ALYNMENT - Private Networks Technology to Business Alignment for Enterprises

Ep # 36: How Secure is Our Data? - with Nancy Wang, Amazon Web Services

December 06, 2022 Ashish Jain Episode 36

Telecommunication networks never stop evolving, moving in less than 15 years from 3G to LTE to 5G, and having our data move from on-site to the cloud and to the edge. But what does this mean for the security of our data? With the rising adoption of connected devices & applications, enterprises are at a greater risk of data breaches, ransomware, and new types of attacks. How should CIOs rethink security, and what choices do they have? Let’s find out.

Our guest for today’s podcast is Nancy Wang, General Manager for Amazon’s Data Protection and Governance, where she oversees P&L, product, engineering, and design. Before AWS, Nancy worked at Rubrik as the Head of Cloud SaaS products, as well as at Google and Deloitte. Nancy is also the founder of Advancing Women in Tech, an organization that trains and coaches women to be leaders in tech. The organization has grown to over 16,000 members in only five years.  

Briefly, she has extensive experience in the data security field and brings unique perspectives to new technology adoptions. 

In our discussion today, we will uncover a few things, such as:

- The changing landscape of cloud & edge and how it impacts data security
- Will 5G add a new dynamic to the cloud and edge security?
- How has data security changed over the years?
- How should CIOs of wireless-first enterprises think about security? And last but not the least,
- The growing role of women in technical leadership roles.

So, let us welcome Nancy Wang. 




[0:00:02] Ashish Jain:             Telecommunication networks never stop evolving, moving in less than 15 years from 3G to LTE to 5G and having our data move from on-site to the cloud and to the edge. But what does this mean for the security of our data? With the rising adoption of connected devices and applications, enterprises are at a greater risk of data breaches, ransomware and new types of attacks. How should CIOs rethink security and what choices do they have? Let's find out. 

Hi, guys! This is your host, Ashish Jain and you're listening to the Alynment podcast, where we go beyond the buzzwords and connect the dots between technology and its business impact. 

Meet my guest for today's podcast, Nancy Wang, General Manager for Amazon's Data Protection and Governance where she oversees P&L, product, engineering, and design. Before AWS, Nancy worked at Rubrik as a Head of cloud SaaS products, as well as Google and Deloitte. Nancy is also the co-founder of Advancing Women in Tech, an organization that trains and coaches women to be leaders in tech. The organization has grown to over 16,000 members in only five years. 

Briefly, she has extensive experience in the data security field and brings unique perspectives to the new technology adoption. 

In our discussion today, we will uncover a few things, such as: 

·       The changing landscape of cloud and edge and how it impacts data security

·       Will 5G add a new dynamic to cloud and security? 

·       How has data security changed over the years? 

·       How should CIOs of wireless-first enterprise think about security? And last but not the least,

·       The growing role of women in technology leadership roles. 

So, let me welcome Nancy Wang. 

Nancy, thanks for joining me today.

 

[0:01:50] Nancy Wang:          Thank you so much, Ashish for having me here.

 

[0:01:52] Ashish Jain:             Great. So, you've been involved in this field of data security and I'm really intrigued by your initiative around women in tech. So, can you give us a little bit of a background, your background as well as on this organization, Advancing Women in Tech?

 

[0:02:09] Nancy Wang:          Yeah, absolutely. So, you know, my background has always been actually had a strong data undertone, and I'll explain why. So, out of undergrad and I went to the University of Pennsylvania School of Engineering, I joined the U.S. Government. And so, for a period I worked for the U.S. Department of Health and Human Services and I was part of the early team that built HealthData.gov. And so, if you go online, just check out HealthData.gov. It's a vast resource of just datasets. Right? So, datasets about access to healthcare around healthcare insurance, around infection rates, what you have it. And it's really a treasure trove of data that's gathered across all of the divisions in HHS. And so, if you think about what's contained within this health umbrella, there's centers of Medicaid, Medicare, CMS. There's also FDA (Food and Drug Administration), CDC (Centers for Disease Control) for example and so many more. And so, if you imagine just the type of research that you can do with these public datasets, that's HealthData.gov in a nutshell. And of course, there, I had the wonderful opportunity to work with healthcare innovators such as Todd Park who founded Athenahealth among other healthcare companies. So, that was really my first role that brought me into just what data could achieve when you for example aggregate it across different sources and also provide a scalable, let's say way for the general public or researchers to be able to query and derive insights from that data. 

