Hey, welcome to another post-Tweet Jam takeaways, and Dana, thanks so much for joining today. It's a pleasure to be here with you, Christian. Thanks for having me. So why don't you introduce yourself and then we'll just jump into the topic here. Sure. I'm Dana Simberkoff and I am the Chief Risk, Privacy and Information Security Officer at AppPoint. The topic today is perfect for you. It's Making Collaboration Secure. I know that with the questions, we'll run through each of those today and I think that the, I hear my dog upstairs as we're recording, but as I'm interested in hearing people's opinions about what they're doing, it's always interesting to get some validation of things that we're doing or to identify your arguments for and against. I think what's interesting, the research that I've participated in firsthand over the last decade, year after year after year, whether we're talking about a specific tool or platform like SharePoint or Microsoft Teams, or we're talking about the broader knowledge management space, inside and outside the Microsoft ecosystem, security has been the number one concern all that time. In fact, at a startup that I was in back in 2001, 2002, we had a hosted collaboration platform where we had dedicated cloud platforms. We weren't referring to it as cloud, but a dedicated environment. Cloud is just somebody else's computer, yeah, okay. Yeah, but we had that environment and trying to get those first customers to adopt SaaS solutions and things. Again, it was all about security and back then, it was probably more true that they could be more secure, their policies were stricter, their standards were higher than a lot of the service providers. We've come a long way though. Yeah. 
I mean, I was chatting with somebody the other day about the evolution of IT, and IT teams were really created when everything was in a room in your company, and that's where all your servers stood, and all of the hardware and software was really contained and managed by you inside of your environment. There has been a huge evolution in all of those things. Well, let's jump right in. So question number one, we asked, is collaboration security an active component of your internal and customer planning? Why or why not? Yeah. I mean, I think that you need to make this a priority inside of your organization, and certainly at AppPoint, it's part of our culture, it's part of our message, because I think that you have to balance security concerns and build them in, build in security by design into whatever you're doing, because people only share things that they are comfortable sharing. If they share information or work together on a project, and that leads to a data leak or inappropriate access to information, then that kills confidence. Not only can it create regulatory and legal problems for your company, but it erodes employee confidence, customer confidence, and shareholder confidence too. So I think it's a fundamental component. It's almost like a three-legged stool, where security and collaboration have to work together to enable the business to function. Well, and if you're having that as part of your change management practices, as part of your governance body, as you're developing solutions, again, whether you're building your intranet and your content and data management policies internally or building a product that you're going to go out and sell. 
If you have all of those players at the table that can answer the question, like, it's great that you came up with these features, but here are some of the risks from a security standpoint, is there a different approach to providing that feature or solving that requirement that allows it to be compliant and secure? Yeah. Well, I'll tell you that from a security perspective, if you make things so secure that you impact usability, then your end users will go around your system. So you really want to make it easier for people to do the right thing than the wrong thing, and you want to build the better future inside of your technology stack with controls that allow people to drive that car faster. I use the analogy all the time of brakes on cars. People think they're there to slow you down, but the first cars were invented without brakes, and you had to drive really slowly and carefully. And without seat belts. Exactly. No brakes and no seat belts. Exactly. So those things, those are the brakes, and security and privacy controls are the controls that allow us to optimize our use of data to drive faster, to really excel in our businesses, whatever they are. Without those controls, we have huge risk that makes it untenable to go forward. Well, question two is right on this point: would you say your organization prioritizes usability over security or vice versa, and why? Because I kind of jokingly commented in there about this, it's the chicken or the egg, like which do you do around approaching this? And that's why it needs to be this iterative process. It needs to be an ongoing conversation. Yeah, I mean, I think they're inextricably intertwined, so I'm not even sure that that's a question that can be answered. I kind of think about it in a slightly different way. You have to say what you do and do what you say and be able to prove it. 
So you have to balance, again, those security priorities with what the purpose of your application is, and if you build a room that no one can get into or out of, then nobody's gonna go in or out of the room. Maybe that's the requirement, that's what you want. Yeah, I mean, if you're building Fort Knox, right? I mean, that's- It's gonna have my Star Wars figure collection in that room. I think the reality is, look, we can't protect everything from everyone, so you have to take a very pragmatic approach to prioritizing what you're protecting from whom. Because the other thing as security professionals is, we have to get it right 100% of the time. And everybody else that may be creating a threat, whether it's an intentional or unintentional insider or outsider. And most problems come from unintentional insiders that are just doing their jobs and making mistakes. They only have to make one mistake. They only have to click the wrong link once, and every company has somebody that will click anything. They only have to click that one time to put everything in jeopardy. So there's no perfect security and I think you have to find that balancing act. I remember I was doing a session in San Francisco giving a talk and I asked the question into the room: does anybody here believe that they have a 100% secure environment? We're talking about SharePoint at the time, a SharePoint environment, and one hand went up. But I'm like, all right, I have to hear this. She says, all of my users have read-only access or view-only access. Yeah. And I was like, okay, well, even then I would argue. You could take a picture, right? That's right. Yeah, there's other interesting. And then we started joking about, if not for these end users, if we could have an end-user-free environment, that would be that room that no one could access, that just exists out there and has my Star Wars figure collection. 
