Data Security’s Uncertain Future: What You Need to Know – Futurum Tech Webcast

On this episode of the Futurum Tech Webcast – Interview Series, I am joined by Rubrik’s Steve Stone, Head of Rubrik Zero Labs for a conversation on data security, understanding what role AI plays in data protection, and the importance of data visibility.

Our discussion covers:

• An introduction from Steve Stone as Head of Rubrik Zero Labs and a brief background on how Rubrik Zero Labs came to be
• The role AI plays in data growth
• How organizations are keeping up with data protection and the importance of data visibility
• Key strategies and recommendations cybersecurity leaders can take from Rubrik Zero Labs’ new report

You can check out the Rubrik Zero Labs Report here. To learn more about how to become cyber resilient, register for the Rubrik Zero Labs Summit: The Journey to Secure an Uncertain Future here.

Watch the video below, and be sure to subscribe to our YouTube channel, so you never miss an episode.

Listen to the audio here:

Or grab the audio on your streaming platform of choice here:

Disclaimer: The Futurum Tech Webcast is for information and entertainment purposes only. Over the course of this webcast, we may talk about companies that are publicly traded, and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors, and we ask that you do not treat us as such.

Transcript:

Daniel Newman: Steve Stone, Head of Rubrik Zero Labs, joins me here today to talk a little bit about what’s going on, some new reports, new data, and we’re going to talk about cyber resilience and so much more. Steve, great to have the opportunity to sit down with you.

Steven Stone: Thanks for having me. I’m really excited for this.

Daniel Newman: So give us the background. Tell us a little bit about Rubrik. Give us a little bit about your role as the head of the Rubrik Zero Lab and how Rubrik Zero Labs came to be.

Steven Stone: So really kind of starting off, what we’re really here to do as Rubrik, Rubrik’s goal is to make organizations more resilient by safeguarding their most precious commodity, which is data. We really view everything through the lens of data. So as we look at that larger Rubrik mission, what we do here in Rubrik Zero Labs, we’re your fairly typical threat research element you see at a lot of security companies. Our job’s pretty straightforward. We’re here to understand and prioritize the threat landscape and then convert that to actionable decision points. And our focus is also on data just based on what our parent company in Rubrik does, and that’s what we’re here to do.

Daniel Newman: Such an important role, such an important thing for security companies to be focused on evaluating threats, helping their communities to deal with the rising threat surfaces. And of course, having had conversations across your organization, including with your CEO, Bipul, I can sense the company’s dedication to helping its customers identify and deal with the growing threat landscape. Now this is the third state of data security report since the inaugural RubriK Zero Labs last November. Am I right?

Steven Stone: That’s correct. This is our third one.

Daniel Newman: So talk about how this report differs from the past.

Steven Stone: So what it really comes down to is as we at Zero Labs have really tried to do what a number of other cybersecurity organizations do, which is look at our data, speak with the right leaders in our space, and then put together what we think is an appropriate research topic, those things that are very traditional in cybersecurity, as we started doing those inside of data security, we found that there’s not a lot of really good tangible touch points. So we really had to kind of step back and say, “Let’s put some of those touch points out there in real meaningful ways.” So with that lens, the first report we focused on, what are the impacts to people? As we do data security, how is this impacting our teams, our leaders, our operations? Then with the previous report that we did, we focused on what do we think are some of the important ways to approach data security. How much data are we actually securing? What kind of threats is it facing and what is able to be prioritized inside of that larger topic of data security? And all of those in the last report really with an eye on where are things at today. And what’s been interesting with this newest report, the one we’ve launched this week is we basically took the key findings of that last report and we went to the left and right of that, meaning we basically said, here’s where we’re at today. We wanted to answer this very basic question of is data defensible? In 2023, can we defend our data? So we looked back several years, we understood the trends that got us from yesterday to today, and then we took those same trends and extrapolated them one year and five years forward to say, let’s now answer that question, not just can we defend data today, but this path that we’re on, we’re heading the direction, where is that taking us? And that really became the central premise of this most recent research effort.

