
Interview: David Kidd, Vice President of Governance, Risk and Compliance at Peak 10

May 22, 2015 by Infosec

David Kidd joined the Peak 10 management team in 2000 and has more than 20 years of management experience in information technology. Mr. Kidd oversees Peak 10’s legal affairs, risk management, and regulatory compliance activities including quality assurance, data center commissioning, business continuity planning and related activities.

Kidd previously served as president of the 7×24 Exchange of the Carolinas and has received professional training and certification through his involvement with the Disaster Recovery Institute International (DRII) and the Information Systems Audit and Control Association (ISACA).

Prior to joining Peak 10, Kidd served in the management team of several entrepreneurial, high-growth ventures in software development, banking, and telecommunications.

Kidd holds a B.A. degree in Business Economics from Wofford College where he was recognized as a Wofford Scholar.

1. As the vice president of governance risk and compliance at Peak 10, you are responsible for your company’s legal affairs, risk management and regulatory compliance efforts. What exactly does this entail?

Governance, risk management and compliance are all distinct but related activities that help protect our organization and our clients. From a risk management perspective, I look at our operations and business activities and think of the potential impact those activities could have on the company’s future if unfavorable events occur. We manage those risks by putting measures in place to prevent, minimize or respond to those unfavorable events. Compliance with industry standards and regulatory requirements helps align Peak 10’s operations with those of our customers, particularly those in specific industry segments with mature frameworks governing their operations. For example, clinical trials organizations (CROs) in the biotechnology industry, healthcare providers regulated under HIPAA, financial institutions, and businesses that serve government agencies are focused on maintaining a strong compliance program. As a trusted advisor, we help enable the success of those organizations by making sure that the services Peak 10 provides are consistent with their compliance requirements, company philosophies and bottom lines.

From a legal affairs perspective, I work with our general counsel and others to make sure that our operations and legal agreements are well structured to effectively and securely meet our needs and the needs of our clients.

2. Assuming that there is no typical workday, what sorts of activities might you be tasked with performing over the course of any given day?

Each day brings with it a new, unique challenge to solve or project to complete, and I’ve really come to appreciate the intricacies and variances of my work. For example, one day I may be asked to help one of our project managers as they develop a solution for a client with complex compliance needs, while the next, I might sit down with our security and compliance analyst to review plans to assess our service delivery systems or provide guidance to Peak 10’s general counsel for a unique client agreement.

Outside of that, I also make it a priority to travel to each of Peak 10’s ten data center markets and speak to local groups and organizations about information security and regulatory compliance. One thing you adjust to in the security and regulatory industry is change. Oftentimes I start the morning with grand plans for a specific project, only to temporarily set them aside to assist customers or colleagues with immediate needs of the day. Some of the best days are when I have the opportunity to work directly with a client that is facing a new challenge. During that initial meeting, sometimes I can tell in their voice that they are overwhelmed or uncertain of next steps, so I get on a call with them or we sit down together in one of our customer offices and we talk through their concerns and expectations. Many times, I hear them say, “Wow! That’s not as hard as I thought it was going to be,” and I love hearing that! When I can take something that seemed complex and overwhelming and show them a way forward, it really makes my day and my career that much more rewarding.

3. How have things changed on the regulatory compliance, legal affairs and risk management fronts over the two decades you’ve been at Peak 10?

Regulatory compliance and risk management were barely on the radar for most IT managers when I first started at Peak 10. It’s sometimes hard to grasp how quickly things change. You have to remember, this was back before continuous news cycles, smart phone apps collecting personal data and social media, so the landscape was much more confined. But, today, the technology industry continues to rapidly evolve and there are definitely challenges. With the onslaught of data security breaches at Target, Home Depot, Sony, Anthem, and others, we’re seeing increased security pressures and greater demands for expanded compliance and security programs in the information technology industry.

As the industry continues to innovate, customers are calling for more automated services and we’re seeing more data and a bigger migration to mobile technology, both professional and personal. That’s concerning from a regulatory and security standpoint because that’s an additional platform to incorporate into a business’s security strategy. As information becomes more accessible it’s also harder to monitor and regulate. Employees now have access to work email on their personal phones and tablets, so regulations and security standards must be adapted to fit new technologies. Who owns this data, how can companies ensure work data is not merged with personal data or shared with others on synced devices? What are the consequences? These are all questions that we didn’t need to consider years ago, but are increasingly important for data security and privacy today.

