27. Colin Bitterfield - Head of Security (Acting CISO) People Data Labs

Hello everyone, and welcome to another episode of the security podcast in Silicon Valley. I'm here today with a very special guest, Colin Bitterfield, the head of security at PeopleDataLabs. Welcome to the show, Colin. Thank you.

I'm looking forward to telling you all about all the great work we're doing here and how we're going to be the leader in this space in security. And that is our goal. Sounds very ambitious. Just to share with our listeners a little bit about your background.

It looks like you came up through the engineering side of the house. If you're on your LinkedIn, it looks like your first gig was with Sun Microsystems as a systems engineer. You worked for the National Security Agency for a bit, then joined the U.S. Army Reserves. You were a G-26 staff officer, intelligence and communications, along with a lot of very specific gigs in U.S. First Army and then U.S. Army Cyber Command. You were an information service officer there, chief of the data collections branch. Other roles in the Army Cyber Command include operations officer, cyber warfare analyst, senior cyber warfare analyst, and some adjunct professorships.

Then it looks like you cut into private industry as a principal infrastructure security engineer at Blackboard, in the D.C. area. It is.

I retired out of the Army in 2015. And I joined, I was tired of working in the basements of buildings. And I wanted some windows. So I went to the startup space, which Blackboard is still a startup.

And I helped them spin up their enterprise security division. And we wound up going through FedRAMP certification, all of that kind of cool stuff. I set up all the SIEM and the vulnerability management systems and hardening guides and all kinds of cool stuff. Before that, I did five years as a cyber warfare officer.

I had a big chunk of my life in the intelligence community. Wow. And after the war started in 2001, I gave up my civilian career, went back onto active duty. And I served there until 2015.

Wow. I retired out of the military in 2015 and went back into civilian, into the civilian world. I've been working with computers since the 70s. My dad was an engineer and I spent most of my childhood in a lab learning how to overclock systems that were in the megahertz.

We went from a half a megahertz to one megahertz back in the day. So I've been playing with this technology for like my whole life. I came to People Data Labs last March and I was supposed to be an engineer. And the next thing I know, I'm the head of security, running the IT and security department.

And the C staff here is extremely serious about being the leader in security. They gave me a corporate credit card and said, whatever you need, make it happen. Be the best. And here come all the things.

That was a really... Yeah, exactly.

I spent a fair amount of money in that first couple of months. I've heard that story many times, but I've never heard it in the context of just one day. So that's very impressive. You got the job.

You're starting on, I think it was like a Tuesday or something. And yeah, here's your corporate credit card. Like literally, first day you got your corporate credit card and we want to be the best in security. In the Army, we're used to like taking very short instructions and turning them into things.

You want to be SOC 2 in six months? Fine. We'll be SOC 2 in six months. And we achieved that.

And one of the coolest parts was we just went through an ISO certification, which by the way, is about 10 times harder than SOC. I don't know whoever said that SOC was hard. ISO, we had 20 people interviewed by the auditors. We had to show hundreds of pages of documentation.

But what was really cool is the auditors actually sent us back a fairly nice compliment about how well prepared we were and how everything was ready. I guess that's some of the military experience about being prepared for inspections. Absolutely. So before we go deeper into that, I want to share a very public, warm, and authentic thank you for your service and all of the time that you've spent in the military serving.

I know that going forward, information and cybersecurity are going to be a big part of conflicts and having the best and the brightest help protect the country is extremely important. So a huge thank you, Colin. I appreciate that. And I had a lot of good experiences in the military.

I served for 27 years. Yeah, that's amazing. I come from a little bit of some military in my family too. And so I understand some of the sacrifices that have to be made.

I don't regret anything I've done in the military. Neither did my father nor my grandfather. My grandfather served World War I and my father, Vietnam, and now my son serves. Wow.

Long family of service. I'm the, I was the only one that was a career though. My son may be a career, but my father and grandfather were to those wars. But one of the things the military teaches you is how to stay focused and keep your eye on a target.

And that really helps in security. You and I were chatting earlier about dealing with people. Sometimes people want to talk about everything, but the issue. It can take a while to dig in.

And so what really, I think, helped us achieve this certification was keeping things focused and not getting sidetracked by all the things that can happen. Like the 10,000 vendors that call you every week. Wow. I get a lot of calls.

