Revolutionizing digital identity, data privacy and data security | Guest Raj Ananthanpillai

Released Tuesday, 4th June 2024

Episode Transcript

Transcripts are displayed as originally observed. Some content, including advertisements may have changed.

1:11

CyberWork and InfoSec would like to introduce you

1:13

to our new Cybersecurity Beginner

1:15

Immersive Boot Camps . They're designed

1:17

to help you gain and enhance your expertise

1:19

in the cybersecurity field . Join our

1:21

live interactive virtual classes led

1:23

by InfoSec's highly skilled instructors , who

1:25

will guide you through the material and provide real-time

1:28

support . And , as part of InfoSec's

1:30

immersive training , each student will have

1:32

access to career coaching aimed

1:34

at helping them start or switch to the cybersecurity

1:37

field . You heard that right . We aren't here

1:39

to just teach you the concept of what a security

1:41

professional does . We want to prepare you

1:43

to enter the job market with a competitive

1:45

edge in six months' time . Now

1:48

I've told you about InfoSec certification boot camps

1:50

, and if you're trying to hit your next career target and

1:52

need a certification to do it , that's still your best

1:54

bet . But if you're an entry-level cybersecurity

1:57

professional or want to be , or you're

1:59

switching your career and want to experience a career

2:01

transformation , InfoSec's

2:08

immersive bootcamps are designed to make you job-ready in six months

2:10

. To learn more , go to infosecinstitute.com/cyberwork , all one

2:12

word C-Y-B-E-R-W-O-R-K and learn more about this exciting

2:15

new way to immerse yourself in learning with InfoSec

2:17

. Now let's begin the show . Okay

2:20

, today on CyberWork , my guest is Raj

2:23

Ananthanpillai , the CEO of

2:25

Trua , a company that is steeped in the current

2:27

issues around digital credentials and data

2:29

privacy . As you no doubt have heard , AT&T

2:32

reported a data breach that compromised personal

2:34

information of approximately 7.6

2:37

million users . Raj discusses

2:39

Trua's mission to leave data thieves holding

2:41

an empty treasure chest . You'll know what I mean when you see

2:43

it . He discusses his past work in creating

2:46

TSA PreCheck and gives a bunch of

2:48

great ideas and advice for making sure

2:50

that you're always thinking beyond your current

2:52

position by learning and creating your way

2:54

upward . All that and a whole

2:56

bunch of vitriol about the industry standard collecting

2:59

of social security numbers . Today on

3:01

Cyber Work . Hello

3:06

and welcome to this week's episode of the Cyber

3:09

Work podcast . My guests are a cross

3:11

section of cybersecurity industry thought leaders

3:13

, and our goal is to help you learn about

3:15

cybersecurity trends , the way those trends

3:17

affect the work of infosec professionals , and leave

3:19

you with some tips and advice for breaking

3:21

in or moving up the ladder in the cybersecurity

3:24

industry . My guest today

3:26

, Raj Ananthanpillai , is

3:29

a passionate entrepreneur and visionary

3:31

leader with many years of experience building

3:33

businesses and investing in the future of technological

3:35

innovation . Raj is the founder and

3:37

CEO of Trua , a technology

3:39

company that provides privacy-preserving

3:42

, reusable , verified digital , credential

3:44

solutions that assures trust and safety

3:46

in digital environments , sharing economy , employment

3:49

and workforce background training . Prior

3:52

to founding Trua , Raj spent

3:54

13 years as the CEO and

3:56

majority shareholder of Infozen , a

3:58

high-end risk management services company

4:00

, which was successfully sold to a publicly traded

4:02

company in 2017 . Prior to this

4:04

, he served as the chief strategy officer

4:07

of Eplus , a business process automation

4:09

and transformative technology solutions

4:11

company . Raj was also the founder and CEO

4:14

of NetBalance , a venture capital-backed

4:16

multi-million dollar software company , which was

4:18

successfully sold . Raj worked

4:20

at AT&T for many years in various

4:22

technical and management capacities , and we're going to

4:24

definitely get into that today . Raj holds an

4:26

MS in engineering physics , an MS

4:28

in electrical engineering , and holds multiple US

4:31

patents and has authored two books on

4:33

management of technology and services

4:35

. So today's topic we're

4:37

going to be talking about the AT&T

4:40

data breach . This is right out of the headlines

4:42

and is a fairly recent story , and

4:44

Raj has some very good insights into what

4:47

happened and what should happen next here . So , Raj , thank

4:49

you so much for joining me today and welcome to CyberWork

4:51

. Thank you for having me

4:53

, Chris , my pleasure . So

4:56

, Raj , to help our listeners get to know

4:58

you a bit better , I went through some of your accomplishments

5:00

in the introduction here

5:02

, but can you tell me about how you first got interested

5:05

in computers and technology and cybersecurity

5:07

? Was there an initial spark ? Did your family

5:09

have a computer ? Was it at school ? What got

5:11

you excited initially ?

5:13

Well , that's an interesting question . I'm the first one to

5:15

go to college in my family , so

5:17

I didn't have any experience , or I didn't

5:19

touch a computer until I was about 22

5:21

or 23 .

5:22

Yeah , yeah , yeah .

