 Hey, welcome back everybody. Jeff Frick here with theCUBE. We are at the place that you should be. Where is that, you say? LinkedIn's new downtown San Francisco headquarters, at Data Privacy Day 2018. It's a small but growing event, talking really about privacy. You know, we talk a lot about security all the time, but privacy is this kind of other piece of security. And ironically, it's often security that's used as a tool to kind of knock privacy down. So it's an interesting relationship. We're really excited to be joined by our first guest, Michelle Dennedy. We had her on last year, terrific conversation. She's the chief privacy officer at Cisco and a keynote speaker here, Michelle. Great to see you again. Great to see you and happy privacy day. Thank you, thank you. So it's been a year. What has kind of changed on the landscape from a year ago? Well, we have this little thing called GDPR. Oh, that's right. You know, it's this little thing, the General Data Protection Regulation. It's been an, it was enacted almost two years ago. It will be enforced May 25, 2018. So everyone's getting ready. It's not Y2K. It's the beginning of a whole new era in data. But the potential penalties, direct penalties. Y2K, you had a lot of indirect penalties if the computers went down that night. But this has significant financial penalties that are spelled out very clearly, multiples of revenue. Absolutely. So what are people doing? How are they getting ready? Obviously the Y2K great example was, it was a scramble. No one really knew what was going to happen. So what are people doing to get ready for this? Yeah, I think it's, I like the analogy. It ends because January one after 2000, we figured it out. Right, right. Or it didn't happen because of our prep work. In this case, we have had 20 years of lead time. 1995, 1998, we had major pieces of legislation saying, know thy data, know where it's going, value it and secure it, and make sure your users know where and what it is. 
We didn't do a whole lot about it. There were niche market people like myself who said, oh my gosh, this is really important. But now the rest of the world has to wake up and pay attention because 4% of global turnover is not chump change in a multi-billion dollar business. And in a small business, it could be the only available revenue stream that you wanted to spend innovating rather than recovering. But the difficulty again as we've talked about before is not as much the companies. I mean, obviously the companies have a financial responsibility, but the people on the end of the data will hit the EULA as we talked about before without thinking about it. They're walking around sharing all this information. They're logging in to public Wi-Fi and we actually even just got a note at theCUBE the other day, asking us what our impact are. Are we getting personal information when we're filming stuff that's going out live over the internet? So I think there's a kind of weird implication. I wish I could like feel sad for that, but there's a part of my privacy soul that's like, yes, people should be asking, what are you doing with my image after this? How will you repurpose this video? Who are my users looking at it? I actually think it's difficult at first to get started, but once you know how to do it, it's like being a nutritionist and a chef all in one. Think about the days before nutrition labels for food. When it was first required and very high penalties of the same quanta of the GDPR and some of these other Asiatic countries are the same, people simply didn't know what they were eating. People couldn't take care of their health and look for gluten-free or vitamin E or vitamin A or Omega or whatever. Now it's a differentiator. Now to get there, people had to test food. They had to understand sources. 
They had to look at organics and pesticides and say this is something that the populace wants and look at the innovation in even something as basic and integral to your humanity as food. Now we're looking at what is the story that we're sharing with one another and can we put the same effort in to get the same benefits out? Putting together a nutrition label for your data, understanding the mechanisms, understanding the lifecycle flow, it's everything and is it a pain in the tuchus sometimes? You betcha, why do it? A, you're gonna get punished if you don't, but more importantly, B, it's the gateway to innovation. Right, it's just funny. We talked to a gal in a security show and she's got 100% hit rate. She did this at Black Hat, social engineering access to anything. Basically by calling, being a sweetheart and asking the right questions and getting access to people's things. So where does that fit in terms of the company responsibility when they're putting everything as much as they can in their place? Here, like at AWS too, you'll hear, somebody has security breach at AWS. Well, it wasn't the security of the AWS system. It was somebody didn't hit a toggle switch in the right position. So it's pretty complex versus if you're a food manufacturer, hopefully you have pretty good controls as to what you put in the food and then you can come back and define. So it's a really complicated problem when it's the users who you're trying to protect that are often the people that are causing the most problem. Absolutely and every analogy has its failures, right? Right, right. We'll stick with food for a while. No, I like the food one. Right, it's something you don't understand. Y2K's kind of old, right? Yeah, yeah, but think about like, have we made, I was gonna use a brand name, spray on cheese chip, have we made that illegal? That stuff is terrible for your body. We have an obesity crisis here in North America, certainly in other parts of the world. 