Daniel Newman: Yeah, so first of all, appreciate the backdrop. At Futurum Group, we do a lot of research. We have our own data and intelligence sets as well, and one of the observations that had come out of your previous reports into your future reports matches pretty closely with what we’re seeing, and that’s obviously the exponential rise in data. Now I’ll be candid, I think you’d probably agree with me, Steve, I don’t think we need to do research to know data’s grown. I think if you just look at the workloads and the demand for data, we probably can tell somewhat straightforward that the growth of data is substantial, but it’s getting exponential. And in fact, AI probably has been one of the biggest drivers. I’d love to talk about what you’re seeing in terms of the role that AI is playing in data growth and in particular in the growth of data related to being able to build a meaningful cyber resilience strategy.

Steven Stone: There’s a ton there. We could have an entire conference on just that topic. So I love that question. What I’d say is the first thing is how AI contributed to where we’re at today. One of the things as we went back and looked at how did we get to our current state, and you’re absolutely right, I don’t know a credible research element, which is not saying data’s growing exponentially. We’re just, in essence, arguing over exact numbers and edge cases. We all agree on the directionality and the speed. So one of the things that we’ve been asked quite a bit is how do we get here? And that’s not exclusively because of AI, but AI is a good example of we’re looking for these capabilities in a modern enterprise and they’re completely relying on massive data sets. There is no AI without big data. There’s just not. And then conversely, you really can’t understand and utilize big data without AI. These things have become intrinsically linked. So AI is part of how we got here. It’s one of several types of data sets that have really grown dramatically. But I think of all of those data sets, IoT, wearables is a good example, AI. AI is going to be uniquely suited as we move forward to help us be much more resilient, to help us understand what we’re doing and what we need and what we don’t, and really get after a bunch of those things.

Daniel Newman: So with this in mind though, and apologies, one of my best traits and worst behaviors as a moderator and as an analyst is I ask questions that have 17 parts. So one of the parts-

Steven Stone: You’re preaching to the choir. I’m multi-part Steve.

Daniel Newman: That’s good. So I had a part that I want to make sure you double click on here though. The relationship with this exponential data and AI to what you’re trying to do in data protection, cyber resiliency, the proliferation of AI, of digital transformation, of big data, of data platforms by the way of threats is way faster than ever, but resources haven’t necessarily scaled at that same exponential rate. So can companies keep up? Are they keeping up in terms of what you’re seeing at Rubrik Zero Labs in terms of dealing with data protection and cyber resiliency?

Steven Stone: The analogy I would give as part of that answer is 7X versus 7%. And what I mean by that is we’re seeing data growth at 7X within five years. An organization’s data is going to increase sevenfold in the next five years based on this exponential growth we’re talking about. If we now pivot to analyze data security and its posture, it’s one of the things that we do at Rubrik and we look at it objectively to measure larger trends. That data security score that we assign, and it’s done by the machines, it’s not a questionnaire, it’s not people talking. It’s an actual objective measure of environments, that’s only going to increase by 7% in the next five years. So we’re talking 7X on one hand and then a very incremental 7% increase in data security. So I think the short answer is no. We are not heading in a direction where the growth and the efforts to secure it are going to line up, which I think leads to why we’re going to absolutely need technologies like AI, in particular generative AI. That technology is well suited to go through very large data sets, understand key trends, understand what’s being used, what isn’t, what’s critical, what may not be as critical, and help prioritize those things when we’re going to have not as many resources as we want, not as much budget as we want, and far more data to control than we want. So technology is exactly like AI are going to be, we’re either going to use it to get out of this or we’re going to stay in this situation. I think it’s going to become just that simple.