5:23

But I've always been at the intersection

5:26

of business , finance and technology

5:28

. Okay , so I'm fortunate to

5:30

have created many successful

5:33

companies that led me to where

5:35

I am today . Before

5:37

starting Trua , as you mentioned

5:40

, I was the CEO of Infozen for over

5:42

13 years . We

5:44

were the developers of reusable

5:46

credentials like TSA

5:49

PreCheck I'm sure most of your listeners might

5:51

be familiar with and complex risk

5:54

management solutions . So

5:56

this experience and work on

5:58

some complex risk avoidance

6:01

programs provided

6:04

me the desire to solve various

6:06

identity and data-related

6:08

issues that are plaguing the industry

6:11

today .

6:11

Yeah , yeah , now that's

6:14

really cool . I'm going to come back to that , but I do want

6:16

to talk about your professional background , if

6:18

you don't mind you . You mentioned it in

6:20

your intro and I was reading through your some

6:22

of your your LinkedIn experiences profiles , like

6:24

you're definitely someone who's been comfortable

6:27

and capable in CEO positions for a very

6:29

long time , and whether it's software development

6:31

companies , venture capital firms , financial

6:34

advisory groups , all the way to your current role as CEO

6:36

of Trua . You know you

6:38

have been

6:40

a CEO for as long as I can see , so can

6:42

you talk about what draws you to

6:45

the role of chief executive officer and

6:47

, if there is any

6:49

, what is a commonality that might have linked

6:51

all of the work you've done at these

6:53

different types of commercial sectors

6:56

?

6:56

Oh , wow , that's an interesting question

6:59

. Well , I've been a CEO

7:01

for 20 , 25 plus years

7:03

. Though I wasn't necessarily

7:05

looking for a CEO role anywhere

7:07

, these opportunities seem

7:10

to arise when I wanted to take on challenges

7:12

and solve problems . I've

7:14

always been driven by a desire

7:17

to solve problems and lead such endeavors

7:19

. My career actually began

7:22

at AT&T , where I started as a

7:24

member of the technical staff . So

7:26

when I first joined the company , someone told

7:29

me it would take at least seven to eight

7:31

years before I'd be considered for my first

7:33

promotion . Wow

7:37

. So , determined to beat those odds , I proactively sought

7:39

out opportunities to expand my experience

7:42

and prove I

7:44

could fast track that timeline . One

7:47

day a senior executive stopped by my desk

7:49

, intrigued by how I

7:51

was innovative and thinking out of the box

7:53

. Back in those days Bell Labs , AT&T

7:55

there is a traditional approach

7:57

to your research , your development efforts

8:01

and so on and so forth . I was always sort

8:03

of thinking out of the box . And

8:05

then a few months later , he called

8:08

me into his office and I thought he was going to fire me

8:10

. But he actually said you

8:12

know , I would recommend you

8:14

for my promotion . That was just about

8:16

three and a half years after I joined the company to

8:19

a different division , though . So

8:21

then I would manage others and work

8:24

to create a new system to solve a major

8:26

global problem that AT&T

8:28

was facing when they bought parts

8:31

of Western Union and they were trying to consolidate

8:33

the business . So

8:40

within a few months , after sort of working on that system , the press was very interested in

8:42

interviewing me about my processes and how I got done such

8:44

a massive project in

8:46

less than a year . That was unheard

8:48

of at AT&T , so I read a

8:51

book about it and how to

8:53

solve complex problems

8:55

. It's to have that focus

8:57

and the desire to succeed all the time

8:59

. So instead of waiting for my next

9:01

promotion at AT&T , I transitioned

9:04

to a smaller company to take on bigger

9:06

management and technology challenges . Right

9:08

, ok , this began a pattern

9:10

of scaling down in company size and

9:13

eventually starting my own companies .

9:16

Yeah .

9:16

Yeah , but productively . Seeking out opportunities to

9:18

innovate and demonstrate my capabilities

9:20

, I was able to fast track my career

9:23

progression and eventually become a senior

9:25

.

9:25

Yeah , no , that's very interesting

9:27

. There's something to be said , for

9:30

if you're in too big of a company , there's only you only

9:32

have so much headway that you can do . And so if you start working at

9:37

a more business manageable scale

9:39

, you can . You can rise higher and faster . Now

9:41

I wanted to ask you about

9:43

. You said that you were in a position

9:45

that you didn't feel had

9:48

a lot of . It wasn't moving for you

9:50

fast enough , and so you thought

9:52

of some new ways to sort of get yourself

9:54

noticed , to try some out of the box things

9:56

. Can you talk a little bit about some of the

9:58

projects that you were undertaking

10:01

and were these kind of on the side of what you were

10:03

already doing at work ? Were these kind of like night projects

10:05

, Like what was , what were you doing to sort of fast

10:07

track yourself in that way ?

10:08

Well it's , I had

10:11

a systemic approach to everything

10:13

, right ? If you're referring

10:15

to my times at AT&T , yes , but

10:19

AT&T had a method , so everybody was following

10:21

that method . I was sort of a rebel and

10:24

I would go around different

10:26

processes and sort

10:29

of test it out , because

10:31

over there , if you recall , back then

10:33

every development was sort

10:35

of a methodical , you know , waterfall

10:38

approach , and I had

10:40

thought about agile development

10:42

quote unquote back then , when

10:44

nobody knew how to spell agile . So

10:48

I was doing some of those kinds of stuff

10:50

, quickly testing out something and working

10:52

with other people who are developing hey , can

10:54

you code this for me , come up with a requirement

10:57

? And so on and so forth . And

10:59

that's how I started getting

11:01

more what

11:04

I call entrenched with the problem-solving

11:06

capability .