And so, from there, my career also along took the lines for example, bring talent tier to large government agencies starting with three letter words, which I will redact for the case of this podcast. But from there, I also went to working at Google and working on the team that was responsible for deploying Google Fiber in various metros and cities across the country. Again, for the purpose of bringing data, bringing information to the hands of more consumers. And that's a big part of again, Google's mission to bridge that digital divide that we see across neighborhoods and communities of varying socioeconomic levels. Right? 

And then so from there, couple startups as you mentioned. Rubrik, which really is a pioneer in the data security, you know, data protection space all the way to today where I run the data protection businesses for Amazon Web Services, one of the obviously cloud providers that's doing a lot of innovations and thought leadership in this space.

 

[0:05:03] Ashish Jain:             That's an amazing ride. And how did you come up with the Advancing Women in tech? What's your driver and motivation for that?

 

[0:05:10] Nancy Wang:          Absolutely. So, if you look around, right, and this is I would say, you know, phenomenon endemic to the tech industry as whole, as a woman and especially a woman of color, there's just so many meetings and leadership reviews where I am the only in the room, right? Whether it's the only woman, only woman of color, you name it. There's too many occurrences for me to really count and give you a number how many times it's happened. 

And so, as someone who's really had to trailblaze a path for myself and now for others on my team who are going on the same path, I want the path to be easier. That’s really it, right, in a nutshell. I want to have an impact in accelerating and advancing more women and also women of color into leadership roles where they can be in influential positions like mine, where they can influence hiring, influence promotions, influence raises and what have you. But in order for someone to be in that position where they can influence, they need to be in a position of leadership. 

And so, what does that mean is leadership comes from a variety of things. Of course, as a wise man once said, “Success is opportunity and hard work.” Right? So, on the hard work side, there are so many skills that they don't teach you in business school or they don't teach you in undergrad that are a fundamental sort of playbook or guide to becoming a leader. And so, we focus our workshops on leadership skills, such as how to influence global teams, how to hire global teams, how to handle acquisitions. And those are topics and experiences that frankly one learns on the job or is really a pass down knowledge. And so, for us to make this knowledge more accessible to for example, women in mid careers and focusing on that cohort to advance them to senior leadership levels, that's where we're seeing a lot of impact. Right? And we have hundreds of women in our community running back to us, giving us testimonials online through various channels of how they were able to get a promotion or how they were able to for example, find a more senior role as a function of going through our workshops and skill-based courses, which you can also find on Coursera. So, if you type in www.coursera.org/AWIT, you can find all of our course offerings there. 

And for those of you who are interested in continuing learning education or college credits, those courses were also recently passed by the American Council on Education for qualifying for six college credits and at the rate of Coursera, that's in my opinion again, making quality content and education very accessible to the hands of those who need it. 

And of course, our second pillar of going back to success is hard work and opportunity is connecting members of our community to senior leaders who can provide them with opportunity. And those come in the form of executive mentors or sponsors who are willing to, for example, sponsor these highly intelligent, highly talented women into leadership roles, whether it's in their own team that they can hire for or as senior people also have other senior people they know connect them to opportunities in their network.

 

[0:08:45] Ashish Jain:             Very nice, wow. Well, you and I need to talk more about this because one of the topics I'm very passionate about is this concept of misalignment. And I know this is different from our podcast topic today, so I'm going to stay away from a lot of details. But one area I always feel like, you know, in leadership that lacks is this mindset of alignment across different organization, within the organization and outside and inside the organization. So then, and leadership comes to me according, you know, a lot has to do with making sure everybody's aligned. I've seen marketing organizations, sales organizations, senior leadership struggle to really make an impact because a lot of assumptions are made and a lot of perspectives are completely different than what is actually need to be done. So, definitely a topic very close to my heart as well and I'm sure I would love to take your perspective separately on this topic. But coming back to data and more importantly, data security, you've seen the evolution of data, how it has emerged from very low, I mean not availability of data as much to tsunami of data now available from all sorts of devices and applications. What is your take on how the data is evolved and accordingly how the data protection mechanisms or measures have changed to accordingly as well?

