June 22, 2020

Security By Design In The Digital Workspace

Security By Design In The Digital Workspace

In this episode, we discuss security by design and its far-reaching impacts in both the public and private sectors as well as in the home.

Apple Podcasts podcast player badge
Spotify podcast player badge
Google Podcasts podcast player badge
Amazon Music podcast player badge
Overcast podcast player badge
Castro podcast player badge
Stitcher podcast player badge
PocketCasts podcast player badge
TuneIn podcast player badge
Deezer podcast player badge
RadioPublic podcast player badge
YouTube podcast player badge
RSS Feed podcast player badge

In this episode, we interview cybersecurity expert and security-by-design advocate Lorik Sefaj. Lorik is an IT specialist with 10 years of experience in cybersecurity.

We discuss why security needs to be considered from the beginning rather than as an afterthought. We also touch on the relationship between cybersecurity and IT groups within organizations and the balance between functionality, usability, and security. Finally, Ryan and Lorik share how GDPR has impacted their lives.

*This episode was recorded in April. Heather is happy to report that it is no longer snowing in Michigan.

Episode Transcript

Follow us on Twitter: @thedwwpodcast 

Email us: podcast@digitalworkspace.works 

Visit us: www.digitalworkspace.works 

Subscribe to the podcast: click here 


Ryan Purvis  0:00  
Hello, and welcome to the digital workspace works podcast. I'm Ryan Purvis, your host supported by producer Heather Bicknell. In this series, you'll hear stories and opinions from experts in the field story from the frontlines, the problems they face, how they solve them. The years they're focused on from technology, people and processes to the approaches they took, they'll help you to get to the scripts for the digital Express inner workings.

Lorik Sefaj  0:31  
My name is Lorik Sefaj, and I work in the cyber security industry and active in the financial industry out of Zurich. I'm a big advocate of what we call security by design and the idea of reducing cyber risk. Its minimum through through the reduction of the attack surface at the thought of whatever we design like the digital workspace, or other services. And and that's it Started From my side pretty much I I love this field, I think it's very exciting. I think it makes it makes a huge difference. And we are always looking for for good people and good awareness around cyber. So this podcast.

Ryan Purvis  1:16  
Thank you. You mentioned before we start recording that one of the hot topics not discussed was around operational technology security. Did you want to maybe talk a little bit about that?

Lorik Sefaj  1:27  
Yeah, I think I think it's one of those hot topics that nobody really is discussing, at least at a certain level. Right? We are always, you know, as you as you guys know, we're always talking about information technology, right? So we are working in companies or advising companies that that are very much active Information Technology, right and, but we kind of have forgotten about what the corporation technology, Operation technology or operational technology was. You know, you're talking about the bread making machine that delivers bread in the morning to the shops, right and imagine a bad gas attack. And you go to your shop to market and there's no more bread because of operational technology risks or the TriCity grid. And I think that discussion deserves to be elevated. And, and taken very seriously because you're talking about pretty much it say right under embedded systems of control, industrial machine, machinery and there's little been done or that awareness is not only upward should be around operation technology with

Ryan Purvis  2:33  
it doesn't and that's one of the problems with IoT world is is a rush to push products out without taking security into consideration to begin with. And you get situations like that with this guy. There was this camera system that a guy sold online, but there was a flaw in the sense that his relationship with that hardware was never present or broken. So the new person could see All these old recordings, and the old person could still see the camera feed. Because there was no, there was no sort of anonymization there was no refreshing of the hardware, and all those things you would think about what the issue is that you have to think about, if you're thinking about the security part of it. It was, because that takes longer to get the product up.

Lorik Sefaj  3:23  
Yeah, that's one, that's me. Right. And the second part is that most of these embedded systems are actually written in, in C, language derivatives or C, right, and, you know, input filtering and stuff like that can be a very, very big problem.

Heather Bicknell  3:39  
You know, on the operational technology side, you know, I don't know if you have an opinion on this, but, you know, to me, I think about how policy needs to come into this as well and how, you know, governments kind of need to work together with the private sector to make sure that some of these, you know, huge things, you know, the power grid, you know, like, what, what would what would we do so, You know, I guess how do you see, you know, policy factoring into these huge risks?

