EP 9: A CISO Perspective on Privacy, Security, & Data w/ Anne Hardy

ABOUT THIS EPISODE

Privacy and security go hand-in-hand…but sometimes, they can contradict each other. How could this conflict influence organizations?

In Episode 9 of #UnleashIT, we spoke with Anne Hardy, CISO at Talend, about how shifting attitudes towards data can affect privacy, security, and enterprise architecture in organizations. 

A huge component of Anne’s role is communication. She knows exactly how to reassure her peers that their data is safe, teach them to be more conscious about data, and keep track of changing attitudes towards data management and governance.

In this episode, we discussed how to quell people’s fears about data security, how to treat data like any other asset, what it really takes to shift to the cloud, and whether the 2020s will usher in the rebirth of the CIO.

To hear this interview and many more like it, subscribe to the Unleash IT Podcast on Apple Podcasts, Spotify, or our website.

We are moving to the point where people start to realize that data needs to be managed like any other assets.

Welcome to Unleash IT, a podcast where we discuss the experiences and ideas behind what's working in enterprise architecture and digital transformation within the IT landscape. Unlock your business's digital capabilities. Transform your enterprise architecture. Unleash IT. Let's get into the show.

Hi, and welcome to today's edition of Unleash IT. I'm very happy to welcome our guest Anne Hardy, who's the chief information security officer at Talend. Anne, welcome.

Thank you, thank you so much for inviting me. Glad to be here.

Great. So why don't you tell us a little bit about your background? I usually like to start off by at least getting some of the backgrounds, because some of the CIOs and the CISOs that I've met are all very, very different the way they got into the position they are today. So if you can start this by telling us a little bit about your background, that would be great.

Yeah, thank you. So, yeah, my background seems very strange to a lot of people because I've done a lot of things. So I started as an engineer, software engineer, in the telco industry and I did that for a while actually. So I started in France, where I got my education, and I started to work for a big company, Alcatel, at the time. So I was a software engineer for three years and with my husband, who's French as well, we decided to explore new horizons by leaving France and we came to the US for the first time. So, and that's when I joined another company, which was Nortel Networks, a Canadian company in the Bay Area, in the San Francisco area, and I was a software engineer for a few years and I got my first management job maybe two years in. I don't remember exactly, but still very technical, programming mostly. Then I switched, and it was mostly by chance. I switched to more research positions.
So we were working on, it was called advanced technologies, we were like doing prototypes and building stuff that we were trying to present to the product teams just to give them new ideas about things to do. But then, yeah, I was, I think I never really wanted to become a manager at the time, but it just happened to me and after a while I started to like it. So I've been in management since then, and then different things. At some point I did an MBA because I felt, you know, I've learned management on the job, but I guess I need more. I did some sort of education because I'm not sure I've learned it the right way. So I went to do an MBA. Then I went to work for a venture capital company for one and a half years. Yeah, which, I mean, was super interesting. But after a year and a half I felt, you know, I'm just disconnected from the real stuff and I want to go back in industry, and I went. That's when I started the IT industry. So I left. That was the beginning of my life in the IT industry and I joined SAP, even though during the MBA everybody was saying, well, SAP, I...

...said, at the time, was already the enemy of businesses, you know, because they were kind of forcing people to work the way SAP systems were built, right. So, but I joined there and it was a great adventure. I stayed there for twelve years and I did different things. So that's where I really started to diversify. So I started in research, then I worked in marketing, then I worked at the end for the CEO, working more on employee culture and things like that. Great, great, learned a lot, to the point where at some point I decided to start my own company. So I started my own company after SAP, and the company was called walk rise. Did that for three years and we were building a platform to help companies understand the well-being of people at work, so collecting data about emotions of people at work and trying to give a dashboard back to managers so that they could do something about it, because we felt like, you know, the employee surveys that you get at work don't really work. So, anyway, that's not just a feeling. I think a lot of people agree. But so we were on a mission to improve that. But what happened to us is that we understood that most of the companies were not ready for this information. So, even though people say, oh, you know, people are what really matters. Yeah, it was more on paper, and so when, at the time, people were getting information or insight from us about how people were doing, it was hard things to realize that people were not doing so well. So what do you do about it? And then it was difficult. So anyway, so we didn't make enough money and then, that's when I switched to CISO, which was interesting for me because, so I had done security in France my first three years at SAP. I was managing a security research team and somehow, yeah, I felt like when I started to discuss with companies about what's next for me after work rise, a lot of companies were resonating and say, oh, you've worked in security.
I mean, maybe that's, and I was like, yeah, maybe that's right actually. And you know what, it's super interesting because for me, even though I don't, I don't think I'm a security expert, but the work that I did across many types of jobs and organizational departments in companies is really helping me because security is very transversal. So security touches every part of the business and it helps me to have the perspective of, let's say, people in engineering, people in marketing, people in operations too, because I can work with them because I've been there. Right. So it's super helpful because actually I think, I mean, the more I do the CISO job, the more I feel like actually the work of the CISO really is a mix of a lot of things, but it has a lot to do with internal marketing. Hmm. So understanding how people work and what they have to do is really critical. So anyway. So that's where I am. So I've joined, I've done my first CISO job at a startup in San Francisco. That was in two thousand and nineteen, and I decided to join Talend in January this year. So I've been on the job here, at Talend, for nine months almost.

