In an interview with SafetyDetectives, Mike Scott, CISO at Immuta, discusses his 25-year career in IT, security, and privacy. He highlights his role in developing Immuta’s security program and emphasizes the company’s focus on data access, security, and governance. Scott addresses evolving challenges in data security, including data localization, cloud migration, and the increasing reliance on third parties. He also underscores the importance of data governance and the potential of AI and machine learning in enhancing data security, stressing the need for careful risk management and policy development.
Can you talk about your journey and your current role as the CISO at Immuta?
I’ve been in the IT, security, and privacy profession for a little over 25 years. Of that, 15 years have been purely focused on cybersecurity and cybersecurity leadership.
Prior to joining Immuta, I was the CISO at Wendy’s, and I also served in security leadership roles at NCR and Optiv.
In these roles, I served as a consultant working with both cloud-enabled companies and historically data center-based organizations, helping their executive teams build out or mature their security and privacy programs.
I’ve been with Immuta for three years. Since my time of joining, I built the security program as it sits today, which has been SOC 2 Type 2 tested and is now ISO 27001/27701 certified. Our program is focused on security by design and the “shift left” mentality. By implementing security by design and applying security as early as possible, we have found that our backend maintenance and management have been noticeably reduced from a vulnerability management standpoint.
What are the main services offered by Immuta?
We help companies manage their current data access, security, and governance challenges. This allows them to strengthen their controls, which allows for rapid, secure, and scalable access to their cloud data products. This ultimately unlocks the full potential and value of their data.
We do this through our data security platform, which has three main components:
- Discover: Immuta Discover automatically and continuously discovers structured data in cloud data platforms to provide visibility of all sensitive data, which is critical for building data policies to protect the data and analyze its usage.
- Secure: Immuta’s data security and access control allow data-driven organizations to simplify operations, improve data security, and unlock data’s value – without creating bottlenecks.
- Detect: Immuta Detect provides timely insights into risky user data access behavior for enhanced cloud data security posture management.
When it comes to data security today, the biggest thing I see is giving security, compliance, and data teams the ability to confidently and safely achieve value with the data in a way that they have not been able to before. This is mainly due to compliance and legal restrictions and the ability to confidently know that they’re properly managing their data. With our platform, we are helping organizations unlock value from their cloud data by providing sensitive data discovery, security and access control, and activity monitoring. With better data security and simpler operations, organizations can get the right data to the right people so they can build more data products, collaborate, share data, and create new revenue streams.
How has the data security landscape evolved in recent years and how do you expect it to evolve in the coming year?
There are a lot of things we’re seeing.
- Data localization requirements are becoming more pressing. Now, a growing number of companies are dictated as to where they can store data based on certain geographic jurisdictions or other various legal and/or privacy requirements. From an Immuta standpoint, the ability to deliver products not only externally but internally as a company to different regions and following the applicable rules was definitely a big change and something that requires ongoing care and feeding.
- We are seeing an increase in the dependence on third parties across all sizes of organizations and industry sectors. It’s clear that internal technology teams can’t accomplish the same amount of work at scale with on-prem solutions as they can in the cloud. This means the cloud and its corresponding partners are becoming common requirements for platforms and companies, which adds additional risk. Organizations tend to move quickly, but it’s important that business leaders take the time to evaluate and compare the security capabilities of these vendors to ensure they are not introducing an unacceptable level of risk to their data.
- Despite the fact that, as an industry, we’ve been talking about cloud migration and adoption for years, many organizations are just now starting to make a significant transition, and with that comes a lot more hesitation and skepticism around cloud data security. I’ve worked with incredibly large customers who are really just now considering moving sensitive data workflows and workloads into the cloud. As we go down the scale and get into the enterprise and mid-sized enterprise customers, there’s still some hesitation about moving to the cloud. That being said, what I’ve seen during my time at Immuta is that being cloud-native has given us a lot of advantages. We could not have achieved what we have achieved in my three years had we been stuck in a traditional brick-and-mortar data center-type environment and been beholden to 3-5-year depreciation cycles financially.
What role does data governance play in ensuring data security and compliance, and how can organizations establish effective data governance policies?
Data governance is a critical capacity within an organization. Not only does it provide better regulatory compliance and security, but it also empowers the business to make choices in a more real-time manner and innovate in a safe environment.
It’s something that requires cross-team and cross-business collaboration and has to have a top-down agreement to be successful. To start, organizations have to measure their overall data security and privacy maturity. This provides them with a baseline and also an understanding of what their capabilities are, where their weaknesses exist, and how their employees understand data governance and how they use data.
Once you have that assessment and a real understanding of what you’re doing now and how it aligns with your business goals, then it’s about aligning with stakeholders – data engineers, architects, business owners, CISO, privacy leaders, etc. – to start looking at what the investment model looks like and how you solve those challenges because that can be unique for every business and the data that we work with.
Then, you have to decide on a framework. Ultimately, ask yourself, how are we going to define requirements? How are we going to take and evaluate new use cases? How do we do that in a repeatable way that does not hamper innovation?
This leads to the final step, which is looking for platforms that are going to help your data governance framework. The right platform can help the team get a quicker and better understanding of your challenges and apply some controls or some audits that allow you to move more methodically as you go forward versus having to do rapid, last-minute changes in the moment.
The most important thing to keep in mind, however, is even once you have a platform in place and you’ve got data governance policies in motion, there’s continual training needed to help democratize the understanding of how to use data and when to be concerned about data. Mainly, you’re trying to build an army here, right? You’re trying to take that security and compliance function and roll it all the way down to the data users if practical. This is a really long journey.
In your experience, what are the key considerations when it comes to securing data in cloud environments, and how does Immuta assist in this regard?
Security is fundamentally about risk management. When considering the cloud, it’s crucial to evaluate what specific actions you are taking within that space. For example, if you’re utilizing data storage capabilities such as data lakes, those may present significant challenges and risks compared to a single database with limited PII. Each example requires a different level of risk analysis.
Immuta, in this context, plays a vital role, particularly in the aspect of discovery. The ability to gain visibility and awareness of the existing data is paramount. Questions such as “Do I have Personally Identifiable Information (PII) in this data lake?” or “Is there company confidential information stored here?” need to be addressed. This level of visibility is crucial, and it aligns with one of the critical controls initially proposed by the SANS Institute – inventory. Understanding what you have and the associated risks is the first step.
Educating users stands out as another critical aspect of data security. Data security and privacy experts cannot monitor every transaction or be present in every meeting. Because of this, empowering users with the knowledge to identify potential risks and bring them to the attention of the team is critical. This not only informs policy development but also influences investment and funding for security projects.
After identifying sensitive data, the next step is prioritization. Immuta assists in classification, policy establishment, and the consistent application of rules across various unique data stores. Whether you’re dealing with Databricks, Snowflake, AWS or other platforms, uniformity is key. However, customers must also have a clear understanding of their risks and priorities to maximize their investment.
Considering the future of access controls, particularly in the context of evolving concepts like Zero Trust, it’s evident that simple role-based access controls may not suffice. Being part of a particular department should not automatically grant access to all associated data. Some data sets may contain sensitive information, and relying solely on traditional role-based access control (RBAC) may pose challenges. While Immuta offers attribute-based access control (ABAC) capabilities, it requires a certain level of organizational maturity to utilize effectively.
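The two points above, an inventory of where sensitive data actually sits and the difference between role-based and attribute-based access decisions, can be shown together in a small script. The following is an added example written for this page, not Immuta’s code or a description of its product internals: the tables, the PII detector patterns, the users and the clearance attribute are all constructed for illustration.

```python
"""
Added example (not Immuta's code): a toy sensitive-data discovery pass that
tags columns holding PII-looking values, followed by an access check that
contrasts plain role-based access control (RBAC) with attribute-based access
control (ABAC) driven by those tags. Every table, user and pattern below is
constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed sample tables. A real discovery engine would scan the cloud
# data platform; here the rows are inlined so the example runs offline.
SAMPLE_TABLES = {
    "hr.employees": [
        {"emp_id": "E100", "name": "Ada Example", "email": "ada@example.com", "ssn": "123-45-6789"},
        {"emp_id": "E101", "name": "Bob Sample", "email": "bob@example.com", "ssn": "987-65-4321"},
    ],
    "hr.headcount": [
        {"dept": "finance", "quarter": "2024Q1", "count": "42"},
        {"dept": "sales", "quarter": "2024Q1", "count": "17"},
    ],
}

# Hypothetical detector patterns. Production classifiers use far more rules
# plus validation; two regexes are enough to show the inventory step.
PII_PATTERNS = {
    "ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
}


def discover(tables, min_ratio=0.8):
    """Return {table: {column: tag}} for columns where at least min_ratio of
    the sampled values match one of the PII patterns."""
    findings = {}
    for table, rows in tables.items():
        if not rows:
            continue
        for col in rows[0]:
            values = [row[col] for row in rows]
            for tag, pattern in PII_PATTERNS.items():
                hits = sum(1 for v in values if pattern.match(v))
                if hits / len(values) >= min_ratio:
                    findings.setdefault(table, {})[col] = tag
    return findings


@dataclass
class User:
    name: str
    roles: set          # coarse roles, e.g. {"hr"}
    attributes: dict    # finer attributes, e.g. {"clearance": "pii"}


def rbac_allows(user, table):
    """Plain RBAC: any member of the HR role sees every HR table in full.
    This is the 'department membership grants everything' model."""
    return "hr" in user.roles and table.startswith("hr.")


def abac_decision(user, table, findings):
    """ABAC layered on the role: the HR role is still required, but columns
    the discovery step tagged as PII additionally require a matching
    clearance attribute. Returns 'deny', 'full' or 'masked' (PII columns
    withheld while the rest of the table stays available)."""
    if not rbac_allows(user, table):
        return "deny"
    if not findings.get(table):
        return "full"
    return "full" if user.attributes.get("clearance") == "pii" else "masked"


if __name__ == "__main__":
    tags = discover(SAMPLE_TABLES)
    analyst = User("analyst", {"hr"}, {})
    payroll = User("payroll", {"hr"}, {"clearance": "pii"})
    print("discovered:", tags)
    for u in (analyst, payroll):
        for t in SAMPLE_TABLES:
            print(u.name, t, "rbac:", rbac_allows(u, t), "abac:", abac_decision(u, t, tags))
```

Under RBAC both HR users see the employee table in full; under ABAC the analyst without a PII clearance gets a masked view while the headcount table, which carries no tagged columns, stays fully available to both. The decision depends on the discovery output, which is why the inventory step has to come first.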
Can you talk a little bit more about your perspective on the role of AI and machine learning when it comes to enhancing data security and threat detection?
We’re still at a point where traditional AI and machine learning (ML) have a lot of positive benefits for security teams, including, but not limited to, fraud detection, predictive maintenance, and automated risk analysis. Traditional AI and ML have a huge place in security and data tooling. As with anything, there are risks, but they seem to be much lower at this time.
However, generative AI definitely brings a lot more complexity to risk, and I think a lot of organizations are going to try to avoid that in the next year. Mainly because there are so many unknowns, including risks beyond security and legal. There’s also data quality, and how do you govern it to avoid bias? There is a lot of pre-work to safely and effectively use generative AI.
We’re going to continue to see traditional AI and ML be the most applicable and the most useful for companies over the next few years. That’s because we have huge volumes of data and a tremendous velocity of data that we need tools to help us find moments of insight out of as close to real-time as possible. How do you take 2 billion records and decide if there’s something going wrong in your environment? This is where we’re going to see AI and ML excel.
In turn, this is going to create a ton of conversation and distraction for the first few months of the year as companies try to figure out what their policies are going to be, how they can say yes in a safe way versus avoiding things that create undue risk, and just getting other teams to understand what the differences are between traditional AI versus GenAI, ML, and large language models.
That’s probably going to delay a little innovation in the beginning if companies are not really focused now on getting those policies in place and making sure that their teams can really act as they go forward. My advice is to focus on two things:
- Evaluate risk: this is how we operate as security professionals; what’s the risk to the business versus what’s the reward, and how can we enable the business?
- Determine if the risk is worth taking: Ultimately, for AI, people are going to use the technology. ChatGPT is a great example. Knowing this, organizations should prioritize getting policies in place to address how it is being used, and they should also focus on educating teams about not only the best way to use the technology but also the potential risks that exist. For ChatGPT, it should be really clear to teams what data can and cannot be inputted into it and what happens with the data once it’s inputted into the system.
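The question of how to pick the records that signal something going wrong out of a very large volume of data-access activity can be illustrated with a small statistical detector. The following is an added example written for this page, not Immuta’s code and not a description of how its Detect component works: the audit events, the z-score threshold and the list of sensitive tables are constructed assumptions.

```python
"""
Added example (not Immuta's code): two simple detections over constructed
data-access audit records. The first flags a user's daily read volume that
deviates sharply from that user's own history; the second flags the first
time a user reads a table marked sensitive. Events, threshold and the
sensitive-table list are all invented for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit events: (user, day, table, rows_returned)
EVENTS = [
    ("analyst1", 1, "sales.orders", 1200),
    ("analyst1", 2, "sales.orders", 1100),
    ("analyst1", 3, "sales.orders", 1300),
    ("analyst1", 4, "sales.orders", 1250),
    ("analyst1", 5, "hr.employees", 250000),  # bulk read of a sensitive table
    ("etl_job", 1, "sales.orders", 500000),
    ("etl_job", 2, "sales.orders", 510000),
    ("etl_job", 3, "sales.orders", 495000),
    ("etl_job", 4, "sales.orders", 505000),
    ("etl_job", 5, "sales.orders", 500500),
]

# Assumed output of a discovery/classification step (see the inventory point
# earlier in the interview); here simply declared.
SENSITIVE_TABLES = {"hr.employees"}


def daily_volumes(events):
    """Aggregate rows returned per user per day -> {user: {day: rows}}."""
    totals = defaultdict(int)
    for user, day, _table, rows in events:
        totals[(user, day)] += rows
    per_user = defaultdict(dict)
    for (user, day), rows in totals.items():
        per_user[user][day] = rows
    return per_user


def flag_volume_anomalies(events, z_threshold=3.0, min_history=3):
    """Flag (user, day, z) where the day's volume sits more than z_threshold
    standard deviations from the user's own baseline. The baseline is every
    other day for that user, so a high-volume ETL job is judged against its
    own normal and does not drown out a human analyst's spike."""
    flagged = []
    for user, by_day in daily_volumes(events).items():
        for day, rows in sorted(by_day.items()):
            baseline = [v for d, v in by_day.items() if d != day]
            if len(baseline) < min_history:
                continue  # not enough history to say what normal is
            mu, sigma = mean(baseline), pstdev(baseline)
            if sigma == 0:
                continue  # perfectly constant history; skip rather than divide by zero
            z = (rows - mu) / sigma
            if abs(z) > z_threshold:
                flagged.append((user, day, round(z, 1)))
    return flagged


def flag_first_sensitive_reads(events, sensitive_tables):
    """Flag the first day on which a user touches a sensitive table, but only
    if that user already has history on other tables (a brand-new account
    has no baseline and is better handled by onboarding review)."""
    seen_tables = defaultdict(set)
    flagged = []
    for user, day, table, _rows in sorted(events, key=lambda e: (e[1], e[0])):
        if table in sensitive_tables and table not in seen_tables[user] and seen_tables[user]:
            flagged.append((user, day, table))
        seen_tables[user].add(table)
    return flagged


if __name__ == "__main__":
    print("volume anomalies:", flag_volume_anomalies(EVENTS))
    print("first sensitive reads:", flag_first_sensitive_reads(EVENTS, SENSITIVE_TABLES))
```

Both rules fire on the same event, the analyst’s bulk read of the employee table on day 5, while the ETL job’s half-million-row reads are never flagged because they match that job’s own history. Per-entity baselines and a second, independent signal are what keep a detector like this useful at the record volumes the interview mentions; a single global threshold would either page on every ETL run or miss the analyst.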