Interview with Integris COO: Do you know where your data is?
Drew Schuil, President and Chief Operating Officer of Integris Software – Partner interview of the month
The U.S.-based company is a leader in data privacy automation. Integris software is used to precisely analyze and categorize (sensitive) data in the company-wide IT landscape in terms of storage location, use and protection. As a result, data can be used more effectively and protected in accordance with compliance requirements.
ITSDONE: Mr. Schuil, you are President and Chief Operating Officer at Integris. What are your responsibilities at Integris and to what extent are you helping to improve your clients’ business? When did you start working for Integris?
DREW SCHUIL: My journey at Integris Software began just over one year ago after spending almost the last 20 years in the Information Security space. Prior to Integris I spent 11 years at Imperva, a data-centric audit and protection software firm, meeting with companies and speaking at industry events in 43 total countries. International exposure to privacy sentiment such as GDPR led me to data privacy innovator Integris just as regulations like the California Consumer Privacy Act (CCPA) began driving heightened privacy awareness in the US as well. My responsibilities at Integris are to lead the Product, Sales, and Marketing teams.
ITSDONE: Can you briefly describe the USP of Integris? What are the cornerstones of the Integris Software?
DREW SCHUIL: Integris Software addresses the missing link in the data privacy workflow – accurate discovery of sensitive data at scale and the ability to map data to people.
The objective is to answer three simple questions:
- Where is my company’s sensitive data?
- What sensitive data does the company have?
- How does this sensitive data tie back to business handling obligations and risk?
Answering these questions across hundreds or thousands of data repositories is easier said than done.
Data governance is certainly not a new topic. But there’s nothing like regulation to get everyone focused on it again and to inspire innovative new approaches to be developed. GDPR up until now has mainly consisted of corporate legal teams defining privacy policies, practices, and workflows. The next phase of maturity will be technology-enabled data privacy, data governance, and data protection – the emphasis will be on solving the big data problem with technology. For example, companies are now looking to automate and scale previously manual, best-effort data governance workflows with discovery tools to inventory and control sensitive data – and respond to data subject requests (DSRs) in the thousands.
IT and Data Infrastructure teams are being overwhelmed with filling out surveys and data inventory spreadsheets. The responses are a best guess as to what data is where and the interpretation of what is considered PII (Personally Identifiable Information). On top of that, the data environment is changing constantly, with third-party data streaming into data lakes all the time, for example.
Integris Software lives in the customer’s secure data center or virtual private cloud (i.e., not SaaS cloud) and scans all different types of data repositories from databases to data lakes to file shares. Policies and orchestration to other systems can be triggered based on what data Integris discovers and the associated risk factors. Integris becomes the company’s source of truth for sensitive data and PII.
ITSDONE: Mrs. Bergman, the founder of Integris, started the company in 2016 after news regarding Edward Snowden and his revelations about the abundant collection and the misuse of data first came up.
In your opinion, how far has the situation changed since the introduction of GDPR? How much has the awareness (of companies) changed as far as data privacy is concerned? Which risks and challenges arise for businesses from not taking data privacy seriously?
DREW SCHUIL: The general public’s awareness of what data companies (and governments) collect and the potential misuse of data has accelerated tremendously in the last few years thanks to folks like Edward Snowden and situations like Cambridge Analytica. We are also starting to see companies like Apple and Microsoft use their data privacy stance as a brand differentiator. For example, Microsoft recently said it’s giving all consumers the same data rights as California residents under the California Consumer Privacy Act (CCPA). This is great marketing, but really, it’s just as easy to put the same controls in place across their entire database as segmenting California customers. Many large organizations are using GDPR and CCPA as the regulatory high-water mark and use it to comply with less stringent regulations.
There are hundreds of GDPR fines in the works for companies that haven’t done anything to protect sensitive data. Businesses need to know where their personal data is, who is accessing it and how they are using or sharing it. Those who can’t answer these simple questions will likely be found negligent and face the largest fines.
ITSDONE: Integris defines itself as a global leader in data privacy automation and states that the world’s leading organizations trust the Integris Software. In Austria – where ITSDONE and Integris just started to cooperate – the average company size is much smaller than in your home market, the U.S. Do you choose new clients based on criteria like company size, industry sectors or other criteria? Please describe your ideal customer.
DREW SCHUIL: Great question. Generally speaking, the larger and older the company, the more of a data problem they have. Data is all over the place, in databases, file shares, data lakes, cloud systems, etc. Often the process of data collection pre-dates regulations like GDPR. Following industry standard frameworks like NIST, the first step to protecting the data and adhering to privacy standards is identifying the data. Companies typically try to do this manually at first, perhaps with a giant spreadsheet or a survey intake tool.
