Protecting sensitive information: Growing data, regulations and risks

The amount of data organizations hold has exploded — along with the risk it poses. Today’s guest is Very Good Security CEO and co-founder Mahmoud Abdelkader, who wants to solve the problem of sensitive data by removing it from the equation (by replacing it with decoy data). It’s an intriguing idea as having less worry about data security frees resources up to focus on other areas of cybersecurity. Mahmoud talks about the future of data security, how these new solutions do and don’t help with privacy regulations, and what cybersecurity professionals can do to prepare for a future where the amount of data continues to grow every year.

Mahmoud Abdelkader is the CEO and co-founder of Very Good Security. He was previously CTO and co-founder of Balanced Payments (exited to Stripe). Prior to that, Mahmoud designed automated product matching systems at Milo.com (acquired by eBay) and built high-frequency trading systems for Wachovia Securities, now a part of Wells Fargo. With experience ranging from Wall Street to early-stage startups, Mahmoud is passionate about democratizing data security. He started Very Good Security to make best-in-class security and compliance attainable for businesses of all sizes.

  • View transcript
    • [00:00:00] CS: Hitch up the wagons and polish your spurs, because it’s high noon, and the searchers are looking for a way into your network. October is National Cyber Security Awareness Month, and Infosec is helping to tame the wild, wild met with our collection of free training resources that will make your employees the masters of the cyber frontier and bring cybersecurity to the forefront of your organization. Go to infosecinstitute.com/ncsam2020 to download our free toolkit containing a stagecoach full of provisions to run a month-long security awareness campaign, including posters, infographics, newsletters, email templates, presentations, and more. Grab Cybersecurity Awareness Month by the horns with this wild bunch of free material from our award-winning LX Labs team.

      Just as the wanted posters in the Wild West help the public recognize the region’s most notorious villains, our free training kit reveals the identities of common cyber threats to help prepare your employees for the real attacks they face. Again, go to infosecinstitute.com/ncsam2020, or click the link in the description to get your free collection of training materials and help spread security awareness.

      Now, let’s begin the show partner.

      [00:01:15] CS: Welcome to this week’s episode of the Cyber Work with Infosec podcast. Each week I sit down with a different industry thought leader and we discuss the latest cybersecurity trends, how those trends are affecting the work of infosec professionals while offering tips for those trying to break in or move up the ladder in the cybersecurity industry.

      Our guest today is Mahmoud Abdelkader, the CEO and cofounder of Very Good Security, or VGS. He was previously CTO and cofounder of Balanced Payments, exited Stripe. Prior to that, Mahmoud designed automated product matching systems at milo.com, acquired by eBay, and built high-frequency trading systems for Wachovia securities, now a part of Wells Fargo. With experience ranging from Wall Street to early stage startups, Mahmoud is passionate about democratizing data security. He started Very Good Security to make best in class security and compliance attainable for businesses of all size.

      So for our show today, we’re going to talk about the problem of sensitive data and the possibility of solving the problem of sensitive data by removing sensitive data from the equation altogether.

      Mahmoud, welcome and thanks for joining us on Cyber Work today.

      [00:02:20] MA: Oh, thank you so much for having me. It’s a pleasure to be here.

      [00:02:23] CS: Okay. So we talked a little bit about your background here. So let’s just kind of open up about that. What first got you interested in things like cybersecurity? And was computers and tech always sort of part of your background?

      [00:02:35] MA: I think yeah. I think I was always just fascinated, obviously, with computers when I was younger. But really, I started my computing background by reverse engineering games, like Age of Empires. I was actually the first few to build the no fog hack for Age of Empires. And it was one of those where I just wanted to be able to get an unfair advantage. And that ultimately led me to reverse engineering, which then let me understand how to work with computers. How computers work. What is the underlying technology that’s driving it from the beneath, it seems there. And that’s kind of like what really kicked off my career in computers.

      [00:03:16] CS: Okay. And where did it go from there? Did you study it in college and everything?

      [00:03:20] MA: Surprisingly, I was fascinated with a ton of topics. Really, I want to be a math and physics major. And my mom suggested after seeing me kind of like spend hours trying to build all these different tools to kind of help me reverse engineer. She’s like, “Why don’t you go into some kind of computer engineering?” And I realized that that was really my passion, was I wanted to understand how to take that to the next level. I didn’t really understand what that was when I first building and just playing around and hacking off some stuff.

