July 4, 2024 • 32 mins
Can preventable data breaches be a thing of the past? Join us as we sit down with Kyle Marks, the visionary founder and CEO of Retire IT, who is revolutionizing IT asset disposition (ITAD) with a vendor-agnostic approach. Kyle’s journey from Retrobox to leading Retire IT is filled with insights into the critical intersections of cybersecurity and IT asset management. Learn how his firm acts as a fiduciary, ensuring that your ITAD processes are defensible and secure while allowing you to keep your trusted vendors.
This episode unpacks the real-world challenges of IT asset disposition, from tracking serial numbers to maintaining an unbroken chain of custody. Through personal stories and professional experiences, we explore the innovative tracking systems and software that can achieve near-perfect accuracy in IT asset management. Hear about the complexities and risks of poor ITAD practices, including the recent SEC regulations and the financial repercussions faced by companies like Morgan Stanley due to data breaches from mishandled IT equipment.
Kyle’s new book serves as a cornerstone of this discussion, providing actionable strategies to safeguard your business against cybersecurity risks. Understand the importance of segregation of duties, equipment verification holds, and partnering with certified vendors to prevent conflicts of interest and ensure accurate reporting. Whether you're a seasoned professional or new to IT asset management, this episode offers valuable advice on establishing robust ITAD programs to protect your company's data and reputation. Tune in for indispensable insights from a leader at the forefront of IT asset management!
Click here to buy Where the IT Lifecycle Ends: How Non-Compliant IT Asset Disposition Creates Unnecessary Exposure
Thanks for listening!
If you like our podcasts, please leave us a review on Spotify or Apple or wherever you get your podcasts from.
Want to be a guest on The Circular Future podcast? Email Sanjay Trivedi at strivedi@quantumlifecycle.com
- Listen on: https://quantumlifecycle.com/podcast
- Follow us on LinkedIn | Facebook
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 2 (00:03):
A preventable data breach is quite possibly a
company's worst nightmare.
So why don't more companiestake properly managing their old
IT equipment more seriously,and what can we do about it?
Welcome to the Circular Futureyour access to thought leaders
and innovations.
To help you be a businesssustainability champion, even if
(00:27):
it's not your core job.
I'm your host.
Stephanie McLarty, head ofSustainability at Quantum
Lifecycle Partners.
Did you notice I saidpreventable data breach?
That's because with a secureand responsible IT asset
disposition program, theseissues can be avoided.
Still, a lot of companiesremain in the dark ages around
(00:51):
their IT equipment, but there isone man trying to change that
in a unique way.
With me is Kyle Marks, founderand CEO of Retire IT.
Over the past 20 years, kylehas managed over 20,000 ITAD
projects with Retire IT.
Kyle also servedAeroelectronics as president of
(01:11):
US Micro and has an MBA fromHarvard Business School, and
he's actually just wrote a bookwhich we'll talk about.
Welcome to the podcast, kyle.
Speaker 1 (01:20):
Well, thanks, steph, I'm glad to be here.
Speaker 2 (01:22):
Well, we're very happy that you're here and I'm
really curious to get into yourbook.
But first a couple of questions.
First, what are three thingsthe world should know about?
Retire IT.
Speaker 1 (01:33):
Well, that's a great question.
And, first and foremost, we'rea consulting firm.
So we're not the traditionalITAD vendor or electronics
recycler everyone thinks about.
So we don't own a truck, ashredder, a warehouse.
If I turned my camera around,you'd see an office full of
people.
We're not the traditional that'sprobably the first thing and
(01:55):
probably one of the most biggestmisconceptions that we manage
the process, how many?
We work with a network ofpartners.
The second thing is we are whatI refer to as a fiduciary, so
we sit squarely on the side ofthe table with our clients and
preach what we refer to asdefensible disposition.
(02:16):
It's always in their bestinterest.
We're siding with them.
And probably the third is thatwe're vendor agnostic.
So, even though we work with anetwork of partners we've worked
with that are vetted undercontract, we also work with we
call it bring your own vendorwhere sometimes clients already
(02:38):
have an established relationshipwith a trusted, certified
vendor.
We're happy to work with them.
Again, it's not who you choose,as much as how it's managed is
what's important.
So those would be the threethings I would emphasize about
us.
Speaker 2 (02:52):
Awesome, thank you, and you've piqued my interest
around defensible disposition.
Did I get?
Speaker 1 (02:59):
that right?
Yes.
Speaker 2 (03:00):
All right, We'll talk about that.
First of all, walk us throughhow you got into this space,
because I know your journey is abit of a unique one and I'm
sure our listeners would love tohear it.
Speaker 1 (03:11):
Well, it will be a little over 20 years.
I got into it with a companySome remember it was called
Retrobox.
It was a fellow who wasn't aclassmate of it, an alumni of
Harvard Business School, hadstarted a computer recycling
firm called Retrobox and it wasbased in Columbus, ohio, where
I'm originally from, and I'd I'dmoved around the country with
(03:32):
other other companies.
I was looking for anentrepreneurial industry or a
person who was in.
An industry that was fragmented, that had a lot of legs.
It was going to be around for awhile.
It was kind of messy and Ifound this guy who had started
this company and it was sort ofground zero.
There were three companies herein Columbus Redemtech, retrobox
(03:54):
and Tech Disposal and theyalmost seemed like they were
kind of the ground zero ofcomputer recycling for business
computer recycling.
I joined him because he wantedto help scaling the company and
selling it within a couple ofyears and I was looking for an
owner operator that I could helpwith that.
That was accomplished prettyquickly and I wanted to stay in
(04:15):
the industry but I didn't wantto stay with the company that
had acquired it.
I wanted to build a companythat I feared competing against
because I saw a lot of problems,mainly that logistics was such
a huge cost and such a big risk.
It didn't make sense shippingcomputer assets around the
country from California back toColumbus, ohio.
(04:37):
So my vision for RetireIT wasto be more like AAA than the tow
truck I don't know if that's aUS, assume your audience is more
US based but for more like FTDthan the florist and build a
network of trusted partners.
It would keep the costs low.
It would have a lowerenvironmental impact.
(04:58):
And I quickly discovered thatthere was a bigger issue, which
was chain of custody.
My clients would have aninventory of equipment and I
would get a correspondinginventory when the equipment was
delivered at my partner's and Istruggled with confirming those
were the right assets.
You could pick up a hundredlaptops.
You'd get a report from therecycler that they got a hundred
(05:18):
laptops but only about threequarters of the serial numbers
would match.
So it was very problematicbecause you didn't know if the
problem was on the client sidewith their inventory or the
recyclers.
Or you know, an 8 could looklike a B or a G could look like
a 6.
And so again, I'd moved aroundthe country enough times that
probably some of my furniturestill had moving tags.
(05:39):
So I thought if that industrycould use tags to solve a
problem, maybe ours could, andso I bought a label printer.
I taught myself how to printbarcodes.
I started sending stickers tomy clients and I'd ask them to
humor me and label the equipmentbefore we scheduled the pickup.
And then I would tell mydownstream partners I wouldn't
pay them unless they scanned mytags in addition to giving the
(06:02):
inventory.
