Scott Lucas, Head of Marketing at Concentric Data Risk Monitoring Tool, explains the least-privileges-zero-trust data security imperatives to follow
1. Tell us how you came to be the Head of Marketing at Concentric.
Karthik Krishnan, Concentric’s CEO, and I both worked at Juniper a few years ago. I met him a couple of times there, but we were re-introduced late last year by a mutual Juniperian colleague. Karthik gave me the company pitch and I was in!
2. How has your vast experience in the infosec tech domain helped you convince your buyers about the competitive advantage Concentric brings to them in the era of GDPR and CCPA?
Data security buyers, of course, are on a mission to deliver the best possible security for their organizations. But their day-to-day reality is more tactical – they have things to get done and not enough time to do them.
A big part of our value proposition is automation. We use deep learning to secure unstructured data without rules, complex configuration or end-user involvement. That means our customers can dramatically improve their security posture without needing more hours in the day to do it.
3. What are some of the common challenges customers approach Concentric with about securing their unstructured data?
“Least privileges” security is the conceptual engine that drives most of our use cases.
In least privileges, the goal is to limit data access to only those with a need. So, for example, your aim is to limit sharing of sensitive HR files to only those in HR. And, you want to keep M&A documents out of the “all-hands” folder and make sure files shared using anonymous links aren’t business-critical.
The actual use cases our customers solve benefit from thinking in a least privileges way. For example, the SEC mandates that financial institutions with non-public information limit internal access to that information. That’s called an ethical wall or information barrier, and it helps prevent insider trading. Other companies might have completely different goals, such as protecting intellectual property or avoiding leaks of private information (PII/PCI). Each of these use cases benefits from least-privilege strategies.
4. What are some of the unique lessons you have learned from your customers as the Head of Marketing at Concentric AI?
I think I learn something new – or am inspired to think about something in a different way – every time I get a chance to meet with a customer. We just held a webinar with four CISOs, who each had a ton of experience in their respective industries. One of our panelists looks after security for a financial services firm that supports a big network of independent financial advisors. He looks at those advisors in a way I hadn’t considered – they’re not employees, they’re not quite customers, they’re not the public – but he still has to design a security approach that meets the needs of that specific relationship. That made me realize there are some nuances around relationships and security, and that’ll have a big impact on your security needs. You can see that webinar here if you’re interested.
5. What are some of the distinctive key features of Concentric’s data risk monitoring product and how do you differentiate yourself from your competitors?
Our key differentiator is the Risk Distance™ analysis. With Risk Distance, we use deep learning to identify files that differ from their peers in some important, security-relevant way. When a file has “distance” from its peers, that indicates risk – and we can spot it without writing the complex and hard-to-maintain rule sets that have defined data risk management for years.
If you think about it, asking some poor IT staffer to write a rule that’ll spot, for example, a specific type of legal document – and then figure out if it’s at risk – is a no-win situation.
The staffer would:
(1) need to know how to identify that file among the millions of files the company manages, and then,
(2) be able to look at the security practices that file has adopted and take a guess at whether those practices are appropriate.
Multiply that task by all the different data types that need protection (we have more than 400 data categories at Concentric) and it’s easy to see why these approaches so often end up in the ditch.
6. What are some of the unintentional data risks that SMBs and other organizations put themselves through by neglecting to follow basic protocol?
I think the least privileges/zero trust data security imperatives (let me just call them LPZT for short) have become the bedrock for many of security’s basic protocols. I mean, security is complex, and there are lots of protocols, but to answer your question let me narrow it down to that.
When SMBs – or really organizations of any size – don’t pay attention to LPZT they create threat surfaces everywhere and for all types of data. The problem is way harder than with structured data. That’s a tractable problem – with structured data you know where your databases are, you know what types of data you have and you can figure out how to lock it down. With unstructured data, end-users are (at least today) making all the security decisions. You’d be shocked (well, maybe not so shocked if you’re on the IT staff) how often Concentric’s preliminary data scans find really scary stuff in all-hands folders or shared with external parties. It’s something every security pro knows exists in their environment. And they know they have to get a handle on it.
