Building The Future Show - Radio / TV / Podcast

Jaap Mantel
D&M provides Data Classification & Data Management to assist with Governance, Identification, Security, Compliance and more. I manage the expansion and oversight into the North American Market where we work with our Partners to achieve mutual success and value to our customers.

https://dataandmore.com/

Nim Nadarajah
With a resounding legacy spanning over 27 years within the technology realm, I stand as a seasoned luminary in security and transformation leadership, specializing in fortifying the voyage of Web 2.0 and 3.0 enterprises towards secure and triumphant scaling. As the resolute Managing Partner at CriticalMatrix, I dispense the art of Leadership-as-a-Service (vCISO, vCIO), steering the realms of governance, compliance, and strategic foresight to diverse clientele spanning industries and geographies.

https://criticalmatrix.com/

What is Building The Future Show - Radio / TV / Podcast?

AM/FM RADIO/PODCAST & TV SHOW

With millions of listeners a month, Building the Future has quickly become one of the fastest rising nationally syndicated programs. With a focus on interviewing startups, entrepreneurs, investors, CEOs, and more, the show showcases individuals who are realizing their dreams and helping to make our world a better place through technology and innovation.

Welcome to Building the Future, hosted by Kevin Horrick. With millions of listeners a month, Building the Future has quickly become one of the fastest rising programs with a focus on interviewing startups, entrepreneurs, investors, CEOs and more. The radio and TV show airs in 15 markets across the globe, including Silicon Valley. For full showtimes, past episodes or to sponsor this show, please visit buildingthefutureshow.com.

Welcome back to the show. Today we have Jaap from Data and More and Nim from CriticalMatrix, the data security dream team. Guys, welcome to the show.

Thanks for having us.

Thank you.

Yeah, excited to have you both on the show. I think what you guys are doing and obviously everything around security right now is really timely and kind of always has been and probably always will be, especially even more so going forward. But maybe before we dive into exactly what each of you do, maybe let's get to know each one of you a little bit better. And Jaap, do you want to give us a little bit of a background on yourself, kind of where you grew up, where you went to school, and then how you got to Data and More. And then, Nim, I'll let you do the same thing.

Sure thing. Well, it's quite a story, but the short version is that I grew up in the Netherlands, where I was born and raised, and I ended up when I was in my, ended up going to England, where I started working for a software vendor called Afpoint and kind of roll into the Microsoft ecosystem there. After that I went to Australia, back to the Netherlands, married a Canadian young lady, ended up in BC, and now I've moved to Alberta, Canada, where I live with my four children. Beautiful wife.

School wise, I studied economic economy, I focused a lot on international business management, and I ended up at Data and More because roughly about 20 years ago I started working for that company at point, started dealing a lot with SharePoint, and since then I've been in the Microsoft space helping organizations with their setup, their infrastructure, their search, their connectivities and everything else. And that's kind of how I ended up working for Data and More.

Very cool. Nim, do you want to do the same? Give us a bit of background on yourself?

Sure. I've been sort of in the tech space for about 30 years, came to Canada when I was twelve, was born and raised in the Middle East. My educational background is completely not in this space. I have a geophysics degree and a minor in psychology, but my MBA is in project management and IT risk psychology.

Plays a huge role, probably in security.

So it just kind of came into this. My career I always say I've been very lucky. I've been fortunate to do a lot of fun things. Ran the first ever Internet based Goldcorp Challenge online, where we kind of created a. And you guys know what SETI is, where you kind of look for aliens. But I inverted that model to try to find gold. Working with one of my first careers in Goldcorp Inc. with Robert McEwen, had a lot of fun there. Then I went into banking, did a lot of fun stuff in banking. Loan loss mitigation, launched a bank, mobile wallets, taking pictures of checks and depositing them, and along the way, decided after working for a global healthcare company, to open our own business and was fortunate enough to have two exits as part of that journey.

So to be able to build two different companies and sell them now focusing a lot on just getting data done correctly within organizations, that is the new gold. I mean, this is what people are after. This is the greatest value asset we have in the fourth industrial revolution. So how do you secure it? How do you protect it? What data do you have? Where is it? This is what I'm passionate about these days.

No, very cool. I think it's never been more important, and it'll only continue to get even more important and critical. Right. And people are only going to get better at trying to get access to the data. The security and the tools are only getting better as well. Right? So is that fair to say?

That's the goal.

