Cyber Work

Revolutionizing digital identity, data privacy and data security | Guest Raj Ananthanpillai

June 04, 2024 Infosec

Today on Cyber Work, my guest is Raj Ananthanpillai, CEO of Trua, a company that is steeped in the current issues around digital credentials and data privacy. As you’ve no doubt heard, AT&T reported a data breach that compromised the personal information of approximately 7.6 million users! Ananthanpillai discusses Trua’s mission to leave data thieves holding an empty treasure chest, discusses his past work in creating TSA PreCheck and gives a bunch of great ideas and advice for making sure that you’re always thinking beyond your current position by learning and creating your way upward! All that, and a WHOLE bunch of vitriol at the industry-standard collecting of social security numbers, today on Cyber Work!

0:00 - Revolutionizing data privacy
4:20 - How Ananthanpillai got into cybersecurity
6:11 - Work as a cybersecurity CEO
9:25 - Fast tracking in cybersecurity roles
11:08 - Take your first steps in cybersecurity work
13:01 - Founding Trua
17:50 - New digital security protocols
21:10 - AT&T data breach
27:03 - How to stay safe from data breaches
29:58 - How to work in data privacy
35:14 - Skill gaps in data privacy work
37:05 - Best cybersecurity career advice
38:26 - Learn more about Trua
41:00 - Outro

– Get your FREE cybersecurity training resources: https://www.infosecinstitute.com/free
– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast

About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.


Chris Sienko:

CyberWork and InfoSec would like to introduce you to our new Cybersecurity Beginner Immersive Boot Camps. They're designed to help you gain and enhance your expertise in the cybersecurity field. Join our live interactive virtual classes led by InfoSec's highly skilled instructors, who will guide you through the material and provide real-time support. And, as part of InfoSec's immersives training, each student will have access to career coaching aimed at helping them start or switch to the cybersecurity field. You heard that right. We aren't here to just teach you the concept of what a security professional does. We want to prepare you to enter the job market with a competitive edge in six months' time. Now I've told you about InfoSec certification boot camps, and if you're trying to hit your next career target and need a certification to do it, that's still your best bet. But if you're an entry-level cybersecurity professional or want to be, or you're switching your career and want to experience a career transformation, InfoSec's immersive bootcamps are designed to make you job-ready in six months. To learn more, go to infosecinstitute.com/cyberwork, all one word, C-Y-B-E-R-W-O-R-K, and learn more about this exciting new way to immerse yourself in learning with InfoSec.

Chris Sienko:

Now let's begin the show. Okay, today on CyberWork, my guest is Raj Ananthanpillai, the CEO of Trua, a company that is steeped in the current issues around digital credentials and data privacy. As you no doubt have heard, AT&T reported a data breach that compromised personal information of approximately 7.6 million users. Raj discusses Trua's mission to leave data thieves holding an empty treasure chest. You'll know what I mean when you see it. He discusses his past work in creating TSA PreCheck and gives a bunch of great ideas and advice for making sure that you're always thinking beyond your current position by learning and creating your way upward. All that and a whole bunch of vitriol about the industry standard collecting of social security numbers. Today on Cyber Work.

Chris Sienko:

Hello and welcome to this week's episode of the Cyber Work podcast. My guests are a cross section of cybersecurity industry thought leaders, and our goal is to help you learn about cybersecurity trends, the way those trends affect the work of infosec professionals, and leave you with some tips and advice for breaking in or moving up the ladder in the cybersecurity industry. My guest today, Raj Ananthanpillai, is a passionate entrepreneur and visionary leader with many years of experience building businesses and investing in the future of technological innovation. Raj is the founder and CEO of Trua, a technology company that provides privacy-preserving, reusable, verified digital credential solutions that assure trust and safety in digital environments, sharing economy, employment and workforce background training. Prior to founding Trua, Raj spent 13 years as the CEO and majority shareholder of Infozen, a high-end risk management services company, which was successfully sold to a publicly traded company in 2017. Prior to this, he served as the chief strategy officer of Eplus, a business process automation and transformative technology solutions company. Raj was also the founder and CEO of NetBalance, a venture capital-backed multi-million dollar software company, which was successfully sold.

