Jonathan Pressman of TruSight: 5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity
An Interview With Jason Remillard
As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Jonathan Pressman, CEO of TruSight.
Pressman leads TruSight, the industry’s leading third-party risk management (TPRM) utility platform, facilitating efficient, cost-effective collection and consumption of validated risk data. He has more than two decades of experience in the financial services industry, with a focus on technology solutions in risk and compliance. Prior to joining TruSight as global head of business development, Pressman spent over eight years with IHS Markit (NYSE:INFO) in senior sales roles. Jonathan began his career at a national privately-held wealth management firm where he served as a managing principal for over a decade.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in a very supportive environment with the good fortune of having an extraordinary role model in my mother, who built a successful career — several, actually — despite not having the advantage of a college education. At an early age, I was diagnosed with severe ADHD and food allergies. In the 1970s, ADHD was largely misunderstood and generally treated with pharmaceuticals, which had an adverse impact on my personality and did little to resolve the underlying problem. My mother quickly drew the connection between how my diet affected my behavior and took it upon herself to find holistic and alternative methods to help me. She became very knowledgeable about and involved in alternative medicine and organic foods and ended up starting a food co-op in our garage and teaching natural food cooking classes out of our living room.
She was so successful that one of the food distributors that serviced the co-op hired her, and she ultimately became the head of sales for a national food manufacturing company, traveling around the country opening new markets for her job (which is what I do today — you might say the apple does not fall far from the tree). After a successful career in sales, my mother felt compelled to get back to her roots by reinventing herself again and became a personal trainer/fitness instructor and life coach, which she continues today.
Watching my mother succeed — first as an entrepreneur, then as a businesswoman and now in an entirely new field — has been inspirational and given me the confidence to reinvent myself throughout my career.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
There is no one thing I can put my finger on that led me to this career, but rather a particular set of skills that is adaptable to almost any industry and being in the right place at the right time. I have an aptitude for quickly understanding complex ideas and translating them into sellable products. To be effective in sales you need to spend 80 percent of your time listening, which is something I believe I do well. I have an understanding of, and empathy for, customers’ pain points and objectives, which makes me successful in opening new markets and acquiring customers, which drives revenue. Leveraging these core competencies has enabled me to succeed in multiple roles, selling different products across various industries, resulting in the non-linear path that has brought me to where I am today, leading TruSight as the CEO.
Can you share the most interesting story that happened to you since you began this fascinating career?
Sure, it is actually a lesson I learned very early on in my career when I was working in wealth management. I was in my early 20s right around the time Starbucks was going public. Someone very close to me had been involved with the company during its early days and had a relationship with its founder. Like most 20-year-olds, I was pretty naive, short-sighted and easily impressed by money. I remember talking to this person, with whom I am very close, and commenting about the wealth created by Starbucks going public, and saying something along the lines of, “If I just made all that money, I would retire and spend the rest of my life skiing and mountain biking.”
His response was, “You will never achieve that level of success if you are focused solely on the monetary outcome. Building a successful business is about having conviction and passion for the problems you are trying to solve or services you are creating to transform an industry or segment of an industry.” That feedback forced me to reevaluate my priorities. As I matured, that conversation would reverberate every time I took on a new challenge, evaluated a new role or looked at a partnership. Was I passionate about what I was going to take on? Could I be happy doing this even if the economic outcome was not totally known and did I believe in the business? My passion for solving problems and building great products that support our customers is the driving force behind everything we do here at TruSight.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
Several people have been incredibly helpful and supportive throughout my journey. Early in my career, someone very close to me who has also been a father figure imparted five words that have become the foundation of everything I do to this day: those words are “It’s all about the work.” He taught me that while success can be measured by many things, obtaining success is highly dependent on the effort you put into it every day.
I also have a very close friend who has been very influential in helping to shape the direction of my career over the last 10 years through education, professional introductions and collaboration across market infrastructure, data and analytics. He continues to be an important sounding board for me and is one of the people I turn to for advice on anything from board management to product development.
Are you working on any exciting new projects now? How do you think that will help people?
We recently launched a new technology platform at TruSight that will allow us to create innovative new data products and functionality that have not been seen in the third-party risk management space before. Incorporated into our new platform are tools that will enable our customers to connect to the TruSight utility and leverage our data more efficiently and cost-effectively. In addition, we are partnering with some of the most significant and widely used workflow tools that are utilized by third-party risk, procurement and operational risk professionals across financial services to ensure that the organizations that rely on our validated data can readily access and consume it.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Exercise, exercise, exercise! I have been into endurance sports for all of my adult life, and I find exercise is critical in helping me maintain my mental health and keeping me fit to meet the day-to-day challenges. Beyond that, my advice would be to find the right balance between working hard and working efficiently. Maintain emotional equilibrium and — above all — make sure to invest time and attention in the relationships with people who matter most to you.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
The continued proliferation of cybersecurity regulations around the globe is a significant driver for our business at TruSight. As increased legislation around third-party and vendor risk requires financial services companies to do due diligence to remain compliant, these companies are turning to TruSight to help streamline the third-party risk assessment process.