Crazy SaaS startup applications. I'm like, I don't even know where the problem is you're trying to solve, but sure. I'll listen to you for five minutes. I get that on a pretty regular basis.

Very generous with your time. I give those calls like 30 seconds. I try to actually respond to everybody that emails me in a polite way. Thank you, but no thank you.

But I try to at least actually respond. Acknowledge the humanity behind the hustle, behind the person trying to. I guess they have good intentions. They're trying to help change the world for the better.

And sometimes it's just a different perspective and different set of values that drive it. My dad, my parents taught me to be polite. And I think ghosting people and not responding is impolite. I've had some guys send me some really nice sales pitches.

One guy wrote me like a, I don't know, like a whiteboard, like one of those little cartoony things. He was like doing this. I'm like, I love your ad. I don't need your software, but I love your ad.

And I wrote back to him and said that. But I do. It's like when we were interviewing, I actually reviewed, I don't know how many hundreds of resumes for positions. And even though I reviewed them all, no matter what the applicant tracking system said, because one of the problems is a lot of people don't know how to write a resume, especially for security.

It's really privileged that about 14 of my students had applied. I had, when I was asked to rehire, I went, I wrote job descriptions specifically for entry level for a program I was teaching. So basically if they graduated the program, they were fully qualified for the job because so many students talk about how they can't get a job. They go through a certification program, but people want them to be a purple unicorn or a dancing squirrel.

And what they're, the entry level positions really aren't entry level. Yeah. So I was very careful. I wrote a job description for somebody who had a year or two of IT experience and wanted to break into security and wound up actually hiring one of my students from University of Miami.

And the guy is incredible. Are they with you at the People Data Labs? He is. This is Victor Santo.

He is an incredible young man. He thinks like a senior person. He just needs experience. And he's incredibly good.

I've got another guy, Ruben, who worked for a game company for a long time. Really experienced. We have a really good team. One of the engineers on my team has been there since the company started, Sean Thon.

He's been there since the, he was, he was employee number seven. And he's now on my team. Also incredibly gifted. The, the thing that's really nice at People Data Labs is the whole company is a single team.

No matter what department you're in, part of the corporate culture is you don't need to ask permission to talk to somebody, just go talk to them. And so there's a lot of really fast action that can happen, especially when you need to deal with an issue. We've been very lucky. Our space is a crowd on the data space, but our intention to set ourselves apart is to literally be the best in security.

So the customers trust us. And we've been seeing that pay dividends. The SOC certification, the ISO certification has allowed us to interact with much larger companies and they trust us because we're taking the time to do everything right. That's right.

It's been a really nice journey. And additional security maturity with those certifications demonstrated through those certifications. I think a lot of people like really struggle with the certification piece of security. Yeah.

And I'm curious, did you happen to use like a vendor to help navigate those requirements? We did. Was it Vanta by chance or? It was Vanta.

Vanta was great. I deal with Michelle over there. It's a great company. In the last year and a half, I think they have tripled or quadrupled the number of tests they provide.

And now they've gone from SOC to an ISO into GDPR and CCPA. And I think FedRAMP is coming up next. By next year, we plan to be certified ISO 2717 and 2718 for privacy and GDPR. Because we have a growing business model in Europe.

So we're trying to really get the certifications under control and completely certified. We hired a head of privacy about six, seven months ago. Doing an incredible job making sure we're compliant with everything to do with privacy. And we really do everything we say we're doing, which is really nice.

I like the candor of that. That's good. I think a big piece of being in the security space is our most valuable currency is really trust. It is.

What's really nice is we use a couple of different vendors to help us with that. Whistic is another one. So our salespeople, directly from Salesforce, can send out a SOC 2 or an ISO certification directly to a customer. And part of the philosophy that I have and that my department has is to make security part of the revenue cycle, not just an expense category.

So about 30% of our time is answering RFPs. And RFPs are a real valuable lesson for security people to see what your customer wants. And a lot of people don't pay attention to that. So the first month or so I was at the company, I'm reviewing all of the RFPs and anything that was in RFP a customer wanted, I put it on a list and made sure we did it.

Literally now when a customer asks us, do you do this or do you do that? We can say yes almost without any exception across the board everywhere. So some things we might do a little differently, like our breach notification is 48 hours. Some customers request 24, but that's like the differential between what we do and what the customer wants.