Chris Sienko:

Raj worked at AT&T for many years in various technical and management capacities, and we're going to definitely get into that today. Raj holds an MS in engineering physics, an MS in electrical engineering, and holds multiple US patents and has authored two books on management of technology and services. So today's topic we're going to be talking about the AT&T data breach. This is right out of the headlines and is a fairly recent story, and Raj has some very good insights into what happened and what should happen next here. So, Raj, thank you so much for joining me today and welcome to CyberWork. Thank you for having me, Chris, my pleasure. So, Raj, to help our listeners get to know you a bit better, I went through some of your accomplishments in the introduction here, but can you tell me about how you first got interested in computers and technology and cybersecurity? Was there an initial spark? Did your family have a computer? Was it at school? What got you excited initially?

Raj Ananthanpillai:

Well, that's an interesting question. I'm the first one to go to college in my family, so I didn't have any experience, or I didn't touch a computer until I was about 22 or 23.

Chris Sienko:

Yeah, yeah, yeah.

Raj Ananthanpillai:

But I've always been at the intersection of business, finance and technology. Okay, so I'm fortunate to have created many successful companies that led me to where I am today. Before starting Trua, as you mentioned, I was the CEO of Infozen for over 13 years. We were the developers of reusable credentials like TSA PreCheck, which I'm sure most of your listeners might be familiar with, and complex risk management solutions. So this experience and work on some complex risk avoidance programs provided me the desire to solve various identity and data-related issues that are plaguing the industry today.

Chris Sienko:

Yeah, yeah, now that's really cool. I'm going to come back to that, but I do want to talk about your professional background, if you don't mind. You mentioned it in your intro and I was reading through some of your LinkedIn experiences profiles, like you're definitely someone who's been comfortable and capable in CEO positions for a very long time, and whether it's software development companies, venture capital firms, financial advisory groups, all the way to your current role as CEO of Trua. You know you have been a CEO for as long as I can see, so can you talk about what draws you to the role of chief executive officer and, if there is any, what is a commonality that might have linked all of the work you've done at these different types of commercial sectors?

Raj Ananthanpillai:

Oh, wow, that's an interesting question. Well, I've been a CEO for 20, 25 plus years. Though I wasn't necessarily looking for a CEO role anywhere, these opportunities seem to arise when I wanted to take on challenges and solve problems. I've always been driven by a desire to solve problems and lead such endeavors. My career actually began at AT&T, where I started as a member of the technical staff. So when I first joined the company, someone told me it would take at least seven to eight years before I'd be considered for my first promotion. Wow. So, determined to beat those odds, I proactively sought out opportunities to expand my experience and prove I could fast track that timeline.

Raj Ananthanpillai:

One day a senior executive stopped by my desk, intrigued by how I was innovative and thinking out of the box. Back in those days Bell Labs, AT&T there is a traditional approach to your research, your development efforts and so on and so forth. I was always sort of thinking out of the box. And then a few months later, he called me into his office and I thought he was going to fire me. But he actually said you know, I would recommend you for my promotion.

Raj Ananthanpillai:

That was just about three and a half years after I joined the company to a different division, though. So then I would manage others and work to create a new system to solve a major global problem that AT&T was facing when they bought parts of Western Union and they were trying to consolidate the business. So within a few months, after sort of working on that system, the press was very interested in interviewing me about my processes and how I got done such a massive project in less than a year. That was unheard of at AT&T, so I read a book about it and how to solve complex problems. It's to have that focus and the desire to succeed all the time. So instead of waiting for my next promotion at AT&T, I transitioned to a smaller company to take on bigger management and technology challenges. Right, ok, this began a pattern of scaling down in company size and eventually starting my own companies.

Chris Sienko:

Yeah.

Raj Ananthanpillai:

Yeah, but productively. Seeking out opportunities to innovate and demonstrate my capabilities, I was able to fast track my career progression and eventually become a senior.

Chris Sienko:

Yeah, no, that's very interesting. There's something to be said, for if you're in too big of a company, there's only you only have so much headway that you can do. And so if you start working at a more business manageable scale, you can. You can rise higher and faster. Now I wanted to ask you about. You said that you were in a position that you didn't feel had a lot of. It wasn't moving for you fast enough, and so you thought of some new ways to sort of get yourself noticed, to try some out of the box things. Can you talk a little bit about some of the projects that you were undertaking and were these kind of on the side of what you were already doing at work? Were these kind of like night projects, like what was, what were you doing to sort of fast track yourself in that way?

