Podcast Transcript
Introduction:
You're listening to the RSA Conference podcast, where the world talks security.
Kacy Zurkus:
Hello listeners. Welcome to this edition of our RSAC 365 podcast series. Thank you for tuning in. As we heard in our November podcast with members of our program committee, privacy is becoming a prevalent topic across all sectors of the cybersecurity industry. Today, we'll be talking about a new report published by The Rise of Privacy Tech, hearing more about the findings in their Whitepaper, defining the privacy tech landscape and the mission of the organization as a whole. I'm your host, Kacy Zurkus, content strategist with RSA Conference. And I'm lucky to be joined today by Lourdes Turrecha, founder and chief privacy tech strategist at The Rise of Privacy Tech. Before we get started, I want to let you know that here at RSAC, we host podcasts twice a month, which I'm sure you already know, and I encourage you to subscribe, rate and review us on your preferred podcast app so you can be notified when new tracks are posted. And now I'd like to ask Lourdes to take a moment to introduce yourself before we dive into today's topic. Lourdes.
Lourdes Turrecha:
Thank you so much for having me on the RSA 365 podcast today, Kacy. It's always a pleasure for me to participate in RSA events. May it be RSA Conference USA last year or this year where we explored The Rise of Privacy Tech and its intersection with the cybersecurity space or the RSA webcast. I recall that we had one last year on the importance of privacy teams, just towards the beginning of the pandemic when companies were forced to accelerate their digital transformation and remote work strategy. So thank you for this platform, I'm really grateful for you having me join you today. And hello to the RSA community members who are listening. I'm Lourdes Turrecha, I'm the founder of The Rise of Privacy Tech.
Lourdes Turrecha:
I've been a Silicon Valley cybersecurity and privacy strategist, advisor and lawyer. In previous lives, I've counseled more than a hundred tech startups, companies and multinational corporations on their privacy and security obligations. So we're talking not just compliance and product design, but also incident and breach response, which included some of the biggest ransomware attacks like WannaCry and NotPetya. So just before founding The Rise of Privacy Tech or TROPT, as we like to abbreviate, I helped build a privacy function at the leading cybersecurity company, Palo Alto Networks, where my team and I built privacy into cybersecurity products. And today I work mostly with privacy tech companies in the emerging privacy tech landscape. Thanks again, Kacy, for having me today.
Kacy Zurkus:
Of course. And that's super cool background, and we're very excited to have you here and maybe just tell us a little bit more to start us off about the mission of The Rise of Privacy Tech, what it is and what your goals are.
Lourdes Turrecha:
Yeah, absolutely. The Rise of Privacy Tech is the only privacy tech community today. Our mission is to fuel privacy tech and innovation, and we do this by bringing together privacy tech, founders, investors, and domain experts who serve as advisors to some of these emerging privacy tech startups, and the goal of us bringing these key players together is to bridge the existing technical capital and expertise gaps in the emerging privacy tech space. I noticed in my former work life that there were more and more privacy tech founders, investors calling and asking to pick my brain on certain things about products, on privacy strategy and it just wasn't scalable. And during that time I was going through this journey of figuring out what I wanted to do next in my privacy and cybersecurity career. And I was really a little bit sick of most of my clients asking, "Hey, can we get away with this under current privacy law or under current privacy security law?"
Lourdes Turrecha:
And I thought, "That's not how I want to operate. I don't think that really moves the needle when it comes to privacy or security." And so I thought, "Why don't I focus my attention and pay attention to the emerging privacy tech space, which is adjacent to cybersecurity." Cybersecurity has exploded the last 10, 15 years. Privacy tech is just 10 to 15 years behind and we just had our first couple of unicorns in this space whereas the cybersecurity industry has had multiple, countless of them and some of them even public companies today. So our goal really is to make sure that this emerging privacy tech space takes off and that it becomes as prolific and as widespread as the emerging privacy tech or cyber security landscape.
Kacy Zurkus:
Which I'm hopeful that is happening. As I mentioned, we did a podcast last month with two members of our program committee from the privacy track. And one interesting trend that stands out to me and why I really wanted to do those podcasts with you as a follow up is the way that privacy has really become an integral part of the conversation across so many of the tracks at RSA Conference, whether it's identity or anti-fraud or law, even the work that you do with DevSecOps and product development. So many submissions had a privacy angle to them, and I'm wondering, "Does that surprise you? Why now?"
