Privacy vs Security - Finding Balance in Compliance

Listen to learn more about the cross-sections of privacy, security, risk, and compliance.

SecurityMetrics Podcast | 59


"Privacy is not about things we want to hide. Hiding implies that the other side has a right to see what I'm trying to hide. Privacy means I can control what I share."

Privacy is often treated as separate from security, but reclaiming it is critical to our personal lives. Adrianus Warmenhoven (Defensive Strategist and Threat Intelligence Manager at NordVPN) sits down with Host and Principal Security Analyst Jen Stone (MCIS, CISSP, CISA, QSA) for a wide-ranging conversation about privacy, security, risk, and compliance.

Listen to learn:

  • How privacy and security are related
  • Who should make risk-based decisions
  • Regaining personal privacy in our increasingly connected world

Resources:

Download our Guide to PCI Compliance! - https://www.securitymetrics.com/lp/pci/pci-guide

Download our Guide to HIPAA Compliance! - https://www.securitymetrics.com/lp/hipaa/hipaa-guide

[Disclaimer] Before implementing any policies or procedures you hear about on this or any other episodes, make sure to talk to your legal department, IT department, and any other department assisting with your data security and compliance efforts.

Transcript of Privacy vs Security - Finding Balance in Compliance

Hello, and welcome back to the SecurityMetrics podcast. My name is Jen Stone. I'm one of the principal security analysts here at SecurityMetrics. Very excited about the topic today, and I think you're going to enjoy it too. I have Adrianus Warmenhoven with me.


We're going to be speaking about a wide range of topics surrounding privacy, security, perhaps compliance. But first, I want to read you his bio. He's a defensive strategist and threat intelligence manager at NordVPN.


He's responsible for getting the most relevant indicators of compromise, or IOCs, malware samples, and their indicators, and generally mapping out the threat landscape for the company's customers. In the past, he's been involved in pioneering endeavors in IT since the early nineteen nineties, collaborated in setting up the first Dutch anti-cybercrime branch organization for ISPs, as well as being part of the MTN, lead designer for one of the first free ISPs in the Netherlands. Co-designer of supercomputing hardware and running projects for Dutch governmental organizations.


For various international companies, he's done security reviews and given advice on how to deal with active threats and extortion.


He has given various presentations at security conferences on security and privacy, as well as lectures at universities about these matters. Being an outspoken and strong privacy advocate, he fully understands the tension between the need for lawful interception and the need for anonymity on the Internet. Adrianus, welcome, and thank you. I'm honored that you would come on the show and talk to me today.


And thank you for having me.


That sounds like a lot of what I've been doing. But the fun is it's not even a fraction of what I've really been doing. Security is such a broad field, and that makes it fun. Don't you think?


Absolutely. You know, that also makes it hard to tell people when they say to me, I wanna be in cybersecurity. What should I do? And I go, what do you wanna do?


Yeah. Anything.


What's your favorite part of cybersecurity?


Well, for me, to be honest, it's mostly the hacking part, but also the understanding part. I've also, which was not in the bio, played around with airplanes and airfields, with megawatt battery systems.


You get to touch everything. And then you can go in-depth in an organization and see where there are some hooks and nooks and crannies where some adversary might hide in, or you can see in industry where there are some flaws.


And the best part for me is I get to learn the profession of the people that I'm trying to protect, at least a big part of it. I get to see it from up close, because you really need to understand what's going on in the factory to be able to secure it. And that's the fun part for me.


I like that as well.


Sometimes we'll have a customer that says, well, we have retail fuel dispensers out in the middle of nowhere. Are you okay with, you know, reviewing those? And my answer is, well, of course, middle of nowhere, that sounds great. Let's do that.


Yes. But at the same time, there are businesses, and the way even similar businesses accomplish security against similar threats can be wildly different.


No.


It also has a bit to do with company culture. We get a lot of people that move freshly to, let's say, things like Azure or Google Cloud or Amazon, and we'll see that most of those will handle security measures quite similarly because they get the playbooks from those vendors.


