Grailcast

Ep. 08

Kevin Paige,

CISO at Flexport

Jan 12, 2021

Kevin Paige, CISO at Flexport, shares how his experience in the military helped him accelerate a career in privacy and how leading companies are adjusting to privacy-aware consumers with modern technology and privacy by design.

Text Transcription

Daniel Barber  0:17  

Today, we’re thrilled to welcome another industry leader in security, Kevin Paige, CISO at Flexport. Welcome, Kevin. Yeah, obviously, you know, we’ve been chatting over the last few weeks. But yeah, love, love a brief intro, if you wouldn’t mind, of just your background, and then we’ll get right into it.

 

Kevin Paige  0:35  

Happy to give a quick background. I mean, um, so I’ve been doing this for a long time, when it comes to security. And, in general, you know, I like to say that, you know, I’ve kind of been a defender, you know, I guess a blue person security professional, like my whole working life, which is like 27 or 28 years at this point.

 

I’ve been doing it that long, because I originally when I would kind of first put me down the path was joining the Air Force when I was 18. When I joined the Air Force, they decided that I should do law enforcement. And I’ve always had a propensity towards computers, and really kind of, like a passion to learn. And, you know, even when I was doing law enforcement for the first five years that I was in the, in the military, you know, I was always ended up working on computer crimes cases, or investigations like computers, or just the computer guy, like, Hey, you know, we got a virus or they got we got a thing or, or, you know, back then it was, you know, there wasn’t Windows for Workgroups, I think was first came out, and, you know, everything was still DOS or whatever. So even when we’re using a computer, or you know, whatever, boza WordStar, or some of these old were, you had to, you know, know, the keyboard sequences in order to do anything. And there’s first kind of original networking stuff. 

 

So I started doing, you know, a lot of that stuff while I was, you know, before I was even, you know, in computers, and I guess I had that propensity. And while I was in the military, they moved me into computer operations, and they’ll kind of similar thing, so they got to computer operations, they were like, Hey, you used to do security and defense, and then they’re like, Hey, you, you go install firewalls. I was like, well, that’s not quite what I used to do. You know, like, Hey, here’s some wireless access points, go install them. And then, you know, go make sure they’re secure. Use a VPN device to make sure it’s secure. I was like, oh, what’s the VPN? Like, you figure it out. And then we, you know, being in the, in the government in the military, right, you’re kind of constantly under attack, especially back then. 

 

Right? So I get the opportunity and resources to put my hands on some interesting, you know, defensive tools, when it comes to making sure you know, all the wireless, you know, is secure on our on the on Air Force bases.

 

Daniel Barber  2:39  

First off, I just want to thank you for your service. I feel like it’s so often not appreciated. But during these times, I appreciate it more than ever. So definitely want to thank you for that you took that leap, right over a decade in the military. Commercial, obviously, is very different. What led you down that path? And then what have you sort of seen as you’ve gone down that path? And what’s been a surprise as you’ve ventured into the commercial sphere?

 

Kevin Paige  3:05  

Great question. The, you know, it’s, it’s kind of probably gonna be a little bit of a funny response. But you know, what ventured me in it is I was working in the Bay Area as a government employee, and I had lots of friends who were making way more money than me.

 

Daniel Barber  3:20  

I saw that coming once you said there was friends in the Bay Area. That was that was a quick lift. 

 

Kevin Paige  3:24  

But the funny thing is, is that, you know, when it comes to security and the protection of resources, you know, it’s it’s not that different. However, the big surprise, I guess, like, when you’re in a government, you have resources, and, you know, and the security is made a I mean, not that you could tell by a lot of the things that happened in the government, but I mean, the resources and the and the, you know, are there and available to leaders know, whether they use them correctly. That’s another thing. Right, right. 