Raj Ananthanpillai:

Well it's, I had a systemic approach to everything, right? If you're referring to my times at AT&T, yes, but AT&T had a method, so everybody was following that method. I was sort of a rebel and I would go around different processes and sort of test it out, because over there, if you recall, back then every development was sort of a methodical, you know, water flow approach, and I had thought about agile development quote unquote back then, when nobody knew how to spell agile. So I was doing some of those kinds of stuff, quickly testing out something and working with other people who are developing hey, can you code this for me, come up with a requirement? And so on and so forth. And that's how I started getting more what I call entrenched with the problem-solving capability.

Chris Sienko:

Yeah, Now do you think you could sort of summarize this impulse of yours? You said you're very systematic in your thinking. I mean, for someone who's just getting started and is looking to, as you say, rise faster and sort of move out of a stagnant position, like what would you say is like the first step to sort of thinking like this and sort of moving beyond where you are and engaging in this kind of out-of-the-box thinking.

Raj Ananthanpillai:

Well, you have to have a purpose in life, right? What is it that you're trying to achieve? Not just you know, as I said, about the CEO thing, right, it's not the title that I was going after, it's what you do when you're the CEO, right.

Raj Ananthanpillai:

Sometimes, when you are your own boss, you can dictate how things are done. And, yes, you want to bring along other people with you, but at the same time, you are the visionary, you are the one that is providing the purpose for the organization. Right, and say, hey, we want to solve this problem, because we see this problem without any solution, it's rudderless. People are doing the same thing over and over again without any results. So, if you think about it, right, most big companies are very compartmentalized. They are serialized and compartmentalized. So nobody wants to go out of those boxes and say, hey, why are we doing that way? It's the age-old question everything. And then keep going to that.

Chris Sienko:

Yeah, big companies like that are like a gigantic machine Everyone's afraid of like. If you change out one cog or one flywheel, you're going to like. It's going to just break everything apart. So it's better to.

Raj Ananthanpillai:

Just because they're afraid, right, they're afraid, and so the first thing I always tell people is be secure with yourself, right, and you know you can if you work hard and try hard. This is the best country in the world, right? If you work hard and do the best you can, you'll always succeed. Yeah, as an immigrant, that's what I learned, right?

Chris Sienko:

Amazing, yeah, amazing, inspiring. I love it. Now, to that end, I want to ask you about founding Trua, your company that has developed a patented full spectrum enterprise insider threat and trust screening solution. Now you've been sort of working towards this with Infozen and so forth, but what was it like starting this company and were there any unexpected challenges along the way?

Raj Ananthanpillai:

Well, I'll tell you a little bit about how we got to right. So trust is the most powerful and sought after currency in society today. For sure, as a society we have moved from trust everyone. Remember many, many couple of decades. Three decades ago we were trusting everybody. And then we said okay, trust but verify right. And now we are on to verify first and then trust.

Chris Sienko:

Yes.

Raj Ananthanpillai:

That is a big sea change. In a matter of 20, 30, 40 years. That's a big, gigantic change because of various technological innovations. You would think, with lots of technology coming out, you would think that trust will be a nice, earned, credential or earned currency. But no, Today nobody trusts anybody. Now we can talk about AI at some point, but with that, everybody's trying to fake and hack their way into anything and everything.

Raj Ananthanpillai:

So that is the biggest driver for me as to how do we do this, given the state of mind-boggling data breaches and for us the major trigger was the. There was a major credit bureau data breach a few years ago where 150 million consumers' personal sensitive data was exposed, and we set out to disrupt that current paradigm of collecting sensitive personal information all the time to make decisions, whether it's employment, credit, benefits, services or any combination thereof. So the first thing is what's your social, what's your date of birth, what's your? You know they start gobbling up all of that personal sensitive information. So that's where we have developed a solution that sort of disrupts the and solves that challenge of the traditional paradigm of third parties doing all of this stuff. Can you talk about that a little bit? Yeah, so we've been living and breathing, as I mentioned before, identity data for the last 15 plus years. In our previous company, we are the developers of TSA PreCheck and other very highly secure digital credential programs.