Lorik Sefaj  4:05  
I mean, especially operational technology.

I think it does, unfortunately, does require a bit of a political discussion or political approach, not a big fan of regulation. But it does deserve a political discussion. That's what I meant when I said elevate the discussion with that level of certain, you know, policy experts or policy makers, at the government level, probably right, or institutional level, government institutional level, right? Because I don't think that's really happening. And so, it has to, it has to have a bit of a pragmatic approach come down to where possible, right?

Ryan Purvis  4:51  
You know, it's very difficult to deal with that. I mean, if you just think about the amount of devices that are built in in this Asian factory, Because most of stuff is coming out of China, probably in Taipei, Taiwan. someone buys it on Alibaba or Amazon. It gets shipped in here and a little bright, a little brown box. And no one's checking that box really says you're not getting enforcement there. They're blaming internet traffic here. And that happens to be a backdoor into your personal

Unknown Speaker  5:25  
Wi Fi.

Ryan Purvis  5:28  
How would you even begin to start that without having some sort of draconian, every box that comes in has to be tested and being tested?

Lorik Sefaj  5:38  
can be very tricky, I think. Yeah. And then some of these frameworks, propel these frameworks published, right, that must be a winning 35 at least some of these things, right? I mean, we all know, you know what first line of defense, defense, defense control ours and we already applying them anyways to information technology and the variable That way actually maybe sometimes even too much. Sometimes, depending on the industry you're in, we are regulating so much that that that somehow cyber is being driven through through compliance to regulators. And I think that's really wrong and actually dangerous because that's not how hackers operate.

Ryan Purvis  6:18  
expensive. You get back onto old legacy environments

Lorik Sefaj  6:26  
or whatever in that area. But But I think some of that some of the good stuff of, of regulations or policy needs to come into the, into the IoT or into the operational technology world, right. I don't know how far how mature that area is, but I'm really I'm not hearing I'm reading too much about it right. Now.

Ryan Purvis  6:48  
You mentioned the example. I mean, I've been dreaming about a enabled coffee machine. Thought Cuz I mean a look a lot of these machines you like I wouldn't espresso machine so you have to go put the capsule in would be really nice some mornings we have the capsule it was just really and then to sit by my my feet going on the scale in the in the bathroom before I take my shower. So by the time I went downstairs the coffee's been brewed. And it's cooled down to the point that I can just drink it as opposed to slim to put the capitalist drink, etc.

Heather Bicknell  7:26  
So yeah, Ryan I tried to buy something like this at one point, there was a product and IoT coffeemaker not quite as sophisticated as that of course, but you know, where you could program it from your phone. And there is you know, a Kickstarter for it. And it never It was like years of just waiting for this product to actually ship and be released and it never was. So I just thought it was funny that you brought up that example because I had attempted

Ryan Purvis  7:57  
but it's it's one of those things That, it's the whole thing about the digital world is trying to bring disjointed things together seamlessly. And to make it more comfortable. Well, it's less friction and one of those things is reducing your manual effort. I mean, if we think about this in the enterprise world, you're trying to reduce the number of tickets being created for poor performance, or something to their their thing. But if you save someone two minutes for making their coffee, so that is a necessarily a huge financial benefit, but a comfort benefit. For the most part.

Heather Bicknell  8:34  
Yeah, like what do you What's your kind of take on the, you know, the, because a lot of times we're exchanging convenience for privacy, right? When it comes to a lot of IoT solutions, at least in the home.

Lorik Sefaj  8:48  
From from a privacy perspective, over to the principle of privacy. So, for your holy grail, right, it's sacred and

that has to be protected

by design, first of all, But if people choose to them, right? If consumers choose to then really have the kind of invasion at their homes, then you know, their choice. Right. But I don't think it should be. It should not be a whitelist approach, right? It's something like we go in and we design something that does not take care of privacy, and then we turn and then we switch it off, right? privacy has to be switched on by design, right? So your coffeemaker is already locked and loaded with all the necessary policies to protect your privacy possible, possible. And then the user can choose to open it up just like we do in real life, right with a real identity. So no real hope, right? We let people in they're not overly inara. Right. So all these concepts as we have, you know, and I know in a state of law, in the Western world, right, or most, most western world, we should be able to replicate the same income So not just from the privacy and data protection point of view are possible, you know? Yeah, I guess that makes sense.