Lourdes Turrecha:
That's a really great observation. And my short answer is no, I'm not surprised at all. There's a host of reasons for that. First is privacy's about people, specifically information privacy is concerned with individual power and control over their personal information. And so I can't think of any company that doesn't process personal information, maybe of their customers, their customers' customers, their prospects, their own employees, their partners, their contractors, and so on. So for that reason privacy is pervasive, although most companies ignored privacy for decades. My second reason for not being surprised is that we built up decades worth of privacy technical debt that we were bound to pay back. This mounting privacy technical debt is partly what gave rise to the emerging privacy tech space. It's the reason why many founders, engineers who had to work with legal counsel, privacy counsel, with audit, with GRC functions on privacy and security obligations.
Lourdes Turrecha:
They really have had to say, "Hey, these are serious privacy technical problems, and we need solutions to them." And there just weren't solutions in the market, but because of things like global data protection laws and the developing customer demand for privacy solutions, I'm not surprised at all that you're seeing this trend with privacy being so pervasive, not just in RSA, but within organizations and in the media. And even at the highest level in government, and even in big tech, we see companies like Apple, for instance, really lean into privacy and use privacy as a competitive differentiator. The third reason why I'm not surprised is that privacy is so cross-functional.
Lourdes Turrecha:
So it's not just about the GRC folks or the privacy and audit and compliance people. It's also about the engineers and the developers, and sometimes the business folks, because another trend, in addition to the legal, the laws all over the world that are being passed, or the developers wanting more products, we're also seeing business people try to quantify the value of privacy and try to put privacy in the value of personal data on under balance sheets. So cross-functional privacy is about people, it's pervasive and you've just had [inaudible 00:08:19] the privacy technical debt, that it was bound to this answer the question of, "Oh, why now?"
Kacy Zurkus:
Yeah. And I also wonder too, is it that privacy is something that business minded folks who aren't technical can understand, right? There have been so many conversations about how to talk to your board about cybersecurity and get the budget you need. And privacy sort of is a foot in the door to that, right? Because it's a conversation that people can understand. It relates to them, to your point that there's a lot of personal data that's been collected and we've been building this big debt. And so it's sort of that foot in the door to get people to understand.
Lourdes Turrecha:
That's such a great observation. And it really ties to one of the RSA themes that we had. Was it last year or this year? There's a human element to it, right? Not just in security, but in privacy, because privacy is about people and their power and control over their personal information. There really is that part of it that makes it relatable to everyone. So amazing observation. And we are seeing that same trend at the board level when it comes to conversations about companies and their privacy brands and what they're going to do about their position of privacy.
Kacy Zurkus:
And speaking of making things relatable, I really appreciated the Whitepaper. And I want to talk about that for a minute. The title again is The Rise of Privacy Tech Defining the Privacy Tech Landscape. And it was just recently published, was it last month, I think? So can you talk a little bit-
Lourdes Turrecha:
Yes.
Kacy Zurkus:
About... What a collection of group members that participated and contributed to this paper. I would love it if you could give us a little bit of a glimpse into the backstory a little bit about the group members, the process of working together to write the paper, maybe how long did it take, some of the key findings that are important for non privacy professionals to be picking up on here?
Lourdes Turrecha:
Yeah, absolutely. And thank you for bringing it up. One of the projects that we have been prioritizing at The Rise of Privacy Tech is the Whitepaper you mentioned, which is the defining the Privacy Tech Landscape Whitepaper, which [inaudible 00:10:38] foundational Whitepaper on the Privacy Tech Landscape. And the reason why we wanted to push this out is because we've had so many conversations, countless with investors, with founders, with customer buyers, where we just weren't speaking the same language. We were talking past each other. And this goes back to the cross-functional nature of privacy, right? Like lawyers and engineers and audit people and business people speak different languages. And so we thought it would be really good for the industry to help fuel the privacy tech industry to sit down and say, "What do you mean by privacy tech and what are the different categories that we're seeing?"
