[MUSIC] Privacy is important, but so is data security and information governance. We are joined by Matt Krull of IBM. Welcome, Matt.
>> Thank you.
>> Tell me a little bit about what you do at IBM.
>> I work in IBM Security Business Unit. I'm a business unit executive, covering North America for our identity and access sales teams. I've been with IBM Security since 2001, so I've kind of seen the industry grow up and mature and be in this spot where we are right now with almost every day, you read in the Wall Street Journal that something bad has happened in relevance to data security.
>> How do you kinda frame up the whole subject of data security?
>> IBM has released a CISO study, that's Chief Information Security Officer study. We publish one annually. And there's some interesting results of that. 61% of CEOs, 61% of the people that we're dealing with running companies, their biggest threat to their brand is data security. 50% of these executives do not understand, or don't know the risk mitigation strategy, i.e., what happens if something goes bad, or are they properly covered? And 30% of them even admitted that they don't have a strategy at all.
>> Are there different ways that CEOs or CIOs are approaching the whole subject of data security?
>> Well sure, there's kind of a maturity model. This same CISO study that we did in 2012 highlighted there are really three categories of security departments. There are the reactors, there are the protectors, and then there are the influencers. The reactors are the ones where an event happens, we have to go buy a product, plug it in and we're secure.
>> So they're doing it after the event happens. They're reacting to it and then trying to fix the, plug the hole in the dam.
>> Right, and then they end up with a multitude of products. We have one company with 85 security products from 45 different vendors. The next group are the protectors.
And they may have a plan that they're kind of bunkered down in their shell, maybe in the basement of their building, and they're saying, we're secure. However, you get back to the CEO or the board and the board is not aware of that strategy. That's a big problem because I will talk about in a little bit. The board and your CEO really needs to be aware of the strategy and be a part of the strategy.
>> Okay.
>> And then the last category of course is the influencers. Those are security professionals who are interacting at a CEO or a board level and they're being open and honest of where we stand with security, where we have flaws with security, and this is a much better approach than trying to either bunker up or trying to either just react to the latest and greatest threat.
>> That's really a nice way to frame it up. The key, though, it sounds like I gotta have a plan to really do data governance right. How does that work?
>> Well, first of all, you have to understand that if you're not an expert in data security, you can't be the creator of that plan. You have to know, I teach a lot to our IBM Technical teams or IBM sales teams or IBM customer teams, you have a plethora of people that are available to you. And by bringing someone who knows data security on your team, you're actually making yourself much smarter. So the first thing I would do is to fully understand where you are as an individual or a company as it relates to data security. And don't be afraid to go out and get help from outside professionals to help you build the security strategy.
>> So what you're saying is that I really don't know where the limits are, I need to get an expert. For it to do that. Can you give me a good example of a company that might have stumbled into a problem because they really didn't realize the extent of data security?
>> I have a great example. About a year ago, one of our technical reps, he was sitting in just watching a football game on a Sunday night.
I think it was January, it was an NFL playoff game or something. And he got a phone call from one of his customers. A good friend; they've worked together for a long time. Then he said, "Can you be here tomorrow?" Well, it was noted in the Wall Street Journal that another retailer was breached and a couple of other retailers they thought were breached. And this retailer was afraid that they were releasing credit card numbers out to the public. So while we couldn't get there on Sunday, we were there on Monday, and over the course of three days we worked diligently to determine that this retailer was not releasing credit card information to the public. My technical rep came back and said, this was a great experience. I've never sat in a room working with a team and, on an hourly call, updating the CEO. Cuz that CEO was nervous that he'd have to go to the Wall Street Journal and give a statement about credit cards being released. That's not the way you wanna do it. You don't wanna call a vendor, really be at the goodwill of that vendor to show up as quickly as possible and out of goodwill prove that you're clean. You want to have a contract with an emergency services security firm, that you can call up on a Saturday night and they have people stationed to get in right away to help you. That's part of planning.
>> Information governance is more than just technology and software. It's also people and how you're interacting with the data. Is that correct?
>> That's correct, yes. You could put all of the technology in place that you want. But your least common denominator actually are either your customers or your employees. We have a great story of a chief security officer. It goes through the anatomy of a breach. You know, alarms start sounding, and everybody's panicked and somebody's getting mad.
And the story goes, then we cut to a different scene where this chief security officer was getting coffee that morning, and the coffee house asked for his email address as part of the loyalty chain. And of course, while he's sitting there sipping his cup of coffee on his corporate owned phone, he went to the loyalty chain's site.
>> Mm-hm.
>> Because they sent him an email.
>> Okay.
>> Well, guess what? As the story goes, the coffee house was in cahoots with some bad guys.
>> Mm-hm.
>> And they just happened to find the right fish in their fishing scheme. They were able, by going to the website, put malware on that phone, and when he walked back into the office, he was able to provide the little niche the hackers needed to get in and cause a data security breach. But that's just a case of you have to train your employees to be smart.
>> Right.
>> You have to train your kids to be smart. You have to train your parents to be smart. If you get an email and it says click here, don't click there unless it's a trusted source.
>> Right. If you don't know where it's from, don't hit the button and start something that could be really bad.
>> But it's also having the controls in place, in case you hit that button your systems know that you're hitting the button and going to a bad site. And hopefully preventing that bad site. Many people have made this mistake. We correlate that data, we put it into our systems and then hopefully prevent the next person or company from making that same mistake.
>> Matt, this is great information, but if there is one piece of advice you'd give to our participants, what would that be?
>> The best advice I can give you is to have a plan for your data security governance. Know what your depth and breadth is. Know what tools you're using. Know what your emergency services provider is. But also, not if, but when you're attacked, have a plan in place.
Have a chain of command in place, and know the one person that you need to go to, to lead you through that time of crisis. That one person in an instant becomes the most important person in your company right then and there.
>> That's great advice. Also, I wanna thank you for putting the videos, as well as the CISO study, into the toolkit so our participants can learn more about data security and information governance. Thank you, Matt.
>> Thank you. [MUSIC]