Episode Transcript
1:11
CyberWork and InfoSec would like to introduce you
1:13
to our new Cybersecurity Beginner
1:15
Immersive Boot Camps . They're designed
1:17
to help you gain and enhance your expertise
1:19
in the cybersecurity field . Join our
1:21
live interactive virtual classes led
1:23
by InfoSec's highly skilled instructors , who
1:25
will guide you through the material and provide real-time
1:28
support . And , as part of InfoSec's
1:30
immersive training , each student will have
1:32
access to career coaching aimed
1:34
at helping them start or switch to the cybersecurity
1:37
field . You heard that right . We aren't here
1:39
to just teach you the concept of what a security
1:41
professional does . We want to prepare you
1:43
to enter the job market with a competitive
1:45
edge in six months time . Now
1:48
I've told you about InfoSec certification boot camps
1:50
, and if you're trying to hit your next career target and
1:52
need a certification to do it , that's still your best
1:54
bet . But if you're an entry-level cybersecurity
1:57
professional or want to be , or you're
1:59
switching your career and want to experience a career
2:01
transformation , InfoSec's
2:08
immersive bootcamps are designed to make you job-ready in six months
2:10
. To learn more , go to infosecinstitute.com/cyberwork , all one
2:12
word , C-Y-B-E-R-W-O-R-K , and learn more about this exciting
2:15
new way to immerse yourself in learning with InfoSec
2:17
. Now let's begin the show . Okay
2:20
, today on CyberWork , my guest is Raj
2:23
Ananthan Pillai , the CEO of
2:25
Trua , a company that is steeped in the current
2:27
issues around digital credentials and data
2:29
privacy . As you no doubt have heard , AT&T
2:32
reported a data breach that compromised personal
2:34
information of approximately 7.6
2:37
million users . Raj discusses
2:39
Trua's mission to leave data thieves holding
2:41
an empty treasure chest You'll know what I mean when you see
2:43
it . He discusses his past work in creating
2:46
TSA PreCheck and gives a bunch of
2:48
great ideas and advice for making sure
2:50
that you're always thinking beyond your current
2:52
position by learning and creating your way
2:54
upward . All that and a whole
2:56
bunch of vitriol about the industry standard collecting
2:59
of social security numbers . Today on
3:01
Cyber Work . Hello
3:06
and welcome to this week's episode of the Cyber
3:09
Work podcast . My guests are a cross
3:11
section of cybersecurity industry thought leaders
3:13
, and our goal is to help you learn about
3:15
cybersecurity trends , the way those trends
3:17
affect the work of infosec professionals , and leave
3:19
you with some tips and advice for breaking
3:21
in or moving up the ladder in the cybersecurity
3:24
industry . My guest today
3:26
, Raj Ananthan Pillai , is
3:29
a passionate entrepreneur and visionary
3:31
leader with many years of experience building
3:33
businesses and investing in the future of technological
3:35
innovation . Raj is the founder and
3:37
CEO of Trua , a technology
3:39
company that provides privacy-preserving
3:42
, reusable , verified digital , credential
3:44
solutions that assure trust and safety
3:46
in digital environments , sharing economy , employment
3:49
and workforce background training . Prior
3:52
to founding Trua , Raj spent
3:54
13 years as the CEO and
3:56
majority shareholder of Infozen , a
3:58
high-end risk management services company
4:00
, which was successfully sold to a publicly traded
4:02
company in 2017 . Prior to this
4:04
, he served as the chief strategy officer
4:07
of Eplus , a business process automation
4:09
and transformative technology solutions
4:11
company . Raj was also the founder and CEO
4:14
of NetBalance , a venture capital-backed
4:16
multi-million dollar software company , which was
4:18
successfully sold . Raj worked
4:20
at AT&T for many years in various
4:22
technical and management capacities , and we're going to
4:24
definitely get into that today . Raj holds an
4:26
MS in engineering physics , an MS
4:28
in electrical engineering , and holds multiple US
4:31
patents and has authored two books on
4:33
management of technology and services
4:35
. So today's topic we're
4:37
going to be talking about the AT&T
4:40
data breach . This is right out of the headlines
4:42
and is a fairly recent story , and
4:44
Raj has some very good insights into what
4:47
happened and what should happen next here . So , Raj , thank
4:49
you so much for joining me today and welcome to CyberWork
4:51
. Thank you for having me
4:53
, Chris , my pleasure . So
4:56
, Raj , to help our listeners get to know
4:58
you a bit better , I went through some of your accomplishments
5:00
in the introduction here
5:02
, but can you tell me about how you first got interested
5:05
in computers and technology and cybersecurity
5:07
? Was there an initial spark ? Did your family
5:09
have a computer ? Was it at school ? What got
5:11
you excited initially ?
5:13
Well , that's an interesting question . I'm the first one to
5:15
go to college in my family , so
5:17
I didn't have any experience , or I didn't
5:19
touch a computer until I was about 22
5:21
or 23 .
5:22
Yeah , yeah , yeah .
5:23
But I've always been at the intersection
5:26
of business , finance and technology
5:28
. Okay , so I'm fortunate to
5:30
have created many successful
5:33
companies that led me to where
5:35
I am today . Before
5:37
starting Trua , as you mentioned
5:40
, I was the CEO of Infozen for over
5:42
13 years . We
5:44
were the developers of reusable
5:46
credentials like TSA
5:49
PreCheck , which I'm sure most of your listeners might
5:51
be familiar with and complex risk
5:54
management solutions . So
5:56
this experience and work on
5:58
some complex risk avoidance
6:01
programs provided
6:04
me the desire to solve various
6:06
identity and data-related
6:08
issues that are plaguing the industry
6:11
today .
