Conversation with Prithvi Rai

Prithvi Rai is the founder of Borneo and is now on a mission to empower security practitioners in their journey to "Securing user trust" using Borneo's real-time data security and privacy observability platform. Before this, Prithvi spent two decades in leadership positions as the Senior Director Engineering and Global Head of Security for Uber, Facebook, and Yahoo!.


Prithvi also sits on the Board of HTX, is an Entrepreneur in Residence at INSEAD, and is an active investor and advisor to numerous technology startups and VC funds.



As you may know, in these conversations I usually focus on Data aspects. But before we get into the meat of the matter, I would also like to review your great trajectory in the Security arena. You started your professional career at CyberCash, in the field of secure payments on the Internet. Tell me a little bit about what brought you there and what your main responsibilities were as Infrastructure Engineer.

CyberCash was one of the pioneers in online payments, and one of the main responsibilities of my team was building and operating secure and resilient infrastructure, which was crucial to the success of the company's real-time payments platform. I learnt a lot working with some of the top technologists, especially the importance of security for payments.


Then you moved to Yahoo! You spent almost eleven years there and you ended up being Head of Global Information Security in the Asia & Pacific Region. I am curious to know the scope of the Information Security & Risk Management Program you developed and what the role of Data, if any, was in it.

Yahoo! was an epic journey. It was one of the early technology companies that went global; they actually had data centers all over the world, including in China. We faced numerous data jurisdiction challenges collecting and replicating data for global users, which became the key focus of our Security and Risk program, which included: what data we collected; the data use-cases or data handling standards and controls based on local regulatory requirements. And the most challenging was managing cross-border access. This was in the pre-cloud era, which made it all the more complicated. We ended up having local security/compliance representatives in pretty much every country and region we operated in. This approach helped us get consistent in terms of our security review process and implementation of controls.

Yahoo! gave me the opportunity to travel the world and learn from the best.

How would you compare the Security challenges and risks in those days (2000-2010) with the current challenges we face in 2023? I guess the proliferation of AI-driven attacks has grown exponentially, but it is not the only difference.

The goal-post has shifted considerably over the last decade. We went from a centralized managed architecture in terms of network, databases, and application to a much more distributed, borderless model with the advent of cloud, distributed data platforms, microservices and SaaS applications which are accessible by everyone.

The other big change has been that, as the value of data grew exponentially, the attack vectors have changed from the early days of DDoS-type attacks targeted at the infrastructure, which resulted in outages and business disruption, to more modern-day attack vectors that aim at stealing/compromising valuable data, like ransomware. Hence the rise in data breaches and fines. This trend will continue to grow as more data moves online.


After Yahoo!, you spent 5 years at Facebook / Meta, where you were responsible for building and expanding Facebook's Global security program and secure infrastructure. Can you explain to me how you were using Data in the different projects you were dealing with?

Facebook/Meta was an amazing ride, seeing the company cross a billion users. Most manual processes for data reviews just did not scale, so we ended up investing heavily in internal tooling and automation.

We took a very engineering-friendly approach by giving the power back to the data owners, e.g. we built a discovery engine that was able to crawl through our entire data warehouse, identify sensitive data, and prompt the owner of the data to apply the right tags for classification, retention period and justification. We then centrally analyzed this information to apply the right controls.

We used ML extensively for data classification, correlation and anomaly detection to evaluate high-risk patterns and make informed decisions about access privileges. This helped us find the right balance to protect user data without slowing down development velocity.


And then it was time for Uber, where you spent almost three years (2016-2019) as Senior Director of Engineering & Head of Global Security. Tell me also about the role of Data in this period.

Uber was exciting, as the company had a physical presence in pretty much every country, and the regulatory landscape was heating up around the same time. Uber was also a very on-the-ground business, as they had a large number of employees and assets on the ground.

At Uber we had a very complex data set in terms of payment, KYC for drivers, location, and many other forms of telemetry information. Due to the nature of transportation regulations, Uber also had requirements to host data locally in countries like China, Russia, Vietnam, Indonesia, etc. We relied heavily on engineering/infra automation to manage the risk and ensure consistency across the global locations.

You definitely have had an impressive journey in hugely successful hyper growth start-ups…maybe that is the reason you decided to found your own start-up. Jokes aside, let's talk about Borneo, the company you launched in 2020. What is its mission? Which services do you offer?

The inspiration for Borneo did come from my decades of experience as a security practitioner, and learning from working with some of the best folks in the industry. Data Security & Privacy done right will become a huge competitive advantage for companies, sectors, and countries. At the same time, Privacy gone wrong can kill a business. There is going to be a 300% increase in expected class action lawsuits by next year. The risk of bad privacy practices is skyrocketing.