Raj Ananthanpillai:

We are the first one to look at the data ecosystem with a person-centric view, with a privacy at its core. That is the most important thing. I've always been a private person. If you see, I personally don't have any social handles. I have LinkedIn, but other than that I don't have a thing, Because people tend to think, oh, it's free. If something is free, you are the product. That's right. Be aware of it. Don't ever expect any privacy. Don't ever expect, because you will be lured into giving more and more personal information. First it will be a free Gmail account and then it'll be something else, and then they say, hey, oh, now it's a trusting relationship. Now suck up more and more sensitive data that is near and dear to your own personal identity.

Raj Ananthanpillai:

So, with our extensive background and research and product development on behalf of major corporations and US intelligence agencies. We work with Homeland Security a lot. We have been able to flip the entire identity verification and screening process on its head and create a solution that is purpose-built for consumers. This is the most important thing to take ownership and protect their own data by providing high assurance to organizations that seek to verify and screen individuals.

Chris Sienko:

So this product is aimed specifically at individual consumers rather than enterprises.

Raj Ananthanpillai:

No, this is coming through the businesses. We are now focusing on businesses to adopt this and say, hey, you don't need to collect this information Got it All that you care about is verifying the individual right Majority of the cases.

Raj Ananthanpillai:

Why do you have to keep like a gym when you try to get a gym membership? They want your social security. I said why they don't need a social security number when you go to a healthcare hospital. Why do they need your social security number? They're not looking to look out for your credit report. They should be keying off of other attributes, not social or other personal stuff. So this person-centric approach ensures that individuals have the ability to protect their privacy and maintain control over their sensitive personal data.

Chris Sienko:

So I get the sense that I've heard this a little bit before that this is an attempt to sort of break out of the security question method of verification. Is that right? It's like they want your social security so that they can say what are the last four of your social security, or you know, so that they you know, which is starting to feel like the Stone Ages in terms of verification at this point.

Raj Ananthanpillai:

Oh, yeah, that verification industry is still called KBA, knowledge-based authentication.

Chris Sienko:

Exactly what color was your car in 1995? Yes, first teacher.

Raj Ananthanpillai:

That data is already in the public domain. When all these big breaches happen, all that information is already in the public domain. You can mimic and create a synthetic ID.

Raj Ananthanpillai:

We need to start moving towards facial. That's a key thing. Genuine presence, facial we can talk about it at some point. That is the way it is going to be the implication of this innovation where you carry your own credential, you get it verified once and then all that the business is interested in is they need to verify that you are who you say you are, right? That could be and/or, hey, I've verified his social security number. I've verified the date of birth, I've verified the residence history or the current address, but they didn't need to know what that is. They just need to know that it has been verified.

Raj Ananthanpillai:

And, by the way, here's your liveness detection or live picture of yourself, right? So, because the only thing you can have is the only form of real world identity is some form of government issued ID. That's what everybody takes, that's what everybody starts off with. And now people have started scamming that and you have fake IDs, and so on and so forth. So you need to get all of that started out up front once and then reuse it over and over again, without ever giving out your personal information like social or date of birth.

Chris Sienko:

Yeah, I think that that serves kind of a double purpose, in that a lot of these places are holding or collecting sensitive data like this under the auspices of what we need to be able to verify, it's you. But once you take that completely off the table, then they might well have been storing it for other uses, other types of analytics, other types of it is tempting, right, it is tempting, even if they don't have any nefarious thing, but they have to store it, right?

Raj Ananthanpillai:

So what you have done is now you have stored a million people's identity in one database and it's easy for hackers to do it. But if you flip it now, those million people have their own data stored in their own device and hackers have to attempt a million times to get one, whereas the traditional method they have to just go to the company and, hey, I'm going to attack this big gym that has a lot of treasure trove information. Exactly. So you are flipping it, distributing that information. Yes, you know. If you think about it, social security number was designed for predominantly three things early on, right? Wages for taxes. Right, you have to file your taxes, the social, and then government benefits, and then employment or employment wages. Right, those are the only three things. But look at it.

Chris Sienko:

Every Tom, Dick and Harry now wants SSN, yep, why? Credit ratings?

Raj Ananthanpillai:

And they have the part of it because that's the current mindset. You have to really question that status quo.