All right, so let's dive into kind of what each of you do, and then maybe, Jaap, you start off with kind of what you're doing at Data and More, and then Nim, how do you complement that?

Yeah, for sure. So my official title is VP of sales, but I act as a general manager for North America. The organization is an independent software vendor and essentially focuses on data identification, data classification. But also how do we deal with this? And it's an organization that was started by four friends, and it's a European based organization. So back in 2016, GDPR was already on the map. Things were pretty advanced in Europe. And so this started playing a really big role in the identification of data. So what do we have? Where is it? All these different repositories. And so they hired me, essentially, to build up this market here in the US and in Canada. So we deal a lot with either compliance requirements, so people just needed to understand.

So in California, as most of your listeners will know, you've got, of course, the CCPA, you've got all kinds of laws with compliance. You've got one in Utah, one in Montana, one in Colorado. Idaho has its own. Tennessee has its own. And so there's all these different requirements for what can I store, what do I have? So it's not just the identification of data, but also now what do we do with it? How are we compliant? The cool thing in all of this is that when you actually understand what kind of data you have, you also come across some surprises. So you're going to find out, well, what kind of sensitive data do I have? Where exactly is this located? And then you're going to find out that some of the most sensitive data actually has.

Normally we find about six, seven copies of the most sensitive data because it gets shared over email. So you'll find it in Exchange, it gets backed up OneDrive or Dropbox or other places. And so you're going to find all these copies of sensitive files floating all over the. So they hired me really to set up the market in North America. So honestly, it's still a little young, but we've got some really amazing partners and Nim is one of them. And we're just growing our partner network, growing the brand, and started to sign up more and more organizations in our company.

Perfect. Nim, do you want to give us a bit of a background on CriticalMatrix and how you complement data?

And, you know, what we do as a company is governing risk and compliance really well. And Jaap and the Data and More team have a phenomenal product. But the challenge that we have in the marketplace, especially in the US, is they don't have a singular privacy law that covers all types of data like the Europeans. Figure that out. Let's just make it simple. We're going to create GDPR, everyone. This is what you're stuck with.

Deal with it.

But in the US, we've got all these acronyms like HIPAA, FCRA, COPA, VPPA, like there's all these different regulations that come in, and in each state you have a unique way of handling data. But the complexity comes in when I'm a multi state business, having US citizen data or North American data, pulling Canadians into Canadian data, into the US, or vice versa, what do you do with it? So we complement Data and More. In a way that Data and More is the tool that helps you do the discovery. We help you come up with the actions and the so what? And what do you do next and how do you stay safe?

Okay, so can you guys maybe give us some examples of how companies and customers are actually using your technologies and services together?

I'll give you a few examples. We're working with some very large aviation organizations in Florida. We've got some extremely large cruise ships in California. And most of these organizations, they operate in different geographical locations. So an organization like where you got 20, 30, 40, 50,000 users, they're going to have tenants and data storage locations all over the place. So often they have to look at it through different lenses. Like, what kind of data do I have? Where is it? Where is it located? But then also, how am I dealing with compliancy in California? Well, we're also going to London. Okay. How is it with GDPR? Well, we're also going to Florida. Okay. Now, how do we need to be compliant there? So once we start being able to identify the different sets of data, we're able to make those assessments.

And you can look through different lenses. But in the end of the day, Kevin, a tool is still a tool. So I often like to call Nim the CIO whisperer, just making a joke, of course, of the TV show. But once you have the ability to be able to identify data, and honestly, it's only going to be more and more important. The IDC estimates that 80% of all business information will be unstructured in 2025.

So the trend of where we're going is that it's going to be messier and messier, and every organization that we talk to, we essentially just say, and I like to make this a habit, and people who listen feel free to correct me, but I call out every CIO I talk to, and I do this from the largest companies in the world to the smallest, and I say, you really have no idea what kind of data you have. In the last few years, I have never been corrected, because no one dares to say I do. There's a lot of unstructured data, there's a lot of different platforms, and every time you think you got it sorted out, there's a new product or a new component coming. You use third party tools, and data breaches are increasing like crazy.

So when you're in the process of really bringing structure to the madness, where you can essentially say, it doesn't matter where you are in the cloud or on prem, you're still dragging that f drive and drive or something else around. Being able to identify data, that is one thing, but to really have a strong data governance, to create awareness, not just in the organization, but also the ability to be able to deal with it, that's kind of where Nim and I play a good role. Good part and good complementary services there.

