
Podcast: ‘You Can Never Have Too Much Encryption’

Apr 30, 2019
31 minutes



Listen to this podcast on Apple Podcasts, Soundcloud or wherever you find your favorite audio content.

On this week’s SecurityIntelligence podcast, co-hosts Pam Cobb and David Moulton connect with Stephanie Balaouras, research director for the security and risk team at Forrester Research, to tackle the critical topic of enterprise encryption. How are companies doing right now? What’s informing their data defense strategies? And what’s next for corporate cryptography?

The Pitfalls of Piecemeal Protection

Corporate data breaches remain commonplace. A recent Forrester study found that 68 percent of enterprises reported a breach over the last 12 months. According to Balaouras, “That’s just the ones that know that they currently have a breach. For those that don’t know they have a breach, we actually think that the percentage is even higher.”

Still, Balaouras notes that “security teams have adopted every form of encryption that’s available,” from full-disk options to database and cloud solutions. The challenge? “What you’ll find is that it’s actually really not pervasive throughout the entire environment; you’ll find pockets of it.”

This kind of piecemeal protection is made worse when companies feel overwhelmed by the scope of cybersecurity issues and “use that as an excuse to never actually start in the first place because they just think it’s impossible.” For Balaouras, a unified approach is critical; unified policies can both streamline implementation and simplify integration.

Encryption Drives Competitive Advantage

Emerging regulatory expectations are driving encryption adoption. Balaouras points to the General Data Protection Regulation (GDPR) and upcoming legislation such as the California Consumer Privacy Act (CCPA), which will take effect in 2020. But she also notes that encryption technologies are now being repositioned as competitive advantages in a marketplace driven by consumer expectations of data privacy — companies like Apple are able to charge premium prices for their devices because of their continuing focus on privacy.

Building a Holistic Encryption Strategy

So how can companies conquer the inertia and make strides toward a holistic encryption strategy? Balaouras advises a three-step framework: Define the data itself, analyze it for additional context, and defend and protect that data.

Encryption is just one of the many strategies that come into play during the final step. Data protection can range from archiving and deleting data all the way to implementing strong identity and access management protocols. But whatever elements end up comprising your data protection strategy, as Balaouras says, “You can never have too much encryption.”


Episode Transcript

Pam: This week, we’re diving into data. In their annual security survey, Forrester Research asked 3,000 respondents if they’ve suffered a security breach in the last 12 months. More than 68 percent said yes.

Now mathematically, that figure isn’t surprising, at least to me. 68 percent is the common one standard deviation on a classic bell curve. Bell curves aside, David, did that statistic surprise you?

David: Not really. Data security is a tough thing to do and tough to do well. And if you think about it, companies have been gathering data for so long. They have so much data. Maybe they don’t even know what they have, or what kind of data that they have. Of course, there are going to be attacks, of course there are going to be losses of that data.

Pam: And I think, too, when you think about a data breach, could be anything from an insider attack, or even an inadvertent insider leak or a database misconfiguration, or, you know, someone left the good old floppy drive on the subway.

David: Floppy drive, Pam?

Pam: Well, you know, yes. USB, floppy drive, all kinds of…all the ways that we store data, even, you know, the box of paperwork that was left in the car and the car got stolen. So I mean, it could be anything when we think about what breach regulations are now in terms of disclosure, policies and all the new things that we’re seeing in the market.

David: Exactly. Data’s pervasive and this is a tough challenge. But I think there’s some things that companies can do to protect themselves and to have a little better hygiene overall, right, that idea of a security fundamental. It all starts with data and how you think about it.

Pam: That’s exactly why, in this episode, we’re going to dive deeper into how data protection, including a strategy around encryption, can help you in the face of a security breach.

This is the Security Intelligence Podcast, where we discuss cybersecurity industry analysis, tips and success stories. I’m Pam Cobb.