 

[0:10:20] Nancy Wang:          Yeah, absolutely. So, when we think about data today, it's really exploded and that's why I mentioned recently in another interview, one of the interesting trends I see is actually data as a first party construct and the security of that data. So, previously, in the data center, we saw really data being protected if you protected the network and compute and the storage, whereas in the cloud, that is all very much decoupled at this point. And so, when you have that decoupling, you want to make sure that your data itself is secure. And how do you start with that is actually by being able to know where that data actually lies. So, going back to again, what's really exciting in this world today is the concept of data security posture management where really traditionally there was cloud security posture management where it was sufficient to know, ‘Okay. Here are my cloud resources. Make sure they're secure.’ Today, with this data sprawl of not just human data but in your world from 5G and devices, there's also so much device data, system data. Right? And of course, all of this data that's being used to train machine learning models, all of that needs to be secured. And so, the first step is data visibility, knowing where your data actually is. But then also being able to classify and evaluate data for risk. And there's many companies now in the data security posture management space that purport to do just that.

 

[0:11:59] Ashish Jain:             Okay. So, you mentioned 5G and devices. IoT devices are generally perceived to lack security. I'm not sure how much that is true. But definitely there is some truth to that and with massive connected devices, deployment even projected to quadruple and even more like billions and billions of devices over 5G networks, it will likely worsen the situation. What's your thought on it? I mean, how are the data centers or the edge or cloud gearing itself into that level of data coming in to these types of infrastructures and protecting it?

 

[0:12:43] Nancy Wang:          Yeah, of course. So, in my role, oftentimes, I have my risk and compliance hat on and this is a question that it comes up very often in conversations that I have with chief security officers or chief information security officers, or CSO community. And where oftentimes my world intersects with the 5G and edge world is around increased attack surfaces because when you have billions of more connected devices, 5G makes it possible for larger and frankly more dangerous attacks. Right? So, the current and future vulnerabilities of existing internet infrastructure only get worse. Right? So, for example, you hear about sophisticated botnets, different varying levels of privacy violations and even faster data extraction can escalate with 5G. And so, that's where for example, CSO will reach out to myself or my team to understand what are the protection policies. What are the, for example, protection perimeters that they can apply around their data, around their networks to make it more secure, not just for data at rest, but also for data in transit as well.

 

[0:13:59] Ashish Jain:             Great. So, are you seeing any impact? I know Amazon launched their own private 5G network. I'm sure you have played a role in ensuring the data protection aspect of you're connecting to millions. I mean, Amazon is already connecting to a lot of enterprises. So, there's already that infrastructure I assume for data protection in that. But in general, do you see the emergence of this new concept of private cellular for an enterprise will have an impact on how the cloud security or the edge security has traditionally been designed? Would it require a rethinking or is it already designed in a way that is sufficient to address the emerging needs of enterprises from security standpoint?

 

[0:14:49] Nancy Wang:          Yeah. I mean, I do see some pretty fundamental shifts in the sense that so of course, without going into private information, of course. For example, given the mission of my team is protect data wherever AWS customers might have that data, whether it's in the cloud, whether it's in their on-premises, hybrid clouds or it's at the edge, we want to make sure that we're there to protect it. And so, if you think about the way that let's say different AWS services, foundational services such as EC2 or S3 and the different form factors they can take on, for example, edge spots, for example, like Outposts or Local Zones, that difference in infrastructure will also then play downstream to how we protect that different form factor. So, I'll stop there and that for example is a more tactical difference that we have to consider when we're protecting data that can take a different form on the edge.

 

[0:15:53] Ashish Jain:             Great. So, whether it's for 5G or not, but you speak with a lot of executives, enterprise CIOs or chief security officers of different organizations, what do you see are their top concerns or challenges in terms of digitalization? And the Covid has really accelerated a lot of digital initiatives, what kind of concerns do you hear from them?

 

[0:16:20] Nancy Wang:          Yeah. So, I mean, concerns, a lot of open source. We see also a corresponding resurgence in open source security companies for example, and that's where now that much of code is actually reliant on open source libraries and so on and so forth. It becomes more important to understand what exactly is your code base calling other code bases, right? We saw this with the industry-wide Log4j impact. It’s really around how can we make, for example, not just devices more secure, but actually our code more secure? And that goes into the topic of increased supply chain and software vulnerabilities that can exist with 5G. Right? Because currently, and also for the foreseeable future, 5G supply chains are inherently limited. And so, those vulnerabilities exist and especially as we see different devices being rushed to the market, it increases the possibility for faulty and also insecure components. And so, being that 5G is more reliant on software itself, it also increases the risk of exploitation of the overall network infrastructure. And so, that's another trend that I see specifically I think to 5G. And then taking a step back to your question on overall digitalization, if we host more data in the cloud, in other places, it just increases the need to make sure that that data is always protected both for compliance, risk purposes and there's a whole slew of for example to SEC 17-A regulations that I often discuss with customers but there can also be privacy concerns, privacy data sovereignty concerns of where is this data going? How is this data being used? And is the PI that's contained in this data also being protected?