Okay, Nim, anything to add to that?

No. Jaap really summarized it nicely. I mean, one fun story. I'll give you a Canadian example, just to put that North American context, in large commercial real estate, customer that has a global footprint is investigating data within the organization and profiling what is it that each user has in the company linked to them that is a company asset, and then determining, using Data and More, how much risk each person carries by department by function, because we're able to tell them, hey, look, so and so has all these passports or driver's licenses, or credit card information, or employee information in their email, in their OneDrive, and Teams in their file server, wherever it may be in the company.

And now you can actually look at risk through a different lens, which every CFO likes to understand when it comes to risk management, is how much risk do we have per employee? Who are our riskiest employees? And if something goes wrong, how quickly can we say what was associated with these people that got breached, and how severe is our data leak? Because what we're doing is bringing transparency to what unstructured data exists within your company. A lot of people don't have that lens today.

Yeah, that makes a lot of sense. And it's probably. You get this question all the time, but where do people start with this? Because obviously there's going to be people listening where it's just like solopreneurs all the way up to maybe some large enterprise and kind of everywhere in between. So where do people start? Because obviously it's easier to implement security day one, when it's just me, but if I've been operating for a number of years, and now I'm starting to think about this, it's a lot more challenging. So can you maybe give us some thoughts around that?

Sure. So my first question to any organization is, implement security is great, but what exactly are you securing? And nobody, like, think about it yourself, Kevin. Every car agency, car rental, or you buy something or you go to your bank, how do they ask you to provide information? It's all email. So then how do they store it? Well, surprisingly, there's a lot of file drives or third party systems. And when you look at the average cyber attacks, 40% of the hackers are actually fully focused on the SME market, small to medium organizations. Why? Because they're more likely to give away their information. Because nowadays, particularly with AI, people need to understand is that usually when, or maybe I should take it back a few years, because our association with hackers is that people sit behind a computer and trying to hack your server.

But nowadays hackers just log in. All they need is just your credentials and they log in. And we see this everywhere. But it's also a multifaceted operation because now we're also dealing with third parties, organizations that host your software, your tools, your everything. So this week, for example, a whole province in Canada, in Nova Scotia, they used a tool called MOVEit to move their data. And in the process, a lot of their data and the customers' data, over 100,000 users was compromised. So now they have to go through what many organizations are going through is what happened, what do we have? And there's at least 26,000 students that got compromised. There's a whole bunch of pension plans. There's even as simple as a parking ticket was compromised. Now luckily, no SIN number was compromised, which is amazing.

But we're going to see a lot of cyber threats. Like AI is absolutely fantastic. When you apply it to the right data modeling, it can be absolutely phenomenal, but it's also used in a lot of wrong ways. And you now have entire platforms that are branded as hacker as a service. So the phishing emails are going to be significantly more advanced, particularly as the next few months go by. So you can almost anticipate, just assume, that members of your organization are going to be compromised. And it's not some big white server. I mean, it might happen, but it's not some big server blowout. It's people literally just logging in.

So one of the things that now is coming from Europe that we have in GDPR but not yet in every state or province in Canada, is just legislation of what do we do with it, because then you have to identify what does one person have access to in my system. So instead of just building these ten, five or 50 layers of protection, you now need to be able to identify what does a user have access to when they are compromised, what files have been compromised, what do they have access to within these files, who is mentioned and anything else. So the game is changing a little bit where almost instead of implementing security, as you said, we need to now anticipate of when I get compromised, when a person logs in that isn't that person, what are my consequences?

And this is part of the GDPR legislation that is now making its way down into the North American continent. But those are all questions that have to be asked and that's not even dealing with any of the normal daily tasks from HR and just the ability to make data driven decisions. It's something that everyone's talking about, but no one's able to do.

That's right on point, Jaap, because when you asked that question, what came to my mind was secure. All the things. That little meme of that girl in a pink dress jumping, screaming, that's what every CISO is doing. Secure all the things. But when you ask them what are, you know, that really doesn't help when something goes wrong, when compliance wants to know specifically what went wrong, what was missing and where did it go? And for the solopreneurs and all the kind of smaller companies that are listening in and saying, hey, security is big, it's expensive, it's hairy, I don't know what to do. No, it's not. It starts with you taking responsibility for data. So that means if you're going to partner with somebody, ask them about their data posture, what are they doing for you or your client?

