The Actionable Futurist® Podcast

S4 Episode 4: Michael Kaczmarek Former VP Products @ Neustar on the Domain Name System

March 03, 2022 The Actionable Futurist® Andrew Grill Season 4 Episode 4
The Actionable Futurist® Podcast
S4 Episode 4: Michael Kaczmarek Former VP Products @ Neustar on the Domain Name System
Show Notes Transcript

When we think about the components that go together to make the internet work we probably think of browsers and IP addresses but there is one critical component that brings it together - the Domain Name System or DNS. It's the reason behind when you type cnn.com you end up on the right website.

The design of DNS is more than 30 years old, but still is a critical point of the internet today.

In October 2021, a misconfiguration error caused Facebook to disappear from the internet for nearly 7 hours.
 
To understand the notion of DNS better, we spoke with Michael Kaczmarek who is the former VP of Product Management at Neustar Security Solutions

Michael directed the research efforts into distributed denial of service attacks and DNS trends for Neustar working closely with the cross-functional team to publish insights on changes in the cybersecurity landscape.

Prior to joining Neustar, Michael was with Verisign for more than 18 years where he served in various capacities including VP of product management and marketing.

Prior to Verisign, he was a systems engineering manager for Lockheed Martin in charge of their Solid Rocket Motor Disposition in Russia Program.

Michael is a Ponemon Fellow and holds a Bachelor of Science in aerospace engineering from the University of Maryland and a Master of Engineering in environmental engineering from Johns Hopkins University.

In this wide-ranging discussion, we looked at 

  • How Distributed Denial of Service (DDoS) attacks are on the rise
  • How AI can be used to detect cyber threats
  • What the Internet 3.0 might look like
  • What the Facebook 2021 outage tells us about DNS
  • What to look for in a DNS provider
  • Why every business owner should care about DNS
  • The top3 cybersecurity trends
  • New threats such as API security
  • Analysis of a real DNS hack
  • Why Cybersecurity needs to concern every board
  • Three top cybersecurity tips

If you are truly digitally curious, then you will want to listen to this episode in full.

More about Michael

LinkedIn
Twitter
Neustar Security Solutions


Your Host: Actionable Futurist® & Chief Futurist Andrew Grill
For more on Andrew - what he speaks about and recent talks, please visit ActionableFuturist.com

Andrew's Social Channels
Andrew on LinkedIn
@AndrewGrill on Twitter
@Andrew.Grill on Instagram
Keynote speeches here
Andrew's upcoming book

Intro:

Welcome to The Actionable Futurist podcast a show all about the near term future with practical and actionable advice from a range of global experts to help you stay ahead of the curve. Every episode answers the question what's the future on with voices and opinions that need to be heard. Your host is international keynote speaker and The Actionable Futurist Andrew Grill.

Andrew Grill:

Today's guest is Michael Kaczmarek, who was the VP of Product Management at New Star security solutions. He's responsible for formulating the vision, defining the strategy and executing the tactics needed for the successful launch and expansion of products into new and existing markets. Michael directs the research efforts into distributed denial of service attacks DDoS and DNS trends for Newstar, working closely with the cross functional team to publish insights on changes in the cybersecurity landscape. Prior to joining Newstar, Michael was with VeriSign for more than 18 years, where he served in various capacities, including VP of Product Management and Marketing. Prior to VeriSign, he was a systems engineering manager for Lockheed Martin in charge of their solid rocket motor disposition in Russia programme. Michael is also upon fellow and holds a Bachelor of Science in aerospace engineering from the University of Maryland, and a Master of Engineering in environmental engineering from John Hopkins University. Now, today, we're going to be talking about some topics that MIT people never deal with, such as DNS, and DDoS, as part of a broader talk about cybersecurity. But for our listeners today, what is DNS? And why is it become so mission critical to protect for companies of any size,

Michael Kaczmarek:

DNS has always been described as the phonebook of the internet. Now, when you think about it, in today's terms, right now, no one gets a phone book anymore, no one pretty much even knows what the phonebook is. And a lot of respects, you don't see the big block show up at your house any longer. And you're paging through to go and find something to look at a name and find out what the number is you dial. Think about it as the the key piece that does that translation of the in the network routing information into a natural language. So in a lot of cases, nobody's going to remember that 172 217 1568 is the IP address for Google, you're just going to type in WWE google.com into your browser. And so it's it's very critical mission critical component, and it's really a primary component of the fabric of how the internet works today.

