Q: Welcome Brian. We’re excited to have you join us and share your views on modern data+AI security. Can you give us a quick introduction to yourself?
A: I’m Brian Castagna. I’m the Chief Information Security Officer at Perkin Elmer, and I lead a global security team for our company in protecting our business. We’re manufacturing and services.
Q: You’ve had a very successful career in cybersecurity to end up where you are, but how did your career get started?
A: My career journey began in 2004 and Enron just fell. And it was the first year of Sarbanes Oxley 404. So I was a part of a small group at KPMG that was in the IT audit profession and doing our IT audits for SOX 404. Now, I vividly remember driving my Volvo station wagon into the Waldorf Astoria valet and hopping out in my skin tight suit in a panic because I was 22, I’m at the Waldorf Astoria, and there’s a valet and I have no idea what I’m doing. And that was, you know, a start of a career journey, working at KPMG and Price Waterhouse (PWC) and at the time, a company called SAS 70 Solutions, which was a startup for SAS 70 audits for technology companies. And I did my work in IT audit and public accounting. So at about this point in my career, I figured out that people do not like auditors, and I wanted to not just find the problem, but I wanted to fix it. So a mentor of mine, Doug Graham, hired me at EMC, and that was my first security job. So we’re around 2011, 2012, and since then I’ve been building and scaling security programs, mostly at venture backed companies, typically B2B, typically SaaS companies, and typically high growth.
Q: Obviously you have a lot on your plate, as the CISO with applications, cloud, endpoints, networks, email, third parties all needing to be secured. Similar to all these where dedicated security platforms have emerged to meet your needs, Do organizations need dedicated tools, such as DSPM focused solely on protecting data?
A: Yes, absolutely. My SOC manager once told me, Brian, it’s all about the data. Now, when I think about data security, I ask myself, why are we in security? Like, what are we here to protect? And we spend a lot of our time chasing vulnerabilities, chasing access management issues, but why are we doing that? Why are we concerned about vulnerabilities? Well, we’re concerned about it because it’s gonna lead to potentially data leakage or data loss, potentially the data theft. It could be leading to a ransomware of our data or a very sensitive data loss around PHI or PII. Same thing for access management. Why do we care about access management? We care about access management because somebody unauthorized can access what? Our data, right? Or somebody could access our data and then take our data. So when I think about, does data earn that spot, you know, with endpoints, with network, I say absolutely yes. Now, are there use cases where it’s a little bit less important about the data? I think so, right? You can say that. Let’s say DDoS, for example. DDoS attack, what’s the issue? Availability. However, when you think about it, availability to what? Availability to the data.I feel very strongly that data security posture management technology is required technology for all of us. And why? Because it protects what matters. It protects our crown jewels, the data.
Q: Ownership of data is an interesting debate – a lot of time organizations and specific users in the organizations are really custodians of the data, and not the owner. How does that complexity translate to the security of it? Who should own data security within an organization?
A: When you think about data security, I’m responsible for protecting the data as a CISO, but the business owns the data. And, you know, that relationship and the way that we work together i s really, really critical. So for example, you know, business stakeholders within IT and engineering, for example, they’re gonna manage the data stores. From the legal team, you know, they’re responsible for data from a regulatory perspective, right? Whether that’s GDPR or other regulations. You know, a CFO, they’re very concerned about public company data, for example, and the financials. And other stakeholders like research and development, intellectual property, you know, that can be the keys to the kingdom, the crown jewels, right, for the company’s data. So it’s very much a partnership and a shared responsibility.
Q: Do you have any advice for what things other CISO’s should ask when looking for a DSPM vendor?
A: So when talking to a DSPM vendor, there’s three things that I would focus on. One, scale. Are we talking about DSPM being able to handle gigabytes of data or petabytes of data? How about within a data warehouse? And selecting a DSPM vendor that can scale like your business does and the type of data requirements you have is critically important. Second, deployment models. Having flexibility for either a SaaS deployment or an on-prem deployment, whether that’s deployed within your cloud infrastructure or whether that’s deployed on-prem within your infrastructure that is on-prem. Having that flexibility, I think, is critically important. And that helps both meet requirements from your security team, as well as providing compliance requirements and flexibility as well. And three, think about enterprise compliance. And enterprise compliance is extremely important for all of your security tools, and especially your DSPM. So making sure that they have audits such as a SOC2, right, for a SaaS model, or if you’re gonna be deploying within your own infrastructure, can they support FedRAMP, for example.
Q: Obviously it’s important to evaluate your DSPM performance before rolling it out – there is a lot of good marketing hiding poor technology out there. What are the important attributes that you look for in a DSPM?
A: So one thing that I think is really important in DSPM is how precise is your DSPM. You don’t want false positives going to your SOC. So if you had a number that looks like a social security number, but really isn’t, and then your SOC is running around trying to figure out if there was a data leakage incident and where, that’s a waste of your time, and it’s a waste of the security team’s time. So being able to have technology that does have that level of precision is really, really important for your SOC and for your team.
So when you’re thinking about precision for your DSPM, it’s not just about being precise about identifying the data types that you have that are sensitive. It’s about the mapping between those data types and who’s accessing them. And that precision, being able to really see that there really was access or there really wasn’t, and with a high degree of confidence, know that that’s not a false positive, is super, super important.
Q: So we’ve had DLP tools and data classification tools that claim to solve data security previously. In your mind, how do you think about DSPM and these other tools?