However, if you already have a big IT culture in your company or in your factory manufacturing processes, the security used to be bolted on. It wasn't something that's native. And you see that most newer companies, startups, will do security natively, also because of the playbooks of those vendors. But for most of the existing companies, it was a bolt-on part. It Frankensteined itself into the processes some way.


It wasn't allowed to wreck the productivity because productivity was still number one, and this is how you can see that not all security solutions are fit for every company.


Mhmm.


And some of them don't even apply to them. And so sometimes I'll run into groups that say, well, we're following this security standard.


But they've done it in odd ways because they were following a checkbox where


Yes.


Some of the things didn't apply. And so they created some issues for themselves because they didn't know how everything fits together. I find that asking them for a data flow, what is the data you're trying to protect and how does it flow through your systems, tends to be one good way to look at how they are protecting it.


I totally agree. I really love, now let me just make a small aside there. I come from the hands-on IT and security and hacker guys, from the age where people said, use the source, Luke, and didn't write any documentation, any kind of stuff.


So I'm really practically minded, but I completely understand how frameworks like, for instance, ISO 27001.


Mhmm.


I quite like that because, in my opinion, it's small enough to be practically implemented. And you can ask exactly those questions, as you just said. You can ask them in a nice compartmentalized way, and I can explain to them why we are doing this. It's a nice compact framework for that. And if you explain to people why you are doing this, then they suddenly start understanding, oh, okay, this might even be beneficial for me. And I've seen more than one company transform by adopting the framework, but really getting into the spirit of the framework, not just, as you just mentioned, having a checkbox and getting the sticker from the auditor saying we are certified.


Right.


But really understand why it is in this standard. This goes for all of these standards. It might look like a big bureaucratic exercise until you really understand what it's all about. And then you get into the spirit. This is, in my feeling, how you should adopt a standard: not by picking one that has the most or best reviews, or just reading about it. Feel if the framework fits with you and your motivation, and then get into the spirit of it, because then it will really help you.


Right.


That's my opinion.


No, I think you're spot on there. I think where people really shine is, like you said, getting the spirit of the security and using a framework to drive that sense throughout what people are doing. Where I find people struggle is where they have to meet a specific compliance effort and they want to do it in the most minimal way possible; they don't understand the value of the framework in improving their security stance. I think that's where sometimes groups fall into bad behaviors.


And it typically starts at the C level. I know that you have done a lot of work with CIOs, CISOs, and CSOs on how to develop security programs. Is there a way to foster that appreciation for security at the higher levels, or is that something that is kind of inherent to an individual?


There's one part that's hard to change.


If the C-level personalities do not have the whole of the company in view, but are just driving for a specific metric like productivity or performance, it can be hard to get it in. But if you spend enough time with them and explain to them, and this is a trick I use, explain to them that everything we don't cover with our security plan or checkboxes or whatever you want to call it means automatic risk acceptance by you, the rest of the C level.


Yes.


You would be surprised how quickly you get a budget or projects up and running when you explain some of the risk like, okay.


We don't have the backup. If we don't get a backup at the end of the year, or you don't allow the budget or any of the projects, it means you accept the risk for this. This is the risk.


Wow. It goes really fast.


For sure.


This is the thing you need to know.


I love that, because that acceptance of risk should be at the C level. That's where business decisions happen. But a lot of times, I see the security team or security guy or girl, you know, the person in that position, they don't take the time to understand the business implications of the security challenges that they're facing. Instead of expressing it in business terms so that the risk can be recognized and the decision can be made at the right levels, they'll either try and make the decision themselves, which leaves that person open to some pretty high risk for the decision making, or it makes it so that things don't get addressed because they haven't been fully expressed at the business level. Do you see that kind of gap in a lot of the organizations that you've worked with?


Yes. I see a lot of security officers. Well, the security officers are not a good example. I'll get to that. I see them being picked because they are good in cybersecurity.


This is not a good fit.


They can be a part of the security office or security group or whatever you want to call it, but the CISO, or the leader of the security team, it doesn't matter, really needs to have an understanding-the-business-first approach.


Mhmm.


