Grailcast

Ep. 11

Vanessa Pegueros,

Chief Trust and Security Officer at OneLogin

Mar 9, 2021

Vanessa Pegueros, Chief Trust and Security Officer at OneLogin shares how the privacy and security landscapes have changed in the last 12 months and why trust has become an advantage for OneLogin customers.

Text Transcription

Daniel Barber  0:17

Today, we’re thrilled to welcome another industry leader insecurity, Vanessa Pegueros, Chief trust and security officer at one login. Welcome, Vanessa.

 

Vanessa Pegueros  0:27

Thank you, Daniel. It’s nice to be here.

 

Daniel Barber  0:29

Yeah, like I said, when we first spoke, I’m really impressed by your background. I feel like you’ve covered so many different industries. Perhaps you want to just give us a bit of an intro to get us going?

 

Vanessa Pegueros  0:39

Sure, yeah, I have been in as you mentioned, many different companies, I think I’m on company number 13. In my career, different verticals. I’ve been in banking and telecom and SAS in e commerce in more recently with a company called one login and security. Definitely had a I’ve always been from the start in technology, had an engineering undergrad degree, really loved technology and continued to love technology.

 

About 18 years ago, I got I always tell people secure ID and choose security security chose me. And that launched my career, there was a pen test assessment that was done at a company the results weren’t great. So they say who dedicated director to go fix security, I got called. And they said, you’re gonna fix security. So that’s how I ended up in insecurity.

 

Daniel Barber  1:35

That’s cool. Yeah. So yeah, I mean, you’ve got such extensive experience across, you know, some really large companies, a few that sort of come to mind that I that stood out for me, you know, DocuSign, Expedia, at&t, among just many to your point, how have you seen the landscape evolve? And, you know, particularly perhaps, over the last 12 months, given the digital transformation that we’ve seen so quickly?

 

Vanessa Pegueros  1:59

Yeah, I mean, I can go back all the way in pre iPhone. So without the iPhone, and I would say, there is something really special about the iPhone that launch to the true mobile experience. And I think that’s really when I started to see like security explode is something that people needed to pay more attention to. And so I was at at&t at the time, and we launched the iPhone. So I’ve been there since I remember I had one. Yeah, they looked a little different. But yeah, yeah, very different than the phones previous to them.

 

So yeah, I basically knew like the world was different. Once we launched the iPhone, I didn’t realize how different it would be. But I think I’ve seen like a probably in the last six years, the escalation of attacks, the sophistication of the attackers growing the involvement of whether organized crime or nation state, which, which had always been involved, I just seen it, it seems to be it’s like this democratization of security tools and weapons that can be used by anybody. That is really like made it such a global challenge.

 

And I think in the last 12 months, I think, you know, what the acceleration of digital transformation, I think it’s, I’m personally happy that we accelerated a lot of the change that we do, I know a lot of companies and feel that way. But with that acceleration of change, I think companies have realized how far behind they were in some cases, as well as not having the right talent to necessarily manage that. That acceleration of technology. So so it’s not, it’s not simply just a tool. It’s having the people who understand how to really run those technologies and operate them. So but I think overall, it’s we needed that shot in the arm have no pun intended with the fact that we needed that to accelerate the digital change that has occurred in the last 12 months.

 

Daniel Barber  4:05

That’s an interesting perspective. I hadn’t even considered the iPhone as sort of the catalyst there. But you’re probably right, that changed the way we operate with our phone and became the starting point for a mobile generation. Really, like the phones prior were pretty, pretty primitive. Really?

 

Vanessa Pegueros  4:20

Yeah. Remember trying to have to type in a text message on the keypad? I think the Europeans did it way faster than the right way. The Americans never caught on to that and thank you. Amen. staples.

 

Daniel Barber  4:32

Yeah, yeah, I think so. Yeah, I remember all too well, might not be here. And I am glad I have an iPhone. That’s all cool. Yeah. I mean, shifting gears a little bit. Right. I think, you know, we were talking about just before this sort of the interplay between security and privacy and how some teams it’s all under one roof and other teams, they’re, you know, separated. I would love to just get your sense like what you see across one login customers and just your peers how you see security Teams sort of engaging in this field of privacy.

