Maurice Uenuma is VP & GM, Americas and a security strategist at Blancco, collaborating with an interdisciplinary team to deliver the world’s leading data erasure, IT asset disposition, and mobile lifecycle solutions to address privacy, security, and sustainability needs. Previously, Maurice was Vice President, Federal & Enterprise with Tripwire, supporting the federal government and large enterprises in the United States.
John Shegerian: Do you have a suggestion for a rockstar Impact Podcast guest? Go to Impactpodcast.com and just click be a guest to recommend someone today. This edition of the Impact Podcast is brought to you by ERI. ERI has a mission to protect people, the planet, and your privacy and is the largest fully integrated IT and electronics asset disposition provider and cybersecurity-focused hardware destruction company in the United States, and maybe even the world. For more information on how ERI can help your business properly dispose of outdated electronic hardware devices, please visit eridirect.com. This episode of the Impact Podcast is brought to you by Closed Loop Partners. Closed Loop Partners is a leading circular economy investor in the United States with an extensive network of Fortune 500 corporate investors, family offices, institutional investors, industry experts, and Impact Partners. Closed Loop’s platform spans the arc of capital from venture capital to private equity, bridging gaps, and fostering synergies to scale the circular economy. To find Closed Loop Partners please go to www.closedlooppartners.com.
John: Welcome to another edition of the Impact Podcast. I’m John Shegerian and I’m so honored to have with us today Maurice Uenuma. He’s the VP and GM of Americas, Blancco Technology Group. Welcome Maurice to the Impact Podcast.
Maurice Uenuma: Thank you, John. Great to be here.
John: It’s wonderful to have you, Maurice. Before we get talking about what you and your colleagues are doing at Blancco, I’d love you first to share a little bit about your background, where you grew up, how you got on this path and journey, and ended up where you are today.
Maurice: Yeah, sure happy to. So I grew up in two major places. One is California, Northern California, near a city called Auburn. That’s why I spent my teenage years and went to high school, but prior to that, I spent a decade in Japan. So the last name you just heard, folks, comes from Japan. My father is Japanese. A Japanese, Christian theologian is my father and my mother is an American medical doctor turned homemaker. So I grew up in a very sort of multicultural experience, very atypical, but was very fortunate to grow up in a loving family and well supported. Out of high school in Northern California, I attended the United States Naval Academy, always had an interest and passion in the military, leadership development and taking on challenges, and so forth.
And so I was fortunate to be accepted there, to attend there for four years, and then following graduation, I was commissioned as an officer in the Marine Corps. Served for nine years in a variety of infantry and Special Operations roles deployed around the world to a variety of different places. And so I was fortunate to be really part of an awesome culture and be surrounded by the best of the best among us. After doing that, I was at that point in my career where I either needed to stay in and make it a full career and take it to retirement or get out and transition to something else while still young enough to do so. I was right at that decision point, elected to get out, recently married. My daughter had just been born.
It’s also thinking about impact the family and so forth and ended up in the IT field, IT services more specifically, but over the last 15, 18 years have really not only been in the world of information technology and cyber, but really focus more and more on cybersecurity. That’s really my professional passion. And in fact, if you look across my professional endeavors and even personal activities, security has always been a dominant theme.
John: And first, I just want to say thank you for your service to our great country. Thank you so much. Thank you.
Maurice: I appreciate it. You’re welcome and thank you.
John: Security, well, you certainly picked a profession that has huge growth winds at its back. I don’t know if it did when you actually chose to go into it, but for sure now cyber security is one of the fastest growing industries around the world for some of the obvious and less obvious reasons which we’re going to get into. Talk a little bit about Blancco for our listeners and viewers who have never heard about Blancco and just truth in advertising, Blancco’s a partner of ours of ERI. We use your great services. Love your great services, are supported really well, our clients are supported really well. So Blancco is technology that I’m quite familiar with but for our listeners and viewers who have never heard of Blancco before, which is Blancco.com, can you share a little bit about what Blancco is, where it was founded, and what is Blancco’s macro mission.
