you get that link and it looks real. That email looks real. It's funny. I just read Facebook sued I forget which company. It was a company that as part of its training, they registered certain domain names that look like a real Facebook domain. Right? And the purpose behind that was to train the workforce or to train individuals, so that when you receive an email, don't just assume that it's a legitimate email. And Facebook basically sued them and said, no, you can't do that. So it's kind of like it's trademark and I understand why Facebook did it, but you can also understand why this company was doing what they were doing. But ultimately, at the end of the day, these attacks are real and whether they're being perpetrated on an individual and certainly an uptick, given the COVID issue. But ultimately, the attack is different from the standpoint of when you attack an individual, what you're hoping to do is literally it's a smash and grab, right? How do I get this guy's pin code so I could take the money out of his bank and get out of here? Whereas with an entity, it's higher stakes. You're going to break in and you're going to be clandestine with respect to what you're doing there. You're not going to smash and grab, you're going to stay there. You're going to stealthily look for the information, the honeypot, once you find it, or you want to bide your time, you want to exfiltrate certain data and then basically tell them, oh, by the way, I have all this stuff, and here's the ransom. So the outcome is different, but the attack surface, the attacking vector, is somewhat similar.

Jamilla: 35:26

It's really interesting that you mentioned about the training and the URLs that are similar to Facebook. At my university, on Prime Day and Black Friday, they will send emails looking like they're from Amazon. And if you're a student who clicks on that link, you have to do mandatory IT training. So I got it. I found it on Prime Day. I was looking at it, I was thinking, I did buy something from Amazon, but this looks a bit fishy.

Dimitri: 35:53

Yeah, and that's what it is, right? And that's what they try to do. Because, look, you're busy, you're working throughout the course of the day and an email comes in, I'm guilty of it, right? I take a short trip. I basically look at it, my screen and go away. And sometimes you get into trouble doing that. Legitimately, not necessarily cyber trouble. But someone else says, what are you talking about? That's not what I meant. Like, oh, yeah, sorry, wasn't paying attention. But yeah, that's exactly what they're trying to do. It's like, oh, Amazon redeem your gift card. Yeah, I’ll redeem my $20 gift card and all of a sudden exactly, your bank account has been siphoned.

Jamilla: 36:30

Yeah, we've spoken a little bit about the cyber security, to threats to individuals or organizations, but what are the kind of most dangerous ones? What are the ones that keep you up at night?

Dimitri: 36:39

It's the ones that you don't know of. And this is what tends to happen with some of these big attacks, right? And by the way, a lot of these attacks that we read about, it's not even the entity that was the one that was attacked, right? So what tends to happen is it's a third party service provider and the third party service provider is doing something with your systems or has access to your system somehow. And that's why there's a big push right now to make sure that a lot of these solutions that are SaaS based are secure. Because if one of your service providers has been attacked and the service provider has access to your systems, well, guess what? Now you've introduced that adversary into your systems, unwittingly, unknowingly and that's dangerous, right? And that's concerning because, okay, now I, as a security professional, have to ensure that not only are my systems buttoned up, but how do I ensure that my systems that are also engaged with these other systems that are intertwined, that are connected, that my users are using on a daily basis, are not used as an attack vector, as an entry point into my systems? So it amplifies the problem. And it's one thing to say, okay, I control my environment. I have a good sense of what's going on here. I have a good understanding of what my potential issues are. But now you have to also be appreciative and ask your third-party service providers that you're dealing with, how do I know that they're secure? How do I know that they're following the policies that they represented to me, that they're following. So that, again, it's like, well, I can attest to what I'm doing, but how do I attest to what someone else is doing? So very concerning. Man, security practitioners, they really have it hard.

Jamal: 38:24

On that topic, I want to ask you a question. What was your initial reaction when you read about the Kaseya attack?

Dimitri: 38:29

nd, period. Stand behind that: 1000

Jamilla: 41:03

Yes. That doesn't make a lot of sense.

Jamal: 41:06

I still don't understand why companies insist on encrypting stuff only to send you the password in another email. It just completely baffles me.