Right. Tell us a little bit about what Talend does.

So Talend is a data company. So we help people make data useful, and so we have a suite of products in the...

...cloud that really help companies to make sure that the data can be trusted, can be used and is available to make the best decisions.

So yeah, so what are your challenges right now, as the chief information security officer?

So yeah, a lot. So when I, so, when I started in January, what was, I mean, I had my, you know, I mean it took us, it took me a few weeks just to collect a lot of information about, so what's going on? Right? You know, you start, you observe, you see things and you just make a state of the land. Right. So ran directs and what's happened and then I had my draft strategy that I presented to the CEO and to management, and then COVID hit, right. So of course, I mean, I wouldn't say that the list of topics and subjects that I had changed, but the priorities had to change, right. So there was certainly like more focus on risk management, more focus on making sure that people could be safe working from home and also the company was safe, also with people working from home. So there were a few things that journey became like, oh, this is really urgent and important for me now to look at now. So yeah, so there are a lot of, so, challenges. I think the, yeah, the year was definitely eventful. I had to spend a lot of time trying to address like, I wouldn't say fires, but there were a lot of people internally, I mean at the executive level, or customers, really concerned about, so, what's happening? And you know, it's like people were, there was so much disruption that when there is disruption, people start to ask tons of questions and there is a lot of panic. So I had to spend a lot of time actually reassuring people, I mean just customers, executives. Yes, we are doing the right thing, even though, I mean, sometimes it was, you know, as CISOs, we like to, you know, we make plans, we prepare, we have policies, we put things in place, we make sure that we are ready for, I mean we try to be as ready as possible for anything happening.
With COVID, yeah, a lot of things that happened we were not ready for. Right. So, I mean I would not want to be transparent about that because I'm hopefully for the Transparan because I don't think ever anybody was ready for that. Right. It was just the scale and the impact and touching everything at the same time was just very difficult for everyone, and suddenly you just like have to switch gear completely and accept to do things because it's urgent, it's important, the business has to go on. Right. So, as a security person, you cannot close everything and you cannot say no, you cannot do that because it's not secure. You have to accept that. Yeah, maybe you do it and then you fix afterwards, which was a new way of working for me.

Yeah, but I think for a lot of IT organizations, right, because you go at a steady pace and all of a sudden you had such disruption. Yeah, and a lot of the people I've been talking with, this...

...is actually accelerated their migration to the cloud, yes, but only actually made accelerations towards digital transformation. You know, where they were thinking maybe two, three years out, now that's all been compressed and getting it done and getting it done now. But yeah, in itself that causes a lot of disruption too.

Yeah, it's disruption now. So I mean, when you move to the cloud, you kind of delegate the risk and the liability to someone else, but at the same time you still have to manage it. You want to make sure that if you push things to someone else and to a third party, a new vendor which is now responsible for a lot of things, you still have to make sure that you can trust them, right, so they have the right security things in place and things like that. And so it really forces you to think in terms of risk. It's not just about the risk that's what you're managing causes, but also how do you manage the risk of your partners, your vendors, your suppliers? So you just like have, I mean those things are to I have to accelerate as well, and I think a lot of people don't realize that. They, oh yeah, let's move to the cloud. It's much easier, much simpler. But yeah, you still have to put a lot of things in place to make sure that, yeah, your cloud providers are doing the right thing for you, and at least at the level that you want them to be.

Yeah, so we have several clients that are multi-cloud environments. Yeah, multi-vendor. Does that add yet another layer of complexity, because you might have AWS, you might have Google, you might have a, yeah.