6:11
Yeah , yeah , now that's
6:14
really cool . I'm going to come back to that , but I do want
6:16
to talk about your professional background , if
6:18
you don't mind you . You mentioned it in
6:20
your intro and I was reading through your some
6:22
of your your LinkedIn experiences profiles , like
6:24
you're definitely someone who's been comfortable
6:27
and capable in CEO positions for a very
6:29
long time , and whether it's software development
6:31
companies , venture capital firms , financial
6:34
advisory groups , all the way to your current role as CEO
6:36
of Trua . You know you
6:38
have been
6:40
a CEO for as long as I can see , so can
6:42
you talk about what draws you to
6:45
the role of chief executive officer and
6:47
, if there is any
6:49
, what is a commonality that might have linked
6:51
all of the work you've done at these
6:53
different types of commercial sectors
6:56
?
6:56
Oh , wow , that's an interesting question
6:59
. Well , I've been a CEO
7:01
for 20 , 25 plus years
7:03
. Though I wasn't necessarily
7:05
looking for a CEO role anywhere
7:07
, these opportunities seem
7:10
to arise when I wanted to take on challenges
7:12
and solve problems . I've
7:14
always been driven by a desire
7:17
to solve problems and lead such endeavors
7:19
. My career actually began
7:22
at AT&T , where I started as a
7:24
member of the technical staff . So
7:26
when I first joined the company , someone told
7:29
me it would take at least seven to eight
7:31
years before I'd be considered for my first
7:33
promotion . Wow .
7:37
So , determined to beat those odds , I proactively sought
7:39
out opportunities to expand my experience
7:42
and prove I
7:44
could fast track that timeline . One
7:47
day a senior executive stopped by my desk
7:49
, intrigued by how I
7:51
was innovative and thinking out of the box
7:53
. Back in those days at Bell Labs , AT&T
7:55
there was a traditional approach
7:57
to your research , your development efforts
8:01
and so on and so forth . I was always sort
8:03
of thinking out of the box . And
8:05
then a few months later , he called
8:08
me into his office and I thought he was going to fire me
8:10
. But he actually said you
8:12
know , I would recommend you
8:14
for a promotion . That was just about
8:16
three and a half years after I joined the company to
8:19
a different division , though . So
8:21
then I would manage others and work
8:24
to create a new system to solve a major
8:26
global problem that AT&T
8:28
was facing when they bought parts
8:31
of Western Union and they were trying to consolidate
8:33
the business . So
8:40
within a few months , after sort of working on that system , the press was very interested in
8:42
interviewing me about my processes and how I got done such
8:44
a massive project in
8:46
less than a year . That was unheard
8:48
of at AT&T , so I read a
8:51
book about it and how to
8:53
solve complex problems
8:55
. It's to have that focus
8:57
and the desire to succeed all the time
8:59
. So instead of waiting for my next
9:01
promotion at AT&T , I transitioned
9:04
to a smaller company to take on bigger
9:06
management and technology challenges . Right
9:08
, ok , this began a pattern
9:10
of scaling down in company size and
9:13
eventually starting my own companies .
9:16
Yeah .
9:16
Yeah . By proactively seeking out opportunities to
9:18
innovate and demonstrate my capabilities
9:20
, I was able to fast track my career
9:23
progression and eventually become a senior
9:25
.
9:25
Yeah , no , that's very interesting
9:27
. There's something to be said , for
9:30
if you're in too big of a company , you only
9:32
have so much headway that you can make . And so if you start working at
9:37
a more business manageable scale
9:39
, you can . You can rise higher and faster . Now
9:41
I wanted to ask you about
9:43
. You said that you were in a position
9:45
that you didn't feel had
9:48
a lot of . It wasn't moving for you
9:50
fast enough , and so you thought
9:52
of some new ways to sort of get yourself
9:54
noticed , to try some out of the box things
9:56
. Can you talk a little bit about some of the
9:58
projects that you were undertaking
10:01
and were these kind of on the side of what you were
10:03
already doing at work ? Were these kind of like night projects
10:05
, Like what was , what were you doing to sort of fast
10:07
track yourself in that way ?
10:08
Well it's , I had
10:11
a systemic approach to everything
10:13
, right ? If you're referring
10:15
to my times at AT&T , yes , but
10:19
AT&T had a method , so everybody was following
10:21
that method . I was sort of a rebel and
10:24
I would go around different
10:26
processes and sort
10:29
of test it out , because
10:31
over there , if you recall , back then
10:33
every development was sort
10:35
of a methodical , you know , waterfall
10:38
approach , and I had
10:40
thought about agile development
10:42
quote unquote back then , when
10:44
nobody knew how to spell agile . So
10:48
I was doing some of those kinds of stuff
10:50
, quickly testing out something and working
10:52
with other people who are developing hey , can
10:54
you code this for me , come up with a requirement
10:57
? And so on and so forth . And
10:59
that's how I started getting
11:01
more what
11:04
I call entrenched with the problem-solving
11:06
capability .
