Uncovering Hidden Risks 10.26.22
Ep 4 | 10.26.22

How Compliance, Data Protection, and Privacy Come Together


Erica Toelle: Hello, and welcome to "Uncovering Hidden Risks," a new podcast from Microsoft where we explore how organizations can take a holistic approach to data protection and reduce their overall risk. I'm your host, Erica Toelle, senior product marketing manager on the Microsoft Purview team. And now, let's get into this week's episode.

Erica Toelle: Welcome to another episode of the "Uncovering Hidden Risks" podcast. Today, we're taking a closer look at a top industry trend, which is the convergence of compliance, data protection and privacy requirements. Traditionally, these areas have been viewed as separate efforts, often driven by independent teams. Now, due to changes in regulations and increased cybersecurity risk, these areas are converging. What does this mean for our chief information security officers, which we're going to shorten to CISO in this episode, and chief compliance officers? Let's find out in today's episode. To help us explore this topic, today's guest host is Hammad Rajjoub. Hammad is the director of product strategy and marketing management on the Microsoft Purview team. He helps to build our compliance, risk and privacy ecosystem here at Microsoft. Hammad is also responsible for the Microsoft Purview partner ecosystem. Hey, Hammad. Thank you so much for joining us today. 

Hammad Rajjoub: Hey, Erica. Thank you so much for having me. I'm super glad to be here. Today's topic, as you know, is very interesting and close to my heart. We are seeing this convergence of compliance, data protection and privacy - all of those things coming together. This is requiring us to really take an approach that considers an ecosystem of our solutions and our partners. So I'm really looking forward to this discussion today.

Erica Toelle: Excellent. Thanks, Hammad. Let's introduce today's guest. Alym Rayani leads product marketing management for compliance, privacy and risk management solutions at Microsoft. In this role, he works closely with engineering leadership to drive product strategy and roadmap, while also overseeing the product value proposition, marketing efforts and customer experience. Alym, welcome to the podcast.

Alym Rayani: Thanks, Erica and Hammad. I'm really happy to be here. I've worked in security, on and off, for a while now. Actually, my first job was on the identity team at Microsoft about 15 years ago, working on multi-factor authentication. And as we think about security and compliance and identity coming together, it's very aligned to sort of my personal, professional mission, which is to safeguard the world's data. And I just wanted to say to the listeners, thank you for what you do every day to protect data. So I'm really - I feel really privileged to be here with this group. 

Erica Toelle: Excellent. So, Alym, to kick things off, when we refer to the convergence of compliance, data protection and privacy, what are we really talking about? 

Alym Rayani: Yeah, in the past, you know, these were roles in different teams, that were rolling up to different leaders. For example, data protection rolled up to security. Compliance was more closely aligned to the legal teams. And then privacy either didn't exist or was part of maybe legal or the data protection officer. And, Erica, as you alluded to upfront, regulations have changed. And actually, GDPR was one of the things that really put these things on the map together because that regulation actually brings together security, compliance, privacy, of course. And so now we're seeing these roles work more closely together. They may still report in to different areas of the business, but their day-to-day work is converging. The number of data repositories they're responsible for - each of them has to have some level of responsibility for - is increasing. And so it really requires a collaborative approach to security, compliance and privacy. 

Hammad Rajjoub: Absolutely right, Alym. So that evolution is happening right in front of our eyes. And if we kind of put ourselves into the shoes of CISOs or privacy officers or chief compliance officers, what are the challenges that they are seeing with this convergence and constant evolution? 

Alym Rayani: Yeah. I mean, the fact that data has been growing exponentially, that's been a challenge for all of those roles, so to speak. But from a people and process perspective, that increase in data that these teams need to manage, it really hasn't been matched by an increase in resources, right? And particularly in, you know, the most recent macroeconomic conditions, a lot of teams are being asked to do more with the same or less in many instances. And that's a real challenge, I'm sure, for our listeners and for many folks out there. And so on the technology side, teams are finding that their technology toolset may not support this convergence, this integration across these scenarios. 

Alym Rayani: So I - just a couple of examples here. One is, someone responsible for data protection, they may need to configure multiple solutions just to encrypt content across structured databases, some sort of collaboration tool or even just preventing data loss on, you know, their devices, on their endpoints, if you will, which requires configuration three times. And that's a challenge. That's a lot of work to do when you're asked to being - to do more with less. And then when you need to do things like, you know, search that content, from a legal perspective, you have non-technical personas that have to go and search that content, and it's encrypted and they can't get to it. They can't do their jobs on e-discovery or some other scenario. You know, it's really challenging. And so we, as a community, have to help them with that.