A: In today’s security market, there’s a lot of technologies now that you turn them on and they work, right? And as a CISO, selecting vendors that have the ability to be easily configured, easily up, right, and easy to maintain is critically important for my security program. Now, when I think about DLP and DSPM, you know, DLP, I’m thinking about protecting Word documents going through emails, right? When I think about DSPM, I’m thinking about the breadth and the depth of the capabilities really being so much more than that. And, you know, that can be protecting SaaS applications, cloud data stores, on-prem data, and the ability to protect those crown jewels.
When you think about data classification tools, for example, you’re identifying sensitive data types, but without linkage to identities, whether they’re human or machine, about who’s accessing that data, the value of that technology is really limited.
Now, what I find great about Symmetry Systems, right, and going through a demo with them, is having ah-ha and then ah-crap moments. So the ah-ha moment is I didn’t realize I had all of this PHI and PII in a cloud bucket. The ah-crap moment is I didn’t realize that there was unauthorized users within my organization that can access that data, or machine identities that can access that data. So those types of moments, right, are critical when you select a vendor and have a demo. You know, another ah-ha moment that I’ve had with Symmetry is not just the types of data in those buckets, but say it’s dormant data and it hasn’t been used. And if you have dormant data sitting, that presents both a security risk, but it’s a financial risk, right, and a financial opportunity. So when you’re pitching your CFO, right, and you want to save on cloud costs, well, we have, you know, 25% of our data that we haven’t used in two years. Let’s talk to the business, right, as part of that partnership. Do we really need the data or not? And if we don’t, that’s a financial win for the company on top of the security win.
Q: What are examples of outcomes that a CISO should expect and be aiming to achieve with DSPM?
A: So to be successful in securing your data, it’s gonna be an iterative process, right?
And you need to find out where you’ve started as a baseline first, and for a lot of organizations, you know, the baseline where you’re at is not great. And that’s pretty normal for a lot of different companies. Now, first is the cleanup process that you’ll be doing, and both the data and the identities. And let’s say, you know, there’s to % of your data that can clean up. It’s in the wrong place. You’re not accessing it like you need to be from a security perspective. And that is the first step and the first iterative improvement. Second, I would say is the monitoring and sort of the ongoing monitoring of that data that you’ve cleaned up and who’s accessing it and when, and whether they should be accessing it. Now, longer term, as you’re moving towards a more optimized state, you know, thinking about it from the perspective of, am I able to leverage the work that I’ve done to further compliance, to further regulatory requirements that I need to meet about my data? And then can I use the work that I’ve done to present to auditors? And that’s a huge value proposition that I feel with DSPM is important as you get through into that optimized state. And, you know, the other part is you’re reducing business risk. I mean, that’s the reality of it, whether it’s from a security perspective, whether you’re improving from a financial perspective and getting rid of that data. And that’s a win for the entire company.
Q: What is the impact on your broader cybersecurity program?
A: There’s a lot of different technologies within our cybersecurity tool chain. And the important part is that those technologies are not noisy and are not finding false positives. So by utilizing a DSPM to help understand where your data is, who’s accessing it, and clean it up, that’s gonna improve our entire security posture. And it’s gonna help us with the rest of our tool chain, whether that’s our SIEM or our CSPM.
Q: What role do you think AI technology will play in threats to data security?
A: AI is here to stay. And if we use Microsoft Copilot as an example, business stakeholders are putting different data types into Copilot. Now, from a CISO’s perspective, there’s some policy enforcement requirements that we can try to enforce. However, what you really need is the ability to see who’s putting what type of data in that LLM and whether it’s sensitive or not. So in the healthcare space, if someone’s putting in by accident PHI into Copilot, you want the ability to see who’s putting that data in there, what type of data it is, and if they’ve made changes to that data.
With the intersection of DSPM and AI, one huge value proposition is the ability to create custom classifiers. So for example, let’s say intellectual property is very, very important to my business, such as CAD files or different specifications. The ability to train your DSPM to identify those as sensitive data types is a huge value proposition and really is gonna help enhance your security posture as an organization.
Q: Are there any specific implications to healthcare?
A: The intersection between data security posture management and AI I feel is a critical junction point for us to protect really, really sensitive data types in industries like healthcare. And I’ll use the example of the 23andMe hack. I send my DNA off to andMe because I wanna find out if I’m Italian, when you can clearly tell I’m Italian. And subsequently, my genomic data is leaked. And that doesn’t just impact me. It can impact my children, my grandchildren, their grandchildren. And what does that mean? It means in 2052, my grandchild might not be getting health insurance or life insurance or something like that. And that’s a crazy threat model to think about. That’s a crazy risk associated with health data. And the other things that I think about when I think about less extreme use cases, let’s talk about hospitals, health systems. Let’s talk about data providers that are processing PHI, my PHI or your PHI. And is that data properly protected? And maybe they have a DLP technology. Maybe it’s a Word doc and that stops it from going out to the bad guy or bad girl. But what about the object stores? What about the on-prem data? What about the years of data sprawl? So DSPM, I feel like is a must have for healthcare companies.
When you think about the regulatory and compliance requirements within the healthcare space, let’s think about regulatory law perspective with HIPAA and then compliance requirements with HITRUST. And our ability to say that we’re meeting those requirements is really dependent upon knowing where the health data is. And if you don’t know where your protected health information is, how can you really get compliant with that? So that is a critically important part of how I view DSPM and the value proposition with both HIPAA compliance and HITRUST compliance.