 

[0:18:19] Ashish Jain:             Interesting. And I'm sure every country is taking its own stands, Europe being on more on GDPR and many other places are following. You talked about data privacy concerns as well. So, are we ever going to be in a position where it will standardize those efforts across different countries? So, there is some unanimous voice on how data sovereignty, data privacy laws will be implemented or we will continue to have different laws, different countries?

 

[0:18:52] Nancy Wang:          I think on the privacy side, we are already seeing, for example, GDPR being used as a model across different countries and frankly even states, right? If you look at how California treats privacy versus Arizona versus New York is very much modeled after a certain template and that template currently being GDPR. Now, what I can speak to from personal experience is working closely with a regulatory data security body actually out of the UK. It's called the C-M-O-R-G, CMORG. It stands for Cross Market, I believe it's Operational or Organizational Resiliency Group, but essentially the charter of that group is working across the largest financial services institutions in the UK and across Europe on helping those institutions secure and protect their data. So, without of course going into private information, what my team did with that group was actually go in and design a reference architecture using AWS services that could help these financial services institutions across the board be able to architect and make sure that their data was immutable, make sure that their data was retained for a certain number of years that is required by that industry. And I'm very proud to say that the work that we did with CMORG is actually not only being implemented across financial services institutions. So, to your point across different geo boundaries across different corporate boundaries but also adopted by other cloud service providers. Right? So, the ability to not just influence customers en masse but also being requested by customers to be implemented in other cloud service providers. Well, that's very exciting and that's frankly what I love about my job is that there's so much green field opportunity that one can go in and really help define what does data security and overall security mean in a very fast evolving cloud environment.

 

[0:20:57] Ashish Jain:             Interesting. Now, I also always wondered about this in terms of data. I mean, when we talk about data security, we treat data as like all data is same. I'm sure that it's not always true. I'm sure there are a lot of granularities and how we view data especially with connected applications. I mean, I keep going back to 5G but there are broadband applications as well. In terms of the kind of applications that are becoming connected, which were never before. I mean, they were residing mostly within the local environment, LAN environments but they're now all emerging to go to the cloud. There's this resurgence of everything pushing to the cloud and then I call it a boomerang effect of first everything was going to the cloud now because of performance reasons and whatnot, things are coming to edge. But regardless, I mean, there are wide variety of applications that are coming into the connected space, whether it's mission critical applications, likes of healthcare, you were talking about earlier robotic surgeries. We are talking about somebody supporting people remotely or video surveillance cameras that are all--I mean, they're all data. They’re all generating data at the end of the day. And there's data also from perspective of very, you know, time sensitive data, which is we're talking about autonomous vehicles on the road. How does that create new challenges? Because they’re not just we're protecting data but it's very time sensitive data. Does that add any new dynamics to the security in terms of time sensitivity and mission critical aspects of this type of data?

 

[0:22:45] Nancy Wang:          Absolutely. I mean, especially if you have mission critical data and time sensitivity, you need the ability to make that data resilient and certainly there's a whole working group around data resiliency here at AWS that uses different AWS, for example, AZ technologies or for example failover technologies to make sure that that data is really resilient and available when you need it. There are other technologies and let's just say broadly that, you know, I'm working on that, for example will help customers when their, let's say, AWS account gets compromised or when they are the subject of a breach or attack. And so, I think with what you were saying about 5G networks creating more network traffic to manage, I think without a robust wide area network or WAN security solution like Secure Access Service Edge, SASE in place, a lot of companies are telling me that they're not able to gain the network traffic visibility that's required to identify these abnormalities or potential attacks. And that's where oftentimes my team will get involved to make sure that well, once that happens, how are you able to recover your mission critical data? How are you able to recover entire applications across your entire organization?

 

[0:24:09] Ashish Jain:             Interesting. I mean, one simple example I always use is in time sensitive networks, the attack would be as simple as introducing latency. You don't have to do anything else. I mean, at the end of the day, breaches, attacks are trying to disrupt an existing operation monetarily or just being notoriously. And if I need to disrupt an existing network, which is time sensitive as a hacker, one simple way they may be thinking about is just introduce latency in the network somehow, which is possible. Does that fall under data security or those are more network security aspects?