11:08
Yeah , Now do you
11:10
think you could sort of summarize this
11:13
impulse of yours ? You said you're very systematic
11:15
in your thinking . I mean , for someone who's just getting
11:18
started and is looking to , as
11:20
you say , rise faster and
11:22
sort of move out of a stagnant
11:24
position , like what would you say
11:26
is like the first step to sort of thinking like
11:28
this and sort of moving beyond
11:30
where you are and engaging
11:33
in this kind of out-of-the-box thinking .
11:34
Well , you have to have a purpose in life , right ? What is it that
11:36
you're trying to achieve ? Not just you know , as
11:38
I said , about the CEO thing , right
11:40
, it's not the title that I was going
11:42
after , it's what you do when you're the
11:44
CEO , right . Sometimes , when you are
11:46
your own boss , you can
11:48
dictate how things are done . And
11:51
, yes , you want to bring along
11:53
other people with you , but
11:55
at the same time , you are the visionary
11:58
, you are the one that is providing the purpose
12:00
for the organization . Right , and say , hey
12:02
, we want to solve this problem , because we see
12:04
this problem without any
12:06
solution , it's rudderless . People
12:08
are doing the same thing over and over again
12:10
without any results . So , if
12:13
you think about it , right , most big companies
12:15
are very compartmentalized . They
12:17
are serialized and compartmentalized
12:19
. So nobody wants to go out
12:21
of those boxes and say , hey , why
12:24
are we doing that way ? It's the
12:26
age-old question everything . And
12:28
then keep going to that .
12:31
Yeah , big companies like that are like a gigantic
12:33
machine Everyone's afraid of like . If you change
12:35
out one cog or one flywheel , you're going to like
12:38
. It's going to just break everything apart
12:40
. So it's better to .
12:41
Just because they're afraid , right ? They're afraid , and
12:43
so the first thing I always tell people is
12:45
be secure with yourself , right
12:47
, and you know you
12:49
can if you work hard and try hard . This
12:52
is the best country in the world , right
12:54
? If you work hard and do the best you can
12:59
, you'll always succeed . Yeah , as an immigrant , that's what I learned
13:01
, right ?
13:01
Amazing , yeah , amazing , inspiring
13:04
. I love it . Now , to that end
13:06
, I want to ask you about founding Trua
13:08
, your company that has developed a patented full spectrum
13:10
enterprise insider threat and trust screening
13:13
solution . Now you've been sort
13:15
of working towards this with Infozen and
13:17
so forth , but what was it like starting this
13:19
company and were there any unexpected challenges
13:21
along the way ?
13:22
Well , I'll tell you a little bit about how we got to
13:24
right . So trust is the most
13:26
powerful and sought
13:28
after currency in society today . For
13:31
sure , as a society we
13:33
have moved from trust everyone
13:35
. Remember , a couple of decades , three
13:37
decades ago we were trusting everybody
13:39
. And then we said okay , trust but verify
13:42
right . And now we
13:44
are on to verify
13:47
first and then trust .
13:49
Yes .
13:55
That is a big sea change . In a matter of 20 , 30 , 40 years . That's a big , gigantic
13:57
change because of various technological innovations
14:00
. You would think , with lots of technology
14:03
coming out , you would think that trust will
14:05
be a nice
14:07
, earned , credential or
14:10
earned currency . But no . Today
14:12
nobody trusts anybody . Now
14:14
we can talk about AI at some point
14:16
, but with that , everybody's
14:18
trying to fake and hack their way
14:20
into anything and everything . So that
14:23
is the biggest driver for me
14:25
as to how do we do this , given
14:27
the state of mind-boggling data
14:29
breaches and for us the major
14:32
trigger was this : there
14:34
was a major credit bureau data
14:37
breach a few years ago where 150
14:40
million consumers personal
14:43
sensitive data was exposed , and
14:47
we set out to disrupt that current paradigm
14:49
of collecting sensitive
14:52
personal information all the time
14:54
to make decisions , whether it's employment
14:56
, credit , benefits , services
14:58
or any combination thereof . So the
15:00
first thing is what's your social , what's your date of birth
15:03
, what's your ? You know they start gobbling up all
15:05
of that personal sensitive information . So
15:07
that's where we have developed a solution
15:10
that sort of disrupts the and
15:12
solves that challenge of
15:14
the traditional paradigm of third parties
15:16
doing all of this stuff . Can you talk
15:18
about that a little bit ? Yeah , so
15:21
we've been living and breathing , as
15:23
I mentioned before , identity data
15:25
for the last 15-plus years . In our
15:27
previous company , we were the developers of TSA
15:30
PreCheck and other very highly secure
15:33
digital credential programs
15:35
. We are the first one
15:37
to look at the data ecosystem
15:39
with a person-centric view , with
15:43
a privacy at its core . That is
15:45
the most important thing . I've always been a private
15:47
person . If you see , I personally
15:49
don't have any social handles
15:52
. I have LinkedIn , but other than that I
15:54
don't have a thing , because people
15:56
tend to think , oh , it's free . If
15:59
something is free , you are the product
16:01
. That's right . Be aware of it . Don't
16:04
ever expect any privacy . Don't ever expect
16:06
, because you will be lured into giving more
16:09
and more personal information . First it will be a free
16:11
Gmail account and then it'll be something
16:13
else , and then they say , hey , oh , now it's
16:15
a trusting relationship . Now suck up more
16:17
and more sensitive data that is
16:19
near and dear to your own personal identity
16:22
. So , with our extensive background
16:24
and research and product development on behalf
16:26
of major corporations and
16:28
US intelligence agencies ( we
16:31
work with Homeland Security a lot ) , we
16:33
have been able to flip the entire
16:35
identity verification and
16:37
screening process on its head and
16:40
create a solution that is purpose-built
16:43
for consumers . This is the
16:45
most important thing to take ownership
16:47
and protect their own data by
16:50
providing high assurance to organizations
16:52
that seek to verify and screen individuals
16:55
.