And lo and behold, all of asudden we're tracking virtually
100%.
Then I had to write a lot ofsoftware to account for the two
keys, because now you have a tagID and a serial number and
there's a lot of differentcombinations that can occur.
But it solved a lot of problems.
That's how I got into theindustry, was I thought I saw a
better way of doing it from acost savings perspective, and
(06:24):
then it evolved into being moreabout chain of custody and
governance risk compliance.
Speaker 2 (06:31):
But to this day that's still how we operate has
a huge impact, and you clearlyapplied that entrepreneurial
thinking to this problem.
So you've gone on to write abook, or I should say to release
(06:53):
a book, because it's actuallymore about the images.
It's largely a picture book allaround IT asset disposition, it
asset management it's calledwhen the IT Life Cycle End.
How non-compliant it assetdisposition creates unnecessary
exposure.
So, kyle, why did you writethis book?
Speaker 1 (07:12):
I wrote the book.
It's actually been a a a kindof a lifelong a effort in terms
of my illustrations.
I've always been drawing things, doodling things.
Illustrations help capture theessence of an issue.
It also allows people to lookat something and not take it
(07:34):
personally, kind of find somehumor in it.
I've always been a fan of theFar Side cartoon.
If you remember that and thetitle of the book, you know when
the IT Life Cycle Ends.
I loved the book as a child.
Where the Sidewalk Ends.
You know Shel Silverstein.
I've always, or I've, liked touse illustrations in my
presentations, whether it's at aconference or when it's a
(07:57):
webinar.
And you know, I don't know whosaid it, but somebody actually
said I should put it together ina book and I did.
I didn't tell anybody what Iwas doing, but it was.
It was a lot of fun.
A lot was left on the cuttingroom floor.
The reason, from a timingperspective, I did it now was
because the SEC cybersecurityrules went into effect in
(08:19):
December.
Rules went into effect inDecember, more than a year ago.
They deemed ITAD acybersecurity risk when they
fined Morgan Stanley $35 millionfor a pair of breaches that
they had had a few years before,and there's a lot of
misconceptions I wanted to clearup, and there's also a couple
of best practices that again arevendor agnostic that I believe
(08:40):
every company should be applying.
Itad is one of the mostinteresting business activities
because there's usually not asingle person that's responsible
or accountable for it.
Some people think it fallsunder IT asset management,
others look at it underfacilities or maintenance or
(09:03):
under IT, but there's not achief IT asset disposition
officer in a company, and sooftentimes there's a lot of
siloed activities, and I thoughta book with illustrations could
bring people to the same tableand have conversations about
some of the gaps and how theyfix it.
Speaker 2 (09:21):
Yeah, I found the pictures incredibly helpful.
A couple of my favorites arethere's one where there's a
gentleman standing against awall and there's tons of leaks
coming out, and each of theleaks represent something
different, and he's trying tocover them all.
I thought that was reallypowerful.
Another one that I really likeis towards the end of the book,
(09:44):
where there's a dog sitting at avet and you make the point that
disposal tags are like hidingmedicine in treats.
I thought about our dog andthought that actually makes a
lot of sense.
And, by the way, when we'retalking about ITAD because we
always love acronyms it's ITAsset Disposition and ITAM, IT
(10:08):
Asset Management.
So, Kyle, where do you think weare missing the mark in this
industry?
I mean, you speak in the veryintro of the book.
You speak about the unspeakableproblem in this space.
So where are we missing themark?
Speaker 1 (10:25):
Well, there actually hasn't been any consequences to
speak of, you know, fornoncompliance or for bad you
know activities and that willchange.
You know I'm not sure when youknow it could change tomorrow if
the SEC starts enforcing thingsmore, right.
(10:45):
So there's plenty of rules andregulations on the book or
already on the books, if you addthem up and I didn't do this,
but I've read at the local,state and federal level, there's
over 550 that affect IT assetdisposition, just in the US,
right.
And if you go across the pondand look at Europe with GDPR or
(11:08):
AsiaPAC, there's plenty ofregulations but there's only a
handful.
You can count on one hand howmany times companies have paid
the price for noncompliance.
Exposure has historically beenthe result of disclosure, and
disclosure historically has beenvoluntary.
Nobody willingly or voluntarilyraises their hand and said
(11:30):
they've had a breach.
And the book illustrates howcurrent paradigm is somewhat
rigged to sweep the problemsunder the rug.
Nobody is paid to look forproblems.
Nobody is incentivized to bringthe problems forward.
In fact, it's quite theopposite.
There's perverse incentives forpeople to sweep the problems
under the rug and keep theproblems hidden.
(11:52):
It's one of the reasons why,when the SEC fined Morgan
Stanley, they came out and saidthat it was astonishing the
failures.
What I find astonishing is itis now kind of recently coming
to light because it's an opensecret in our industry about
these problems.
If you talk to others who havebeen in the industry for a while
, there's always missing assets,there's, you know, always
(12:15):
discrepancies.
They're never disclosed andit's completely rational,
totally understandable.
You know, if your people don'tvoluntarily call up the police
and say, hey, I was justspeeding on the way to work,
would you mail me a ticket?
Right, and so yeah, that'sprobably why there hasn't been.
(12:36):
But now that you've seen theMorgan Stanley incidents, you
know the two breaches.
The OCC fined them 60 milliondollars.
There was a class actionlawsuit that followed Actually
many of them.
They were consolidated into oneand then that settled for
another $60 million.
And then two years later theSEC weighed in.
This is all one relating to onecompany's problems and then
(12:59):
recently, last November, fivestates settled for another $6.5
million.
So it's sort of the breach thatwon't go away.
Speaker 2 (13:07):
And ultimately, the core of the issue is that the
companies did not manage theirold IT equipment.
So, basically, it equipment gotout there, data got leaked.
Is that the source of thebreach?
For those of us who aren't asfamiliar For?
Speaker 1 (13:26):
Morgan Stanley, there were two breaches and it's very
important you actually keepthem separate.
One might ask why did MorganStanley disclose them both at
the same time?
And your guess would be as goodas mine.
One was inevitable.
It came out because some assetswere not properly processed.
They didn't hire a qualifiedvendor.
(13:46):
However, the assets passedthrough qualified vendors' hands
, but ultimately they wereresold and data was accessible.
The person who bought theequipment reported it, so that
breach was coming out.
The second breach, which forour industry is a lot more
problematic, was really more ofa he said, she said.
Initially, morgan Stanleyreported that during the wind
(14:10):
down of Aero, aero Electronicshad become probably the biggest
vendor in our industry.
They abruptly, in July of 2019,announced they were exiting the
industry, basically gave almostno reason.
A year later it was disclosed.
That's when the breach occurred.
Morgan Stanley said they didwhat was called a records
(14:34):
reconciliation exercise anddiscovered that some assets they
thought had been sent to ArrowArrow didn't have a record of
and then they disclosed that asthe second breach.
It turned out it was a total of42 servers out of several
hundred couldn't be accountedfor by serial number.
Anybody who's been in thisindustry knows those assets may
not have actually been lost.