Whether it's an IT vendor, a business supplier, a third party that's offering you services, ask the questions. And if you take responsibility for the data that you're going to be brokering in your business, whether you're one person or 1000 people, that's where it begins. So start by asking questions so that you're doing your best to be data aware and data secure.

Okay, no, that makes sense. But some of this, obviously this stuff's a lot easier if you're more technical. What if you're not technical? What should I be asking as a non-technical person about actually caring about this stuff and starting to make my business into a security focused company?

I'll take that one first. Yep, it's simple. There's some basic consumer rights in the US, and they rotate around about nine different points. And it's the right to access data, right? Who has the right to access this information? The right to correct data. So if I gave you the wrong information, I should be able to correct it. The right to delete, if I choose for you to no longer be associated with me in any way, make me disappear in your system. The right to opt out of certain data processing and the right to portability, to take my data somewhere else where I want to go. Opting out of sales, opt in for sensitive processing.

So if you're asking for my SSN or if you're a mortgage broker and you want my tax information, well, you have to ask me first to explicitly use that information and then opt out of automated decision making. So if I don't want you to use my data for AI, I should be able to tell you what to and not to do with it, and then private right of action. So the information that you and I are sharing together are all confidential, and we both have to discuss how it's going to be used and what it's going to be used for. These are simple questions that every sort of state driven data compliance framework is looking at right now. The states that have kind of adopted this are California, Colorado, Connecticut, Indiana, Iowa, Montana, Tennessee, Utah and Virginia.

But shortly behind them are sort of Delaware and New Hampshire. And some of the other states are kind of trailing a little bit behind. But these are basic questions, and even GDPR follows the same principle.

It's also an interesting one when you're talking about data. Also be aware that not all data is equal. There's all kinds of different types of data, different sensitivity levels. You got consumer data, you got PII data, you got health information data, you got data that you're allowed to store, but only for a certain amount of time. There's consumer data. It really depends also on what you're doing and what you're building and how you're using it.

So start with the assumption that not all data is equal, and then be able to provide policies, not just of this is how we want to work, but enforcement of how we want to work, how we must work, and really how we're able to work and having a vision is absolutely great, but the days are over where essentially you're building a Frankenstein of servers and all kinds of applications, and you're just hoping for the best. All conversations that we have nowadays, people have their own systems, their own file drives, and 90% of the migrations that we currently encounter is people trying to get off it. Now, the original plan of SharePoint, at least back in the days of WSS and MOSS and everybody else, was really about the centralization of data forms and processes.

And it's not just about the data you have, it's also where you have it and who do you give access to? So what we actually find more and more is organizations that are being targeted by their own vendors for marketing purposes. So without giving you any names, there's vendors where you pay them to store your data. And it's, of course, some super fancy proprietary system. And in some cases, what we find is that those vendors start emailing their customers. In the case of, for example, a CRM system, they start emailing the emails that they find in their own system and be like, hey, did you know that you can communicate better with Kevin if you're also on this platform? So your data is now used against you if you don't manage or store it accurately.

And then of course you can start talking about the whole system of Google versus Microsoft. Where do you go system based, or do you go more into everything is provided for you kind of system, but people build their own Frankenstein, whether that means that you have 20 different systems, 20 different tools, and there's definitely an argument to be made, but there's also a point across where it's too far and it will work against you, particularly if you're managing company and people come and go, and suddenly the next person, they inherit this Frankenstein that you built, and you're gone. And as an owner of the company, you now have, for example, new CISO, new CIO, or director of IT, and they have to deal with this thing you've built and they don't know what it is. So they inherit this whole cluster of problems.

They can't delete it because they don't know what's in it. And then you find in that 15 years later, they're still dragging around this Frankenstein and they don't know what to do with it. So a lot of the conversations that we have is more, again, about bringing back what really matters, what really is important, decentralization of data forms and processes, but also limiting risk, accepting that not all data is equal, to assign the right locations for the right sets of data. And then when you apply your components of security, you actually know what you're protecting. And those are a lot of the conversations that we're currently having.

Okay, it makes sense. And I've thought about this a lot, and you probably get this question a lot too. And especially coming from a startup perspective, I know when people want to delete their account, they basically expect they're completely wiped out of the system. In reality, a lot of companies actually just deactivate them because the idea is if they end up coming back, everybody gets, or not. Maybe I should not say everybody, but a lot of people get angry that they can't just pick up where they left off, even if it's been years. Do you agree with that? Or what are your thoughts around that? And how should software implement what I just outlined? Or should it's just like, no, you said you deleted it's gone. Sorry.