Heather Bicknell  10:10  
No, it does. And I think I guess for me, you know, when thinking about some of these consumer technologies, I feel like there are things that are, you know, more and more, you know, that connect to Wi Fi or that, you know, some, you know, grandmother out there, you know, using their Google Home or, you know, whatever they don't, you know, there's a lack of awareness. I think, on the consumer side, sometimes that you know, what these technologies are, you know, recording, potentially about you.

Lorik Sefaj  10:36  
Yeah, I mean, I think there was a massive lack of the loans. Right, and this is why, like I said, unfortunately, we needed discussion, but we need a political level discussion, and that's why I'm saying unfortunate, right, because wherever government plays that role, it becomes a bit of a big question. Regulations come and play. Right. So a lot of these companies, unfortunately have misused You know, the users in that sense, and some accepted blindly some, some do some don't care. But I think that's that's that's dangerous, right? I mean, like I said, You don't just let people in your house or have people in your house by design, right? People don't just like that, that you're having some kind of control. So I think I think a lot of analogies are missing there and people are not getting the full view of this right.

Ryan Purvis  11:32  
Education is also missing. So something is missing school. And depending on the size of the organization that you're in, you may or may not get that that sort of, you know, computer based training that that's enforcing some levels and not know that there's a victory point of regulations. People that have worked in banking will be you know, beaten up regularly by some sort of information security training. But if you will, Another industry where that's not such a big deal was unregulated, then you probably won't see any of that sort of stuff, which means you don't take it back.

Unknown Speaker  12:09  
And that's a bit unfortunate.

Ryan Purvis  12:11  
Yeah, and I mean, that's that's the problem is that you don't if you don't grow up with that as a culture, and it doesn't feel fit to your personal areas as well, that's usually the way the attack happens. Because that's the that's the soft point, the banks got enough money or the, the big corporate have enough money to defend as much as they can. But the weakness is at the consumer level.

Heather Bicknell  12:33  
Yeah, I guess, you know, from the education side is to I think it's kind of there's a conundrum, as well, that, you know, a lot of the young people who are growing up, you know, smartphone in hand from a very young age and who will be very familiar with this technology also never knew a life before they were, you know, before their whole lives are online already. Like there's no concept of maybe trading over your privacy. It almost would be More reclaiming it at some point, you know, when you become an adult So yeah, I guess I don't know if there's Yeah, if solution there if you have any thoughts, but um, I feel like it's kind of the you have the older, older generations who, you know, aren't creating that policy, that educational awareness and then you have the youth who are just becoming normalized to how things are.

Lorik Sefaj  13:26  
Or, or you just do it. Right. Right.


You put privacy and security also at the center of your value proposal. I think an interesting company who has been doing this or started doing this and the recent two to three years is Apple right. I think they've kind of taken this upon themselves in putting putting the idea of privacy and security first or by design that we've seen it with the FBI case back then right there. Go remover Apple did not cave in. And then we've seen, we've seen other moves at governmental levels in California started this year in January, maybe, I don't know, which was but there was another act of privacy and data Privacy Act, which was pumped up around. This just got into a segue now, and this is a very new thing in the United States, right, because the data protection laws are very loose and very much state based. There is movement happening around that area. You have to balance it out properly. And this is why coming bringing it back to technolog technology discussion, or an engineering discussion,

security by design

must take place during during the design of the of whatever service you're putting together, right and and it delivers value. So the value value driven it's a value proposition. It's huge, right?

Ryan Purvis  15:00  
So why why do you think that most organizations still have cyber as a separate tower within technology as opposed to point like, like, if I look in any project that I worked on, you know, we sort of worked on our own to the point that we, we deliver what you're supposed to deliver. And then you'd find out here's another project being run by the cyber guys and bear in mind, I work for cyber as well. Which would be almost contrary or opposite to what you just built. Because they are taken from a security point of view as opposed to a functionality usability point of view.

