October 5, 2023 31 mins

This episode features an interview with Kelly Haydu. Kelly is Vice President of Information Security and Technology at CarGurus, the most visited automotive shopping site in the US. Prior to CarGurus, she served as Senior Director of InfoSec at Salsify. Before her tenure in the security space, Kelly worked in Quality Assurance, including lead automation roles across markets and verticals. In this episode, Kelly and host Tim Chase discuss sources for keeping up on the latest privacy laws, why there isn’t a national privacy law in the U.S., the benefits of micro training and more.

Key Quotes

“If you get too technical, you'll lose your audience very fast. So if you can correlate it back to somebody's real life or an example of how it may relate back to a theme, it resonates more. As soon as you start getting into the technical jargon, you're going to lose people. Because people already think security is boring and complex and don't understand the jargon. So that's how I start with education.”

“From an engineering perspective, building privacy by design into our pipeline starting with the product teams. But really explaining why it's important to do that up front. The cost of a breach is the cost of a breach. But just looking at a vulnerability that makes it into production, let's say it's a high vulnerability. The cost to remediate that vulnerability is more expensive after the fact than if you address it up front, before it gets into production. And so explaining that to engineers and making sure that you're partnering with them and providing them guidance on what's a go/no-go decision, and not being a blocker, will help drive adoption.”

“Micro training is great. And make it fun. I received a LinkedIn message from an old coworker at a new organization now that said, ‘Hey, don't know if you remember me, but you gave this security training at a previous company, and I thought it was hilarious but it stuck with me.’ And that really got to my heart, because I said, ‘Yes, I got to that person. They remembered the security training.’ And if you're going to be boring about it, it's not going to resonate with people.”

Time Stamps

[0:39] Introducing Kelly Haydu, VP of InfoSec, Technology and Enterprise Applications at CarGurus

[1:40] Where do security and privacy overlap?

[3:41] How do you educate the executive team on compliance?

[5:42] How do you stay up to date on current privacy laws?

[9:23] Why has it been so difficult to get a national privacy law?

[14:48] How did Kelly first become involved in IT and security?

[16:57] What was Kelly’s path to CarGurus?

[20:35] What makes a good cybersecurity leader?

[22:43] How is cybersecurity a strategic partner to the business?

[24:53] How does Kelly build privacy by design into their pipeline?

[27:08] How does Kelly’s team train the entire company on cybersecurity?

[28:38] How do you make cybersecurity training fun?

Links

Connect with Kelly on LinkedIn

Learn more about CarGurus

Learn more about Lacework

This podcast is brought to you by Lacework, the leading data-driven cloud-native application protection platform. Lacework is trusted by nearly 1,000 global innovators to secure the cloud from build to run. Lacework delivers true end-to-end protection, empowering customers to prioritize risks, find known and unknown threats faster, achieve continuous cloud compliance, and work smarter–not harder–all from one unified platform. Learn more at Lacework.com.


© 2025 iHeartMedia, Inc.