Integris is a good fit when they outgrow or feel resource constraints using the manual approach. An influx of hundreds or thousands of Data Subject Requests (DSRs), which are a right granted under GDPR, is a typical breaking point for the back-end data and infrastructure teams supporting the DSR fulfillment process. Consortium groups submitting DSRs on behalf of thousands or millions of people is really where a resource denial-of-service can happen. This can affect companies large and small.
ITSDONE: Can prospective clients somehow test your services?
DREW SCHUIL: Yes, we offer an Integris Test Drive proof of concept environment where prospective clients can kick the tires on how Integris works in a pre-populated environment loaded with different data sets and data source types. This saves time and enables companies to quickly determine solution fit before engaging in a more resource intensive POC with their own data set.
ITSDONE: You have held various key leader positions in various software companies and are a proven expert in data privacy. Can you explain to us, what “data mapping” is exactly, the advantages it brings, and which steps companies have to take to guarantee cutting edge data protection?
DREW SCHUIL: There are quite a few industry terms out there, including data mapping, data inventory, data discovery & classification, data governance, data lineage, etc. Integris has launched a Data Privacy Dictionary to help standardize terms and provide a shorthand reference for all the “buzzword bingo”! You can also find technical definitions on our website; here is a little introduction:
Data Mapping Locates and Analyzes Data for Governance and Compliance
Data mapping is closely related to data inventory by helping organizations understand where data is located and its purpose (classification). For the purposes of this definition, data inventory is different than data mapping in that it provides further intelligence on risk, protection, and compliance.
Data mapping involves discovering, classifying, and understanding personal or sensitive data for privacy compliance. Companies need to identify all data sources for personal information, discover what personal information resides on these sources, and analyze how the data flows to and from the sources. Data mapping lays the foundation for recording processing activities and for data protection impact assessments. With the addition of information such as protection and user access, organizations can also determine the risk of personal data for privacy compliance. This enables them to take remediation actions such as masking, encryption, deletion, or strengthening of access controls.
What questions can data mapping answer?
- Where is personal data located? Understand the physical location and technology platform (i.e., Hadoop, SQL Server, file server).
- How should the data be classified? (Public, Private, Confidential)
- Where does the data flow to and from?
- What applications use the data?
What tools are used for data mapping?
Many tools are available that provide discovery and classification. But many of these tools were not designed for privacy; they lack capabilities for correlating identities across sensitive data and do not provide the intelligence needed for compliance readiness. However, new purpose-built tools for privacy have emerged over the last few years. For example, Integris provides data discovery and classification, subject registry, lineage, and risk reduction of personal data. These capabilities provide privacy professionals the intelligence they need to understand the personal data landscape, its risk and undertake the most effective remediation.
ITSDONE: You claim that unlocking data fuels innovation, can you give an actual example (from a real client situation) where innovation got fostered by doing so?
DREW SCHUIL: That’s right, the initial reaction to privacy regulation can sometimes be to lock down the data which ultimately penalizes innovation. One example is a large bank with a data science team that is using a data lake to perform analytics. The data lake has been “de-identified” meaning that customer names have been removed. The reason is for data analysts to be able to work quickly and without restriction to perform their jobs.
However, 3rd party data streaming into the data lake sometimes includes customer names and what they call “toxic combinations” of data. Combinations of data can be used to re-identify people, for example with just three attributes – Gender + Date of Birth + Address Code – 87% of the US population can be re-identified.
So in this case, Integris inspects streaming data coming into the data lake as well as regular scans of the data lake itself to find PII data that is not supposed to be there. Integris kicks off an event to remediate the data so that the data analysts can continue doing their jobs without undue access control burdens, thereby fueling innovation and efficiency.
ITSDONE: Last but not least, a general question: Which big topics will dominate IT Media this year? Any trends that you classify relevant for Integris?
DREW SCHUIL: One topic that is already trending in IT Media is whether GDPR will be a paper tiger. There were a few high-profile fines announced in 2019 and the world is watching how GDPR will be enforced in 2020. Privacy regulators around the globe are following the precedent set by GDPR.
ITSDONE: Thank you very much for your detailed insights, Mr. Schuil!
Credits: Photos and infographics by Integris
As a system integrator and reseller, ITSDONE is now the first point of contact in the German-speaking countries, so that you can use your data securely and without restriction. Since October 2019 we have been the exclusive partner of Integris Software in Austria, Germany and Switzerland.