Andrew Grill:

That's fascinating. It was designed probably more than 30 years ago, and the fourth thought that the designers had back then when are printed and what have you, because they would never probably predicted the explosion of how it would work. But it seems to stood the test of time. problem though, is now we've got bad actors that are coming in and trying to disrupt things. DDoS is another term How would you describe that to my mum

Michael Kaczmarek:

DDoS, or distributed denial of service attacks are just these attacks that overwhelmed systems. So if I was this, ascribe it to your mom, I would think about it from this perspective. Let's say she's going to go out to see Manchester United, she's going to take the tube to Old Trafford, she's got no issues getting there not a problem, it's very easy. After the match, she wants to take it home. But all of a sudden, there's this mass of people now trying to get to the train. And she stuck way in the back, she can't get to the train, she knows that eventually, she'll get there. And it just takes a lot longer. It takes a lot of time until all of the other individuals get on the train, she finally gets on the train, she gets home. Think about online resources exactly in the same way that trains could be your online resources. So when there are so many requests for those online resources, eventually over time, the either the application or the pipe gets flooded with those with so many of those requests that you just can't get any good transactions through. So a DDoS attack in essence is intended to overwhelm either the bandwidth or the applications themselves, so that valid transactions never make it through. So just like your mom would never be able to get on wouldn't be able to get on the train until the bad traffic or the other traffic in front of her died down. Good transactions can't get through the city through the system or the network to be able to be processed in order for them to be taken to be handled.

Andrew Grill:

Now we've heard a lot about ransom attacks and ransomware but you say that ransom related DDoS attacks are more than a threat and ransomware and you've done some research. What did the research highlight?

Michael Kaczmarek:

It's interesting. We've started to see a lot more ransom related DDoS attacks and what a ransom related DDoS attack is simply put it's a it is extortion based camp Hane that intends to drive some level of money for not doing an attack or not doing a DDoS attack on your infrastructure. And we see about three to five of these a week that are coming through. And really what it is is is simply puts you get a note, a note shows up in your email. And typically it is your someone claiming to be one of these very large cybercrime syndicates, that then state that if you don't pay them some level of Bitcoin, they will then attack your infrastructure, and to the reference some few other attacks that they may or may not have done, just to throw fear, they then also go through and possibly may do a smaller attack, to demonstrate that they are truly that they mean business. But then most of the times, the large attack never shows up when they go away. And if they do have a large attack, then hopefully you're with your your DDoS mitigation provider who can go through and handle that on your behalf.

Andrew Grill:

So the role of the chief security officer is now becoming more important because he or she has to protect against this but also mitigate, can you use techniques like AI to predict when this is going to happen and see whether you might be a possible target.

Michael Kaczmarek:

It's interesting when you think of things like you ransom DDoS attacks, you think of the various types of deals, text AI can help in a lot of cases, because what AI can do is help discern patterns that are in the traffic and look for anomaly. So if your traffic is always on are going always under mitigation, what we call it are always going through a network or a mitigation provider. What happens is they're always looking at the traffic, they're always evaluating it. And so as a result, if you're always looking and always evaluated in traffic, you can basically profile or pattern what is considered normal behaviour, normal traffic. What AI can do and can help with is then when you start to see these allow Malays pop up, you can then make a determination of what was that? And what was its intent? Was it a blip of just some bad traffic that you don't have to worry about? Or was it someone actually testing the mettle of the system first, to see, hey, are they susceptible to this type of attack. And if that's the case, then they could it could AI can then recommend or provide an alert of which then a manager could come in or an operator could come in and put in place certain protections that could then mitigate or filter out that traffic before then it becomes a problem. So AI can help in a lot of ways when you think about it, because it can help find some of the things that you may not be able to see because of the the traffic going through the infrastructure and the amount of noise and a lot of cases that show up as a part of just running day to day operations online. Sure, so AI is actually very beneficial when you go through and think about these types of threats online and various other types of threats that occur. The when you're going through, typically a lot of organisations will put their traffic, what we call always all mitigation, they're always being mitigated as always going through the network provider. What AI can do is go through and look at the traffic continuously analyse it. And then if it sees anomalies, it can identify those so it can flag it very quickly alert, then an operator and that operator can then go through and put the appropriate mitigations in place. With without AI in a lot of cases you're looking because AI can help profile the traffic when you think about it, it can get it can get a baseline, it could say this is what we expect your normal traffic to look like anything beyond that then could potentially be a threat. So without it, in a lot of cases, you're now dependent on the operator and their eyes to go through and possibly see these anomalies and potentially pick them up. And in a lot of cases they will in a lot of cases they may not. And in those situations, a lot of times these little blips that pop in are sometimes a bad actor testing the mettle of the system, looking for a threat.