(14:54):
They could have been lost inthe building.
So if two technicians areworking at Quantum Kyle and
Stephanie and we have twodifferent client deliveries at
the same time, I'm working onone pallet, I put something down
on the floor, you bump into it,you pick it up thinking it was
off on your pallet.
That asset's not lost, it'slost in the building.
It's lost from reporting.
(15:14):
That could have explained a lotof the problems.
It's one of the things when Italk in the book about three
safeguards, one of them beingequipment verification holds.
You know where you actuallyreceive the equipment, report on
it and hold it until youconfirm chain of custody.
That in and of itself couldhave solved, you know, a lot of
problems for Morgan Stanleybecause the assets may not have
(15:35):
been lost.
If you're trying to reconcileinventories a year later and
those assets are long gone, thenyou know repurposed and resold
or recycled.
There's no way of correcting aninventory.
Speaker 2 (15:46):
So it sounds like, in terms of the risks for
companies, there is significantbusiness risk, financial risk,
brand risk and now and what Ilearned from the book even
personal risk, because, underthe new SEC ruling, executives
can be held responsible for this, which I think that's great, so
(16:09):
okay.
So you talked about safeguards,so walk us through these
safeguards the best IT assetdisposition managing companies
actually do.
What can companies do toprevent this?
Speaker 1 (16:22):
Well, they have to recognize the conflict of
interest, and every single datasecurity regulation has an
element of segregation of duties, and so you need to separate
duties so you don't have the foxwatching the hen house.
And with respect to IT assetdisposition, if you're
responsible for managing thelifecycle of the assets, you
(16:43):
shouldn't also be responsiblefor the retirement process?
So a company either has to hirea third party to manage the
process or have a separateperson in the organization
manage the disposition.
The teachers shouldn't begiving the answers to the
student and having them grade itthemselves, right.
Speaker 2 (17:00):
Right or in the accounting industry, it's the
same thing Like.
Whoever receives the check-inshould not be the one recording
it in the books and depositingit in the bank, and all of that
100% Generally acceptedaccounting principles.
Speaker 1 (17:14):
You know accounting 101, you know you need to have
that segregation of duties andyou know, if you think about
ITAD as reverse procurement, youwouldn't have somebody, you
know cutting the PO and thecheck, you know, and doing all
everything at once.
So segregation of duties is anabsolute, certainly a must have.
(17:36):
We also talk about I mentionedequipment verification holds.
You know you would not jump outof an airplane without a backup
parachute.
I don't care how many times youdo it and your primary issue
has never failed you don't wantto be caught.
And with the equipmentverification hold you have
hourly employees receivingequipment and they're being
(17:58):
compensated for receiving themquickly.
You know they're scanninganything that's available, you
know, or they're keying it in.
And so there are going to beinventory capture problems.
Right, being able to go backand get a second look at an
asset capture, the correctinventory identifier will.
You know, 99% of inventorydiscrepancies can be cleared up
(18:21):
if you get a second look at it.
And then the third piece is wepreach disposal tags.
You know 99% of inventorydiscrepancies can be cleared up
if you get a second look at it.
And then the third piece is wepreach disposal tags and
minimally a separate identifier.
You know, maybe you have assettags on your equipment already.
They don't work as well asdisposal tags.
But if you rely solely onserial numbers, you're just not
going to be able to close thegap.
(18:41):
You're going to have too manydiscrepancies and unaccounted
for items.
Disposal tags will account for99% of assets.
They also serve a reallyimportant function because it
helps identify what needs to betracked.
When the clients are labelingthe equipment.
They're saying this isimportant.
(19:01):
We need you to capture aninventory and there are certain
devices that aren't necessarilyalways captured.
It could be, you know, asmartphone or this IP phone I
have next to me.
Is that an asset or is that acommodity that's just going to
be recycled?
Some assets, like smartphones,don't have a readable serial
number right.
So you know, putting a barcode,you know it makes it very easy
(19:25):
to prove chain of custody.
Disposal tags also deter theftright, because if Stephanie is
getting ready for a disposalproject to take off and she has
a room full of equipment, ifsomebody opens the door and sees
that all the equipment has neoncolored barcodes, they're a lot
less likely to take it.
When the driver shows up topick up the equipment,
especially if it's anenvironment where there's some
(19:46):
assets that go and some thatdon't, you can give instructions
and say only take the assetswith tags and you get an
accurate count.
It deters theft in transit andcertainly when the equipment's
received at a facility, italerts that facility that this
equipment needs to be accountedfor and is going to be.
You know the inventory is goingto be reviewed and so I believe
(20:09):
it takes a.
It puts them on a heightenedsense of awareness in terms of
capturing inventory out of thefirst time.
Speaker 2 (20:15):
And to you know, going back to your book and the
visual aspect, the visualmarkers for our listeners.
Kyle held up the disposal tags.
They are bright, yellow, bigbarcode.
You can't miss them.
So, yeah, I could understandwhy that would be effective.
It's just another visual cuefor a number of reasons.
Kyle, before we get into ourhow-to section, I want to ask
(20:37):
you one more question, and thatis where you think this space is
going.
If I were to give you aproverbial crystal ball we
talked about this back in thevery first episode of this
podcast, Gary Diamond where doyou think the space is going?
I'm going to ask you whattrends do you think will define
the future of ITAD?
Speaker 1 (20:58):
I think there is going to be the mother of all
disclosures will happen.
It will relate to ITAD and Ithink everybody who is a
listener should be aware.
You know this.
The Morgan Stanley case theclass action settled.
Because that's what happenstypically with class actions
(21:19):
when the settlement is offered,what happens typically with
class actions when thesettlement is offered.
Now that attorneys understandthat this information is readily
discoverable just comparingprocurement records to
disposition records, to currentinventory you're going to find
gaps.
No company can credibly claimto have protected the data on
assets that they don't know thewhereabouts.
(21:40):
So this industry is a plaintifflawyer's dream come true.
There are plaintiff law firmswaiting for the next.
You know breach disclosure.
But even more interesting isyou know the SEC motivates
whistleblowers with hugecompensation.
They pay up to 30% of thepenalty.
(22:02):
In the case of Morgan Stanleyand I'm not saying we will never
know if there was awhistleblower involved, but that
was a $35 million penalty Athird of $35 million is a really
nice it's a lot of money.
That's a lot of money.
And now anybody that has insideinformation in terms of
noncompliance it could be adisgruntled employee, it could
(22:25):
be a contractor, it could be avendor.
A disgruntled vendor could tipoff a regulator and bring down a
regulatory inquiry.
And, as I said, thisinformation's easily
discoverable right.
And you combine that with thefact that the SEC also does not
allow for plausible deniability.
(22:46):
It's an executive's job, youknow, to have controls in place,
not rely on somebody's.
You know good intentions butactually have mechanisms to
alert you to non-compliance.
And so when I say it's going tobe the mother of all
disclosures, I don't think it'sgoing to settle very quickly.
I think you know time there's abreach, they're going to go the
(23:15):
plaintiffs will go for, youknow, for the jugular.
They won't stop at a simplesettlement.