Exactly, total automation, no human intervention, but that's not the world we want to live in, right? No, no. Well, question three is, what are your primary collaboration security concerns and how are you mitigating those risks? So what does keep you up at night? What risks? Well, I think there are pretty foundational concepts, right? It's the one that I already mentioned, which is you have to say what you do and do what you say and prove it. But then I think it really then fills in on a more practical level to data. What kind of data do you manage? How do you create it, collect it, use it, share it and end-of-life it? Where does it live? What are the containers it lives in? How are they managed? How are they provisioned? And people: who has access to data, do you have least-privilege access? How can data be shared externally and internally? So it's really the information, the place and the method of transmission, where data is stored at rest or in motion and then ultimately archived, and then people. All three of those things are equally important. I also think at a foundational level, we protect what we treasure and we improve what we measure, right? So if you don't know what you have, and you can't measure your ability to protect it, then it's very difficult to improve. That's one of those concepts that I might go back to business school and operations management class for, learning about W. Edwards Deming and the process of that continual improvement, so the Kaizen concept. But what that forces you to look at is like, look, we're meeting our requirements and fine. It's like, there are no alarms going off, things are moving along fine, but as people are using it, you're finding other opportunities. You know, we've misclassified some information, so the measurements were correct, but we didn't have everything in there. And so by constantly looking at, constantly refining, constantly asking those questions and improving upon that, there's always something to go and do. 
New data is always coming in, users' understanding of what they have access to, what they don't have access to. Those things change, the technologies of course that we use change and evolve, so we need to constantly be reviewing and iterating on that strategy. Yeah, I think it's very similar to the role which came into fashion a couple of years ago now, this idea of a chief data officer whose job it is to optimize and make sure that we have quantitatively and qualitatively really good functioning and performing data, that integrity of information is very similar to the security framework. We wanna make sure that we're protecting and curating the right information and that it's getting into the right hands, right? You wanna give people access to what they should have and not give them access to what they shouldn't have. Well, and that's also, it's interesting, on the qualitative front of that too, by looking at it from that perspective, how are people actually using it? Are they successful in getting their work done? Do they enjoy using the solutions or is it just a struggle for them to get in there? And so that's, we go back to that previous question of that trade-off between those two things, and a lot of times you can't be unsecure, but you then have to look at, okay, how are we, we're now compliant, we're now secure, how are people working, and there's another whole place to iterate on and improve on those plans because people may be struggling to get their work done. Totally, I mean, we don't wanna- Shadow IT comes from. Exactly, exactly. And you wanna build better, right? And you wanna make sure that you're constantly improving, glean the program, making sure that you're moving the bar forward, and I see security as a service to the business, as a service to our employees, as a service to the company and as a service to our customers. That's our mentality and I also see it as everybody's job. 
So that's, I think it's very easy to say, oh, my security team is gonna take care of it, but it really begins with every single employee in the company and their commitment to making sure that they understand how they should be securing their environment, how important it is. Similarly with privacy, this is really a culture, it's not something that is just somebody else's job, it's all of our jobs. Sorry for that ringing phone, I am turning that off. Oh, that's all right. Sorry, that's what I had to turn off, my alerts and other things, as much as we try to do and this stuff just happens. That's the beauty of working from home. Yes, exactly. So question four was, how does your organization handle guest access and external collaboration as a whole? I'll just tell you, so I do a lot of collaborating with external groups and with, I run the AppPoint Community Champions program and have kind of all these different things, and I said, I'm gonna make a request and go and build out this team site, and I heard from a couple of different people, it's like, our policy is everything's just so locked down, and let me know if you have trouble getting approval for that. Like I went in and made a request for an external-facing team for this purpose through our provisioning process and in under two hours, it was live. Yeah, so we, I mean, we've tried to make the process, in collaboration with the business and IT, using our own products, using AppPoint products that we provide to our customers, self-service to the greatest extent possible. So we do require that there's a business sponsor and a business need for somebody to have that external collaboration site. 