Yeah, there's of course a legal component and there's of course a practical component. So in Europe you have the right to be forgotten and it doesn't just apply to your name. So, for example, I work for Data and More and I jump ship or go somewhere else. Or get fired or something happens, I have the right to be forgotten. That means that not just my account needs to be deactivated, any private emails, but also any attributes, anything documents, or any application where my form of PII information is relevant. So my name, legal name, phone number, different email addresses, those type of things, they may not exist outside of a specific HR system, but the reality is very simple. People don't know what they don't know. And that seems very cliche.

But if they don't even know what kind of security levels and security data they have in their own systems, how do you expect them to know where my legal name shows up or my passport number shows up, or my credit card information shows up or details about my salary, ethnicity, or any form of PII information shows up? The answer is they simply don't know.

That's a good point, Jaap, because a lot of companies use a tool called Active Directory, and it's easier to just disable somebody after they resign. Quick get. And, you know, I can't tell you the countless number of times you've gone to an organization and there are a history of terminated employees, some deceased employees, and their Active Directory is intact, their mail folders are intact, and guess what? They've been backing it up for the last 15 years as well, right? So when you look at it holistically, it's not just for privacy sake, but it's also for relevance sake, because you don't want to get caught with data that's 15 years old and irrelevant.

If the sort of duration of validity of that data is no more than seven years, you probably should have a policy to, a retention policy within your organization to talk about, what are we doing with it? These are things that people forget. And Jaap is absolutely right because they just put it away, think it's disabling, it is fine. And then they get caught with information that is completely irrelevant and well past its time. It starts with establishing some hygiene rules and policies in which these things need to be handled. Data is a serious matter. Don't take it for granted.

But also from a practical point of view, we're talking about legalities here, like, what are you allowed to do and what are your rights and these type of things. But every CIO that I've ever spoken to gets tons and tons of requests from HR, and it's all about the right to be forgotten. Like, what do you have on this person? So when we have these conversations with the CIOs and we're like, no.

Well, we identify and we classify any of your data, we enhance your security, but we also enable you to really identify what do you have on a person according to attribute 12345, the ability to be able to pull up reports like this over all your data and all your repositories in practically 10 seconds, instead of having four or five guys on a team working full time on requests like this. It's something that doesn't yet exist, at least that I know of. In North America, there's a lot of organizations that provide search tools, right? We're going to crawl your entire system, come back three days from now, and we'll show you what we've got. And so there's a big conversation now about how do we actually move from searchability to findability. Because being able to search is fantastic.

There's tons of organizations that claim to be able to do so, but how do you actually identify, and how do you actually find everything that you need to know related to your data? And those, honestly, are super interesting conversations that we have, because it's one of those options that is fairly new into North America, but it's going to become relevant extremely fast, not just from a functional point of view, like, hey, I need to know what I have on a person because it applies to so many different levels from a user point of view, an HR point of view, compliance point of view, but also you can really help to identify what happens in a data breach. Oh, this person got phished, and basically their credentials, they've been logging in, they've had access to whatever they have access to.

To be able to identify that in a matter of minutes, to be able to identify what data is compromised and who is impacted within a few hours, is absolutely gold. And when we explain this is something where the average CIO just starts sitting back and starts paying extreme attention because these are not necessarily tools that they have access today.

Okay, but how do you actually do that? Because it's easier said than done. And I would put myself in an example. Is a perfect example is I have my own computer and I consult for a bunch of companies, right? And they all have different security policies. I'm on a Mac, I'm on a Windows machine, I have Android phone, I have an iPhone, I have an iPad. So I'm a pain in the ass, just as one person, never mind a company of tens or hundreds of employees, right? So how do you manage internal, external, multiple devices? Because Chrome, I can store all the password, whether I use a third party password management solution. Chrome stores some passwords that are my personal ones, stuff I work on and that kind of thing. So how do you actually handle and kind of grapple with that?

Because that's incredibly complicated.

Yeah, well, you're entering the space of user versus company data and user management versus company management. So we operate very strongly on the server or the company organizational side of things. So we don't necessarily have access to your data, your laptop. We don't make any of those connections. We simply help organizations to structure their data on their servers the way data is structured and unstructured data. But you're going to enter a conversation, like you mentioned, the example, I store stuff on my laptop. Well, even on your laptop you can activate a function called indexation and it basically says, do you want to index these files so you can find them quicker? And that's essentially the conversation that we have with organizations because when you enter the search space in the findability space, they have a few different options.