David: And I’m David Moulton. This episode, we spoke with Stephanie Balaouras, research director for the Security and Risk team at Forrester Research. Stephanie explained why organizations have no excuse to start implementing a data protection strategy and can benefit from a holistic approach to encryption. Here’s our conversation.

Pam: So, Stephanie, welcome. Thank you for joining us as a guest. Can you introduce yourself and share a bit about your role?

Stephanie: Sure, and thanks for having me. I’m looking forward to this. My name is Stephanie Balaouras. I’m the research director for the security and risk team at Forrester Research. I manage the team, I set the research agenda. I work with all the analysts who cover everything from enterprise risk management all the way through to cybersecurity.

David: How important is encryption given today’s data breaches and threat landscape?

Stephanie: Yeah, it’s become more important than ever. You know, every year my team and I we do an analysis of the largest breaches and privacy abuses of the previous year. And what we always find is that the extent of the breach, or the impact of the breach could have drastically been limited if the data in question had been encrypted. And in some cases as well, if your data had been encrypted, you don’t necessarily have to report it under certain breach notification requirements, whether it’s here in the United States or even under GDPR in the EU.

If the data had been encrypted, and that there’s a limited chance that any kind of customer data had been exposed, because there’s no way for a cybercriminal to actually monetize or use that data maliciously, then you don’t actually have to report it.

It also helps to reduce both security and privacy concerns if you’re hosting data with a third party, especially if you’re maintaining the keys. This way, whether it was a malicious insider at a third party or whether it was, you know, an unfriendly government or a foreign government that wanted to access the data, they actually wouldn’t be able to access the data if it was encrypted. And you had control of the keys because otherwise they would have to control…they would have to gain control of the keys from you.

Just to give you a sense of the scale of the problems. Well, in our annual security survey, we asked 3,000 respondents like whether they had suffered a breach in the last 12 months and more than 68 percent said yes, and that’s just the ones that know that they currently have a breach. For those that don’t know they have a breach, we actually think that the percentage is even higher than that.

Pam: So given all these breaches and you know, the 68 percent, which even knowing and suspecting that’s under-reported, how has user perception of encryption changed over time?

Stephanie: Yeah, that’s an interesting question. It has and it hasn’t changed. The good news, so according to that same survey that I had referenced is, you’ll find that security teams have adopted every form of encryption that’s available, full-disk encryption, database encryption, cloud encryption, you name it, they say that they have it somewhere in the enterprise.

But when you work closely with clients, you know, doing advisory or consulting or just, you know, interviewing them for research, what you’ll find is it’s actually really not pervasive throughout the entire environment; you’ll find pockets of it. So we’ll typically find that full-disk encryption has become pretty pervasive on laptops because that’s sort of a no-brainer given how many laptops are lost or stolen every year.

And maybe you’ll find some pretty savvy business owners or application owners who actually have adopted database encryption to protect specific fields within a database that might have customer data in it. But not enough enterprises are actually taking a holistic approach where they really step back and look at their environment and they inventory their environment, and they classify customer data throughout the environment and they ensure that everything that is the most sensitive is really encrypted in every system of record, and even throughout all of their file systems.

The unfortunate thing is, is that there’s still perceptions that encryption is complicated, that it’s processing intensive, that the key management can be very, very difficult. And these are conversations that normally I would have had 10 years ago, but I’m still having them today and I’m educating security professionals about how much encryption has changed. So, yeah, it’s kind of a mix there unfortunately.

Pam: So you’ve talked about key management and some of the problems in just trying to get a hold on encryption practices. Are those really the biggest challenges? Or are there other business practices that are keeping people from adopting encryption as a standard?

Stephanie: One of the biggest challenges is just sort of the inertia against getting started. I’ll hear from clients quite a bit that they feel daunted by the amount of data they actually have in their environment. So they don’t know where to start. So imagine you’re a very large enterprise, you’re, you know, Global 2000, you have petabytes of information, both structured and unstructured. And so, you know, when someone like me gives you advice that the first thing to do is to inventory and classify that information, it just seems like an incredible mountain to climb when you have petabytes of information.