11:08

Yeah , Now do you

11:10

think you could sort of summarize this

11:13

impulse of yours ? You said you're very systematic

11:15

in your thinking . I mean , for someone who's just getting

11:18

started and is looking to , as

11:20

you say , rise faster and

11:22

sort of move out of a stagnant

11:24

position , like what would you say

11:26

is like the first step to sort of thinking like

11:28

this and sort of moving beyond

11:30

where you are and engaging

11:33

in this kind of out-of-the-box thinking .

11:34

Well , you have to have a purpose in life , right ? What is it that

11:36

you're trying to achieve ? Not just you know , as

11:38

I said , about the CEO thing , right

11:40

, it's not the title that I was going

11:42

after , it's what you do when you're the

11:44

CEO , right . Sometimes , when you are

11:46

your own boss , you can

11:48

dictate how things are done . And

11:51

, yes , you want to bring along

11:53

other people with you , but

11:55

at the same time , you are the visionary

11:58

, you are the one that is providing the purpose

12:00

for the organization . Right , and say , hey

12:02

, we want to solve this problem , because we see

12:04

this problem without any

12:06

solution , it's rudderless . People

12:08

are doing the same thing over and over again

12:10

without any results . So , if

12:13

you think about it , right , most big companies

12:15

are very compartmentalized . They

12:17

are serialized and compartmentalized

12:19

. So nobody wants to go out

12:21

of those boxes and say , hey , why

12:24

are we doing that way ? It's the

12:26

age-old question everything . And

12:28

then keep going to that .

12:31

Yeah , big companies like that are like a gigantic

12:33

machine Everyone's afraid of like . If you change

12:35

out one cog or one flywheel , you're going to like

12:38

. It's going to just break everything apart

12:40

. So it's better to .

12:41

Just Because they're afraid , right , they're afraid , and

12:43

so the first thing I always tell people is

12:45

be secure with yourself , right

12:47

, and you know you

12:49

can if you work hard and try hard . This

12:52

is the best country in the world , right

12:54

? If you work hard and do the best you can

12:59

, you'll always succeed . Yeah , as an immigrant , that's what I learned

13:01

, right ?

13:01

Amazing , yeah , amazing , inspiring

13:04

. I love it . Now , to that end

13:06

, I want to ask you about founding Trua

13:08

, your company that has developed a patented full spectrum

13:10

enterprise insider threat and trust screening

13:13

solution . Now you've been sort

13:15

of working towards this with Infozen and

13:17

so forth , but what was it like starting this

13:19

company and were there any unexpected challenges

13:21

along the way ?

13:22

Well , I'll tell you a little bit about how we got to

13:24

right . So trust is the most

13:26

powerful and sought

13:28

after currency in society today . For

13:31

sure , as a society we

13:33

have moved from trust everyone

13:35

. Remember many , many couple of decades . Three

13:37

decades ago we were trusting everybody

13:39

. And then we said okay , trust but verify

13:42

right . And now we

13:44

are on to verify

13:47

first and then trust .

13:49

Yes .

13:55

That is a big sea change . In a matter of 20 , 30 , 40 years . That's a big , gigantic

13:57

change because of various technological innovations

14:00

. You would think , with lots of technology

14:03

coming out , you would think that trust will

14:05

be a nice

14:07

, earned , credential or

14:10

earned currency . But no , Today

14:12

nobody trusts anybody . Now

14:14

we can talk about AI at some point

14:16

, but with that , everybody's

14:18

trying to fake and hack their way

14:20

into anything and everything . So that

14:23

is the biggest driver for me

14:25

as to how do we do this , given

14:27

the state of mind-boggling data

14:29

breaches and for us the major

14:32

trigger was the . There

14:34

was a major credit bureau data

14:37

breach a few years ago where 150

14:40

million consumers' personal

14:43

sensitive data was exposed , and

14:47

we set out to disrupt that current paradigm

14:49

of collecting sensitive

14:52

personal information all the time

14:54

to make decisions , whether it's employment

14:56

, credit , benefits , services

14:58

or any combination thereof . So the

15:00

first thing is what's your social , what's your date of birth

15:03

, what's your ? You know they start gobbling up all

15:05

of that personal sensitive information . So

15:07

that's where we have developed a solution

15:10

that sort of disrupts the and

15:12

solves that challenge of

15:14

the traditional paradigm of third parties

15:16

doing all of this stuff . Can you talk

15:18

about that a little bit ? Yeah , so

15:21

we've been living and breathing , as

15:23

I mentioned before identity data

15:25

. For the last 15 plus years In our

15:27

previous company , we are the developers of TSA

15:30

PreCheck and other very highly secure

15:33

digital credential programs

15:35

. We are the first one

15:37

to look at the data ecosystem

15:39

with a person-centric view , with

15:43

a privacy at its core . That is

15:45

the most important thing . I've always been a private

15:47

person . If you see , I personally

15:49

don't have any social handles

15:52

. I have LinkedIn , but other than that I

15:54

don't have a thing , Because people

15:56

tend to think , oh , it's free . If

15:59

something is free , you are the product

16:01

. That's right . Be aware of it . Don't

16:04

ever expect any privacy . Don't ever expect

16:06

, because you will be lured into giving more

16:09

and more personal information . First it will be a free

16:11

Gmail account and then it'll be something

16:13

else , and then they say , hey , oh , now it's

16:15

a trusting relationship . Now suck up more

16:17

and more sensitive data that is

16:19

near and dear to your own personal identity

16:22

. So , with our extensive background

16:24

and research and product development on behalf

16:26

of major corporations and

16:28

US intelligence agencies . We

16:31

work with Homeland Security a lot . We

16:33

have been able to flip the entire

16:35

identity verification and

16:37

screening process on its head and

16:40

create a solution that is purpose-built

16:43

for consumers . This is the

16:45

most important thing to take ownership

16:47

and protect their own data by

16:50

providing high assurance to organizations

16:52

that seek to verify and screen individuals

16:55

.