The other thing that I'm goingto make the prediction that's
going to happen is thatgatekeepers are going to be
implicated in this.
Gatekeepers are also consideredfiduciaries or accounting firms
.
Every single public company hasfirms that test controls not
(23:39):
just financial controls but alsocybersecurity controls.
That is going to become veryproblematic, because if they've
been given a clean bill ofhealth or haven't been testing
those controls, then they'regoing to have a lot of
explaining to do.
And I might be revealing my age, but I'm old enough to remember
when Enron left a $55 billionhole in the economy.
(24:02):
It also resulted in ArthurAnderson going away.
Because they were complicit inthe problems, right.
I would encourage thefiduciaries, the gatekeepers and
the SEC has made it abundantlyclear that they rely on
gatekeepers to surface problemsright.
So I would expect that theseaccounting firms that are also
(24:25):
testing the controls to startauditing this function.
Speaker 2 (24:29):
Okay, let's move into our rapid fire how-to section,
where I ask you how-to questionsand you can answer it short or
long, all depending on what youfeel the answer is.
My first one is now that you'vewalked us through all the
potential risks out there, andfor some companies, they may be
(24:49):
fairly new at this, or evenstarting from scratch.
So, kyle, how to set up aneffective ITAD program from the
beginning or from scratch?
Speaker 1 (25:01):
ITAD is the last phase of IT asset management.
So that's sort of a difficultquestion to answer unless you
actually put in place some basicIT asset management.
I call ITAD the final checkout.
So IT asset management and I'mfocusing on hardware asset
management because there's alsosoftware asset management
(25:24):
Hardware asset management,software asset management they
might run in the same park, butthe paths rarely cross.
I focus on hardware assetmanagement and if you don't have
an inventory, a good inventoryof what you've acquired, if you
haven't managed the lifecyclethroughout, then you're going to
(25:44):
have a challenge of accountingfor everything at the end.
And this I believe it'srelatively easy to close the gap
at the end of life with tags,with holds, with segregation of
duties, but there might be someassets you have not explained
and it is not appropriate toretire missing asset without an
explanation.
(26:04):
That's, and so you do needfundamental, you know best
practices with IT assetmanagement.
They need to have the resourcesto do their job and the mandate
from executives, assumingthat's in place.
When it comes to IT assetdisposition, you certainly have
to work with a qualified vendor,and by that I mean somebody
that's minimally R2 or e-stewardcertified.
(26:27):
But that's a starting point,right, that is, you have to.
I believe you should.
I talked about defensibledisposition.
It's really a strategy.
Tags are certainly an element.
I believe you should put a tagon as early in the positioning
process as possible.
So when the equipment comes outof the rack or off the desktop,
you're tagging it andinventorying it and the tag
(26:48):
actually sort of protects it,because employee theft is a
really huge issue.
If somebody walks out the doorbefore the vendor ever shows up,
no vendor can protect an assetit doesn't receive.
And so, having the assetssecured, I do believe it's also
important to secure or destroydata before a move.
It's not always possible, it'snot always practical, but if
(27:09):
there is sufficient data interms of quantity or the type of
data that it would result in abreach if it were lost, then I
definitely think it's aworthwhile investment to secure,
to destroy the data before amove.
You either can do it yourselfor hire a vendor to do it.
But assets, you know datashouldn't travel, and I, years
ago, read an article what hasmore value an armored bank truck
(27:32):
or a van delivering your usedcomputers to the recycler?
You know it's.
If you think about it, you knowan armored truck might only
have a couple hundred thousanddollars of cash, whereas if you
lose a single hard drive, itcould result in a seven-figure
problem overnight.
And I'm not advocating thatevery disposal project be done
(27:54):
with brinks, trucks and armedguards.
I'm advocating securing anddestroying the data before a
move.
Speaker 2 (28:00):
And thinking ahead too, is what I get from that,
like thinking ahead of what arethe what-if scenarios of this
particular batch of equipment.
You know, if a unit got out, ifthe data got out, what's the
what-if scenario, and to protectyourself against that, we do a
tabletop exercise with clients.
Speaker 1 (28:18):
Most clients have a handful of scenarios they think
about.
You know if something's foundin the wrong place or found with
clients.
Most clients have a handful ofscenarios they think about.
You know if something's foundin the wrong place or found with
data, I have actually over 140scenarios that can happen.
Some are benign and not veryconsequential.
Others are much more severe andif you walk through these
scenarios, most are preventable,right.
And so putting those safeguardsin place in advance, will you
(28:43):
know, an ounce of prevention isworth millions of cure, right?
So absolutely Simple, thingslike not sharing serial numbers
with your disposal vendor.
I already use the example ofteachers shouldn't give answers
to a student and expect them tograde their their own tests.
So there are certain you ask mefor a step by step by step.
(29:03):
There's actually over 122 stepsin our process that we do that
a client never sees if we do itright.
Speaker 2 (29:10):
Did you say 122?
Speaker 1 (29:12):
Correct, wow.
Speaker 2 (29:13):
Yes.
Speaker 1 (29:14):
You know it's also comes down to the commercial
aspect of it, right, you knowthe financials.
You know how often do you auditbills or how often do you
reconcile the or look at fairmarket values.
You know we were looking atevery aspect of it.
We do what a company should andcould do for themselves if they
had the wherewithal and thetime and the resources to do it.
Speaker 2 (29:35):
Kyle, you are a wealth of knowledge and you've
clearly had so much experience.
As we wrap up this conversation, what would you say would be
one piece of advice that youwould leave companies with IT
managers, it leaders, evenbeyond.
What's one piece of adviceyou'd leave them with?
Speaker 1 (29:56):
Well, I recognize that this podcast is about
circularity.
It's not just about datasecurity.
However, the one piece ofadvice is you need to follow the
money, and the money is incybersecurity, and I think that,
from an environmentalperspective, we're certainly a
big proponent of ESG, but weshould be using the G to
(30:20):
accomplish the E and the S, andwe should leverage the
cybersecurity aspect of ITAD toget the resources to do what
will ultimately benefit from acircularity and a sustainability
perspective.
The money is in cybersecurity,the resources are not in ESG,
(30:45):
and it is a positive externality, right?
So let's go to where thebudgets are.
You know ITAT is cybersecurity.
We need the resources.
You know we need the money, weneed, you know, the attention
from senior management to manageit properly, and that's going
to benefit us from asustainability and environmental
(31:06):
perspective.
Right, we can accomplish twobirds, kill two birds with one
stone.
Let's just use the budgets fromcybersecurity to accomplish it.
Speaker 2 (31:16):
I think that's very wise advice.
Follow the money, usecybersecurity to accomplish the
rest of the E and the S from theG.
And you know, I would say aswell, my piece of advice would
be to grab Kyle's book We'll puta link to it in the show notes
because it is a quick andpowerful read.
(31:37):
There's people on your team orin your organization that you
really want to get on boardregarding ITAM or ITAD.
This is a great thing to givethem to flip through, because
it's very powerful, and thankyou, kyle.
You've been a very powerfulspeaker as well, so we
appreciate you sharing yourwisdom here.
Speaker 1 (31:55):
Thank you for the invite.