Lorik Sefaj  15:38  
I mean, requires a bit of maturity in general, right, I think I think certain organizations are very mature. And, and, you know, have an established strong, you know, cyber risk posture or awareness and and I believe that, like you said, financial companies do have that, and we do that. Right. We're doing it better and better. But in general, I think it's only lack of it's really lack of knowing things by knowing the total lack of education in the field. Right? It's, it has to go a little bit back to to education itself. You know, education is conservative, right? at school. In computer science, you barely rarely do security by design that doesn't even exist with security oriented design principles come very late on when you start already. when when when you graduate and you store the applying stuff. I think that's a bit too late. So I think it has to answer your question. I think it has a lot to do with education as well. Ryan, right.

We are technologists. But you know,

we are missing a big part of that educational aspect. It comes to security. It's like you driving a car without a driver's license. analogy from years ago, right. You build your project. And around and everything, but you have a driver in there who doesn't really have a drive.

Something that hasn't been done properly.

Ryan Purvis  17:09  
Yeah, this actually makes me laugh, I'm thinking about the amount of tutorials that I've done, you know, in education where, you know, you're writing the simplest example of, of, of code to do something. For when you get to the real world, none of that stuff is useful, because nothing's ever that simple. And you don't think about security or any of those things because your, your tutorials are already, you know, meant to be concept of Not, not practically experienced. That makes

Lorik Sefaj  17:45  
it very, very implicit, right, it's very implicit. And somehow everybody magically things are already gonna be secure. Nobody's going to do anything about it. Right, and that happens all the time. He didn't really fully answer your question. Education, maturity depends on the firepower, right? I mean, getting security SMEs and building up a security service does constitute enough. Right? So again, that risk, risk driven approach, we have a risk driven approach, or can you completely neglect that kind of risk and still be resilient with your services? find that the, if that's the answer, then that's great. But all of these discussions need to happen at the beginning

to start

and that's what I'm advocating a lot for.

Heather Bicknell  18:36  
How do organizations go from this legacy mindset to moving towards security as design? Is that a matter of bringing in new people or changing the culture or you know, what would you recommend?

Lorik Sefaj  18:50  
I think it's a combination, right?

It's a combination of, you know, trusting your security people and I You know, I'm fortunate fortunate to have that in the area where I have management that really understands, you know, the the aspects of cyber and allows us to work closely together in designing these things like that, right the way I mentioned. But I think the industry itself needs to start selling security as a value proposition, right, all of the already part of the service. And that's why I refer back to Apple. I really like the way that it's on the latest fad. Maybe not like he mentioned privacy, and they mentioned that security is something that we take care of. And having that from a service provider that literally has nothing to do with security. I think it's interesting, like I said, for one, for one, the product is designed without having to go to another vendor and buy something and add it on top. And something that's becoming heavier and heavier, right, because of course, there's an entire industry out there, but it's handy to do it later on. It's nicer and cleaner, it's more elegant to do the beginning. So, I think I think, you know, the value proposition side of things, Heather, actually, as part of the design process, you know, understanding what is actually the value of this product, out of out of out of this, you know, out of all this, right, and you can actually sell that as part of the holistic product or service, whatever you're doing.

Ryan Purvis  20:35  
How do you balance means that trial usability, functionality and security and dependencies and trade offs between them? How do you avoid going into an over secure hours, we may rephrase that. So. So you have to do the service. What are the services that's let's say it's a VDI platform to provide users with the most desktop And when you start out designing the service, you're already thinking about delivering the VDI platform because you're gonna have people in the office every day. Now we're in the COVID-19 pandemic. And you your design was initially only planned for a certain percentage of people working remotely. But now pretty much the entire organization is working remotely. Do you try and conceive that possibility? Right? In the beginning, you know, hundred percent remote working? Would you sort of draw a line and say, well, we have to accept it. When we get to that we'll have to redesign or approach to design the What would you think in that scenario?