16:56

So this product is aimed specifically

16:59

at individual consumers rather

17:01

than enterprises .

17:02

No , this is coming through the businesses . We

17:05

are now focusing on businesses

17:07

to adopt this and say , hey , you don't

17:09

need to collect this information Got

17:11

it All that you care about is verifying

17:13

the individual right Majority

17:15

of the cases . Why do you have to keep like

17:17

a gym when you try to get a gym membership

17:20

? They want your social security . I said why

17:22

they don't need

17:24

a social security number when

17:27

you go to a healthcare hospital . Why

17:29

do they need your social security number ? They're

17:31

not looking to look out for your credit report

17:33

. They should be keying

17:36

off of other attributes , not social or

17:38

other personal stuff . So this person-centric

17:41

approach ensures that individuals

17:43

have the ability to protect their

17:45

privacy and maintain control

17:48

over their sensitive personal data .

17:50

So I get the sense that I've heard this a little

17:52

bit before that this is an attempt

17:54

to sort of break out of the security question

17:56

method of verification . Is that right ? It's

17:58

like they want your social security

18:00

so that they can say what are the last four of your social security

18:03

, or you know , so that they you know , which

18:06

is starting to feel like the Stone Ages in terms of

18:08

verification at this point .

18:09

Oh , yeah , that

18:16

verification industry is still called KBA , knowledge-based authentication

18:18

.

18:18

Exactly what color was your car in 1995 ? Yes , first teacher .

18:20

That data is already in the public domain . When

18:23

all these big breaches happen , all that information

18:25

is already in the public domain . You can mimic and

18:27

create a synthetic ID . We

18:30

need to start moving towards facial

18:33

. That's a key thing . Genuine presence

18:35

, facial we can talk about

18:37

it at some point . That is the way

18:39

it is going to be the implication

18:41

of this innovation where you

18:43

carry your own credential , you get

18:45

it verified once and then all that

18:47

the business is interested in is they need

18:49

to verify that you are who you say you are , right , that could be . And or hey , I've verified his

18:56

social security number . I've verified the date

18:58

of birth , I've verified the residence history

19:00

or the current address , but they

19:02

didn't need to know what that is . They

19:04

just need to know that it has been verified . And

19:06

, by the way , here's your liveness detection

19:08

or live picture of yourself , right ? So

19:11

, because the only thing you can have is

19:13

the only form of real

19:16

world identity is some

19:19

form of government issued ID . That's

19:22

what everybody takes , that's what everybody

19:24

starts off with . And now people

19:26

have started scamming

19:28

that and you have fake IDs , and so on and so

19:30

forth . So you need to get all of that

19:35

started out up front once and then reuse it over and over

19:37

again , without ever giving out your

19:40

personal information like social or date of birth

19:42

.

19:42

Yeah , I think that that serves kind of a double purpose

19:45

, in that a lot

19:47

of these places are holding or

19:49

collecting sensitive data like this under

19:51

the auspices of what we need to be able

19:53

to verify , it's you . But once you take

19:56

that completely off the table , then they

19:58

might well have been storing it for other uses , other

20:00

types of analytics , other types of it is tempting

20:02

, right , it is tempting , even if they don't have

20:05

any nefarious thing , but they have to store

20:07

it , right ?

20:07

So what you have done is now you have stored a

20:10

million people's identity in one database

20:12

and it's easy for hackers to do it

20:14

. But if you flip it now

20:16

, those million people have

20:18

their own data stored in their own device

20:20

and

20:23

hackers have to attempt a million times to get

20:25

one , whereas the traditional method

20:28

they have to just go to the company and , hey , I'm

20:30

going to attack this big gym

20:32

that has a lot of treasure trove information

20:34

. Exactly . So you

20:36

are flipping it , distributing that information

20:39

. Yes , you know . If you think about

20:41

it , social security number was designed

20:43

for predominantly three things early on

20:46

right , wages for taxes

20:48

. Right , you have to file your taxes the social , and then

20:52

government benefits , and then employment

20:54

or employment wages . Right

20:56

, those are the only three things . But look

20:58

at it .

21:04

Every Tom , Dick and Harry now wants SSN , yep , why Credit ratings ?

21:06

And they have the part of it because that's the current mindset . You have

21:08

to really question that status quo .

21:10

Yeah Well , speaking of treasure

21:12

troves up for the taking , we're

21:14

going to talk about a recent story

21:17

here . Our topic today is AT&T's

21:19

recent report and disclosure of a data breach that

21:22

happened to them . They determined and announced

21:24

that quote . AT&T data-specific

21:26

fields were contained in a dataset released

21:28

on the dark web approximately two weeks ago

21:30

. According to their disclosure quote , the data set

21:33

appears to be from 2019 or earlier

21:35

, impacting approximately 7.6

21:37

million current AT&T account

21:39

holders and approximately 65.4 million

21:41

former account holders . So how

21:43

much do we know about this data breach ? If

21:46

we're looking at just their release , it seems

21:48

like they're talking about a robust investigation

21:51

without naming names or identifying ports of entry

21:53

. But what is your best understanding of how these

21:55

data sets made it to the dark web ?