Dimitri: 41:17

rience from the standpoint of: 1995

Jamilla: 42:16

Absolutely right. Well, Dimitri, what is the greatest challenge that you have faced in your career and how did you overcome it?

Dimitri: 42:25

I'm still facing it. It's the only way I can answer that question. When you leave a job which offered incredible stability and you jump in all the way on the deep end right and become an entrepreneur. It’s incredibly gratifying in certain respects, but the challenges are, I hope, surmountable, but I'm still climbing that mountain. And so, like every start up founder, you hope to be successful, you want to become that unicorn. And so the challenges faced there are tremendous. And being that we are a cybersecurity provider, solution provider, it is also such a noisy space, there's so much out there. Every computer science major thinks that they're going to come out to market with the newest innovative technology, and sometimes they have it. But because there's so much noise out there, because there are so many legacy products that the security professionals think that they have solved for, it's also important to mention something, five years ago, if I went to college and said, I want to become a chief information security officer, college would say, you mean you want to be an IT professional? No, I want to be a chief information security. That was not a thing. It's changing and more schools are offering those programs, but it's a relatively new profession in the sense of being a security practitioner, cyber security practitioner. It's a relatively because they would literally, companies would pick from the IT staff and say, well, you're an IT administrator now, you're head of security. Wait, that's not what you do, you do understand IT doesn't mean what you think it means. And so those are really the challenges and a lot of these folks that we deal with on a daily basis, they're not purists. What I mean is they're not pure chief information security officers. Right. And sometimes they look at things through the lens of an IT administrator and don't fully appreciate the risks, whereas others are all over it. They get it. Right. So I hope that answers your question. But yeah, hyper challenging.

Jamal: 44:29

was really, until I say about: 2018

Dimitri: 45:37

That's right. I fully agree.

Jamilla: 45:39

The last question for you, Dmitri, before I give you the opportunity to ask Jamal a question. What are your top tips for privacy and security professionals who want to take their career to the next level?

Dimitri: 45:49

It really dovetails with what Jamal just said, which is learn everything you can about what the current regulations are and where the pain points are for those companies trying to deal with those regulations. That's where the rubber meets the road, because if you're a professional, you need to understand your trade. And your trade is basically right now, it's focused on complying with those regulations. So fully understanding the confines within which those regulations have been promulgated and how companies are dealing with those regulations, how they are complying with those regulations, and what they need to do, what are the best practices? So to be a superstar in the space, right, you have to be informed. You have to be informed and know how not only what's required, but how do you resolve those requirements, how do you deal with those rules and regulations in a way where it makes sense, can actually be executable. And again, this is super important, and I think a lot of professionals don't appreciate this. You cannot be a bull in a China shop. What do I mean by that? You cannot come into an organization to the business people and say, we're going to change everything from the workflow standpoint, because if we do it this way, we will be completely in compliance, etc, etc, etc, etc. But you have to remember that the businesspeople are motivated by profit and to be motivated by profit, they're not going to want to change workflows. So you have to appreciate, you have to work within their environment in a way that will allow them to continue to function, be productive, but still comply. So very challenging. But if you get it right, you will be a superstar rock star in that space.

Jamal: 47:38

Yeah, thank you for that, Dmitri. It's actually exactly what we teach at the Privacy Pros Academy is, number one, you need to be a master, and you need to understand how not just knowledge, by reading books, sending webinars, understand how does it actually apply in my work, how does it apply in my role, how does it apply to the organization? And the only way to really learn how to apply is to attend live trainings, is to speak to people who knows is to find the mentor and to speak to experienced people who can really share those stories and those experiences with you. So that's the first part of it. And the second part of it is, as you said, is you can't just come in and expect to change everything or can't just create Cookie classic templates that you've bought somewhere, that you somewhere, and expect an organization to change everything. To fit into that, you have to find bespoke solutions that are pragmatic and practical for that specific organization to address that specific problem, so that you protect the organization from any reputational damage, any loss of data, and you really protect them, but also by making sure that you impact and help the bottom line. The business is there for a specific reason. If it's a profitable business, they're there to make profit. If it's not a non-profit business, they're there to make an impact. And your job is to come in and understand the privacy or the cybersecurity risks and really protect our business from exposing themselves and mitigate against any risk they have in the most pragmatic and practical way that makes the business continue and raises them to the next level.

