Steve Rivera, CRO @ Logically
Aaron Zeper, CEO @ DMD Systems Recovery
November 13, 2023 | 32 mins
Ensuring data privacy and confidentiality is no small order, but the most overlooked part of that? Proper data and asset management and destruction. In this episode, Steve and CEO of DMD Systems Recovery, Aaron Zeper, dive into the three main areas of critical asset management: physical, data, and virtual.
Key Takeaways from the Episode
- Uncover the unglamorous side of IT – asset disposal
- Understand why virtual assets are just as useful as physical devices in the hands of attackers
- Consider environmental factors at play in your management strategy
- Know the chain of responsibility when it comes to your assets and data
Asset & Data Management in “The Disposable Era” with Aaron Zeper at DMD Systems Recovery – Episode Transcript
Welcome to Logically Speaking, where we discuss the latest trends and challenges in cybersecurity with top experts in the field. Today, you’re going to learn how to keep your data safe, how to keep your operations sound, and your business ready for whatever comes next.
STEVE RIVERA
Today we have the pleasure of speaking with Aaron Zeper. He’s the CEO of DMD Systems Recovery, which is an IT asset disposition company. They provide solutions that adhere to some of the industry’s most rigorous environmental and security standards.
Aaron was recently recognized as Momentum’s 100th CEO in 2023, which honors CEOs who often champion new visions of capitalism and is measured by a force of good ranking. So congratulations for that, Aaron. And prior to his position at DMD, he was an executive leader in IT industries for over 20 years with companies such as IBM, Insight, TechData, where he led sales, marketing, operations.
Aaron, thank you very much for taking some time to join us. I was hoping that you’d be able to share with our listeners about your experience and how you got into this IT space, because I think most of our listeners find it very interesting to find people’s journeys into this world of IT. So if you wouldn’t mind starting there, that’d be great.
AARON ZEPER
Absolutely. So it started over 20 years ago, which seems like a hard thing to say sometimes. But before that, I was waiting tables, bartending. And I actually took an inside sales job at a large bar, basically, and found that I liked sales, found that it was interesting. I was learning something new around IT sales, technology, learning about PCs, servers, laptops. And that just spawned a career that led me to be pretty successful at sales, and then it led to sales management, and it led to leading sales groups. I got into product management, got into operations, and switched out a few times from product into software, then into services, and things that I kind of learned along the way. And then I moved into a SaaS company. But one of the things a lot of my mentors always said was, keep going to where the margin is. And so you look at the margin in product, and it was small. Then it was like, well, so you want to be in software, better margin. So we sold software. And it’s like, no, no, you want to be in services. And then a funny anecdote was, as I was looking to leave and go to a small data center services company, one of my mentors took me aside. He goes, now, what you really want to do is open a bar. He goes, once you because he’s like the problem with our industry is everything you learn within five years, it’s completely outdated. So you have to replace the entire body of knowledge. Once you know how to make a martini, you know how to make a martini forever. I was like, wait a second, I got out of that just to go do something more interesting.
STEVE RIVERA
That’s really great advice. I never thought of it that way. But that’s really great advice. It’s funny when you said bar, I thought you said VAR. And then I heard martini, and I thought, he’s got it right. You know, you could always perfect a martini. So I’d also like to get your perspective on how the tech landscape has been evolving. Right. You’ve been in it for 20 years. Maybe share a little bit about how you’ve seen that evolution and how you might see the evolution of it coming. You know, if you had a crystal ball, what that would look like in the years to come.
AARON ZEPER
Yeah, that’s an interesting question. There’s so many perspectives. I think you can take that from one of the ones that I rely on a lot, which is I think of it really a lot as a pendulum. So as I think of how I look at the industry and the pendulum being from centralized to decentralized, and you can apply that same pendulum into different aspects of the IT landscape. So when I was first getting into the industry, it was the PC on every desktop. So before that, there was a lot of centralized mainframes, thin clients. And so everything was locked down. Then they put PCs everywhere and it’s great. You can have a CD-ROM, you can download music, you can download your MP3s, you can burn them. Then all of a sudden, corporate America is like, we got to shut that down.