16:56
So this product is aimed specifically
16:59
at individual consumers rather
17:01
than enterprises .
17:02
No , this is coming through the businesses . We
17:05
are now focusing on businesses
17:07
to adopt this and say , hey , you don't
17:09
need to collect this information . Got
17:11
it . All that you care about is verifying
17:13
the individual , right , in the majority
17:15
of the cases . Why do you have to ? Like
17:17
a gym , when you try to get a gym membership
17:20
? They want your social security . I said , why ?
17:22
They don't need
17:24
a social security number when
17:27
you go to a healthcare hospital . Why
17:29
do they need your social security number ? They're
17:31
not looking to look out for your credit report
17:33
. They should be keying
17:36
off of other attributes , not social or
17:38
other personal stuff . So this person-centric
17:41
approach ensures that individuals
17:43
have the ability to protect their
17:45
privacy and maintain control
17:48
over their sensitive personal data .
17:50
So I get the sense that I've heard this a little
17:52
bit before that this is an attempt
17:54
to sort of break out of the security question
17:56
method of verification . Is that right ? It's
17:58
like they want your social security
18:00
so that they can say what are the last four of your social security
18:03
, or you know , so that they you know , which
18:06
is starting to feel like the Stone Ages in terms of
18:08
verification at this point .
18:09
Oh , yeah , that
18:16
verification industry is still called KBA , knowledge-based authentication
18:18
.
18:18
Exactly . What color was your car in 1995 ? Yes , first teacher .
18:20
That data is already in the public domain . When
18:23
all these big breaches happen , all that information
18:25
is already in the public domain . You can mimic and
18:27
create a synthetic ID . We
18:30
need to start moving towards facial
18:33
. That's a key thing . Genuine presence
18:35
, facial we can talk about
18:37
it at some point . That is the way
18:39
it is going to be the implication
18:41
of this innovation where you
18:43
carry your own credential , you get
18:45
it verified once and then all that
18:47
the business is interested in is they need
18:49
to verify that you are who you say you are , right ? That could be , and / or , hey
18:51
, I've verified his
18:56
social security number . I've verified the date
18:58
of birth , I've verified the residence history
19:00
or the current address , but they
19:02
didn't need to know what that is . They
19:04
just need to know that it has been verified . And
19:06
, by the way , here's your liveness detection
19:08
or live picture of yourself , right ? So
19:11
, because the only thing you can have is
19:13
the only form of real
19:16
world identity is some
19:19
form of government issued ID . That's
19:22
what everybody takes , that's what everybody
19:24
starts off with . And now people
19:26
have started scamming
19:28
that and you have fake IDs , and so on and so
19:30
forth . So you need to get all of that
19:35
started out up front once and then reuse it over and over
19:37
again , without ever giving out your
19:40
personal information like social or date of birth
19:42
.
19:42
Yeah , I think that that serves kind of a double purpose
19:45
, in that a lot
19:47
of these places are holding or
19:49
collecting sensitive data like this under
19:51
the auspices of what we need to be able
19:53
to verify , it's you . But once you take
19:56
that completely off the table , then they
19:58
might well have been storing it for other uses , other
20:00
types of analytics , other types of ... It is tempting
20:02
, right , it is tempting , even if they don't have
20:05
any nefarious thing , but they have to store
20:07
it , right ?
20:07
So what you have done is now you have stored a
20:10
million people's identity in one database
20:12
and it's easy for hackers to do it
20:14
. But if you flip it now
20:16
, those million people have
20:18
their own data stored in their own device
20:20
and
20:23
hackers have to attempt a million times to get
20:25
one , whereas the traditional method
20:28
they have to just go to the company and , hey , I'm
20:30
going to attack this big gym
20:32
that has a lot of treasure trove information
20:34
. Exactly . So you
20:36
are flipping it , distributing that information
20:39
. Yes , you know . If you think about
20:41
it , social security number was designed
20:43
for predominantly three things early on
20:46
right : wages for taxes
20:48
. Right , you have to file your taxes with the social . And then government
20:52
benefits , and then employment
20:54
or employment wages . Right
20:56
, those are the only three things . But look
20:58
at it .
21:04
Every Tom , Dick and Harry now wants SSN . Yep . Why ? Credit ratings .
21:06
And they have part of it because that's the current mindset . You have
21:08
to really question that status quo .
21:10
Yeah Well , speaking of treasure
21:12
troves up for the taking , we're
21:14
going to talk about a recent story
21:17
here . Our topic today is AT&T's
21:19
recent report and disclosure of a data breach that
21:22
happened to them . They determined and announced
21:24
that , quote , AT&T data-specific
21:26
fields were contained in a dataset released
21:28
on the dark web approximately two weeks ago
21:30
. According to their disclosure , quote , the data set
21:33
appears to be from 2019 or earlier
21:35
, impacting approximately 7.6
21:37
million current AT&T account
21:39
holders and approximately 65.4 million
21:41
former account holders . So how
21:43
much do we know about this data breach ? If
21:46
we're looking at just their release , it seems
21:48
like they're talking about a robust investigation
21:51
without naming names or identifying ports of entry
21:53
. But what is your best understanding of how these
21:55
data sets made it to the dark web ?
