Becoming an Ethical Hacker
Angela Gunn is fried. This is one of those frantic periods when it feels as if she works in an ER or at a fire station rather than holding a staff position with a computer security firm. It’s just after Labor Day 2018, and she’s chosen as our meeting place a café with a dive-bar vibe in a trendy stretch of Seattle’s downtown. Called Bedlam, Gunn declared the place “thematically appropriate” for any discussion that involves her life and job. A frazzled Gunn plops down in a seat across from mine. “I’m a hot mess today,” she declares.
This is her life every August, Gunn explains. Invariably, it’s the same around Christmas and New Year’s as well. She’s busiest when the rest of the world is on vacation and online fraud peaks. “People attack when they think your guard is down,” Gunn says. At the time of my visit, she was juggling three cases. That made for a hectic August
that spilled into September. All three were coming to a close, but she had been roped into a fourth. “I was up till four a.m. last night and it wasn’t even one of my cases,” she says. The late hours were because she needed to speak with the firm’s malware—malicious software—specialist, who lives in Australia. “A brilliant guy. I respect the hell out of him,” Gunn says. “I just wish he didn’t live nineteen time zones away.” Her job over the next twenty-four to forty-eight hours will be to find the people her firm needs for this latest case. “My guy can’t get here so I need to find boots on the ground,” she says. “So now it’s about making alliances with people known for wearing hats that are some shade of white.”
Gunn orders a tall Rose Mocha latte that the menu describes with flowery prose: “Imagine walking in a garden, cool and in the bright sun, a fountain splashing softly, the faint sweet scent of roses & chocolate full of Eastern promise.” After reading it out loud to me, Gunn starts rattling off jokes about the new Seattle (she first moved to the city in the late 1990s) and for good measure takes a couple of biting digs at Amazon, which she and others I meet with while in town cast as an Evil Empire, practically swallowing whole the city they love. She brightens when her Rose
Mocha arrives. It’s been a rough few weeks, Gunn tells me, “I could use a cool walk through a garden right about now.”
It’s people like Gunn that organizations large and small call if they’ve had a data breach or suspect they have. People in the industry—cybersecurity, if you’d like, though Gunn’s preference is information security, or “info-sec” for short—call this “incident response.” To my mind, though, they’re the online world’s firefighters: those who rush to put out the flames and then assess the damage. Ten years ago, Gunn was working as a tech journalist. Now she works full-time for a long-standing British security firm called BAE Systems, which hired her a couple of years earlier to help them establish a presence in Seattle. Her title is “incident response consultant,” and it’s her job to assemble the small crew she needs for each case. Typically, that includes an analyst who can pore over computer logs, a malware specialist, and those she dubs “forensic workers, except without the formaldehyde smell and ripped-open chest cavities.” That’s if she can find any live bodies to do the work.
“Right now, I’d sell a right toe for a forensics guy,” Gunn says. “Like a lot of people in info-sec right now, we’re agonizingly understaffed.”
That morning she had been on the University of Washington campus for the quarterly gathering of the Seattle-area computer security group to which she belongs. As usual, that day’s talk, about the special precautions a security team must take to protect power grids, water treatment centers, and other critical infrastructure, was off-the-record. The idea, she explains, is to create a safe space for people so they can speak freely without fear of the consequences. “It’s a network of trust. Except when it comes to stealing everyone’s best people,” she says. People don’t say hello so much as let one another know what postings they have that remain open. “A typical conversation goes, ‘Oh my God, where did you land?’ They’ll say Amazon and you ask, ‘Oooo, are you okay?’?” Gunn has been in the business for eight years—if not quite an old hand, then someone who has learned a lot since taking a job at Microsoft, in 2010, where she helped manage the company’s message to the wider world when a bug hit Windows or another Microsoft product.