Lorik Sefaj  21:43  
To answer the first part of your question, right. How do you design accordingly without killing usability and functionality and performance, right. Again, I think companies and even small companies even you know, little service providers, They still need some kind of risk management framework. A small one doesn't mean anything complicated. And by that, I mean a risk management framework. But I'm doing too many complicated details around a framework that allows you to ask certain questions about how critical is my environment? Am I can I be so resilient, that it goes down? How am I regulated around data? Do I care so much about data? What kind of agreements Do I have with my users by consumers around the area? So, you know categories like criticality, and then probably most importantly, if we keep it, keep it type of discussion. That framework should allow you to ask the question of or define what is my attack surface, right? Every time you design every time you design a service, being at an end user service or whatever, you are going to expose it to some text that was always exposed to an attacker, it will expose them attack surface right? And out of that, there are some ways to do that. Again, security from this top mitigating mitigating principle. So, of course, the attack surface of a VDI face platform is different. If it's higher, I cannot say probably a little bit higher than a corporate device from, from a, from a cyber perspective, maybe, right. But, you know, in this case, if you have good access management or good access controls like the FE then actually, you know, you're able to gain quite a lot even in the VDI environment. I'm not gonna go into details of that word, but, you know, you already know what you're gonna have your data, you know, stored in a data center and even streaming stuff and having some strong to FA even if you get a, you know, a piece of bad malware on your BYOD you know, data exfiltration will not be that easy right printing screen. When and and and, you know, the core stuff, the data will still have the the attacker will still have some work right? Of course it will have an important footprint. But access to that data will take some work to get to similar in the corporate device. I mean, what if you What if it gets stolen? I don't have enough on the encryption young done your homework properly. And and and, and they managed to break into your data, right get your time. So what I'm saying is without without solution eyes, you know, without saying what's good or bad or what's really dependent on your risk posture and the attack surface. So to answer this fully, you do on small to medium risk management framework. You don't want to overload it, because we know what happens when it becomes too big right? You then become fully compliance driven and you kind of lose touch with really what is what attackers are doing. So you want to keep a thread Bay. Yeah. You want to be an entity. Come construct and based on that the work, right?

Ryan Purvis  25:03  
I guess I'm trying to say you can't build a Rolls Royce at the beginning, obviously, to get from A to B, but if you need to get to a B, and you need to consider a little bit about your path, your journey, that your regular industries you need to meet the regulatory requirements. Those things will be factored in when you design as opposed to trying to conceive every possible scenario in your design, which means you end up building this, you know, unusable thing.

Lorik Sefaj  25:34  
And that's why you need that's why you need good security. So me, not everybody, the security of me. Everybody seems to be one. If you look at the industry these days, everybody has some kind of evangelist or has had 20 years of security experience, blah, blah, blah. And then when you really go down deep learning or applying some of the security principles, So that's also a key thing. Right? So this is why, you know, going back to what you're asking for, what does it take to make this happen across the horizontal? Well, you know, it does cost some money, right? This is why it's a risk to risk based discussion for some people, can I can I neglect this, whereas can still be resilient? And run by services? And find if that's the answer, right, if you have to be answered, but for question to happen. Yeah. So, you know, you need to have a nice follow of people that know a little bit of risk management, so that they can put put together a risk management framework, a simple one, something that's applicable, right to risk management frameworks that allow you to have transparent controls and measure those controls. And talking in from from the construct construct is pretty much on mechanical control. Right. And then out of those controls, we have the security as the guys who can build technologies or underline or apply them. those technologies include favorites from within Or, you know, antivirus, whatever you want to call it. So that does take a bit of effort both in the sourcing and, and investment.

Ryan Purvis  27:12  
As soon as the level of what you design is very real test regularly, whatever that cadence is, looking for improvements and optimizations and adapting it to really was changing landscape in the sense of relations and technology.

Lorik Sefaj  27:29  
Just like just like any product or service don't have a life cycle. I mean, even maintain it, and why not have security as part of that lifecycle discussion? Why not?

Ryan Purvis  27:42  
what it should be? I don't think it is. And I think I think a lot of I mean, if I look at some of the challenges, I've got my own career, you know, often when you're trying to explain to a non technical person, why you need a big team, and I say big a little relative to this A product. And one of those people needs to be a security person who's not necessarily nurses not necessarily double had to get something else in the team. Because there's so many things to look for. That is it is a full time job. And all they're seeing is the cost of another person in the team. It is a difficult thing to get across sometimes for something that should be fairly obvious. We look at the amount of attacks that occur every every minute alone every year.