And it's not much. And our goal is to really say yes to everything. And part of the thing that we started in the company more than a year ago was I got to talk to the whole company. I said, listen, security is here to say yes.

Our first answer to everybody in this company is yes. Just ask us. Our goal is to help you do whatever you want to do, but do it in a secure and responsible manner. And we rarely say no to anything.

But because we're open and people know that people will call us up and they'll say, Hey, is this a phishing email or should I be doing this or any number of questions? And they're not hiding anything. And that gives us a tremendous leap on solving problems before they happen. I think in a lot of companies, we've seen as the department of no, and if people don't want to bring an issue up because they're afraid they're going to get shut down or it'll affect their velocity.

But we've been able to establish trust not only with our customers, but our internal engineering departments and product and marketing almost across the board. So you built up that trust and then from that confidence that you're part of the delivery components. So people bring difficult problems to you and are optimistic of getting something aligned with the aggressive timelines that maybe are presented from a business perspective. So that's amazing.

That's that actually takes a lot of very dedicated, focused hard work. I know that firsthand. I always like to joke that there's two types of security people in the world. The type where there's one type where you will walk into a meeting room and everyone will go, Oh no, so-and-so is here.

And they're going to say no. And they're going to push back on the timelines and ask all of us to build all these things into this product. And it's going to just impact everything like in a negative sense. And there's another type of security person that will walk into that exact same meeting room that have exactly the same goals.

But they'll be perceived as a collaborator or someone who's going to work with the aggressive timelines and isolate out exactly what needs to be in the MVP and help deliver those things. And it may even end up pushing the timelines back a little bit to get some of those critical features in, but it's all in the perception that's different between these two. You may actually be effective at influencing change in your organization, but building that relationship around trust and delivery as opposed to control and arbitrary structure makes a huge difference. Yeah.

And our engineers on our team will actually go out, we have a platform and they're running behind on a project. We'll help them. If they need to put a security control in and they're just running behind because of a deliverable, our engineers will just roll up their sleeves and help with the work. And that's what I mean about the whole company operating as a team.

Because a year ago, we were 56 people-ish. Now we're 150 people. At 50 people, everybody was like rolling up sleeves and getting stuff done. And it's like, I was going through the ISO certification.

The auditor wanted to talk to the C staff. So I slack the CEO of the company and he hops on the meeting like 10 minutes later. That's the kind of support we're getting from our C staff. They will drop everything if we need them for something.

And if somebody needs something done, we get it done for them. Sometimes it's okay. What do you need? What help do you need?

It's like I tell our salespeople, if you need me on a call with a customer to talk to a CISO, I will hop on a call with any customer you want, anytime you want to close the deal. Because by shortening the revenue cycle, one of the goals in our department is to affect the revenue cycle by taking away the objections of security. Because that's about a third of most sales. Yes.

Do you have a SOC? Do you have this? Do you do that? There are questionnaires out the yin-yang, 500 questions and such.

And our goal is to take that away in the first 10 minutes of the customer meeting. Here's everything you need, Mr. Customer. Here's our SOC 2.

Here's our ISO. Here's our VSA questions. Everything you need so that the sales cycle is not impacted at all by security questions. In fact, the opposite.

You can turn those security teams and those potential customer deals into your biggest champions. Exactly. And so we really do see about a third of our time spent on helping the sales team. One of the first things I did was prepare questions and answers for the sales team so that everybody was giving the customers the correct and the same answer, not guessing.

Right. So we prepared a number of pages in our internal system and it'd say, okay, we have a SOC 2. This is what it means. Here's our policies.

Here's what we do. Here's what we don't do. And we prepared a bunch of sales materials. It was like one of the first things I did in the first month was prepare sales materials.

You wouldn't think that there was so much writing with security, but there is. But by doing so, we've gotten huge support from the entire sales team, from the platform team. And it's made a huge difference. I remember going into the SOC 2 audit and we had a week and we had to get everybody in the company security awareness trained and policy signed off on.

And the entire company worked on it for two days till the entire company was done. Wow. That's the kind of teamwork we have. That sounds like an amazing group of people.

Right. And you sound like you're very effective at what you do. You're very putting all of your great experience to use, but there's also passion behind it. I can tell.

And so I'm, I love learning. I'm super curious and I'm sure our listeners are, how did you first get into security? Was there something that drew you into this field? I'm not exactly sure about the security.