Large companies like Facebook, Google, and Apple spend hundreds of millions of dollars hiring the best security talent and building custom in-house solutions for privacy data management. They understand that having the best tools for managing and protecting customer data is a huge competitive advantage (perhaps their most important competitive advantage) and a critical part of maintaining user trust.

Most startups do not have the same level of resources, skills, or tools, and their inability to do so has resulted in a significant “Privacy Debt” (the hidden cost of handling private data in a non-uniform or non-centralized way in a subsystem that is part of a larger architecture). This Privacy Debt prevents companies from fully realizing that data’s value and, just as critically, makes the data vulnerable — increasing potential data breaches that erode user trust.

I wanted to take my learnings, experience, and network of practitioners passionate about privacy to build Borneo with the mission to empower companies to protect their customer data and improve user trust.


What I find interesting is the convergence of two worlds (Security and Data), which, at least in my experience, have been quite set apart. Thoughts on this? You can disagree, of course.

I agree 100%. Data is your most valuable asset today; we are living in a data economy, where every company has become a data company.

The right way to do security is to take a very data-centric approach, i.e. understanding what you are trying to protect will define how you must protect it. Much of the new security tooling will have to evolve to make it work well for our data practitioners, as they are the real custodians of data in today's world.

In your own words, what is Data Observability? And Data Security?

Data Observability: to understand the health and state of your data and data systems, at any time and point in the data lifecycle.

Data Security: Starts with understanding the risks to your data, applying the right set of controls to safeguard your high risk data, and having continuous monitoring and policy enforcement.

The Borneo platform blends the above to give you what we define as true “Privacy observability”, which is about addressing the growing complexities of privacy compliance management: the deep understanding and wide management of privacy compliance of your data and data systems (in real-time), at any time and point in the data lifecycle.

Are you using any ML model for the Security endeavors? If so, what was the approach in terms of models and Data infrastructure?

Great questions. Data volumes are growing at an exponential pace, and so is the variety of data that’s collected. Today we have PII in structured and unstructured data, logs, images, voice snippets, etc. Understanding the risk of how this personal information is handled, used and stored is really important from a visibility and risk mitigation perspective. We used ML models for automatic data discovery, classification and correlation, e.g. automatically detecting passport numbers in data sources and classifying them based on risk or compliance rules, and most importantly, understanding the risk correlation based on metadata and security configurations.

The Borneo platform does it end to end, automatically and in real-time as data flows. 

Beyond having the right tools, which profiles does a company need to have to address Data Observability, Compliance and Data Security challenges? 

A Data Security Engineer, along with a strong compliance lead who understands the regulatory obligations, and a strong partnership with the dev-ops and data teams, as they are the actual owners of data, data tools and data infrastructure.

Finish this sentence: Data Security is the responsibility of….

Joint responsibility of the Compliance/Security/Data teams

Many companies are investing in new “Data-repositories” (Data Lake, Data Mesh, etc). How does this affect the Data Security and Data Observability strategy?

We need to ensure the data security and observability strategy encompasses all data repositories. It starts by making sure you have full visibility of your data footprint and data lifecycle.

One collateral topic: one of the hottest topics in the Data space is the lack of transparency of certain algorithms (particularly those based on Deep Learning) and also the potential biases and discrimination they can bring. What is your take on that? How can we be better at that?

This is definitely a hot topic. I think it starts with understanding the intent and what outcome we are expecting, and then having checks and balances in place, which sounds easy in theory but is hard to implement/measure. I definitely agree we need to get better at it; unfortunately I am not an expert in this area and don't have good answers on the solution.


And looking ahead, which are the main changes you foresee in the next 3-4 years regarding Security and Data Observability? 

Data-centric security/observability is in its early innings and will continue to be one of the fastest-growing segments in terms of innovations and solutions, for three reasons:

  1. Data Visibility and Control – More and more companies are now concerned about the risk to their valuable data, the legal ramifications of data breaches, especially to C-level execs, and the new privacy regulations being enforced globally.

  2. Cloud adoption – Data is moving to the cloud at record volumes and pace. This presents new challenges to security practitioners for data discovery, policy enforcement, and data security posture management.

  3. Automation and Budget Consolidation - The economic downturn is forcing companies to re-evaluate their headcount and vendor strategy. This will drive a need for automation to do more with fewer people and also step away from point solutions to a unified data security platform for cost optimization.
