Your personal data is everywhere: What can you do about it?

[00:00:00] CS: Every week on Cyber Work, listeners ask us the same question. What cyber security skills should I learn? Well, try this. go to infosecinstitute.com/free to get your free cybersecurity talent development e-book. It's got in depth training plans for the 12 most common roles, including SOC analyst, penetration tester, cloud security engineer, information risk analyst, privacy manager, secure coder and more.

We took notes from employees and a team of subject matter experts to build training plans that align with the most in demand skills. You can use the plans as is, or customize them to create a unique training plan that aligns with your own unique career goals. One more time, just go to infosecinstitute.com/free, or click the link in the description to get your free training plans, plus many more free resources for Cyber Work listeners. Do it. Infosecinstitute.com/free. Now, on with the show.

[INTRODUCTION]

[00:00:57] CS: Today on Cyber Work, Mark Kapczynski of OneRep reminds us of that awful truth most people either don't know about, or don't like to think about. Your personal information, your address, your phone number, your age. All of these things are on the public Internet for anyone to find, including scammers. Mark talks about OneRep’s mission to scrub personal information from these sites, suggest changes that could stop all of this and lets you know about ways that you could base a career in this fight for data privacy and data autonomy. All that and a detour into grade school home computer shenanigans today on Cyber Work.

[INTERVIEW]

[00:01:36] CS: Welcome to this week's episode of the Cyber Work with InfoSec Podcast. Each week, we talk with a different industry thought leader about cybersecurity trends, the way those trends affect the work of InfoSec professionals, while offering tips for breaking in or moving up the ladder in the cybersecurity industry. Mark Kapczynski, right?

[00:01:54] MK: You said it perfectly.

[00:01:55] CS: Beautiful. Mark Kaczynski is the SVP, Senior Vice President of Strategic Partnerships at OneRep. Onerep.com helps consumers protect themselves online by scrubbing their personal information from Google and privacy breaching websites. Mark comes from a strong background in the identity theft protection and consumer credit world. Having spent numerous years at Experian including working on freecreditreport.com and Protect My ID. Mark spent 15 years working in the FinTech/financial services industry, including investment, Yodlee, supporting many different consumer FinTech offerings.

Mark is the former CMO of Gooten, a smart supply chain solution, as well as former CMO of Wrench, the market leader for on-demand car care. He is the Executive Director of the UCLA venture capital fund, supporting innovation by young entrepreneurs. Mark's work with OneRep folds into several pressing concerns for us at InfoSec. Breaches and hacks, of course, are now very much a way of life. There's just no way around that. Most to live some or all of their lives online, get an email once in a while from a trusted company with whom they have an account saying that their data was breached, so you should probably change your password as quickly as possible.

Now you combine that with the ease with which cyber criminals can access some of your most personal data in public and suddenly, something that should be fixable in 30 seconds, like changing your password has the potential to damage multiple aspects of your life. Our discussion will be around getting your personal info about yourself offline as necessary, how this came to be so easily accessible in the first place, and what the fight will be in the future to keep our data out of the public eye. Mark, thanks for joining me today. Welcome to Cyber Work.

[00:03:32] MK: Thanks. Thanks for having me. I'm looking forward to the discussion.

[00:03:35] CS: Awesome. Yup. To get us started, I like to know, you have a pretty long history in in history – in security rather, and also personal ID. How far back does your interest in computer and tech go? What was the initial interest?

[00:03:52] MK: Wow. Well, when I saw the write-up in your questions, I was thinking about that. It actually goes back to, I think, I was in middle school. I grew up in a time when people didn't just instantly have a computer at age four. I grew up at a time when computers were relatively new at home. My dad bought us a computer. I wanted an IBM at the time. I was like, “I wanted an IBM,” but he got us a clone. I got a clone. I wasn't happy. But we got a really good printer.

I actually started selling cheat sheets to my friends at first to help them with school. Because this printer is so high-quality, I could get the font really small and I laminated little cards, so that they could have little cheat sheets on their hand going through school. I actually outsourced the typing to my mom, because she could type a 100 words a minute. My love for computers actually started in probably something I shouldn't have just admitted.