Lorik Sefaj  28:35  
Indeed, right. I think it's, again, it's a risk driven discussion, value driven question, do you want to sell securities value or are you don't? I think I think, like I said, I think cybersecurity or cyber risk is a risk, a risk in society. Right? First and foremost. Is it a risk to information technology based companies, absolutely, or interested? companies that do Information Technology.

We will not even be having a discussion

from time to time

Ryan Purvis  29:14  
and is a level of education. I think the accelerated capability now that you can go build an app or you can go provide a service using some sort of cloud back end means that most people don't understand the underlying components that make up that service. Which mean they don't really understand what the possible weaknesses of or where they're exposed as users, you know, so they share that picture on which product is away. They have a conversation I think is confidential, but actually it's not. You look at the zoom. Started was picked out a couple weeks ago, where you could jump on any call you wanted, as long as you had the number

Lorik Sefaj  30:00  
could be any any company or government. Sorry, let's put it this way any government agency that uses closed source, web conferencing technology is asking for trouble. Right? They really are people trouble. I mean, I would never be if I was a government agency, I will set up my my open, open source phase service, set up my service inside and have it and have it run. I seriously do not understand how this could be a good idea. Again, this is why because, again, because the risk driven approach was not configured or did not execute properly. Right. There is a couple of very cool conferencing or web conferencing, whatever you call it out there that are completely open source. You can see what the code is doing. It's been reviewed by millions of people or 100. People, you could easily set it up at home and you have a very nice, transparent product for you and you know exactly what it's doing right Why this is why this may not happen again, because what we've discussed before, because the German approach, it's not the chariot, right? Or, or people don't get away with it. But you thought this way, right, you got

Ryan Purvis  31:15  
this political discussion, but I but I think one of the biggest problems with governments is they're not they're not typically people that are around for a long time. They've you know, the president or prime minister or whatever the designation is voted in for a five year term, or I think, I think that we'll find it terms generally. They spend the first year probably undoing a lot of what the other person did before them. So they can show some wins. And they spend two years actually doing something maybe, and this in the next few years, to try to get back in again for the second term, because their lack of power, they're likely and this is a very cynical view of politics. But the problem with that is that there's never a long term strategy to consider these sorts of things. So you don't have a CTO CIO CCC. equivalent, who's there for a long time because they all they'll politicians in the end, trying to to keep their own agendas going really don't think is maybe that all

Unknown Speaker  32:11  

Lorik Sefaj  32:13  
Yeah. I mean, I think that's also I mean,

I think we're seeing it right now how politics is failing us anyways. Right? Which is great, because both are efficient in how supposed to be doing they're supposed to, they're supposed to follow our interest and care about our interests and not millionaires, and that's the political discussion there. But I really do hope that these unprecedented times we're going through right now, do you make some changes and again, cybersecurity or cyber warfare is not something that you can, you can you can fix by trusting others or each other, right? It's actually war. It's a military discipline. Right, I'm hearing things that are we are collaborating with this country in this country in that country.

Actually, that's not how it works.

Ryan Purvis  33:13  
I mean, it's not it's not geographically based.

Lorik Sefaj  33:17  
That's one thing. And second thing is, it's a weapon. I don't think people just share share information about their weapon systems like that. And, and every company that I've seen doing it, it's, I always get frustrated when I think we are sharing our runbook on how our sock operates these and that, and it's just ridiculous to me, especially at the governmental level. It's ridiculous to me, right. And, but anyway, that's how it is right now. I guess we'll take it we'll take another crisis

or at the major incident for people to make up

for World War What does it take for this to happen? Well,

postmortem right after the fact, a lot of man wake up, and then they and then they go ahead. And again, that depends how resilient are you? How much can you pay? Or how much can you afford? Can you afford the damage? Right? I think I think a great example of these things in our recent history around cyber, it's really the nature of the wanna cry kind of

situations where

a lot of damage was done, company got away with it, some companies managed to hide the true costs, and then move on. You know, the trends.