Chris Sienko:

Yeah. Well, speaking of treasure troves up for the taking, we're going to talk about a recent story here. Our topic today is AT&T's recent report and disclosure of a data breach that happened to them. They determined and announced that, quote, "AT&T data-specific fields were contained in a dataset released on the dark web approximately two weeks ago." According to their disclosure, quote, "the data set appears to be from 2019 or earlier, impacting approximately 7.6 million current AT&T account holders and approximately 65.4 million former account holders." So how much do we know about this data breach? If we're looking at just their release, it seems like they're talking about a robust investigation without naming names or identifying ports of entry. But what is your best understanding of how these data sets made it to the dark web?

Raj Ananthanpillai:

So, based on the available information, right, I don't have any inside information, it appears that the AT&T data breach is still an investigation by the company. The specific language used in their public statements is quite curious and raises some questions.

Chris Sienko:

Okay.

Raj Ananthanpillai:

The fact that they mentioned a data-specific set being released on the dark web is an unusual detail. Typically, when a data breach occurs, the compromised information is a more comprehensive dataset. That means you take the whole database, not just one piece of data, rather than just specific fields from a database. This level of specificity suggests, I think, the possibility of an insider leak rather than an outsider. The types of sensitive information that were exposed are certainly concerning. Social security numbers, full name, email and mailing addresses, phone numbers, date of birth and AT&T account details. You can question every one of those data as to why AT&T had them to start with. I mean, oh, I want to do a credit check. Okay, you had the credit check, but you could have destroyed all of that. Why do you still there? Why do you need my date of birth? You already verified that I'm over 18 to buy a phone or whatever it is that I did. They want to send you a birthday card?

Chris Sienko:

What?

Raj Ananthanpillai:

is that going to do? Because those are the more and more sensitive information. So that's where I think you know information can be extremely valuable for cyber criminals and can enable identity theft, phishing scams and other malicious activities down the road.

Chris Sienko:

Yeah, now I mean, how do you feel you know this is obviously no one's idea of a good outcome, but how do you feel about how AT&T is handling it thus far?

Raj Ananthanpillai:

That's the best right. It's one of those big data breaches they are unfortunately they're getting more headlines because AT&T right. If it happened to your regional phone company, nobody would talk about it because it's a national brand. It is AT&T the good old Ma Bell right. It's been around since Graham Bell right. So everybody knows about AT&T. So that's probably why it's getting a little bit more attention. But the unusual nature of the breach, with only certain data fields being compromised, certainly a head-scratcher for me. It's possible that AT&T is still investigating the source and extent of the leak, but their statements are very vague and specific at the same time, just kind of concerning.

Chris Sienko:

Okay. Well, again, I'm asking you to rely too much on a crystal ball about information that you don't know. But can you think of any ways? I guess the only answer is don't have the data in the first place. But if it was an insider, what are some ways that could keep even someone who works for the company out of that particular treasure trove in the way that this was exploited?

Raj Ananthanpillai:

Well, the insider threat is a big deal, right. It is Something that you have to constantly monitor. You have to figure it out who's doing that, whether they're in their blackmail or whether they bought out or they're, you know they usually have some signals, right. You know the insiders. You know they got into financial trouble and say hey, I can give you some data.

Raj Ananthanpillai:

And to a what I call a hacker broker, right, and say, hey, you know, here's a bunch of data and you can do, oh, okay, I'll give you $10,000 for that, so I'll pay off my debt. What if I just don't know that right? That's an interesting question. That's there's always a motive and a method, right. So the sensitive personal data exposed in the AT&T breach, including hard to change identifiers like social, enables criminals to conduct large-scale thefts and scams. The real danger is going to be not immediately, right. It's a delayed impact of such breaches.

Raj Ananthanpillai:

Hackers and data buyers often wait until the initial uproar subsides before crafting targeted scams, leaving consumers vulnerable as they have forgotten about the incident. Watch it, because people are not talking about the incident that happened in 2017, I think, that big credit bureau data breach. 150 million consumers in the United States got their data compromised and we are still paying. So they don't go right after because they know everybody is going to get a one-year free monitoring after a breach. That is absolutely of zero use to you. Yes, exactly. Hackers have figured out a better motive and say, okay, I'm going to wait out at least a year and then I'll start my thing, because they have plenty to work with until then. This is all trying to get prepared for two years from now. Hey, I'm running out of data, so that's the kind of stuff.