Daniel Newman: Yeah, I think you’re absolutely right. And by the way, I love that analogy. There was one I used to use on the customer experience side, I called it the 88 rule. You said the 77, I did the 88, and it was that 80% of companies believed that their products are truly differentiated, but only 8% of consumers or customers did. These are the kind of what I always call, it’s the gap, mind the gap. If you’ve ever been to the UK, mind the gap, the gap is often in terms of we live inside these vacuums. Well, security is a big vacuum at times, and the people that are fighting the fight on the fronts really do tend to understand this stuff. The people approving the budgets and in the boardroom often kind of look at it more like an insurance policy, like, hey, what’s the least we can possibly spend to be secure? And as we know, it’s really not an if you’re going to deal with security or a breach, it’s when. So it’s kind of funny that we’re still having this conflict at times. But listen, I guess it’s until you’ve seen the impact firsthand, it was like when your dad tells you to do something or your mom and then you had to mess it up. First you had to touch the stove before you actually realize maybe I’m not going to touch the burner again. That seems to be a lot of company’s strategies with cyber. It’s like, well wait until it’s completely broken or until they get ransomware or something like that. Hopefully what you’re doing in Rubrik Zero Labs can help with this. By the way, it’s also a data visibility challenge. So you can have the tools, you can have the technology, but I think it was in your data itself, you said 98% of the external organizations believe they currently have significant data visibility challenges. So we talked about exponential data. I’m guessing that’s the root cause, the exponential nature of data, the disparate destinations and where data exists. But I’d love to get your take, Steve, on how you are advising organizations, or at least what you’re seeing organizations do successfully to improve visibility.

Steven Stone: So I think there’s a few things. I think the first is understanding how visibility relates to decision making. And I know that’s not a technology, I know that’s a very base answer, but it’s true. You’ll make as good of a decision as informed as you are. I come out of the service, I come out of the US intelligence community where those are vital things. You want to be as empowered and informed before a decision is possible. And I think in the private sector in all things that we used to consider IT, we’re learning those. We’re learning how to leverage that capability. So when we talk about how to actually improve it, I think the very first test is, does your visibility match all aspects of your hybrid environment? And I say hybrid environment fairly confidently, and I think that’s one of the first challenges. We tend to think and talk about an organization as having an environment. That’s just not true anymore. And we can argue if it was ever true, but it’s not today. Organizations have a mix of on-premises environments, plural, we talk about cloud, but we actually probably mean multiple clouds per organization. And then we’ve got all these SaaS applications that we’re using more and more and more in our businesses and our operations. So the first question we always ask is, can you see across all three of those elements of your hybrid environment and then can you bring that visibility together? And I made that sound really easy, and it’s not. It’s actually technically very challenging, but that’s the first step. Have the same level of visibility across all of the places you’re operationalizing data.

Daniel Newman: And so I’ll give you a little bit more on that by the way. Digital transformation, kind of a buzzword, right? You’d agree with this. But we’ve studied this extensively. I’ve written seven books about it in AI and human machines as well as transformation. And what I’ll tell you is we found that the technology is rarely the cause of failed transformation efforts. So when you kind of gave an example and you said it sounds maybe not the most technical, most transformation failures actually come from its people and its processes. It’s actually not the technology. So people love the people process technology, but the tech is the thing that tends to be the most stable in terms of those three things. And this is extensive research on our end that has actually found this. So let me ask you this. Most companies, I think in your survey, more than half, had material losses in 2022. Data losses. I think it was more than half. I mean, it seems unsustainable. I mean, what does that mean? What does that mean for everybody else if our data’s constantly in a state of insecurity?

Steven Stone: I think it means three distinct things. The first is when we talk about that question, one of the things that we do at Rubrik Zero Labs is we try really hard to interweave different data sets to give a more cohesive view. So we use Rubrik telemetry, which anytime you use your own data that you’re creating as an entity, you’ve got data bias. So we intentionally worked with 1600 organizations that were not Rubrik clients. We wanted that absolute different worldview from the one that we have. And that’s where that 98% comes from. We asked those 1600 organizations, and most of those were senior leaders, half of those were CIOs, CISOs by position, and the other half were one level down below that, the VPs and senior directors that report into them. So we asked them, how many of you lost sensitive data last year? And we use that material loss because it has a actual legal meaning. It means, was it a regulatory or framework data affected? And 53%, so just over half said that they had a material loss of sensitive data last year. First thing that means, we’re talking about senior leaders. So we’re not talking about something small. We’re not talking about your CIS admin and someone talking to you about an email that went somewhere. That’s not what we’re talking about. We’re talking about the kind of data loss a CIO and a CISO is aware of. So that’s part number one.