[00:05:00] CS: I think, there’s actual limitations as whatever your grade school was. I think you're good to go now. I guess from a technical standpoint, what was the difference between the clone and the IBM in terms of what one could do and couldn't do?

[00:05:13] MK: Part of it, I was young, so everyone wanted the name brand, cool –

[00:05:17] CS: It was like designer jeans or whatever. It's like, “Mom, you got me OshKosh, and I wanted Ringwood.”

[00:05:21] MK: The IBM screen was green, and it looked cool. My screen was Amber. You would come over like, “Oh, what's wrong with your computer? It's Amber.”

[00:05:33] CS: Oh, yeah. We're definitely the same generation. I remember the green touchscreens at the library. You'd be filing up like you’re getting dinner. Your career path is an interesting one, as it covers stints in credit security with Experian and freecreditreport.com mentorship and startup advice, and even streaming content from the early days of streaming. We're talking ’95 to 02, people. What are some of the throughlines of all these different types of work? What's the satisfaction you get out of all of these various types of jobs?

[00:06:03] MK: Yeah. It's interesting, because the way I – I went to UCLA. The way I paid my way through college was I wrote software. It was the best paying job you could get at the time. In particular, I learned how to build databases. Right from the beginning, I would say, I learned to appreciate data, data collection, data storage. Because I was in the film industry, everything was still analog, or very physical, right? You had a piece of film. You had videotape. The idea of wow, I'm working in the software industry with data and the film industry and TV industry is all analog. Why hasn't it progressed?

I think, that was really the throughline of how do we bring these legacy industries, legacy ways of doing things, analog ways of doing things into using truly data? How do you then help those industries master the use of it? I used to work for Microsoft in ’95 to 2002. That was so much fun, because we were at the forefront of helping people learn how to digitize the moving image, creating data, managing it all, securing it all with things like digital rights management, so that then we could distribute it all the way out to the consumer. It was a really exciting time.

[00:07:32] CS: That's really interesting, too, because I've had guests – well, you're also in the financial tech industry as well, and we've had a fair number of people in healthcare. All of them have had a similar – and around the same time, I suppose, but a similar before-after point of this was an industry that worked in paper and typewriters and analog. Then it was that massive amount of effort and also, just playing persuasion to get them to understand why we got to get all these medical records digitized and shareable. It sounds like it's the same with the film industry and the financial industry and so forth.

[00:08:12] MK: Yeah. Well, after Microsoft, I started a software company. I got venture funded. Our whole mission was to build a system that could record the moving image, right from the camera on a set at highest quality levels, right to commoditized spinning hard drives. Turn it right into data from the beginning. Part of the reason or motivation to start that was I think, Star Wars Episode Two had just been released at about that time. George Lucas was talking about how it was all digital. I was like, “No, it's not. You shot on digital videotape. You didn't shoot on data.” We need to have data, not digital video. It's like this personal challenge of we’re going to create data. We're not going to create digital videotape. That emotion of managing data was great.

[00:09:09] CS: I imagine, there's not a lot of digital videotape left in Hollywood at this point, right?

[00:09:13] MK: Not at this point. A lot of the cameras – in particular, there's a camera called the Red Camera that just records right to data and it was very cost-efficient to purchase and use. Then all the big providers, like Panavision and Ari all moved to data. Now, finding film was an art form.

[00:09:35] CS: Yeah. Oh, yeah. That's where my love lies. We have a repertory theater here in Chicago and I saw a 70-millimeter screening of [inaudible 00:09:44] and it was extraordinary. Yeah. I also love a good, cold David Lynch digital affairs. As stated at the top of the show, OneRep is a service that helps its clients remove their personal information from over a 150 common websites. To start things rolling, what types of personal data do you typically see collecting on the public Internet? Are we talking addresses, phone numbers, even social security numbers? How did we get to this point? Is this a failure of data privacy regulation, or a lot of back-alley shenanigans, or just a case of nobody minding the store?