Heather Bicknell  34:36  
So, you both you both, you know, you have the GDPR legislation, right? How is that has that changed? You know, things in your kind of, you know, your day to day life, is that something that you know, has has changed the culture the right to be forgotten, kind of option like how how big has that kind of From a personal level,

Lorik Sefaj  35:02  
I mean, I really curious to see how it goes those cups and we have faith in Europe. Right? He talks about a website, every single website I with it, you have to tailor your cookies and tracking. I seriously hate it. And why because the internet was not designed with people being friendly and loving each other in place. That's not how it was designed, right? And the security experts and the fact that we are just as a barbaric as we used to always be, was not something that was really kept in mind. So we now on top of the internet, we've put regulations in place, which are very difficult to execute, and very unfriendly and very uneven. I mean, the triangle around performance usability or security, whatever you want to call it, run the Eugene Eugene, you GDPR awesome example of how You screw up website usability. Right. Very nice one. how effective it is? I don't know, I think I think we need data. Right. I don't have an answer. how effective it is how many people? I think the How long has it been? It's been a year two since the internet thing I don't know. To know. It'll be great to get some data on, you know, how many requests for the right to be forgotten how many, whatever, right. So that we actually have an idea of how effective this thing was. I mean, the right to be forgotten. Yeah. I mean, those are the kind of cool stuff you want to have, right?

I don't want to have my name on the internet for

more than a year, it should be doable, right? Um, but I mean, the right to be forgotten is, you know, again,

how do you implement this stuff, right?

We need the data we need to understand a little bit how effective it was. And I can't really comment right now, I think, I think, again, whatever whatever constitute the privacy of individuals is important framework need to put in place. How good how badly This was done or executed or implemented. Right now, I really can't say, apart from the top off that I get every time it's perfect.

Ryan Purvis  37:25  
I mean, like any of these things that they put in place for the people that don't have the good of everyone else in mind. So you know, it's affected lots of usability and lots of lots of projects that I've been involved in have have spent extra time just making sure they are they are compliant when, in essence, they didn't have to be before and it wasn't actually a necessary objective on the project but because they don't want to get fined for anything because fines are pretty heavy. Now. You know, Had to burnt out. And it probably cost the project sometimes successful a bit of a bit output, and they put out because of, you know, spending money on this extra analysis work. Saying that I think you you have to have these sorts of things. And I think you need to have,

Unknown Speaker  38:22  
again, it goes back to

Ryan Purvis  38:23  
security, by design into lighting, you have to have some of these guys providing solutions as it goes and to be fair, where they are actually held accountable, because for a long time they weren't held accountable. And if they got breached, or or lost some data before it was I will see sorry. But now they've had to to strengthen their platforms and do the right things. And in that sense, I'm happy to take the pain, if it means that they are held accountable.

Lorik Sefaj  38:54  
Yeah, fully agree. And that's exactly. I think to answer your question. Oh, Heather. I think what bigger improvement has been around such relations is really the aspect of accountability. Now you know somebody who feels accountabilities right feel now if, if and what happens if they get breached, that's a different story, right? If they run away, or they get away with it or whatever, I don't care but of, of, Hey, I'm delivering a service to people to individuals. And I also have to be accountable for these kind of aspects. That's an important notional an important principle. And that symbol, we exist strong as it as, as it did two lines point. And, you know, make sense. How interesting how you can execute it. That's a that's a bit of a different discussion, and I don't think we have enough time to do this. But uh, yeah, execution can be messy. Especially. Especially. I mean, there's Not doing us a favor, right? These people who run regulations and all that stuff, the policies of they have their own kind of mastery of it, they do it in a way that nobody sends it anyway. And then I mean, that stuff should be nicely interchangeable. Actually policies like this. Well, they should be machine readable for us. Right? We should be able to look at the codecs of EU GDP are and and automate some of us implementation. But I don't think it's gonna happen because a lot of people in the legal industry will probably do our jobs because they are sending to us how that stuff works, right, but shouldn't be that clear and straightforward way. Yeah.

I mean, I know right?

Ryan Purvis  40:55  
idea to logically I think, sorry, here. I mean, it's like it's like the tax systems, you know, you have systems that are that are that are as complicated as they have to be in order to keep people busy. Whereas if you were just taking a quarter of a percent of every transaction, you would earn far more money and have far less admin. And everyone would pay a tax.