I was always interested. I was one of those kids who grew up when hackers weren't bad people. There were people who just wanted to explore the world around them and the technology that was evolving. It's a different kind of group than what hackers are today.

And my dad was an engineer in this biotech lab and we were constantly taking things apart and putting them together and making them do things that were new. I got a real passion for that when I was like under 10. And then in the late nineties, I got into the ISP business and I could see that there were a lot of misconfiguration issues leading to security problems. Yeah.

There was this, I can't remember the name of the company. It was a router, Ascend routers. That was it. They were really big for a while.

I don't know whatever happened to them, but they vanished. And I remember we were working on an ISP and we logged into an IP address by accident, like the wrong IP address. And we had root on somebody else's router. I'm like, this is not a good thing.

Oops. And so we contacted them, let them know that they were, they had the default password on there. You could just log into the router and make serious changes to a core router and they had no security on it. And that was like 95, 96, that timeframe.

Yep. And I could see the writing on the wall. And then I wound up working for this company, a team consulting group out of Charleston, Massachusetts. And they needed help with a security run on Novell as Novell was transitioning from IPX to NWIP, IP addresses basically.

So I helped them develop the routing scheme and their security. And I kind of got a knack for it. And at the same time, I was working in the intelligence community in the Army Reserve. So security and intelligence work together.

It's the same logic. It's very similar. And I just kind of evolved into that. And then in 2010, I was at First Army doing knowledge management.

And I got a chance to move over to what was the GNAS, which will become Army Cyber Command a year later. And that was a great opportunity that I took to stand up a new command. And so it was a really good thing. But I've always been interested in computers and seeing how they work and how to make them work better.

Yeah. Yeah. And it's funny, one way to look at security through the lens of QA, the traditional quality of cards, it's answering the question, hey, does this thing do what we intend it to do? And security through a very similar QA lens is asking a very similar question, but slightly different in that, does this thing do things that we don't intend it to do?

And picking something apart just to understand it and to see what can you do with it? Is it is actually something that I hear quite often and it draws in this passion just to understand. It's really is. And cybersecurity is a lot like warfare.

Although people don't always equate it that way. Everything that you do in a cyber attack is very much like Roman military tactics, probing, cavalry actions and things like that. So the military training I received really relates directly into the cybersecurity because you're looking at how things happen. What are the tactics?

What are the responses? When you're doing cyber warfare in a combat environment, which I did in Iraq, it's a very different world because you have different levels of things you can do that are just not possible in the civilian sector. Like shutting off an entire country from the internet. If you want to, we could do that or stopping an attack by dropping a bomb on the bad guys.

Can't do that in the civilian world. You can do that in the military, but it's very much the same thing as you would look at tactics. So if you like to play a game, like the perfect general, it's a lot like how a hacker looks at it. What's the first thing he tries to do?

Enumerate and probe your defenses. See what you're doing. Hackers are just people who read the manual better than the owner. Most of the time, if you look at most of the attacks, they're based on vulnerabilities that are known.

People should have put the mitigating controls in and forgot or just didn't get to it. Look at the Colonial Pipeline. No patch, just 10 years. What did you expect?

And the other thing I look at security is, is it's a lot like riding a motorcycle. It's not a matter of if it's a matter of when, right? Because the bad guy only has to be right once. You have to be right every day.

That's right. But part of the trust mechanism in cybersecurity is to make sure you did everything right every day so that your customers still trust you, even if there was an issue. And I know that doesn't quite sound like where cybersecurity is, but you have to do everything right so that you can actually say you did it right too from a trust. So we patch everything.

We update everything. We do mobile device management. Everything that needs to be done, we do it. And there's a couple of reasons why that most people escape them.

Like one of the things that people don't understand is why do I do security awareness training? I know what the bad guys are doing, right? How many times have you heard that? And I have these crazy engineers, right?

And so they'll say that to me. I know what I'm doing. Okay, here's the problem. What you don't know is if you don't take the cybersecurity awareness, our insurance won't pay off if there's a problem.

So go take your training. I don't care if you know everything. I need a report that says you did the training so that if we ever have a problem, the insurance company pays and our customers still trust us. Right.

So you're going to do that. And you're also going to take secure coding principles and secure design principles. Every engineer in our company takes by design training in addition to their security awareness training. I even contacted our insurance company to make sure there were no hidden, what do you want us to take?