And understanding that, at the C level, this person has a specific task: getting those things done, not making the firewall rules themselves. If you're a small company, of course, this can be done. But I see these picks having been made in the last, let's say, decade for the wrong, wholly wrong reasons.


They just picked somebody who was an excellent pen tester or who might have guessed, I don't know, the CEO's password, and thought, this is somebody who knows something about cybersecurity.


We put this person in charge of it, and that person is either completely bored out of their skull or wholly overwhelmed with all this business stuff and process and vendors and law and everything else you have to do to get some security into your business.


So I see that quite a lot, and people who have been promoted from security upwards.


For all the real cybersecurity people who really like to do all the hacking, incident response, malware analysis, OSINT, whatever, I can tell you one thing: not a lot of you are going to be happy in a CISO position, even though it means more money and more prestige.


For some people, I think. But you will not be happy there because none of the things that make you happy in cybersecurity, almost none of them, will be in that position.


Absolutely.


They do, and when they do, it means, well, there's a big problem and you will have to do crisis management at the moment, so you can't enjoy it anyway. So I agree.


When I took this position, one of the things I was told was there is no management pathway from this position. And I said, good.


I don't want one. And then less than a year later, they said, okay, so there's this management position. I said, absolutely not, because I'm finally old enough in my career to realize I love the hands-on problem solving.


I love the interaction with the security and IT folks. I love being an individual contributor. And everything about the management, the business piece, takes a different mindset, and it's not something that I have. I think there are some people who love that.


They love the business management. They love the strategic thinking and the planning. And I just fall asleep in those meetings.


There's really a lot of reading. In Europe, it's all this EU stuff, regulations which you have to keep track of, like GDPR, but you also now need to check in which clouds we put stuff.


Then when we classify different pieces of data which should not fall under the US CLOUD Act, you have to be careful. So there's a lot of this.


If you like tinkering with more abstract-level stuff, yeah, security office, CISO, management, that's fine. But in all that time, I think I maybe spent a couple of days at the maximum really looking at some screens telling me something. Because for everything else, we had the SOC. We have the security office.


Right. We have all the other people doing their stuff, and we had lots of meetings. And this is also the boring stuff. You need to keep your ISMS up to date and make sure it's, it's kind of being a scrum master, but for security, actually, because you say, okay.


We have this incident. How far are we?


Is it is it close? Is it fixed? Is it mitigated?


So yeah. But the thing is, it's still a crucial thing to do. Yes. Even though it's boring to the hardcore cybersecurity people, it's still crucial to do because it talks about rollouts over large parts of your company. It talks about getting budgets from the CFO.


It's about getting the right contacts with the secret services if you have a large company, because if there's a nation-state entry, you don't want to have just any random cybersecurity company. You really want to have your country's secret services by your side.


All of those things make it exciting again and make it very relevant, but it's simply a different breed of people that need to be sitting there.


And I think that's important for a person to know about themselves when they're first looking at cybersecurity as a career, because if you point yourself down a path that isn't going to be satisfying to you personally, it doesn't matter how much the people around you think it's a great idea or a great job. It's what you personally can excel in and take on and enjoy work every day. I wanna go back to what you said about GDPR and some of these things. I think a similar corollary here in the US is HIPAA, and the Canadian privacy law. These are regulations that a lot of groups, when they start, say, oh, now I have to look at regulations.


How are they different from standards? One of the big things is requirements for security officers and/or privacy officers.


And like you said, sometimes the person who misses the meeting on who's gonna be the privacy officer gets to be the privacy officer. Right? And so when we look at what is the, I think it's because people don't understand the importance of privacy.


This episode is brought to you by the SecurityMetrics Academy. If you're interested in learning more about cybersecurity, privacy, compliance, and related topics, we have a ton of free courses. Just go to securitymetrics.com and search for the academy. It'll come right up. What are your thoughts on privacy, security, and how those two things maybe fit together?


I'm in the lucky position of having been a CISO for the largest wholly Dutch-owned cybersecurity company, called Tesorion. And then after that, I was with Nord, with Nord Security, NordVPN.