[00:10:18] MK: Yeah. Probably a little bit of all that. Let me take the first part first. What data is out there? It's primarily all your personal information, minus things like your social security number. Different than a data breach, like we’re talking about at the opening. Data breaches typically have your bank accounts, your driver's license, your passport, your social security number. But they don't have much PII associated with it. It's a list of names and numbers. That's usually it.

What you have on these, what are known as people search websites, so sites like White Pages, and Spokeo, and MyLife and Unverified, all these kinds of sites, they have what I think of as the rest of your story. If your data has data been exposed in a data breach, the fraudsters can simply go to these people search sites and get the rest of the information that they need in order to start creating accounts and so on. They get your name, they get your full name, they get your prior names, like if you were married, or divorced or so on. They get all your addresses, so they know where you live. They get your date of birth. They get your age. They get your phone numbers. They get all of that. They get your relatives.

[00:11:35] CS: I think, you can sometimes even see yeah, family connections and stuff, too, right?

[00:11:39] MK: That's right. That's right. The way it works is they need that rest of the that information to build out their virtual profile, or fo profile on your synthetic identity is what other people caught. That then they can go try to create a bank account, or a credit card account and so on. Probably with your background, you probably know, and certainly me working at Experian, when you go create these new accounts where you can actually create true fraud, financial fraud, you have to go through something called out of wallet questions, which are these are the questions that only you should know. They're typically like, did you live at this address? That personal information.

All of that personal information to get past these account opening procedures are on the people search sites. Between a data breach and a people search site, a fraudster has more than enough information to commit fraud.

[00:12:39] CS: Yeah. If you can say, what sites, or places online are the worst perpetrators in this regard of making data public? What's the upside for them to do this, too?

[00:12:49] MK: Yeah. Sadly, they're all bad, because they all have the same information. The ones that are worse are the big – what I classify as the bigger ones. By bigger, I mean, more traffic. The way these sites get traffic is through search engine optimization. It's bad enough that they are buying all this data and stockpiling it and selling it, but then they publish it in a way where they create HTML pages with deep links. Google can crawl and scrape all this information, and then have it show up in Google search results. The biggest ones are the ones that have mastered SEO, so that they show up on page one, page two, page three of your search results. Those are the Spokeos, the MyLifes, Unverified, Instant Checkmate, White Pages and so on. Intelius, the big six there.

[00:13:48] CS: What are the financial gains? You said that they sell this information. How does the money flow in these types of scenarios?

[00:13:58] MK: Yeah. I mean, sadly, most of these are scams of some sort, where they try to get the consumer to sign up for a monthly paid membership and then they just keep hitting the credit card every single month. Most of the way these sites work is they're so concerned about chargeback rates, because most people don't want these services, they somehow are misled into signing up for them. Then they have to fight the customer service process to get their account closed and their money returned. If you're worried more about chargeback rate than building a good service, you're probably a scam. That's what the majority of these things are.

[00:14:45] CS: Okay, so to that end, we're going to talk a little bit about your product here as well. But I just want to know in general, what is the process with or without your service, what is the process of getting your personal information removed from sites like this? Is this something that you have to do an appeal, or a petition, or contact someone by phone, or what have you?

[00:15:10] MK: I'll say, the process has gotten better. Now, most of the process is purely online in some form, where the consumer – Take one step back. If you go to any one of these people's search websites, now at the bottom of the page, there's a ‘do not sell my information’ link. The consumer would need to click on that link, and then jump through a bunch of hoops to figure out what profiles that they want. They have to key in the different URLs, they have a bunch of different things that they need to do. Funny enough, submit their personal information, so that then it can be, in essence, removed or opted out.

Usually, it's a combination of the consumer has to find the profiles that they want removed, and then fill out a form and then submit the form. Then usually, they're sent an email where they either have to acknowledge the email, or click on a link in an email to complete the process. It can be quite cumbersome, I’ll say.