Andrew Grill:

We mentioned that the DNS protocol has been built into the internet for 30 plus years. So maybe it's time for an overhaul. What does the internet 3.0 look like? Is it all sitting on a blockchain?

Michael Kaczmarek:

What's the future of the Internet look like? So it's interesting question. A lot of people have speculated about that. And I've also speculate on the fact of is blockchain one of those items that also comes into play? DNS and blockchain are very well suited to each other when you think about it. And if you actually rewind back and look at the way the internet used to operate way back in the days of the ARPANET before the DNS infrastructure, the domain name system was put in place. It pretty much ran Unlike a ledger, there was a host dot txt file that was continuously updated on a daily basis, maybe even twice a day, they would add in IP addresses and then a host a name that was defined for the natural language of how to find that IP online. But the problem came is that that ledger got so big that it couldn't be actually maintained and distributed on an every day, it would take too long to get it out to everyone. And as hosts were being added so much, it became just overwhelming to manage. So aim comes pomoc, a Pietrus, back in 1986. And he proposes DNS, the domain name system infrastructure, which provided a nice hierarchy, a very simple, clean way to manage this and allow organisations to handle all the various other hosts on their back end without having to distribute this file. So now you fast forward to blockchain technology. And you think about and say, well, DNS and a ledger, which takes a registry in new DNS runs with a registry provider, a registry is a very centralised group that people do a look up from on how to find their DNS. And they distribute that file to a number of sites that around the world that they host. Well, now, if you think about blockchain, if you add DNS and you put an entry into DNS, and that entry becomes in the ledger, and then as part of that ledger, it's validated, you can look it up and it's decentralised, even essence, going back to something that was done 3530 or 40 years ago, but has high applicability, because it can maintain ever it's decentralised number one, it can distribute around very quickly, very easily. You don't have to worry about a single point of failure as well potentially impacting. And if you think about there are some groups like Aetherium is doing this right now with the dot eth top level domain, which you can't get to unless you configure a second route in your system. And then also another group like namecoin is trying this out to use DNS and the blockchain technology use blockchain technology with respect to management of DNS, as well as the management of their coin. So it's, there's a lot of possibilities with it. But I think that the systems we have today, when you think about Internet routing, you think about TCP IP, you think about DNS, they're so ingrained in everything that we do. It's just it would be it's so difficult to rip and replace. So you have to manage maintain from worry or you, there's there hasn't become a problem significant enough, like what happened back in the, you know, 35 years ago, 40 years ago of distributing a file that makes it difficult to say, Oh, my God, we have to come up with a new technology to replace DNS. It's pretty, it's pretty resilient when you think about it. And it's, in essence, it's it's almost elegant in its design, and how well it stood the test of time.

Andrew Grill:

So you make a good point that DNS is kind of hidden, but it's now so important. And even though the last few months, consumers have become aware of how the internet can break, Content Delivery Network CDN, there have been a couple of outages there where websites just stopped working, and everyone thought have they been hacked. And more recently, our friends at Facebook had some issues as well. Now, we may never know exactly what happened there. I'm sure they're doing a lot of root cause analysis. But are those good examples to highlight how important this infrastructure is to everyday life?