21:57

So , based on the available information right

22:00

, I don't have anything inside information it

22:02

appears that the AT&T data breach

22:04

is still an investigation by the company . The

22:06

specific language used

22:08

in their public statements is quite

22:10

curious and raises some questions

22:12

.

22:13

Okay .

22:14

The fact that they mentioned a data-specific

22:17

set being released on the dark

22:19

web is an unusual detail

22:21

. Typically , when

22:23

a data breach occurs , the compromised information

22:25

is more comprehensive dataset

22:27

. That means you take the whole database

22:30

, not just one pieces of data , rather

22:33

than just specific fields from a database

22:35

. This level

22:38

of specificity suggests

22:40

, I think , the possibility

22:43

of an insider leak rather than

22:45

an outsider . The

22:47

types of sensitive information that were

22:49

exposed are certainly concerning Social

22:52

security numbers , full name , email

22:54

and mailing addresses , phone numbers

22:56

, date of birth and AT&T account details

22:59

. You can question every one of those

23:01

data as to why AT&T had

23:04

them to start with . I

23:06

mean , oh , I want to do a credit check . Okay , you

23:08

had the credit check , but you could have destroyed

23:11

all of that . Why do you still there ? Why

23:15

do you need my date of birth

23:17

? You already verified

23:19

that I'm over 18 to buy a phone or whatever it

23:21

is that I did they want to send you a birthday card

23:23

?

23:24

What ?

23:24

is that going to do ? Because those are the

23:26

more and more sensitive information . So

23:30

that's where I think you know information

23:33

can be extremely valuable for

23:36

cyber criminals and can enable

23:38

identity theft , phishing scams and other

23:40

malicious activities down the road .

23:42

Yeah , now I mean , how do you feel you

23:44

know this is obviously no one's idea

23:46

of a good outcome , but

23:48

how do you feel about how AT&T is

23:51

handling it thus far ?

23:53

That's the best right . It's one of those big data breaches

23:55

they are unfortunately they're getting more

23:57

headlines because AT&T right

23:59

. If it happened to your regional

24:02

phone company , nobody would talk about it

24:04

because it's a national brand . It is AT&T

24:06

the good old Ma Bell

24:08

right . It's been around since Graham

24:10

Bell right . So everybody knows about AT&T

24:12

. So

24:15

that's probably why it's getting a little bit more attention

24:17

. But the unusual nature of the breach , with

24:19

only certain data fields being compromised

24:21

, certainly a head-scratcher for me . It's

24:23

possible that AT&T is still

24:25

investigating the source and extent of the leak , but

24:29

their statements are

24:31

very vague and specific at the same time

24:33

, just kind of concerning .

24:35

Okay . Well , again , I'm asking

24:38

you to rely too much on a crystal ball about

24:40

information that you don't know . But

24:42

can you think of any ways

24:45

? I guess the only answer is don't

24:47

have the data in the first place . But if it was an

24:49

insider , what are some ways that

24:51

could keep even someone who works

24:53

for the company out of that particular

24:56

treasure trove in the way that this was exploited ?

25:01

Well , the insider threat is a big deal , right

25:03

. It is Something that you have to constantly

25:05

monitor . You have to figure it out who's

25:08

doing that , whether they're in their blackmail

25:10

or whether they bought out or they're , you

25:12

know they usually have some signals

25:14

, right . You know the insiders . You

25:17

know they got into

25:19

financial trouble and say hey , I can give you some

25:21

data . And to

25:23

a what I call a hacker broker , right

25:28

, and say , hey , you know , here's a bunch of data and you can do , oh , okay , I'll give you $10,000

25:30

for that , so I'll pay off my debt . What

25:33

if I just don't know that right ? That's an interesting

25:35

question . That's there's always a

25:38

motive and a method , right

25:40

. So the sensitive personal data exposed

25:42

in the AT&T breach , including

25:44

hard to change identifiers like social

25:46

, enables criminals to conduct

25:49

large-scale thefts and scams . The

25:54

real danger is going to be not immediately

25:56

, right . It's a delayed impact

25:58

of such breaches . Hackers and

26:00

data buyers often wait until

26:03

the initial uproar subsides

26:05

before crafting targeted scams

26:08

, leaving consumers vulnerable as

26:11

they have forgotten about the incident . Watch it , because

26:13

people are not talking about the incident

26:15

that happened in 2017

26:18

, I think , that big credit

26:20

bureau data breach . 150

26:23

million consumers

26:26

in the United States got their data

26:28

compromised and we are still paying

26:30

. So they don't go

26:32

right after because they know everybody is going to

26:34

get a one-year free monitoring after

26:36

a breach . That is absolutely

26:38

of zero use to you . Yes , exactly

26:41

, hackers have figured out a

26:44

better motive and say , okay , I'm going to wait out at

26:46

least a year and then

26:48

I'll start my thing , because they have plenty to

26:50

work with until then . This

26:53

is all trying to get

26:55

prepared for two years from now . Hey

26:57

, I'm running out of data , so

27:00

that's the kind of stuff .