So what happens is they’ll use that as an excuse to never actually start in the first place because they just think it’s impossible. But in reality, you just need to start small and continue, you don’t need to try to inventory and classify all of your information at once.

I’ve had one client who was a global construction firm that operated in 53 countries globally. They took a country by country approach. I’ve seen others take a line of business unit approach where they go business unit by business unit. Or they might actually start by focusing on their most important applications, their most important business processes. So that’s one of the biggest challenges, just the excuse to not get started and getting over that hurdle.

And maybe you choose that you’re not going to go back and start trying to encrypt all of your historical information, but you want to pick a point in time where going forward you’re going to start. That’s another approach as well.

The other thing I would say is you want to keep your classification simple. I’ve seen enterprises come up with as many as 10 classifications. Again, you’re overcomplicating things. I think three levels, four levels maximum, something like public, internal and confidential.

And anything that’s highly regulated—so for example, something that’s considered personally identifiable information under GDPR, under the California Consumer Privacy Act, or under HIPAA, or PCI—that information plus anything that you consider your most, like, sensitive intellectual property, the information that really makes you different or provides a competitive advantage, your trade secrets, your designs or code, also anything that lays out strategy, or potential M&A targets, that’s the information that you put into that top level category as confidential. And that’s where you want to focus on applying encryption. So, you know, to me, if you keep it simple, you start small, and you scale, you keep your classification simple, that’ll really get over a lot of the challenges.

David: What are some of the key use cases you’re seeing in the market for encryption today?

Stephanie: Yeah, so some of what I mentioned before, you know, protecting customer data, a lot of it does have to do with compliance. But I think the savviest companies are doing it because they know consumers actually care about privacy. That’s sort of a misperception, I think, in the market today that consumers don’t care about privacy.

We’ve actually seen the opposite, which is as a result of all these breaches, as a result of all this high profile news of, you know, big companies really abusing their data, consumers are getting very, very privacy savvy. And I think the savvy companies are on to that and, you know, they’re using encryption to protect data, not just from cybercriminals, but even from internal privacy abuses, or even from a partner abusing the data in the wrong way.

The other big use case is actually the cloud. And there are some additional considerations for cloud because there’s different approaches to encrypting data in the cloud. And most large enterprises that I know have some sort of cloud strategy. They will remain some sort of hybrid approach, but they’re moving a lot of data and applications and processing to the cloud. And so you can encrypt data on its way to the cloud using a third party solution, like a cloud security gateway solution.

And the benefit of that is it’s actually encrypting the data before it even gets to the cloud provider. It’s storing it encrypted in the cloud provider’s environment, and they’re giving you control of the encryption keys. There are the cloud providers themselves that actually have some native encryption capabilities as well. But if you consider that approach, you have to insist that that cloud provider has the ability to give you the ability to control the encryption keys.

Because with the cloud, you’re protecting for a couple of things. You’re protecting for security, but as well as for privacy. So from a security perspective, whether it’s an external attacker targeting the cloud provider, or whether it’s actually a malicious actor within the cloud provider, you want to prevent unauthorized access to the data or ensure that, you know, somebody does try to steal it, they can’t monetize it, or use it in some way that would hurt your customers and hurt you.

But you’re also giving your firm a lot of privacy assurances. So for example, I have a lot of European clients that are actually a little cautious of using U.S. headquartered cloud providers, even if that U.S. headquartered cloud provider has data centers in continental Europe. They’re still worried that, you know, the U.S. government could have access to that data.

So when the data is encrypted, and then you’re maintaining the keys, if any government wants to access that data, they’ll need to come to you with a warrant, or whatever the proper legal process is. But they wouldn’t be able to just kind of get backdoor access into that data.

Pam: So what are some of those key requirements and best practices that you’d advise companies to do in terms of using encryption to secure data both in the cloud or on premise?