There are often very valid business needs, but they need to be limited, they need to have sponsors, they need to have approval, they need to be reviewed and monitored and re-certified on a regular basis so that they're not just out there forever, because we need to know who has access to what, whether they're our own employees or external people. If we have a problem or if it's sensitive data, then we need to know, we need to be able to do a forensic analysis on that and see who was able to access it. So. You know, I'm grateful that I learned some of those lessons very early about information management. I was, so before I got married, I was a runner for a law firm, and for about a year after I was married, and so I did all of their off-site storage management and I was very involved where they said, it's like, look, the seven or 10 years, whatever it is, has come to an end on these files and they must be destroyed. We need confirmation that they're destroyed. It was, you know, there was a very detailed process, and so I had a senior partner that I became friends with, was out at his house, you know, delivering, you know, a signed subpoena or something, doing some extra weekend work, and he actually explained to me some of that process and why, what the legal risk was of still having some of that content in place. So I appreciate that process of reviewing those sites because sometimes, hey, I'll be honest, it's a reminder, I go in and realize, you know, hey, that has been stagnant. Do we really need that? No, let's go and consolidate, let's get rid of that and then let's just remove that entity, that site, that site collection, whatever that is, all of the associated content, protect those things which need to be archived, which we need to maintain, and everything else cleared out. It cleans up my navigation. Yeah, and particularly if it's like a project-related site, right? 
So if you're working on something with a customer or a partner and that project comes to a close, you know, there may be statutory, regulatory or contractual requirements for you to delete, you know, that information. And, you know, if you have it, you have to protect it. So I'm a big believer in less is more. If we don't need data, move it along and, you know. Exactly, and the next question fits in with that. It's like, how do you know that you need it or not? And so question five was, how important is information architecture and data governance within your collaboration security planning? Well, it's extremely important. I mean, that's really the key, and I come from a long line, sort of historically in my career, of, you know, big believers that metadata is a love note to the future. And I think the ability to know the origin and the purpose and the retention cycle of information is critical to the ability to use it effectively, because there is such an abundance, whether it's in the cloud or on-premises, of redundant, obsolete, trivial information that actually clogs productivity. So when you talk about collaboration with confidence or collaborating securely, that ROT data, as we call it, makes it very much more difficult for end users to be productive, for people to find things, to ensure that what you're working with is the latest and greatest and the valid piece of information. So it ties to that strategy of, again, the basic security framework that I talked about, which is the life cycle of information. You know, what do you have? Who has created it or collected it? How is it used? How is it shared? And how is it end-of-lifed? That ties directly to the same circle of where does it live? How is it shared? Is it protected in motion and at rest? Where can you share these things? And through what systems? I mean, we have a whole data protection, data handling framework that talks about different types or different classifications of data. 
And the spaces where it's okay to work with it and who can access it. Companies that are public have requirements around material non-public information or trade secrets or protected information that again has to be protected and limited in use, and may go from something that is top secret to public. So you have to have a really flexible information architecture and data governance plan that ties together with your security and privacy protocols. We didn't really get into this during the Tweet Jam, but do you see a gap for a lot of organizations around the rise of chat-based platforms, of Teams, Slack, as well as video? Like video is the new document. There's so much content that's being put out there, and yet my experience, what I've seen, is that it's treated very differently. It's not tracked, it's not, besides storage, there's not the information architecture. Correct, yeah. I agree, I mean, we have regular Teams conversations, chats, video conferences that are recorded that have sometimes very sensitive data in them. And 100%, I think that more instantaneous, and this is funny, but I remember when Microsoft first bought Yammer, this was years ago when I was at a SharePoint conference and the Yammer guys got up on stage and said, Yammer is to Microsoft what a water cooler is to an office, where all these conversations happen around a water cooler, and now they're gonna be available to the enterprise, and everybody was cheering and saying, oh my God, Yammer's so great, which it is, I love Yammer. But I was thinking, well, water cooler conversations are intended to be private, all right? 
Right, well, that analogy may not be as strong, but one of the things that, again, being somebody who's been a huge advocate for social collaboration technology for so many years, and one of the voices that was out there in the SharePoint world for years, and needing that, and I'm a fan of the Yammer platform, but it's because so much of the context of conversation is happening around projects and content, things just get lost, it's just lost because it's not being- It's instantaneous and then it's gone, right? Right, and it needs to, we have to understand the relationship of chat, of the conversation that happens in the margins around the documents, the files, the images, as well as the video. I mean, those three major components, I guess, and this is a broader topic. It's super interesting because even in my own personal experience, we've noticed that you can't capture everything that's being said in the meeting with notes, and so more and more often, we're moving to recording the meetings so that somebody can go back through and actually transcribe them, so wouldn't that be a cool feature of Microsoft? Yeah, that's right, I'm a huge advocate for auto-record for Teams meetings and auto-transcription so that is- Well, auto-record with opt-in. Sure, well, so I'd rather have it by default and then opt-out, but- But that's privacy and security by design and by default, so you gotta be careful with things like DVR. I know, that's me personally, but I understand that, again, depending on the type of meeting- Yeah, of course, and who's in the meeting. Yeah, well, so the next question here, so two more, question six was, with security as the number one concern for collaboration, where are the greatest organizational gaps in security today? I think I just outlined one, I mean, I think you did, I think there's just information that is lost in translation, that is instantaneous and then gone and isn't properly captured. 