I love the podcast and I'veenjoyed going through and
listening to the 20, some otherones and it's fantastic.
So I hope this gets the wordout and accomplishes what you're
trying to do.
Speaker 2 (32:08):
Yeah, thank you.
And remember, if you're lookingfor a partner in ITAD and
e-waste recycling, we'd love tochat.
Head on over toquantumlifecyclecom and contact
us.
This is a Quantum Lifecyclepodcast and the producer is
Sanjay Trivedi.
Thank you for being a CircularFuture Champion in your company
and beyond.
(32:29):
Logging off.
A preventable data breach is quite possibly a
company's worst nightmare.
So why don't more companiestake properly managing their old
IT equipment more seriously,and what can we do about it?
Welcome to the Circular Futureyour access to thought leaders
and innovations.
To help you be a businesssustainability champion, even if
(00:27):
it's not your core job.
I'm your host.
Stephanie McLarty, head ofSustainability at Quantum
Lifecycle Partners.
Did you notice I saidpreventable data breach?
That's because with a secureand responsible IT asset
disposition program, theseissues can be avoided.
Still, a lot of companiesremain in the dark ages around
(00:51):
their IT equipment, but there isone man trying to change that
in a unique way.
With me is Kyle Marks, founderand CEO of Retire IT.
Over the past 20 years, kylehas managed over 20,000 ITAD
projects with Retire IT.
Kyle also servedAeroelectronics as president of
(01:11):
US Micro and has an MBA fromHarvard Business School, and
he's actually just wrote a bookwhich we'll talk about.
Welcome to the podcast, kyle.
Speaker 1 (01:20):
Well, thanks, steph, I'm glad to be here.
Speaker 2 (01:22):
Well, we're very happy that you're here and I'm
really curious to get into yourbook.
But first a couple of questions.
First, what are three thingsthe world should know about?
Retire IT.
Speaker 1 (01:33):
Well, that's a great question.
And, first and foremost, we'rea consulting firm.
So we're not the traditionalITAD vendor or electronics
recycler everyone thinks about.
So we don't own a truck, ashredder, a warehouse.
If I turned my camera around,you'd see an office full of
people.
We're not the traditional that'sprobably the first thing and
(01:55):
probably one of the most biggestmisconceptions that we manage
the process, how many?
We work with a network ofpartners.
The second thing is we are whatI refer to as a fiduciary, so
we sit squarely on the side ofthe table with our clients and
preach what we refer to asdefensible disposition.
(02:16):
It's always in their bestinterest.
We're siding with them.
And probably the third is thatwe're vendor agnostic.
So, even though we work with anetwork of partners we've worked
with that are vetted undercontract, we also work with we
call it bring your own vendorwhere sometimes clients already
(02:38):
have an established relationshipwith a trusted, certified
vendor.
We're happy to work with them.
Again, it's not who you choose,as much as how it's managed is
what's important.
So those would be the threethings I would emphasize about
us.
Speaker 2 (02:52):
Awesome, thank you, and you've piqued my interest
around defensible disposition.
Did I get?
Speaker 1 (02:59):
that right?
Yes.
Speaker 2 (03:00):
All right, We'll talk about that.
First of all, walk us throughhow you got into this space,
because I know your journey is abit of a unique one and I'm
sure our listeners would love tohear it.
Speaker 1 (03:11):
Well, it will be a little over 20 years.
I got into it with a companySome remember it was called
Retrobox.
It was a fellow who wasn't aclassmate of it, an alumni of
Harvard Business School, hadstarted a computer recycling
firm called Retrobox and it wasbased in Columbus, ohio, where
I'm originally from, and I'd I'dmoved around the country with
(03:32):
other other companies.
I was looking for anentrepreneurial industry or a
person who was in.
An industry that was fragmented, that had a lot of legs.
It was going to be around for awhile.
It was kind of messy and Ifound this guy who had started
this company and it was sort ofground zero.
There were three companies herein Columbus Redemtech, retrobox
(03:54):
and Tech Disposal and theyalmost seemed like they were
kind of the ground zero ofcomputer recycling for business
computer recycling.
I joined him because he wantedto help scaling the company and
selling it within a couple ofyears and I was looking for an
owner operator that I could helpwith that.
That was accomplished prettyquickly and I wanted to stay in
(04:15):
the industry but I didn't wantto stay with the company that
had acquired it.
I wanted to build a companythat I feared competing against
because I saw a lot of problems,mainly that logistics was such
a huge cost and such a big risk.
It didn't make sense shippingcomputer assets around the
country from California back toColumbus, ohio.
(04:37):
So my vision for RetireIT wasto be more like AAA than the tow
truck I don't know if that's aUS, assume your audience is more
US based but for more like FTDthan the florist and build a
network of trusted partners.
It would keep the costs low.
It would have a lowerenvironmental impact.
(04:58):
And I quickly discovered thatthere was a bigger issue, which
was chain of custody.
My clients would have aninventory of equipment and I
would get a correspondinginventory when the equipment was
delivered at my partner's and Istruggled with confirming those
were the right assets.
You could pick up a hundredlaptops.
You'd get a report from therecycler that they got a hundred
(05:18):
laptops but only about threequarters of the serial numbers
would match.
So it was very problematicbecause you didn't know if the
problem was on the client sidewith their inventory or the
recyclers.
Or you know, an 8 could looklike a B or a G could look like
a 6.
And so again, I'd moved aroundthe country enough times that
probably some of my furniturestill had moving tags.
(05:39):
So I thought if that industrycould use tags to solve a
problem, maybe ours could, andso I bought a label printer.
I taught myself how to printbarcodes.
I started sending stickers tomy clients and I'd ask them to
humor me and label the equipmentbefore we scheduled the pickup.
And then I would tell mydownstream partners I wouldn't
pay them unless they scanned mytags in addition to giving the
(06:02):
inventory.
And lo and behold, all of asudden we're tracking virtually
100%.
Then I had to write a lot ofsoftware to account for the two
keys, because now you have a tagID and a serial number and
there's a lot of differentcombinations that can occur.
But it solved a lot of problems.
That's how I got into theindustry, was I thought I saw a
better way of doing it from acost savings perspective, and
(06:24):
then it evolved into being moreabout chain of custody and
governance risk compliance.
Speaker 2 (06:31):
But to this day that's still how we operate has
a huge impact, and you clearlyapplied that entrepreneurial
thinking to this problem.
So you've gone on to write abook, or I should say to release
(06:53):
a book, because it's actuallymore about the images.
It's largely a picture book allaround IT asset disposition, it
asset management it's calledwhen the IT Life Cycle End.
How non-compliant it assetdisposition creates unnecessary
exposure.
So, kyle, why did you writethis book?
Speaker 1 (07:12):
I wrote the book.
It's actually been a a a kindof a lifelong a effort in terms
of my illustrations.
I've always been drawing things, doodling things.
Illustrations help capture theessence of an issue.
It also allows people to lookat something and not take it
(07:34):
personally, kind of find somehumor in it.
I've always been a fan of theFar Side cartoon.
If you remember that and thetitle of the book, you know when
the IT Life Cycle Ends.