We kind of try not to know anything about the users. So, really privacy minded. The difference was, as a CISO or as security, you think that you want to see and know everything, like DPI, all the things, and then I want logs of everything. The good thing is we had a really strong data protection officer, or data privacy officer, who was holding us back. But I can understand, because in security you kind of want this whole Panopticon-style thing where you can see everything happening, and then you can put in all the behavioral analysis against it.


And from the privacy standpoint, you want none of these things to happen.


And there needs to be a middle ground.


I want to start first by setting one thing straight: what, in my opinion, privacy means.


Privacy is not about things you want to hide, because hiding means, or it implies, that the other side already has a right to see whatever I'm trying to hide, and that I'm proactively trying to put it away.


To me, privacy means I'm in control of what I share.


And it means if I have nothing to hide, I can share everything I want. And then to people that say to me, I have nothing to hide, I say, great. Share everything you want. I don't care, as long as it's your decision.


And this goes also for other things in privacy. If I don't want to share some things, I should not have to defend everything.


Privacy should not be the things that I'm able to defend, because it simply should not be allowed by law for other people to simply grab everything. It's like you suddenly have to defend all the stuff in your house because, hey, you didn't defend me grabbing this vase or this laptop or whatever from your house. It's really an odd mindset that we have about privacy at the moment. So for me, it really means people should be in control of what they share. If they press the button saying, share everything, okay, it's your decision.


Having said that, from a security standpoint, of course, we want to see everything. And the reason why we want to do that is because malware and hackers have become smarter.


This is also one really important thing I say to people: our opponents are really smart people. They might have different life goals and different objectives, but they're also smart people. They're not dumb or some ogre somewhere. They're smart. So from a security standpoint, you understand this and you see that there are a lot of intelligent ways they get into our networks, into our machines, or people doing exfiltration and that. So from a security standpoint, you want to see everything.


And from a privacy standpoint, you basically don't want to see a thing unless somebody really expressly shares it with you.


I found that those two can really sit next to each other, because it's not a problem.


Because with your people, with Tesorion, we also had very privacy-minded people working with us. And what you do is you talk to them and you ask them, explain to them why they should agree to share some of their, at least, business traffic or have DPI installed.


And if they say, I don't agree, then you explain the problem. Like, okay, that means from your machine, I cannot see if there are specific patterns or behavior. Like, let's say for instance, your system sends data to a nonexistent network printer at three o'clock in the morning in the weekend, to the nonexistent printer in China. That's something really suspicious. Don't you agree?


But if we don't see it, your machine will continue to do that, and this means just a bit more work for the security company, for the security office.


And you don't have to brutally violate the privacy of somebody to get your security. You really have to make people defenders as well. The thing with, for instance, Nord, which is the complete difference, is we simply don't want to know anything about any of the users.


And this goes so far that we have no logging, and the biggest part of our development discussions is actually how do we not inadvertently know something about our users. So there's a lot of focus on not even accidentally knowing and identifying users.


But that goes because it's our product. If our users use our product, we don't want to know anything, so they are still in control of what they're sharing. And if they go to a website through our services and still log in with their credentials, which means they're making themselves identifiable, it's their decision. It should not be our decision. And the same, again, when we go back to the security company, you can talk to the people and then you can say, well, you cannot have access to specific resources unless I can see these kinds of things, because this is my threat landscape. This is the threat model I built around it.


You're violating it, so this is why I need to see this thing. You can talk with these people and you can still have people be in control of what they want to share.


I really like how you phrase that, because I think that, I guess for a lot of reasons, privacy is not protected, especially in the US. There's a lot more focus on privacy in the EU, but in the United States, we have these agreements and privacy notifications and things from these companies where, basically, if you choose to use the service, you have no expectation of privacy.


And the expectation of privacy, I think, especially for people who grew up on the Internet, seems to be that they, a, have no expectation or, b, don't know how to reclaim privacy because their entire lives have been put up there. So at this point, with the massive violations of privacy throughout the technical space, is there any way to put that genie back in the bottle? Is there any way to reclaim our privacy at this point?