You can use queries, you can use federated search, and essentially you can activate crawlers. And what they do, in short, is they just start scanning everything that they can scan and provide you the results according to your query, right? So you say, I want to find a passport. So it might go through some files, it might pick up some text, it might pick up a title, and then you'll get some results. And based on those results, then you can define what you want to do with it. What makes us difference is that we work with some of military agencies and secret agencies. And the reason is simple. We have index station servers that exist within your firewall so the data doesn't leave your organization. We connect to your different repositories. No agents needed.

We just use service accounts and we start indexing every piece of data that you have. So every file gets tackled, every piece of metadata associated with a file gets indexed. Every picture we encounter gets OCR. So we see a picture, it's called one to three, four, five, but we find out it's actually a passport. So we pick up the name, any form of relevant data that we have. So we end up with an index of your repositories in your firewall. Doesn't go anywhere. And then one of the cool things we've done is we spent the last seven years building a classification engine. And essentially it exists of a compilation of rules and anti rules of what exactly is a passport. And so it's not just, oh, look, we picked up the name passport in a file. This must be a passport.

No, there's a whole collection of, well, it must have a name, it must have a picture, it must have this or that. And the same applies to schools, unions, or even rhetoric like, what is sexual content? Or when you email a boss, like, hey, this is how much money I make. When do we pick it up? So there's also a lot of anti-rules or false positives that we've been collecting, and we've got this in about a dozen languages. So when you have people emailing back and forth in Spanish or French or Portuguese or English, it really doesn't matter. It's about a dozen different collections. So we have millions of lines of codes and we classify everything, and then we present the data on the spot through different lenses.

So when we talk to these big geographical locations, we just apply a lens to CCPA and we can say, okay, we can apply, for example, you have some tenants in California. Here's how compliant you are according to CCPA. Well, okay, great. But we also have GDPR data. Okay, so we look at it through a GDPR lens. Oh, we also want to know where my most sensitive or my most secure amounts of data, and then we look at it through a different lens. And so the ability to be able to index data allows you to provide lightning quick access to any search results that you might have.

Got it. Okay. And then do you allow certain people to VPN into this data, or how do you access that outside of the organization?

Well, we don't want to have any access outside of the organization, but basically it's a management tool that provides you any and all insights on what do I have, where is it located and what do we want to do with it? So that's usually where Nim comes in because he works with a lot of CIOs. And it's like, okay, now we have a dashboard. We're going to present to you any and all types of data based on different lenses that we have. Now, what are we going to do about it? So do we need to delete certain data? Do we need to archive it? Are we migrating? What was the purpose of this exercise? Do you need a tool to manage it? And so those are a lot of the most interesting conversations that we have.

Got it.

Kevin, over the last couple of generations, we've had some significant cultural shifts in the business of technology. Right? Cultural shifts to adopt the Internet, cultural shift to move to the cloud, cultural shift for IoT and sensors. And we're kind of in that space now because we've commoditized data so greatly in everything that we've done in this now fourth industrial revolution. It's all about data. Data, right? So the next cultural paradigm shift is creating the culture of being a data driven organization. That change is tremendous because we've all just taken data for granted. I mean, you said so yourself. You got a tablet, a phone, a Mac, a pc, and two different watches, and they're all gathering all kinds of data on everything that you do.

But we as a species never sat down and said, hey, so what's the big deal with all this data that we're gathering about ourselves? Right. And that's the era we're entering right now. It's huge.

Yeah. Interesting. It's really complex, right. And I guess in some ways there's going to be. I put myself in this category is like certain companies I trust more with my data than others, I'm willing to give certain companies more of my data. And it's really almost dependent on the person and their comfort level with things. Right.

You got to question everything, because even your mortgage broker asking you to send your income verification over email to their gmail or their business email is kind of sketchy because you don't know how that information is being handled, managed and stored and where it's sitting and whether or not it's being destroyed after its intended purpose. Okay. These are questions to ask, but okay.

If they say, yeah, it's fine. Is there anything I can.

Show me.

Okay.