Chris Sienko:

Yeah, well, that was what I was going to ask next and you kind of answered it partly for me, which is that, yeah, I feel like every other week now I'm getting an email or a text saying, yeah, we got breached, and it's, and it is things like you know, I'm getting notifications that my CPAP machine somehow they leaked like personal information from that, which again like, why do you have that? You know, but and it's always that sort of you know, if it's change your password, fine, I'll change my password, it's not that hard. But when it's, you know, here's a free year of credit monitoring on us, you know. You know that something much bigger happens. So I guess, from a consumer standpoint, Raj, do you have any advice to sort of keep yourself out of the sort of blast area of these constant sort of breaches? You know, what do you recommend for people who are getting sick of this?

Raj Ananthanpillai:

There has to be a consumer revolution, for lack of a better word. Yeah, because enough is enough. Sometimes we are way too compliant and just giving out information. There are two reasons for that, right. Some of it is because we sign up for everything that is free.

Raj Ananthanpillai:

How many people when you check out these days hey, can you give us your email? We'll give you instantly 5%. But that 5% let's assume the person is buying $50 worth of some goods and they're getting their email, right. 5% of $50 is $2.50, let's assume, as an example, right, they would have blown $5 walking out of the building to buy a cappuccino somewhere, so they've already lost that savings, but they've already given out one free thing that the vendor wanted. And then they want to start sending you more information, then more information. So they'll start saying, hey, and then you start trusting them and then you start giving out more information. Hey, I know this place, OK, let me buy something online. And you put in your credit card information and you put in your date of birth for verification, or whatever it is.

Raj Ananthanpillai:

And whatever they do right, that is how the cycle starts going and it never stops. So I suggest that be wary of every data sharing and question everything. Question, question, question.

Chris Sienko:

Yeah, which I think they try to sort of wear you down with, all of the sort of terms of service that are 80 pages long and every time you log onto the site they want you to accept cookies again and again. Yeah, I mean, I think it is kind of you know, they're also waiting you out in terms of hoping that you'll get this is their best interest, right?

Raj Ananthanpillai:

So if you think about it right, you know the regulations are all a mess, right? They're trying to band-aid the same process. So, anyway, we can talk all day.

Chris Sienko:

Well, so I want to pivot over. The purpose of our podcast here obviously is to help students and new cybersecurity professionals sharpen the skills that they need to enter the cybersecurity industry, and also people who are from other walks of life who might want to change careers to cybersecurity later on. These are all people that listen to our show and they're looking for your insight. So, speaking to listeners who might want to do work in these areas privacy, identity management, identity verification, data privacy, data collection what types of hands-on work or training or education or certifications or just projects should they be working on to make them ready to do the work in this particular field?

Raj Ananthanpillai:

Wow. Okay, that's a lot. I can try and summarize a little bit. Sure. So the field of data privacy and security is deeply entrenched, with well-established infrastructure, processes and methods. Right. So to drive meaningful change, we must be willing to challenge the status quo, as I mentioned before, rather than simply repeating the same approaches and expecting different results. This is not just a matter of insanity, but also a symptom of laziness and a lack of thorough analysis. To truly address the current challenges, we need to scrutinize the existing process. How is it being done today? Understand the regulatory landscape, because, unfortunately, regulation pays a big sum. Familiarize yourselves with the latest regulations surrounding privacy, security and consumer rights. Identify any gaps or outdated elements in the existing regulatory framework, because that's how you can be creative. That's how you can come up with some aha moments.

Raj Ananthanpillai:

Carefully examine each step of the current data collection, storage and protection process. This is a big, big, big issue in the United States right now, and worldwide as well. Question the rationale and assumption behind these longstanding methods. Right. Recognize that our technologies have evolved rapidly, while many of the underlying processes have remained stagnant. Think about it: why are third parties still doing all of the verification?

Raj Ananthanpillai:

We have democratized so many things in our lives, whether it's a hotel to Airbnb or buying a car on your phone. We have democratized. We have taken out all of the middlemen in many of the processes. It should be the same thing. I call it data emancipation. Right, Free up the data that belongs to the consumer. Let them be the guardians of it as well. Co-opt them to. Hey, this is your data. It's in your best interest to keep it with you and just share it when you need it. That will eliminate a whole bunch of these data proliferation and hackers are going to really, really have a tough time. I always say that the hackers are moving at lightning speed while we are still trying to go with our neighborhood road speed.