Yeah, yeah, so we have, yeah, we use AWS, Azure and Google, I mean the big ones. I mean, it gives, well, it gives you, like, some, let's say, safety net, right, because I mean you can play with one or the other.
It's more to maintain, right, or want to manage, because you have to make sure that those providers, I mean, although they are big ones, right, I mean I wouldn't worry too much about Amazon or Microsoft or Google, for the because they are not. I mean, they do what they need to do, but at the same time, yeah, it's more work on your side and you have to make sure that the security posture that you have in the cloud environments is at the right level on the three of them, and you don't manage the same, I mean you don't manage security the same way on Google or Azure or Amazon. Right. So it's complexity, definitely, but also some sort of safety at the same time.

Yeah, what I'd like to talk about is the balance that CISOs have with regards to data accessibility and managing and controlling that data. So how do you make it so that employees have access to the data that they need to make business-critical decisions? How do you make sure that it's accurate information and how do you make sure that that maintains some security? Do you have like a framework that you're using to make sure that there is that balance of accessibility as well as compliance?

Yeah, it's a very difficult topic. So, and we have, I mean we have some products that help with that. So we have started recently, when...

I joined, to use our own product to really make an inventory of our data and make sure we know where things are, right. So starting where you know where your sensitive data is, you know where the data that you need to protect most is, whether it's from your employees or your customers, and so there is a place where you record this, and so it's, yeah, it's super difficult, and as people have more software, more access to things, I mean people, they store a lot of data. So, I mean it's very hard right now, I think, for a company to manage data because they've never, I mean most of companies have never managed, right. Yeah, we've always saw, yeah, that is convenient, so right, but we never thought about data as an asset, and I think we are moving to the point where people start to realize that data needs to be managed like any other assets. It's like, I mean, like equipment, right, that you need to protect, or like, I mean, documents. I mean people have thought about documents, right, or contracts, things like that, but data, it's like it's a new thing, and just creating a data governance program is complicated because it cuts across the entire company and it's not also a job and responsibility that is owned by all the traditional roles you have in a company. Right. Where do you put data governance? Do you need, so we have a lot of companies, actually most of our customers, have a chief data officer, which I think it's a new, trendy role, right, but it's super important, I think, that people start to understand that, yeah, data needs to be managed and there are good practices that people can follow from asset management, other assets, right, that we manage, whether in IT or other places in the organization. So to give you, so I've been like leading a program just to make sure that we are better at governing data and we should best practices, just because also we have products that help our customers do that.
So we are trying to just be applying the best practices that our customers also like to use for running our data. And it's not just because it has to be there, it's also for compliance reasons. I mean we mentioned at the beginning, right. So GDPR, and we are being a challenge, is European and American. Right. So we were founded by French people and the company now is headquartered in the US, but there are a lot, still a lot of European, we have a lot of European customers. So GDPR has really been a key compliance framework for us to comply to. Yeah, and so for compliance, we have to be able to show to people that we know where the data is, we can give them a collection of all the data we have about them, we can also remove it, and we have just a time frame, I think for GDPR it's forty five days. So we have to be able to give them a collection of all data that we have about them in less than forty five days, and we also have...

...to be able to prove to them that we have deleted all the data. So this is, yeah, and so in order for companies to be able to scale to these new laws and regulations, you have to be able to govern the data. So I think it's mandatory, and that really requires reorganizing your company in a way that allows this. And so we've started this at Talend recently and we still, I mean we're still looking on that. So it's not magic, all right. You cannot just like say, oh yeah, sure, we do that. And even though we have products, even though we are in the industry, I mean we are not yet at the level that I wish we were at. So you'll bring them there. Sure, O them there now, I think. I mean, honestly, I mean you are asking which framework we use. So I work a lot with Gartner and they have talked to a lot of analysts, consume a lot of information from them. So they have definitely best practice industry and very good advice also. I mean we work a lot with ISO standards and with also a lot of in there. I mean, so there is tons of information and advice, but it's just a matter of organizing yourself to be able to do it and thinking that way, and it takes time. It's really, I mean we were talking at the beginning about digital transformation and moving to the cloud, but thinking about data as well is also a big change.

So we serve enterprise architects. They're the big part of our audience. Where does the enterprise architect fit in here, in your data framework, and managing the overall, you know, IT landscape and how data is going to be integrated within that landscape?

Yeah, so for me, I see, I mean I don't want data governance to just belong to IT. I think it's much bigger than IT. So like security, right, for me, those, data governance, cyber security, they are business decisions, not just IT. I mean a lot of, so it used to be.
All of this used to be like, oh yeah, this is architecture and about technology and things like that. No, it's much more than that, because those two topics are really very touching about business risks. They are touching business risks. So they are really, so you have to drive them understanding what are the risks you are ready to take and then derive this into maybe architectures, maybe processes, policies and things like that. But it's much bigger. So I mean, so, yes, enterprise architecture has to play a role in supporting those bigger things. Right, that to do cross it. But for me, it's just like it's a different level. So it's with the plights of business owners. So yes, if marketing has data, if engineering has data, if human resources have data, we all have to be accountable for the data and how we use it, how we work with it, and take some accountability and responsibility as the data owners for whatever applications we might be using too, and there is, yeah, and there is a lot of awareness that has...

