March 16, 2022

Everything Is Data w/ Paola Saibene

by Cyber Ranch

Show Notes

In the episode, Allan is joined by the Principal at Teknion Data Solutions, Paola Saibene, to bring clarity to an often misunderstood topic: data governance. Paola helps to distinguish the difference between data governance and data management, examines the intersection between data ethics and cybersecurity, and explores the best methodology for applying risk frameworks. Lastly, she takes time to express the importance of being people focused and “humanizing” cybersecurity.


Guest Bio:

Paola Saibene is the Principal at Teknion Data Solutions, Former CISO, CEO, VP of Enterprise Risk Management, Data Privacy Officer, Strategy Officer, CTO, and CIO.

Links:

Stay in touch with Paola Saibene on LinkedIn  

Follow Allan Alford on LinkedIn and Twitter

Purchase a Cyber Ranch Podcast T-Shirt at the Hacker Valley Store

Learn more about Hacker Valley Studio and The Cyber Ranch Podcast

Sponsored by our good friends at Axonius

Transcript

Paola Saibene:

I really adopted always, a litigation lens and starting with legal and working it all backwards. So the ecosystem of risk requires that every department is involved to some extent. If I'm just a front-end person in CRM collecting the data at that point, I have to be careful to a certain degree because any mistakes potentially can be tied to my ability.

Allan Alford:

Howdy y'all and welcome to the Cyber Ranch Podcast. That's Paola Saibene, principal at Teknion Data Solutions, former CISO, CEO, VP of enterprise risk management, data privacy officer, strategy officer, CTO and CIO. Paola has, in short, held many leadership roles in many organizations. It is because of this diverse background that I brought her onto the show to talk about data governance. She brings a very unique perspective, no, set of perspectives, to the challenge. Paola, thank you so much for coming on Down to the Ranch.

Paola Saibene:

Delighted to be here. Thank you.

Cyber Ranch:

Welcome to the Cyber Ranch Podcast, recorded under the big blue skies of Texas, where one CISO explores the cybersecurity landscape with the help of friends and experts. Here's your host, Allan Alford.

Allan Alford:

So normally this is the part of the show where I would ask the guests to briefly give me their background in cyber. But I think in the case of this show, what's so interesting is, you're not cyber background. You've been a CEO and a CTO and a CIO and a CISO and I really want to hear a little bit about all of that and how you feel like that ties into cyber?

Paola Saibene:

Actually, that was only for the last 27 years. So prior to that, I had two other careers. I started in the humanities side, which was very helpful to understand the psychology behind cyber issues. Right? So when I began in technology, I literally started from the bottom, cabling in a data center.

Allan Alford:

Okay.

Paola Saibene:

And then with those 400 mainframes and coding there, as well, so I've worked really, almost all levels of operation. And then I moved a few years later into the strategic initiatives. I worked for government as well as the private sector and nonprofit and education, which I consider a beast all to itself. And the lenses that I adopted came in to tech already with a bit of a business lens and a humanities lens. I was a psychologist before and a literature professor. So I understood the user. Right?

Allan Alford:

Wow.

Paola Saibene:

That was my ticket. I understood the user and the pain they would go through in everything related to tech. And I was able to put that lens on and as I entered the database administration and networking and security compliance, everything within compliance in those days, which just bundled up privacy and security, et cetera. By the time I made it to the first CTO role, I had the sense that we needed to treat people as customers, that our security controls and practices needed to be such, that they had to know the why. Knowing the why from the very beginning, led our users to go a long way.

Paola Saibene:

Likewise, for the strategic initiatives as a CIO in large places, it wasn't being able to match truly the concept of why we're innovating so much with a very bottom line, a day in the life of the end-user and how that would have to be transformed tactically and tangibly for them to be able to say, "Oh, I get it. I know what you're doing, that's a big thing." The strategy officer then, so I did all of the very exciting pieces I think, as far as innovation and innovation was a big one. We had the very first government private cloud 19 years ago.

Allan Alford:

Oh, wow.

Paola Saibene:

And it came, the very first ones, so people came actually to take pictures from several big companies that were our vendors. And also, we had virtual desktops in 60 languages, also 19 years ago. So that any one of our soldiers across the world could come in and log in and get SQL training or get data center training or networking training through those virtual desktops.