There’s all these security risks, there’s problems with what our employees are doing. So basically, they took a PC that has all this functionality, locked it back down to make it more like a thin client. And then, you know, then it’s like, well, wait a second, we got to distribute what people work on. And so as the things that we’ve gone into, so I got into the data center services group and we were worried, oh, the cloud is going to destroy this business. Everything is going to move to the cloud. And I mean, I’ve been, cloud conversations have been going on since probably 2007 and in a large way that I’ve been dealing with. And every year it’s like, oh, we’re going to move all the applications. And every time I look at the things that are on it, we still hardly have any applications in the cloud as a thing. And so, and then we see, you know, even like exchange moved all into the cloud or your Outlook, whatever you want to call it, your mail client. And then, well, for backup recovery purposes and continuity purposes, it’s really cheap to put an on-premise backup online. So in case you’re ever down. And so I see a lot of companies adopt that. It’s like, wait a second. I thought we offloaded all this to be centralized and now we’re decentralizing it. And so, you know, at the end of the day, to me, it’s there’s always change. And no matter what in technology, there’s going to be a new or better way. And that new change brings new sets of services, new offerings, new challenges. And we just keep going back and forth along those pendulums.
STEVE RIVERA
Yeah, that’s a great way to look at it. Yeah, you mentioned cloud migrations. I’m interested to have you seen certain industries be faster to adopt cloud migrations?
AARON ZEPER
So, I mean, I think it’s like anything. And just in my course of the last five to ten years, probably what I’ve seen is, you know, the older the company is, the larger the company is, the less likely they are to be able to move everything to the cloud. So you end up with companies that are, quote, unquote, born in the cloud. So if you’re a startup, people aren’t dying or clamoring to create their own infrastructure. And then when they get to scale, they might look at moving off that. And then the flip side of it, large companies, they have this infrastructure, they have applications, custom built, homegrown, whatever you want to say, that are critical to their business. And it’s so difficult to move them into the cloud that, you know, you’re going to end up with a hybrid. I think you’re going to end up with a hybrid mode in almost both cases as companies get to mass. So, yeah.
STEVE RIVERA
You know, I wanted to talk a little bit about because a lot of a big portion of your business is disposition of IT assets. And I read a study recently that stated that 69 percent of organizations report falling victim to at least an exploit that originated from an asset that either was disposed and the data was exfiltrated or didn’t dispose of it properly. Can you talk a little bit about how, just for our listeners, how to dispose of assets in an appropriate manner and the steps to take? Because I don’t think that that’s something that most people consider in the entire lifecycle of, you know, a hardware asset.
AARON ZEPER
We could probably spend the next two hours on this topic because appropriate means a lot of things. And I think you hit it on the head: this isn’t the sexiest part of IT, you know, as we work with customers and we work with primarily Fortune 5000 or what we call Cloud 500 customers. Nobody is dying to talk about how to get rid of the assets. And let’s spend all of our time on that. It’s about, hey, here’s what’s coming in. Here’s the new thing we’re going to go work on. Here’s how we’re transforming or, you know, changing things. And so this is really often less talked about for sure. And it’s not given a lot of thought. When we think about appropriate, appropriate means a lot of things to a lot of companies. And we can dissect this in the three ways we talk about it. So we think about it in three areas. One, you have the physical asset. So no matter what, there is a physical asset that needs to be dispositioned, whether that’s a laptop, it’s a server, whatever it is, it’s physical, it’s tangible, it touches. So we can talk about that. And we usually talk about environmental appropriateness on that, because really it’s the physical components that make that up.
The second aspect would be the data on the asset and the data on the asset isn’t the same as the physical asset. It can be in some cases, but in other cases you have to think about it because it’s abstracted as ones and zeros. It’s not the physical, hey, I’ve disposed of this mobile phone. It’s gone. It’s not in my environment. Well, your data is still there. And so if you’re not segmenting that as a corporate customer, then you’re probably making some mistakes in the way you set up your disposition program.
And then the third level is what we call the virtual asset, which is the embodiment of that asset, but really as the theory of the asset, which is what corporations typically keep track of. So they have this asset, its number, whether it’s a serialized asset tag, whether it’s the make model number on it, who it’s assigned to, et cetera. It sits in either an ITSM or some similar system. And it’s a lot of companies say, well, we’ve dispositioned it out of there. We’re good. And so you’ve got to think about it at all three levels. And then we think about, so again, each of those three levels has its own aspect of it. So the virtual asset is really just the accounting of it.