      [00:03:54] CS: It was just something fun for you at that point.

      [00:03:56] MA: Yeah. It was just a hobby, right? But I really thought like these hard sciences was where you had to go. Speaking of the first generation of immigrants, you could tell, the pressure is there. And so definitely it was very – Yeah. But then I went to college, for sure, and I started to really deepen my knowledge of how computers work. How architectures work. And I would say it was not actually in software until my first job, which was right out of college where I joined Wachovia Securities, which is now Wells Fargo Securities after the acquisition by Wells Fargo. And worked with my fascinating colleagues on Wall Street who, really, I guess shaped me to be the engineer that I am today.

      [00:04:37] CS: Okay. So walk me from there to where you are now. We talked about it a little bit, but like what were some of the different sort of transition points where you’re like, “Oh, you sort of veered off in a different direction. This is interesting. I want to check this out. Or I want to check this out. Or, oh, that’s cool. I should learn this thing.”

      [00:04:55] MA: Well, ultimately, if you kind of watch – If you kind of like look at my patterns, I went to infrastructure first. And then I went to an ecommerce site, milo.com, which is effectively combining infrastructure plus ecommerce. And then after that, I went to payments, which was ultimately how do you monetize. And then from payments I went to – Well, it looks like the whole conversations around data security in the first place.

      As you could see my evolution of my career, from Milo, to Balanced, to then building VGS, I realized that the world was changing and our definition of security is becoming paramount and central to what we do today. So today in order for me to provide value for customers, I have to become a data security company. And that’s actually what we realized at Balanced was we had to build a shadow company inside of our actual company itself so that we can build our vision of what payments was.

      And so after that had an exit in 2015, we’ve realized as well that most folks just wanted to have this undifferentiated heavy lifting gone from them so that they can focus on value. And so that’s when we started realizing that security should be a business enabler, not a call center. And ultimately became the thesis for how our product works today and why we’re very excited to be working on VGS.

      [00:06:24] CS: Okay. Yeah, I want to talk about – We sort of walk right past this. But I want to kind of open it up a little bit more again. So in our discussion before the show, you noted that, as you said, data security systems put in place 10+ years ago aren’t keeping up with the massive amounts of data processed today leading to increased hacks and breaches.

      One of the first things I usually like to ask about is how the business has changed since you first entered. So in this case, that’s an extra crucial question. So give me a then and now as you were just discussing with some of these things. Bug give me a then and now on what data security systems were like back then and what they didn’t implement or couldn’t have known about and what data systems and data quantities would be like today if they hadn’t —

      [00:07:05] MA: Yeah. I think there are a variety of factors that go into that, right? When we were securing our systems 10 years ago, we didn’t really have the connectivity or the belief that we can just call a function over the internet, right? Today with RPC, today with all these different APIs and all these smart IoT devices that we have today, data is being exchanged at rates previously never seen before. Every year we create more data than we’ve previously created for all the years before combined.

      [00:07:37] CS: Yeah, unbelievable.

      [00:07:39] MA: Yeah. It’s pretty unbelievable. So ask yourself, how is it possible that the approach of translating what we did with putting security guards or having point solutions. How does that translate in the digital world where data moves at a speed where we can barely keep up? As a result, we just have to come at it with a different approach. There’s no longer a way where I can buy and protect the perimeter, because that doesn’t mean you’re safe.

      The old age advice of being able to be in control is to minimize risk is now actually more of a liability, right? And also, this is compounded by the fact that when we saw Google and the way they were able to use heterogeneous computing to be able to do like MapReduce or extract value from their data, every company wanted to become a data company, obviously, as we know. And so they started acquiring all these different data, all these different datasets and trying to extract and analyze this information. 10 years ago, that was all the rage. It still is today. But now we have these privacy laws and regulations that have been passed that are effectively causing what we previously put into our balance sheet as an asset is not mostly a liability.

      And the idea is if we were to understand where were the transformational shift that happened before in the history of humanity, it’s when we digitized banking. Before, you and I would be carrying cash, or cowrie shells, or gold bullions. And if somebody held us up and took that from us, that was gone. And so by building trust infrastructure and removing the value of money from the physical possession of money itself, we’re able to build the commerce foundations and the trust foundations that enable the economy today. And that’s the big realization with VGS. The business has changed over the past 5 years because we’re starting to understand what is the de-risking of data look like in the same manner that we’ve de-risked transactions and money today. Does that make sense?

