In part two of my interview with Varonis CFO & COO Guy Melamed, we get into the specifics with data breaches, breach notification and the stock price. What’s clear from our conversation is that you can no longer ignore the risks of a potential breach. There are many ways you can reduce risk. However, if you choose not to take action, minimally, at least have a conversation about it. Also, around 5:11, I asked a question about IT pros who might need some help getting budget. There’s a story that might help.
So we've seen companies that have gone out of business because of breaches. We've seen companies that will have to deal with litigation for years ahead. So where's that factored in? There's just so many components. It's more of a philosophy that if you can do something active to try and minimize risk, then why not do it?
I think companies, more from a philosophical perspective, should try and actively take action in order to minimize risk. And companies that are under the belief that it won't affect them and that they're going to be okay, I think, are acting slightly irresponsibly.
So a company would obviously rather try and identify breaches as soon as possible, so they can take action, minimize some of the cost and be transparent with both the customers, the investors, and the shareholders.
GDPR definitely changes the reporting requirement, and if you're breached, you have to provide that information within 72 hours. That's a short period of time, and in order to be able to comply with that regulation, and in order to have better tracking, you really have to have systems, programs, personnel in place to try to identify this.
And the fines that come from GDPR, I'm talking about, you know, some of the requirements and some of the fines related to those requirements, are 4% of global revenue or $25 million, whichever is greater. That's a huge number that could affect companies in so many ways, definitely something that, from our perspective, is causing a lot of interest and a lot of discussion, and companies are not ignoring the regulation because of its significance.
There are so many other components that thinking you can be okay just by paying the fine after being breached is definitely not the action that I would like to take as the company's CFO. I would definitely try and act in a way that would minimize the risk, long term and short term.
And during a discussion, he was asked, "What is the best way to get budget, in order to get the Varonis product or any other product for that matter that can protect the company in the long term?"
And his response was, "Make sure the risk assessment, the evaluation and whatever you're doing in that demo is done on the finance documents. If the finance personnel, if the CFO can see how many people have access to the financial statements or any other sensitive information within his folders or her folders and have access to information they shouldn't have access to, you'll find the budget, they'll find the budget."
So that's definitely something that I could relate to, because if I would see risk on files that I know team members shouldn't have access to, we could move things around within the budget to have something purchased that wasn't necessarily budgeted initially, when I can quantify the risk in my mind.
And people could live with the risk. I don't think people, after all the breaches that have taken place and the amount of risk that companies are dealing with, can ignore it anymore. I think they have to take measures, think about it, or at least have a discussion. If they decide that they want to live with the risk, it should definitely be done after discussion with the legal department, the HR department, the CEO, the CFO, the CISO. If all parties agree that the risk is not worth taking any action on, then at least you had a conversation.
But if it's decided by one person within the organization and it's not shared between the different departments, between the different roles that would eventually be responsible, then I think that's just not good practice.