Michael Kaczmarek:

Facebook is an interesting example, because it demonstrates how intertwined everything is as well. So what we know from a Facebook perspective is the fact that there are a lot of routes fell offline or may have been deleted, may have been pulled, not 100% Sure really don't know Facebook hasn't disclosed exactly what occurred. And that's true could have been a process failure for when it could have been a fat finger. Regardless, a lot of routes disappeared on the internet. And when the routes disappeared on the internet, it means now all of a sudden, you can't get to that location online, will now take that further, people initially thought that this may have been a DNS issue. Well, DNS has a thing that's kind of built into the protocol that's configured is what's called it's called negative caching. And so what happens is really what that is, is that says, hey, I'm going to go look for a site, and I'm going to go look for an answer. And if I don't get an answer to that location, then I'm going to wait a prescribed period of time to try for that answer again. And when that happens, it then decides that the current answer is no longer valid. I'll wait again and I'll test again and if I don't find it, I'll just continue to serve up no answer until I now get an answer back. So then when you go through and you start looking at the DNS and you start doing digs around that to find out what weight is are there is there DNS down you get no response, you start to wonder, was this a DNS problem? It is opposed to a networking problem. And a lot of people don't understand how intertwined these two things are. That one can have an impact on the other very significantly. And so the Facebook issue that occurred, made it, it kind of, oh, you raised a lot of this stuff that says, hey, you know, the these systems are very much dependent on each other. And unless you have a good understanding of how they both work, and how they all work, you're going to find yourself in a situation possibly chasing the wrong problem,

Andrew Grill:

as Google and others are now looking at all sorts of signals to rank sites, speeds become an important factor, not just the speed of the website, and how fast queries get back. But also, now do you believe that DNS speed is a decision factor? Or do you believe all DNS servers are pretty fast these days?

Michael Kaczmarek:

You know, what's interesting with DNS is we call it the holy trinity of decisions, right? It's performance, which is speed, its availability, which goes into uptime, and then it's the security. So speed isn't just the, the one factor speed does come into play, because people will immediately go through, will check on, you know, various sites and say, Well, who is the fastest provider that's out there, and then they will start from there. The things that the non, you know, savvy user will come to the realisation is that, if I'm running on that website, or I'm using that performance engine to test, well, some of these providers also host those performance engines. So literally, that servers sitting right in their network, that doesn't make them the fastest, it just makes them the fastest for that site. So you have to look into account performance you have to look into and when you're looking at performance, what is the global footprint? What is you know, how far how diverse are they with respect to geography and serviceability? You should look at availability, what is their performance over time? How long have they been up? Do they offer 100% SLA for availability? And then what do they do from a security perspective? And how do they do they can they support things like domain name security or Domain Name System Security, can they they have tools in place that can ensure to protect from things like domain hijacking and account authorizations or controls that manage the API's and API requests API is a lot of different factors should fit because you go in before choosing a DNS provider, and it shouldn't just be speedy, a lot

Andrew Grill:

of people listening to this probably don't even know what their DNS provider is. They're probably using their ISP, which is hard coded in there. They may be using a public DNS provider like yours, or Google or CloudFlare, or one dot 1.1. And one of those I hate because I'm a geek, I use my own I hosted on on one of your competitor sites. I've got some control over that. But should the average small and medium business actually care about DNS?

Michael Kaczmarek:

Oh, yeah. And if you think of it, because as we've mentioned, it's so ingrained in everything you do, DNS tends to be the one piece for especially for small and medium business, that's a sedative, forget it. In a lot of cases, you when you think about DNS, DNS is another one of the applications or tools that a your IT guy has to manage in a small company. So it's they're managing that they're managing Salesforce, they're managing your ticketing system, they're going through and dealing with your PC and the operating system. It's one of, you know, probably 50 applications, they're having to maintain and manage on a daily basis. And so DNS sometimes tends to be that one system that they'll configure Active Directory, they'll put their domains in, they'll turn it on, they'll punch it, PUNCH the enter button, and boom, let it go. And they don't really go back and look at it until they have a problem. And in some cases, they also don't do appropriate hygiene around the DNS, they may stand a website up or microsite up for let's say, a campaign, but then never turn it back down. So there's things that they do that they're doing to you, because they know they have to get it done. They have to flip it on, but they're not necessarily keeping it up to date. So DNS is just is, you know, we've talked about, it's critical to the fabric of the internet, you've got to make sure that you're at least giving it some level of attention beyond just well, I've set up my domain name I've turned it on and it appears to be working, let's leave it alone. And don't touch it. Now you got to go back in and keep looking at it. You know every once in a while to make sure that things are still functioning the way you would like.