 

Vanessa Pegueros  5:02

Yeah, I think initially when security Well, first of all Europe has been, is far much mature around privacy than the US. And I mean, GDPR, there was laws, even priority GDPR that were focused on privacy. So I think we’re playing catch up in the US. I think when GDPR first hit, it was pretty much handled by the legal teams, you know, and, and I think that really missed the point of true privacy, which there are a lot of operational elements of privacy that that legal teams simply don’t understand or an honor involved in.

 

So for me, there’s a real this real strong line between legal privacy elements, and then operational privacy elements. And I think, where all the real meaningful stuff happens is on the operational privacy elements. And I think, when you look at the operational privacy elements, it’s like, you know, where is the data stored? How are you securing the data? Can you delete the data? If a customer asks you to delete the data? Do you have the mechanisms in place to do that in an automated and scalable way? These are things that I think you have to have your technical teams thinking about, you have to you have to have the people who are designing the systems be thinking about privacy by design. So I think there are some great synergies when you have privacy embedded together with security, because I think they think they think very, like on many issues.

 

And it’s also a very much the same challenge security has sometimes which is you don’t want to bolt on privacy, at the end, it becomes very expensive and sometimes impossible to do. So you really have to hit privacy on the on the upfront processes similar to you was a security. So I think there’s a lot of similarities there, even though the people who handle privacy, and the people who handle security seem to not always want to mesh together. But But I think that there are they have more in common than they do, then they have differences. And so I have personal responsibility for both those functions in my team, and it’s worked well, they complement each other, they can help each other. And it’s pretty optimal. We’re a small organization, but and so I know it’s not optimal. Like that’s not how all large companies can operate, because, but, um, but I do think you have to think about you can’t operate in complete silos, and that I think that’s a dangerous formula for privacy.

 

Daniel Barber  7:35

Yeah, interesting. I think, you know, being on the vendor side, would love your commentary on our next point here, which is just, there’s obviously this trust movement, and we’ll talk about this more as we keep going. But, you know, how do you see trust as a competitive advantage? I mean, it’s, it’s in your title today, right? There are people who choose to mention trust. And there are folks that are just looking at security. And I feel like trust is the path of where we’re going. How do you see that in? Perhaps your peers, and also, perhaps customers one login?

 

Vanessa Pegueros  8:06

Yeah, I mean, trust is a very difficult thing to do. First of all, how you gain it, and then it’s a little more clear how you lose it. So gaining trust can take quite a long time, depending on what you’re trying to sell to your customers. And I think that when you’re a security company as one log in is, it’s key that your customers trust that your product or service, so if they can trust your service, that it will be have good security, quality, that it’s reliable, that’s available, they can trust those elements that and they can trust the relationship they have with you, which is simple things like do what you say you’re going to do.

 

If you are going to follow up, follow up with me, let me know. And so it seems like yeah, that’s all like not really very interesting technical stuff. But it’s about human relationships. It’s about managing those relationships and your products, they enhance or they can destroy that relationship, depending on on how good they are not. So and if you look at the world today, there are so many different options for vendors and using different you know, it seems like the ecosystem of third party vendors is even more, you know, there’s just so much options. I think customers have to like distinguish something and trust is like a really element that they can really, do I trust this person that I trust the salesperson do I trust his customer service rep. And so I think it’s even because it’s a really key competitive advantage.

 

And it contributes at a business level, not just a technical level. So that’s one of the reasons I wanted to do my title. And I think it’s so important for all businesses to consider trust as a you know, competitive advantage.

 

Daniel Barber  9:56

Yeah, that’s that’s really compelling. I hadn’t entirely thought through it as at a human level, that’s really what you’re you’re trying to achieve first, even before you touch product, right? I think we so often go to product tests, like, Do you trust the product? But to your point, do you trust the person that you’re interacting with first that comes before you even see the product? So yeah, that’s an interesting point.