7. Are the frameworks for data risk monitoring different for SMBs and enterprises? What are your top 3 suggestions for infosec teams in both?
LPZT strategies are needed in every size of organization. It’s really more of a question of capabilities and resources. Smaller organizations really need the leverage AI can give them. Without it they sometimes can’t even tackle the problem. Larger organizations usually can at least try but, as I mentioned earlier, these rules-based approaches take on a life of their own. So here are a few thoughts (in no particular order):
- Leverage. That means exploring and adopting labor-saving, AI-based technologies and looking at cloud solutions (for security and more).
- Focus. There’s no way you’ll eat the entire elephant at once. So, pick your most critical data and establish some traction there first. If you get it right, you might find it’s easier to expand from a working foundation.
- Think laterally. Are there some core technologies that can contribute to multiple security initiatives? LPZT, for example, can help you with privacy protection and data walls.
- Refresh/renew. You’ve probably made plenty of security investments that seemed like a good idea at the time – but you need to ask yourself if newer approaches could give you lower ongoing costs (even if you end up abandoning some sunk costs).
- Innovate. AI’s going to start delivering some real value over the next 5 years. Identify your top security pain points and start watching the space for AI-driven disruptors.
- Think platform. Sometimes thinking about discrete projects can blind you to the potential for foundational solutions that contribute to many security use cases.
8. How do you keep track of the use of AI in the data security space vis-à-vis your competitors?
I’m lucky to work with a couple of Engineering leaders who are really open and a ton of fun to talk to. That’s one of the best things about a startup – there aren’t really any barriers between us and I benefit from what they’ve heard or read. And, of course, I spend time keeping tabs on big news in the space, product announcements and marketing initiatives and other happenings.
9. Are there any upcoming upgrades or tech developments that Concentric will be taking up in the upcoming year?
Of course! We have a few exciting things to announce in the next couple of months. I can’t really spoil the surprise right now though.
10. Please share a recent piece of content (can be a video, podcast, blog, movie, webinar) that resonated the most with you with respect to data security, or AI and deep learning or your work in general?
Karthik, my CEO, has talked with Byron Acohido a few times in the last six months or so. I really like Acohido’s blend of almost in-the-weeds security strategy with broader social issues. We recently posted Byron and Karthik’s interview here, and you can see Byron’s original blog here (where he quotes Karthik, Jack Dorsey, Mark Zuckerberg and “mafiaboy”). I love his writing – approachable, thoughtful and always timely. Worth a read!
11. What is your go-to strategy that brings technology and the human side of marketing together?
Marketing can frustrate people when it’s too technical or too high level. I like to focus on the “middle message”, which is where technology meets business problems. It’s not enough to say you save a customer time and money (although every good solution does). It’s not enough to beat the drum about the amazing new technology you’ve developed (even if you have every right to be proud of it). Good marketing connects those two worlds together with language that connects the technology to business benefits. The right balance, in other words, between tech speak and high-level business benefits.
12. What is that one quote that has stayed with you throughout your professional life?
“The pencil is mightier than the pen” from “Zen and the Art of Motorcycle Maintenance”
Head of Marketing at Concentric
Scott leads the Marketing efforts for Concentric AI. Before Concentric, he launched Lacework into the DevSecOps space, learned the ropes from some really smart AI guys and wrote a blog comparing security to blind men examining an elephant. He consulted for Shape Security, where he scared himself silly by engaging in dark web research without any professional guidance. At Juniper Networks, Scott ran the technology alliances program and herded an army of eager authentication vendors into something resembling a program. He led Juniper’s branch office Security Marketing team, where he experienced the triumphs and tragedies of an OS transition first-hand. He’s worked for Motorola, Cisco and Extreme Networks as well as a few startups along the way. All told, he’s been in the technology industry for nearly 30 years. Scott holds an MBA from Stanford and a BSEE from the University of Missouri-Rolla.