Chris Sienko:

Yes, exactly, yeah. Yeah. A lie can get around the world three times while truth is getting its shoes on. Yeah, so I think that's really good advice and just to sort of hammer that home, obviously Infosec would like you to, you know, do the work of learning things like identity management and access management and all the good juicy tech stuff, but at the same time, make sure that you are doing the reading in terms of the larger sort of global implications. That's what you're saying, basically, like understand where it's going.

Raj Ananthanpillai:

Study up the landscape. Understand it, right, and then take as many, wherever it's available, small projects, big projects. Try to solve, right. Try to think about, put yourself in those shoes and then not just be waiting for somebody to define a problem and say hey, why are we doing this way? Why is this? You know, our digital landscape has expanded so much, but we're still stuck in the, you know, 50s and 60s method of collecting data and having a third party store it in different databases. Why haven't we democratized the data and then decentralized it, right? Those are all various things that you can educate and then embrace the co-opting of the consumers in guarding their own data.

Chris Sienko:

It is their data.

Raj Ananthanpillai:

Yes, yeah, social security number and date of birth is assigned to you. It is never assigned to a third party. And they somehow managed to get it and they have it, and now they are bartering and selling that information over and over again.

Chris Sienko:

Yeah, absolutely, and yeah, I think that's really great advice. Yeah, absolutely.

Raj Ananthanpillai:

And we have other things right. We don't go to you know, every time you want to drive. You don't go to drive a DMV to buy a license right, you drive it once you drive it Same thing with TSA PreCheck. You don't, you know, once you get it, reuse it as long as it is current and active and, you know, always live, that's all that matters. So why haven't we applied that to identity verification? Because that's where most of the people collect that personal information, store it and then for no reason, it gets compromised.

Chris Sienko:

Yeah, I think some of those project ideas are really good and I think also the idea of no matter how early you are into the game and you're in your learning, to not be afraid to take big swings in terms of trying to solve big problems. I think companies or employers are not going to care if you solve the problem of identity. Obviously you're not going to if you've been doing this for two years. But they want to see that you are sort of looking at these problems and suggesting solutions or suggesting fixes. And to that end, I guess, Raj, are there particular skills gaps among people who are trying to get hired into these positions that you're trying to fill? I mean, I know you probably hire people all the time. Are there certain skill areas or qualifications that you consistently see lacking, that you'd like to see more universal, even if it is things like big box thinking like that?

Raj Ananthanpillai:

Developing analytical skills, and STEM and engineering education is of paramount importance in this field. We lack those things analytical skills and engineering. If you have, even if you go through two years of engineering, right, you start developing that thing about challenging the notion, working out all of those things, immerse yourself in practical training and projects wherever they may be offered. Studying just a textbook does not help you in this field. The hackers, as I said, are moving at lightning speed and we sometimes seem to be stuck in our local road speeds. So it is very important to be on top of things. And you know, even in community college, right, if you don't have a means to go to a community college, even if you have high school, finish your high school. High school is the minimum currency you need, especially if you're in this field, because there are other fields that may not require a college diploma, but in this field, you do need a little bit of awareness of the landscape, because digital landscape is very complex.

Chris Sienko:

Yeah, absolutely. I think those are all really great pieces of advice. So before I let you go, Raj, can you tell our listeners, it sounds like you kind of make the career advice, but can you tell our listeners the best piece of career advice you ever received, whether from a mentor or a teacher or colleague?

Raj Ananthanpillai:

That's a good one. So a professor that I really liked many years ago you know I was bidding goodbye as I was graduating he said always have a goal and try to achieve them and repeat them until you're tired, until you're tired, until you're tired. That means yeah, because you will have a goal even at 90 years old. The goal could be just I want to get up tomorrow without backache, right, yeah?

Raj Ananthanpillai:

Right, right, I'm saying, right, so keep having a goal and then achieve it. Right, not just have a goal and then, uh, I didn't make it, right. Yes, you'll be making mistakes, that's okay. Without making mistakes you'll never learn, as you know, right, but don't repeat the same mistake.

Chris Sienko:

Yeah, don't repeat the same mistake. Don't get complacent with the idea that you can't do something. I suppose, just keep trying if you fail.