And so one, as a corporate entity, you should keep track of where that asset is, where you think it is, the embodiment of it, because that’s how you keep track of it. Doesn’t mean that it’s not sitting in a closet, but it’s either in your environment, it’s not in your environment. And in reality, you want that virtual asset to match what the physical asset and the data of the asset is. So all three of those should be in congruence. And so to us, that’s where you put in the layer of governance. And so, you know, ultimately, you have the set of governance, that’s all three aspects. So when we talk about appropriateness of it, so you must have a process for dispositioning the asset in your own ITSM, the virtual asset. And a lot of times that’s accounted for financially.
The next piece is the physical asset. Where did it go? Do you know where it is? Do you have a physical record that you can then import back into that virtual asset that demonstrates who’s taken it, where it’s gone, when it was gone, etc. So we think of that a lot as chain of custody. So when somebody is to come pick up that asset or you are to take it to its next place, how do you have a record of that? Did you match and marry that record back up then to the virtual asset? And in theory, as a company, you’re going to want to make sure that what you did with the physical aspect, as we talk about appropriateness, matches whatever environmental compliance you’re subject to. So fortunately or unfortunately, unfortunately, like in my view for the world and even for our businesses, there is not a federal law around disposition of electronic assets.
So in my home state of Arizona, you want to throw it in the dump, you can throw it in the dump. It’s not against the law. Is it the right thing for the environment? Probably not. Is it against the law in California? Absolutely. So you can see that there’s no federal law. About half the states have laws. So as a company, do you have governance? Knowing where that asset was, what state law you’re bound to and then marrying that back up now to your virtual asset for a record of it should anything happen in the future.
And then the third part and the part that we see the most risk and the most issues with is the data on the asset, because people think, OK, I know it’s not in my system anymore or it’s not in my building anymore. I’m done with it. Well, you can’t see the data, but that data sits on the asset. And just like you should have a record of the physical custody of the asset, you should have a record of the data on the asset. And so we talk about certificates of destruction and we provide those for our customers, which show when the data was eradicated. And that could be via software or it could be physical destruction. Where that was, when it was, if there’s a wipe log to it, you can upload the wipe log file. You can see what software was used, wasn’t used, when it was, what technician did that, when they did it, all those kind of things. And again, that should be married back up to your virtual asset.
One of the things that we see that’s probably the most concerning to me is that many companies think they can indemnify themselves of the data on the asset. And this is probably like one of the strangest things, or probably the area that I see that we talk about appropriateness that companies miss. And as a company, if you create the data, you’re, and again, you’re bound by certain legislation. So I’ll throw a few of them out there. It’s Sarbanes-Oxley. So if you’re a publicly traded company, you’re going to be bound by that. HIPAA, Fair Credit Reporting Act. People are like, OK, well, that doesn’t, we’re not a financial institution. Do you pull a credit report on your employees as part of their onboard prior to hire? Yes. OK, that data is subject to that law. And if you can’t segment where that data is stored, then it’s probably better for you to assume that your entire company, all your data, all your servers, etc. are bound by that same aspect. But what those laws all say is that you as the data creator and the owner of it are basically responsible until the destruction of that data. So even if the asset’s been sold, people are like, oh, I sold the asset, I got rid of it. I’m not on the hook anymore. Someone else is. That’s not, you can’t indemnify yourself for a legal liability.
STEVE RIVERA
Yeah, I mean, I was just thinking about the last comment you made about data. I think from my experience, oftentimes the challenge is, no, it’s like the hot potato. No one wants to actually be the owner of the data, even within business units. They’re going, well, that, you know, I.T. doesn’t own the data. The business line owns the data. And I didn’t create that data. I’m just responsible for the systems that it resides on. And it’s kind of like this hot potato. And I appreciate the way you laid it out because that’s so important, especially with that.
That’s kind of like my next question about ensuring compliance, because more and more regulatory is focused on patient privacy, focused on breach notifications and things of that nature. So in this kind of asset lifecycle, how can some of our listeners kind of understand how to ensure compliance? It seems like compliance is all over the place. You know, could you offer some guidance on how to ensure compliance?