I loved the book as a child.
Where the Sidewalk Ends.
You know Shel Silverstein.
I've always, or I've, liked touse illustrations in my
presentations, whether it's at aconference or when it's a
(07:57):
webinar.
And you know, I don't know whosaid it, but somebody actually
said I should put it together ina book and I did.
I didn't tell anybody what Iwas doing, but it was.
It was a lot of fun.
A lot was left on the cuttingroom floor.
The reason, from a timingperspective, I did it now was
because the SEC cybersecurityrules went into effect in
(08:19):
December.
Rules went into effect inDecember, more than a year ago.
They deemed ITAD acybersecurity risk when they
fined Morgan Stanley $35 millionfor a pair of breaches that
they had had a few years before,and there's a lot of
misconceptions I wanted to clearup, and there's also a couple
of best practices that again arevendor agnostic that I believe
(08:40):
every company should be applying.
Itad is one of the mostinteresting business activities
because there's usually not asingle person that's responsible
or accountable for it.
Some people think it fallsunder IT asset management,
others look at it underfacilities or maintenance or
(09:03):
under IT, but there's not achief IT asset disposition
officer in a company, and sooftentimes there's a lot of
siloed activities, and I thoughta book with illustrations could
bring people to the same tableand have conversations about
some of the gaps and how theyfix it.
Speaker 2 (09:21):
Yeah, I found the pictures incredibly helpful.
A couple of my favorites arethere's one where there's a
gentleman standing against awall and there's tons of leaks
coming out, and each of theleaks represent something
different, and he's trying tocover them all.
I thought that was reallypowerful.
Another one that I really likeis towards the end of the book,
(09:44):
where there's a dog sitting at avet and you make the point that
disposal tags are like hidingmedicine in treats.
I thought about our dog andthought that actually makes a
lot of sense.
And, by the way, when we'retalking about ITAD because we
always love acronyms it's ITAsset Disposition and ITAM, IT
(10:08):
Asset Management.
So, Kyle, where do you think weare missing the mark in this
industry?
I mean, you speak in the veryintro of the book.
You speak about the unspeakableproblem in this space.
So where are we missing themark?
Speaker 1 (10:25):
Well, there actually hasn't been any consequences to
speak of, you know, fornoncompliance or for bad you
know activities and that willchange.
You know I'm not sure when youknow it could change tomorrow if
the SEC starts enforcing thingsmore, right.
(10:45):
So there's plenty of rules andregulations on the book or
already on the books, if you addthem up and I didn't do this,
but I've read at the local,state and federal level, there's
over 550 that affect IT assetdisposition, just in the US,
right.
And if you go across the pondand look at Europe with GDPR or
(11:08):
AsiaPAC, there's plenty ofregulations but there's only a
handful.
You can count on one hand howmany times companies have paid
the price for noncompliance.
Exposure has historically beenthe result of disclosure, and
disclosure historically has beenvoluntary.
Nobody willingly or voluntarilyraises their hand and said
(11:30):
they've had a breach.
And the book illustrates howcurrent paradigm is somewhat
rigged to sweep the problemsunder the rug.
Nobody is paid to look forproblems.
Nobody is incentivized to bringthe problems forward.
In fact, it's quite theopposite.
There's perverse incentives forpeople to sweep the problems
under the rug and keep theproblems hidden.
(11:52):
It's one of the reasons why,when the SEC fined Morgan
Stanley, they came out and saidthat it was astonishing the
failures.
What I find astonishing is itis now kind of recently coming
to light because it's an opensecret in our industry about
these problems.
If you talk to others who havebeen in the industry for a while
, there's always missing assets,there's, you know, always
(12:15):
discrepancies.
They're never disclosed andit's completely rational,
totally understandable.
You know, if your people don'tvoluntarily call up the police
and say, hey, I was justspeeding on the way to work,
would you mail me a ticket?
Right, and so yeah, that'sprobably why there hasn't been.
(12:36):
But now that you've seen theMorgan Stanley incidents, you
know the two breaches.
The OCC fined them 60 milliondollars.
There was a class actionlawsuit that followed Actually
many of them.
They were consolidated into oneand then that settled for
another $60 million.
And then two years later theSEC weighed in.
This is all one relating to onecompany's problems and then
(12:59):
recently, last November, fivestates settled for another $6.5
million.
So it's sort of the breach thatwon't go away.
Speaker 2 (13:07):
And ultimately, the core of the issue is that the
companies did not manage theirold IT equipment.
So, basically, it equipment gotout there, data got leaked.
Is that the source of thebreach?
For those of us who aren't asfamiliar For?
Speaker 1 (13:26):
Morgan Stanley, there were two breaches and it's very
important you actually keepthem separate.
One might ask why did MorganStanley disclose them both at
the same time?
And your guess would be as goodas mine.
One was inevitable.
It came out because some assetswere not properly processed.
They didn't hire a qualifiedvendor.
(13:46):
However, the assets passedthrough qualified vendors' hands
, but ultimately they wereresold and data was accessible.
The person who bought theequipment reported it, so that
breach was coming out.
The second breach, which forour industry is a lot more
problematic, was really more ofa he said, she said.
Initially, morgan Stanleyreported that during the wind
(14:10):
down of Aero, aero Electronicshad become probably the biggest
vendor in our industry.
They abruptly, in July of 2019,announced they were exiting the
industry, basically gave almostno reason.
A year later it was disclosed.
That's when the breach occurred.
Morgan Stanley said they didwhat was called a records
(14:34):
reconciliation exercise anddiscovered that some assets they
thought had been sent to ArrowArrow didn't have a record of
and then they disclosed that asthe second breach.
It turned out it was a total of42 servers out of several
hundred couldn't be accountedfor by serial number.
Anybody who's been in thisindustry knows those assets may
not have actually been lost.
(14:54):
They could have been lost inthe building.
So if two technicians areworking at Quantum Kyle and
Stephanie and we have twodifferent client deliveries at
the same time, I'm working onone pallet, I put something down
on the floor, you bump into it,you pick it up thinking it was
off on your pallet.
That asset's not lost, it'slost in the building.
It's lost from reporting.
(15:14):
That could have explained a lotof the problems.
It's one of the things when Italk in the book about three
safeguards, one of them beingequipment verification holds.
You know where you actuallyreceive the equipment, report on
it and hold it until youconfirm chain of custody.
That in and of itself couldhave solved, you know, a lot of
problems for Morgan Stanleybecause the assets may not have
(15:35):
been lost.
If you're trying to reconcileinventories a year later and
those assets are long gone, thenyou know repurposed and resold
or recycled.
There's no way of correcting aninventory.
Speaker 2 (15:46):
So it sounds like, in terms of the risks for
companies, there is significantbusiness risk, financial risk,
brand risk and now and what Ilearned from the book even
personal risk, because, underthe new SEC ruling, executives
can be held responsible for this, which I think that's great, so
(16:09):
okay.
So you talked about safeguards,so walk us through these
safeguards the best IT assetdisposition managing companies
actually do.
What can companies do toprevent this?