Part number two, there was almost no specific type of affected data that became more dominant. It was a mix of PCI and healthcare and HIPAA. You name a data categorization, and we saw them all about equal, and we go through those in the report. I won’t beat the drum on which of those because they’re all about the same. So I think that tells us all data is facing about the same level of risk. And then the third thing is, and I think this is probably the most important, we often talk about loss of data in the context of hacking events, especially in my background. I come from threat intelligence event response. That’s the space I’ve spent my career in. But as we ask these leaders, what’s leading to this? It’s a mix. It’s ransomware, it’s espionage hacking, it’s production outages. We have machine failures that then open up data to exposure. We have misconfigurations and deployments, we have malicious insiders, we have accidental insiders. So what I think when we put all that together, those three points, what we’re saying is we have too much data with too many ways that it’s being leaked and that leads to too much risk. That’s a problem we can start getting our arms around once we understand the scope and scale of that.

Daniel Newman: Yeah. You bring up some very good points and in conversations that I’m having talking to boards’ CEOs, risk management is huge. You heard me before say this continuum of as little as we need to, how much insurance do we have to buy? All the way to one breach in our entire company’s longevity is now at stake. And I think the slant of the scale is moving more to the right, meaning that longevity, meaning once there’s no real way to get back trust. And there’s been endless studies as you’ve probably seen from pure companies and industry analysts and firms that have basically shown the everlasting impact of a breach on customer trust, on relationships, on total customer lifetime value, things like that. At the same time though, like you said, smaller than necessary growth of investment, what does your survey indicate about managing risk? Does it indicate that the challenge is well understood and is it just a financial thing or what is it saying?

Steven Stone: So I think if we combine those data points we got from those external organizations, the Rubrik telemetry, I would even go back to the previous two reports. And I don’t think anything I’m going to say would be out of line with your own organization’s research or any of these other great cybersecurity organizations out there. I think it really comes down to, and again, I’ll make it overly basic. I think we have the wrong framework, especially when we’re talking about risk, which is the right idea. We’ve been, and I’ll speak for myself, I mean, having been in this business for over 20 years, it’s been about preventing all the breaches. It’s been about securing everything. It’s the castle mentality that we’ve all largely agreed isn’t holding up. Building a bigger wall, a deeper moat, it’s not working. And everyone’s heard all those analogies. But the one I would offer up, and what I think the research in this report really squarely tells us is it’s the wrong analogy. We should be thinking about defending caravans versus castles. And the reason I say a caravan is you start making radically different decisions. You don’t have to secure everything. There’s no convoy or a caravan that the plan has ever been everything that leaves point A and goes to point B has to get there. That’s not how it works. You’re going to have breakdowns. If you’re in a combat situation, you’re going to have attacks, you’re going to run out of gas. There’s a million things that go wrong and you prepare for those.

The other part is, and I think this is a great touch point back to your core question, when you have to physically move stuff, you start paying attention to how much you’re moving. And we think about that from a data perspective, we are almost undoubtedly carrying too much weight. And that doesn’t matter when you’re in a castle because you just put it all in storage. But when you’ve got to move it, when you’ve got to load it on your back or put it in a vehicle and pack it up, you start figuring out pretty quickly, I need this. I don’t need that. Do I need 17 water bottles? Probably not. I probably only need one or two. And you start running through these decisions and you start building a much more resilient operation. You can’t defend everything. We’ve got to stop trying. And I think data’s a perfect example. All data’s not created equal. We do not care about all data to the same level. And I think when we stop thinking about securing a castle and start thinking about how we defend the most critical assets in transit, all of those points start becoming much more obvious than we’ve, to this date, let them be.

Daniel Newman: So first of all, thank you for all this, Steve. It’s great to get your insights both as a former practitioner and now as someone leading this research. But I do want to sort of ask maybe two more questions. The first is going to be really about the how. How do you now with all this knowledge, with your own experience, with the data at your disposal, how are you recommending companies, organizations to really invest and move forward in a way that’s sustainable, that’s, let’s call it, relatively affordable? What are the steps to put them on the path? What recommendations do you make to these leaders to stay on the path?