Raj Ananthanpillai:

This is the best country for that. This country offers you the opportunity to succeed. Yeah.

Chris Sienko:

Now as we wrap up. Raj, you talked about Trua a bit. If you want to talk more about what your platform does and you know a bit more about the product, feel free to do so before we wrap up here.

Raj Ananthanpillai:

Okay, so thank you for that. Trua's reusable fully verified digital credential, right, eliminates fundamental risk posed by individuals repeatedly providing sensitive personal information. This reusable verified credential natively safeguards individuals' private information, thus reducing the risk of data breaches for organizations and consumers' identity theft. To us, technology ensures a high level of assurance and security in interaction across various digital channels and modes, while saving organizations billions of dollars because they don't have to collect, store and card and have cyber insurance, all kinds of stuff that you have to pay.

Chris Sienko:

They have to pay out settlements all the time.

Raj Ananthanpillai:

Yep. Litigation, compliance, all of those things you can minimize, yeah, drastically.

Chris Sienko:

Yeah, moving towards having an empty treasure chest here, yeah, because the hackers can come in.

Raj Ananthanpillai:

They have nothing there, right? It's all in the people's hands.

Chris Sienko:

Yeah, absolutely. It's, it's, it's happening in the moment, and that's it.

Raj Ananthanpillai:

On demand, getting it and then verify. That's it. You don't store anything, you don't keep anything.

Chris Sienko:

Great. One last question here: if our listeners want to learn more about you, Raj, or especially about Trua, I mean, you said you're on LinkedIn, but where should they look online for Trua?

Raj Ananthanpillai:

Obviously, I'm on LinkedIn. LinkedIn for Trua is also Trua, and TruaMe.com is our website. There's plenty of information. Go under resources. I've written a lot extensively about various facets of society and whether it's the dating side, how you know the dating is legit, or hiring somebody to come and work in your house. How do you know all of those things, right? So, without collecting personal information, how do you accomplish the need for verification or security screening? And that's what I talk extensively. Twitter is at Trua, underscore me. Facebook is Trua me. Instagram is hashtag Trua score. LinkedIn is Trua. And Medium, we also have a Medium where we have a lot of articles there.

Chris Sienko:

And Trua. Okay, and Trua is spelled T-R-U-A, correct?

Raj Ananthanpillai:

T-R-U-A. Trua, and our website is TruaMe, T-R-U-A-M-E.com.

Chris Sienko:

Fabulous, all right. Well, thank you so much for joining me today, Raj. This was incredibly informative and a lot of fun. Thank you, Chris, for having me, and thank you to everyone who watches and listens and writes into the podcast with feedback. If you have any topics you'd like us to cover or guests you'd like to see on the show, just put them in the comments below. We are trying to get through them as best we can, but before we go, don't forget infosecinstitute.com/free, where you can get a whole bunch of free and exclusive stuff for Cyber Work listeners.

Chris Sienko:

This includes a trailer for our new security awareness training series, Work Bytes, which is a smartly scripted and hilariously acted set of videos, uh, in which a very strange office staffed by a pirate, a zombie, an alien, a fairy princess, a vampire and others navigate their way through the age-old struggles of yore, whether it's not clicking on the treasure map someone just emailed you, making sure your nocturnal vampiric accounting work at the hotel is VPN secured, and realizing that even if you have a face as recognizable as the office's terrifying IT guy Boneslicer, we still can't buzz you in without your key card. Anyway, go to the site and check out the trailer. You can also go to infosecinstitute.com/free for your free cybersecurity talent development ebook. Here you'll find in-depth training plans and strategies for the 12 most common security roles, including SOC analyst, pen tester, cloud security engineer, information risk analyst, privacy manager, secure coder, ICS professional and more. One more time, infosecinstitute.com/free, and yes, the link is in the description below as well. One last time, thank you so much to Raj Ananthanpillai and Trua, and thank you so much for watching and listening, and until next week, this is Chris Sienko signing off, saying happy learning.

Cybersecurity Boot Camps and Data Breaches
CEO's Path to Innovation and Trust
Protecting Personal Data From Fraud
AT&T Data Breach and Privacy Advice
Evolving Technologies and Data Emancipation
Cybersecurity Training and Resources