      [00:09:44] CS: It does make sense. Yeah. So where do you see standard dev security practices as sort of falling down the worst right now in 2020? What are some things that you think should be obvious but are being haphazardly implemented if at all?

      [00:09:56] MA: Yeah. I think that’s a very good question. I think ultimately some of the control – Basically, the biggest realization and some of the most sophisticated CISOs will tell you that compliance doesn’t equal security, right? And so just by checking the box doesn’t mean you’re secure.

      [00:10:11] CS: Oh, sure. Yeah, we comment that all the time. Yeah.

      [00:10:13] MA: Right. So by enforcing the operation and saying by being secure you should be able to inherent compliance. It’s a byproduct of having security posture, right? And so folks who just think like, “Let me just secure the perimeter. Let me buy another firewall. Let me upgrade my systems.” That’s not a security solution. We have to understand the algebra that goes into why we need to secure our data in the first place. And then from there, realize, “Well, why do we even need it in the first place?”

      The best prevention is to not have anything worth stealing. So if you can have the value of our data without having the actual data itself, it’s solves the problem that we’re all trying to do. Because another bridge, or a larger wall, or more moat, or barbed wire, that’s not going to solve the problem, because somebody else will have a more sophisticated attack against your defenses. And as time goes on, what you have now has to be upgraded. What we need to see is we need to stop thinking of DIY and we start to adapting and realizing that it’s just better if we become business enablers and become more of a risk management organization rather than controlling and securing ourselves. It’s just ridiculous to expect every company to be able to build their own bank fault. So why do we expect them to secure their data in the same way? Does that make sense?

      [00:11:41] CS: It does. Yeah. I mean, that leads perfectly to my next question here. So we start with the very intriguing notion of best way to remove the problem with sensitive data is to remove the sensitive data altogether. And you just mentioned that as well. So what does that mean exactly in a practical sense and how is that implemented? Could you sort of walk me through the technical ramifications of how that works?

      [00:12:06] MA: Yeah, absolutely. I mean, I think the first thing we need to take step back here and just understand the why. Why do customers need – Why do enterprises need the data in the first place, right? Why do they need to be able to do that? It’s usually to achieve a business outcome. For example, if you went in a site and you gave your social security number or identifier or national ID, it’s typically so that the provider on the other side would go run a credit, check on it, or understand what your worthiness is. And so typically that’s the reason why they have to hold the data in the first place.

      So we have developed really great solutions for data at rest as well as data in motion obviously with TLS 1.3 and all the different ideas that protect the data in motion. But really when data is in use to extract the values when it becomes most vulnerable, right? So if you start to enumerate how data is actually used today, most companies use it, A, to identify it so that they can effectively use some kind of like very simple statistical analysis like group, join, or something where you can effectively tokenize the data. That will help you do that as well.

      But at the same time, they also want to be able to use it and send it all the third-party providers and basically just exchange that data for value instead. So what VGS decided to think about was, “Well, if you never have the data and if it enters your system and VGS effectively starts to redirect just the sensitive fields of a payload to VGS and synthetically replace them inline, then your applications never have to speak VGS or speak tokens or anything like that, right?

      And so it becomes very interesting, because now your applications don’t need to change. It’s schema preserving, and we don’t use format preserving encryption. We will create synthetic data that basically mimics the underlying data itself. So there’s no mathematical relation at all.

      And so that’s very important to understand, because that data becomes meaningless, but also you should control the generation of that data yourself. So if you wanted to have machine learning properties, you can preserve that. If you wanted to be able to have the same length preserving properties, you can preserve that. The whole point is your application and the developers should not really realize that they’re operating on sensitive data, because you don’t need to, right? Just like if I’m operating on a flask with a glove box, it doesn’t mean that I’m not touching the flask or I’m touching the viral component. I’m effectively still working on it, right?