Erica Toelle: Yeah, absolutely. Alym, I know you have the opportunity to talk to a lot of our customers and CISOs. The things you just talked about seem like really big challenges that need to be overcome with a lot of moving parts. What are you hearing that CISOs are tackling first? How are they approaching this problem? 

Alym Rayani: Yeah, there's a few things that I hear. So the first thing, I would say, overall - and actually, the CISO is, in many times, in security teams are accountable for this, but there's a deep partnership with privacy and compliance, which is just understand what their data landscape looks like. You know, there's just a lot of folks out there who say, you know what? I just don't understand what my data landscape looks like, where my data is sitting, and that's risk. And that doesn't - you know, that's something I'm accountable for. And so that's one thing we see. The other thing we see is there's a very, very immediate need to start with protecting and guarding that data, right? And that means they're starting with a center, like, information protection. Can I encrypt data? Can I classify it correctly? Data loss prevention - can I help prevent that data from leaving endpoints? 

Alym Rayani: In the sort of pandemic/post-pandemic world, we had this immediate, remote-work situation that happened for many organizations, and now it's turned into hybrid. And from a control-plane perspective, if you're a security person, you're like, wow, I have to deal with now devices going everywhere. Some are managed. Some are unmanaged. Data's flying everywhere. And so there is this deep, immediate need to tackle these areas - information protection, data loss prevention, insider risk, insider threats, you know, those kinds of things, and to have that holistic data protection strategy. 

Alym Rayani: And, of course, those things are closely tied to compliance and privacy, right? From a compliance perspective, in an industry like financial services, you are required to take care of data a certain way. From a privacy perspective, if you lose that data or if it gets compromised - that's customer data, employee data - there's real challenges there to data related to people. So, you know, these areas are really high value for our security communities and our CISOs to tackle. And that's often, you know, what I hear when I spend time with customers. And so, how do we create quick wins for them, where they can immediately get some protection in place as they're going and, you know, sort of taking that holistic approach? 

Hammad Rajjoub: Just continuing the theme, Alym, like, I hear you say, a couple of questions come to my mind. As we kind of put the lens of like, hey, data is becoming so pervasive. It is exploding. It's on premise. It's hybrid. It's multi-cloud. There's third-party SaaS applications. It's just - it's everywhere, right? So then how do we think about - if data is our most important asset, how are CISOs thinking about data protection? The additional dimension of privacy regulations, like, your conversation around GDPR and how it is becoming - regulations are also becoming pervasive. There's a California act coming up. U.S. has multiple initiatives. Different geographies are coming up with their own regulations and requirements. How does this change or influence strategy, from a CISO perspective - how are CISOs thinking about this?

Alym Rayani: Yeah. I mean, I would say, first of all, it's a real challenge. And so I just want to first acknowledge the challenge that our listeners are going through on this. You know, in a previous life, before Microsoft, I was an IT admin, and we didn't have a security team, so you kind of did everything. I was the Exchange admin. I was the AD admin. I was the security person. And in that world, we had desktops sitting underneath people's desks, and they didn't leave the premises, right?

Alym Rayani: We didn't have as - we had - obviously, we had internet access. I'm not that old. But we had internet access. But we had a very sort of controlled and closed network, so to speak. Life was a lot easier - right? - in terms of if you had to protect that data. 

Alym Rayani: And the first thing I say is, many CISOs are dealing with - and other teams - are dealing with a physics problem - right? - which is, data is exploding, and it's traveling everywhere. And you know what? I don't think the regulatory bodies care where your data is located. They want you to protect it, and they want you to guard it no matter where it's located. And so this could be a repository that's, you know, a structured data system, like a SQL database sitting on the back end. It could be unstructured. Like, it could be data that is communicated over Twitter in a direct message or over Teams or whatever. But regardless of what that is, that data is important and needs to be cared for, right? And so I think that's a real challenge. 