[00:16:18] CS: Yeah. There's so many of them that –

[00:16:21] MK: There's hundreds. I mean, that's the problem is you'd be spending all day every day doing this.

[00:16:29] CS: One of the big ads that I see on podcasts these days is for services that scroll through all of your subscriptions each month and let you know what you're paying for, that you might not know about, and then they do the auto unsubscribe to it. Is this a similar thing where your service goes through the hoop jumping, or has it down to a science where it can fill out the form? Okay.

[00:16:54] MK: Yeah. I’ll first off say, the people search sites are not our friend. I mean, it's not for – We don't have a direct relationship with them where we give them a list, and they're nice guys and they process it for us. They’re there the enemy. We automate the process to fill out all these forms, or we’ll find the profiles, fill out the forms, click on the emails. We create fake emails, so that we take on all the requests, and then we process all of that on behalf of our paid members, or our consumers, so that they don't have to do a single thing.

The challenge with it is it's not instant. The removals can take time. We are constantly monitoring for the removal to actually be processed, and then be able to ensure when we tell one of our consumers that yes, in fact, you have been removed. We know with confidence that yes, we have been successful at doing that. We take that very seriously. Yeah, it's a fully automated process to go through. We're up to about 160 websites, on our way to about 200 over the next few months.

[00:18:06] CS: Got it. Now, does this service also include things like doxing and other malicious forms of dissemination of private information? Or is this mostly just these services?

[00:18:15] MK: I'll say for OneRep, it is only these people search websites. Doxing some of these things maybe outcomes of the data being available on the people search websites. I was talking with a client the other day about this. The reality is, there's only so much we can do. We're like level one, level two of your defense. If there's a fraudster, or a stalker, or someone who really intends to cause some form of harm, we're going to make it more difficult. It's like putting the ADP sign out in front of your house. It’s probably easier to go to the next house.

[00:18:57] CS: Exactly.

[00:18:59] MK: We try to make it harder for fraudsters to commit fraud against our members. Unfortunately, they'll try to go find someone else that's an easier target. If someone's highly motivated in our polarized world that we live in these days, it's really tough to stop stuff like that.

[00:19:19] CS: Sure. I discussed a few possible scenarios at the top of the show, where having your private information publicly available can take a worrying situation, like a breach of a company's password and account and to its customers and turn into something more nefarious. Can you give me some other examples that you've seen of public data on these sites being used to bad ends?

[00:19:38] MK: Sure. Yeah. I mean, sadly, it's the use case for this data with fraudsters and criminals and so on has just only grown. One of the things that we're seeing, so I'll give you two or three. One example is employees at companies that interact with the public in certain way. Think of it like healthcare workers, or lawyers, doctors and so on. They're doing work, they're interacting with the public. Then the public may not like what they're doing, or they feel that they've been wronged in some way.

The public can easily now go look you up on Google, find your personal information on one of the people search sites and now show up at your doorstep. That's what's really scary. The notion of stalking has really increased. That's both a private sector and public sector. The second use case that we've been seeing is, with our public sector clients, think of it like social workers. We have one district here in California, where there are 500 social workers on our platform. This is life threatening. These people are doing work for the city. They’re trying to help families. People react in different ways. They don't like outcomes, so they try to take matters into their own hand and that's a real problem.

We work we work with a lot of police departments and things like that. Same thing. Where it's like, they're involved in some incident. Next thing you know, someone's googling the officer's name to try to find out how to harass them, or their family. People who are doing work every day should not be harassed at home for their job. We're seeing our business booming in the employee benefits space, and then this public sector space. Then interestingly, we've been seen an uptick in just retail as well, where customer service agents are being harassed. This big notion centers around harassment, whether it's online harassment, or physical harassment at your house, is probably one of the biggest things that we're seeing right now. Then in a whole another bucket – Sorry, for being long winded here.

[00:22:03] CS: Please. No, this is great. Yeah.