Allan Alford:

That's awesome.

Paola Saibene:

So we did exciting things. And then of course, that rubbed off on everything else that happened in my career later. I have been a fan of Gartner for a long time. I adopted a lot of their maverick approaches and that was helpful. But always with a mindset, since I also had to be the security officer with, of the mindset of being obsessed with caring about the people inside the data from a privacy perspective and also the assets of the enterprise, especially working in government.

Paola Saibene:

So the multi-lens approach helped a lot, by the time I took roles as VP of enterprise risk management, as well as a privacy officer, because now I could see how shackling it can be to innovation, to operations, to throw extra controls and all of these frameworks at them without blending them ever so well and balancing them to make them feel that they want to adopt it. So in privacy, it was especially useful to have the business and innovation lens as we had to implement GDPR and CCPA, et cetera, et cetera. So I've been really blessed.

Allan Alford:

Right. Right. Well, this is awesome. You've had an amazing career and an amazing journey. And it ties into our conversation today, which is about data governance. And I guess with all that background and all that perspective, and to your point you made about, hey, this isn't data, this is information about people. Right? That's so important that we cherish that awareness and keep that in the forefront of our mind. But let's talk about the difference between data governance and data management with your model?

Paola Saibene:

Yes.

Allan Alford:

Because I suspect there's a big difference there?

Paola Saibene:

Big difference. 15 years ago, not so much so, in fact, the frameworks that you would see back then were very much integrated. You still have the Data Governance Institute with its approach of data governance that looks a lot like a hub to data management components, whether that is either architecture or metadata or quality or content or access security. And as you go through that DMA model, it is vetted, it is good, there's nothing wrong with it, but modern data governance requires a whole lot more. And that is understanding the connection to stewardship, the connection to ERM, the connection to legal, to compliance, to innovation, to project management, to AI, to ML, to digital ethics.

Allan Alford:

Yeah.

Paola Saibene:

And all of that forms part of what a data governance program should contain the ecosystem of currents.

Allan Alford:

So what are data ethics and how do they feed into cybersecurity?

Paola Saibene:

Data ethics touches the life cycle management of data, everything from capture, all the way to disposition or purging or archival, et cetera, final disposition. Along that journey, you have a lot of people that get to touch that data, transform it, use it, store it, et cetera. And they're not well versed in the purpose and the value of that data because they don't necessarily have visibility to the entire life cycle. Much less for instance, somebody in operations that is entering the data, how is it going to end up in a data science model or in analytics, prescriptive analysis. Right? So ethics has to do with making sure that everybody is aligning their habits, because the word ethics actually is habits in Greek, or customs.

Allan Alford:

Oh, interesting.

Paola Saibene:

That they're aligning their habits to what the ultimate destination of purpose is going to be of the data. So even using something as simple as always CD principles. And I'm talking about data that is normally not related to people, less and less important is the sensor data unless it comes back and relates back to people. Because what cyber security then has the power to do, which cannot do without understanding the value of the data is cyber, I will try to cover too much. We'll try to throw too much investment, it's too expensive to protect the data in a way that they deem according to the classification they see that it needs.

Paola Saibene:

Whereas what can happen, is that with the right sub classification of that data, then cyber can begin to put a risk management approach and check of course, with the right parties, but maybe have degrees of how much effort they put into protecting those assets. So the ethics is an alignment of the custom, so the habits, and in my opinion, utilizing FTC as well as a legal lens, because the FTC will come back to you and ask you questions about what you have done with data? One of those components is security and the lawyers of course, are going to come back asking for a defensible posture in all aspects of the life cycle of the data. And the ethics will naturally bubble up when they get to see gaps along the way.

Allan Alford:

Okay. You bring up a point here that I want to hone in on a little bit, which is the cybersecurity practitioners, they start with a classification system and then impose controls based on that. And it's almost like they're stopping there and missing this whole bigger world of ethics.

Paola Saibene:

Yeah.