21:57
So , based on the available information right
22:00
, I don't have any inside information , it
22:02
appears that the AT&T data breach
22:04
is still under investigation by the company . The
22:06
specific language used
22:08
in their public statements is quite
22:10
curious and raises some questions
22:12
.
22:13
Okay .
22:14
The fact that they mentioned a data-specific
22:17
set being released on the dark
22:19
web is an unusual detail
22:21
. Typically , when
22:23
a data breach occurs , the compromised information
22:25
is a more comprehensive dataset
22:27
. That means you take the whole database
22:30
, not just one piece of data , rather
22:33
than just specific fields from a database
22:35
. This level
22:38
of specificity suggests
22:40
, I think , the possibility
22:43
of an insider leak rather than
22:45
an outsider . The
22:47
types of sensitive information that were
22:49
exposed are certainly concerning Social
22:52
security numbers , full name , email
22:54
and mailing addresses , phone numbers
22:56
, date of birth and AT&T account details
22:59
. You can question every one of those
23:01
data as to why AT&T had
23:04
them to start with . I
23:06
mean , oh , I want to do a credit check . Okay , you
23:08
had the credit check , but you could have destroyed
23:11
all of that . Why is it still there ? Why
23:15
do you need my date of birth
23:17
? You already verified
23:19
that I'm over 18 to buy a phone or whatever it
23:21
is that I did . Do they want to send you a birthday card
23:23
?
23:24
What
23:24
is that going to do ? Because those are the
23:26
more and more sensitive information . So
23:30
that's where I think you know information
23:33
can be extremely valuable for
23:36
cyber criminals and can enable
23:38
identity theft , phishing scams and other
23:40
malicious activities down the road .
23:42
Yeah , now I mean , how do you feel you
23:44
know this is obviously no one's idea
23:46
of a good outcome , but
23:48
how do you feel about how AT&T is
23:51
handling it thus far ?
23:53
That's the best right . It's one of those big data breaches
23:55
they are unfortunately they're getting more
23:57
headlines because AT&T right
23:59
. If it happened to your regional
24:02
phone company , nobody would talk about it
24:04
because it's a national brand . It is AT&T
24:06
the good old Ma Bell
24:08
right . It's been around since Graham
24:10
Bell right . So everybody knows about AT&T
24:12
. So
24:15
that's probably why it's getting a little bit more attention
24:17
. But the unusual nature of the breach , with
24:19
only certain data fields being compromised
24:21
, is certainly a head-scratcher for me . It's
24:23
possible that AT&T is still
24:25
investigating the source and extent of the leak , but
24:29
their statements are
24:31
very vague and specific at the same time
24:33
, just kind of concerning .
24:35
Okay . Well , again , I'm asking
24:38
you to rely too much on a crystal ball about
24:40
information that you don't know . But
24:42
can you think of any ways
24:45
? I guess the only answer is don't
24:47
have the data in the first place . But if it was an
24:49
insider , what are some ways that
24:51
could keep even someone who works
24:53
for the company out of that particular
24:56
treasure trove in the way that this was exploited ?
25:01
Well , the insider threat is a big deal , right
25:03
. It is something that you have to constantly
25:05
monitor . You have to figure out who's
25:08
doing that , whether they're being blackmailed
25:10
or whether they've been bought out or they're , you
25:12
know they usually have some signals
25:14
, right . You know the insiders . You
25:17
know they got into
25:19
financial trouble and say hey , I can give you some
25:21
data . And to
25:23
a what I call a hacker broker , right
25:28
, and say , hey , you know , here's a bunch of data and you can do , oh , okay , I'll give you $10,000
25:30
for that , so I'll pay off my debt . What
25:33
if I just don't know that right ? That's an interesting
25:35
question . That's there's always a
25:38
motive and a method , right
25:40
. So the sensitive personal data exposed
25:42
in the AT&T breach , including
25:44
hard to change identifiers like social
25:46
, enables criminals to conduct
25:49
large-scale thefts and scams . The
25:54
real danger is going to be not immediately
25:56
, right . It's a delayed impact
25:58
of such breaches . Hackers and
26:00
data buyers often wait until
26:03
the initial uproar subsides
26:05
before crafting targeted scams
26:08
, leaving consumers vulnerable as
26:11
they have forgotten about the incident . Watch it , because
26:13
people are not talking about the incident
26:15
that happened in 2017
26:18
, I think , that big credit
26:20
bureau data breach . 150
26:23
million consumers
26:26
in the United States got their data
26:28
compromised and we are still paying
26:30
. So they don't go
26:32
right after because they know everybody is going to
26:34
get a one-year free monitoring after
26:36
a breach . That is absolutely
26:38
of zero use to you . Yes , exactly
26:41
, hackers have figured out a
26:44
better motive and say , okay , I'm going to wait out at
26:46
least a year and then
26:48
I'll start my thing , because they have plenty to
26:50
work with until then . This
26:53
is all trying to get
26:55
prepared for two years from now . Hey
26:57
, I'm running out of data , so
27:00
that's the kind of stuff .