[00:22:04] MK: In a whole another bucket, the dating industry is going through a lot of this right now. You've probably seen some shows on Netflix and so on that have characterized this. The dating industry is one where someone who's online dating goes in with this open heart, I'm wearing my heart on my sleeve, I want to truly find my mate. Then they end up getting stalked, or harassed, because –

[00:22:30] CS: Right. Romance punch.

[00:22:33] MK: Yeah. One party doesn't know how to take no for an answer. Or, like you say, someone's pretending to be someone they're not, and wants to defraud them of money and so on. Between employee public-private sector, retail, dating, obviously, the general consumer. We're seeing, sadly, so an uptick in this, I guess, need.

[00:23:01] CS: Right. From a personal security standpoint, can you talk about if there even are any ways that users can reduce the number of places where their info can get leaked in the first place? Because obviously, your service patches the holes in the bucket, but is there a way of users being able to stop pouring so much water into that leaky bucket in the first place? Is there, don't opt in your address when you're ordering things. Does stuff like that have any claims?

[00:23:28] MK: Yeah. It all does. You're absolutely on the right track. As a consumer is navigating the Internet and they want to watch free movie trailers, or enter a contest for a sweepstakes, you really got to stop doing that. You almost have to game the game, which is you almost have to create your own fake identity with a fake date of birth and fake address and fake emails and fake phone numbers. Even get a burner phone number if you're going to do that, and be able to reduce the volume of public information that you're sharing, or your personal information that you're sharing.

Because one of your earlier questions was, where does this all come from? Ultimately, all of this data rolls up into companies like LexisNexis and Transunion, where they're buying all of this data that has been submitted to the data collector companies. The sweepstakes company is collecting all the data. They can't do anything with it, so they sell it to people like TransUnion, or LexisNexis. Then LexisNexis, TransUnion, they pull in more data from more of these kinds of data collectors, clean it all up, and then they sell it to the people search companies.

They're the ones that are actually – I don't know how it's possible a company like TransUnion can sell my personal information to these people search companies without my approval. That's the real problem here.

[00:25:12] CS: Right. I've also heard, I don't know if this is even recommended or not, but people say just as a matter of course, as you're signing up for things, change the spelling of your last name by a letter or two, or add an apartment. Just fog your general information enough that –

[00:25:34] MK: I'll say this. You have to do more than just a little bit. More than just changing a letter to – You really almost have to come up with a whole new name and a whole new address. Because even if you're off by a letter or two, these people search sites don't care about true identities. I used to work for Experian and say what you want about Experian. We least tried really hard to make sure, this is your credit report and only you can access it. We tried to have all the rigors of true identity verification. The people search guys don't care about that. They commingle data, like your name can be spelled off even a little bit and they'll still show up as part of a search, because they have some fuzzy logic around it. If you really want to do this, you truly have to create your own synthetic identity that you use on the Internet, because all this data will be sold behind the scenes.

[00:26:38] CS: Okay. Well, that brings me to my next question about a larger solution. What are some changes, either from a legal or regulatory standpoint, or even a tech standpoint that you'd like to see that would do a better job at keeping private info actually private?

[00:26:52] MK: To me, it's two things, very quickly, which are how do these large entities that are publicly traded allowed to sell my personal information without my approval in bulk to other companies? The government needs to regulate that and make it mandated that you can't just sell bulk personal information to companies. That to me is number one. Number two is Google should not be allowed to publish this openly on the Internet. They should not be able to publish a phone number or an address on the Internet openly. Stop those two things, the majority of this problem goes away.

[00:27:34] CS: Yeah. No, it's astonishing. You can look up, see how a relative's doing or whatever when you Google them. One of the first things you get is their whitepages.com listing, or whatever. Yeah. It’s like, grandpa.

[00:27:50] MK: These people search sites, but they're really just marketing engines. I mean, they're just buying data from whoever. They don't have a lot of rigor.

[00:27:59] CS: They’re not necessarily Snidely Whiplash twisting their mustache and tackling. This is a really good source of income, I suppose for them.

[00:28:06] MK: It's very profitable. Because their traffic is free, because it's SEO, and then they can charge whatever, $20 a month. There's low overhead, and they're not putting a lot of investment in tech to really ID proof people and so on.