Allan Alford:

And to your point, this whole bigger risk perspective that may not be there simply by way of classification plus controls. So I'm thinking about risk frameworks like ISO 31000, COSO, et cetera. What's the best methodology for applying those frameworks? Because if cyber security can be blind in how it does it, maybe the frameworks are there to help guide, but maybe they're being applied in a blind fashion too. So how does that break down? ISO 31000, COSO, walk me through what that looks like?

Paola Saibene:

From the board all the way down. So COSO, normally is a principle based framework that is used by boards and then audit picks up from there, they use a version of COSO as well. The ISO 31000 is one of the more popular risk management frameworks and it includes everything, operation, finance, strategy, technology, et cetera, but it sets the tone for cybersecurity. If risk management produces their risks for the year and they place cyber at the top or cyber as number 405, then you are maybe not getting your marching orders, but you're getting a sense of how important your investment in tools, of how the kinds of people that you might be able to tap into, how much help are you going to get and what is your scope? So an alignment with risk, in addition to understanding your position that year for the organization, but an alignment with risk also tells you, there might be severe concerns on the financial side or their partnerships that the board is considering.

Paola Saibene:

You can be proactive and if those partnerships are coming up and they're revealed as high risk by ERM or RM, then cybersecurity can begin to prepare mechanisms of mitigating the potential operationalization of that partnership. So it's having alignment, alignment, alignment, and feeding up as well, not just receiving orders down, but feeding up into risk and being able to educate them as to what is really happening in business terms and having them calibrate their assessment for the board based on that. So that it is one well aligned report. What normally happens in the absence of that, is that risk declares, non-cyber, non-technical risks and there comes cyber on this side and IT declaring theirs. And then now the board hears, "Okay, I have two big pools of problems. I can only focus on one or one and a half, so something's got to give."

Allan Alford:

Right.

Paola Saibene:

And that is not the most intelligent way of approaching it.

Allan Alford:

Yeah. And I've even seen in bigger organizations where the ERM and the cyber risk pools, as you describe them, hit the table and disagree in places.

Paola Saibene:

That's right.

Allan Alford:

Where ERM is like, "Oh, this isn't a big risk at all." And cyber comes in going, "No, no, no, this is the biggest risk in the world because it's on this unpatched server and da, da, da, da."

Paola Saibene:

You can't have that.

Allan Alford:

And now the board doesn't know what they're doing there either, like, "How do I possibly respond to contradictory?" Never go before the board with contradictory evidence. Right?

Paola Saibene:

Exactly.

Allan Alford:

And I guess your strategy here with these framework alignments is exactly preventing that problem too. Right?

Paola Saibene:

Control by control, such as the beauty of having controls in all of these frameworks is you can deconstruct them and begin to align them. Just recently, we were helping a client get the ITG, the COBIT, as well as ISO 38500 and just matching it to data governance controls-

Allan Alford:

Right.

Paola Saibene:

... and see which ones. So a subset now, is completely integrated and you can do the same thing with privacy and with risk, et cetera.

Allan Alford:

I love that. All right, let's get into the more technical details here a little bit. I'm thinking about structured metadata. And I'm thinking about how, if we've got this tiered nesting of frameworks and we've got ISO 31000 here and we've got COSO here and we've got this alignment and ERM and cyber are talking to each other now. What is the role of structured metadata in all of that to help keep that alignment in place? Right? Can't that help too?

Paola Saibene:

It does. That's at the core of it because now you can report in unison. So normally, metadata is captured in simple terms like definition or format of the data, very, very basic. That is the representational aspect of the data and some semantics. But what is not normally captured that is super useful, is the context. So if this is data that is going to end up in key reports 10 layers above, then all of a sudden, they belong to decision making processes. And now the importance of that data, they're mapped to certain risks, they're mapped to certain issues with privacy, with security, and that can be just entered into the metadata. So that if you have a good catalog, for instance, a platform ML based catalog, you can simply query on the data that is associated with certain ISO 31000 risk control. Everything is data. Right?

Allan Alford:

Right.

Paola Saibene:

If you have issues with privacy in a particular country or a particular state let's say, different regulations, now you can also start tagging your data in such a way that you know, what is within this system? What's the quantity of data? How much of this relates to our risk and our controls, that we have a gap of, that we have fulfillment of? How is it governed?