You tell me what you ever you want from the insurance perspective and I'll make sure we get it. Right. And I actually heard back from them and they gave me a little list of things. I'm like, yeah, we're already doing those, but I still verified it.

I don't know how many security people actually call their cybersecurity insurance company and find out what the requirements are or even look at the policy. I wound up reviewing our policy last November and it was good enough. I didn't like it. So I actually talked to our CEO and I said, hey, I want to bump up our cybersecurity insurance to 2 million and I want a better policy.

Nice. So it covers more and it has a larger liability panel. Yeah. People don't realize what the cost of anything could be.

And sometimes, so part of my job is to make sure the company, I usually joke about that, is make sure we're not on the Wall Street Journal above the fold. You don't want to be there. No. No.

No. And, but it's how many cyber professionals do you think have actually looked at the insurance that's protecting them? Yeah. I wouldn't be able to say how many do and how many don't.

The, it's an important part of that blanket coverage. Right. Just to make sure you're dotting your I's and you're crossing your T's. And it's just like you'd never drive a car without insurance because a very brief lapse in judgment, an innocent mistake could really bring a lot of harm to people.

So the way I, the way we look at it is we want to do everything right. We're not just saying we're doing it. We're doing it. And part of that is to make sure that the organization is protected and our customers trust us.

And I've gotten into several meetings with customers. They're like, can you show me this? Sure. What would you like to say?

Yep. Vanta is really good because it allows us to email a trust report showing the controls on a 24/7 basis to our customers. And we do take advantage of that occasionally with some bigger customers. They really want to see stuff.

Yep. And we can provide it pretty much instantaneously. Every salesperson in our company can send a SOC 2 or an ISO certification in like less than 10 minutes. And it does automatic NDAs for everything that's required.

And the customer has all the security documentation they need, usually in the first meeting with a salesperson. It really takes it out of the loop. No, that's a very powerful position to put the sales folks in that coupled with all of the sort of the scripts that it sounds that you help write, giving them all the ammunition that they need. Really?

Yeah. I mean, the thing is when I first got here and a customer would ask you, they always have a list of questions that somebody read off of a Google page. Do you have a disaster recovery plan? Do you have a COOP plan?

Do you have this? Do you have that? Do you have the other thing? It was taking several weeks to get the customer the information that they wanted to make the decision to buy because it was a back and forth, a continuous back and forth with NDAs.

By taking that out of the loop, usually we don't hear from the customer a second time after the salesperson has sent them over the security package. I have only on rare occasion had a really big customer with a validation company behind them. They'll ask some more questions, but it's pretty rare. So it's a good position.

It actually shows a lot of value for security because a lot of companies look at security as an expense category, not as a revenue category. That's right. And by helping the sales team, we shift that position. So it's a lot easier to get funding for things we want.

And like I said, our C staff, if I really need something, I get it. Sometimes I have to wait a couple of weeks, but not longer than that. No, it sounds like Vanta is an easy justification for an event. Game changer.

It's a game changer. Game changer. So what's the best day that you've had in your journey so far at People Data Labs? Tomorrow.

The next day. The next day. Okay. So it's in the future.

I look forward to my job every day. Every day is something new. Every day is a new challenge. And none of it's bad.

Every time somebody asks for something, I'm like, yeah, here it is. We got it ready for you. Part of the work I used to do in the military was to dream up what bad guys would do and then solve it before they did it. And so we try to stay ahead of what the customers are asking for, what the industry is doing.

And so I haven't had an occasion yet. I'm sure it'll happen, but I haven't had one yet where a salesperson says, do you have this? And the answer is usually here it is and here's a link or we drop it into Slack and they have it in a couple of minutes. Every day is a good day here.

I'm working with incredible people who are incredibly focused on what they're doing. I literally have zero pushback from any engineer on security requirements. I have total support from the C staff and executive leadership committee to the things we're working on. What else could you ask for as a cyber professional?

This is going to make my next question extremely boring then because you probably don't have one. But was there a worse day in your journey so far? No. There's been some challenging days.

I can tell you going through an ISO audit for a week and it's all hours a day preparing for it for the week prior. It was tiring. I was tired. Sure.

But it didn't feel bad. I haven't had any bad days where I go, oh my God, I don't want to go to work. I've never had a day like that. Not in almost two years now.