Stephanie: So I think one of the things is to maybe take a step back and look for a more unified approach. As I mentioned earlier, there is…if you look at our data, there’s very widespread adoption of encryption. But I would say it’s been a piecemeal approach where, you know, they’ll evaluate one vendor for full-disk encryption, they’ll evaluate a different vendor for email encryption, yet another vendor for cloud, yet another vendor for database. So they’ve taken a very kind of point product and piecemeal approach to it, when you really should have a unified strategy. And you should have some unified policies.

And there are going to be situations where you have to employ different solutions for what you’re intending to encrypt. Because whether you’re intending to encrypt disk, or removable media, or files or email, or structured content in some system record, and of course, like the cloud, there might actually be situations where you do need a point product. But increasingly, you’ll actually find that there are vendors that actually have a lot of these capabilities within their portfolio, and sometimes within the same platform. And increasingly, you’ll find vendors that can actually offer you good enterprise key management across all of these different point solutions, so that your security team doesn’t have to use multiple key management solutions.

So I think that would be one of my biggest pieces of advice: take a step back before you keep investing in a whole bunch of individual point products, even if they might be best of breed because you can reduce a lot of complexity and you can simplify key management if you can take a more holistic approach where you’re reducing the number of vendors, and you’re actually using enterprise key management instead of a whole bunch of one-off solutions.

David: Are you seeing companies position privacy via their encryption capabilities as a competitive advantage?

Stephanie: Yeah, so I would say that the answer to that is definitely yes. As I mentioned earlier, I think the savviest companies realize that customers are changing their perceptions around privacy, that privacy is not dead.

In fact, we’ve seen the opposite. We have data that suggests that across North America as well as Europe and other parts of the world, there are large percentages of consumers that have stopped a transaction midstream, or switched providers because they’ve had concerns about privacy or even in an individual transaction, like how their data was going to be used. So you’re seeing a lot of companies actually leading with privacy directly in their marketing, which historically they haven’t done.

David: You know, earlier, you made a comment, and I’m curious to chase it a little bit. On the one hand, you’ve got a regulation that says you need to encrypt your data for compliance, but not too much, because then the government doesn’t have access to it and/or can’t see it. How do companies deal with that tension?

Stephanie: Yeah, so I don’t think you can never have too much encryption. So in the case of concerns about government access to encrypted data, you just follow the law. So the government, whether it’s the U.S. government or some other government, they have legitimate interest in accessing information, whether it might be for national security or it might be part of a criminal investigation, as long as they’re following the law. So they’re getting the appropriate warrants or they’re following the appropriate legal processes. You know, they do have some legitimate interest in access to sensitive information that you might have.

But I think for like any security pro who works at a large enterprise, you know, who’s listening to the podcast, you know, you follow the law, but there’s never too much encryption. We say…at Forrester we say that encryption covers up a multitude of sins. So it’s…again, that’s my advice, never too much encryption. As long as you have…it’s all about key management. As long as you feel good about your key management processes, then you can never have too much encryption.

Pam: Good point. So, if we bring it back around to the idea that there’s never enough encryption, and companies are continuing to move data to the cloud, what are some of those best practices in migration, while they’re making use of it, and how can they make use of encryption in that process?

Stephanie: Yeah, so migrating to the cloud is interesting. Actually, this is a pretty frequent inquiry and challenge. If you’re – I know I’ve been talking a lot about large enterprises but yeah – if you’re a large enterprise, you often have thousands of applications and you have petabytes of information. So as part of your migration process to the cloud, there has to be some rationalization of your existing environment. You’re not just going to move your mess, your current mess on prem, and just move your mess to the cloud.

It’s sort of like when you buy a new house, like when you’re buying a new house, and you’re just starting to like move, before you move you’re kind of purging everything you have. You’re throwing away clothes you don’t need any more. You’re cherry picking your best furniture, you don’t bring your entire mess to the new house, you kind of use it as an opportunity to kind of clean house.