I mean, I had it out with my mortgage broker a couple of weeks ago. I was just like, dude, show me. Prove it to me. Oh, well, I work for a big bank. No, that's not good enough. Show me the policy. What happens to this? Where is it sitting? And I actually got them to send me an email after everything got sorted out, saying, I hereby are notifying you that all the data that you had shared with me is now deleted and no longer in my possession. Interesting, because now if something goes wrong and my data did get breached, I have it in writing.

Smart. Interesting. So you basically need to look out for yourself with everything that you do, which is, I guess, not really any different than before.

Yeah, exactly.

But it just gets more real. Like every hotel, every car dealership, anyone that deals with a tremendous amount of PII information. And there's a lot of these third party brokers, and they're all small shops, like what Nim said, with their own little Gmail accounts. And it makes total sense because it enhances competition, which means you can keep the prices down, but everything has a cost.

Yeah, well, and how many big organizations or governments or cities or whatever have been kind of ransom hacked in the last few years. Right. And a lot of them have to pay it because they have no choice.

Yeah, we actually deal with some of the companies that are going down. We actually also deal with some of the companies that hire us to be able to do exactly that. We got hacked now, but we deal with it. Even for small companies, the average cost of a cyberattack is about 200k. For big ones, it's at least 6 million.

Wow.

And when you think about it, in North America, there are roughly 450 cyber threats every minute. And at the moment, at least 60% of organizations do not have any form of prevention plan. And with AI now being released to the world and all the hackers just jumping the gun, they're not waiting for us to do anything. And you can train, I get it. And yes, it's completely relevant and it's super important. But there comes a point, and I think we're there, where you can't train against this anymore. It's too much. And the waves that are coming our way, it's simply too much like the Russians and other countries, they do not share our values, they don't operate the same way, and they're just going to go absolutely bananas and they're going to use all of these tools.

And our organizations are still stuck in 2020.

In the same train of thought. When we're talking about state sanctioned attacks and focused attacks on NATO countries from non-NATO countries or countries that are currently challenging NATO organizations and NATO countries, this is a major issue that is happening worldwide. If you look at the total number of attacks per day, the United States, Canada, Israel, London, sorry, England, receive, I mean, it's mind-blowing statistics, but the reason that I find that we as individuals struggle with cybersecurity is because we are not coming together to form sort of a wall of strength. Instead, we're finding reasons to dodge the bullet of, should I spend more, do more, pay more attention? Because this is a lot of work, or I don't thoroughly understand it. Versus the bad guys. They're working together. I mean, look at ransomware organizations like Clop.

These are franchise organizations where bad actors work together, share the ransoms. But, dude, they got HR departments, finance departments, they've got a sales team and a recruiting team. They have come together cohesively and functioning in this ecosystem to come after us. But instead of working as a team, we sort of individualize ourselves. And there is this whole thing of cyber shaming or victim shaming, where when something goes wrong, we as individuals feel shy, scared, not sure of the consequences. We don't engage law enforcement. These are all things that work against us because if we do talk about it, we're going to educate each other. If we do raise our hand and say we need help, we are going to be stronger together. If we engage law enforcement, we're now allowing them to see the big picture of the threat landscape holistically.

These are all important things that we need to start doing again. It comes back to us creating a society of data driven culture. It is a paradigm shift that's happening right now.

I 100% agree with what you just said, but what I've heard from companies that have gone through breaches, and I think even there's been well known companies that have gone under because they had a breach, because they went public with it. So I think a lot of companies don't want to tell people because it ruins their business. And I'm not saying that's the right answer. It's just that's what I've heard from people. What are your thoughts around that? Because that's tricky.

Right.

With legislation coming around, they're not going to have a choice other than to talk about it.

Got it.

Right.

Okay. That's kind of what I figured you'd say. And I think makes sense. Right. Like, what are you going to do?

Power rolls?

But it's honestly like Nim is saying, it's almost sad. And like you're saying the shaming of the shaming culture, it becomes a problem because we are now promoting to hide our problems. We are now pretending that they don't exist so we can exist. And when you think about even in the last two to three months, companies like Anthropologie, Bed Bath & Beyond, Best Buy, Tim Hortons, Home Depot, Lululemon, bad smart, they all suffered from this. And because they're big enough, they have to report it to the legislature. But this happens.

Every grocery store right up here, we got a $48 million post insurance breach cost.

Wow.

With Sobeys, that's a lot of money.