 

Vanessa Pegueros  10:20

Also, Daniel, if you have trust, if you make small mistakes, your customers will tend to like, they’ll give you a little bit of flexibility. If they you’re not clear, they trust you. And you have a small mistake. They might just say, That’s enough. But it’s just proving you know, it’s proving to want to do business with you. So it’s also a sustainability element, you know, having that trust, allow you to be take a long term relationship. Long term. Yeah.

 

Daniel Barber  10:48

Yeah. Yeah, that’s interesting. So as we go onto the rapid fire round, so the next couple here, I always love to ask folks, especially on the vendor side to just, you know, the information sources that you’re reading about everyday as sort of a security Pro. What are those those resources? And perhaps just like your top three, if you will? And where do you? Where do you go to learn about privacy? Like there? Are there any sources that you see is a trusted source, pun intended? Maybe you want to share, share a few with us today,

 

Vanessa Pegueros  11:19

I have a little bit of a broad kind of perspective on this. So like I being being a board member on some companies, I do look at the NACD director daily, which a subscription to but it just talks, very broad out topics and elements around business. And they are cybersecurity is a huge element. And privacy is a huge element of topics on that. So board members are starting to see that SC media cloud security is another one that I looked at.

 

There’s also this bulletin we get a daily I don’t know if it’s paid for but it’s called smile on Friday. And it’s a summary of all that have happened. And then say no. Yeah, for privacy stuff. I I like to I do go to the i p what I IPP. Yeah. I do look at things there. But usually, I’m starting to see more privacy type things just pop up with the security articles. So they’re starting Yeah, yeah, you know, those two things come up. So there’s a main their main areas, and then I do get kind of tailored intelligence briefings from some of the vendors, we work on intelligence, right? Oh, I look at those. And those are like usually 810 page documents that I will sit down and read at some point. Yeah.

 

Daniel Barber  12:39

Yeah, this has been great. So the one question I always ask, and listeners definitely enjoyed this one. If you could offer sort of one piece of advice to folks perhaps starting their career in security or in privacy? What would that be?

 

Vanessa Pegueros  12:53

Yeah, so um, I’ve thought about this a little bit. And I think I would have to say that go work for a small company that wants to use security, but doesn’t really know how to do it completely. You’re going to like, learn a lot in a very short amount of time, and you’re going to be exposed to things you have absolutely no idea what to do. I think that it’s a great way to get your feet wet and understand, hey, I really like this part of security.

 

I don’t like this part of security. Because security is so broad and compliance related stuff. You could do detailed technical stuff, but part of it is discovering what element Do you really love. And then once you figure that out, you start diving deep into that particular element. And once you dive deep you develop your expertise might happen to be network security, and then you’re able to branch off into leadership and doing other kinds of things. But you always like have to have a core area, you’re really strong. And because you need that credibility with people that you work with and people that might be working for you.

 

Daniel Barber  13:57

That’s so interesting, your choice of words there of just like finding something that you love along the way. That’s the thing that I’ve realized around like development and employee development. If you find out something that you really enjoy doing, even if you’re not really that good at it, you’ll figure it out because you just enjoy doing it. So it’s just an interesting point that clearly you found too. I think that sound advice for folks starting out in their career.

 

Vanessa Pegueros  14:21

Yeah, I enjoy reading. People used to give me a bad time about the books I read. You like reading a technical book, you’re reading whatever and I’m like, actually like it

 

Daniel Barber  14:35

but I enjoy this.

 

Vanessa Pegueros  14:37

Yeah, going for it seems it’s a lot less effort when you go towards something you love a lot less grade.

 

Daniel Barber  14:44

A grade. Well, this has been great Vanessa, thank you for tuning in. And you can hear Vanessa’s podcast on all of the major channels. So your Spotify SoundCloud Google podcast. Thank you for joining us for this And I look forward to seeing you again soon.

 

Vanessa Pegueros  15:01

Thank you, Daniel.

Share

Stay informed on privacy regulations, weekly insights, and the latest GrailCast updates with our weekly newsletter.