 

But in the commercial world, it wasn’t like that, right, there was just not an understanding of the types of attacks that are happening. Like right now, there wasn’t an understanding of kind of what I what, what, what you would call kind of basic security hygiene, and just the amount of knowledgeable people, in security, I’m seeing less right. And the government, there was lots, right, like I was working with, you know, a lot of people that were very knowledgeable. I’ve been doing it a long time. Because, you know, in the government, we’ve been doing security, you know, on on, you know, before the term cyber was, was coined, but we’ve been doing security for a long time. And, you know, unless you’re in a, you know, a large Fortune 500 company that had had been hacked or been breached, right. I mean, most of commercial companies didn’t start their security programs until after a major event, right. 

 

That’s kind of the sad truth. You know, from a surprise perspective was really just that, you know, kind of lack of understanding, you know, so I did do a lot education on on risks, and what could happen and what is happening and then show the evidence of people trying to do that to us. So that was easier to get budget and resources. That was probably the biggest surprise, just total, like oblivious to what’s what’s, what’s what’s happening. You know, and, you know, that’s probably my biggest surprise, but I also saw it as a major opportunity, you know, to a height.

 

Daniel Barber  5:04  

Yeah, that’s great. So I mean, I guess switching gears a little bit, right. So there’s, there’s obviously an interplay between privacy and security. We see this a lot. I mean, that’s how we met each other a couple of years ago. But how do you see global companies they leading with privacy? It’s obviously for some folks, they’re looking to drive competitive advantage. But how do you how do you see that given your experience?

 

Kevin Paige  5:28  

Yeah, I think it’s been super interesting to kind of watch what’s happened even just the last couple years. Right. And I, I think that I mean, I honestly think that GDPR was a driver of a lot of the things that we see today, right? Because in Europe, when, where people started saying, like, Hey, your personal information and the protection of it as a basic human right, we in the US didn’t think that all right, and, but I think that once you started to really understand and see what’s going on, you’re like, hey, these guys are right, like, our personal data is our personal data. And we should know what’s happening to it. 

 

And we should have a say in who’s using it and why they’re using it. Right? So we can say that, you know, a bunch of politicians, you know, maybe they went a little overboard by telling people how to protect their data. Because some of it, you know, doesn’t really make a lot of sense. And, you know, and probably isn’t the best advice, but it’s coming from a good place with good intent. You know, and the, and the idea behind it is fantastic. And I think that kind of probably the areas that I see is when privacy is like an entirely legal thing, right? Because, yeah, privacy are laws about how to protect personal information. But at the end of the day, if we’re saying that privacy and protection of our information is a basic human right, then it should just be a data security issue, right? Like we should, you know, you always encrypt your data, you always have good authentication, authorization, access, auditing, your confidentiality, or integrity, are in a good spot, you know, and you’ve got those fundamentals in place. 

 

You know, what you should, and you think about it, from the beginning of when you’re building a system instead of, at the end, when you’re worried about getting, you know, sued or fined by a government agency, then I think it puts you in a great place. And I really think that’s how people need to look at it, right. It’s it’s a, like privacy, maybe laws. However, the protection of personal information is a data security issue and an information security issue. And, you know, and we need to put the right controls and the right technologies in place, and the right mindset, when we build systems. And if we do that, I think privacy just becomes a footnote in the future.

 

Daniel Barber  7:37  

Yeah, that’s super interesting, a question that we ask every speaker, you know, I’d love to know, what you read or where you go, or, you know, what are your sort of top three sources that, that you use as a security pro? And if anything related to privacy, that’s great, but always just interested in the sources that people go to? 

 

Kevin Paige  7:57  

Yeah, yeah, I mean, I’ve been doing this for a long time. So I’ve got tons and tons of sources. But I mean, kind of, I guess, I kind of bucket it into three areas. So I’ll bucket a bucket into three. Bucket number one is that I think, as a security professional, we need to understand the things that we’re securing, right? If it’s technology, and I happen to be a technology, you know, a security and privacy professional, that I really want to understand how technologies work.