Alym Rayani: And so, you know, if we look at that - I think it was one of our Microsoft security partners. I think it was Netskope. They analyzed anonymous customer data, of course, anonymous data. And they showed that organizations in that kind of mid-range even, not even just the higher-end organizations that we expect to be very mature, but in the mid-range - so, you know, employees between 500 and 2,000 - they had an average of almost 700 distinct cloud apps in use, right? That means that data is flowing through all those apps. And many times, it's so those employees can get their jobs done. And so the days of, like, shutting the door and saying, hey, you can't use certain apps to collaborate - I believe those days are gone. 

Alym Rayani: And so what you really need to do is embrace that and say, protection, compliance, privacy needs to travel with that data. Can you expire that data remotely - right? - even though it's traveling, you know? And that's some - we at Microsoft have been working on that. But I know that's a big thing, top of mind, because you kind of accept the fact that data is going to flow through these different apps. And by the way, that number's up, right? That number keeps growing. I think it's grown 20% in the last couple of years. And so that alone just gives you an idea, at least for what I think many of our listeners are faced with - right? - what many of our CISOs - like, how do I stay in compliance, ensure privacy and protect intellectual property with this complex data landscape? 

Erica Toelle: Wow. That statistic is quite humbling. I can only imagine the large number of cloud apps that must be in use for organizations with more, like, 15,000-plus employees. So maybe switching to a more regulatory focus, what's the answer for CISOs to stay in compliance with all the regulations that are coming online? 

Alym Rayani: Yeah. I think, you know, one of the things we talked about upfront is a convergence, so maybe I'll start there, which is, when I talk to CISOs, many of them are already doing great things, which is they're collaborating proactively with folks in their legal departments, their compliance departments, their privacy departments. So they're really understanding those needs. And so that's kind of the first step, is, what does your board look like - right? - so to speak, that you collaborate with? And I think just doing that is a great first step. 

Alym Rayani: And they're asking, where does that - you talked a little bit about sort of understanding data - where does that high-risk, high-value data live? - and if there are enough sort of layers of security protecting it, or if it's, you know, what we call dark in the data world, which means ungoverned, unprotected, sort of sitting out there, right? And so I think a lot of that's happening. Do they have tools to analyze data or patterns for behavior that could be risky, in terms of where the data is flowing, right? Do they have a data-loss prevention policy? It's one of the best first things you can do, is - many tools nowadays have a way to automatically sort of classify data. 

Alym Rayani: You know, we know - in the United States, we know a Social Security number is a very sensitive thing. So putting a basic - to use acronyms - DLP policy in place for Social Security numbers is a very low-hanging fruit that you can tackle that would immediately put you in a better state than you were the day before that policy was in place, right? And so there's a lot of low-hanging fruit, where they can tackle that with something like data loss prevention, but also then evaluating their existing sort of data protection policies, you know? They're asking which point solutions are for a specific repository versus a platform - right? - that can tackle that no matter where that data lives. And that's a strategic shift, to move from managing a point solution to managing a platform to make their - make lives easier for their teams. 

Alym Rayani: And so finding that balance across a number of data protection solutions and how they maintain those things is really important. And then one last thing I would add is, I feel like the role of our security teams and CISOs in general has been greatly elevated in importance in the organization over the past few years, certainly over the past 10 - but even the past few. And I think that there's even a lot of influence from CISOs and security teams and folks on this call to - even into IT - what tools should the organization be using for collaboration? Are there tools that the organization could use for productivity that are secure by default, so to speak, and that they can layer on security? I think that's also an important role for CISOs. And they play sort of the protector of the entire organization, and many of them have to report into the board. And if they can feel better if they're using a secure collaboration and productivity platform, that makes their lives easier and makes it easier for users to do their jobs, right?

Hammad Rajjoub: That's an amazing set of insights, Alym. Definitely makes sense. Let's continue that, like the - we talked about the why, the what, the how of it, like, in terms of solutioning. So if we put the solutioning hat on, from a CISO perspective, what should CISOs be really looking for in an end-to-end data protection technology solution/stack? How should they think about it?

Alym Rayani: Yeah. I mean, of course, I'm biased working at Microsoft. So I love our tools. So I'd be - my - the marketing part of my job - I would not be good at it if I didn't say, hey, I love our stuff. But this is a question that I get pretty often from CISOs that I talk to and sort of consult with. And one thing that I say to them is, you know, the thing we can predict is that we know the world will continue to change. And so the principled approach to this is to pick a toolset that is adapting with the world and the way it's changing. That's sort of what I say is, like, as you think about where you want to go, that's one thing. 