And my team is the same. Everybody on my team, I get Slack messages like at crazy hours. I never, nobody's ever required to answer in them outside of normal hours. If you post something out there, it gets answered pretty quick.

It's just, it's really nice working on an A team where everybody knows what they're doing and everything's working. Part of the thing that I worked with our, with my team was I tell my team, if you can fix it, if you need help, ask for it. And if you make a mistake, we'll fix it together. But just handle it.

And so there's no mother may I, can I do this or can I, if you know how to do it, do it. Yep. And as a result, our velocity, we're running about on all IT tickets across the board of every kind, about a 40 minute resolution time. That's incredible.

And almost unheard of. Right now we have no open tickets in our queue. Cause I'm actually, I can see it right now on my other screen, no open tickets. And so the next ticket that comes in, it'll get answered probably in a few minutes.

Depends on who's watching it, of course. But everybody in the company is very, very happy about the service they're getting. And onboarding time is very short. This has been great policies.

If you need something to do your job, buy it expensive. Pretty much. Yep. And we're a remote company.

We're never going to be back in offices. We have an office in California and San Francisco, our headquarters. And we have another one in New York for FinTech, but no one's required to be there. That's for bringing customers in or working collaboratively.

We're a remote company and we have the best and brightest from all over the country. Half my team is on the East coast. Half my team is on the West coast. We all work together without any issues.

That sounds like a super healthy culture. I know. Team building is one of those things that leaders often take very seriously. Do you have a favorite interview question and what is it that you really try to get at?

So one of the things, and I teach this to my students as well. One of the things that tells me whether somebody's serious about this is what's their side project. What are they doing in IT that they're not required to do? Like I do 3D printing and I program Arduinos and I make all kinds of cool stuff.

And I built some stuff for my buddy sailboat. Yep. That's my side gig. I love doing that stuff.

Yep. If somebody doesn't have a pet project that they're working on or some new technology they're learning, they're probably not a good fit for the team. Everybody on my team has something they're doing like that. One, it could be anything, but what language are you learning?

Something. And in the interview, and it's like this, if you love the work, you're doing that. If you are just doing a job, you're not doing that. And it's an easy way to weed people out.

Yeah, that's fair. 100%. I always say that the best engineers in the world, I'll always have some sort of side hustle or a side project or new technology or a hobby that they're poking at. Just to understand.

Learn. And appreciate. And in my department, all the engineers have four hours a day dedicated to learning anything they want. Wow.

Every week you got four hours on Friday. They, we staff it so that nobody, we always have coverage, but if you want to take a class, anything, you want to learn Mongo. We're not even using Mongo, learn Mongo. You want to learn Oracle, learn Oracle.

You want to learn Python, learn Go, whatever you want to learn. But spend four hours a week improving your professional skills. Amazing. And that's kind of lesson learned from the army about it's called officer development of the ODP program, which is everybody should be being a better professional all the time.

And it's a great thing. And I pay for, I don't know, for some people it's A Cloud Guru. Some people it's LinkedIn Learning. There's another one, but everybody has access to an Amazon account if they want to do some Amazon work.

But the idea is to be a better professional every week. It'd be better at your job. Yep. Growth mindset.

And I'm sure it's the same in other departments. I just can't speak for other departments. I'm, I imagine that it's probably not too far off. And it sounds like a very healthy culture.

There are People Data Labs just in general. So I beat the front. It was missing. I watched the platform team playing on Oculus games together as a team after hours.

I watch all kinds of stuff. We had a great company get together down in Texas for the whole company a bunch of months ago. I don't remember. I think it was April-ish.

No. December-ish maybe. There's so much that happens every day. Me keeping a timeline on it's a little hard.

But we leverage our tools. And in a philosophy way, we make sure that we're using the vendor best practices. So we actually review them. We take a look at them.

Like I said, we're a NIST heavy shop. But we're also an Amazon customer for our infrastructure. So we make sure that we're following all the best practices of Amazon too. Perfect.

So if we fast forward into the future, and I'll let you decide like how far into the future you'd like to pass forward. But is there something, is there a gap or a tool or maybe a service that could fill this gapper that you wish someone would just step forward and build already that you haven't had an opportunity really to fill yourself? Or seem like a good solution for you? I'd like a couple of our vendors to grow a little bit.

But right now, we're focused on that page that Amazon has with all their certifications. Yep. And it's a giant page. It is.