Lorik Sefaj  41:19  
I mean, the amount of red tape and bureaucracy we have doesn't really help in executing security by design either, right? Or executing nice and proper and high quality services that that that individuals deserve. Right, there's so much red tape.

Anyways, so

Heather Bicknell  41:39  
yeah, I know, I know, we need to wrap up in a few minutes here. But you know, one of the things I know we'd wanted to discuss and I think this goes back to Lauric. you'd mentioned you know, the ability to remove your name from the web and I know you you know, kind of have you know, your personal philosophy on Things like social media. And yeah, I guess if you know, we only have a few minutes, but and I don't know, you probably have a ton to say on this topic, but I kind of wanted just to hear about your, you know, your personal online web presence and your thoughts there.

Lorik Sefaj  42:17  
Yeah, I mean, again, this sort of side, right, this whole podcast from my side is pretty much a personal philosophy opinion. I'm just trying to give whatever I think, Well, you know, that kind of work, me and my colleagues and friends, I'm just trying to express it here. The best way possible. So you know, take everything with a grain of salt as with everything. Capitalism is an important part of our discussion as to social media and, and, and stuff like that, right. I mean, I grew up I was lucky to grow up grew up and in the family surrounded by people who early on, managed to provide me with information technology. threats we had, you know, internet only back in 97 and 9897 97 I was poking over the whole the whole idea of being present of the internet and talk to people and chatting and sharing stuff. And having the first met conference calls already 1999 to two apps that already existed and and touchscreens and Wi Fi. You know, I was very much lucky to be part of that stuff, right? So when all the new stuff came out, or the more math oriented stuff came out, but I wasn't really that impressed. Never really impressed me anymore. Right? I mean, we used to back in the day I don't know if you guys remember we used to do we used to use geo cities from your home and that's how we shared stuff. People had the left side you put the pictures in there. And juicy This was awesome, right? It was like the the static Facebook of things. I'd say that I really enjoyed it, you know, we would make our website and share them around.

So we kind of were already interacting in a way

10 years ago, even more

so and that's where I kept it. So when when the new stuff came out, although I consider myself I think I fall within the millennium, you know, I really don't I never really was that impressed by the idea of giving away my details to everybody. My cup of tea, you know, I tried to keep, I tried to keep just enough out there, and

Ryan Purvis  44:41  
thanks for making the time again. And everything is good in Switzerland, and it's one of those countries that seems to have quite a high ratio of cases versus population. So

Lorik Sefaj  44:53  

And hopefully, it will get better soon. No. Are you are you me Taylor?

Heather Bicknell  45:03  
No, I'm in. I'm in the US. I'm in the Midwest and Michigan.

Unknown Speaker  45:08  

Unknown Speaker  45:10  
Very cool.

Unknown Speaker  45:11  
It's snowing here.

Unknown Speaker  45:13  
Oh, so Well,

Heather Bicknell  45:15  
I know. I mean, I'm inside all the time. So it doesn't affect me as much, but it's kind of sad.

Lorik Sefaj  45:21  
Not like Michigan have like the coldest winters in the United States from what I heard like

Heather Bicknell  45:29  
yeah, I think Alaska probably takes the cake for that. But we're pretty bad winners. So it's still continuing half the year's winner But anyway, it's been great. talking with you, Lark. evergreen.

Lorik Sefaj  45:44  
You absolutely have a lovely day English man.

Heather Bicknell  45:49  
Let's do it again sometime. Cool.

Ryan Purvis  45:52  
Thanks again.

Lorik Sefaj  45:53  
Hey, Ryan.

Ryan Purvis  45:58  
Thank you for listening to today's episode. The big news app producer editor. Thank you, Heather. for your hard work on this episode. Please subscribe to the series and rate us on iTunes or the Google Play Store. Follow us on Twitter at WWE podcast. The show notes and transcripts will be available on the website www digital works best works. Please also visit our website www digital works best works, and subscribe to our newsletter. And lastly, if you found this episode useful, please share with your friends or colleagues.

Transcribed by https://otter.ai

Lorik SefajProfile Photo

Lorik Sefaj

Senior IT Service Manager focused on IT security for a global financial institution

IT specialist with 10 years of experience in the Cyber
Security field.