Alym Rayani: And so what does that mean? What are some key things in there? Well, you know, you want to have a toolset where, obviously, you are picking a vendor that's committed to keeping up with things like multi-cloud, multi-platform, all the things that are evolving. You know, the ecosystem, I think - I'd love to talk about that in a little bit. But you - you're keeping up with that kind of thing. But also tools that will leverage things that will extend your security team's capabilities. So, you know, we can't manually classify everything. We can't create every policy. So, you know, leverage a tool that has something like machine learning in it - right? - to help that security team keep up with the volume of data. It can learn to protect, right? That's really, really important. It can identify patterns, so we're not manually doing that. So that's one. 

Alym Rayani: The other one that I say is really important - and there's a few more, but I'll try to summarize - is picking a tool that's end-user friendly. Make it easy for end users to protect data, right? Can you suggest a data classification for them when they're in, you know, a Word document? Can you automatically protect it for them and then give them the flexibility to collaborate on a protected document? That's really important. So make it end-user friendly because we all know that if we don't choose tools that balance productivity and security, end users will find different ways to be productive, right? And they may not always be secure. And so that's a really important thing, I think, for CISOs to consider. And that's where, again, influencing IT is really important, as well, right?

Alym Rayani: And then I would say that, you know, the third one is make sure it's integrated. You know, if I were to summarize to three - picking a data-loss prevention solution that not only does endpoint but takes care of Teams, takes care of, you know, your email solution, takes care of your cloud apps - like we talked about, the 700 cloud apps. You know, picking a solution that is sort of end-to-end makes your life easier because you get into the "write the policy once, enforce in many places" versus one of the things I hear from CISOs - oh, I have to write the policy here, here and here every time something changes. And, you know, also, does that solution embrace the ecosystem? You know, this is kind of where I want to go a little bit. But does it embrace the ecosystem? Can it work with the apps that the customer is using but also other solutions that might help classify and protect data? And so you want to take that ecosystem approach, and - in addition to all the other things we talked about. So those are probably three that I would encourage folks to consider.

Hammad Rajjoub: Yeah, those are awesome points, Alym, and I'm glad that you mentioned the thinking around ecosystem. So let's just kind of pull in a little bit more. How do you think about customers looking at solutions that are walled gardens versus an ecosystem, extensible set of platform and product capabilities? How do you think about that? 

Alym Rayani: Yeah, gosh, the walled garden term reminds me of my engineering days. It's funny. And I think, to a point, you know, we were discussing earlier, I think the days of the walled garden are gone. There might be some, I don't know, government things that might be still walled garden in some scenarios. But for the 99.9% of us all out there, that concept no longer exists. You know, the - when I was an IT person crawling under desks, managing desktops, that's - that world is gone, right? We're all mobile. We're all over. And so I think, you know, it also plays an ecosystem because you kind of want to accept the fact that your security solution has to work with other systems, so to speak, other software, other apps, right? And so APIs are really essential for interoperability. 

Alym Rayani: One of the things we've done, in the Microsoft 365 days and now evolved to the Microsoft Purview days, is we've actually embraced APIs and other systems. And we've written connectors on top of those APIs to pull in that data. And so that - the idea that you can embrace the API, whether the security team wants to write to it directly or they want to leverage some connector that actually pulls things from an API - really important. And they enable those partners - you know, and we do this in Microsoft Purview - enable those partners to build on top of your solution - right? - to embrace the - it's all about meeting the customer scenario, which is never going to be one solution all the time. It's, you know, a mix of things. It's a heterogeneous environment, so to speak. And so that also enables folks, who - I know some security teams, they want to build stuff in-house, and they just want to pull it from an API. Maybe they've got a SIEM that is - you know, they built themselves and they want to pull from an API. They want to pull a DLP event. They can do that. And so that's also essential for flexibility and future-proofing, as we think about, you know, where the world is going.

Erica Toelle: Thanks, Alym. So maybe bringing it back to our theme of convergence - you spoke earlier about how CISOs are collaborating with compliance and privacy roles. Could you maybe talk a little bit more about that and maybe even the risks of not collaborating? 

Alym Rayani: Yeah, it's a great comment. I think - I consider it almost essential now, I would just say, from the perspective of how the world has evolved. In some cases it's just required, when you have regulations that absolutely just require it. And so I think if CISOs aren't speaking to their counterparts in compliance and privacy and governance, then at best, there are lost opportunities for cost savings, for saving their employees' time, making their lives better. That's the best-case scenario. The worst case is, it can be really hard for - to do their jobs - for them to do their jobs. Like, how could you ensure that you're meeting a regulation or a customer requirement if you're not collaborating across those? 