      And then the other things becomes I can then exchange it by pushing – And this is the key, by pushing my business logic to the data to operate in a secured environment instead of pulling the data out to run my operations on it. And when you inverse that, it becomes a much easier problem to solve and to secure and you start basically controlling who has access to the data. Where is it being sent? And you create all these lineage, and all of that feeds into the context by how we reissue the data. And that’s how we’re able to secure it. Does that make sense? No code change is needed. But we do inverse the way you think about the data in the first place instead of pulling the data out to operate on it, you push your business logic to the data instead. And that is what unlocks the value. Does that make sense?

      [00:15:23] CS: I think so. Yeah. So give me a sense of the synthetic equivalent of the sensitive. I mean, like using the example like a social security number. So you have like an encrypted sort of alternate version of the social number on your own system that you sort of translate between the two?

      [00:15:41] MA: Yeah. So really the value ad of VGS is the whole encryption key rotation part is effectively managed by our platform for you so you don’t have to worry about that. The region storage is managed for you so you now that the data never leaves the sovereign nation that the data originated in. So you don’t have to worry about that.

      But by just creating an algorithm to create fake data instead, then we can generate let’s say a fake social security number, and it’s not a real social security number. So it could have properties like, say, “Hey, this social security number might be let’s say generated from New York city,” by understand what a social security number actually entails and what these numbers mean. For example, like if the social security number starts with like 060, you might say that’s coming from a county in New York.

      So what we do is we say, “Cool, let’s bring all the counties of New York City and find a county that is not the same exact county. But say a little bit further north or south or east or west of that.” Take the rest of that social security number and create a different social security number that represents the unique identifier, but not the real social security number. Does that make sense?

      By using these attributes to actually feed into the data generation, you could create synthetic look alikes that have the feel and look of real data, but actually are not the real data. Your application has no idea. Does that make sense?

      [00:16:59] CS: I think so. I mean, is that an extra level of deterrence in the sense that like if a hacker does get into your system and they steal all the synthetic data, is it there with the idea that if they try to hack in and they don’t see any data, then they’re like – This way they might think, “Oh, I actually got something.” But if there’s nothing there, then they’re like, “Oh, it must be hosted offsite.” Something like that?

      [00:17:23] MA: Exactly. They didn’t even know. They’re like, “I stole some data. It some properties that might look like a real data.” But unless they actually send it somewhere else to verify, like for example –

      [00:17:32] CS: Until they start using the social security numbers and seeing none of them work. Yeah. Okay.

      [00:17:35] MA: Correct. Start thinking about, “Okay. Wow! That’s interesting. What if when they send that data, can VGS then enforce network properties?” Now you’re starting to see the power. We can crate canary properties of that data so that we get notified where it went, right? So I can go tell a law enforcement agency how they can go in and trace exactly where that data originated from. From where? Who generated it? What applications? You can start to really be able to put a timeline on how a breach happened. And that can only exist if you tap connectivity and network properties with the data that you’re generating today.

      The easiest example is to think about a one-time use email, right? You could still send email to it. It will receive it. But the next time I send an email to it, it doesn’t get there, right? And so the whole idea is that I can generate synthetic properties, but also network properties as well, which is why we diverged from the concept of tokenization and said, “This is basically –” We call it aliases, because can bind the alias to a particular application that’s requesting a user or a developer, whoever it is that’s needed. Does that make sense?

      [00:18:44] CS: I think so. Yeah. So to that end, does that mean sort of from a cryptography sense that it’s more secure because it’s not being sort of randomly generated by – Because you’re saying that like the sort of encryption of it or the artificialization of it is coming from sort of real things. Like you say, moving one county up or one county down. You’re using these kind of irrational but rational sort of indicators there. Does that sort of increase the complexity of the ability to sort of decrypt it?

      [00:19:17] MA: Yeah. So there’s no mathematical one-to-one relationship between them. It’s effectively just two parallel operations. One, the encryption is done using best at class and accept the security standards based on all the different requirements that are needed. But then the second part is there’s a second parallel operation that happens where we synthetically generate the property of the data giving your inputs.

      So you might say I want something that does reflect a real county, but it’s not the real county. Let’s say my age is 28. I can generate something that’s 29, or let’s say 25, right? And so the idea is like within some kind of acceptable range, to deplete a privacy budget. So the whole point of the generation of the data is it separates from the underlying value itself. So there’s no mathematical relationship. The encryption part has been separated, but the artificial generation of that data has no underlying relationships. So there’s nothing to decrypt, right?