Maurice: Certainly, I’m happy to. So Blancco is a, and we would say the leading provider of software and services related to the sanitization of data wherever that data may be. And that, in turn, supports a variety of security, privacy, and sustainability requirements. We also provide technology to help diagnose and assess the condition of physical assets and IT assets. That’s important because that is also part of a similar process when assets are being redeployed, redistributed, or at the end of life being reused, recycled, disposed of in some other way. We are a provider primarily of software solutions that do that and the software allows our customers to certifiably confidently erase data for good across a wide variety of technology platforms.
John: Primarily, you do business in the United States or is it the United States and around the world? Where does Blancco sell and market its software and services?
Maurice: Around the world. In fact, our origins go all the way back to Finland, actually, some 25 years ago or so, where a need was identified by our founders for permanently deleting data. In fact, they had ordered an IT asset that had supposedly been repurposed for resale on the secondary market and discovered sensitive medical records on that device. That turned into a new story and there were some concerns in a local dust-up over that. But that got them thinking about this problem that exists. That IT assets tend to hold onto data by design and so when these assets are at the end of their life or resold or attempting to be redeployed within an organization that data tends to persist and that’s a problem for a number of reasons. And so hence the founding of Blancco and over the years that has grown and we are a global operation, actually, a publicly traded company on the London Stock Exchange currently and we have operations in EMEA, APAC, and here in North America, which is my remit.
John: And as VP and GM of the Americas your core mission is running sales, running marketing, running innovation? What are you in charge of specifically as VP and GM of Americas?
Maurice: I’m responsible for the team that services the needs of our clients, and specifically our enterprise and government clients as well as our partners in the ITAD space and in the mobile ecosystem, particularly mobile processors and so forth as phones are traded in and then erased, assessed, and shipped off into secondary markets. And so I’m responsible for the account teams that address those needs.
John: Maurice, what are some of the major trends surrounding data security and privacy more particularly for organizations that create, process, restore sensitive data? Where are we today in 2023 in terms of trends and why should people really care about these issues?
Maurice: Yeah, great question. I would say it’s important to take a step back and think about this within the broader context. The broader context is that information technology, really, any sort of computerized technology, whether it’s processing information or controlling physical systems, comprise the central nervous system of modern life, right? Nothing we do in terms of sharing information, communicating, making decisions, or even making things happen in the real world… and when I say physical processes, it could be water treatment facilities, transportation system, so forth, the critical infrastructure that we depend on to live and function as a modern society depends on that central nervous system.
And that central nervous system in turn is routinely vulnerable to and actually attacked on a regular basis, most of the time for financial gain on the part of those who are just seeking to steal money, extort money, and so forth. Occasionally, also for purposes that are in the nation-state realm, there are espionage activities going on in cyberspace. Sometimes it’s political. It’s defacing a website to make a point and so forth, but all that to say that central nervous system needs to be protected and that is also happening at the same time that the amount of data that we’re producing as human beings is growing exponentially. There’s a tendency to think of that data as though it’s self-created YouTube videos and it’s cat videos online and it’s social media and it’s gaming. Turns out in the enterprise realm or in meaning organizations that are creating data, that data sphere is twice the size of the consumer citizen data sphere. So organizations are creating a tremendous amount of data and now they have a responsibility to protect it for a number of reasons.
John: And in many ways also with the advent and rise of AI and so more data is going to be captured and be created. Data for organizations truly is some of their intellectual property now very important parts of their intellectual property.
Maurice: Absolutely. So there is some data that absolutely must be protected because of its very sensitive nature and it could be sensitive because it’s classified government data, it could be proprietary data like you’re referring to that an organization has, it could be protected because it’s personal information: health records, financial records, and so forth.
John: Right. The advent and rise of this thing called the cloud, how does that affect the algorithm and math of how you go about marketing and servicing your client base?
Maurice: So the cloud, just to define it very briefly, is essentially this much more ubiquitous broadly accessible computing environment and it provides tremendous benefits for all of us because of its scalability, its lower cost, its efficiency, and so forth, and allows everyone from individuals to startup businesses to large enterprises and government agencies to really benefit from the efficiencies gained there. However, as soon as we start creating, processing, transmitting, storing data in cloud environments… in other words, when it leaves our physical control, all of a sudden the data security challenge becomes much more complex because it’s not just that an organization might take its data from its own data center meaning it had a rack of servers and storage devices in a closet somewhere or in a more professional data center, now it’s just moving somewhere else. It’s typically across multiple data centers.