27:03
Yeah , well , that was what I was going to ask next and you
27:05
kind of answered it partly for me , which
27:07
is is that , yeah , I feel like every other
27:09
week now I'm getting an email or
27:11
a text saying , yeah , we
27:13
got breached , and it's , and it is things like
27:15
you know , I'm getting notifications
27:17
that my CPAP machine somehow they
27:19
leaked like personal information from that
27:21
, which again like , why do you have that ? You know
27:23
, but and it's always that sort
27:25
of you know , if it's change
27:27
your password , fine , I'll change my password
27:30
, it's not that hard . But when
27:32
it's , you know , here's a free
27:34
year of credit monitoring on us , you
27:37
know . You know that something much bigger
27:39
happens . So I guess , from a consumer
27:42
standpoint , raj , do you have any advice
27:44
to sort of keep
27:46
yourself out of the sort
27:48
of blast area of these constant sort
27:50
of breaches ? You
27:53
know , what do you recommend
27:54
for people who are getting sick of this ? There has to
27:56
be a consumer
27:59
revolution , for lack of a better word . Yeah
28:01
, because enough is enough . Sometimes
28:04
we are way too compliant and
28:06
just giving out information . There
28:08
are two reasons for that , right . Some of
28:10
it is because we sign
28:12
up for everything that is free . How
28:15
many people when you check out these days
28:17
hey , can you give us
28:19
your email ? We'll give you instantly 5%
28:22
. But that 5%
28:24
let's assume the person is buying $50
28:27
worth of some goods and they're getting their email
28:29
, right . 5% of $50
28:31
is $2.50 . Let's assume
28:33
, as an example , right , they
28:36
would have blown $5 walking
28:38
out of the building to buy a cappuccino somewhere
28:40
, so they've already lost that
28:42
savings , but they've already
28:44
given out one free thing that
28:46
the vendor wanted
28:48
. And then they want to start sending you more
28:51
information , then more information . So they'll
28:53
start saying , hey , and then you start trusting
28:55
them and then you start giving out more
28:58
information . Hey , I know this place , OK
29:00
, let me buy something online . And you
29:02
put in your credit card information and
29:04
you put in your date of birth for verification
29:06
, or whatever it is . And whatever they do right
29:09
, that is how
29:11
the cycle starts going and
29:14
it never stops . So I
29:17
suggest that be wary of every
29:19
data sharing and question
29:21
everything . Question , question , question
29:23
.
29:26
Yeah , which I think they try to sort
29:28
of wear you down with , all of the sort of terms
29:31
of service that are 80 pages long and every
29:33
time you log onto the site they want you to accept cookies
29:36
again and again . Yeah
29:38
, I mean , I think it is kind of
29:40
you know , they're also waiting
29:42
you out in terms of hoping
29:44
that you'll get this is their best interest
29:46
, right ?
29:49
So if you think about it right , you
29:51
know the regulations are all a mess , right
29:53
? They're trying to band-aid the same process
29:56
. So , anyway , we can talk
29:58
all day .
29:58
Well , so I want to pivot over . The
30:03
purpose of our podcast here obviously is to help students and new cybersecurity professionals
30:05
sharpen the skills that they need to enter
30:07
the cybersecurity industry , and also
30:09
people who are from other walks
30:12
of life who might want to change careers to cybersecurity
30:15
later on . These are all people that listen
30:17
to our show and they're looking for your
30:19
insight . So , speaking to listeners who might want
30:21
to do work in these areas privacy
30:24
, identity management , identity verification
30:26
, data privacy , data collection what
30:28
types of hands-on work or training or
30:30
education or certifications or
30:33
just projects should they
30:35
be working on to make them ready
30:38
to do the work in this particular field ?
30:42
Wow . Okay , that's a lot
30:44
. I
30:47
can try and summarize a little bit . Sure . So
30:49
the field of data privacy and security
30:51
is deeply entrenched , with
30:54
well-established infrastructure , processes
30:57
and methods . Right . So
30:59
to drive meaningful change , we
31:02
must be willing to challenge the status quo
31:04
, as I mentioned before , rather than simply
31:06
repeating the same approaches and expecting
31:08
different results . This is not just
31:11
a matter of insanity , but also a symptom
31:13
of laziness and a lack of thorough
31:15
analysis . To truly
31:17
address the current challenges , we need
31:19
to scrutinize the existing process
31:22
. How is it being done today ? Understand
31:24
the regulatory landscape , because , unfortunately
31:26
, regulation pays a big sum . Familiarize
31:29
yourselves with the latest regulations
31:31
surrounding privacy , security and consumer
31:34
rights . Identify any gaps
31:36
or outdated elements in the existing regulatory
31:38
framework , because that's how you can
31:40
be creative . That's how you can come up with some
31:42
aha moments . Carefully
31:46
examine each step of the current data
31:49
collection , storage and protection process
31:51
. This is a big , big , big issue
31:53
in the United States right now , and worldwide
31:55
as well . Question the rationale
31:58
and assumption behind these
32:00
longstanding methods . Right
32:02
. Recognize that our
32:04
technologies have evolved rapidly
32:06
, while many of the underlying processes
32:09
have remained stagnant . Think about it
32:11
why are third
32:14
parties still doing all of the verification
32:16
? We have democratized so many things
32:18
in our lives , whether it's
32:20
a hotel to Airbnb
32:23
or buying a
32:25
car on your phone . We have democratized
32:27
. We have taken out all of the middlemen
32:30
in many of the processes
32:32
. It should be the same thing . I
32:34
call it data emancipation . Right
32:36
, Free up the data that belongs to the
32:38
consumer . Let them be the guardians
32:41
of it as well . Co-opt them to . Hey
32:43
, this is your data . It's in your best
32:45
interest to keep it with
32:48
you and just share it when you need it
32:50
. That will eliminate
32:52
a whole bunch of this data proliferation
32:55
and hackers are going to really
32:57
, really have a tough time
33:00
. I always say that the
33:02
hackers are moving at lightning speed
33:04
while we are still trying
33:07
to go with our neighborhood
33:09
road speed .