Andrew Grill:

So this is a really specialised area even though it's sort of set and forget you need to know what you're doing. So what career advice would you give someone who is looking at going into it going into technology? Where are the hot areas and where would you suggest someone should focus if they were looking at a career in this this space?

Michael Kaczmarek:

Cybersecurity is always is a hot area. When you look at everything that the analysts are telling you there's going to be probably two to two and a half million available jobs by 2023. In the industry, but where I would recommend a lot of people vo always get enamoured. You know, these days with I'm going to build up, I want to be a programmer, I want to write code. And that's great. That you know, to go into, but if I, you know, I tell people and I, you know, if people ask me, where do they think should go into networking is probably one of the best areas in my opinion. And the reason is, is that there's, I find these days that are very few people who truly understand how the network's work. And if you understand that component, the true backbone of how the internet and how things online work, you understand networking, you'll understand routing, you'll understand DNS, you'll be writing code, you'll be writing scripts, you can pretty much then write your own job from that point on, you'll be extremely valuable, because very few people truly understand how the basics work, and how it all interacts together. And those individuals are extremely valuable when you look at those them in the marketplace these days.

Andrew Grill:

So you mentioned that cybersecurity is hot. So what top three cybersecurity trends should we be looking for

Michael Kaczmarek:

the things that we're seeing, and that year, at least we're talking about around cybersecurity are number one, these ransom DDoS attacks, they're not going away. And we're seeing more and more of these and primarily because of the fact that they're so easy to do and to launch, because you can, you just have to go get a booter stressor, you send a ransom note, you pop off a short attack and hope that somebody pays you. And if not, well, then you just go to the next guy, you don't have to social engineer, you don't have to crack into a website, you don't have to try to get your software I'm planning to do so much that sometimes ransomware takes to get to to run a ransom DDoS attack. And because we're seeing so many more of these letters coming in, we expect this trend to continue 22 The second thing is more targeted DDoS types of attacks and not just targeted towards organisations but targeted towards the individuals. When you think about the hybrid workforce that we're we're in now that you could COVID and Pandemic accelerated. They say that the way we would do business six plus years, 10 years. So this isn't going away. But these attacks are going to change from targeting a large organisation or large building your large corporation to starting to target what we call a small islands of security. They're going to look for individuals potentially, you know where high valuable into high value individuals and target their home. In some cases, you're going to start seeing protections possibly down in those areas. And then the third comes in around API security. API's are really the key fabric of how things communicate online. Everything that happens happens across an API, an application programming interface. So your online website, your phone, app, etc, will communicate to something else across an API. API security is key beyond when you're looking at things like bots, and you're looking at various types of attacks. If you can attack the API, and you can stuff credentials, or you can go through and masquerade as someone else you can get into the system, you can wreak havoc, more and more attacks are going to happen at the API layer. And that infrastructure that we see as opposed to just trying to take down the you overall online presence. And because of the fact that so many of these are intertwined, you may make a call to the web server to serve up the content, but then have to make another API call on the backend to pull the content that you're you're want to display or ads or various other things. The API's themselves are another area that is going to be a key focus in 22. Yeah, the

Andrew Grill:

API thing is a really new threat. I run a WordPress instal, I've got a bunch of security systems on there. So I can see live traffic even before we came on, I got an alert that there was a high rate of attacks, I went on there and I saw where people are trying to attack and what they're trying to do, and it was being mitigated, but I know what I'm doing. So the average person probably is oblivious to the fact that their websites being attacked all day, every day. You made an interesting point. Now with distributed workforce because of the pandemic, we've got more people working from home more often. And you mentioned rightly, that we're seeing key individuals who are being targeted. So how important is two factor authentication and password management as that last mile of cyber defences for any organisation?