Allan Alford:

Right.

Paola Saibene:

It's especially useful with ransomware because the board asks one question, "What is the real loss here?" I get it, there is data in systems and it sounds like it's really important, but what's the monetary value of that?

Allan Alford:

Right.

Paola Saibene:

And when you have the metadata ranking these data sets, now you can give a much better answer.

Allan Alford:

So you're ranking, not just on contextual, like when you say context, you're blowing that out to everything. It's data that contains information about a citizen of California, maybe we'll say, or it's data that's going to be used in Texas or it's data that is going to be advertised all the way up to the board level reporting that's generated from a smaller financial team and works its way at the food chain.

Paola Saibene:

Exactly.

Allan Alford:

All of that contextual information helps you to put a value on the data.

Paola Saibene:

And also the dimensions of quality. Some data is only being treated for maybe two or three dimensions. Other kinds of data need about nine dimensions of quality when it's that important. So that's when you throw in more effort and time and that quality aspect allows you then to be able to, if you wanted to share with partners with the appropriate clauses or develop your own marketplace inside of the company for that data, et cetera, it has a lot of possibilities. So the effort is not wasted.

Allan Alford:

Yeah. And I'm sitting here picturing a dynamic set of structured metadata fields where some of them may not be populated, all of them might be populated. In some cases it's daunting.

Paola Saibene:

Right.

Allan Alford:

And I can see where you're saying ML is your friend here?

Paola Saibene:

Yes.

Allan Alford:

Let's pause right there and hear a brief word from our sponsor.

Hacker Valley Media:

Axonius has crossed the CAASM, the first company to solve this cyber security asset management problem. Gartner has recognized cyber asset attack surface management, CAASM, as a category in their hype cycle for Network Security, 2021 Report. Axonius gives its customers a comprehensive, always up to date, asset inventory to help uncover security gaps and automates as much of the manual remediation as you want. Take a look at Axonius and give your team's time back to work on the high value cyber initiatives they were trained to do.

Allan Alford:

So how about stepping back and looking at the big picture, a holistic ecosystem of risk? What is that in the context of this kind of data, in the context of this kind of metadata, in the context of where the data might get used and how it might flow and what value it really has? We're talking about a holistic ecosystem of risk, and I'm asking you too, to wear all those lenses that you've got and I know that's a very big question, but give me your best shot?

Paola Saibene:

I think I changed to my opinion over the years, and that is after working with legal. So after working very tightly with them, I really adopted always a litigation lens and starting with legal and working it all backwards. So the ecosystem of risk requires that every department is involved to some extent. Right? If I'm just a front-end person in CRM collecting the data at that point, I have to be careful to a certain degree because any mistakes potentially can be tied to my ability in cyber, I'm going to be asked about the soundness of the frameworks and how much, is it reasonable, et cetera? How is it defensible against the law? But overall, industry sector, sensitivity from the board on certain issues, getting a very fair legal profile is important. Getting a legal profile is not easy and most lawyers will not write it down.

Allan Alford:

Right.

Paola Saibene:

Because that's me saying, "Well, you worry about this, but don't worry about that." Right? That's not something that you're going to have written down. But you do get a sense from conversations with them, as to what they can focus on and some things, they've got to let go. They just don't have enough lawyers in the organization to take care of absolutely everything. So matching that, what are those things and harmonize that all the way down. So that you can put, it's the opposite of the valuation of the meta tag, so that you can put the right amount of effort that will be valued by all the parties. Because what happens is, that privacy comes knocking down the door with robots or with other DPIAs and people are saying, "Well, we have very few customers in Europe."

Allan Alford:

Right.

Paola Saibene:

Right? "And we only make 5 million a year in that country in Europe and what are you doing bothering us?" So they don't see it as valuable.

Allan Alford:

Right.

Paola Saibene:

And that is because everybody's looking at it from their business perspective-

Allan Alford:

Right.

Paola Saibene:

... or their technical perspective, somebody has to be the conductor.

Allan Alford:

Yeah.

