Zeke Testa of CYTRIO: Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information
It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?
As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Zeke Testa.
Zeke Testa is Sr. Director at CYTRIO, a data privacy compliance company that addresses mid-sized companies’ challenges of meeting increasing data privacy regulations. He is passionate about doing right for the consumer, particularly when it comes to data privacy, security, and protecting customers’ personal information (PI). At CYTRIO, he touches multiple aspects of the business, working closely with organizations to ensure they have the right solutions to help them comply with data privacy regulations such as CCPA, CPRA, VCDPA, and CPA. Zeke previously held various sales positions at cloud-native endpoint protection company Carbon Black, acquired by VMware. He has a bachelor’s degree in marketing from Babson College.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
Sure, I grew up outside of Boston. I was a very competitive kid who loved sports and being outside and active. Hockey became a big passion of mine, and I was fortunate to play at Babson College in Wellesley, Massachusetts. Then, I was able to live my dream of actually getting to play professionally for a bit. However, I realized pretty quickly that playing hockey was not going to be sustainable for the long-term for me. So, I got into coaching, and that’s where I met my wife. She was coaching and getting her MBA at Babson. Ultimately, my life goals were to provide the support to my family in the way that I felt supported by my parents growing up. Financially, coaching was going to be tough for me to reach those personal goals. I started looking into the corporate world and was connected with someone who worked at a company called Bit9 + Carbon Black about a sales position. At the time, I had no idea what they did, and I didn’t know what an endpoint was, though the company focused on endpoint security. My eyes opened pretty quickly to this whole different world of the digital age and digital footprint. What do you do with information once it’s out there? How are companies protecting it? How are companies implementing technologies to protect data that’s out there? So, it was a whirlwind how I landed in the cybersecurity market. I didn’t know anything about it before getting into it. But once I started, I was quickly hooked and really fell in love with the industry.
Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.
I really stumbled across the cybersecurity space. Transitioning out of coaching hockey as a career, I was looking for a great company with great people, and I happened to find it in the cybersecurity space. We provided an endpoint security product for our customers. At the time I interviewed for a sales job, I didn’t even know what an endpoint was. Fortunately, I got the opportunity to get behind the curtains and see and learn about the business. I saw how vulnerable our personal data is — our personal information like name, date of birth, address, social security numbers, credit card information, email, usernames, passwords. This information is really our identity, and it’s very vulnerable. It didn’t take long for me to know this was the career path I wanted to pursue.
Can you share the most interesting story that happened to you since you began your career?
While at Carbon Black, I had been working with the City of Lagrange in Georgia for about four months and they hadn’t really made a significant investment in cybersecurity software. One day after they told me that the project had been pushed out another six months, I got a phone call at six o’clock in the morning. The city had a really bad data breach and all their systems were down. Their 911 phone systems were down so anyone who tried to make an emergency phone call for help couldn’t get through. Ambulances couldn’t contact dispatchers to say they were arriving at the hospital. This was impacting people’s lives — in terms of life or death.
Coming from the sales world, I got trained in what happens in these types of situations, but never fully grasped what the impact would be for the people involved. I’ve never been an incident responder or a security engineer or an information security officer. I couldn’t possibly understand what their day-to-day is like, but that was the first time where I saw first-hand how disruptive a breach like this was to the security team and to the citizens of Lagrange.
I felt such empathy for my contact on the security team, because this was going to be a really tough time ahead. He was getting the air mattress out and sleeping in the office to get this mess cleaned up, working full days over the weekend. For me, this opened my eyes to the fact that cybersecurity isn’t just a job. You can really make a difference in preventing these types of situations happening to other cities, companies, and individuals. This situation really brought out the human element.
Early on in my sales career, I was thinking, this is fun. We’re selling software. This was the first time it hit me that there is a ripple effect of enormous magnitude. And, it hit hard. This incident changed the way I thought about what I was doing in my career.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
One of my mentors and former manager at Carbon Black, Janet McHallam, was incredibly influential and supportive in my career. She was such a strong leader and sales professional. I tried to be a sponge around her as much as possible. One thing that she said to me early on that has always stuck with me was to always be genuinely curious. Whether it’s in sales or in life, just be genuinely curious. That’s probably not anything earth shattering, but it really got through to me. We are taught to ask questions, handle objections, think about the different outcomes, and plan ahead. And what do we not do when we’re doing that? We’re not listening. She really helped me to remove that barrier: how you see yourself isn’t necessarily how you have to be. Just be yourself, and be naturally invested in genuinely being curious in what you’re hearing and what you’re talking about and who you’re speaking to. I found that by doing that, you learn, you grow, you develop. You put yourself in others’ shoes more. That was really influential and impactful for me — just be genuinely curious. This taught me a lot about not only my own role within the company I work for, but also allowed me to get a better understanding of what our customers and partners are dealing with on a daily basis with regards to security and privacy.