Speaker 1 (16:22):
Well, they have to recognize the conflict of
interest, and every single datasecurity regulation has an
element of segregation of duties, and so you need to separate
duties so you don't have the foxwatching the hen house.
And with respect to IT assetdisposition, if you're
responsible for managing thelifecycle of the assets, you
(16:43):
shouldn't also be responsiblefor the retirement process?
So a company either has to hirea third party to manage the
process or have a separateperson in the organization
manage the disposition.
The teachers shouldn't begiving the answers to the
student and having them grade itthemselves, right.
Speaker 2 (17:00):
Right or in the accounting industry, it's the
same thing Like.
Whoever receives the check-inshould not be the one recording
it in the books and depositingit in the bank, and all of that
100% Generally acceptedaccounting principles.
Speaker 1 (17:14):
You know accounting 101, you know you need to have
that segregation of duties andyou know, if you think about
ITAD as reverse procurement, youwouldn't have somebody, you
know cutting the PO and thecheck, you know, and doing all
everything at once.
So segregation of duties is anabsolute, certainly a must have.
(17:36):
We also talk about I mentionedequipment verification holds.
You know you would not jump outof an airplane without a backup
parachute.
I don't care how many times youdo it and your primary issue
has never failed you don't wantto be caught.
And with the equipmentverification hold you have
hourly employees receivingequipment and they're being
(17:58):
compensated for receiving themquickly.
You know they're scanninganything that's available, you
know, or they're keying it in.
And so there are going to beinventory capture problems.
Right, being able to go backand get a second look at an
asset capture, the correctinventory identifier will.
You know, 99% of inventorydiscrepancies can be cleared up
(18:21):
if you get a second look at it.
And then the third piece is wepreach disposal tags.
You know 99% of inventorydiscrepancies can be cleared up
if you get a second look at it.
And then the third piece is wepreach disposal tags and
minimally a separate identifier.
You know, maybe you have assettags on your equipment already.
They don't work as well asdisposal tags.
But if you rely solely onserial numbers, you're just not
going to be able to close thegap.
(18:41):
You're going to have too manydiscrepancies and unaccounted
for items.
Disposal tags will account for99% of assets.
They also serve a reallyimportant function because it
helps identify what needs to betracked.
When the clients are labelingthe equipment.
They're saying this isimportant.
(19:01):
We need you to capture aninventory and there are certain
devices that aren't necessarilyalways captured.
It could be, you know, asmartphone or this IP phone I
have next to me.
Is that an asset or is that acommodity that's just going to
be recycled?
Some assets, like smartphones,don't have a readable serial
number right.
So you know, putting a barcode,you know it makes it very easy
(19:25):
to prove chain of custody.
Disposal tags also deter theftright, because if Stephanie is
getting ready for a disposalproject to take off and she has
a room full of equipment, ifsomebody opens the door and sees
that all the equipment has neoncolored barcodes, they're a lot
less likely to take it.
When the driver shows up topick up the equipment,
especially if it's anenvironment where there's some
(19:46):
assets that go and some thatdon't, you can give instructions
and say only take the assetswith tags and you get an
accurate count.
It deters theft in transit andcertainly when the equipment's
received at a facility, italerts that facility that this
equipment needs to be accountedfor and is going to be.
You know the inventory is goingto be reviewed and so I believe
(20:09):
it takes a.
It puts them on a heightenedsense of awareness in terms of
capturing inventory out of thefirst time.
Speaker 2 (20:15):
And to you know, going back to your book and the
visual aspect, the visualmarkers for our listeners.
Kyle held up the disposal tags.
They are bright, yellow, bigbarcode.
You can't miss them.
So, yeah, I could understandwhy that would be effective.
It's just another visual cuefor a number of reasons.
Kyle, before we get into ourhow-to section, I want to ask
(20:37):
you one more question, and thatis where you think this space is
going.
If I were to give you aproverbial crystal ball we
talked about this back in thevery first episode of this
podcast, Gary Diamond where doyou think the space is going?
I'm going to ask you whattrends do you think will define
the future of ITAD?
Speaker 1 (20:58):
I think there is going to be the mother of all
disclosures will happen.
It will relate to ITAD and Ithink everybody who is a
listener should be aware.
You know this.
The Morgan Stanley case theclass action settled.
Because that's what happenstypically with class actions
(21:19):
when the settlement is offered,what happens typically with
class actions when thesettlement is offered.
Now that attorneys understandthat this information is readily
discoverable just comparingprocurement records to
disposition records, to currentinventory you're going to find
gaps.
No company can credibly claimto have protected the data on
assets that they don't know thewhereabouts.
(21:40):
So this industry is a plaintifflawyer's dream come true.
There are plaintiff law firmswaiting for the next.
You know breach disclosure.
But even more interesting isyou know the SEC motivates
whistleblowers with hugecompensation.
They pay up to 30% of thepenalty.
(22:02):
In the case of Morgan Stanleyand I'm not saying we will never
know if there was awhistleblower involved, but that
was a $35 million penalty Athird of $35 million is a really
nice it's a lot of money.
That's a lot of money.
And now anybody that has insideinformation in terms of
noncompliance it could be adisgruntled employee, it could
(22:25):
be a contractor, it could be avendor.
A disgruntled vendor could tipoff a regulator and bring down a
regulatory inquiry.
And, as I said, thisinformation's easily
discoverable right.
And you combine that with thefact that the SEC also does not
allow for plausible deniability.
(22:46):
It's an executive's job, youknow, to have controls in place,
not rely on somebody's.
You know good intentions butactually have mechanisms to
alert you to non-compliance.
And so when I say it's going tobe the mother of all
disclosures, I don't think it'sgoing to settle very quickly.
I think you know time there's abreach, they're going to go the
(23:15):
plaintiffs will go for, youknow, for the jugular.
They won't stop at a simplesettlement.
The other thing that I'm goingto make the prediction that's
going to happen is thatgatekeepers are going to be
implicated in this.
Gatekeepers are also consideredfiduciaries or accounting firms
.
Every single public company hasfirms that test controls not
(23:39):
just financial controls but alsocybersecurity controls.
That is going to become veryproblematic, because if they've
been given a clean bill ofhealth or haven't been testing
those controls, then they'regoing to have a lot of
explaining to do.
And I might be revealing my age, but I'm old enough to remember
when Enron left a $55 billionhole in the economy.
(24:02):
It also resulted in ArthurAnderson going away.
Because they were complicit inthe problems, right.
I would encourage thefiduciaries, the gatekeepers and
the SEC has made it abundantlyclear that they rely on
gatekeepers to surface problemsright.
So I would expect that theseaccounting firms that are also
(24:25):
testing the controls to startauditing this function.
Speaker 2 (24:29):
Okay, let's move into our rapid fire how-to section,
where I ask you how-to questionsand you can answer it short or
long, all depending on what youfeel the answer is.
My first one is now that you'vewalked us through all the
potential risks out there, andfor some companies, they may be
(24:49):
fairly new at this, or evenstarting from scratch.
So, kyle, how to set up aneffective ITAD program from the
beginning or from scratch?
Speaker 1 (25:01):
ITAD is the last phase of IT asset management.
