Kevin Dunne of Pathlock: 5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity

An Interview With Jason Remillard

Jason Remillard
Authority Magazine
Jun 8, 2021


Move to Least Privileged Access and Just-in-Time provisioning: oftentimes, the risk surface of an application grows over time, as users accrue permissions via role changes and temporary assignments. Organizations need to constantly revisit what permissions users need, and what they are actually using, so they can reduce the potential risk in their environment. Where possible, they should provide sensitive permissions exactly when they are needed, just for the amount of time they are needed to complete a task.

As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Kevin Dunne.

Kevin Dunne is the President of Pathlock. He has a deep interest in digital transformation and enabling businesses to unlock additional efficiency through the application of new technologies. He closely follows the emerging trends in cybersecurity and governance, risk, and compliance, to understand how they impact business operations.

Kevin comes to Pathlock from Tricentis, where he led strategic initiatives and corporate development. During his 7 years there, he led several acquisitions and served as General Manager of their community products portfolio. As one of the first employees at Tricentis, Kevin saw many facets of the business working in sales, customer support, marketing, and product management on their journey from first paying customer to $100m+ in annual recurring revenue.

Kevin holds a Bachelor of Science degree from Vanderbilt University.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I grew up in Connecticut before moving to New Jersey for high school, and down to Nashville, Tennessee to study Engineering Science at Vanderbilt University. After college, I joined Deloitte as a Business Technology Analyst, implementing Oracle EBS at several large customer engagements. After 1 year at Deloitte, I decided I wanted to get involved in a smaller company and joined QASymphony as the 2nd employee in the US to grow the awareness and sales of a great software product. That became a career-changing move, as QASymphony grew to over 150 employees, merged with Tricentis, and now is the de facto leader in software testing with over 1,000 employees worldwide. About 6 months ago, I joined up with some prior investor colleagues from Tricentis and joined Pathlock as President. I am very grateful for the opportunity to join a great company in an extremely exciting space.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

A few years ago, when the legislation around GDPR was passed, I remember being at QASymphony and being involved in the project to get GDPR compliant. Even as a smaller, 150 person company, the project was intensive and involved. I remember thinking, if this is what it takes for a company of our size to be compliant, I can only imagine what it must entail at larger companies. I knew from then on that I would need to get involved with a company that could truly help companies to solve these critical and complex problems.

Can you share the most interesting story that happened to you since you began this fascinating career?

Recently, I had the chance to contribute a featured article on insider threat prevention to Dark Reading, which is one of the foremost publications in cybersecurity. Just a few months ago, I could not have imagined being able to provide content of value to practitioners in this space. What many fail to realize is that you can quickly grasp the concepts related to a new industry if you are passionate about it, and you speak with enough experts. Luckily, I have been able to meet some of the foremost CISOs and security practitioners, including Rick Howard, Paul Calatayud, Anthony Johnson, and Mike Connly, who have helped immensely in understanding the space and getting up to speed on the unique opportunity ahead for Pathlock.

None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?

Shortly after joining QASymphony we hired a new CEO, Dave Keil, who was brought in to help standardize and scale the business we were growing at QASymphony. During his first week, he took me out to lunch, where he quickly was able to determine that I was unsure about making the transition to a smaller company. He shared invaluable advice — to embrace the uncertainty of working in a small company and to take everything one step at a time. His ask was to give him 6 months before considering leaving for another role, and in return, he’d give me his full support if I decided to do so. Fortunately, 6 months later QASymphony was sustaining a healthy amount of growth and I was hooked on startup life for good. Without the success at QASymphony and Tricentis, I would not have been prepared to make the jump to Pathlock and explore the cybersecurity market.

Are you working on any exciting new projects now? How do you think that will help people?

Pathlock recently unveiled version 5.0 of its flagship solution, which enforces 360-degree protection enabling zero trust for more than 140 enterprise applications. The platform is the first of its kind to combine access governance, data loss prevention and user behavior analytics enabling security, finance, IT, and GRC teams to secure critical business applications against insider threats and efficiently meet their ever-growing regulatory compliance obligations — all within one single interface.

What advice would you give to your colleagues to help them to thrive and not “burn out”?

I think the number one factor in thriving at work is to find something that you are passionate about and you feel brings value to customers and the broader community. In my experience, all jobs will have their ups and downs, but having that perspective about the mission you are serving is what will push you to deliver and go the extra mile, even when you may not feel motivated to. I’ve found burnout most often happens when employees are being pushed to go beyond their limits, and don’t feel there is an intrinsic reward to doing so.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?

The cybersecurity industry has a wealth of opportunities, I would argue more than any other market out there today. Specifically, the space checks 3 boxes which are extremely difficult to find in one package:

1. Cybersecurity is mission critical to all organizations: whether it be entities like the federal government dealing with the fallout of the SolarWinds attack, or the Colonial Pipeline being taken offline due to a ransomware attack, companies in all industries, public and private, hold cybersecurity as a topmost concern.

2. Cybersecurity is always evolving: bad actors continue to invent new ways to exploit organizations, forcing the industry to invent new solutions for protecting critical data, infrastructure, and applications.

3. Cybersecurity is challenging: the stakes are high, and the threats are always evolving, which forces you to continue evolving and learning about new topics in the space to stay relevant and ahead of the bad actors.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?

Employees are the lifeblood of any organization, but they can also be one of the biggest risks to business continuity. When security professionals think about the insider threat, they typically think of loyal employees who quickly become malicious insiders, poised to do damage to the company or customers through fraud, data loss, or intentional disruption of business process. While disgruntled employees are a risk, even happy employees can have their credentials compromised through brute force, phishing, or other types of attacks. With many business systems moving to the public cloud, all a bad actor needs is a compromised credential with privileges to get into a system and cause irreparable harm.

With applications migrating to the cloud, employees, vendors and contractors are now more likely to connect their personal, unmanaged devices to business applications. In turn, IT and security teams have little or no insight on user activities in cloud applications. As a result, it becomes more important than ever to have visibility into account creations, authorization changes, application modifications and transaction executions to detect malicious or fraudulent activities, manage auditing and satisfy compliance.

Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

I have not yet had to be personally involved with a cybersecurity breach — but I am sure that opportunity will be presented in the future!

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

As an individual user, I think some great tools to get familiar with and use to protect your personal accounts are:

1. Password Manager (LastPass): make sure you are using strong passwords, rotating them often, and not saving them in emails or local files. All of these things are asking for compromised credentials and identity theft.

2. Credit Activity Monitoring (CreditKarma): get notified in real time of any credit inquiries, new credit accounts created, or changes to your credit score, which can occur when your critical accounts are compromised by bad actors.

3. Data Breach Scanner (Have I Been Pwned): search to see if any of your accounts have been compromised in a data breach, and if your current password is sitting on the dark web. If so, you can be alerted and change to a new password.

How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?

Companies typically go through a crawl-walk-run evolution to their cybersecurity strategy, going through the following three phases:

1. Basic Maturity: the technology group within a company will implement basic software such as SSO, team collaboration tools, and basic data encryption to try to keep the organization secure, with minimal effort involved.

2. Intermediate Maturity: the technology, finance, or legal group within a company will contract with a vCISO for part time, contracted advice on how to improve cybersecurity practices and keep the company compliant. Companies will typically begin to explore introductory compliance initiatives, depending on what compliance frameworks apply in their industry.

3. Advanced Maturity: the company hires a dedicated CISO, and potentially supporting personnel, who will take ownership of driving cybersecurity initiatives throughout the organization. Companies will drive adherence to one or more compliance frameworks, and look to implement a more continuous approach to their security posture.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?

Large organizations that have critical customer, employee, or financial data should assume that they are either currently breached or the target of a breach. There are many potential signs of a breach, which are constantly evolving and make it difficult to detect a breach. Regardless, some of the most common patterns people check for when trying to identify potential breaches are:

1. Impossible traveler scenarios: where a user logs in from a particular location, then logs in later from another location which it would be impossible to travel to in that amount of time (e.g., user logs in in New York City, then 2 hours later logs in from Shanghai).

2. Unusual time or location: where a user typically performs actions during a set period in a given location, then suddenly begins using a system at a different time or from a different location (e.g., user always works M–F 9am–5pm from New York City, then suddenly logs in on Saturday at 3am).

3. Unusual behavior: where a user typically performs duties related to something, and suddenly begins performing behavior that is outside of that pattern (e.g., user typically performs accounts payable activities for US-based accounts, then suddenly starts trying to perform accounts receivable activity for EMEA-based accounts).

4. Dormant accounts: where an account has not been used for a long period of time, and suddenly begins to be used frequently for several actions.
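The four indicators above map directly onto simple per-user baseline checks. The Python below is an added example written for this page, not Pathlock's code: it runs each check over a handful of constructed login and transaction events (the users, cities, timestamps, the 1000 km/h plausible-speed ceiling, the 90-day dormancy threshold and the fixed UTC-4 office timezone are all assumptions chosen for illustration).

```python
"""Toy detectors for the four breach indicators above (added example, constructed data)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone, tzinfo
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional

MAX_PLAUSIBLE_SPEED_KMH = 1000.0    # assumption: roughly airliner speed
DORMANT_AFTER = timedelta(days=90)  # assumption: 90 idle days counts as dormant
EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class Event:
    user: str
    when: datetime          # timezone-aware, UTC
    city: str
    lat: float
    lon: float
    action: str = "login"   # "login" or a business transaction code


@dataclass
class Baseline:
    """What 'normal' looks like for one user (assumed to be learned or configured)."""
    usual_cities: set
    tz: tzinfo
    work_hours: range = range(9, 18)   # 09:00-17:59 local
    work_days: range = range(0, 5)     # Mon-Fri per datetime.weekday()
    usual_actions: set = field(default_factory=lambda: {"login"})


@dataclass(frozen=True)
class Alert:
    user: str
    indicator: str
    detail: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    a = sin((phi2 - phi1) / 2) ** 2 + cos(phi1) * cos(phi2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def implied_speed_kmh(prev: Event, cur: Event) -> float:
    """Speed the user would have needed to move between two consecutive events."""
    hours = (cur.when - prev.when).total_seconds() / 3600.0
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    if hours <= 0:
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def check_event(cur: Event, prev: Optional[Event], base: Baseline) -> List[Alert]:
    alerts: List[Alert] = []
    # 1. Impossible traveler: distance/time between consecutive events is not achievable.
    if prev is not None:
        speed = implied_speed_kmh(prev, cur)
        if speed > MAX_PLAUSIBLE_SPEED_KMH:
            alerts.append(Alert(cur.user, "impossible_traveler",
                                f"{prev.city} -> {cur.city} implies {speed:.0f} km/h"))
    # 2. Unusual time or location relative to the user's baseline.
    local = cur.when.astimezone(base.tz)
    if local.weekday() not in base.work_days or local.hour not in base.work_hours:
        alerts.append(Alert(cur.user, "unusual_time", f"{local:%a %H:%M} local"))
    if cur.city not in base.usual_cities:
        alerts.append(Alert(cur.user, "unusual_location", cur.city))
    # 3. Unusual behavior: a transaction type the user does not normally perform.
    if cur.action not in base.usual_actions:
        alerts.append(Alert(cur.user, "unusual_behavior", cur.action))
    # 4. Dormant account suddenly active again.
    if prev is not None and cur.when - prev.when > DORMANT_AFTER:
        alerts.append(Alert(cur.user, "dormant_account", f"idle {(cur.when - prev.when).days} days"))
    return alerts


def analyze(events: List[Event], baselines: Dict[str, Baseline]) -> List[Alert]:
    """Replay events in time order, comparing each to the user's previous event and baseline."""
    last: Dict[str, Event] = {}
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.when):
        alerts.extend(check_event(ev, last.get(ev.user), baselines[ev.user]))
        last[ev.user] = ev
    return alerts


# --- constructed sample data ---------------------------------------------------
UTC = timezone.utc
EDT = timezone(timedelta(hours=-4))  # assumption: fixed offset for a New York office
NYC = ("New York", 40.7128, -74.0060)
SHA = ("Shanghai", 31.2304, 121.4737)


def ev(user: str, iso_utc: str, place: tuple, action: str = "login") -> Event:
    city, lat, lon = place
    return Event(user, datetime.fromisoformat(iso_utc).replace(tzinfo=UTC), city, lat, lon, action)


SAMPLE_EVENTS = [
    ev("alice", "2021-06-07T14:00:00", NYC),                 # Mon 10:00 local, normal
    ev("alice", "2021-06-07T16:00:00", SHA),                 # 2h later, ~11,850 km away
    ev("bob",   "2021-06-11T18:00:00", NYC),                 # Fri 14:00 local, normal
    ev("bob",   "2021-06-12T07:00:00", NYC),                 # Sat 03:00 local
    ev("carol", "2021-01-15T15:00:00", NYC),
    ev("carol", "2021-06-08T15:00:00", NYC),                 # 144 days idle
    ev("dave",  "2021-06-08T15:00:00", NYC, "AP_POST_US"),   # usual duty
    ev("dave",  "2021-06-08T15:05:00", NYC, "AR_POST_EMEA"), # outside usual duties
]
SAMPLE_BASELINES = {u: Baseline(usual_cities={"New York"}, tz=EDT) for u in ("alice", "bob", "carol")}
SAMPLE_BASELINES["dave"] = Baseline({"New York"}, EDT, usual_actions={"login", "AP_POST_US"})

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS, SAMPLE_BASELINES):
        print(f"{a.user:6} {a.indicator:20} {a.detail}")
```

Each check is deliberately independent, so the Shanghai login raises both an impossible-traveler and an unusual-location alert; in practice those would be correlated into one incident, and the baselines would be learned from history rather than hard-coded.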

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

Access orchestration is continuously analyzing access and activities to create a real time, comprehensive picture of risk. Armed with accurate information, you can create a systematic method to identify, evaluate, and prioritize the access-related risk facing your organization. A key aspect of risk-based security is understanding the impact of risk decisions. Access orchestration helps you measure your risk exposure in real-time in terms of tangible, financial impact to your business. Instead of surfacing millions of exceptions and estimating their potential impact, you can see actual access violations and pinpoint users and applications that need attention. You can take immediate action to remediate risk where it matters and see your financial exposure decrease.

How have recent privacy measures like The California Consumer Privacy Act (CCPA), CPRA, GDPR and other related laws affected your business? How do you think they might affect business in general?

GDPR requirements have impacted compliance and forced an evolution in the privacy landscape. With potential penalties of up to €20 million, or 4% of the worldwide annual revenue, GDPR has pushed organizations to better protect the personal data with which they have been entrusted.

Even now many organizations still struggle to comply and are at various stages in their GDPR journey. According to an April study from Possible Now, only about a quarter of U.S. companies are fully compliant with GDPR.

In addition to GDPR, organizations now need to comply with newer data protection laws and breach notification regulations — many influenced by GDPR. The recent increase in data protection laws has placed stringent requirements on companies before they move any data about a citizen out of that citizen’s country.

The road to GDPR compliance includes classification and monitoring of personal data. However, identifying, indexing and effectively tracking activities against GDPR-regulated data in large complex business landscapes requires actionable visibility into data managed across legacy, custom-built and commercial business applications and databases. Pathlock’s Application Security Monitoring solution accelerates detection of potential data breaches with non-disruptive data discovery as well as rapid auditing and reporting of user activities across business applications. Pathlock streamlines compliance with global data breach notification while also proactively capturing the evidence to support post-breach investigations.

What are the most common data security and cybersecurity mistakes you have seen companies make?

Enterprise security and user provisioning remain complicated and challenging undertakings. Many organizations typically have some on-boarding processes to ensure that the new employees, contractors and vendors have the right access to corporate services. However, often there is not a sufficiently mature process for the deprovisioning of users as part of the off-boarding process. In addition, manual controls are not enough for granting/revoking permissions, reviewing user access and auditing the user activities at a granular level for all users and especially for super users handling emergency and firefighter activities.

Since the COVID-19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?

A recent survey from IBM Security found that more than half of the respondents have not been provided with updated or new security policies on how to securely work from home. The survey also found that 53% of remote employees are using their personal laptops and computers for business operations — and 61% say their employer hasn’t provided tools to properly secure those devices.

Now combine that with a Ponemon study that found the insider is responsible for 60–80% of all breaches, and the total average cost for an inside breach is $8.76 million. So companies are providing more access to applications in order to maintain productivity during the pandemic while losing their ability to track that access, which paves the way for the inside threat.

One way to prevent the insider threat is in the way you manage privileged users. A privileged user is someone who has administrative type access to critical systems. They have the ability to perform countless system administration tasks and even may have the ability to change security policies. They may have access to business-critical data, including employee and customer information, intellectual property, finances and more. Because of this, hackers want those accounts and insiders can easily take advantage of them. And the more privileged users that are created, the more difficult it is to track what’s going on in your systems.

Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)

1. Implementing IAM (Identity and Access Management): Enterprises are spending trillions on cutting-edge applications to manage their business. But these solutions fail to validate what users do with this access across all of their systems in real-time. Investing in digital transformation and new applications without the proper IAM controls to secure the business critical data in those applications leaves companies at a massive risk of data breach, fraud or audit issues. These risks leak revenue and productivity on the back-end due to improper access, control, and security — not to mention the administrative hours wasted on user scouting and policy attribution. That’s where IAM comes into play. It patches security holes, upholds regulatory standards, and ensures business users can access applications when they need them. Additionally, IAM reshapes how you think about identity. Instead of access revolving around a single application, IAM gives each user a unique identity that can be tracked and managed across your IT stack and business processes.

2. Use Continuous Monitoring Solutions to Quantify Actual Risk Exposure: companies are often quick to provide new employees with access to critical business systems, but they are flying blind to what users do with those permissions. Typically, controls are only monitored once a year, showing a point-in-time view of what risk exists at a given period of time. Organizations should move to a continuous controls monitoring program, where all risks are constantly monitored in real-time, looking at what users are doing with their permissions (activity) rather than just at the permissions themselves.

3. Move to Least Privileged Access and Just-in-Time provisioning: oftentimes, the risk surface of an application grows over time, as users accrue permissions via role changes and temporary assignments. Organizations need to constantly revisit what permissions users need, and what they are actually using, so they can reduce the potential risk in their environment. Where possible, they should provide sensitive permissions exactly when they are needed, just for the amount of time they are needed to complete a task.

4. Add Business Application Visibility to the SOC: SIEM tools are often rich with information about what users are doing on the network and with their devices. However, much of the suspicious, dangerous activity is happening at Layer 7, within applications. 77% of the world’s transactions run on SAP alone, so companies should make sure their critical business applications are integrated and visible within the SOC. Activity within business applications is critical information for understanding what the complete risk potential of a user might be.

5. Protect Critical Data in Structured Data Stores: most critical business data lives in packaged applications — whether it be customer data in a CRM like Salesforce, employee data in an HRM like SuccessFactors, or financial data in a system like SAP. Data privacy regulations such as GDPR, CCPA, and HIPAA require organizations to protect the sensitive data they store, so they can report on the data they are storing and who has accessed that data recently. The applications and structured data stores are the assets which need the most protection and oversight, not the unstructured data stores with the individual documents containing sensitive data, as they have the highest concentration of risk.
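Point 3 above (compare assigned permissions with actual use, then grant sensitive rights only for the duration of a task) is concrete enough to show in code. The Python below is an added example for this page, not Pathlock's code: it produces a revocation-candidate list from constructed assignment and usage records, and implements a small time-boxed grant store. The 90-day review window, the 2-hour default grant lifetime, the permission names and the change-ticket id are all assumptions.

```python
"""Least-privilege review and just-in-time grants (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

REVIEW_WINDOW = timedelta(days=90)   # assumption: unused for 90 days -> revocation candidate
DEFAULT_TTL = timedelta(hours=2)     # assumption: a JIT grant lives for one task, not a shift


@dataclass(frozen=True)
class UsageRecord:
    """One observed use of a permission, e.g. from an application audit log."""
    user: str
    permission: str
    used_at: datetime


def unused_permissions(assigned: Dict[str, Set[str]],
                       usage: List[UsageRecord],
                       now: datetime) -> Dict[str, Set[str]]:
    """Permissions each user holds but has not exercised within REVIEW_WINDOW.

    This is the 'what they need vs. what they actually use' gap that drives
    periodic access reviews; anything returned here is a candidate to revoke.
    """
    recently_used: Dict[str, Set[str]] = {}
    for rec in usage:
        if now - rec.used_at <= REVIEW_WINDOW:
            recently_used.setdefault(rec.user, set()).add(rec.permission)
    result: Dict[str, Set[str]] = {}
    for user, perms in assigned.items():
        idle = perms - recently_used.get(user, set())
        if idle:
            result[user] = idle
    return result


@dataclass(frozen=True)
class JitGrant:
    user: str
    permission: str
    ticket: str          # justification reference, e.g. a change ticket
    expires_at: datetime


class JitStore:
    """Time-boxed grants: a sensitive permission exists only until expires_at."""

    def __init__(self) -> None:
        self._grants: List[JitGrant] = []

    def grant(self, user: str, permission: str, ticket: str,
              now: datetime, ttl: timedelta = DEFAULT_TTL) -> JitGrant:
        g = JitGrant(user, permission, ticket, now + ttl)
        self._grants.append(g)
        return g

    def is_allowed(self, user: str, permission: str, now: datetime) -> bool:
        """Authorization check: standing grants are not consulted, only live JIT grants."""
        return any(g.user == user and g.permission == permission and g.expires_at > now
                   for g in self._grants)

    def expire(self, now: datetime) -> int:
        """Drop grants whose lifetime has passed; returns how many were removed."""
        before = len(self._grants)
        self._grants = [g for g in self._grants if g.expires_at > now]
        return before - len(self._grants)


# --- constructed sample data ---------------------------------------------------
NOW = datetime(2021, 6, 8, 15, 0, tzinfo=timezone.utc)
ASSIGNED = {
    "alice": {"AP_POST", "VENDOR_CREATE", "GL_CLOSE"},   # accrued over several role changes
    "bob": {"AP_POST"},
}
USAGE = [
    UsageRecord("alice", "AP_POST", NOW - timedelta(days=10)),
    UsageRecord("alice", "GL_CLOSE", NOW - timedelta(days=200)),  # outside the window
    UsageRecord("bob", "AP_POST", NOW - timedelta(days=5)),
]


def review_and_grant_demo() -> Dict[str, Set[str]]:
    """Run the review, then show a JIT grant for one of the revoked permissions."""
    candidates = unused_permissions(ASSIGNED, USAGE, NOW)
    store = JitStore()
    store.grant("alice", "GL_CLOSE", "CHG-0000 (placeholder ticket)", NOW)
    assert store.is_allowed("alice", "GL_CLOSE", NOW + timedelta(hours=1))
    assert not store.is_allowed("alice", "GL_CLOSE", NOW + timedelta(hours=3))
    return candidates


if __name__ == "__main__":
    for user, perms in review_and_grant_demo().items():
        print(f"{user}: revoke candidates {sorted(perms)}")
```

The review returns alice's `VENDOR_CREATE` (never used) and `GL_CLOSE` (last used 200 days ago) while leaving bob untouched; the month-end close alice still needs is then re-issued as a grant that lapses on its own, so nothing has to remember to take it back.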

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)

Pathlock recently began a pivotal chapter in the history of our company under a new name. With a new name, we are ushering in an expanded vision of what security in a post pandemic world will require. As the last year has unfolded, we have seen a tremendous acceleration in interest in unified access orchestration solutions to secure critical data, employing a Zero Trust philosophy. We acknowledge that simply maintaining compliance is often not enough — we need to push the boundary to ensure that we can enable digital transformation safely, so companies can adapt to the ever-changing landscape without taking on unnecessary risk.

How can our readers further follow your work online?

https://pathlock.com/

https://twitter.com/pathlock

https://www.linkedin.com/company/pathlock/

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

About the Interviewer: Jason Remillard is the CEO of Data443 Risk Mitigation, Inc. (Publicly Traded as Symbol: ATDS). Data443 is a leading Data Privacy and Security company with over 40,000 customers worldwide.

Formerly of Deutsche Bank, TD Bank, RBC Bank, IBM, Dell/Quest Software, TUCOWS and others, Jason has been in information and data security for over 30 years with customers in virtually every country in the world.

Trusted to deliver — All Things Data Security — he is leading the charge in bringing data privacy as affordable, deployable and realistic solutions that every business owner can take advantage of.