Steven Stone: Yeah, I’d give three distinct recommendations. First, this one will be short because we already discussed it, is visibility. Spend and pay attention to visibility because that’s going to have demonstrable impacts when you need it the most. Any crisis scenario, hacking, disaster, you name it, that visibility is going to pay off in exponential ways. So visibility, number one. Number two, I think controlled growth in paying attention to that. Not to go right back to the visibility, but it is part of that, understanding and growing according to a plan. One of the things we talk about in this report is hybrid environments and how they’re changing. Cloud is going to overtake on-premises for the dominant part of a hybrid environment. That’s going to happen. Hybrid is still going to include on-premises. SaaS in five years is going to look like cloud does today. So let’s be more intentional about how we’re growing in those areas. So we can control spend, we can make sure we’re investing in the right areas. We can take security tools that we’re used to on premises and make sure they apply to cloud and SaaS. I mean, these very intentional decisions versus just, let’s just keep doing what we’re doing. We’ll spin up more AWS buckets or another Azure instance and we’ll figure it out later. We’ve got to get ahead of that. And then the third part is democratizing security. And what I really mean by that is senior leaders other than the CISO have distinct decision points and own different parts of risk. I’ll go back to your question around the material loss of data. That material loss assessment should not be done by the CISO. That’s a legal decision. That’s a governance and compliance decision. So what is a material loss of data by mere definition has to include the CISO and likely your chief legal officer. So by bringing in more of the existing talent, you’re bringing in more resources, more capability, and now you can really start moving quicker. And so we really focus on those three things. Visibility, be intentional on your growth, and democratize security.

Daniel Newman: I love it. So with a little bit of time we have left, I’d love to just get a little more on what you plan to do in the Rubrik Zero lab and how you plan to continue to evolve. Obviously everyone wants to hear about the data and your reports and your research and threats. What’s next for you?

Steven Stone: So the first thing we want to do is we want to stress test these findings. One of the things that we’ve been frankly fairly lucky to have, the leadership buy-in and the larger community buy-in, has been data security is fairly opaque as a topic. So each of these reports really try to stress test with our own organizations, with external organizations, with working groups, we want to know how does this match the realities other organizations see and then adjust where there’s disparities and closed deltas. That’ll be the first thing we’ll do. Second thing we want to do is we want to keep on this progression of drilling down farther. We want to keep taking things one more step deeper. And so what we’d like to work on next is how do we look at specific threats against specific types of data? And again, where is that going? And the last thing we’re pretty excited to do is really continue working with more and more partner organizations and other organizations. As an example, our last report, we worked with four other cybersecurity organizations to round out the dataset. This one is just Rubrik and then these external organizations. But now we want to figure out how do we take our view and combine that with other organizations that are working on the same overall threat landscape, but from different perspectives and start building a more cohesive picture for everybody. I just think that all hands on deck and all experts giving their particular slice of the pie is going to make it better for everyone else.

Daniel Newman: I think that’s a great way to end this. And I really do appreciate, Steve, you spending some time and walking through what you’re doing there at Rubrik Zero Labs. It’s been really a challenging time for the industry and with so much growth and data, the threats have been palpable. Having said that, it’s also a competitive differentiation. It’s a competitive advantage if you can stay in front of it, if you can keep your company and the data that you run your business on safe, and it’s business technology and people like you that are helping to make this possible. So thanks so much for making time and spending some time with me here today.

Steven Stone: Well, thank you Daniel. This has been great. Really appreciate it.

Author Information

Daniel Newman

Daniel is the CEO of The Futurum Group. Living his life at the intersection of people and technology, Daniel works with the world’s largest technology brands exploring Digital Transformation and how it is influencing the enterprise.

From the leading edge of AI to global technology policy, Daniel makes the connections between business, people and tech that are required for companies to benefit most from their technology investments. Daniel is a top 5 globally ranked industry analyst and his ideas are regularly cited or shared in television appearances by CNBC, Bloomberg, Wall Street Journal and hundreds of other sites around the world.

A 7x Best-Selling Author including his most recent book “Human/Machine.” Daniel is also a Forbes and MarketWatch (Dow Jones) contributor.

An MBA and Former Graduate Adjunct Faculty, Daniel is an Austin Texas transplant after 40 years in Chicago. His speaking takes him around the world each year as he shares his vision of the role technology will play in our future.