“People in security are changing jobs it seems every year, if not every six months,” Gunn says. “At the meeting just now, I was like, ‘Maybe one of you guys is my next analyst.’ Except they’re hoping I’ll join their team.” A 2015 report by
the job analytics firm Burning Glass Technologies found that postings for cybersecurity had grown more than three times faster than other information technology (IT) positions, and roughly twelve times faster than all other jobs. The firm also reported that those working cybersecurity on average earn nearly 10 percent more than others in IT.I
• • •
IT WASN’T THAT LONG ago that computer security was more of a niche job category—a wise career choice, perhaps, but a specialty that relegated an employee to a backwater of the computing world. The release of the 1983 movie WarGames woke up many to the importance of cybersecurity in a digital age, including then president Ronald Reagan, who saw the movie the day after its release. Reagan was among those frightened by its depiction of Matthew Broderick as a teen tech whiz who unwittingly breaks into a military computer and nearly triggers World War III. Fifteen months later, in September 1984, the
National Security Agency, or NSA, released a policy directive dryly titled, “National Policy on Telecommunications and Automated Information Systems Security.” The generals and spy chiefs around Reagan concluded that the film wasn’t as far-fetched as they might have hoped. The government’s systems, the policy directive said, were “highly susceptible” to attack by foreign powers, terrorist groups, and criminals. Yet networking was still an esoteric issue then, even among computer scientists, and personal computers were only starting to appear inside corporate America and in people’s homes. Most people working info-sec then toiled in the bowels of the Pentagon or worked for a big defense contractor.
Slowly, the rest of the world woke up to cybersecurity and the importance of protecting computers, networks, applications, and data from unauthorized access. The invention in the late 1980s of the “World Wide Web” helped to popularize the internet throughout the 1990s (the web is a user-friendly interface built on top of the internet). But the move online brought with it worms, viruses, and malware. Commerce came to the internet, along with thieves and scammers. We bought security software packages from companies such as McAfee and
Symantec, but then used passwords often no more sophisticated than 12345 or a spouse’s name. People talked about computer security but it still wasn’t something most colleges taught. The spread of wireless network—Wi-Fi—made it easy for us to connect our laptops, including work laptops, to the open networks in cafés, airports, and libraries, potentially exposing our personal information to those tech savvy enough to hack into a network. Wi-Fi also inspired “wardriving”—people creeping along in a car, searching for un-secure networks to infiltrate, maybe for the fun of it, maybe for more nefarious reasons—which, eventually, schooled us on the importance of a secure network.
The advent of thumb drives—USB memory sticks—proved an easy way to transfer documents from one computer to another but also an efficient way to infect a machine with malware. The nanny cams and other gizmos we linked to our networks posed another threat, punching holes in our firewalls and offering potential back doors into our private lives. “All these consumer-grade devices are made as cheaply as possible,” said Mark Seiden, who has been working in computer security since the 1990s. “They use old, unpatched software and a lot of it isn’t even
upgradeable.” Our smartphones and the tablets we’ve connected to our networks tend to have better security than these cheap, more disposable items, but there’s the so-called Internet of Things, which is this idea that cheap computer chips will be added to everyday items, including the internet-connected devices that transform the places we live into a “smart home”: smart locks on our front doors and smart thermostats and smart lights, all connected to the same Wi-Fi networks we use to do our banking and carry on private conversations. And now, of course, there are the listening devices people have welcomed into their homes in the form of the voice-activated assistants sitting on the kitchen counters of tens of millions of Americans. Is it any wonder that old hands like Seiden speak of an “attacker’s advantage”? “You’re a business that does everything right but an employee installs a device on the network which has a vulnerability and it opens you up,” Seiden said. He should know: for years he has jobbed himself out to big companies looking for help testing their defenses. “With everything we’re connecting to our networks, there’s definitely an attacker advantage today,” Seiden noted. Cybercrime caused an estimated $3 trillion in damages in 2015, according to the research firm Cybersecurity Ventures. It
expects that figure to double to $6 trillion by 2021.II
We survived phishing scams and browser popups and the danger when opening attachments from unknown senders and hijacked Facebook accounts. Yet we now have ransomware. Risk being exposed in front of your friends, spouse, or employer unless the victim sends bitcoin to the hackers who intercepted something incriminating or embarrassing. Or the hostage could be the user’s system. The victim must spend a small fortune cleaning up the malware some no-goodniks have slipped onto their server—or pay the ransom and get back to business. Victims of this second type of attack have included Fortune 500 companies, hospitals, and even police departments. Our financial lives exist online, along with our photos, texts, and medical records. Corporations store their most precious secrets in the cloud, along with ours, including our credit card numbers, social security numbers, and passwords. Yet for more than a decade, we’ve been reading about the huge data breaches hitting one big company after another, including Uber, Google, eBay,
and Equifax. Reported data breaches in the United States hit a high of more than 1,500 in 2017—a jump of nearly 45 percent over the previous year.III
Among those hit in 2018: Facebook, where flaws in its code gave hackers access to fifty million accounts, including those of Mark Zuckerberg and his nearly-as-famous number two, Sheryl Sandberg.