The reality is that everything is moving into an online and digital arena – ubiquitous computing, if you will, and the growing mobile workforce brings its own unique set of security challenges. While mobile technology is a boon to productivity, it also introduces a new threat vector. Cloud based applications, unencrypted USB drives, laptops, smartphones and other devices are an increasing threat to information security. In the hands of careless or malicious employees, every device that accesses the network or stores data is a potential risk to intellectual property or sensitive data.

4. Are there issues in those areas that, while perhaps not on the radar right now, could be major things to contend with in the near future?

I think people are starting to recognize that information security and data protection are not just IT responsibilities; they start internally with employees and span all disciplines and management levels. Like most things in life, what matters most is people. While technology is a powerful tool, we sometimes forget that there are people behind the processes and technologies, and it’s critical to select and screen employees carefully, train them about information security and give them the tools they need. By encrypting data, implementing employee security training and limiting access to critical data, corporations can very easily and proactively mitigate the risk of a data breach.

Tied to cybersecurity is the increasing need for experts in this field. In fact, ESG reports 30 percent of organizations have a problematic shortage of data security skills. So we’re definitely seeing an increased need for cybersecurity at the small-to-medium-sized business level but the rate of awareness and action has been slow. Leading in security and compliance, Peak 10 has worked hard to establish and maintain leadership through a strong compliance program for our customers. In the past, few would have thought companies would need specified security and compliance experts, but here I am, and I’m increasingly finding, I’m not alone.

5. What are some of the negative consequences that can arise if companies are negligent when it comes to legal affairs, regulatory compliance and risk management?

I think the evidence from recent data breaches is testament to the need for proactive legal affairs, security measures and risk management. Failure to update security controls and maintain compliance carries concrete consequences, including fines and security breaches, which can impact customer growth, reputation and the bottom line. One of the biggest areas where we see negligence is with risk management. We all know data backup and disaster recovery solutions are important; it’s something we talk about, but it needs to be something we do.

The rate of data production has raced beyond the ability and resources of many organizations to store and manage it effectively themselves. As a company’s digital footprint expands, so do exposure risks to downtime and outages, as well as the time it takes to recover systems. Data stored in the cloud, even if at rest, still needs to be encrypted and effectively protected and managed. Cloud storage and backup strategies force organizations to reassess storage requirements, and to evaluate the relative values of data and applications to the business.

We often advise our customers to really consider what type of security measures they seek, and then we sit down and craft a unique solution that meets those needs. So much of the risk can be eliminated from the start if businesses are educated on the importance of data security and the available options. Security doesn’t have to be an overwhelming burden.

6. How do you stay on top of the changes and developments taking place in your field?

With the rapidly evolving technology landscape, the only way to stay abreast of industry trends and change is to regularly read the news and immerse yourself in your profession both in and out of the office. From a business-to-business and professional development perspective, LinkedIn is a platform that keeps me informed on partner and competitor news as well as connects me to other experts in the security and compliance field. It also helps to attend seminars or networking events that provide in-depth looks at current security and compliance regulations, laws and developments. Whenever I have time to attend a webinar or a lunch and learn session, I do. I know next month Peak 10 is hosting a webinar on disaster recovery with our partner, Zerto, on the importance of DR for continuous data protection and how compliance and flexibility issues can be achieved. Ongoing education is crucial, especially for those in the industry and I never turn down an opportunity to learn.

I also spend a lot of time talking with our customers and our channel partners. These are two great resources that we shouldn’t overlook. Data security is a two way street, and I’ve learned as much from our customers as they’ve learned from us. In fact, I was just on a call the other day with a client whose contract we are working through and we were talking about the increased attention on high-level security credentials and certifications in the healthcare industry. Peak 10 recently released a research report that revealed these same concerns. Healthcare professionals are so burdened by compliance regulations and security standards that it’s starting to affect the bottom line and customer service. Moving forward and as a service provider, we need to ensure we are doing our best to mitigate these risks and easing that burden as much as we can. It’s those varying perspectives that add to our tool kits and make up the whole security picture.