Same thing is true when you migrate to the cloud. You’re going to rationalize your applications. You’re going to enforce some standardization across your environment when it comes to architecture. That’s the perfect opportunity as well to do the same thing with your data.

As you’re going through that sort of application rationalization and consolidation, the standardization across your environment, that’s the perfect time also to do the same thing in terms of inventorying your information, archiving anything that needs to be archived, deleting anything that can be defensively deleted, classifying everything that’s left and applying encryption to the most sensitive information. It’s the… I think actually migrating to the cloud can actually be the perfect impetus to those companies that have been reluctant to just get started, like I mentioned earlier.

Pam: Okay. So with encryption as one pillar of a data protection strategy, how should companies be incorporating encryption as part of their broader data protection plans?

Stephanie: Yeah, data protection…encryption is essential but data protection is part of a…is a bigger strategy. At Forrester, we sort of break it down. We have this framework for data security and control.

We break it down into three areas. First is defining the data itself. And that’s everything that I was talking about earlier in terms of doing discovery and inventory and classification. Because you can’t even begin to apply encryption until you understand what you have in the first place. So that’s sort of step one is defining the data.

The second step is analyzing the data further, but beyond that basic classification, for additional like business context and even external insights about the changing risks to the data itself. So you want to go beyond your initial classification and have some additional business as well as external context about the risks as well as the value of the data that you have. And then from there, you really start talking about defending it and protecting it. And this definitely includes encryption, but it also includes things like archiving it, you know. So you want to archive information that you don’t need to have in production systems.

In many cases, you actually want to delete data. I know that’s really unusual but…for most companies to think about, like, oh, I need everything. No, if you could defensively delete it, you should delete it. It also includes restricting access to the data with really strong identity management and access solutions. That’s another thing that we’ll often find too, is when we’re looking back at past breaches, which is you could actually stop a lot of breaches in their tracks if there had been really good identity and access management in place.

Minimizing any kind of accidental leakage of data with data loss prevention solutions. And then having a really strong obfuscation strategy that includes things like encryption. If you put all of that together, you have a really, really strong, really strong data protection strategy.

Pam: So aside from understanding what data they have, what else can companies do to get started in this process of building this comprehensive strategy?

Stephanie: I would say what I said earlier, which is don’t be…don’t come up with too many excuses not to get started. I think the biggest pitfall to avoid is that you just don’t get started. You look at the mountains of data that you have, decide that it’s an impossible task, and you don’t get going.

You take an incremental approach to your environment, and you gradually begin to encrypt as many systems and key pieces of data as you can.

Again, I think that’s the… And you could take that framework and you can apply that incrementally as well. So again, you don’t have to discover and inventory and classify everything in your environment. You can do it business unit by business unit or even process by process or even country by country.

And don’t skip those steps either. You know, you really have to know what you have, classify it, get that additional context. Take a holistic approach. Again, encryption is great, but think about restricting access, think about archiving what you don’t need. Think about definitely deleting what you don’t need. So if you take that holistic approach, together with encryption, I think you’re in really good shape.

David: Stephanie, a couple of weeks ago, we talked to Caleb here at IBM, and he used this term called “cyber fitness” and I thought it was an interesting one. And I feel like you’ve touched on some of the same themes and I’m wondering if there are companies that actually practice or put themselves through the paces of making sure that they’re fit, their hygiene’s good.

You mentioned this idea of don’t let anything be an excuse to not get started, and that sounds like good advice whether you’re going to, you know, encrypt your data or assess your data or start in the gym. Can you talk about how companies are getting themselves motivated to actually get started? What you’ve seen work, what sorts of incentives or programs companies have, that have been effective at jumpstarting and getting over that first hurdle?

Stephanie: Yeah, it’s interesting, that first hurdle. It can definitely help when there’s sort of tone at the top. We’ve seen a lot of companies now have like the head of security, the CISO, not actually report directly to the CEO, that’s actually becoming really common, not necessarily CIO. Or if they still report to the CIO, they now have a dotted line relationship to the board.