It could be data in software as a service environment. So think about say Salesforce for customer relationship management or even email by Microsoft 365, Box, and so forth, are all environments where an organization’s data is now spreading out and that makes it much much more complex. And so to answer your question, there is this acute need for organizations to be able to know where their data is being created and stored, be able to track it down, and then manage it effectively. Manage it effectively means categorizing the data, knowing its sensitivity, understanding when they are required to protect it with additional safeguards or delete it, and then implementing a number of additional security controls to protect that data. Of course, where Blancco comes in typically is at the point where that data now needs to be permanently, irrevocably, and verifiably erased for good.
There’s a need for that too because some data is so sensitive that it needs to be protected until say a legal hold has expired and now all of a sudden holding on to that data becomes a liability and you have to get rid of it and you don’t want any trace of it. So there’s a need to erase it at that point as well as just reducing the general attack surface is a term that we use in cybersecurity. It is the sort of the broad exposed area, for lack of a better term, to the outside world that you might be attacked in it through and so the data attack surface is the more data you have the more you have to try to protect it and so that in and of itself becomes a burdensome task.
John: Well, we started ERI almost 20 years ago now and breaches happened. It was always cover of either WSJ or the New York Times or something of that nature. They didn’t seem back then to be the seriousness or penalties that GDPR and other laws have now started imposing upon organizations both big and small for misappropriating data. Where are we in the evolution now? Also back then there was no such thing called the CISO or Chief Information Security Officer. First of all, who’s your marketplace, Maurice? Is it Chief Information Security Officers, IT directors, or both? Talk a little bit about the evolution of penalty-free era of the early 2000s to now what GDPR and both the federal local governments here in the United States have now started imposing upon organizations who are not in, legal terms, taking care of their client’s data.
Maurice: So we are typically addressing the needs of and servicing IT asset managers, historically, because they’re the ones who are concerned about managing these IT assets through its lifecycle and at the end and so forth. As I mentioned earlier, we also partner regularly with ITADs and mobile processors. And so of course, the operational folks in those organizations are who we interact with. But increasingly there is interest higher up your chart and more broadly because this is tied to data security and there is, the risk you mentioned, the increased risk of being liable for penalties, including some hefty fines for failing to properly protect that data.
So it is now becoming more of a CISO concern in all of the service providers: system integrators, consultancies, and so forth, that service our end customers. The enterprises that we all serve are also involved typically in helping their clients, our clients, secure their environment and managing it on a regular basis. And so they are also now [inaudible] the picture. For example, ServiceNow is one of the largest IT service management platforms and they do a number of things but one of the biggest things that they do is help IT professionals manage their assets across the entire enterprise. We have partnered with them. We have an app that’s available on their app store for their customers to download, install that allows them to initiate Blancco-certified erasure to whatever standard they need and then to provide their reporting back in through the ServiceNow platform. So that’s one example of essentially a third party that typically does something else, but we’re now more increasingly integrated with what they do.
John: They become a channel partner for you to further democratize your technology to their client base as well.
Maurice: Yes, that’s right.
John: Understood. Talk a little bit about the pandemic. It seems like during the pandemic cybersecurity took on even more importance with regards to the amount of attacks that were happening on pharmaceutical companies, on hospitals and healthcare agencies, and also on people who are absolutely terrified, of course, of COVID and the pandemic and who were in a more fragile state than normal. How did it affect us both from an organizational but also consumer point of view? Even though, anecdotally speaking, it seemed like cybersecurity attacks were rising during that period, did they in actuality rise during the pandemic and how did it affect Blancco during and post-pandemic?
Maurice: Well, let me attempt to answer the 12 or so questions you just asked.
John: Sorry about that.
Maurice: No, it’s okay.
John: I’m excited about the topic as you could tell.