33:10
Yes , exactly , yeah . Yeah . A
33:12
lie can get around the world three times while truth
33:15
is getting its shoes on . Yeah , so
33:17
I think that's a really good advice and just
33:19
to sort of hammer that home , obviously InfoSec
33:22
would like you to , you know , do the work
33:24
of learning things like identity management
33:26
and access management and all the
33:29
good juicy tech stuff , but at the same time
33:31
, make sure that you are doing the
33:33
reading in terms of the
33:35
larger sort of global implications
33:37
. That's what you're saying , basically . Like , understand where
33:39
it's going .
33:40
Study up the landscape . Understand
33:42
it , right , and then take as many wherever
33:45
it's available small projects , big
33:47
projects . Try to solve right . Try
33:50
to think about put yourself in those
33:52
shoes and then not just be
33:54
waiting for somebody to define a problem and say
33:56
hey , why are we doing it this way ? Why is this
33:58
? You know our digital landscape
34:00
has expanded so much , but we're still
34:02
stuck in the you know
34:05
50s and 60s method of collecting
34:07
data and having a third party store
34:10
it in different databases . Why haven't we
34:12
democratized the data and then decentralized
34:14
it right ? Those are all various
34:17
things that you can educate
34:19
and then embrace the co-opting
34:21
of the consumers in guarding their own data
34:23
.
34:23
It is their data .
34:24
Yes , yeah , Social
34:27
Security number and date of birth are assigned to you
34:29
. It is never assigned to a third party . And
34:32
they somehow managed to get it and
34:34
they have it , and now they are bartering
34:36
and selling that information over and over again
34:38
.
34:39
Yeah , absolutely , and yeah
34:41
, I think that's really great
34:43
advice . Yeah , absolutely .
34:45
And we have other things right . We don't go
34:47
to you know
34:49
, every time you want to drive , you don't go to the
34:52
DMV to buy a license , right ? You
34:54
get it once , you drive it . Same thing
34:57
with TSA PreCheck . You don't , you know , once you
34:59
get it , reuse it as long as it is current
35:01
and active and , you know , always live , that's
35:03
all that matters . So why haven't we applied that
35:05
to identity verification ? Because
35:07
that's where most of the people collect that
35:09
personal information , store it and then
35:11
for no reason , it gets
35:13
compromised .
35:14
Yeah , I think some of those project ideas are really good
35:17
and I think also the idea of no
35:19
matter how early you are into the game
35:21
and you're in your learning , to not be afraid to
35:23
take big swings in terms of trying to solve big
35:25
problems . I think
35:28
companies or employers are not going to care if
35:30
you solve the problem of identity . Obviously
35:35
you're not going to if you've been doing this for two years . But they want to see that
35:37
you are sort of looking at these problems and suggesting solutions
35:39
or suggesting fixes . And
35:41
to that end , I guess , Raj , are there
35:44
particular skills gaps among people who are
35:46
trying to get hired into these positions that
35:48
you're trying to fill ? I mean , I
35:51
know you probably hire people all the time . Are there
35:53
certain skill areas or qualifications
35:55
that you consistently see lacking , that you'd like to see more
35:57
universal , even if it is things like big
35:59
box thinking like that ?
36:01
Developing analytical skills , and
36:03
STEM and engineering education is of
36:06
paramount importance in this field . We
36:08
lack those things analytical skills
36:11
and engineering . If you have , even if you
36:13
go through two years of engineering , right
36:15
, you start developing that thing about
36:17
challenging the notion , working out
36:19
all of those things , immerse yourself in practical
36:22
training and projects wherever they may be
36:24
offered . Studying just a
36:26
textbook does not help you in this field . The hackers
36:28
, as I said , are moving at lightning speed
36:30
and we sometimes seem to be stuck in our local
36:32
road speeds . So it is very
36:35
important to be on top of things . And
36:38
you know , even in community college
36:40
, right , if you don't have a
36:43
means to go to a community college , even
36:45
if you have high school , finish your high school
36:47
. High school is the minimum currency
36:49
you need , especially if you're
36:51
in this field , because there are other
36:54
fields that may not require a college
36:56
diploma , but in this field
36:58
, you do need a little bit of awareness
37:00
of the landscape , because digital landscape
37:03
is very complex .
37:05
Yeah , absolutely . I think those are
37:07
all really great pieces
37:09
of advice . So before I let you go , Raj , can
37:11
you tell our listeners it
37:13
sounds like you kind of make the career advice
37:15
, but can you tell our listeners the best piece of career advice you
37:17
ever received , whether from a mentor or
37:19
a teacher or colleague ?
37:22
That's a good one . So a professor
37:25
that I really liked many
37:27
years ago you
37:30
know I was bidding goodbye
37:32
as I was graduating
37:34
he said always have a goal
37:37
and try to achieve them and
37:39
repeat them until you're tired , until
37:43
you're tired , until you're tired . That
37:45
means yeah , because you will have
37:47
a goal even at 90 years old
37:50
. The goal could be just I want to get up tomorrow without
37:52
backache , right ? Yeah , right , right . I'm
37:54
saying right , so keep
37:57
having a goal and then
37:59
achieve it . Right , not just have
38:01
a goal and then , uh , I didn't make it
38:03
right . Yes , you'll be making mistakes , that's
38:05
okay . Without making mistakes you'll never
38:07
learn , as you know , right , but
38:09
don't repeat the same mistake .