Yeah. That's interesting. The other thing that I want your guys' thoughts on, because we're kind of coming to the end, is a lot of people think it's kind of a one and done thing. Like security is very much ongoing. Just like building new features in your application, you need to be ongoing. And it surprises me how many people don't think about it like that. Do you want to talk more about just, like, the ongoing maintenance and testing and kind of all the things that go into that?

Yeah, I'll give my 5 seconds, and then you can finish it with your genius right in at this moment. And it's not all doom and gloom, right? So we're not just trying to paint a terrible picture. What we want to do is we want to help organizations with the identification and classification of data, which is always ongoing because you're always going to have new forms of data. But once you get on top of it, then it's almost like an incremental form of maintenance that doesn't have to. It's kind of like cleaning your room. Right now. You're looking at. You're a hoarder. Everyone I talk to, you simply, you're a hoarder. You watch TLC or your kids or whatever, you're a hoarder. And what we want to do is we want to clean up your room. We want to be able to identify it.

And then when something falls, we just clean it up within the next few months. And it's not one of those things because data just keeps coming in and you're always going to have change. Like the only thing certain that is change. Right. So we need to stay on top of it. And the second you let go of it, then, yeah, then that's where the problems really begin.

Makes sense.

You got it?

Yep.

I mean, Kevin, I got a question for you. Do you work out?

Yes.

You hesitated a bit.

Well, it's not as consistent as I would like it to be. I'm working on it.

That's what I wanted to hear. That's the answer I wanted to hear. It's not as consistent as I'd wish. Because how many things in life do you know that got better on its own or without generated results, without some sort of discipline and consistency? Not a lot of things. You want to lose that 20 pounds, you want to get that summer six-pack. There's a sacrifice involved in getting there. And the moment we start taking data hygiene and data health, we stop taking it for granted and we start looking at this as something that is truly important, measurable, monitorable, manageable, and has a result driven outcome for ourselves as people and as our business and as a society. This is when we're going to get better.

So just like going to the gym every day, just like making know you don't sit there eating KFC all day. Let's look at security with that same lens. What more can we do every day to establish discipline? What more every day could we do to establish consistency? How can I change my mindset that says data is a priority? Just asking yourself when you're filling out a form, and somebody says to you on the form, hey, give me the three digits on the back of your credit card. You got to be able to look up and say, dude, you don't need the three digits on my credit card. That's a secret code that only I need to have when I have the plastic in front of me. Right. That CVV code, you should not be giving that out at all.

A lot of people don't know that. A lot of vendors don't know that. So they ask for it on the phone or on forms and online. So just one example. Discipline, consistency, attitude of change.

Yeah, makes a lot of sense. Any other advice from either one of you, or both of you, and anything else that you want to mention to close out the show?

Maybe you want to go first.

I got one thing I'll throw in. I'd say ask for help. You know what? If you heard something in this show and you think, you know what? I want more clarity. I don't understand it. There are no stupid questions. So reach out to Kevin. Reach out to us. There's no cost, guys, to talk and help each other and share information so we get better as a society. So ask for help.

Yeah, my $0.05 is, it doesn't have to cost an arm and a leg either. But it is about structure and systemic change, and we want to help. So Data & More is able to help, particularly on the side of data, and welcome any conversation about it.

Perfect, guys. Well, how about we close the show with each of you giving, where people can get more information about each one of you and any other links you want to mention.

Sure, Nim.

Happy to do that, guys. So, yeah, nim@criticalmatrix.com. Criticalmatrix.com or look me up on know. I'm advisory first. I'll answer any questions anytime, all day long, to help everyone make more informed decisions on how to be safer and be more successful at your business.

Yeah, so, Jaap, you can look me up on LinkedIn as well. It's spelled J-A-A-P. There's not too many of those around, so you should be able to find me. And Data & More is committed to make the world a better place. So, particularly if you are a non for profit, we got extreme discounts because we're not necessarily in it for the money. Obviously we're not a non for profit. Yes, we have bills, but particularly if you're non for profit, please let us know, because if you truly make the world a better place, then we absolutely want to help you.

Very cool. And I'll post all the links in the show notes as well. But Jaap and Nim, I really appreciate both of you taking the time out of your day to be on the show, and I look forward to keeping in touch with both of you and have a good rest of your day.

Thanks for having us.

Kevin, thanks for having us.

Kevin thanks guys.

Thanks for listening. Please visit our website at buildingthefutureshow.com to join the free community, sign up for our newsletter, or to sponsor the show. The music is done by electric Mantra. You can check him out at electricmontra.com and keep building the future.