      [00:20:13] CS: Is it sort of like the idea, like they always say, like if you want to make yourself more safe against things like whenever you fill out a new form, like do different variations of your last name or your age. It’s sort of works on that same principle then basically?

      [00:20:26] MA: Yeah. Yeah. Exactly. Exactly. And so if we go through – Like for example, we can even understand that, “Hey, if your name is Mark Johnson, replace it with like Jane Doe.” And so it becomes like a gender switch too. Do you see like what I’m saying? So by being super specific –

      [00:20:40] CS: Yeah. Maybe more factors than just one change or whatever.

      [00:20:42] MA: Yeah. The mentions that create can give you different permutations, which then generates a signature on that data itself. And that’s really the property that VGS really values. I think it’s a differentiator in the way we work with data today.

      [00:20:56] CS: Does implementing a plan like this require any sort of restructure of company’s data security department?

      [00:21:02] MA: That’s a good point, right? I think ultimately it doesn’t require you to restructure it. But it does require you to think about why do you need the data in the first place. It requires you to think how do I basically instead of going decentralized, going towards centralized the sensitive data itself and make it as transparent to the IT and developer environments that I have to support from a functional product support perspective. But really, you don’t have to restructure it. But it is supposed to give you efficiencies to start thinking about, “Okay, now that I don’t need to worry about my data being breached, can I start training my employees or my colleagues no phishing or more interesting attacks that might have more human elements on it?”

      Again, I would like to reduce the difficult parts of securing data. This is a part of the vision of VGS. Let’s reduce the difficult parts of securing the data and get to the meat and potatoes and how we can build a property security culture. Does that make sense?

      [00:22:06] CS: Sure. Yeah. So talk more about that. What does that sort of – Another question I had was what does that free up your sort of data security department to do?

      [00:22:14] MA: Yeah. So now your security organization might be understaffed or having trouble recruiting the right talent. There’s always a cybersecurity shortage, right? They can focus a lot more on things like DDoS attacks, protecting against and teaching against ransomware, or email security, things that potentially with bigger factors, but have always been in lieu, but have always been, “Hey, let’s focus on data security first and protect our data from hackers.” But this gives them the ability to start really stepping back and understanding what threats they need to think about from a security organization. Again, not that data security piece, but more about what’s the cybersecurity posture of the company. Do my vendors have the same level of cybersecurity? When I exchange my data, how can I create lineage? These are all things that are super critical that the organization needs so step back and think about. Not just how do I redeploy some HSMs or how do I make some new encryption? So that’s the real value that we give our customers here. Giving them the ability to think more about how do I strategically position the environment to become more of a business driver rather than traditionally a call center, right?

      [00:23:23] CS: So how does this data security plan fit with things like privacy issues around GDPR and CCPA or New York Shield or whatever? Does this work within those sort of compliance requirements? Does it change things? Does it change the way you have to sort of make yourself compliant when you’re not sort of securing data onsite like that? Or is that still a whole other set of rules?

      [00:23:45] MA: The idea here is obviously these important laws are – If you take it again, since I’m coming from a payments background, I see the similarities and the way we’re starting to govern data today in the same way that the financial infrastructure regulators govern the movement of money today, right? Think about how the treasury department manages the money movements from state-to-state. For example, if you don’t know, you have to get – To do a money service business, you have to get 48 different licenses from 50 states. 48. So that’s basically the same thing as saying the CCPA or the New York Shield ACT, GDPR has enforcements from different federal governments.

      And so every county in every state is going to pass equivalent laws. And so one of the greatest things about being a portfolio company from Andreessen Horowitz is Mark Andreessen’s software eating the world was a classic essay that talks about the software movement and the revolution that we’re going in. But as we have the world changing, software has to change as well, right?

      So when we think about data security plans, it’s not just about privacy issues, but it’s about how the applications are handling that data so that they can satisfy and speak the protocols that are needed to satisfy these compliances, right? So if I collect your social security number again, then I need to be able to also track it, understand it, tie to your identity. And then also be able to remove it on your request from all of my systems, right? I need to be able to tell you exactly how I used it, because that is now your right. To do that, I have to change the way my software is built. Or you can use something like VGS, drops it in, and it starts to track the data’s movement because it’s in the ingress and the egress operations. Does that make sense?