Yep. That's what we want to do for People Data Labs. We want to have all those same kind of certifications so that in the space, we look just like that. And what we're doing now is we're planning which certifications in what order.

So the next ones, like I was telling you earlier, are 27017 and 18 in ISO plus GDPR and CCPA separately. Although those are very complementary control things. And the idea is to maintain, not only just have customer trust, but to maintain. And the vendor we have, Vanta, they've been growing very rapidly into these spaces.

So when I was a little worried that, hey, what's next? I looked over at Vanta the next week and there's 12 new things that they're putting together for different kinds of certifications. Nice. We took the time to go through Whistic and answer all of the various questionnaires, even if we're not certified in them.

We're doing the VSA, the Vendor Security Alliance. Every questionnaire that's pretty much available to us, we filled out in that form. So if a customer asks for any of them, we can provide them pretty quickly. I joke with our salespeople, if you want to be FedRAMP certified, get me a customer who will sponsor us.

And we'll get there. Yeah. The only thing we're missing is an SSP and a customer. What's the, what's SSP stand for?

It's the security document that you need for FedRAMP. Basically it's every security control you have and how you're doing it. And it'll take a couple of days to write something like that, maybe a week, but that's all we would need. Yup.

No, I love how your sense of focus is being driven by a strong need on the business side of the house and how you see security as a mechanism to open up new growth for the company. We're doing work every day for new possibilities. Like researching how we're going to integrate customers with Azure and Databricks. We've already started integrating customers with Snowflake.

So we have certain customers. They like to work in Snowflake. We put our data sets up there and they can attach to us on Snowflake. Databricks, Azure buckets.

We're doing all kinds of things with any technology that we can possibly leverage to help the salespeople sell more. And we're already working on connecting GCP and other places. Like I said, 30% of our time is spent helping the company on the revenue side by anticipating needs. No, it sounds like People Data Labs is very fortunate to have such a strong leader, to be able to help them connect the dots between what's going on in the security side of the house.

Not just to stay out of the news for the wrong reasons, but really facilitate the continued success and growth of the company. It's so nice. It feels good. And the salespeople do thank us, all of us, not just me.

It's a whole team thing, but they do thank us for it and they are appreciative. And so are the customers because we can give them honest, straightforward, easy to digest answers. It's not this, but not that. And it's not a complicated answer.

It's do you do data at rest? Yes. Everywhere. Yep.

Do you do data in transit encryption? Yes. Everywhere. All levels.

So, so I said, security through simplicity is not having different rules for different areas. It's applying the same rules everywhere. No, that's amazing. And that's, that's a big part of making security work in an organization.

I'm curious, would you like to leave our listeners with any pearls of wisdom or maybe advice for a younger Colin that you never had the opportunity to hear yourself from a mentor, but you'd like to share with our listeners? Don't micromanage your team. Don't micromanage your team. That's a good one.

I would second that. Hire people better than yourself. Oh, that's the best part of building a team is you get a, I don't see the thing is on, on my team, we all have different skills, but all the skills mesh to make us all better together. So there are skills I just don't have.

One of the team members is far better at Google than I am. And another one is better at various databases than I am, but we all have these complementary skills that work together. I don't think that any of us could do it alone, but together we were able to accomplish some great things. How many companies can say they did ISO certification to standard in six months?

Probably not very many at all. I don't think so. And that's a testament to the team and to the company as a whole. It's not just like, it's not just me.

It's not just my team. It's the whole company pulling together when necessary to get things done. And I think that's the thing. My advice to people is don't be so full of yourself and get past yourself.

In the military, we used to say that when the team is successful, the credit goes to the team and the blame goes to the leader. Yep. I'm really strong about telling my people, if they make a mistake, we're just going to fix it together and nobody's going to get in trouble. Just be honest and sincere in your work.

A mistake happens. We really haven't had anything of any major level, but I think that gives people the freedom to use initiative and to solve problems. And that helps our velocity because they're not worried. Are they going to get punished if they take a risk or if they fix something, if they stretch a little?

I think smart people, autonomy and a strong sense of ownership and respect to go off and do great things. It is essential for bringing, helping teams realize their full potential and individuals in those teams too. Yeah. And that would be my advice.

Just, and the other one would be pick a standard. I was just in a CISO round table with some Amazon people and the companies that are the most successful, the ones that are picking a standard in a way. And adhering to it, not chasing a certification. So whether it's CIS or ISO or whatever the standard is, we're using NIST.