So that's sort of a difficultquestion to answer unless you
actually put in place some basicIT asset management.
I call ITAD the final checkout.
So IT asset management and I'mfocusing on hardware asset
management because there's alsosoftware asset management
(25:24):
Hardware asset management,software asset management they
might run in the same park, butthe paths rarely cross.
I focus on hardware assetmanagement and if you don't have
an inventory, a good inventoryof what you've acquired, if you
haven't managed the lifecyclethroughout, then you're going to
(25:44):
have a challenge of accountingfor everything at the end.
And this I believe it'srelatively easy to close the gap
at the end of life with tags,with holds, with segregation of
duties, but there might be someassets you have not explained
and it is not appropriate toretire missing asset without an
explanation.
(26:04):
That's, and so you do needfundamental, you know best
practices with IT assetmanagement.
They need to have the resourcesto do their job and the mandate
from executives, assumingthat's in place.
When it comes to IT assetdisposition, you certainly have
to work with a qualified vendor,and by that I mean somebody
that's minimally R2 or e-stewardcertified.
(26:27):
But that's a starting point,right, that is, you have to.
I believe you should.
I talked about defensibledisposition.
It's really a strategy.
Tags are certainly an element.
I believe you should put a tagon as early in the positioning
process as possible.
So when the equipment comes outof the rack or off the desktop,
you're tagging it andinventorying it and the tag
(26:48):
actually sort of protects it,because employee theft is a
really huge issue.
If somebody walks out the doorbefore the vendor ever shows up,
no vendor can protect an assetit doesn't receive.
And so, having the assetssecured, I do believe it's also
important to secure or destroydata before a move.
It's not always possible, it'snot always practical, but if
(27:09):
there is sufficient data interms of quantity or the type of
data that it would result in abreach if it were lost, then I
definitely think it's aworthwhile investment to secure,
to destroy the data before amove.
You either can do it yourselfor hire a vendor to do it.
But assets, you know datashouldn't travel, and I, years
ago, read an article what hasmore value an armored bank truck
(27:32):
or a van delivering your usedcomputers to the recycler?
You know it's.
If you think about it, you knowan armored truck might only
have a couple hundred thousanddollars of cash, whereas if you
lose a single hard drive, itcould result in a seven-figure
problem overnight.
And I'm not advocating thatevery disposal project be done
(27:54):
with brinks, trucks and armedguards.
I'm advocating securing anddestroying the data before a
move.
Speaker 2 (28:00):
And thinking ahead too, is what I get from that,
like thinking ahead of what arethe what-if scenarios of this
particular batch of equipment.
You know, if a unit got out, ifthe data got out, what's the
what-if scenario, and to protectyourself against that, we do a
tabletop exercise with clients.
Speaker 1 (28:18):
Most clients have a handful of scenarios they think
about.
You know if something's foundin the wrong place or found with
clients.
Most clients have a handful ofscenarios they think about.
You know if something's foundin the wrong place or found with
data, I have actually over 140scenarios that can happen.
Some are benign and not veryconsequential.
Others are much more severe andif you walk through these
scenarios, most are preventable,right.
And so putting those safeguardsin place in advance, will you
(28:43):
know, an ounce of prevention isworth millions of cure, right?
So absolutely Simple, thingslike not sharing serial numbers
with your disposal vendor.
I already use the example ofteachers shouldn't give answers
to a student and expect them tograde their their own tests.
So there are certain you ask mefor a step by step by step.
(29:03):
There's actually over 122 stepsin our process that we do that
a client never sees if we do itright.
Speaker 2 (29:10):
Did you say 122?
Speaker 1 (29:12):
Correct, wow.
Speaker 2 (29:13):
Yes.
Speaker 1 (29:14):
You know it's also comes down to the commercial
aspect of it, right, you knowthe financials.
You know how often do you auditbills or how often do you
reconcile the or look at fairmarket values.
You know we were looking atevery aspect of it.
We do what a company should andcould do for themselves if they
had the wherewithal and thetime and the resources to do it.
Speaker 2 (29:35):
Kyle, you are a wealth of knowledge and you've
clearly had so much experience.
As we wrap up this conversation, what would you say would be
one piece of advice that youwould leave companies with IT
managers, it leaders, evenbeyond.
What's one piece of adviceyou'd leave them with?
Speaker 1 (29:56):
Well, I recognize that this podcast is about
circularity.
It's not just about datasecurity.
However, the one piece ofadvice is you need to follow the
money, and the money is incybersecurity, and I think that,
from an environmentalperspective, we're certainly a
big proponent of ESG, but weshould be using the G to
(30:20):
accomplish the E and the S, andwe should leverage the
cybersecurity aspect of ITAD toget the resources to do what
will ultimately benefit from acircularity and a sustainability
perspective.
The money is in cybersecurity,the resources are not in ESG,
(30:45):
and it is a positive externality, right?
So let's go to where thebudgets are.
You know ITAT is cybersecurity.
We need the resources.
You know we need the money, weneed, you know, the attention
from senior management to manageit properly, and that's going
to benefit us from asustainability and environmental
(31:06):
perspective.
Right, we can accomplish twobirds, kill two birds with one
stone.
Let's just use the budgets fromcybersecurity to accomplish it.
Speaker 2 (31:16):
I think that's very wise advice.
Follow the money, usecybersecurity to accomplish the
rest of the E and the S from theG.
And you know, I would say aswell, my piece of advice would
be to grab Kyle's book We'll puta link to it in the show notes
because it is a quick andpowerful read.
(31:37):
There's people on your team orin your organization that you
really want to get on boardregarding ITAM or ITAD.
This is a great thing to givethem to flip through, because
it's very powerful, and thankyou, kyle.
You've been a very powerfulspeaker as well, so we
appreciate you sharing yourwisdom here.
Speaker 1 (31:55):
Thank you for the invite.
I love the podcast and I'veenjoyed going through and
listening to the 20, some otherones and it's fantastic.
So I hope this gets the wordout and accomplishes what you're
trying to do.
Speaker 2 (32:08):
Yeah, thank you.
And remember, if you're lookingfor a partner in ITAD and
e-waste recycling, we'd love tochat.
Head on over toquantumlifecyclecom and contact
us.
This is a Quantum Lifecyclepodcast and the producer is
Sanjay Trivedi.
Thank you for being a CircularFuture Champion in your company
and beyond.
(32:29):
Logging off.
Popular Podcasts
Are You A Charlotte?
In 1997, actress Kristin Davis’ life was forever changed when she took on the role of Charlotte York in Sex and the City. As we watched Carrie, Samantha, Miranda and Charlotte navigate relationships in NYC, the show helped push once unacceptable conversation topics out of the shadows and altered the narrative around women and sex. We all saw ourselves in them as they searched for fulfillment in life, sex and friendships. Now, Kristin Davis wants to connect with you, the fans, and share untold stories and all the behind the scenes. Together, with Kristin and special guests, what will begin with Sex and the City will evolve into talks about themes that are still so relevant today. "Are you a Charlotte?" is much more than just rewatching this beloved show, it brings the past and the present together as we talk with heart, humor and of course some optimism.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.