3 basic things to know about your data, according to Xerox's CISO

Dan Patterson interviews Xerox CISO Alissa Abdullah about protecting sensitive data from adversaries. They also discuss the recent Marriott hack, privacy, ransomware, machine learning, and IoT.

CNET and CBS News Senior Producer Dan Patterson sat down with Xerox CISO Alissa Abdullah to discuss the best ways companies, and consumers, can secure sensitive data from adversaries trying to obtain it. The following is an edited transcript of the interview.

Dan Patterson: I think we can have a million conversations that all are kind of the same, about how to prevent or how to protect your data and how to protect yourself, especially if you're an enterprise company, from adversaries. I wanna look at one in particular which is the Marriott hack that recently happened, and it was recently revealed that China may have been behind this.

Whether China is behind this or not, how are we seeing private enterprise companies respond to this massive spike of threat that may be state-level and far more sophisticated than you're capable of defending?

Alissa Abdullah: So I think that publicly, everyone is focused on nation states going after nation states. From a CISO perspective, we've always known that nation states target private industry as well. We have good competitive data, we've got really good IP [Intellectual Property] data. I remember in various organizations that I've worked or I've been around, hearing various stories about a nation state trying to get into a Fortune 500 company's computer system to find out the size of a screw for something that they were building.

Not to revolutionize anything, but if they could find that screw and sell it on the black market, or do it in their country a little differently with fewer enhancements, then they could replicate it, and that's how we get counterfeit or black market products that are very similar to what we in Fortune 500 industries are selling now.

I look at it from that perspective. I look at it from the perspective of nation states penetrating the public sector just as much as they penetrate the private sector. We just don't talk about it as much in the private sector. We just don't talk about it and focus on it a lot in the private sector. But it is well known. I think it's not a big secret, and I think anyone who thinks about what's happened with Marriott, or any other breach that has happened, should know it's not big news to a CISO, because we know the threat surface.

And that's always shifting, right? It's always shifting, and it's shifting based on not just your vendor, or your third-party vendor population, because that could introduce different threats, a different threat profile. Your customers, that can introduce a different threat profile. The products you sell can introduce a different threat profile. The politicism around your company, the politics around your company, can introduce something a little bit differently as well.

And so they're different, I think different avenues that enable those threats.

Dan Patterson: Just out of curiosity, because I'm a nerd for machine learning and for security. How sophisticated is China and countries like China? When I think about them, they're almost--maybe this is the wrong term--but I do think of them as a black box. Where they have technological capabilities that I think are pretty astounding, but I don't know what they are.

Alissa Abdullah: So I try not to focus on one, because if you focus on one, you're going to miss some of the others. I think there is highly-skilled cybersecurity adversarial talent around the world. There are pockets in different countries, but if we focus on what the hottest topic is right now, we're going to miss the country that is in the dark, that is wanting to be in the dark, because now they're focused on something else and we're going to be attacked by some other country. I just don't feed into, a lot of times, that conversation.

Dan Patterson: That is the smart answer, that's the right answer. It's not the answer that's satisfying, but I totally understand why. Let's go back to machine learning and let's talk a little bit about your business, Xerox. You kind of are the first IoT company, at least when we think about printers and machines in an office.

Tell us about the next 18-36 months when it comes to, not just IoT, not just machine learning, but the confluence of those things with security.

Alissa Abdullah: So I am thinking right now about the digitization of things. So we talk about the internet of things, but we're now focused on, how are those things being now digitized and our ability to accept them? I look at them in the WIIFM effect, What's In It For Me. And that's how we decide who is going to accept, or the pace of acceptance for Internet of Things. I look at it from a perspective of the workplace.

And now, what does the workplace look like for Xerox? We think about the printer environment, the printer environment is probably one of the most neglected environments. I've been in many conferences and I've asked people, how many of you updated the firmware in your printer? And they were like, 'what? I didn't even know I needed to do that.'

You think about your thermostat. I have a smart thermostat. Do we update the firmware on the thermostat? No, we probably don't even think about it. And we're hoping that companies now are smart enough to push those things to us, because it should be easier than it was before. Each year, we should make it easier and easier.

But when I think about now, the Internet of Things, the next 18 months, the next 24 months, I'm also thinking about the ransomware of things, how it affects us the most.

Dan Patterson: It's relatable, yeah.

Alissa Abdullah: And I think that's where you look at, well companies that are being breached are ones that are really, really impacting people. Before, it used to be a business problem. It's not a business problem anymore. It's a people problem. Everyone, no matter what, where you are, you're concerned about your data, your personal data.

So I think, just on another conversation, I think privacy is going to be the next security. That's going to be the next big topic that everyone is going to be talking about. Because that's what makes most sense to them, that's how it's really been affecting them. So you think about, in the future, the ransomware of things and where Xerox plays, or where any Internet of Things company plays a role.

It plays a role because now we've got access to more data, that data is now going to affect more people, and then the adversary is gonna try to attack the data set. Adversaries, even though they're attacking hardware, they're really trying to attack the data. The data is really more profitable on the black market, than anything else. So that's how you sum up this whole conversation, is with a data security conversation.

And whether that's business data or whether that's personal data, and now we know at work people do a little bit of both. People go on their personal email and their business email. They're doing banking, they may have to pay a bill. Or they may be paying the bills of the company. But there's so much gray area in-between there that we have to make sure that the data is protected, the systems are protected, that our people are protected, that their information is protected. There's just so many different avenues there.

Dan Patterson: Dr. Alissa Abdullah, I feel like we could have this conversation all day long, I have so much to learn from you. I have one, final question. I need your help, I have a favor to ask you.

Every time I talk to people in technology, and especially business technology, we're speaking the same language. We understand the Internet of Things, we understand privacy, we understand data. Because these are the macro-trends that are shaping our industries.

When I talk to normal people, consumers, and especially when I talk to my editor who wants me to relate all of this to normal people and consumers, how do you make privacy data, IoT, and security understandable in a way that people care about it? That it's relatable?

Alissa Abdullah: There are two things I want to say about that: I go back to the 'what's in it for me?' That's how you make it relatable. You talk really about personal data, how personal data is affected. Have people start thinking about, and not over-sensationalizing, the aspect of data. You have people now who say, 'Oh, no, I don't want to give my social security number out!' Your social security number is already out there--that's a done deal.

But, we have to make sure that people take ownership over tracking as much as they can. Where their data is, who they allowed to access it. What is this company going to do with your data? When it's time to cut an account off, cut the account off. Don't leave email accounts--people have email accounts from, 'Oh, I remember when I started an xyz.com account years ago.' Did you really shut that account down? Did you clean that out? Things like that.

Because those data repositories are still sitting there. And even though you think that data doesn't matter, it does matter. Because that's the repository, or that's the data lake, that the adversary is going toward, to make you believe that they know who you are, that they're your friend. That they were your long-time high school classmate you really don't remember at this age.

The other part that I want to say is, the consumer shouldn't know a lot about security. We as vendors, we as the tech people, we're supposed to be the smart tech people that make it easy. There's some areas where we've overdone it, we've overdone the technology and the processes, we need to pull that back in. Because we can overextend it from a different perspective and make it easier to consume. And if we make it easier to consume, then we don't have to teach people about rootkits, right? I don't want to teach my grandmother, I don't want to teach my mom and dad about a rootkit.

I want to just tell them, hey, this company is good. They have your data protected. These are the five basic things, or three basic things you need to know about your data: You need to track it, you need to know when your account expires, what they're going to do with your data, XYZ. I want to leave it at that.