AARON ZEPER
Yeah, so there’s lots of ways to think about it. And it’s a tough one. What I would advocate for most companies is if they even remotely think there’s some sort of legislation that they need to adhere to for data compliance, my recommendation would be a handful of things. But first off, no matter what, just assume all of your data is bound to that and take steps to be compliant to that across all your data. If you do nothing else, assume that across your whole enterprise, whether that’s your ability, your data center, your end user compute, everything, and have a governed solution of here’s how we’re going to eliminate our data and this is our process so that it doesn’t matter who’s debating whether they own the infrastructure or not. Who owns the data as an oversight, whether it’s your CISO, whether it’s your infrastructure team, however you have it, however you have a design, make that mandatory. And then, you know, if you looked at most of it, a lot of it even boils down to, if you want to look at federal legislation, you could just make the assumption that as long as you’re using a vetted third party, they’re adhering to best practices, that you’ve done reference checks, that you’ve, you know, investigated and done due diligence to some sort of vetting process. And again, you could probably download RFP templates online. I’m happy to talk to anybody if they wanted to go through some of the ways and we even have like a one page worksheet and we take customers through like, hey, no matter what, like just do these things and you’re covered. Like you have at least, if you’re not doing this, you shouldn’t sleep at night. As long as you’re doing this, you can at least fall asleep. And then there’s like various levels you can take it to, but you should make sure they’re certified.
So look at things like, so there’s different certifications in Europe. ADISA is a big one from a security perspective, and domestically NAID, the National Association of Information Destruction. So making sure they’re a member, making sure that they’re AAA certified. And then there’s different certifications for what we call on site or off site. So again, it’s like you’re looking to ramp up your program, like if you’re saying, you know, what’s the best way? That’s different than what’s the minimum. And as an example, I think Morgan Stanley, and this one was pretty publicly available, was fined millions and millions and tens of millions of dollars for not taking these steps. And they made the assumption that they hire somebody who’s an IT asset disposition. They didn’t do any reference checks, any vetting. They subcontracted it out, subcontracted it out to a moving company. The data shows up three years later that none of these devices were actually, the data wasn’t eradicated. And Morgan Stanley is on the hook for it. And they’re like, wait a second. This company bought these assets off me. Here’s the bill of sale. But like, well, your data doesn’t matter. And so, I mean, you go through example after example, and people, I think, think that because somebody else took it, it’s not my problem. And we see it a lot. One of the ones I saw was most intriguing to me was companies had leased assets. They were photocopiers. A lot of people don’t know that photocopiers have hard drives in them and store data. They were scanning patient data in there. The leasing company took them back and they were like, well, we made the assumption that the leasing company takes care of that because we didn’t own the asset. We’ve never owned the asset. The leasing company just gets rid of them. How are they? Hey, we have a mechanism to get rid of these things. That data comes back out and they went and hit everybody along the chain – so.
STEVE RIVERA
That’s intense. Well, I know that you were recently awarded, you know, Momentum 100 CEO this past year, part of just being a CEO that is a force of good. So my question revolves around, if our listeners are interested in the environmental aspects of disposition, ensuring that they look at the recycling and the reuse of these devices so that they don’t have an environmental impact. Can you comment on that? How you handle that and how you look at that?
AARON ZEPER
Yeah, no, absolutely. And so, again, most of the things we talk about are really on those three levels of the physical, the virtual and the data. So on the physical side, you want to make sure that any company you deal with from an environmental standpoint is certified, either R2V3, which is responsible recycling. And it adheres to everything they do. They can’t just kind of pick and choose that. Oh, look, this part was certified. This part wasn’t. So that’s one certification. The other one’s e-Stewards. And both of them have very well vetted out processes that take everything from the original asset all the way to, and it applies all the way to, the components in their rawest form. So as an example, if you wanted to, you can go back and take any of those certified companies and see where the circuit board ends up and who’s smelting the metal out of it. And so it’s to ensure that there’s not these leaks out of the side where I dealt with the certified company, but yet these things ended up in a landfill in Africa. So those would be the starting point. And then the most important thing, I think, that’s different that I would advocate, and a lot of companies don’t adhere to this or don’t believe in it, but they get really wrapped around this recycle aspect and saying, OK, well, we’re going to ensure everything is recycled. And that’s great. But what we really want to focus on and what we really need to drive as a country, as individuals, as organizations and as a world is around reuse. And so what is the next best use of that device? What’s its next most useful lifecycle and driving the asset towards that? So what good is it to take a, and some of the OEMs is where I have a lot of angst with them, is the mandate shred. So they’ll take out a network device. And if it’s not on SmartNet, it’s not supported. Then I’m going to take it. I’m going to force it and put it back in. We’re going to lease it to you.