Paola Saibene:

And the conductor, even though the lawyers don't see themselves as that at all, they say, "Well, that's just data and tech." But you can glean from their position, their posture and then work it backwards and nobody's going to say, "Well, I don't care what the legal counsel says."

Allan Alford:

That's interesting you put that at lens first because I had an epiphany at one point in my cyber career. I was dealing with legal all the time obviously, by the time I was a CISO, I was well familiar with dealing with general counsel and various members of the legal team. And I reached a point relatively early on in my cyber career, where I realized, these guys are advisors and I don't have to take their advice. They've got an opinion coming through their lens from their perspective.

Paola Saibene:

Right.

Allan Alford:

And so it's interesting that you're grabbing the legal lens and saying, this is the one we're going to use as the primary and drive it all through there because I wonder how much of the rest of the business has that same will? I don't have to take that advice, kind of mindset with it.

Paola Saibene:

It is true. But I think that they probably hold the biggest hammer out of all. When the legal counsel says something has to be done, I've never been in an organization that said, "No, I'm not going to do that."

Allan Alford:

Right.

Paola Saibene:

They'll be reluctant people.

Allan Alford:

The legal put down. Right?

Paola Saibene:

Yeah.

Allan Alford:

Yeah, I get that. I get that. Okay. So the various C-suite roles then all have, with regards to this whole data governance challenge, they've all got their own pain points. Right? Walk me through a little bit about CEO, CFO, general counsel, CISO, CIO. Everybody's got their different pain point and we've got to come up with a solution that solves everyone's pain. So walk through, what are the pain points and how are we solving it with this governance model?

Paola Saibene:

Yeah. On the CIO side, I think that visibility definitely for the CIO and CTO, all of those shadow IT things that are going on. Right? So not just applications but data in those applications. And how are you going to really have a strategy that is not going to be surprised or torpedoed a year later or six months later, by all these data sets that you had no idea existed out there because they're not confessing them or declaring. So governance is a way of, and there are many names, you can say data maturity, you can call it whatever because governance sounds so dry. But through governance and asking all of the right business questions, you can begin to at least create the habit on the part of the users of data at whatever level, to come to the same pool and declare and tell the story.

Paola Saibene:

So when they come and tell the story about the data, somebody will say, "Whoa, what? Why are you using that data for making these decisions? You're supposed to be using something else." So I think that was a struggle that early on, it was attempted to be overcome just without tools and it requires tools. It requires platforms, people to come and socialize the data, democratize the data, work in a social collaboration kind of place. As I did as a privacy officer, you are obsessed, governance comes in with a journey, so you want lineage. Lineage is your number one. Right? And wow, it's not that easy to get that lineage also without good tools.

Allan Alford:

Right.

Paola Saibene:

And lineage also is, you have to start having the analysts declare how they're going to use, that it is just obfuscated.

Allan Alford:

Right.

Paola Saibene:

Right? It's not anonymized, "Oh, we'll just mask it a little bit." Well that doesn't quite count. You're joining it to 30 other data sets and making decisions on it, but it's crossing borders. So lineage is a big deal. As enterprise risk management officer, I think that the biggest asset that governance can bring is that certainty and assurance that at least a lot of eyes are on it. And if too few eyes are on the data, then you begin to get a sense that, I don't even know if the retention schedule for that is actually valid or being honored. Right?

Allan Alford:

Right.

Paola Saibene:

You don't trust it as much. And then just from a CEO perspective, from a more holistic package, is that integrity of the data. What is that level of trust and governance? Yes, policies and procedures, but policies and procedures in place doesn't mean people are following the policies and the procedures in place. They need to really understand that. The example I always like to give is, there's somebody that catches the fish or somebody that goes to the pier and buys the fish fresh but then you don't know whether it ends up in a vitamin or in fish powder or in a restaurant.

Allan Alford:

Right.

Paola Saibene:

Right? So there's got to be that communication back and forth, no matter which role you're in, that tells a story, "Oh, this one is just meant for fish powder, you don't have to take care of it that much. This one is going to end up whole on a plate in a fancy restaurant, so I've got to make sure that the shape and the size and everything is well done."