Are you working on any exciting new projects now? How do you think that will help people?
At CYTRIO, we are working on an exciting data privacy rights management platform to reduce the time it takes for companies to respond to data subject access requests (DSARs) for the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), the General Data Protection Regulation (GDPR), and others. A DSAR is a request to an organization from a consumer about their personal information the organization is collecting and using. Consumers have a few options and choices that they can request of a company (Right to Know/Access, Right to Delete/Erasure, Right to Correct, etc.). We are on the cusp of this becoming a real problem for privacy teams. I say this because there’s more awareness around data privacy, and more consumers want more control over their data.
There’s a bridge between companies and their consumers. Different companies have different outlooks on how to approach this bridge. The government is stepping in to hold these companies accountable. Consumers want to hold them accountable. Companies now need to make it accessible for their consumers. Once these data requests really start increasing, that’s going to put a lot of strain on privacy teams. With CYTRIO’s platform, we’re hoping to lessen the burden for those teams, while also increasing transparency and loyalty with their consumer bases. We want to make their work easier for them without sacrificing the integrity of their business and transparency in the relationship with their consumers. Our data privacy rights management platform automates the DSAR response process and helps privacy teams deal with ever-changing regulations while avoiding the risk of noncompliance or regulatory fines.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
There are all the things most of us know to do like have a hobby and spend time with family. Something that I have learned which is a bit different and helps me is don’t get too high with the highs and don’t get too low with the lows. And, it’s not as simple as it sounds. But, I think it keeps you more even keeled and puts things into perspective. Not everything is going to fall your way 100% of the time, and everything is not going to go against you 100% of the time. But if your mentality or your attitude is attached to a specific moment, you’re setting yourself up for disappointment one way or another. It’s great to celebrate the wins, but always keep yourself in kind of a middle headspace where you enjoy it, but don’t let it disrupt your day. If things are going well, you celebrate, but you keep pushing forward. It’s important to keep things in perspective.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc, about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?
Data privacy management is becoming increasingly complex with the emergence of data privacy regulations across the world. GDPR was at the forefront. State-level regulations like the California Consumer Privacy Act of 2018 (CCPA), the California Privacy Rights Act of 2020 (CPRA), the Virginia Consumer Data Protection Act (VCDPA) of 2021, and the Colorado Privacy Act (CPA) of 2021 are severely impacting or are going to severely impact bottom lines for noncompliance with hefty fines and reputational loss.
There are two key themes that companies should be thinking about in terms of what they should be doing from a legal standpoint: transparency and accountability. Companies are required to disclose the type of information they collect from consumers, what the business purposes are for collecting that type of information, and if they intend to sell or share that data with other companies. Accountability refers to the different security and governance measures that companies have to have to protect that data. Also, it’s important for companies to want to have accountability over their consumers’ data, or their partners’ or customers’ or employees’ data, because that builds trust and loyalty. What we’re starting to see is that more consumers are more likely to do business with a company that has this top of mind. Consumers want to know their data is being handled with integrity, and that it’s secure. This is a true sign of integrity, which is important as we increasingly shift to a more digital world.
Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?
There’s significant gray area around this question. “It depends” is not a great answer, but it’s the reality.
What is the company doing with the information they collect? If it serves a genuine business purpose that is not harmful to the consumer or what the consumer wants in terms of that service, it shouldn’t need to be destroyed if it’s been there for a certain amount of time. What’s most important is for companies to let their consumers have control over that option. The best practice for a company should be to provide their consumers with an easy and fast way to make that decision on their own.
Every individual might look at their data and their identity differently. So, I think rather than having the company make that decision on behalf of the consumer, give the consumer their rights and allow the consumer to make that decision and give them options to be able to tell the company what to do with their data. And that’s really why we have these privacy laws coming into place. I think it comes down to being at the forefront of consumer choice.
In the face of this changing landscape, how has your data retention policy evolved over the years?
We store data for the minimum amount of time required by the regulations like GDPR and CCPA. For the types of data that we store and collect, everything is encrypted. It’s all metadata. So, we’re not ever accessing any of our customers’ actual PI data, but we continue to support the necessary requirements that are outlined in upcoming legislation. We work with our clients on ways they are able to extend that if they so choose for business purposes, abiding by the law.
Are you able to tell our readers a bit about your specific policies about data retention? How do you store data? What type of data is stored or is not? Is there a length to how long data is stored?
