Hi Tom. Tell us about the exciting journey you had in the Security industry. How did you arrive at MediaPRO?
Like so many in the “human side” of cybersecurity, I came in through the side door. After earning a Ph.D. in American Studies at Purdue—and with no interest in staying in academia—I started a book packaging business with my wife. We acted as Managing Editors for specialized encyclopedias, and I also authored six or seven non-fiction books for middle-school and high-school age readers. But book publishing went to hell starting in the early 2000s—thanks to Wikipedia and Google—and I joined MediaPRO, which was building custom web-based training for enterprise clients.
We soon saw there was a growing demand for widespread training in security and privacy, and out of that was born the solution we offer today: a deep library of training, videos, posters, articles, and games, plus a phishing simulator, an LMS, and other tools to support content configuration and customization.
Everything I’ve learned about security and privacy I’ve learned on the job, interacting with colleagues in hundreds of companies who have sought our assistance in reducing human risk. For me, there’s a single thread that ties it all together: I’m fascinated with the ways people learn, and with the challenge of making complicated things simple.
We are living in a very complicated internet era. What are the unique risks that enterprises and individual consumers are susceptible to?
Complicated indeed, and it just got more complicated with this little pandemic that has settled on the world. Truth is, while a lot has changed as a result of the pandemic, there’s a lot that’s the same.
Both enterprises and consumers face similar threats: cybercriminals, nation-states, and insider threats. The most prevalent threat to most of our customers is cybercriminal activity, targeting both enterprises and individuals, and the aims are purely financial. They’re looking to acquire credentials they can sell or to convince people to give up financial assets. Nation-state attacks and insider threats are more of an enterprise concern.
But let’s not overlook another important “threat”: human error. Whether it’s a Sys Admin neglecting to configure the settings on a server correctly and allowing a breach, or an individual failing to use unique credentials and having their credit card data stolen, human error is a big source of risk for everyone.
These risks are all still there in the pandemic, but they are exacerbated by the fact that so many people are now working in home environments which may not have the same level of hardening or protection as corporate environments. Individuals are now in charge of their IT infrastructure like never before and that’s a problem that’s keeping a lot of InfoSec and IT people up at night.
What are the business challenges that MediaPRO solves?
MediaPRO has a role in helping companies protect against all the threats I noted. We empower companies to thrive within the uncertainty of the digital world. Message by message, action by action, employee by employee, we engage and inspire people to protect each other and their organizations.
How does MediaPRO actually prepare institutions in their perennial fight against security and privacy attacks?
We provide companies with the content, tools, and services to equip employees to protect themselves and their companies against these threats.
Whether it’s phishing simulation to prepare people to recognize the attacks coming into their inbox at work and at home, training on the full breadth of attacks they should expect and prepare for, or ongoing communications that build confidence in their own ability to identify and thwart attacks, we empower individuals to do the right things.
What can MediaPRO do for a mid-sized US-based SaaS company? What unique security threats are common to this landscape?
SaaS companies face many of the same threats as other companies, but they have the added challenge of building a customer-facing system, their SaaS environment, that must be hardened against these threats.
That means that everyone in the company – Developers, Product Managers, Sales and Marketing, executives, etc.—must understand and support the importance of secure application development practices and efforts like security and privacy by design.
Could you help us with the most contemporary definition of Privacy Culture?
A privacy-aware culture understands that customer and employee data is a critical asset to the business, and that understanding is reflected everywhere in the organization, from the clarity of its public-facing privacy statements to the acumen with which customer-facing representatives discuss personal information with customers, to the data minimization techniques that developers build into software.
You’ll recognize a privacy-aware culture when you find that most employees can explain how protecting data matters in their part of the job.
How has the business world evolved post-GDPR and CCPA?
I think these regulations have brought a really healthy focus on what it means to handle personal information—what it means to collect, store, process, and then delete information. It’s also shifted our attitudes about who “owns” the data that is collected in favor of the consumer, giving people more control over their data.
Nobody puts money in a bank with the thought that the bank can do whatever they want with their money; they expect to be able to see where their money is and withdraw it when they want to. These laws impress a similar dynamic on personal data, and I think that evens the playing field from past practices.
Now, it also means that businesses have a bunch of work to do around their business processes, and that feels like a tax on the business. But for me, it feels like a correction that is long overdue.
COVID-19 has exposed data privacy issues. What kind of measures would MediaPRO propose in such a scenario?
Oh boy. What an explosive issue we have here, and we’re so early in this that there are no definitive answers. Pre-COVID-19 we had grown used to the idea that unlimited data sharing was fraught with risk and that we needed laws like GDPR and CCPA to protect us from the perils of data sharing.
Today, it may be that the widespread sharing of data—intensely personal health data, testing data, and location data—is the only way to make safe the “return to normal” that we all long for. BUT, we’ve grown suspicious if not downright paranoid about the risks of sharing such data, and we fear what could happen if that data falls into the wrong hands.
If nothing else, COVID-19 is only going to increase our collective awareness of the risks associated with sharing personal data and the work that needs to be done to ensure that the data is collected, handled, shared, and deleted appropriately.
For entities collecting data, it becomes critical that you can demonstrate your ability to protect any data you collect and earn the trust of data subjects, and for individuals, you must develop the skills to make wise choices about where and how you will provide access to personal information. Make no mistake: we’ve all got a lot to learn to get this right.
Tell us more about your educational programs and how young professionals can leverage these to become security experts.
Our solution is designed to support education across companies and typically includes a mix of required and voluntary content.
Our educational programs are designed to support a company’s goal to create a security- and privacy-aware culture, and that means that we provide a variety of content in a variety of formats, from “conventional” training to funny videos to games to posters.
Awareness program managers use this content to educate their employees and typically use a variety of measures to evaluate whether they are making an impact.
Tag a person from the industry whose answers you would like to see here.
Gabriel Friedlander, Founder of Wizer.
Thank you, Tom! That was fun and hope to see you back on AiThority soon.
Tom Pendergast is the Chief Strategist of MediaPRO’s Adaptive Awareness Framework, an approach to solving an organization’s human problems in security, privacy, and corporate compliance. Tom’s work focuses on identifying the nature of human awareness challenges then developing education programs targeted at bringing about real changes in behavior. He’s a self-described learning nerd in the areas of privacy and security.
Tom has a Ph.D. in American Studies from Purdue University and is the author or editor of 26 books and reference collections. Outside of work, Tom enjoys trail running, climbing mountains, and spending time with his family.