Have that standard that you're applying and stick to that. And it's a lot easier to get the certifications. Don't just either don't try to do each certification as an individual endeavor. Do security as a whole.

A holistic approach to security. Most of the controls you implement, if you implement NIST 800, which is the U. S. national standard.

If you implement that at the, even at the basic or the moderate low or moderate level, you hit all the buttons for 90% of everything. And then it's just a little bit of adjusting for the certification. And that's how we were able to do it. Yeah.

What taught me that was a long time ago. I looked at a matrix. I was working on a HITRUST thing for a medical customer. Yep.

And I had a matrix that had all the different certifications and controls mapped to each other. And I looked at, I'm like, oh, I get this. There are certain controls that are just universal across all the standards, all the certifications. So just go for those.

It's easier. And I'm sure faster too. At the end of the day, when you're looking at the bigger picture. Can maybe help our listeners understand a little bit.

I'm sure you looked at different vendors when you decided on Vanta. How did you? I'd like me to say I did, but the company had just acquired Vanta as a tool, I don't know, two weeks before I got there. Oh, I see.

So the decision was made for you and you. It was made for me, but I did have the autonomy to change it if I wanted to. I have looked at Drata, which is the biggest competitor. And I've heard good things about it.

And in the round table, there were a number of companies using both Vanta and Drata and had similar experiences. It's just, we have a very long learning curve with, and everybody knows how to use it. It's tightly integrated to all of our systems. But I would have, if I needed to change it, I have that autonomy.

I just would have to go to the C staff and say, I want to do this and give them a good idea. And they'd say, go ahead and do it. But I don't have a good reason and it's working beautifully, but there are other tools. It's not the only one.

I've heard good things about Drata. I can say good things about Vanta for certain. I could also say we wouldn't have achieved the certification as quickly without it. It really does help you focus your efforts.

Do they do the standards as well as the certifications that you were just? They do. They just started. They're going to, they have NIST 800-53.

They're spinning up. They're moving into a whole space of new things. And that's really encouraging because it's really lining up with our business goals. Perfect.

And being able to send your trust report out to all your customers is a really big feature, especially in that sales revenue cycle. Oh, I imagine it is a hundred percent. Even in the consumer space, this sort of thing is starting to take hold with apps on the app store, sharing how they use certain types of information or if they're tracking or third party services. That's the beginnings of, you know, you're in the B2B space and all of your reports are going out to other companies that have huge security teams behind them, looking at their vendors that they're using.

But even in the consumer space, there's a refreshing revamp towards privacy and security controls. Yeah. We're very serious about privacy here. We are really serious about it.

We adhere to all of the requirements for GDPR and CCPA and NYPA. We do all of our DSARs in accordance with the rules. We do it exactly the way it's supposed to be done. And we don't deviate, not even a little bit.

And we have a dedicated privacy team that is very serious about it. I know that sounds, it sounds like a future that I wouldn't mind looking at. Or companies to behave like this. It's easier to be honest about that.

I say that in a case. I know that sounds weird, but it's easier to be direct and honest and move in this path than it is to have all these crazy stuff. Look what happened to Uber recently. Didn't they just get hit with some kind of a massive fine for hiding evidence or something?

Reading the news. Reading the news. I think their CISO is actually facing criminal charges. Now at this point, wasn't he found guilty?

And then the next phase of the trial is going to be all about sentencing. Yeah. So yeah, there's some serious repercussions if you're. Yeah.

He's being convicted on covering up a 2016 data breach. Just pick it up just to make sure I got my numbers correctly. Yep. And they paid the hackers ransom of a hundred thousand dollars.

Yep. Yep. So I wrote a watch post on the difference between a bug bounty and a bribe. A bribe.

A bribe. Yes. The thing is, I know that everybody at People Data Labs is doing it right and doing it honestly. I absolutely know that for a fact.

And that makes me feel good. I mean, it was going on before I got there and it'll be going on long after I leave, but that is our culture to be honest and to do things the right way. This was amazing. I just want to say thank you and express my absolute gratitude for you jumping on the show and sharing some of your experiences with myself and all of our listeners here.

And thank our listeners for tuning in for this episode of the security podcast in Silicon Valley. So a huge thanks Colin. You're welcome John. Good talking to you.