And yet we let people choose what they're putting into their bodies. At the same time, we're educating consumers about what the new food chart should look like. We're listening to maybe sugar isn't as good as we thought it was and maybe fat isn't as bad. So giving people some modicum of control doesn't mean that people are always gonna make the right choices, but at least we give them a running chance by being able to test and separate and be accountable for at least what we put into the ingredients. Right, right. Okay, so what are some of the things you're working on at Cisco? I think you said before we got on there, you have a new report, published study. I do. What's going on? I'm ashamed, Jeff, to be so excited about data, but I'm excited about data. Everybody's excited about data. Absolutely. Let's geek out for a moment. Get dirty with data. So what did you find out? So we actually did the first metrics reporting, correlating data privacy maturity models and asking customers, 3,000 customers plus in 20 different countries from companies of all sizes, SMBs to very large corps, are you experiencing a slowdown based on the fears of privacy and security problems? And we found that 68% of these questions said yes, indeed we are, and we asked them, what is the average timing of slowing down closing business based on these fears? And we found a big spread from over 16 and a half weeks all the way down to two weeks. And we said, that's interesting. We asked that same set of customers, where would you put yourself on a zero to five ad hoc to optimized privacy maturity model? And what we found was if you were even middle of the road, a three or a four, to having some awareness, having some basic tools, you can lower your risk of loss by up to 70%. So that's not a core, I'm making it sound like it's a causation, it's just a correlation, but it was such a strong one that when we ran the data last year, I didn't run the report because we weren't sure enough. 
So we ran it again and got the same quantum with a larger sample size. And so now I feel pretty confident that the self-reporting of data maturity is related to closing business more efficiently and faster on the upside and limiting your losses on the downside. So where are the holes? What's the easiest way to get from a zero or a one to a three or, I don't even say three or four, two or three in terms of behaviors, actions, things that people can do. I'm scratching on my geeky legal underbelly here. And I'm gonna say it depends, Jeff. Of course, of course. You know, couching this and I'm not your lawyer and blah, blah, blah. No forward-looking statements. All those no forward-looking statements. Well, all four weeks, what the heck? We're looking forward, not backwards, but it really does depend on your organization. So Cisco, my company, we are known for engineering. In fact, on the downside of our brand, we're known for having trouble letting go until everything's perfect. So sometimes it's slower than you want because we want it to be so perfect. So in that culture, my coming into the engineering with their bona fides and their pride in their brand, that's where I start to attack with privacy engineering education and looking at specs and requirements for the products and services. So hitting my company where it lives in engineering was a great place to start to build in maturity. In a company like a large telco or healthcare or highly regulated industry, come from the legal aspect, start with compliance if that's what is effective for your organization. So look at where you are in your organization and then hit it there first and then you can fill it up, document those policies, make sure training is fun. Don't be afraid to embarrass yourself. It's kind of my mantra these days. Be a storyteller, make it personal to your employees and your customers and then actually care. I mean, it's a weird thing to say, right? 
You actually should give a relationship with people. So when you look at kind of how companies moved up that curve from last year to this year, was it a significant movement? Was it more than you thought? Less than you thought? Is it appropriate for what's coming up? So we haven't tracked individual companies time over time because it's a double blind study. So it's survey data and the survey numbers are statistically relevant that when you have a greater level of less ad hoc and more routinized systems, more privacy policies that are stated and transparent, more tools and technologies implemented, measured, tested and more board level engagement, you start to see that even if you have a cyber risk, the chances that it's over 500,000 per event goes down precipitously. And if you, again, if you are at that kind of mid range level of maturity, you can take off 70% of the lag time and go from about four months of closing a deal that has privacy and security implications to somewhere around two to three weeks. That's a lot of time and time in business is everything. We run by the quarter. Yeah, well, if you don't sell it today, you'd never get today back. You might sell it tomorrow, but you never get today back. All right, so we just flipped the calendar. I can't believe it's 2018. That's a whole different conversation. So what are your priorities for 2018 as you look forward? Oh my gosh, so I am hungry for privacy engineering to become a non-niche topic. We're going out to universities. We're going out to high schools. We're doing innovation challenges within Cisco to make innovating around data a competitive advantage for everyone and come up with a common language so that if you're a user interface guy, you're thinking about data control and the stories that you're telling about what the real value is behind your thing. If you are a compliance guy or girl, how do I efficiently measure? How do I come back again in three months without having compliance fatigue? 
Because after the first couple of days of enforcement of GDPR and some of these other laws coming to force, it's really easy to say, well, it didn't hit me, I got no problem now. And that is not the attitude I want people to take. I want them to take real ownership over this information. So it's very analogous to what's happening in security in terms of just baking it in all the way. It's not a walled garden. You can't defend the perimeter anymore, but it's got to be baked into everything. It's no mistake that it's like the security world. They're about 25 years ahead of us in data privacy and protection. My boss is our chief trust officer who formerly was our CISO. So I am absolutely free-riding on all the progress that the security people have made. And we're just really complementing each other's skills and getting out into other parts of the business in addition to the technical part of the business. Exciting times. Yeah, it's going to be fun. All right, well, great to catch up. And we'll let you go. Unfortunately, we're out of time, but we'll see you in 2019. Data Privacy Day. Data Privacy Day. She's Michelle Dennedy. I'm Jeff Frick. You're watching theCUBE. Thanks for tuning in from Data Privacy Day 2018.