7. What hard and soft skills do you need to do your job effectively?

I have been fortunate enough to work in many different areas of business for many years. Some of the core skills I’ve developed over time include knowledge of business law, business continuity and network and cloud technology. There’s also the added focus on the regulatory world and expertise needed for the technology we manage, but the real key for me is what I call translating “English into English.” I work closely with a lot of technology experts, such as our network engineers, application developers, administrators, cloud architects, even mechanical and electrical engineers involved in the design and operation of data centers. When you’re dealing with technical terms, it can be difficult for those outside of the field, such as clients, to easily understand. Likewise, government regulators, industry standards experts, auditors, and legal professionals also have their own perspective and language. Much of my focus is on bridging the language and understanding gap between these two groups and the business leaders who depend upon them. This means that in order to effectively communicate between these groups, and find a common ground and solution that meets business, compliance and legal needs, I must be adept at speaking all languages, from the technical to the legal. These skills – patience, understanding and instruction, as well as an ability to build consensus and strong, foundational relationships – are critical and I’d argue, almost more important than the textbook knowledge I’ve acquired over the years.

8. What do you enjoy most about your job, and what do you enjoy least?

At Peak 10, we’re in the business of helping people. When we serve our customers, we’re really setting out to serve our customer’s customer as well. We build relationships at the local level throughout our ten markets and we maintain that trust by becoming more than a service provider, but also an advisor and partner. And for me, there’s no greater reward than helping others succeed. We understand our customers’ needs because we listen to them, we sit down face-to-face and ask them what their IT and business needs are, and then we craft a unique solution to meet those needs.

I wouldn’t say there’s any one particular thing I enjoy least about my position at Peak 10, but looking holistically at the industry, it’s oftentimes frustrating to see security and cloud technology come under attack. People have a tendency to let recent news headlines of breaches evoke feelings of misplaced distrust of a technology that, for the most part, does a very good job of protecting sensitive information. In fact, something people tend to overlook is that as our industry continues to innovate new cloud technologies, our information is oftentimes safer online than in our own hands.

I see new technology, regulatory and security challenges as opportunity, not misfortune. Crime and theft aren’t new. Assets have moved to the information realm, and criminal activity has just naturally moved into the cloud, because that’s where we live now. There are technology tools to protect us, now we just need to protect ourselves by educating employees and businesses on the proper ways to implement technology and ensure data is protected.

9. What role does corporate culture play in ensuring that there is buy-in from all levels of the company?

Company culture is everything. In order to successfully meet business goals, drive growth and meet customer demand, there has to be trust and teamwork from within all departments and across all levels. From the beginning, Peak 10 has been a company invested in the success of its customers and its employees. We’ve always been about the people and focusing on understanding people’s needs rather than just delivering a product. It’s part of our sales process, and our operational practices to ensure we exceed customer and employee expectation because that’s what’s going to differentiate us from other organizations – our authentic commitment to people.

We’re also a very grounded company. It’s not unusual to pass our chairman and CEO, David Jones, in the hallways of one of our 25 data centers. Dave is invested in this company and its people and it shows in our daily operations. Beyond our workplace walls, we like to get everyone out to celebrate at least a few times a year. In Charlotte, for example, every summer we host barbeques and family fun nights for our employees. When you’re dealing with complex data and IT technologies and spend most of your time inside of a data center or a cubicle, it’s always a nice change of scenery to spend time with the team outside of the office.

10. If a college or university student were to ask for your advice on how to eventually work in the field you presently work in, what would you say?

Be passionate and immersed in all aspects of the industry – from cybersecurity to cloud technology to compliance – and never stop learning. In my role, I sit at the intersection of the technology and regulatory side, and ensure all communications flow well between the two. That also means I am well versed in the IT and compliance landscape. There’s so much opportunity at students’ fingertips while in school with the availability of IT software, programs and presentations all at little to no outside cost. STEM education is growing and as I’ve learned, that knowledge can be applied across all industries and sectors. Technology helps solve real business problems. It matters.

Also, I’d say that if you can find a mentor or a role model within your field of interest, then just spend time talking to them, learning about the work they do, and the clients they serve. And ask a lot of questions. I think that’s my biggest piece of advice – don’t be afraid to ask questions. Even if they don’t seem directly applicable at the time, you never know when the information will come in use down the road. I think our education system is really good about involving students in the workforce early on through internships, job shadows and co-ops, but sometimes it’s the unexpected conversation or opportunity that makes the biggest difference. In the end, it’s about people, not just technology.