Michael Kaczmarek:

It's huge. And you think about this and I'll put it in a perspective of I'll I'll throw a quick story in of what happened to a friend of mine about Two months ago. So multi factor authentication, two factor authentication, credential management, any one of these things around account hygiene is essential in cybersecurity, someone can get access to the credential, or they can pop the system and get access into and get collect a number of credentials. They can wreak tonnes of havoc, they can have their way. Think about it from a domain hijack. If I have access, if I get the credential, to your DNS system, or to your registrar who manages your DNS on your behalf, or even, let's say your Managed DNS provider, I now can go in and redirect, I can make changes to that DNS and I can redirect you to another location, I'll give a simple story that kind of puts us in perspective for just an individual. And you can think about it from a corporation. So I have a friend, he's tech savvy, he's running his own domain, text me in the middle of the night. It's around like midnight, freaking out that someone has hijacked his DNS. Everybody's gonna sit there say, oh, somebody hijacked your DNS, no big deal. What you don't realise is that your DNS also manages your mail. And you can redirect mail. So what somebody did was they went in their popped his provider changes, mail settings, so that they weren't only just sending mail to him, they were sending mail to a bad actor to their site. They're going in and they're flooding him with tonnes of spam. He's not 100% sure what's going on until he realises all of a sudden he's seeing money disappear out of his bank account. Well, if you own the DNS, you go in there and you change and you reroute mail, you can then go into the bank and say I forgot my password. And guess what happens when you say I forgot my password? You say send me an email, you get an email. Well, now the bad actor is looking for the email. He now goes in and geyser he goes in and changes your password. And then he starts moving money away. We got him back online fixed all this DNS, we switched him over to a different provider got things stabilised, that he got his money back. But this is a small case that says with an individual, think about that happens now put this in perspective of a very large organisation. Somebody pops your DNS, reroutes it to somewhere or even watches and mirrors it. You can the things that can happen and that problems that it can cause online are immense. So when we go back about multi factor authentic Rewinding back to your question about multi factor authentication, it's critical to always go through and make sure that you're you implemented some form either through a various authenticator, Google Authenticator, Microsoft authenticator, you name it, Okta, a different different one, heck, even even your basic SMS, texting, text me a code before making a change is better than nothing. Make sure that you're going through and cleaning out old accounts, make sure that you're watching that who has access to create accounts, that they're not creating child accounts that potentially could be things that are could be a bad actor on there. Keep track of all recovery emails, potentially they're on there, make sure they're you try to keep them from being personal emails that are set up. tonnes of stuff that you've got to do when you're looking at this, but your multi factor authentication account hygiene is essential when managing cybersecurity. It's, you know, one of the first things you should do right off the bat. You'll give

Andrew Grill:

me some more anecdotes later this morning. I'm talking to a group of lawyers and one of my public service announcements is about two FA there's actually a website to FA dot directory, which lists all the well known websites, whether they have to FA how to turn it on and those sort of things. And just mentally thinking I have all of my registrar's and all of my DNS providers also have to FA turned on so I'm not immune to being hacked, but it's just a bit harder. So I'm glad I'm practising my medicine. They're just on the theme of cybersecurity and the risk and the threat. Our boards now seeing the risk of cyber to their business, do you think,

Michael Kaczmarek:

oh, without a doubt, and it's a key topic on the on board meetings because cybersecurity and released, the security of your organisation is critical to your revenue. It's critical to your reputation and it's critical to your brand. You end up in any one of those situations where someone has either stolen information has published it online has been able to compromise the system creates concern in in your consumer. And as a result questions the brand calls into question then your ability and your resilience to maintain an online presence. And then or even protect your data and your information. And as a result, customers then tend to go elsewhere, which then impacts revenue. It is a key topic at board meetings. This the amount of span the amount of risk that they're willing to assume. And the amount of risk that you're you're you're taking either mitigating all of those are topics now at board meetings. And so the CSO, and that role is become a very critical component with respect to an organisation. So cert, the CSO be sitting on the board, that's going to vary with respect to various other organisations. But I do believe a CSO should be an independent individual within the company. And the reason is, is that the CSO is the one person who can hold everyone in the organisation accountable. It's it will hold. The CSO will can hold engineering accountable for best coding practices, they will hold the operations team accountable to ensure you're maintaining patch levels, good account hygiene, good operations, etc, ensuring security, they hold product accountable to make sure that you're not compromising critical fixes for other things that need to get done. Within, you know, within the product lifecycle in the product roadmap, they're going to hold HR accountable to make sure you're protecting the data and you're protecting individuals information, finance to make sure that you're not leaking sensitive information, every part of the organisation is subject to controls around cybersecurity and protecting some level of information or the systems or the business as it is. And so a CSO is a very critical role, because they need to make sure that they're defining the processes, and defining the standards at which the organisation is going to to adhere to and making sure they hold them accountable, he makes