 

[0:24:51] Nancy Wang:          I would say it's really a balance. Latency, I would say falls probably more within the network security side of the house whereas in my opinion, data security often talks about data at rest. Although there are different companies and movement around making sure that data is secure while it's in transit. And so, that part of data security could very much tie into the concept around latency that you're mentioning.

 

[0:25:23] Ashish Jain:             Interesting. You mentioned something very interesting earlier when you were talking about data centers are mostly focused on security around network security, cloud security, computer security, but the new posture around data security. I mean, there are four different dimensions now, right? We're talking about network, compute, storage and then data itself. How will they ever align in terms of understanding a holistic perspective of what is really happening on an application perspective, not an individual subset of individual elements of, ‘Okay. Am I protecting my network correctly? Am I protecting my storage that nobody is able to access it?’ But from an application standpoint, any of these four could be compromised, and one compromise could affect another element, another dimension. How do these four things come together in ensuring a holistic security?

 

[0:26:21] Nancy Wang:          Yeah, absolutely. So, again, thank you for kind of wording what is one of my most important tenets around protecting the data itself because as I mentioned, security really evolved in the data center. In the data center, a lot of the Fortune 500 customers that I speak with, they're really focused on protecting two things: the network and the compute. Right? And this was sufficient because compute and data were coupled. So, if you protected compute such as for example, EDR or workload protection, your data was also safe. But fast forward to the cloud, this decoupling is in fact what customers like about the cloud. And so, in what I'm seeing sort of evolved both from security startups that I work with quite often as well as advise in addition to my role with AWS is that next wave of protection and frankly billions of dollars of business opportunity will come from a strong collaboration between data itself and also security. So, that's where you see again this emergence or wave. I'm sure Gartner is capitalizing on it is a DSPM or Data Security Posture Management, which is actually protecting data as a first party construct of knowing where the data is, classifying that data as mission critical or not mission critical, making sure that you are setting for example the right IAM policies, the right access policies to make sure that data is always protected.

 

[0:27:53] Ashish Jain:             Great. I mean, there's a lot of great evolution happening in this space and will be worth watching anything. To wrap it up, Nancy in terms of any word of wisdom and guidelines or guidance you would give to the CIOs in terms of how they should think about security going forward.

 

[0:28:14] Nancy Wang:          Yeah. I would say thinking about--well, actually, I’ll end this note, which is something I'm really passionate about is fostering the next generation of security startups. And if you look at the past event that I hosted during AWS re:Inforce, which is our annual security compliance conference and I'll be doing something similar at AWS re:Invent coming up here in just a few weeks is around introducing CISOs to more early stage security startups. And the reason for that, yes, oftentimes when you think security and compliance, you may not automatically head towards the direction of early-stage startups. But with that said, that's where a lot of innovation can happen. And the role of the CISO or the CIO to be able to guide these companies in producing the best in class, as I mentioned, data in rest, data in motion, protection, solutions is super important. And that's where a lot of the startups will come to AWS. And oftentimes, the question I get is well, if we work with AWS, won't you guys just for example produce a managed solution or a managed version of what we're building? And the answer is no, because the ecosystem is frankly large enough for both AWS as well as startups to coexist. And with AWS focusing on the undifferentiated heavy lifting of creating best in class storage or compute platforms or network platforms, that's where the opportunity for startups to build, you know, value added work flows on top of AWS really could result in a 1+1=3 paradigm. So, that's where I really see the CISO plus the startups that I work with plus AWS creating something better together. 

 

[0:30:08] Ashish Jain:             Very nice. Very well said. I think innovation happens in the startup land. That's always true and definitely the security executives need to get exposure to that. Very well said. Very well. Well, I think we are coming towards an end, Nancy here and I really appreciate your time and your insights on this very complex topic. Thank you very much. 

 

[0:30:31] Nancy Wang:          Thanks so much for having me, Ashish.

 

[0:30:40] Ashish Jain:             Great talk, Nancy. Your insights on data centric security solutions and posture management will undoubtedly help enterprise leaders better understand how to protect their information and digital applications. It's definitely important for chief information security officers to connect with new security startups to drive innovation. 

Thanks again for your time and all the work you're doing to advance women in tech. Thanks everyone for listening. Please subscribe to the Alynment podcast on your favorite platform. It's A-L-Y-N-M-E-N-T. We hope you will continue the conversation by asking questions and sharing your thoughts on 5G data security concerns. Feel free to reach out to me at ashish.jain@kairospulse.com or drop me a note on my LinkedIn. Until next time, enjoy reading and listening to our insights and perspectives on privatelteand5g.com.