It will take a longer time, I think.


Nothing, not even the upgrade of specs, is fast. Even though we as people are getting used to having things fast, this will take some time. The first thing I think is really important is that people understand that their digital persona, the digital ID, the thing that's being violated with the privacy stuff, is actually, by and large, more real than their meat persona. And people don't like it when I say this, but I can prove it.


When was the last time you had an interaction with a company? You're not even going to your bank anymore.


Your digital ID is, there's so little interaction between you and the rest of the world as a person.


Mostly with your friends, your colleagues, that's about it. But all decisions, all transactions, almost all of them are done digitally. So your digital persona is, to all intents and purposes, more real than your physical persona. If you were to die right now, I really hope not, but if you were and you have all these automations set up, a lot of companies will not notice until somebody tells them.


Right.


For them, you will still be alive. So it means people should really understand that their digital persona, their digital ID, is horribly important. It's like people are stabbing it and beating it up all the time online and people don't care. But if somebody pushes you in the street, they all get worked up about this.


But your digital persona is something you should really take care of. And in the rest of the world, this is you. It's not this physical person behind the keyboard.


No. Your digital ID. The thing that needs privacy. That's you.


And once we get that realization back, we might start valuing it again. And I think it should start with the educational system, because in the educational system, we're still in the consumption phase. We tell kids how to use stuff and how to create an account and how not to interact with other people. We tell them nothing about their digital persona, which at that age kind of splits off from their physical being and which they are now nurturing.


There's nothing about that. And we don't work with them and say, okay, if you go to Facebook, it means all this nice stuff, or if you go to TikTok, all these nice videos, but it means something for you.


And we don't teach them that. This is the first step. As soon as we get to this understanding that the Internet and digitization mean we suddenly have an extra part on our being, not our body, but an extra part which needs protection, then we can start with that. Because then the realization will be that all these privacy-infringing apps might not be so good.


And you really should view it the same as, how to say it, bad hygiene. People feel that really well, because bad hygiene means an attack on my physical body, and they should view privacy infringement as also an attack on my body.


Right.


And so it will take a little time.


I think you're right. I think people don't recognize that they have a right to that privacy. They have a right to decide how their interactions online happen. They have a right to decide who takes their information and does things with it. And at this point, I don't think that is a well-understood position.


So I hope that is something that, because we can't put things in place to really support that position until more people understand and believe that. So I hear that you have some interesting future developments. Where's your career taking you next?


I'll be joining Zerocopter, which is, of course, arguably, the best hackers in the world. At least, we run bug bounties with them, and we do a lot of security work for larger companies. But also if you have devices, if you have legal stuff, you can ask Zerocopter to have a look at it. For me, it's really a change of pace and going back to my, well, not really roots, but going back to doing some hacking stuff and really delving deep into the technical stuff, having been mostly at the higher level and the process level for the last couple of years.


I really want to get into my keyboard and see a lot of code again and that kind of stuff. So I'm really looking forward to that.


Saying that, I really love the people at Nord. It has the best, I'm sorry, I need to advertise it. If you want to start a career and you're in Europe, join Nord. There are lots of vacancies there, and it's one of the best jump boards for young people because they support you.


There's this excellent vibe.


It's fun. I can't say it any differently. It's fun.


It's great. Well, I've been a fan of NordVPN for several years and used it personally. And so it's good to hear that the company itself has such praise from you personally. So I really appreciate you coming and talking to us today about privacy and security, critical topics. And you have such a unique and rich understanding of the topic that it's been well worth my time today. Thank you very much.


Thank you for having me.


Thank you for joining me today. I really enjoyed this topic. I hope you did too. Please make sure you check out our back catalog. We have about three years now of videos out there for you on some very interesting things. They run the gamut from privacy to security to compliance and kind of everything related to that. Talk to you again next time.


Thanks for watching. To watch more episodes of the SecurityMetrics podcast, click on the box on the left. If you prefer to listen to this podcast, it's available on all your favorite podcast platforms. See you on the slopes.