[00:28:21] CS: Right. Now, if I were to give you the magic gavel and you could just regulate your dream legislation around this into law, what would it look like in terms of – because we have such a patchwork system of law and regulation around the Internet anyway, largely. I mean, we could go all day on that about the actual tech literacy of people in our legislature. What would it look like in terms of really sticking? Because there's so many regulations, like GDPR and stuff, where it's like, well-intended, there's ways around it, what have you. What would your ironclad version of this look like?

[00:29:00] MK: Yeah. I think, one of the number one things that has to happen with the regulation is that I as a consumer and a citizen of this country, I have to have the right to own my data. In America, you don't actually own your data. The company that collects it owns it. it's shame on you if you gave it to that company. I think it has to start with the just change of philosophy, which is like, I need to be able to assert my right that this is my data, and you can't do anything with it without my permission.

To me, that solves it right there, if I own the rights to my own data. Unfortunately, you give your data to Amazon, Amazon owns it. You give your data to Netflix, Netflix owns it. You give it to some online sweepstakes thing, they own it and they're selling it, and they put in the terms and conditions that by giving them your data, they can sell it.

[00:30:04] CS: On page 47 of the terms and conditions.

[00:30:06] MK: Yeah, exactly. I think, it's got to start with that fundamental foundation that in America, Americans own their data. You can't do anything with it, unless you have their permission.

[00:30:21] CS: Can you talk at all about the way that some of the – because again, this is very patchwork, but GDPR, CCPA and some of the other regulatory data privacy frameworks are coming up and the right to be forgotten and the right to – you're not owning your data, necessarily, but there are there are places where a misuse of your data, I suppose, can be can be turned into fines and so forth. Do you think that there is an umbrella version of this that could happen someday that turns the tide? Or does it really have to be an untouchable style, crackdown?

[00:30:58] MK: I'll say this. I think, I'm very bullish on the future with web 3.0, and Metaverse, the notion of smart contracts, where you actually have the technical infrastructure to enforce the rights. I think, the thing that happens now is there's no way to – Even if the government said, “Yes, Mark. You own your own data.” There's no way for me to actually execute on that in any way. It's like, as soon as I give it to a company and they bury the terms and conditions, it's like, great, you gave me the data anyway.

I think we have to have that evolution of technology, combined with policy that would, I think, capture this. I guess, I'm bullish on this notion of I in the future can truly own my identity. Then I have the ease of technology to assert my identity, or share my identity. Because right now, the tech stack doesn't really exist. I mean, you have Apple making inroads to hide email addresses and phone numbers, and that's great. It's just not comprehensive enough. There's so many ways around it.

[00:32:17] CS: It seems like a lot of the terms and conditions, I agree to the above that it's a yes or no thing. You're either agreeing to this thing, or you're not using the service. I mean, certainly –

[00:32:30] MK: Right. Very black or white.

[00:32:31] CS: Yeah. In your OS or whatever, Microsoft will say, “Can we take some of your data to use for testing purposes?” You can say, “No, you might not,” and you click the button. But there's not really that binary on a lot of these. You're either opting in, or you just don't have Apple TV.

[00:32:51] MK: That’s right.

[00:32:51] CS: Yeah. You want me to watch Ted Lasso. Yeah.

[00:32:54] MK: Exactly. You're right. I think, people have tried different concoctions to try to work around this, but I don't know. Nothing's really worked today. The government as a whole, the federal government hasn't been really supportive. We don't have a chief privacy officer in America. We don't have someone innately looking out for this problem, or issue and trying to find solutions. I think, what you're going to have is in the future, hopefully, powered by the blockchain, with smart contracts, a virtual identity that I can have and enforce my rights around that, but it's going to take a long time for all the systems to get caught up, and so on. It comes down to even going to a grocery store and being able to, how do I assert my right at the grocery store with my driver's license that they're just now staring at?