...to be brought into companies to help people understand. Yeah, why do they need to be conscious about data? I mean, and it's a difficult topic, because you cannot expect people to be experts in privacy or security or data, whatever related risk or things like that. But at the same time they have to be aware, I mean, aware enough so that they shoot from the business right, because you can. In the end, I think I like to see my, I mean my vision for my job is to enable people to be safe, right, and not really control all the security stuff. I mean, I want them to be able to make safe judgments all along the way. So we have to become, and I think, as IT organizations or security leaders, we have to come to a point where we become a service organization enabling everyone to be the best, right. So you have to build this, and I think, I mean I'm still struggling sometimes to feel where does privacy belong? And right now at Talend we have privacy separate from security, which I think is a good thing. At the same time we have so many interactions, so our data privacy officer is in the legal team, but I work so much with her, it's just like we are, because, I mean, you see, I mean privacy and security, they go hand in hand, but sometimes they also contradict each other, right, because you can put sometimes security controls in place, like cameras, things like that, and they are mating in privacy. Right. So you have also too. So it's a very interesting, I love this world actually, because it's super complicated. You know, so many things to do, so many things to solve. But yeah, to answer your question, it's difficult, and enterprise architecture, I think, is a part of the story.

Right, right, it really.
It is playing so much more of a role these two, and I keep thinking that the 2020s are going to be the year of the CIO or the rebirth of information technology, not so much as just a service, you know, like standing up a CRM system, but much more so driving the business using technology as that enabler. And what I'm saying is a lot of it. People like, I'm not a technologist, I'm a marketing person at heart. I started out as an engineer too, so some technology background. What I find is, you know, I don't know necessarily the best technologies to help me achieve my goals. I need the technical wisdom that the IT organization can bring me to make sure it's safe, that I'm getting the business outcomes that I'm looking for. I think more and more it's evolving into this much more consultative organization that's helping drive business change through technology initiatives. Yeah, so it's really becoming much more of a central core than it has in the past couple of decades, the whole of core, I think. I think, I mean what we see now is CIOs have to become more visionary, they have to become closer to also the business units to really understand their use cases and give them guidance...

...on what they could use and also enabling them to use it at the same time as they are. I mean there is also a thing that is happening, I think, for IT organizations, that they have to become less controlling as well, because with the cloud and with people, I mean you can potentially sign up and use whatever you want and you don't, and it's okay, right. Sometimes you don't want, I don't want to become the bottleneck and have to inspect the security of everything people use, but I want to be in a position where I'm able to monitor what's going on and I'm able to edit and understand and help people to get better. But I don't want to prevent, right. I mean there are certain applications, for example, or certain services that you could potentially use and they're not be risked for the company, and why would I prevent you from using them? Right? So that's the thing. That's a struggle that I think a lot of IT organizations are going through. Is that how much, I mean I've been talking recently about shadow IT. How much should be allowed? Right? You want certain types of shadow IT because you don't want to be like controlling and managing everything, but you want to make sure that the shadow IT is exposed. Right. So it's no longer in the shadows, but it's like kind of allowed. It's part of the culture of the company that you allow certain types of IT, business-led IT or gray IT or whatever, in your organization. It's super interesting for CIOs, I think, right now, because, I mean, with COVID, I think actually this is funny because I always say with difficulties always comes, like, you know, opportunities for rethinking what you're doing, and I think that's what's happening. So, while I'm not very happy with two thousand and twenty because it's been super hard for a lot of things, it's an interesting opportunity for a lot of organizations. We think about what they are doing and how they have been doing things.
Terrific. Well, Anne, thanks so much for joining us. It's been low. You, you, and let's hope that two thousand and twenty one is a much better year. Yes, let's cross our fingers and we're going to have much more fun next year. Yeah, doing things, and I think, yeah, I missed the human part of things and it's just like it's tough when you hire people and you never met with them and you can get, yeah, it's just you see them on Zoom and that's all lines. Yeah, it's a difficult, difficult year. Yeah, we'll get through this. Yeah, we'll get through this.

You've been listening to Unleash IT. To ensure that you never miss an episode, subscribe to the show in your favorite podcast player. If you'd like to learn more about enterprise architecture and tools to help unleash your business's digital capabilities, visit leanix.net. Thank you so much for listening. Until next time.