27:03

Yeah , well , that was what I was going to ask next and you

27:05

kind of answered it partly for me , which

27:07

is is that , yeah , I feel like every other

27:09

week now I'm getting an email or

27:11

a text saying , yeah , we

27:13

got breached , and it's , and it is things like

27:15

you know , I'm getting notifications

27:17

that my CPAP machine somehow they

27:19

leaked like personal information from that

27:21

, which again like , why do you have that ? You know

27:23

, but and it's always that sort

27:25

of you know , if it's change

27:27

your password , fine , I'll change my password

27:30

, it's not that hard . But when

27:32

it's , you know , here's a free

27:34

year of credit monitoring on us , you

27:37

know . You know that something much bigger

27:39

happens . So I guess , from a consumer

27:42

standpoint , Raj , do you have any advice

27:44

to sort of keep

27:46

yourself out of the sort

27:48

of blast area of these constant sort

27:50

of breaches ? You

27:53

know , what do you recommend ?

27:54

for people who are getting sick of this . There has to

27:56

be a consumer

27:59

revolution , for lack of a better word . Yeah

28:01

, because enough is enough . Sometimes

28:04

we are way too compliant and

28:06

just giving out information . There

28:08

are two reasons for that , right . Some of

28:10

it is because we sign

28:12

up for everything that is free . How

28:15

many people when you check out these days

28:17

hey , can you give us

28:19

your email ? We'll give you instantly 5%

28:22

. But that 5%

28:24

let's assume the person is buying $50

28:27

worth of some goods and they're getting their email

28:29

, right . 5% of $50

28:31

is $2.50 . Let's assume

28:33

, as an example , right , they

28:36

would have blown $5 walking

28:38

out of the building to buy a cappuccino somewhere

28:40

, so they've already lost that

28:42

savings , but they've already

28:44

given out one free thing that

28:46

the vendor wanted

28:48

. And then they want to start sending you more

28:51

information , then more information . So they'll

28:53

start saying , hey , and then you start trusting

28:55

them and then you start giving out more

28:58

information . Hey , I know this place , ok

29:00

, let me buy something online . And you

29:02

put in your credit card information and

29:04

you put in your date of birth for verification

29:06

, or whatever it is . And whatever they do right

29:09

, that is how

29:11

the cycle starts going and

29:14

it never stops . So I

29:17

suggest that be wary of every

29:19

data sharing and question

29:21

everything . Question , question , question

29:23

.

29:26

Yeah , which I think they try to sort

29:28

of wear you down with , all of the sort of terms

29:31

of service that are 80 pages long and every

29:33

time you log onto the site they want you to accept cookies

29:36

again and again . Yeah

29:38

, I mean , I think it is kind of

29:40

you know , they're also waiting

29:42

you out in terms of hoping

29:44

that you'll get this is their best interest

29:46

, right ?

29:49

So if you think about it right , you

29:51

know the regulations are all a mess , right

29:53

? They're trying to band-aid the same process

29:56

. So , anyway , we can talk

29:58

all day .

29:58

Well , so I want to pivot over . The

30:03

purpose of our podcast here obviously is to help students and new cybersecurity professionals

30:05

sharpen the skills that they need to enter

30:07

the cybersecurity industry , and also

30:09

people who are from other walks

30:12

of life who might want to change careers to cybersecurity

30:15

later on . These are all people that listen

30:17

to our show and they're looking for your

30:19

insight . So , speaking to listeners who might want

30:21

to do work in these areas privacy

30:24

, identity management , identity verification

30:26

, data privacy , data collection what

30:28

types of hands-on work or training or

30:30

education or certifications or

30:33

just projects should they

30:35

be working on to make them ready

30:38

to do the work in this particular field ?

30:42

Wow . Okay , that's a lot

30:44

. I

30:47

can try and summarize a little bit Sure . So

30:49

the field of data privacy and security

30:51

is deeply entrenched , with

30:54

well-established infrastructure , processes

30:57

and methods . Right . So

30:59

to drive meaningful change , we

31:02

must be willing to challenge the status quo

31:04

, as I mentioned before , rather than simply

31:06

repeating the same approaches and expecting

31:08

different results . This is not just

31:11

a matter of insanity , but also a symptom

31:13

of laziness and a lack of thorough

31:15

analysis . To truly

31:17

address the current challenges , we need

31:19

to scrutinize the existing process

31:22

. How is it being done today ? Understand

31:24

the regulatory landscape , because , unfortunately

31:26

, regulation pays a big sum . Familiarize

31:29

yourselves with the latest regulations

31:31

surrounding privacy , security and consumer

31:34

rights . Identify any gaps

31:36

or outdated elements in the existing regulatory

31:38

framework , because that's how you can

31:40

be creative . That's how you can come up with some

31:42

aha moments . Carefully

31:46

examine each step of the current data

31:49

collection , storage and protection process

31:51

. This is a big , big , big issue

31:53

in the United States right now , and worldwide

31:55

as well . Question the rationale

31:58

and assumption behind these

32:00

longstanding methods . Right

32:02

. Recognize that our

32:04

technologies have evolved rapidly

32:06

, while many of the underlying processes

32:09

have remained stagnant . Think about it

32:11

why are still third

32:14

parties doing all of the verification

32:16

? We have democratized so many things

32:18

in our lives , whether it's

32:20

a hotel to Airbnb

32:23

or buying a

32:25

car on your phone . We have democratized

32:27

. We have taken out all of the middlemen

32:30

in many of the processes

32:32

. It should be the same thing . I

32:34

call it data emancipation . Right

32:36

, Free up the data that belongs to the

32:38

consumer . Let them be the guardians

32:41

of it as well . Co-opt them to . Hey

32:43

, this is your data . It's in your best

32:45

interest to keep it with

32:48

you and just share it when you need it

32:50

. That will eliminate

32:52

a whole bunch of these data proliferation

32:55

and hackers are going to really

32:57

, really have a tough time

33:00

. I always say that the

33:02

hackers are moving at lightning speed

33:04

while we are still trying

33:07

to go with our neighborhood

33:09

road speed .