[00:33:55] CS: Right. The focus of the show, Cyber Work, is work in the cybersecurity industry and how to get into it. You had jobs and a lot of different phases of data privacy, security, IT, tech, marketing, the film industry. Can you talk about some of the jobs that are available to people who want to help people get their lives back, compare damage, shut down this type of misuse of private data? For our listeners, where would you suggest they get started if they want to join the fight?

[00:34:27] MK: Yeah. I mean, I think the number one thing you got to do is you get to learn about what's happening in how all this stuff works. I was very fortunate that I worked for Experian. It was still one of my favorite places to work. I never thought I would work at a credit bureau, but it turned out to be just an amazing opportunity. I would encourage people to find that entry level job, where they're thrust into the world of InfoSec, consumer data protection and so on. You can do it from either the true, just pure InfoSec security perspective, if you're into that side of things. My route was more of, I came through the marketing channel.

The marketing channel with Experian was about, okay, what data can we use to market to people? How do we protect people's privacy when they come to our site to sign up for our services? Then, how do we go basically scour the Internet, dark web and other places to find where people's information has been leaked? I got to see it from a different eye. I think, that really helped me understand the problem larger than just simply looking at it from like, oh, here's how some malware got on a system and is harvesting data.

I think, you might want to actually encourage people to look into marketing roles that have the requirement to work with data. There's a lot of ad networks and companies like that, that take privacy very seriously, are now dealing with GDPR and CCPA and other things. Those are great places where you learn about the impact of consumer data, consumer privacy, and what you have to do to secure all that information. I think, the more you can understand the real-world nature of the problem, I think that's what's going to help you the most.

[00:36:33] CS: I mean, that's awesome advice and that's a big part of what we talked about here is we're really, at this point, trying to encourage people. Because tech, people are going to tech and the security people are going to security. They're already excited about it. They've been hacking since they were four-years-old. They've been doing this, they've been doing that. A lot of people are very intimidated, because they think, “If I haven't hacked in my local credit union when I was six-years-old, how can I ever catch up? I'm 50-years-old. I'm an auto mechanic, I'm this and that.” Can you talk about what some of the baseline of tech knowledge that you had? I mean, you're an outlier example. What do you think someone coming into it now really needs to know apart from marketing skills, writing skills, soft skills?

[00:37:19] MK: Yeah. You got to know data. What I mean by that is you have to understand the concepts of data. The example I used earlier is this is the way a fraudster works is they'll get the data, breach data. Now, they got a list of names and some social security number, or bank account. Not much you can do with that on a standalone basis. Then, they have to start understanding how you append data to that, to build out the rest of the story. I think, that's what you do certainly in marketing when you're targeting people is you start with a small set of data, and then you start to append data around it.

If you understand that concept of okay, I have a small set of data. How do I enrich it, or append elements to it? I think that'll help you a lot. I certainly know from my background, when I go back from film school days, because I was developing databases, you learn that structure of okay, I got a couple of columns of data here. I got to somehow link it to this column here. I need a common key between them, so that I can join and create that append. I think, understanding the basics of how data gets joined together, I think, actually is really, really powerful.

[00:38:44] CS: Okay, that's interesting. Yeah, we just had a live webinar on data privacy and the constellation of privacy certifications for different countries and so forth. That sounds like that's connected, but it's still a little step sideways. You're looking at the data in the petri dish and how it replicates and moves, rather than necessarily being the person who understands the chart of yes, no, yes, no. This is acceptable in Canada. This isn't and so forth.

[00:39:17] MK: Well, I mean, to that point, there's three or four disciplines, right? There's the true hardcore security, encryption, all that side of it. What you were just referring to, which is the legal policy privacy side. There's the marketing side, which is like, how do I use this? Then there's the software developer side of it, to understand how it even could magically come together. In some ways, you got to know a little bit about all of those things to really be successful as you progress.

[00:39:52] CS: If you are hiring someone for a team who's working on this stuff, what are things that make their resume float to the top of the pile? What do you need to see on it?