Alym Rayani: So let me give you an example of a job. Right? So we talked a little bit about encryption. If we don't plan for e-discovery, as an example, where the legal team has to go through and do discovery on something - maybe it's an external thing, maybe it's an internal thing. If we don't plan for that in our data-protection strategy, we could actually really make it very challenging for legal teams in those organizations to go search data - right? - because they actually won't be able to go and find the data that's relevant for that investigation or, in some cases, that case and - because it's encrypted. 

Alym Rayani: And so, you know, you want to think about how you're collaborating and thinking about the requirements of how the data's being - data is the lifeblood of organizations. Right? And when you're the protector of that data, you've got to ensure protection, but you've got to ensure that business process can continue. Right? And so that's an example of where, if you don't collaborate, you can end up with a situation where e-discovery is sort of inoperable, which would not be a great scenario, creates risk for the organization. And so we could add unnecessary, time-consuming steps to the workflow, make it really challenging. Instead, had they considered that from the beginning, they could have chosen an encryption solution, so to speak, that includes the ability to provide encryption keys or decrypt in the e-discovery workflow. Right? 

Alym Rayani: And this is where my point about integration is really important. These scenarios are starting to - you know, they are starting to be overlapping. And so you want to choose the things that allow you to complete those scenarios - the productivity sort of, so to speak, but also the security. And this is just one example of sort of unintended consequences. And what we've done when I've talked to customers is we've encouraged them to modernize their solutions. Right? When you modernize your solution, you can choose an e-discovery solution that is integrated with your DLP system, your information protection system. It understands labels. If you're doing e-discovery, knowing a document's confidential - labeled as confidential - it actually makes your life a lot easier in the search. Right? You can actually get your search a lot more precise when you do that. So I just think there's so much upside to this collaboration and this convergence and how we approach things as an organization. And that's what we do at Microsoft. You know, we've embraced that at Microsoft for our own folks that complete these scenarios. 

Erica Toelle: I feel like this topic of convergence of compliance and privacy and data protection is something that we could talk about all day. But unfortunately, we're about out of time. So, Alym, it's time for the question we ask all of our guests. What's your personal motto, or what are some words that you live by? 

Alym Rayani: Yeah. I mean, first of all, yeah, I agree. We could talk all day about it. I'd love for any of your listeners to reach out. I'm just - I love to just sort of go into the details on this. But it's sort of related to my personal motto, which is - I don't know if I'd call it an official personal motto, but I'd say that for me, the way I try to approach my life is to just be all-in, whether I am coaching my kids - I coach their ice hockey team. That means I am researching, you know, practice plans and game plans and really just living it in the moment. I'm there with the kids, embracing what their experience is like, as I go through that - or, you know, when I'm with my wife and we get to - you know, we're going to be celebrating our anniversary soon. It's just - we're just totally in the moment, living that. 

Alym Rayani: Or when I'm, you know, really digging into technology and trying to figure out, hey, where do we go on data protection, just learning a ton and just being all-in, being present - I have found by doing that, I feel like I'm maximizing my time but just really fulfill it. It's really fulfilling to just be all-in and focused in a world where there are so many things going on all the time. And so that's kind of the way I approach things. And I hope that I can continue to do that and continue to make the people that I interact with when I'm doing that feel like, you know, that's the most important thing for me at that moment because, you know, it really is. 

Erica Toelle: Perfect. Thank you so much, Alym, for joining us today on the "Uncovering Hidden Risks" podcast. And thank you, Hammad, for joining us as the guest host. 

Hammad Rajjoub: Thanks for having us. 

Alym Rayani: Thank you so much for having me. And thank you to the listeners for all the work you do. And I hope to meet you soon. 

Erica Toelle: We had a great time uncovering hidden risks with you today. Keep an eye out for our next episode. And don't forget to tweet us @MSFTSecurity or email us at uhr@microsoft.com. We want to know the topics you'd like to hear on a future episode. Be sure to subscribe to "Uncovering Hidden Risks" on your favorite podcast platform. And you can catch up on past episodes on our website, uncoveringhiddenrisks.com. Until then, remember that opportunity and risk come in pairs, and it's up to you where to focus.