Maurice: Same here. It’s a fascinating topic, right? And because something like a pandemic is so disruptive, it has implications throughout society and throughout all sorts of different functions, and certainly cyber is one of them. As it relates to sort of this trend of in aggregate increasing cyber-attacks, much of that continued, right? There are a number of reasons why it’s good business to be a cyber attacker: low cost of entry, barriers to entry are coming down. Typically, you can attack your victims from jurisdictions that are harder for law enforcement to reach or jurisdictions where the victims reside and so forth. It’s one of those things where you only have to be right once but if you’re a defender you have to be right every time. So the deck is stacked very much in favor of the attackers and places a huge burden on those of us who are concerned with defense in terms of how to do that.
So that general sort of dynamic did not change with the pandemic but what really changed is that the organization on enterprise footprint, if you will, overnight left the offices, left commercial buildings that they controlled and IT networks that they controlled, and now all of a sudden they are all diving in from their insecure home router with a default password that’s available on the web and using Zoom, for example, as we’re doing right now to communicate and talk and so it made the security challenge that much more difficult and it demonstrated, I think, what we’re seeing in general, which is that in the security space, whether we talk about enterprise cyber versus a home cyber or physical security and IT security or IT and OT security, which is operational technology that control systems running everything, there’s this convergence going on.
It’s increasingly difficult to distinguish and control in different environments. So now an enterprise cyber security posture is dependent on how well protected somebody’s home environment is, that includes home internet access through their internet service provider in their Wi-Fi. It now depends on how well configured or managed their own IT assets are at home. And an employee may be exposed by the fact that their teenage kid is upstairs online visiting a site they shouldn’t that allows malware to enter the home environment, right? And so there are a number of different impacts that just made it a much much more challenging space and we’ve all had to respond to that. That I think will continue to be the case now.
As it affected Blancco, to answer I think your last set of questions… And I’ve been at Blancco a little over a year. I wasn’t here for the initial surge but what we have seen of course is that the number of end-user computing devices shipped spiked significantly, right? All of a sudden they were shipping laptops to everybody and so forth. And so we saw that bulge and now we’re starting to see some of those assets start to be processed out. At end of life, some of the early ones but of course, there are also macroeconomic things that drive, factors that drive how long those assets are used in an enterprise environment. And we do see more enterprise customers sort of sweating the asset longer. So instead of a three-year refresh, you might be four or five even longer.
John: And once we were all working from home on a very… Say we were all sent home on or around March 20, 2020, and with very little notice, IT directors didn’t have any notice. They started sending out redundant systems for people to be able to do their work from home, but besides everything you just said which makes so much sense, at some point didn’t not only cross contamination in the routers happen, but on the actual electronics themselves in terms of the kids using mom’s work computer or dad’s work computer or dad’s cell phone that was made for work and then taking personal devices and using them for business and before you knew it there’s all sorts of cross-contamination with both personal hardware and software and work hardware and software as well on a regular basis.
John: Yeah, you’re getting into the issue of both E-Waste and ITAD. Let’s talk a little bit about that. Where does Blancco see itself in the ecosystem of ITAD and E-Waste and materials that are looking to go have a second or tertiary life, materials that need to go to their end of life, and then the critical issue of sustainability because cyber security and sustainability are probably two of the biggest trends that we’re living through right now and seem to be growing and going to have a lot of tailwinds for years to come. Where does Blancco sit in the convergence of those two massive trends?
Maurice: Well, I think you used the term convergence and that’s the right way to describe it. We are at the convergence of two different trends that are typically and historically been separate. With increased interest in and need for sustainability both sort of as a self-initiated thing on the part of consumers and enterprises as well as increasing regulatory pressure to be more sustainable, and in particular to reduce E-Waste, that is then driving the need for solutions that help enterprises not just throw away IT assets when they’re done.
And given the fact that we are shipping 1.3 to 1.5 million laptops a year, those laptops all have to go somewhere. Millions of servers, storage devices, routers, switches, and so forth need to go somewhere and that contributes to a tremendous amount of landfill waste. It is wasteful also in terms of the opportunity cost right where if some of the materials in those devices could be reused then they would need to be pulled out of the ground somewhere else. And so there are a number of reasons why reverse logistics and sustainability initiatives and the work that ITADs are doing is so important that there is an increasing interest, I think, on the part of end customers to try to reduce the amount of waste.