 

So I spend a lot of time reading O’Reilly and, and reading Medium articles looking at the technologies and capabilities that my IT and engineering organizations want to use and implement. So I can ask smart questions, and I can understand our risk levels. Right. So I know so I you know, I think probably O’Reilly, you know, I’m always reading an O’Reilly article or a webcast. Me that’s probably one of my one of my go-tos. But you know, with a lot of like, really up and coming futuristic technology, sometimes, you know, sometimes you’ll hear some engineers or some security professionals post them on, on Medium or some other some of these other conglomerate sites. So I think that my education on technology, kind of is my first my first go-to so you know, I like I like a lot. Personally, I think it’s pretty good.

 

And my kind of second one into kind of a, you know, what’s, what’s kind of real time information, right? And because there’s lots of real time information coming in Twitter, there’s lots of people communicating on Twitter, and Reddit, right? So Twitter and Reddit, I think, great sources, great, great forums. And then you find the people that are giving you a practical information and people that are really trying to share, then they’re the great, the great tools for getting kind of like real time, you know, short tidbits of information, right? And then you can go do whatever you want with it, right? You can do some more research or you can be like,

 

Daniel Barber  9:32  

Right, maybe as a starting point.

 

Kevin Paige  9:34  

Yeah. And then probably my third thing is probably more security and privacy related, right. And I think over the years, I use this tool, I think it’s called Feedspot. And it’s basically an RSS reader. And I probably have like 1000, you know, websites on there and all that stock ones that probably everybody knows, you know, whether it’s information from SANS, you know, what they’re thinking about, or talking about from a security perspective, or, you know, Bruce Schneier’s, you know, blog, which is amazing, right? Even Hacker News, Packet Storm, retros. Right? Like, oh, like, they’re all, I don’t go to them individually, but you know, I’ve got an RSS feed. Yeah, it probably has 1000s of things on there writing everyday, you know, just going through the RSS feed CMC, and if there’s anything new or interesting on there, but yeah, that’s kind of how I bucket information. 

 

I think that, you know, that’s all you have to do, right, there’s so much information out there that, yeah, if you can find a good, you know, RSS reader, and, you know, just go out there and pick everything and just watch it all come through, and then just filter out what you don’t want to read or just not read it or mark it not read. And if you want good information, right, the more sources the better. You get RSS reader or some other kind of information conglomerate tool that can, you know, helps put you in a good spot and get you all kinds of all kinds of kind of real time information or, or just educational information or, you know, or just, you know, kind of various aspects of technology, security, privacy, you know, etc.

 

Daniel Barber  10:59  

Obviously, you’ve been doing this for a long time. And I’m sure there are many folks that will listen to this one and think, wow, you know, impressive track record, how can I go down the path that Kevin has, if you were, you know, sharing with a listener, trying to take the same path? What would you share as sort of your one point of advice for someone who’s just starting out in their security career or privacy career?

 

Kevin Paige  11:21  

Yeah, I think from a security or privacy perspective, you know, I kind of have this fundamental thought of really understanding the areas of that I’m trying to protect or defend. And, you know, I say that, you know, if you’re starting out in security, and you’re a security analyst, or you’re, you know, your security operations person, really spend time to understand the systems and the technology, if you’re privacy, really understand the personal data, really understand the interactions between the systems, you know, go deep, right, don’t just take superficial answers, like, go deep go deep thinking, and I think those are two, you know, some values are to really, really live by and, you know, you really want to not just be a person who’s overseeing things, but you want people to come to you and be able to really understand those types of questions. Right. 

 

And if you’re coming up, the more knowledgeable you can be, more help you can be makes you a more valuable resource, which is going to help you get promoted faster, right, more valuable resource you are, the faster you’re going to get promoted. So that’s kind of kind of my my advice.

 

Daniel Barber  12:20  

Sound advice. Well, thank you, Kevin, for coming on the show. And yeah, look forward to chatting again soon. 

 

Kevin Paige  12:27  

Thanks, Daniel. Thanks for having me, this was great.