Allan Alford:

That's a great metaphor actually. You've covered it I think. And we already talked about general counsel actually in the earlier question. So I think we've got a lock on those perspectives. That's really fascinating. So here's where it gets twisty for me because you mentioned ethics and talked about the Greek roots of the word and the fact that it's actually habits and behaviors. Right?

Paola Saibene:

Yes.

Allan Alford:

As we go through this entire data governance and data management and data maturity journey and all these various things that all roll up, we'll stick with the word governance, we've been using it so far. As it all rolls up to good data governance, we also have the fact that monetization of data is on the table. Gartner has predicted that 65% of organizations are going to monetize their data by 2023. Now we're talking about ethics and habits on a really big scale, so what's the implications there?

Paola Saibene:

That's right, huge. So monetization is a word that also covers, just for intrinsic purposes, you can create efficiencies within the organization, that is still under the umbrella of monetization. But a lot of folks are going to data marts and selling data. Individuals are selling their own data in data marts. A fascinating aspect of data monetization is that, I think that there was a whole lot more concern about doing this right and having properly governed data, properly curated, quality control on the data, two, three years ago. What I see today in the data marketplace is that there are systems that claim that they will do that for you, they will clean it up, they will just do some very basic meta tagging and formatting, et cetera. There are organizations that under the name of research, was a huge umbrella or public interest or public need, public safety.

Paola Saibene:

There's a lot of data sharing. Maybe they're not exchanging money along the way, but they're definitely sharing aggressively. I don't see a whole lot of care, just in very simple terms, what other decisions that are going to be made on the individuals, inside of those data sets? How will their lives change as a result of that? It's not just for marketing purposes or to offer you better products, but it could easily end up, it does, in making decisions about how much you can get in certain industries or how far you can go and that becomes dangerous. So a heavy education on the life cycle management and on the purpose limitations and on consent, very basic things, go far in making people say, "Hmm, monetization, I'm not quite sure."

Allan Alford:

Right.

Paola Saibene:

And if you get a lawyer to become very well versed in the different buckets of monetization and how it deconstructs at a level where they're going to need to be responding for this, then also they can put a lot of checks and balances along the way, if they're not brought in at the tail end with assurances that look good on people that are brought in through the process. I think that Gartner is correct that the trend is heavy on monetizations, but we as consumers of a lot of this, we, as those that are having a voice on what we do with data, can definitely create momentum that makes people be a whole lot more careful.

Allan Alford:

I like that. I have one last question I ask every guest on the show and it's interesting because normally the question is, what have you learned outside of cyber that has helped you in cyber? That's the question, but in your case, I'm sitting here thinking, this entire show is stuff you've learned outside of cyber that is helping you in cyber. So hopefully, you can from all of this and all these perspectives that again, CEO, chief privacy officer, CTO, CISO, CIO, I'm hoping you can pick your favorite and you mentioned the legal lens, as well. Hopefully, somewhere in all of that is your one favorite fact. What did you learn outside of cybersecurity that helps you in cybersecurity?

Paola Saibene:

People need to understand why it is important and they need to have faith that all of that effort is actually going to be helpful. So I learned that telling stories about those that are very affected, actually inspires people to be careful altruistically over somebody else's records. I learned that bringing the world in to the controls and not having them just as controls that get interpreted, or get applied and get audited, but having them as, "Let's follow what happens to people along these records."

Allan Alford:

Right, right.

Paola Saibene:

And then all of a sudden, it's a very different picture, because then that's your mom, your dad, your uncle, your neighbor, that they're traveling through that data. They're traversing through that data and you are applying controls in a way that is now, you're much more careful. Now you're not putting everybody in a group in your ad. Right?

Allan Alford:

Right.

Paola Saibene:

Now, you're just parsing it a bit more and you're asking more questions, "Are you sure you should have access to this or that? I know you're in the same department, but that doesn't mean you need to see all of that."

Allan Alford:

Right.

Paola Saibene:

So slowly but surely, from the bottom up, I think that you can have a gigantic impact by humanizing cyber.

Allan Alford:

Oh, what a brilliant answer. I love that. I love that so much. Well, Paola Saibene, thank you so much for coming on Down to the Ranch. Thank you listeners. Y'all be good now.