Separately, of course, there’s this concern about the data that persists on these devices. As storage media become more and more sophisticated more and more data in higher density can be stored on some of these drives. And so if the reliance is on physical destruction it becomes actually harder to truly purge the device and data using physical means. So in that sense, there is a convergence right where the need to try to salvage the device and at the same time ensure that there is no residual data left on it. That is the convergence and that is right where Blancco is and we’re happy to partner with all of our partners and customers who are focused on that. ERI’s tagline: people, planet, and privacy, I think that cuts right to the heart of it and is an important aspect of what we’re focused on helping to enable and frankly gives us that additional sort of higher purpose. We are helping to reduce impact on the environment. We are helping to protect our customers from data loss and we’re helping to protect end customers or consumers and citizens and employees from having their personal data compromised and those are important missions.
John: And you’re enabling what also seems to be another major trend, the shift from linear to circular economy, making these devices able to be used second and third and fourth times now with, like you said, the peace of mind that the data has appropriately been destroyed and wiped, etc. is again just better for the planet and better for everybody.
Maurice: Yes, absolutely.
John: I know there’s no exact numbers out there from your position anecdotally speaking. What your mission is to protect or limit the attack space of any organization. Where are the breaches really coming from today from your industry-specific knowledge and your expertise of working in this space for quite a long time? Is it human error with regards to phishing attacks, or is it benign neglect and human error from misappropriating their electronics and other associated E-Waste when it comes to its end of life? Where are the scales of balance from what you see out there currently?
Maurice: There is a general principle that I’ve noticed not only applies in the cyber realm but applies in any kind of security including physical security. That is that an organization or an individual is more secure when they habitually implement and properly execute on a set of very basic routine safeguards and that is supported by the data. So let me describe that in greater detail. If we look at one of the most widely read reports in terms of data breaches is the Verizon Data Breach Investigations Report. Comes out every year, fascinating read, available to everybody, and they do a great job of kind of telling the story of sometimes the very highly technical things in a very sort of flippant way, but sometimes sarcastically because year after year the vast majority of cyber-attacks are the result of some fairly basic things. It is misconfigurations, meaning that sort of basic settings of an operating system, as an example, are not… they come out of the box pre-configured for your ease of use and convenience not necessarily security.
So you have to actually go in there and say, “Okay. I’m going to tighten down the bolts, right? I’m going to close the door. I’m going to lock the windows and I’m going to put a light on the back porch,” is the cyber equivalent. It’s oversimplifying it but the idea is you have to do some basic things to lock it down. Misconfigurations are a huge part of cyber attacks and that includes in cloud environments. Misconfigured S3 buckets in the Amazon space for example have led to some of the worst breaches in recent memory. It is unpatched vulnerabilities, right? So on a regular basis, we are discovering vulnerabilities in the millions of lines of code that make up any software package. And so there’s a race as soon as we discover a vulnerability to patch it and prevent the bad guys from exploiting it. Meanwhile, the bad guys are rushing ahead to try to exploit it to their benefit. It turns out patching is not necessarily an easy thing to do because it can disrupt the systems themselves and so forth. So unpatched vulnerabilities is a huge factor.
Human error, as you called out, also a huge factor, right? We try to condition our employees to not click on that attachment or open the attachment or click on a link from a phishing email and yet a certain percentage will always do so and so that’s how they get a foothold in the organization. So I say all that because from a defensive standpoint, there are a couple things that need to happen, but one of them is that some of the basics need to be done at scale. They need to be done consistently and they need to be done well. I spent some time at the Center for Internet Security. CIS is an independent nonprofit focused on cyber security best practices among other things and one of the principal things that CIS does is to maintain the CIS Critical Security Controls.
These are a set of best practices developed by looking at real-world attack data and developed through the input of cyber defense and IT security professionals across government industry and academia. They routinely are reviewed to ensure that really the most foundational and important security controls are available as a reference and as a guide because there are literally hundreds and thousands of things that an organization can and should do but you need to prioritize. You can’t run a business if you’re trying to do everything. So the CIS controls are very effective at helping an organization to prioritize and properly implement the basic things that they need to do. Well, turns out for years running I think from the very beginning, the first two controls are all about just knowing what your assets are, having a good accountability for them, and maintaining them properly essentially. This ties right in with asset management, ties right in with knowing where your data is, and so forth. So that’s a long answer to your question but as it turns out doing the basics well, excellence in the essentials will take you a long way in cybersecurity.