We’re going to take it and we’re going to shred them all and we’re going to recycle all the metal. But what is the embedded energy cost? What could that thing be better used for? Could it still work for another three years? Could it be, you know, and again, it doesn’t help with product sales. And I understand that it doesn’t help with some of the other aspects, but more and more we need to make things available to move into their next most useful life, not lock out the firmware, make things more replaceable. So, again, we’re really supportive of a lot of the things out there, right to repair, some of the other legislation that makes it easier for I.T. assets to be reused in another life cycle.
STEVE RIVERA
Yeah, yeah. No, thank you. That’s really, that’s a great comment. I wanted to shift gears a little bit and talk a little bit about any experiences you might have with medical devices and or kind of the Internet of things, because the IoT seems to be something that is beginning to push out larger and larger numbers of devices that in my humble estimation seem to have shorter life cycles. You know, when it comes to Wi-Fi access points or when it comes to these devices that are in these health care organizations. So can you talk a little bit about that, whether it’s the Internet of medical things or IoT specific? Is this something that you’re seeing, and any comments that you can make around those?
AARON ZEPER
Yeah, so it’s – that’s a tough one. We are seeing more Internet of things. We’re seeing that proliferation of devices. And, you know, again, the tough part with those is one is there’s not usually, and it’s hard to find, a useful life for those afterwards. Two is that they all have little batteries in them, which make them very difficult to recycle. And so it’s like a burgeoning problem that hasn’t quite reared its ugly head yet. But that I think is going to be, and we talk about it, we see some of those devices. It’s really hard to decide what to do, how to do, and then really get back to the other question of what data is on those things. So we also see, and I won’t use an Internet of things example, but a lot of routers, switches, things that don’t have moving parts, really. You know, people, their network passwords are loaded in there and there’s levels. There’s like three different levels of data on a network switch, as an example.
And getting rid of all of those is complicated and expensive. And I think that you’re going to see more problems with like the Internet of things because those passwords are embedded on there. It’s a very low cost item. And so they’re probably, again, this is, I’m not, it’s out of my wheelhouse a little bit. But the security level of what people are paying attention to and how they’re managing those, I think is much less than what they consider their critical infrastructure that has to pass different kind of security protocols in most companies.
STEVE RIVERA
You know, you mentioned earlier, just as you were talking, I thought about it, you know, asset management. And I think one of your points was know where all of your assets are. Do you ever come across scenarios where customers struggle with that? And why would that be the case? I mean, you know, you think about it in a sense, I think about it in a sense of my home and protecting my home. And there are certain things in my home that I find to be irreplaceable. Right. My critical assets, and most of those are a little intangible. Like pictures of lost loved ones and things like that. Organizations themselves have that same kind of criticality of asset. It can be intellectual property. It can be, it always is, in some form of data. But do you find that from a physical asset, organizations struggle with that? And why would, you know, if you could share your opinion on why you think folks have that difficulty with asset management?
AARON ZEPER
It’s almost every company has that problem. I mean, it is, I mean, I’ll speak for myself. I just, even, this is my business. And usually people come and visit me. They usually bring me a couple of hard drives, an old cell phone, an old mobile phone, and they usually drop them off. Right. And so I know that I just came across our own drawer the other day. But where did this Nokia phone come from? And I’m sure it has pictures on it of my daughter when she was born, you know, 12 years ago.
STEVE RIVERA
All right. Since you mentioned it, Aaron, I’m going to bring this one when I come to visit you.