Lourdes Turrecha:
So we defined privacy tech, which are technological solutions to privacy problems. We introduced the privacy tech stack, which are the categories that we're seeing today in the privacy tech space. And we talked to some of the user buyers and some founders and some experts, domain experts in privacy. And these are the folks that really made up the working group that worked on this Whitepaper. So we have privacy engineering leaders like Nishant Bhajaria who leads privacy engineering at Uber, but has worked at countless of other Silicon Valley tech companies on privacy engineering and Michelle Dennedy, who I know is a big RSA supporter and speaker in the past who has been CPO at big cybersecurity companies like Cisco and Sun and Intel. And then, we had Debra Farber who also similarly comes from their privacy space is an expert.
Lourdes Turrecha:
So we have [inaudible 00:12:15] founders, like [inaudible 00:12:19] and Caroline McCaffery. So we really had people who were thinking about privacy tech, because there's a hole of privacy professionals. And most of them, I would say 90% of them are really focused on what's developing, coming out of Europe or coming out of you see when it comes to the laws and that's important for it, but we also need more experts paying attention to the tech side of privacy. And we picked those people who are in the forefront of the privacy tech space. And we worked with those folks and I think it was between April and October. So the working group met between that time, at least monthly, sometimes twice a month, it was very collaborative. And last month in November, we've published our findings from the work that we did between April and October.
Kacy Zurkus:
So one thing that I also found really interesting and timely about the Whitepaper is that each month we try to have a focus theme for our editorial content and December's theme is identity. And I received and read the Whitepaper and sure enough, it draws comparisons between privacy and adjacent industries. There are many conclusions that you draw about privacy and identity management. So I'd love it if you could give some insight to our listeners into those behind the scenes conversations that went on specific to identity management, was there discord and how did the group members eventually find consensus?
Lourdes Turrecha:
So one of the things that we really wanted to be mindful of is to not just define and categorize privacy tech, but to also position it in relation to its primary adjacent industries. And so one of the debates that we had was what about these security solutions or these identity management solutions? Are they privacy tech? And we really wanted to be mindful and say, "Hey, there are solutions that intersect both privacy and privacy tech and identity management or privacy and cyber security." But we want to honor that these industries existed and are even further ahead than privacy tech and borrowed from identity management when it came to the sections that talked about identity management.
Lourdes Turrecha:
So we talked about how some of the solutions overlap with privacy tech because these solutions overlapping identity management, privacy tech solve for problems relating to individual control over their identity. Some of the accuracy of personal information relating to their identity, secure access tied to identity based personal information. And so we are seeing those solutions in this space. That said, there are a host of other identity management solutions that have nothing to do with privacy, or were not built with privacy in mind or predate the emerging privacy tech industry.
Kacy Zurkus:
And so, the Whitepaper talks about the intersection of privacy tech and identity management solutions, as you mentioned, it's what you label as identity management for privacy. And I quote the paper here, "Privacy is a growing component of identity management programs and incorporating privacy into these programs is becoming strategic for organizations who want to protect both their users and their companies. Privacy goals can be achieved through identity management by verifying user identities, with authentication solutions and through awareness and education. These tools are used throughout the data life cycle." So my goal as part of this conversation is to make this paper more than informative. I want some actionable advice for our listeners. So I'm hoping that you can offer some actionable steps that our listeners can take toward that end of achieving privacy goals through identity management.
Lourdes Turrecha:
Thank you for that. And that's such an amazing goal. Thank you for prompting me to answer this question. I think it's really important that identity management teams who may not sit within privacy or legal, or that may be their own function under the CSO's organization or the CIO's or CTO's organization. I think it's really important that they work closely with not just privacy teams, but security teams and legal teams to make sure that privacy is designed into their identity management programs. Privacy is so cross-functional, it affects not just the security, not just legal, it also affects HR. And it's equally true for identity management regardless of where it sits within an organization. So some of the things that they could do is obviously go figure out who owns the privacy function in your organization and work closely with them. That's one of the first things that I do when I work within an organization is I look to see, who are my biggest allies, right?
Lourdes Turrecha:
So I introduce myself to the CISO, to the CIO's organization, to the CTO's organization and want to make sure that my privacy goals are aligned with theirs. And I think similarly identity management program professionals can do the same thing because there are goals that they share with the privacy function. So that's probably the first step is do that. The second one is when they're picking their identity management solutions, I think it would be very important for them to not just look at what the identity management functionality, but also how they built privacy into those solutions. I would ask questions about privacy by design and engineering and what their position on that is. Companies that have mature positions and privacy by design and engineering.