38:11
Yeah , don't repeat the same mistake . Don't
38:14
get complacent with the idea that you can't
38:16
do something . I suppose , just keep trying if you fail
38:18
.
38:19
This is the best country for that . This
38:21
country offers you the opportunity to succeed
38:24
. Yeah .
38:26
Now as we wrap up . Raj
38:28
, you talked about Trua a bit . If you want
38:30
to talk more about what your platform
38:32
does and you know a bit more
38:34
about the product , feel free to do so before we wrap up
38:36
here .
38:37
Okay , so
38:39
thank you for that . Trua's reusable fully
38:42
verified digital credential right
38:44
Eliminates fundamental risk posed
38:47
by individuals repeatedly providing
38:49
sensitive personal information . This
38:52
reusable verified credential natively
38:55
safeguards individuals'
38:57
private information , thus reducing the risk
38:59
of data breaches for organizations
39:02
and consumers' identity theft . To
39:05
us , technology ensures a high level
39:07
of assurance and security in
39:09
interaction across various digital channels
39:11
and modes , while saving organizations
39:14
billions of dollars because they don't
39:16
have to collect , store and card and
39:19
have cyber insurance all
39:21
kinds of stuff that you have to pay .
39:23
They have to pay out settlements all the time .
39:25
Yep . Litigation , compliance , all of those things
39:27
. Yep . Right , litigation , compliance , all of those things
39:29
you can minimize , yeah
39:31
, Drastically .
39:32
Yeah , moving towards having an empty
39:34
treasure chest here , yeah , Because the
39:37
hackers can come in .
39:38
They have nothing there , Right ? It's all
39:40
in the people's hands .
39:41
Yeah , absolutely it's . It's . It's happening
39:43
in the moment , and that's it .
39:44
On demand , getting it and then verify
39:46
. That's it . You don't store anything , you don't keep
39:49
anything .
39:50
Great . One last question here if our listeners
39:52
want to learn more about you , Raj , or
39:54
especially about Trua I mean , you said you're on LinkedIn
39:56
, but where should they look online for Trua ?
39:58
Obviously , I'm on LinkedIn . LinkedIn for Trua
40:01
is also Trua , and
40:04
truame.com is our website
40:06
. There's plenty of information . Go under resources
40:08
. I've written
40:10
a lot extensively about various facets
40:13
of society and whether
40:15
it's the dating side , how you know the
40:18
dating is legit , or
40:21
hiring somebody to come and work in
40:23
your house . How do you know all of those things right
40:25
? So , without collecting
40:27
personal information , how do you accomplish
40:30
the need for verification or
40:32
security screening ? And that's what
40:34
I talk extensively . Twitter
40:38
is at Trua , underscore me . Facebook
40:41
is Trua me . Instagram
40:43
is hashtag Trua
40:45
score . LinkedIn is Trua . And Medium
40:48
we also have a
40:50
Medium where we have a lot of articles there .
40:52
And Trua . Okay , and Trua is spelled T-R-U-A
40:54
correct .
40:54
T-R-U-A . Trua , and our website
40:56
is truame.com , T-R-U-A-M-E dot com
40:59
.
41:00
Fabulous , all right . Well , thank you so much for joining me today
41:02
, Raj . This was incredibly informative
41:04
and a lot of fun . Thank you , Chris
41:07
, for having me , and thank you to
41:09
everyone who watches and listens and writes into
41:11
the podcast with feedback . If you have any topics you'd
41:13
like us to cover or guests you'd like to see on the show
41:15
, just put them in the comments below
41:17
. We are trying to get through them as best we can
41:19
, but before we go , don't forget infosecinstitute.com
41:23
slash free , where you can get a whole bunch of free
41:25
and exclusive stuff for cyber work listeners . This
41:27
includes a trailer for our new security awareness
41:29
training series , Work Bytes , which is smartly
41:31
scripted and hilariously active set of videos
41:34
, uh , in which a very strange office
41:36
staffed by a pirate , a zombie , an alien , a fairy
41:38
princess , a vampire and others navigate
41:40
their way through the age-old struggles of yore
41:42
whether it's not clicking on the treasure map . Someone
41:44
just emailed you making sure your nocturnal
41:46
vampiric accounting work at the hotel is VPN
41:48
secured and realizing that even if
41:50
you have a face as recognizable as the office's
41:53
terrifying IT guy Boneslicer , we
41:55
still can't buzz you in without your key card . Anyway
41:57
, go to the site and check out the trailer . We
41:59
can also go to infosecinstitute.com slash
42:02
free for your free cybersecurity
42:04
talent development ebook . Here you'll find
42:06
in-depth training plans and strategies for
42:09
the 12 most common security roles , including
42:11
SOC analyst , pen tester , cloud security
42:13
engineer , information risk analyst , privacy manager
42:16
, secure coder , ICS professional
42:18
and more . One more time , infosecinstitute.com
42:21
slash free and yes , the link is in the description
42:23
below as well . One last time
42:25
, thank you so much to Raj
42:27
Ananthan Pillai and Trua , and
42:30
thank you so much for watching and listening and
42:32
until next week . This is Chris Sienko signing off , saying
42:34
happy learning .