      [00:25:44] CS: Yeah. Yeah, it does. Again, there are aspects of the compliance regulations around right to be forgotten and stuff, which doesn’t sort of fall under this purvue. There’s the privacy of making sure it’s secure on site, but there are also other things that the company is still going to have to deal with in terms of like when they decide to delete the information or how they decide to use it or things like that. So it’s sort of two different things.

      Based on your experience in the field and your view of that field in 5 years or more, what are some things that people who want to become data security professionals now should start learning to prepare themselves for the accelerating changes of the features especially if your plan goes under way?

      [00:26:22] MA: Yeah.

      [00:26:24] CS: What does the position look like in 5 years do you think?

      [00:26:27] MA: Again, I think we need to start thinking about how data security can be used as a differentiator. Do we still trust as a business that our consumers – That consumers can trust us as institutions that are trustworthy, right? I think, ultimately, the whole point of data security is not only to secure the data itself, but ultimately is to ensure trust for consumers to do more business with us, right? And I fundamentally believe it is a competitive differentiator when you do take security seriously. Not just lip service. But when you say, “I do take it seriously,” and it’s one of those things where we will protect it, because we value our relationship with you, customer, right?

      To me, that’s the value ad. In 5 years, we need to think about where the security, where data security professionals who are starting today, they need to think about how they can always drive business value. Not just argue about what is the most and latest encryption that might work, right? I think we need to talk more about how can we instill agility into our business while maintaining the credibility that it’s expected of us from customers. And that requires you now to marry technical understanding, but also how new applications will be developed so that we can transform digitally. And COVID is accelerating this. COVID is accelerating the ability for us to be able to say we’re no longer going to have a security guard, because that security guard is sheltering-in-place. Do you understand? The idea becomes, “Okay, how do I a remote workforce? Is the VPN still the way that protect my network? What does your trust look like?” And all of these different things are going to become very critical in the future, where we are going to be using them. So I think if I were to advice someone getting into the field, is definitely read up on where the world is going where we don’t have the idea of a physical location anymore.

      [00:28:20] CS: Yeah. Okay. So that end, what types of – Apart from reading stuff? What types of skills or experiences or training or certs do you think potential data security professionals should be trying to highlight on their resume? As you said, like what types of learning? Because I mean it sounds like you’re really sort of emphasizing some fairly abstract learning in the sense of like speculative in the way that the industry is going to go. What do you recommend in that regard?

      [00:28:45] MA: I think every type of data security professional needs to put themselves in the shoes of an attacker. And so I think if I were starting today, I think I’m able to articulate all these things a lot better, because I’ve been there on the other side to see how I would be able to potentially approach something from that regard. So do we really trust a pen test? Do we really trust a vulnerability scan? What is zero day look like? How do I tell the signals of being indicators of compromise? What does that mean?

      I think being able to put ourselves and go through different capture the flag exercises or being able to even get involved with reverse engineering. I think being able to just have a very shallow, not deep, but just shallow experience where we can able to speak about these things at a high-level allows us to really start tying in better understanding of how we can holistically approach a data security – Become a data security professional. I don’t think any type of certification is going to solve this problem in the future. I think it’s going to be more about what can we do to emulate the attacker and what can we do to put ourselves in the mindset of if an attacker can do this, how do I prevent it? Does that make sense?

      [00:29:59] CS: Yeah. To that end, another thing we like to really hammer away on here is advice for people who might be working in some aspect of cybersecurity but are trying to make a lateral move into some sort of aspect of dev security, whether they’re working on a help desk now or whether they’re reading all files or pen testing or doing some other thing. What are some skillsets? It sounds like you’ve already kind of given some for amateurs, and they probably apply here too. But what are some things you recommend for people who are already in the industry but are looking to sort of move in this direction?

      [00:30:32] MA: I’m always available. And the info sec community can sometimes seem very jarring, because not everybody thinks like there’s potentially some kind of – It seems like it’s a little standoffs, but it’s not. Most people actually do want to mentor and help. So asking folks who are doing that is very important. But I think ultimately, as folks enter space, it’s just really all about attitude. It’s all about attitude. It’s really about not giving up. And so the point of as you go into this space, being able to just get in and share some of these insights. Go do a bug bounty. Go help. Do a security audit and just hop on IOC or any of these Slack rooms and kind of talk through that. I think you’ll be able to start to realize and get a taste of what a day-to-day looks like. And then that is a great example to translate your skillsets into a professional career in data security.