John: One of our most important things is to have certifications that ERI both environmental certifications or data security certifications such as SOC 2 standards, such as being made certified, etc. And we have a lot of IP there. We’re always both using at our marketing, but also trying to protect on a regular basis. Where does that analogy fit for Blancco in terms of we’ve used your great firm for years and I don’t really, even off the top of my head, know or even understand who your competition is? You just seem to be the platinum standard year after year because of all the IP that you have and the certifications that you adhere to and things of that such. How important is both standards and certifications and IP when it comes to setting yourself apart as the leading software data protection provider in the world?
Maurice: Well, it’s very important. It’s important both in terms of the certifications that the provider has. So in this case the fact that Blancco is certified by third-party organizations that are reviewing the validity and the robustness of our code and our security operations, and so forth, can give you and everybody else confidence that we probably know what we’re doing, and that’s very important. Ultimately it comes down to trust. Do you trust this product? Do you trust these people that are implementing it and managing it on your behalf and so forth? As well as the standards that we then in turn help you and others implement and maintain and monitor against.
Whether it’s R2 or some other certification, those types of industry certifications to say as a processor of devices at end of life you need to be able to demonstrate adherence to and be subject to audit relative to ensuring that data has been permanently erased from these devices and so forth, gives your customers confidence that you’re doing the right thing. And in order to do that at scale, since you are processing hundreds of thousands and millions of devices on an ongoing basis, you have to be able to do that at scale. And so you have to have robust enough solutions that are not only themselves good and sound from a security standpoint but can properly get the job done, erase to the standard that you or your customers need to erase to, and then be able to verify it at scale and report on it accurately at scale so that when the auditor comes they can look at the report and say, “Okay. I have confidence that this is happening.” Now, they may still grab a few samples take it back to the lab, but the auditors are not dumb. They know after a while which solutions are reliable.
John: That’s right. Maurice, I know you’ve only been at Blancco for about a year or so now. What are you most excited about in terms of upcoming initiatives that you’re working on that you’re allowed to talk about? I know you’re a publicly traded company, but what gets you out of bed in the morning, and what gets you excited about all the great things you and your colleagues are cooking up for the months and years ahead of Blancco for us?
Maurice: Well, I think one of the most important and interesting aspects of the work that we do is that data sanitization is going to become increasingly important to data security and effective data management. We are already seeing this but it’s exciting to be part of a scenario, to be on the leading edge of a scenario where as the data itself becomes kind of decoupled from the underlying hardware infrastructure and is now in the cloud, is now in SaaS environments, it’s now containerized, is now in virtual machines, and so forth, to be able to then help our customers effectively identify and track down that data and then permanently remove the data in live environments.
So not just the drive that’s sort of done and needs to be wiped because it’s in a laptop that is being redeployed to a new employee or is being reused, recycled, repurposed at its end of life as an asset. Now we have data out there in the ether, in the cloud that needs to be addressed. There are some interesting conversations we are routinely having with our customers and partners in this space. And of course, we are also of course looking at some very interesting ways to address this from a technology standpoint. That’s the realm of our CTO and his product management team and I can’t say much more than that, but it’s an exciting place to be.
John: Well, you said a lot and you’re always welcome back on our show, Maurice. Thank you for your time today. I can just spend all day with you just talking about data security and cyber security. I’m fascinated by the topic and I really truly love it and believe in the importance of it. For our listeners and viewers, to find Maurice and his colleagues and all the great work they’re doing at Blancco go to www.blancco.com. Blancco, Blancco.com. It’s two Cs, one N. Maurice, thank you for your time today. Thank you for your vision. Thank you for your knowledge and thanks overall for making the world a better, safer, and greener place.
Maurice: Thanks so much, John. It’s great to spend this time with you. It’s been fun.
John: This edition of the Impact Podcast is brought to you by Engage. Engage is a digital booking platform revolutionizing the talent booking industry. With thousands of athletes, celebrities, entrepreneurs, and business leaders, Engage is the go-to spot for booking talent, for speeches, custom experiences, livestreams, and much more. For more information on Engage or to book talent today visit letsengage.com.