[00:40:02] MK: Yeah. I don't know if people like my answer, but probably, sadly, not much. The number one thing I look for when I hire people into this data space is you have to be naturally curious. If you're not naturally curious, then you're just doing a job. Data, there isn't the magic answer right upfront, you have to have this natural curiosity to go find and explore things and figure out where things might have come from and how things got connected together. That's something you have to talk through with people more than finding on a resume.

Because as you know, people can list tons of credentials. They can have tons of certifications. All that's great. But if you're not naturally curious, you're just waiting for someone else to direct you as to what to do. I love to hire people who are naturally curious. Love, also, testing. I was working with a client and I was like, “Hey, are you AB testing these things?” At Experian, we tested everything. That's probably why I love that job so much was because it taught me that rigor of you have to be able to test things and optimize, and not just take what you see for granted. I think those are really two elements of I guess, if I had to see something on a resume, it would be that they have knowledge about AB testing and had a lot of skill sets around testing.

[00:41:44] CS: Yeah. You would need to see more of a narrative than a list of abbreviations.

[00:41:47] MK: Yeah, exactly.

[00:41:48] CS: Okay. Well, I think that's a good place to wrap up. As we wrap up today, John, could you – we talked about a bit, but could you tell us a bit more about OnePro and some of the ways your customers are using it? Also, if OnePro has any big projects, or innovations, or changes on the on the horizon that you want to talk about?

[00:42:04] MK: Sure. Yeah. It's OneRep.

[00:42:07] CS: Oh, OneRep. OneRep. I’m sorry. Typo, typo, typo. Okay, yeah.

[00:42:15] MK: It’s OneRep. Yeah. I mean, I think the interesting thing there is, again, the all the different now use cases. A lot of people think of this functionalities like, “Oh, it's just a pure consumer thing. It's just for consumers.” It's really not. This whole employee base with like I said, people coming in from different job classifications, whether it's public sector, or private sector, where they have interactions with the public, and the public responds in a negative way.

We really want to make sure that people know that this is bigger than just someone simply concerned about their privacy. It's much bigger impact. Employers need to take this much more seriously and look at offering this functionality as a employee benefit. We have a lot of companies coming to us going, “Hey, we want to show that we're doing something for our employees.” This is a great way to do so.

I'll also say, the dating space is something that's there's so much fraud in that space that we really need to encourage people that before they start online dating, get your information scrubbed before you just jump in and start trying to meet people and potentially have issues there. From the OneRep standpoint, as a platform and so on over the next couple of months, you see us get to about 200 or more websites that we scrub from. Then we just are constantly adding into – We're a SaaS software at the end of the day. Into the platform to just keep adding value for consumers and now for businesses.

[00:43:59] CS: All right. Well, one last question for all the beans here. If people want to know more about Mark Kapczynski, or OneRep, where should they go online?

[00:44:08] MK: Well, most people find me on LinkedIn. Not too many Mark Kapczynskis out there. Just find me on LinkedIn. Happy to connect with folks. For OneRep, just come to onerep.com. O-N-E-R-E-P.com.

[00:44:22] CS: Beautiful. Mark, thank you for your time and insights. This is so much fun.

[00:44:26] MK: Awesome. Love the conversation. Thanks for having me on.

[00:44:28] CS: My pleasure. As always, I like to thank everyone here who is listening to and supporting the show. The episodes of the Cyber Work Podcast are available every Monday at 1 p.m. central, both on video at our YouTube page and on audio wherever you get your podcasts.

I want to make sure that you all know that we have a lot more than weekly interviews and cybersecurity careers to offer you. You can also learn cybersecurity for free on our InfoSec skills platform. Just go to infosecinstitute.com/free and create an account and you can start learning right now. We've got 10 free cybersecurity foundation courses, six cybersecurity leadership courses, 11 courses on digital forensics, 11 courses on incident response, seven on security architecture, DevSecOps, Python, JavaScript, ICS data security fundamentals and more. Just go to infosecinstitute.com/free and start learning today.

Thanks once again to Mark Kapczynski and OneRep. Thank you all so much for watching and listening. We'll speak to you next week.

[END]