When you have business executives in the board that have become savvy about security, and they make security everybody’s responsibility at the organization, not just the CISO and not just the security team, I really think that starts to change the culture. And you’ll see a change in the “fitness” of the organization over time.

Yeah, in fact, if you look at some of the companies that actually have had the big mega breaches, that those are some of the biggest changes that they’ll make. They change reporting relationships and they make security everybody’s responsibility within the organization.

And for the security pros listening to the podcast, I know that I think we’d all like to have that. But I think if you could think of it as security, not just being the sole responsibility of the security team, but how you could start to work with line of business owners, as well as the company’s direct employees about instilling a culture of security awareness. You can’t do this alone.

David: Yeah, I like the idea that this can’t just be a technical or a person that’s got their hands on the technology. It’s got to be a cultural shift and leadership really counts.

Stephanie: Yeah. In fact, I saw the new CISO of Maersk on stage at IBM Think with Ginni Rometty. And that was actually one of the things that he said was different after their ransomware attack. They made security everybody’s responsibility throughout the organization. And they’re still on that kind of cultural journey but that was one of the biggest changes that they made. And then he said that there was some resistance at first, but they knew after what they had suffered — you know, that ransomware attack led to an outage of several days and it cost them hundreds of millions of dollars, and they’re never gonna let that happen again — that changing the culture of the company was one of the biggest lessons after that.

David: Right. Yeah, they talked about how cybersecurity becomes a competitive differentiation for the Maersk business. And I think that was a really interesting high profile, you know, line in the sand that they made. And certainly data protection has got to be a big piece of that.

Pam: So Stephanie, to close out, can you just say a few words about key data protection challenges that you’re hearing about today, and how you see the changing threat landscape in the context of data security?

Stephanie: Sure. I would say, yeah, the threat landscape is constantly evolving. I mean, that’s almost trite, I mean, everybody knows that. The interesting thing about data protection, though, is it’s not just the external attackers. You know, external attackers are probably responsible for a good 30 percent to 40 percent of the breaches. Another, like 30 percent to 40 percent is actually internal.

So it could be internal malicious actors, it could be employees making accidental mistakes or sometimes it’s actually a combination of both, which is an employee knows that they’re violating policy but they’re doing so…they think they are well meaning because they’re just trying to get their job done. So they’ll do something like email themselves a file with sensitive information so they can work on it at home. And then the remaining breaches actually come from also third parties and things like lost or stolen devices.

So it’s not just the external attackers. A lot, a lot of breaches are actually a result of insiders. And again, a holistic data protection strategy will help you address every one of those scenarios: third parties, malicious actors, you know, employees not using their best judgment as well as the external attackers. So it’s not just the threat landscape, the external threat landscape, it’s the internal one that you’ve got to worry about as well.

David: Absolutely. And can you share one data protection strategy recommendation and one technology recommendation that our listeners should start thinking about?

Stephanie: Yeah, one data protection strategy… Again, I would, you know, follow the framework, that three step framework where it’s first you define your data. That means knowing what you have and where it’s stored and what the value of it is to your business. You know, keep your classifications really simple. Don’t come up with like five million classifications, keep it to three or four.

Make sure you understand as much context about that information as you can. So actually, the discussion we just had about really understanding both the external threat landscape as well as the internal threat landscape is an important one.

Delete and archive as much data as you can, fight your business against data hoarding. And then apply encryption to everything that’s left over. And oh, I should say also have a really strong identity and access management strategy as well, that includes two factor authentication.

You do all that, you encrypt your sensitive data, you have really limited access to that data. And then you make everybody log on with two factor authentication, you could prevent the vast majority of breaches. And then if anybody gets in, you could actually really limit the damage of the breach.

Pam: Thanks so much, Stephanie, we really enjoyed this conversation and hearing your point of view on data protection and encryption.