I think that there also is a problem sometimes, and it does depend, it's situational, of information overload, that an organization can get sort of so excited about collaboration platforms that they end up with all of these different, we used to call it SharePoint sprawl, but right, sort of like Teams sprawl, where you have all of these different places that information is living and conversations are happening. Now, when we, AppPoint actually has some solutions around this that help make it better, but I think people generally, just like SharePoint was kind of like candy and people got addicted and started setting up all of these different sites, that can happen easily with Teams and- Well, I remember having a conversation, it was funny, after a SharePoint Saturday in Finland, at a pub afterwards with an attendee, getting in a conversation, getting in an argument with somebody in the community, a friendly argument, but around this idea that the problem is that there's too much content out there and we just need to limit the amount of content. It's like, volume of content is not the problem. What we've seen in the last decade, right, is the organization of that, and then the tools, the refiners, the ability, it just brings to prominence once again, yet again, the importance of search. Search is still a critical function in all of this. Well, and search is not only a critical function, I agree with you, but it's also probably one of the most dangerous tools from a privacy and security perspective too, right? 
Because if you don't have that proper information architecture and data governance and data classification and protection framework in place, then search, and some of the other great features that Microsoft has that show you who's talking about what and conversations that may be relevant to you or documents that may be relevant to you, that all can quickly become a security hole where you're exposing confidential, sensitive data that wasn't intended to be exposed. And this happens, for example, all the time, regularly, with things like passports. People will need to post information about a vaccine status or passports or personal sensitive financial data, healthcare information, and they think they're putting it somewhere that's private, but they're actually putting it somewhere that's searchable, and then, hey, everybody has your bank account number. That's a very common one. That's easy to control for, it's easy to prevent, but if it isn't planned for properly, that can be a concern. Yep. Well, the final question was, for an organization at the start of their collaboration planning, what steps or security guardrails would you suggest they begin with? Well, I think that for most companies, and I always imagined that someday I would be in a company that had nothing, had no data, no anything, and we were just starting this imaginary company that was gonna start everything from the beginning, but in reality, that almost never is the case. I actually have never worked with a customer who was brand new and just saying, I'm envisioning a company and I have nothing yet, so I wanna set it up perfectly. As a founder of a startup, that was my experience. Okay, well, that's awesome. We had a green field, yeah. That's awesome. I worked in a startup too, but it was still like, by the time I joined, there was a lot of information already there. So I think there are a couple of critical things, right? First, don't let perfect be the enemy of good, right? 
You have to decide, based on who you are, your industry, the kinds of information you hold, the regulatory and legal compliance obligations that you have, you have to decide how to build security and privacy in. Now, again, most companies already have existing information, so I also think you have to be careful about paralysis by analysis, right? Because you want to make sure that you have both a backward-looking view and a forward-looking view, right? So you have your as-is environment. And I remember talking to many CIOs and security officers about their file shares. And they have this sort of almost repulsed reaction and say that that's a toxic waste dump. And I'm not gonna look at it because I know that there's all kinds of sensitive data buried there. But then they'll come along and it'll be time to move to Office 365 and everything just gets lifted and shifted. It's the cloud, where it's now searchable. So not knowing is never better, in my opinion. You're better off to know what you have and have a plan, from a regulator's perspective and from a sort of, again, that building of that trusted environment with your customers and your employees. So have a plan, make sure that you have a backward-looking plan that looks at what you have and a forward-looking plan, because you can draw a line in the sand, right? You can say, this is where we are today. This is where we wanna be. This is what our ideal environment should look like. And so any net new content, any net new sites are gonna be built this way. And we're gonna take a holistic backward look at doing that ROT analysis of what we already have, cleaning it up and then migrating it. And if you build that new solution, that ideal utopia that has security built in properly with great usability, then people will want to move to that site. Look for volunteers, look for advocates in your organization, look for people who are gonna be your security champions, because they're always out there. 
We have tons of them at AppPoint. We're very lucky to have great collaboration across our, really around the world, people that help us do this gracefully, where we stand on the shoulders of champions because we have so many really amazing colleagues that understand how important this is. Well, Dana, I'll just, with that, I think that's a great place to wrap up on. Really appreciate your time to participate in the Tweet Jam as well as come on for a little bit extra, the after-hours party here. Oh, excuse the 101. But really appreciate it. Important topic, looking forward to, well, having this out live, and I'll provide some links that of course you can find if you're listening to this on the podcast. Find out more. I'll have Dana's contact information and some more links to some of the things that we're doing at AppPoint so you can have a little more insight into our perspective on that. If you just go to buckleyplanet.com, you'll be able to search for Dana and you'll find her on the blog. So Dana, thanks so much. Thanks a lot, Christian. Take care, everybody.