AARON ZEPER
OK, perfect. We all have it, right. And, you know, like, did you keep track of it? It was, you know, it’s probably expensive when you bought it. And it never, it’s probably the hardest thing. I mean, you have employees that bought stuff on a credit card and they put it in the drawer, and then, or something wasn’t accounted for. I mean, we run a box program for a large software development company. And when their employees are terminated or quit, for any work from home employees, we send a box to collect their assets. And they’re also supposed to throw in their badge or credit card, a couple of things. I would tell you, probably, I don’t know, it happens every week, but we get personal assets in there as well. People just throw in other things. They don’t even know. Like, is this the company’s asset or not? I mean, we end up with a laptop, a MacBook, and be like, hey, this one’s not on the list. And then the company goes back and forth and tries to figure it out. I mean, it is, it’s all those things that people buy, take out, or they don’t account for. I mean, it’s hard, and we attend to the asset management item. There’s a certification and an association around it, the International Association of I.T. Asset Management.
We have a number of individuals on our team that are certified and we help companies go through that. And like any time you think it should be easier, there should be a process. There’s always an exception to it. And when you get into companies with 10,000 employees, you start multiplying the exceptions. And it’s, you know, they acquire companies. They don’t know what the, you know, we have one company we work with, every time they acquire a company, we go to a physical asset count on site. So they start with like, hey, we have no idea, we have an idea of what they have. Here’s what they told us. We need somebody to go on site, count them all and match all the serial numbers. And then you run into things like if you were to replace the motherboard, it’s going to read as a separate serial number.
So all of a sudden, you’ve lost this match up. I mean, we’ve seen so many things. It is that it’ll never be perfect. It’ll never be reconciled. I think there is a better chance, this is a little out there, but like the blockchain could probably help. So you have the processes to register it and you can keep track of it. And so I’ve seen some interesting ideas and thoughts around it, but I don’t see it going away anytime soon. And all you can do as a company is hope to do your best and create processes and inspection points to ensure that the quality is as high as possible, but it’s massively impossible.
STEVE RIVERA
Well, so, you know, you brought up the three aspects, physical data and then the virtual aspect of that, the asset theory of that asset. If you were to share like one or two things that are most critical for our listeners, kind of as we wrap all of this up, what would you suggest that they do with respect to their current asset inventory?
AARON ZEPER
So I will make two suggestions. One is like, hey, this is what you should do no matter what. And here is, if you want to be best in class, there’s a simple thing you can do. So the first one is no matter what, you should get your different groups together. However you think about that in your organization, whether you have an infrastructure group and, you know, an end user compute group, or if you have security over here and physical assets over here, whatever you do, get the different groups together and come up with governance to handle those three aspects.
- Here’s how we’re going to account for our virtual asset.
- Here’s what we’re going to mandate across all locations, all assets for a data destruction policy.
- And here’s what we’re going to do from an environmental or physical disposition.
So get those groups together, get them talking, get them conversing and come up with something that you’re going to apply universally across the company, and if there needs to be exceptions, figure that out as it goes. But, you know, like a lot of times we see mobility handled by, you know, HR or it’s in this onboarding process and it’s just completely outside of IT because we have corporate liable phones and certain titles get them. And then it’s like those are totally on their own. So, again, bring all your IT assets, have some sort of governance. And as long as you do that, you’re going to be better than 90 percent of the companies out there. Even Fortune 5000 companies, I tell you.
If you want, and the next one kind of moves to the data side, if you want best in class, the easiest solution is to work with a provider that does, and it’s not a huge incremental cost. It does cost more. But erase, destroy all your data on site before it leaves the four walls of your buildings. Like that’s probably like, if you did that, you know, you just dramatically reduce down. Could there be errors? Could things slip out? Maybe. But you’ve dramatically reduced what your exposure is. And so best practice would be, you know, if you have a help desk that swaps PCs in and out, laptops in and out, before those leave, quarantine them all together and then have someone come on site and wipe them all. For your data center, same thing. You know, either get a locker. And we do this with a lot of customers, even in their third party, like colo facilities, is we provide a storage bin of some sort, a lockable thing, or we do ones at like some of the large colos in Vegas where you don’t care who you are, you drop it in there with a tag and it all stays in this box. And we come out once a month and we erase all of them or we destroy them all for all the fails. And like you don’t want any data leaving that facility.
STEVE RIVERA
You know, those are great recommendations. I really appreciate it. Aaron, thank you for your insights.
That is all for this episode. Make sure you tune in next time to Logically Speaking and stay cyber first and future ready.