33:10

Yes , exactly , yeah . Yeah . A

33:12

lie can get around the world three times while truth

33:15

is getting its shoes on . Yeah , so

33:17

I think that's a really good advice and just

33:19

to sort of hammer that home , obviously InfoSec

33:22

would like you to , you know , do the work

33:24

of learning things like identity management

33:26

and access management and all the

33:29

good juicy tech stuff , but at the same time

33:31

, make sure that you are doing the

33:33

reading in terms of the

33:35

larger sort of global implications

33:37

. That's what you're saying Basically , like understand where

33:39

it's going .

33:40

Study up the landscape . Understand

33:42

it Right , and then take as many wherever

33:45

it's available small projects , big

33:47

projects . Try to solve right . Try

33:50

to think about put yourself in those

33:52

shoes and then not just be

33:54

waiting for somebody to define a problem and say

33:56

hey , why are we doing this way ? Why is this

33:58

? You know our digital landscape

34:00

has expanded so much , but we're still

34:02

stuck in the you know

34:05

50s and 60s method of collecting

34:07

data and having a third party store

34:10

it in different databases . Why haven't we

34:12

democratized the data and then decentralized

34:14

it right ? Those are all various

34:17

things that you can educate

34:19

and then embrace the co-opting

34:21

of the consumers in guarding their own data

34:23

.

34:23

It is their data .

34:24

Yes , yeah , social

34:27

security number and date of birth is assigned to you

34:29

. It is never assigned to a third party . And

34:32

they somehow managed to get it and

34:34

they have it , and now they are bartering

34:36

and selling that information over and over again

34:38

.

34:39

Yeah , absolutely , and yeah

34:41

, I think that's really great

34:43

advice . Yeah , absolutely .

34:45

And we have other things right . We don't go

34:47

to you know

34:49

, every time you want to drive . You don't go to drive a

34:52

DMV to buy a license right , you

34:54

drive it once you drive it Same thing

34:57

with TSA PreCheck . You don't , you know , once you

34:59

get it , reuse it as long as it is current

35:01

and active and , you know , always live , that's

35:03

all that matters . So why haven't we applied that

35:05

to identity verification ? Because

35:07

that's where most of the people collect that

35:09

personal information , store it and then

35:11

for no reason , it gets

35:13

compromised .

35:14

Yeah , I think some of those project ideas are really good

35:17

and I think also the idea of no

35:19

matter how early you are into the game

35:21

and you're in your learning , to not be afraid to

35:23

take big swings in terms of trying to solve big

35:25

problems . I think

35:28

companies or employers are not going to care if

35:30

you solve the problem of identity . Obviously

35:35

you're not going to if you've been doing this for two years . But they want to see that

35:37

you are sort of looking at these problems and suggesting solutions

35:39

or suggesting fixes . And

35:41

to that end , I guess , Raj , are there

35:44

particular skills gaps among people who are

35:46

trying to get hired into these positions that

35:48

you're trying to fill ? I mean , I

35:51

know you probably hire people all the time . Are there

35:53

certain skill areas or qualifications

35:55

that you consistently see lacking , that you'd like to see more

35:57

universal , even if it is things like big

35:59

box thinking like that ?

36:01

Developing analytical skills , and

36:03

STEM and engineering education is of

36:06

paramount importance in this field . We

36:08

lack those things analytical skills

36:11

and engineering . If you have , even if you

36:13

go through two years of engineering , right

36:15

, you start developing that thing about

36:17

challenging the notion , working out

36:19

all of those things , immerse yourself in practical

36:22

training and projects wherever they may be

36:24

offered . Studying just a

36:26

textbook does not help you in this field . The hackers

36:28

, as I said , are moving at lightning speed

36:30

and we sometimes seem to be stuck in our local

36:32

road speeds . So it is very

36:35

important to be on top of things . And

36:38

you know , even in community college

36:40

, right , if you don't have a

36:43

means to go to a community college , even

36:45

if you have high school , finish your high school

36:47

. High school is the minimum currency

36:49

you need , especially if you're

36:51

in this field , because there are other

36:54

fields that may not require a college

36:56

diploma , but in this field

36:58

, you do need a little bit of awareness

37:00

of the landscape , because digital landscape

37:03

is very complex .

37:05

Yeah , absolutely . I think those are

37:07

all really great pieces

37:09

of advice . So before I let you go , Raj , can

37:11

you tell our listeners it

37:13

sounds like you kind of make the career advice

37:15

, but can you tell our listeners the best piece of career advice you

37:17

ever received , whether from a mentor or

37:19

a teacher or colleague ?

37:22

That's a good one . So a professor

37:25

that I really liked many

37:27

years ago you

37:30

know I was bidding goodbye

37:32

as I was graduating

37:34

he said always have a goal

37:37

and try to achieve them and

37:39

repeat them until you're tired , until

37:43

you're tired , until you're tired . That

37:45

means yeah , because you will have

37:47

a goal even at 90 years old

37:50

. The goal could be just I want to get up tomorrow without

37:52

backache , right , yeah ? right right I'm

37:54

saying right , so keep

37:57

having a goal and then

37:59

achieve it . Right , not just have

38:01

a goal and then , uh , I didn't make it

38:03

right . Yes , you'll be making mistakes , that's

38:05

okay . Without making mistakes you'll never

38:07

learn , as you know , right , but

38:09

don't repeat the same mistake .