      [00:31:30] CS: Okay. So as we wrap up today, you’ve told us a fair amount about Very Good Security and your platform and your model and stuff, but could you tell me some projects or products that the company is working on right now that are exciting too?

      [00:31:42] MA: Absolutely. So one of the things we’re trying to understand is twofold. One is, is it possible when you separate the data from the transaction provider to be able to add best execution on the value that you’re actually trying to generate with the data itself? A very high-level example. If I’m running a credit score on you, is it possible that with VGS – Because we’ve seen people connect to many different credit providers on our platform. Is it possible to have those credit providers give you best cost execution so that you can route to the best credit score provider for you that will give you the most information at the lowest cost?

      And so by thinking about, by separating the data from a transaction provider, it really starts to open up a significant portion of how to embed value very quickly. And we think that’s a massive revenue driver for companies that want to separate, again, the data from the transaction provider first, right? Again, more value, less focused on what parts of the data are secured? And so how it’s used, that allows us to really focus on driving further value into our organizational – Into the customers that we use today. Is that helpful? Is that helpful to think about kind of like a cool idea?

      [00:33:09] CS: Works for me. Yeah. So last question, if people want to know more about Mahmoud Abdelkader or VGS, where they can go and find you online?

      [00:33:18] MA: They could always go to my website, mahmoudimus.com. I actually got that name after watching Gladiator.

      [00:33:26] CS: Oh, yeah.

      [00:33:27] MA: It was Maximus. I was like, “Oh, that’s my new name, Mahmoudimus.”

      [00:33:30] CS: I love it. Okay. Mahmoudimus.com.

      [00:33:31] MA: Yeah. If you go to mahmoudimus.com, just I-M-U-S at the end of Mahmoud. And then click on Twitter and just shoot me an email. Or give me a tweet or even just you could find us at verygoodsecurity.com. I rotate on support. So when the intercom thing comes up, I might be the one that responds to you.

      [00:33:52] CS: Oh, it’s awesome. And you’re keeping it street level.

      [00:33:53] MA: Yeah, absolutely. Absolutely. I have to see how people ask. How people will –

      [00:33:57] CS: Got to know what the questions are before you can answer.

      [00:33:58] MA: That’s right. That’s right.

      [00:33:59] CS: Thanks. All right, Mahmoud, thank you for joining us today on Cyber Work. This was really fascinating.

      [00:34:04] MA: Thank you so much for having me. I’m super glad to be here.

      [00:34:07] CS: My pleasure. And thank you as ever for all of you for listening and watching. If you enjoyed today’s video, you can find many more of them on our YouTube page. Just go to youtube.com and type in Cyber Work with Infosec to check out our collection of tutorials, interviews and past webinars. If you’d rather have us in your ears during your workday, all of our videos are also available as audio podcasts. Just search Cyber Work with Infosec in you podcast catcher of choice. And thank you all of you who have been rating and reviewing. It really does help out. If you haven’t yet, whatever platform you’re on, whether it’s Stitcher, or iTunes, or Spotify, we would love a five-star and a review if you think we’re worth of it. As a reminder, to download our free Wild Wild Net security awareness campaign, including posters, infographics, newsletters, email, templates, presentations and more to keep your employees safe, go to infosecinstitute.com/ncsam2020. That’s infosecinstitute.com/ncsam2020 to go get it all.

      Thank you once again to Mahmoud Abdelkader, and thank you all again for watching and listening. We will speak to you next week.

Cyber Work listeners get a free month of Infosec Skills.

Use code “cyberwork” to get access to hundreds of IT and security courses today.

Get Started

About Cyber Work

Knowledge is your best defense against cybercrime. Each week on Cyber Work, host Chris Sienko sits down with a new industry thought leader to discuss the latest cybersecurity trends — and how those trends are affecting the work of infosec professionals. Together we’ll empower everyone with the knowledge to stay one step ahead of the bad guys.

Cyber Work listeners get a free month of Infosec Skills!

Use code "cyberwork" to get 30 days of unlimited cybersecurity training.