Lourdes Turrecha:
We usually have a data sheet on that or a Whitepaper explaining how they built their product in this case, their identity management products and solutions with privacy in mind and that would be my second step that I would recommend identity management professionals would do if they wanted to further privacy when it comes to their identity management program. So one is more internal and is more of an organizational process type of recommendation. And the other one is a vendor type of recommendation when they're picking their identity management solutions.
Kacy Zurkus:
Excellent. So break down silos and validate your [inaudible 00:18:50]. Right?
Lourdes Turrecha:
Yeah.
Kacy Zurkus:
Check that supply chain.
Lourdes Turrecha:
Yeah.
Kacy Zurkus:
Yeah, for sure. So let's pull back the lens a little bit because we've definitely covered the intersection of privacy tech and identity management industries. Can you talk a little bit about the intersection of cybersecurity and privacy tech?
Lourdes Turrecha:
This is one of my favorite conversations and full disclosure we did talk about this at length at RSA last year, but since working on the Whitepaper, we have matured our position in this and our thoughts on this. Privacy and cybersecurity are perhaps the closest overlapping industries, but they're not one and the same. Both cyber security and privacy tech products protect personal information. But as we know, cyber security goes beyond protecting personal information and extends more broadly to protecting systems, networks, devices, infrastructure in their entirety, and other types of data, not just personal information, could be your trade secrets, your crown jewels, and other types of information that is important to an organization.
Lourdes Turrecha:
Conversely, privacy also goes beyond just protecting or securing information. It also solves for, or asks other types of questions and inquiries beyond security. Privacy is involved with transparency. So how much disclosure you give to individuals about your processing of their data. It also asks questions about data minimization, how you make sure that you're processing the least amount of information necessary for your purpose. And there's noting. I mean, I come from the cybersecurity industry. There's noting that cybersecurity are not privacy preserving by default. And on the contrary, if they're not designed and engineered with privacy in mind, some of these tools often raise privacy issues like surveillance and over collection of personal information.
Kacy Zurkus:
Which is so important. I am one of those minds of, "I'm not a technical background, but these are the [inaudible 00:20:56] human element things are the things that I can wrap my head around." And I understand that there's a counter to that as you point out, the cybersecurity tools are intended to protect a lot more, more than just my personal data, but I hope that we're moving toward a world where we can do both right? Lourdes, I want to thank you again for joining us today. It's always such a pleasure to have you with us. Before we wrap up, do you have any parting words for our listeners?
Lourdes Turrecha:
Oh, thank you so much. And I think I would just agree to your last comment, which is, I think we are moving the needle and you guys at RSA have done this work for years and years when it comes to cyber security and obviously privacy with privacy increasingly becoming a part of the agenda at RSA. And so I think we all have our roles to play when it comes to moving the needle on privacy and cybersecurity and identity management. And I'm excited to have been able to work with RSA and you Kacy in particular, a couple of handful of times when it comes to spreading awareness on these topics. And so thank you for having me today.
Lourdes Turrecha:
If anyone in the privacy tech space, maybe you might be a founder, who's trying to build privacy solutions to privacy problems or an investor who wants to invest in this space and privacy tech products or a privacy domain expert who wants to advise these companies. We are building a community for privacy tech, key players like you and so come chat with us at The Rise of Privacy Tech. If you're interested in how the emerging Privacy Tech Landscape is shaping up, please check out our Whitepaper too. We worked so hard on defining and categorizing and exploring some of the trends that we're seeing in this nascent, but really exciting space. And Kacy, thank you for having me today. I'm so grateful.
Kacy Zurkus:
Of course, always a pleasure to have you. Thank you so much for joining us. Listeners, thank you for tuning in. To find products and solutions related to privacy and identity management, we invite you to visit RSAconference.com/marketplace. Here you'll find an entire ecosystem of cybersecurity vendors and service providers who can assist you with your specific needs. Please keep the conversation going on your social channels, using the hashtag RSA and be sure to visit RSAconference.com for new content posted year round. Thank you all. And be well.