Andrew Grill:

some really good points, there's not just the reputational risk and what consumers might feel about a brand that leaks data in my part of the world. GDPR rules show that if you don't mitigate a data breach, and you're found to be liable, it's actually 4% of global revenues, they'll find you. So it becomes quite expensive to to not look after your data, it is

Michael Kaczmarek:

a key thing and is a key word with respect to it's not only when you think about it about managing the data within your organisation, so someone's HR records, or someone's personally identifiable information. But then also think about it from a product perspective with the data that you're collecting tonnes of data with every product that's out there. And so it's a matter of you have to think about how do you put privacy first, when you're developing products when you're developing and coding and how you're managing that? Because every one of those pieces becomes a critical component with respect to how are you going to service a product? How are you going to use the data that you're collecting to provide to create artefacts that you could potentially sell and manage that are not going to expose? Let's say someone's PII personally identifiable information? That's not going to put the company at risk? How if you find PII? Do you delete it? Do you manage it? Do you protect it? Do you ensure that now you're complying with regulations? These are all things that over the last five plus years we've all had to work with when GDPR coming out, you've got CCPA here in the United States, there's a number of new regulations that have shown up, all of which go around the fact of managing and end users data. But it's interesting that we have a saying on the product side of the house that says if the products free, you're the product. And why we say that is the fact that it's you're giving away you always give away some piece of data or something, you have to be careful about. Why would something be free if they're not using something else that you're providing them to monetize and gain data? And you know, could it be ads? Could it be click throughs. But could it be the information you're actually having to give to get something in return? It's a very big thing. I think it's good legislation. I think it's good because over time, it's going to allow us on the product side to create more products that are protecting the end user and protecting individuals but also ensure that we're doing things that are in the best interests in the long run.

Andrew Grill:

That saying about the value exchange the one I use is the product is free. The product is me path is a great one. almost out of time so what I have with all my guesses I run you through a quick fire round a quick answers a good answer iPhone or Android.

Michael Kaczmarek:

I use iPhone,

Andrew Grill:

PC or Mac.

Michael Kaczmarek:

Your biggest hope for 2022 I think that I can stop wearing a mask when I walk around. The fpu

Andrew Grill:

is most on your phone. Uber Eats What are you reading at the moment?

Michael Kaczmarek:

I'm actually rereading 1984 by George Orwell,

Andrew Grill:

final question in the quick fire round. How do you want to be remembered?

Michael Kaczmarek:

As a great question? I'd actually like to be remembered as someone who's helped others be their best not just me be my best.

Andrew Grill:

So as this is the actionable futures podcast What three things should our listeners do today when it comes to protecting themselves and their company from attacks? Great

Michael Kaczmarek:

question. I think one is you have to be your organisation Should make sure they're being proactive. Don't just look at cybersecurity as being something that you can do later that you can deal with that in the event when something happens, I'll take advantage of be proactive with respect to security. The second thing I would say is go through and make sure that you're understanding you're protecting what's most important to you. There's various systems services, tools that are out there that are going to protect various parts of your infrastructure, even your infrastructure, whole look to the most important parts of your infrastructure, and make sure you protect that first. And then the third thing I would say is, be prepared. Look, be future proof. Don't focus on just the here and now the issues you have today. If you're looking at security holistically, meaning being proactive, if you're then looking at what's important to your business, you can then put the tools and systems and pieces in place that are going to help you be prepared for the future threats that are going to happen not just the ones that are here now.

Andrew Grill:

Macula fashion a discussion today. How can people find out more about you and your work?

Michael Kaczmarek:

You can go to www dot new star.com to look for the stuff that we're doing online or you can look me up on LinkedIn and Twitter. I'm at MGK CZ.

Andrew Grill:

Michael, thanks so much for your time today. I really enjoyed the discussion and stay safe online.

Outro:

Thank you. You too. Thank you for listening to The Actionable Futurist Podcast. You can find all of our previous shows as actionable futurist.com. And if you like what you've heard on the show, please consider subscribing via your favourite podcast app so you never miss an episode. You can find out more about Andrew and how he helps corporates navigate a disruptive digital world with keynote speeches and C suite workshops delivered in person or virtually at actionablefuturist.com. Until next time, this has been The Actionable Futurist Podcast