At CYTRIO, we don’t store any sensitive personal information from customers in our back end. Again, it’s all metadata. It’s encrypted. It’s built with security at the forefront. For our customers, we offer a few different methods for them to store their data while using our platform. We make sure that no actual data is stored, solely metadata. When we use our cloud scanner, nothing is stored locally to CYTRIO.
Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?
I think the emergence of privacy regulations is a great thing. As we continue to expand in the digital era, it’s important to have policies and protocols in place and requirements for companies to implement around handling consumer data. It’s a good thing that more states are coming out with privacy rights laws for their citizens and consumers. It’s a positive trend. And it’s not like we’re going to have 50 different state laws that are completely different. From a company perspective, it’s manageable. Many states are using what has worked with California and are coming up with their own version for their own state. As a citizen, I’m excited about it. For companies, it poses more risk with all these regulations, but that’s why it’s important to have a technology partner to help easily ensure compliance.
In your opinion have tools matured to help manage data retention practices? Are there any that you’d recommend?
Tools are definitely maturing. I don’t have any that I would necessarily recommend, but I definitely think technology companies have gotten better with data retention. And I think a lot of people are trying to figure out what do we do once we have that data stored. How are we taking action against that data? If there’s data that you’re not using and there’s no business need for it, there’s no need to have that data there. Data retention companies have been really good at being able to help companies use the data they’re collecting for business purposes, and that’s great. If you don’t have any need for any particular data, then there’s no need to keep it.
There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?
If anything, these types of headlines motivate companies to keep pushing themselves to get better, to continue to innovate, to improve. This impacts our customers in a very meaningful way. We are all in the fight together, to help prevent security incidents or security breaches from taking place. The more we can collaborate and innovate, the better our collective goal will be to win the fight against hackers.
At CYTRIO, we’ve built security into the foundation of our platform. One of our co-founders and Chief Privacy Officer, Pankaj Parekh, has a deep security background. He, along with the rest of the team, is always keeping innovation and security for the consumer at the forefront.
Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order To Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)
- Clear ownership internally for data privacy. Typically, multiple people and multiple teams are involved. Too many “cooks in the kitchen” deflect responsibility and can be confusing. Shared responsibility among different departments can also cause neglect. Nobody wants to own it. Everyone thinks they own it. One team thinks the other team owns it. Ownership of data privacy needs to be clear.
- Do you know where all of your data resides? Where is all your data located? What types of data is being stored? Who has access to it? This is where data mapping and accessibility come in to play. Have you done a thorough investigation of all of your data sources? Once you get that baseline, you can start putting strong policies and procedures in place. Knowing where all of your data resides can really mitigate risk.
- Prepare, Practice, Perform. 1) Prepare: Do you have a privacy program plan? Do you have a plan for responding to a DSAR? Does your team know their roles in the event that an incident happens where they get a request that does come through? 2) Practice: Have you tested that plan and can you test for a “worst case” of that plan? 3) Perform: See your privacy program in action when an actual request has been submitted. Have you practiced a hypothetical situation if you were to receive requests to test your plan? You can improve or change anything in your process.
- Proactive vs. Reactive. Having spent the past 7+ years in security and data, I’ve seen too many companies react to incidents versus having a proactive plan for when those negative events occur. This is a much less stressful way to protect your data and comply with regulations. Don’t wait for an incident to happen. Take action now and get ahead of it.
- Collaborate and educate. The more we talk and share and inform, the better everyone gets at protecting consumer data. That’s a customer talking to a vendor, that’s a vendor talking to another vendor. This helps all of us become more aware of the challenges consumers and clients face. I think the more we can share information and collaborate with one another, the better off everyone will be, including vendors, customers, consumers, and citizens. Plus, what worked 12 months ago might not be effective today. Educate yourself on new best practices and innovative ways to handle data privacy.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-) (Think, simple, fast, effective and something everyone can do!)
I think we all need more time off. There’s been this increased benefit from companies of unlimited Paid Time Off (PTO), though I’m not sure that is the best policy. I think we definitely need a minimum of mandatory days off. If you have 4 weeks of vacation, you take 4 weeks. If you don’t think you are going to lose your vacation time, what’s the incentive to take it? Time off, yes. But we all get so busy. I think we need a mandatory minimum days off policy or we risk not taking enough time off, leading to burn out.
How can our readers further follow your work online?
https://www.linkedin.com/in/zeke-testa-0900434a/
https://www.linkedin.com/company/cytrio/
This was very inspiring and informative. Thank you so much for the time you spent with this interview!