I like the creativity and engagement required by this job. Cybersecurity sits at the intersection of data and technology, and it requires a level of creativity and engagement with stakeholders on both sides of our dual-sided market — the third-party service providers and the financial institutions — to develop a true understanding of pain points they are trying to solve for and the risks they are trying to mitigate. This has led to opportunities to create rewarding partnerships with organizations one would not typically expect to partner with.
I also like the diversity of backgrounds of the people who work in this industry. To design solutions that meet evolving regulations and risks and drive operational efficiency, you must bring together people with different backgrounds and skillsets to successfully execute and bring these solutions to market. Having the privilege of designing our organizational structure puts me at the center of engaging with people of diverse backgrounds and varying degrees of experience, which is incredibly exciting.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
I believe that environmental risks such as the threat to our power grid, our drinking water and other critical infrastructure are underestimated. There has been a tremendous focus on the monetary impact of cyber-attacks on banks and corporations, but as we have learned from COVID-19, we were ill-prepared to address the speed and materiality of that crisis on society.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
There have been many, but one, in particular, stands out because of the breadth of the exposure (millions of customers) and level of effort/expense it took to determine those impacted and provide an appropriate response (notification, free credit monitoring service, reimbursement for losses, etc.). The main takeaways were the need to:
- Have data management processes in place to quickly identify impacted parties.
- Understand the risks to information protection and ensure that the appropriate and effective controls are in place.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
- Encryption: Encodes data in an unreadable format (in storage and transit).
- Access and authentication controls: Ensure access to data is appropriate (need-to-know) and the user’s identity is verified.
- Security monitoring: Proactively detects potential threats and breaches.
- Vulnerability scanning and penetration testing: Identifies vulnerabilities in networks or applications that could be exploited.
- Data loss prevention: Inspects and prevents data loss outside the network.
- Anti-virus/anti-spyware/anti-malware software: Prevents infections on corporate devices that could result in data exposure.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
There are several resources available. Cyber-rating companies can be leveraged to monitor as small or as large a portfolio of suppliers as required. TruSight provides validated third-party risk data that can be curated according to the level and maturity of an organization’s third-party risk assessment program. Some organizations provide outsourced CISO services.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be “amiss”?
Social engineering attacks, phishing and malware are increasingly common threats we all face. People should err on the side of caution and be suspicious of emails that have generic greetings, and/or have misspellings and weird formatting, and they should never download or open an attachment from an unknown source. Some emails may contain fraudulent hyperlinks that look like legitimate ones but will infect the user’s device with malware if clicked.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Unfortunately, if you must think “what should I do” after a breach is identified, you are likely too late. Preparation is the key. Every organization that processes sensitive information needs to:
- Know their data — classification of information sensitivity, where it resides, how it is protected.
- Have a fully trained staff that knows how to identify a potential breach and how to immediately initiate the appropriate protocols.
- Have an incident response plan in place with step-by-step instructions for everything from standing up the incident response team, determining the nature and scope of the incident, isolating the impact, evidence gathering, notification requirements, root cause analysis and final remediation.
- Perform ongoing testing of information security and cybersecurity controls that prevent/detect potential breaches.
With those controls in place, in the eventuality of a potential breach, the company can simply follow protocol.
How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?
Evolving regulations like the CCPA, CPRA and GDPR are drivers of our business. Financial services companies need to know that their vendors and third-party partners are in compliance with these regulations, and our job at TruSight is to assess that these third parties have controls in place to effectively address CCPA, CPRA and GDPR.
What are the most common data security and cybersecurity mistakes you have seen companies make?
I think the main mistake is not properly educating employees. A lot of data security breaches have behavioral causes, so raising employees’ awareness of cybersecurity and teaching them preventive behavior, such as avoiding clicking on links from people they do not know and not opening attachments if they are not from a credible or trusted source, would prevent many cybersecurity issues.
Since the COVID-19 pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Working from home has presented data security challenges and forced a lot of companies to be more conscientious about having protocols and technologies in place to secure personal Wi-Fi networks and the collaboration tools people use to perform their jobs. Companies must ensure that there are well-defined controls inside the organization and throughout the remote workforce.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
- Know your environment: Understand what data you have and its associated sensitivity, how that data is processed, what systems process/store/transmit sensitive data, how it is protected and known risks.
- Train, train and train: A workforce that is well-trained and tested on cybersecurity risks, controls and company protocol is key to data protection.
- Robust testing of information security and cybersecurity controls: Perform ongoing testing of control design and effectiveness to ensure residual risk is within risk tolerance.
- Risk management: Develop effective processes to continuously re-evaluate the risk landscape internally as processes/technology/people change and externally as new threats are identified.
- Proactively plan and test for data breaches: Have scenario-based processes in place to address potential data breaches and periodically train/test to ensure you are fully prepared if a breach is identified.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)
I would encourage people to be kinder to one another and to have a greater level of tolerance for different points of view.
How can our readers further follow your work online?
Readers can connect with me on LinkedIn, follow TruSight on LinkedIn or visit our website.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!