Dimitri: 49:02

Great. It's a great way to characterize it.

Jamilla: 49:04

The last part of our podcast. Dimitri, it's over to you for a question. Anything you want to know about Jamal?

Dimitri: 49:10

Two questions. The first one, is Ted Lasso as popular in the UK as it is in the United States?

Jamilla: 49:16

I can answer that one because my mom and stepdad have been watching it on my Apple TV account, which I may now use Atakama to make sure they can't access my password anymore. Yes. I think people are enjoying it. Have you watched it, Jamal?

Jamal: 49:31

No. What is it? Tell me more.

Jamilla: 49:36

I think he was an American football coach in the US and he's come over. It's a sitcom and he is coaching a British football team. I think it's in, like, Essex or something. All right, it’s quite funny. Ted Lasso.

Jamal: 49:52

Ted Lasso. All right, I'll keep an eye out for you. I hardly watch a TV or TV program, but when I have the time, me and the missus will definitely give it a go.

Dimitri: 50:01

And then so another question is, how do you take something out of the realm of academia and really convey the practical aspects of something, right? How do you take it out of the book and bring it to life?

Jamal: 50:14

So I would say the best thing for that is to attend the live training. And basically that's why we say, okay, look, this is what the law says and this is what the regulations say. This is what the academic said about what does that mean in practice? And then talk about it and talk about experiences where we can share, say, okay, this is how we applied in this situation, this is how it applied in that situation. And what would you do here? And really make sure that the academic side of it is implemented. And I think probably the most valuable thing about the IAPP training certifications that we do, and more importantly, through the practical assignments that we do, the Privacy Pros accelerator program is taking the academic knowledge and really breaking it down so they understand, what does this mean when I go to practice? What does this mean in my practice as a privacy professional? And I think that's probably why we are seeing the kind of results we have with some of the students. People actually really value the fact that we're taking what they've learned in the books, and sometimes they didn't even understand what they didn't understand, or they misunderstood it. And when you apply into practice, when you talk about how it applies in situations and scenarios or in the previous examples, they can really get their mind around it and suddenly it starts coming alive for them. So hopefully that answers your question Dimitri.

Dimitri: 51:25

Great. Yes, thank you.

Jamilla: 51:26

Great. Well, thank you so much, both joining us to meet you. Really enjoyed speaking with you and finding out a lot more about the world of cyber security and about Atakama. So thank you so much for joining us.

Jamal: 51:38

Yes, thank you. Thank you so much, Dimitri. And if people want to find out more about Atakama, so we have professionals all over the world, and many of them will be looking for solutions to really help safeguard their businesses. And Atakama sounds like an ideal solution for them. How can they find out more information?

Dimitri: 51:55

You can go to our website, which is www.atakama.com or feel free to email us at info@atakama.com

Jamal: 52:07

If someone wants to link with you. Are you available on LinkedIn or how can they get in contact with you?

Dimitri: 52:10

I am on LinkedIn. I am on LinkedIn.

Jamal: 52:12

All right, so we will make sure that we link all of those into the podcast. So you can stop listening to the podcast now and you can go into the bottom of the description and you can link in with Dimitri. Make sure you also link into our Facebook group. It's the Privacy Pros academy. It's a private Facebook group where we have tons of resources and knowledge and you get to network with likeminded people. And I really look forward to meeting you there.

Jamilla: 52:36

Great, thank you so much.

Outro: 52:39

If you enjoyed this episode, be sure to subscribe like and share so you're notified when a new episode is released.

Outro: 52:47

Remember to join the Privacy Pros Academy Facebook group where we answer your questions.

Outro: 52:52

Thank you so much for listening. I hope you're leading with some great things that will add value on your journey as a world class privacy pro.

Outro: 52:59

Please leave us a four or five star review, and if you'd like to.

Outro: 53:02

Appear on a future episode of our

Outro: 53:04

Podcast, or have a suggestion for a topic you'd like to hear more about.

Outro: 53:08

Please send an email to team@kazient.co.uk

Outro: 53:13

Until next time, peace be with you.