38:11

Yeah , don't repeat the same mistake . Don't

38:14

get complacent with the idea that you can't

38:16

do something . I suppose , just keep trying if you fail

38:18

.

38:19

This is the best country for that . This

38:21

country offers you the opportunity to succeed

38:24

. Yeah .

38:26

Now as we wrap up . Raj

38:28

, you talked about Trua a bit . If you want

38:30

to talk more about what your platform

38:32

does and you know a bit more

38:34

about the product , feel free to do so before we wrap up

38:36

here .

38:37

Okay , so

38:39

thank you for that . Trua's reusable fully

38:42

verified digital credential right

38:44

Eliminates fundamental risk posed

38:47

by individuals repeatedly providing

38:49

sensitive personal information . This

38:52

reusable verified credential natively

38:55

safeguards individuals'

38:57

private information , thus reducing the risk

38:59

of data breaches for organizations

39:02

and consumers' identity theft To

39:05

us , technology ensures a high level

39:07

of assurance and security in

39:09

interaction across various digital channels

39:11

and modes , while saving organizations

39:14

billions of dollars because they don't

39:16

have to collect , store and card and

39:19

have cyber insurance all

39:21

kinds of stuff that you have to pay .

39:23

They have to pay out settlements all the time .

39:25

Yep litigation compliance all of those things you have to pay out settlements

39:27

all the time . Yep Right Negation compliance all of those things

39:29

you can minimize , yeah

39:31

, Drastically .

39:32

Yeah , moving towards having a an empty

39:34

treasure chest here , yeah , Because the

39:37

hackers can come in .

39:38

They have nothing there , Right ? It's all

39:40

in the people's hands .

39:41

Yeah , absolutely it's . It's . It's happening

39:43

in the moment , and that's it .

39:44

On demand , getting it and then verify

39:46

. That's it . You don't store anything , you don't keep

39:49

anything .

39:50

Great . One last question here if our listeners

39:52

want to learn more about you , Raj , or

39:54

especially about Trua I mean , you said you're on LinkedIn

39:56

, but where should they look online for Trua ?

39:58

Obviously , I'm on LinkedIn . LinkedIn for Trua

40:01

is also Trua , and

40:04

Truame.com is our website

40:06

. There's plenty of information . Go under resources

40:08

. I've written

40:10

a lot extensively about various facets

40:13

of society and whether

40:15

it's the dating side , how you know the

40:18

dating is legit , or

40:21

hiring somebody to come and work in

40:23

your house . How do you know all of those things right

40:25

? So , without collecting

40:27

personal information , how do you accomplish

40:30

the need for verification or

40:32

security screening ? And that's what

40:34

I talk extensively . Twitter

40:38

is at Trua , underscore me . Facebook

40:41

is Trua me . Instagram

40:43

is hashtag Trua

40:45

score . LinkedIn is Trua . And Medium

40:48

we also have a

40:50

Medium where we have a lot of articles there .

40:52

And Trua . Okay , and Trua is spelled T-R-U-A

40:54

correct .

40:54

T-R-U-A . Trua and our website

40:56

is Truame , T-R-U-A-M-E.com

40:59

.

41:00

Fabulous , all right . Well , thank you so much for joining me today

41:02

, Raj . This was incredibly informative

41:04

and a lot of fun . Thank you , Chris

41:07

, for having me , and thank you to

41:09

everyone who watches and listens and writes into

41:11

the podcast with feedback . If you have any topics you'd

41:13

like us to cover or guests you'd like to see on the show

41:15

, just put them in the comments below

41:17

. We are trying to get through them as best we can

41:19

, but before we go , don't forget infosecinstitute.com

41:23

slash free , where you can get a whole bunch of free

41:25

and exclusive stuff for Cyber Work listeners . This

41:27

includes a trailer for our new security awareness

41:29

training series , Work Bytes , which is smartly

41:31

scripted and hilariously active set of videos

41:34

, uh , in which a very strange office

41:36

staffed by a pirate , a zombie , an alien , a fairy

41:38

princess , a vampire and others navigate

41:40

their way through the age-old struggles of yore

41:42

whether it's not clicking on the treasure map . Someone

41:44

just emailed you making sure your nocturnal

41:46

vampiric accounting work at the hotel is VPN

41:48

secured and realizing that even if

41:50

you have a face as recognizable as the office's

41:53

terrifying IT guy Boneslicer , we

41:55

still can't buzz you in without your key card . Anyway

41:57

, go to the site and check out the trailer . We

41:59

can also go to infosecinstitute.com slash

42:02

free for your free cybersecurity

42:04

talent development ebook . Here you'll find

42:06

in-depth training plans and strategies for

42:09

the 12 most common security roles , including

42:11

SOC analyst , pen tester , cloud security

42:13

engineer , information risk analyst , privacy manager

42:16

, secure coder , ICS professional

42:18

and more . One more time infosecinstitute.com

42:21

slash free and yes , the link is in the description

42:23

below as well . One last time

42:25

, thank you so much to Raj

42:27

Ananthanpillai and Trua , and

42:30

thank you so much for watching and listening and

42:32

until next week . This is Chris Sienko signing off , saying

42:34

happy learning .