Stephanie: Well, thank you so much. It was great being here and thanks for having me.

David: Thanks, Stephanie.

Pam: So, David, one of the points that I love that Stephanie made is the importance of forgetting data. And it’s something we even talked about at Think this year in San Francisco. I’m curious, do you have a real-world example of how that can apply?

David: I do. As Stephanie talked about the ways that companies collect data and then try to classify it, and specifically talked about the need to forget or get rid of data, all I could think about was our eight-year-old son, and he’s trying to clean his room. He’s got so much stuff in there and he’s struggling with it.

And I ask, “What are you doing? Why are you keeping this? You haven’t played with this toy or this magazine for months or maybe even years.” And starting by throwing out all the garbage, all the things you don’t need, makes the scale of the problem smaller. And if it works for an eight-year-old in his bedroom, I think that it works for anyone or any company. As you scale up, get rid of the garbage, get rid of the risk, make the task easier.

Pam: Yeah. I really think that, you know, her advice was just get started, but that still can feel a little overwhelming to companies. And if we look at, well, okay if I just get started, but what do I look at first? Do I just stand in the middle of my room and spin in circles until something catches my eye? From my perspective, and I’ve gone through that with my kids as well, we’re looking at the oldest thing first of, “Okay, you’re now 15, do you need this thing from when you were 8?”

David: Exactly. You know, do you really need the chew toy from when you were a baby? Maybe not at the 15-year-old keeping that, but those are the kinds of things that I run into. And I would wonder if you’re looking at some of the data, it’s got to have a certain level of value.

But that value has a half-life or it diminishes over time. And if you’re hanging on to it and the amount of risk of hanging on to it goes up, you know there’s cost to migrating it and storing it, archiving it, those sorts of things. You’ve got to hit a point where it’s got a negative for you, it’s more risk than value and it’s time for it to go.

Pam: I think that’s exactly the point you were trying to make with my floppy drive comment earlier.

David: You’re right.

Pam: More risk than it’s worth.

David: I mean, how do you even get a floppy? How do you even read a floppy? That’s amazing. I don’t even have spinning disks or anything for DVD. And here at IBM, I’m not even sure we can plug in a USB.

Pam: That’s a standard hard drive as opposed to a solid state that most Macs have now.

Pam: So when we think about forgetting data in spring cleaning, I think one of the trends that I’m really going to be happy to say goodbye to because it’s — you know, here in the Northern Hemisphere, where we are, it’s coming up on spring — is saying goodbye to some of the doom and gloom that we see in media. And we talked about that before when we talked about Tone Analyzer provided by Watson here at IBM. So I’m curious, David, do you have any recent experience or analysis that we could draw from?

David: Yeah, I took a look at the Tone Analyzer again, for some of the top security articles and it’s consistent. It isn’t moving towards joy on the spectrum and that’s…it’s got to change, right?

I think that’s one of the things that if we want to be able to attract people to our industry, not have a level of burnout or frustration, we’ve got to start to see more of the language moving towards something that is hopeful. And, you know, there’s a lot of good work going on in security, a lot of good work going on with our partners and customers out there. And right now, I don’t think that the reporting reflects it.

And part of that is it’s not rewarded. You know, doom and gloom, the FUD, the fear, uncertainty and doubt, that certainly draws eyeballs in, but I don’t think that it’s the type of thing that’s in the long term going to be sustainable. So if spring cleaning is getting rid of the FUD, I’m all for it.

Pam: Well, that is it for this episode. Our thanks to Stephanie Balaouras for joining us as a guest.

David: Listen and subscribe to the Security Intelligence Podcast on iTunes, Spotify, SoundCloud, Google Podcasts or Stitcher. For more security stories visit or follow IBM Security on Twitter and LinkedIn. Thanks for listening.

Douglas Bonderud
Freelance Writer

A freelance writer for three years, Doug Bonderud is a Western Canadian with expertise in the fields of technology and innovation. In addition to working for...