“Our power grid, our cars, our everyday devices—basically everything is online and able to be attacked,” Georgia Weidman, the author of Penetration Testing: A Hands-On Introduction to Hacking, told the New York Times in 2018. Our water supply is increasingly digitized, and therefore more vulnerable to attack. So, too, are the world’s dams if a malicious hacker “decided to open all their sluices. That’s actually something that could happen,” Weidman said. There will always be “black hats”—those looking for vulnerabilities in a computer system or network to do harm. Sometimes black hats are state-sponsored operatives who steal private data and disrupt or shutdown websites and networks. More often they’re small-time hustlers seeking credit card
information or bank account numbers and passwords. A corollary to Mark Seiden’s “attacker’s advantage” is the “defender’s dilemma,” which Dave Weinstein, a security manager inside Google, summed up this way: “The defender has to be strong everywhere, every day. The attacker only has to win once.” For each set of bad guys, there needs to be veritable armies on the defense side, beefing up armaments and rushing to the rescue at the first sign of an attack.
The march of technology, in other words, has created a huge demand for ethical hackers, or “white hats”: those skilled at using computers who can protect our systems and battle those with bad intentions. By now any university offering a computer science degree invariably offers classes in security. The more forward-looking among them have created a dedicated Computer Security department and offer a bachelor’s degree in cybersecurity. Still, businesses are having a hard time finding people to work computer security. At the end of 2018, for instance, there were more than twenty-six thousand openings for a “cybersecurity analyst” (average pay: $85,000 a year), according to CyberSeek, which is part of a program nested under the U.S. Department of Commerce. An “incident analyst/responder,” though an entry-
level position, paid an average of $99,000, yet the CyberSeek career survey found 6,600 openings. Senior positions, of course, pay more: $129,000 for a “cybersecurity architect,” for instance, or a lot more if working at a place like Google or Microsoft. “If someone has six months to a year of work and, when they came in for an interview, they didn’t pee on the rug, they’re going to make in the neighborhood of $85,000,” Angela Gunn said. “If they have a special skill—if they have experience doing database scanning or maybe they worked as a programmer before moving to security—then they’re going up to 110, 120, 125.” For those with five or more years of experience, she said, the salaries start at $150,000. “There was never a cybersecurity job that I took where I was like, ‘Man, I wish I could make more money,’?” said Billy Rios, who worked for Microsoft and then Google before venturing off on his own.
All told, according to CyberSeek, just over 700,000 people were working cybersecurity for U.S.-based businesses and other organizations in 2018, not including 300,000-plus unfilled positions. How crazy is the demand for quality people in info-sec? A security reporter I know was wearing a free T-shirt he had picked up at an industry event while waiting for a table at a San Francisco restaurant. A stranger struck
up a conversation: “My company is hiring security people. You have a résumé?” The on-the-spot recruiter worked for Square, a publicly traded mobile payments company worth in the tens of billions. “You’ll greet someone you know in the information security space,” Google’s Dave Weinstein said, “and say, ‘Hey, how’s it going, we’re hiring!’ And the other person says, ‘Oh, we’re hiring too!’ Only then can you move on with your conversation.” The data point that had people inside the cybersecurity world buzzing in 2017 was a prediction by Cybersecurity Ventures that by 2021, there will be roughly 3.5 million unfilled cybersecurity jobs across the globe.IV
It’s those on the defense side of things—those working to protect and defend our apps, data, devices, and networks from cyberattacks—who are the subject of this book: good-guy ethical hackers, though the word hacker is so loaded that it demands to be defined. Within these pages, it’s a neutral term used to describe any super-programmer with a gift for outwitting computer systems, often by weaknesses in the existing code. That includes those with bad intentions who
manage to get inside a seemingly well-fortified system but also those on the defense side of things. The Russian operatives who broke into the Democratic National Committee’s servers and stole its e-mails are hackers but so are those in the business of sniffing out and preventing such attacks. Consider the term life hack. A life hack can be a cheat but more often it’s a clever fix to an everyday activity.
Those I spoke with tend to use white hats and black as shorthands to distinguish between hackers with good intentions and those seeking to do harm. But even there you dare an argument. A definition I heard that I liked is that if you’re interested in a computer bug to fix a problem, you’re wearing a white hat; if you’re interested in that bug because you want to use it, you’re wearing a black hat. But what about when the U.S. government infected an Iranian nuclear facility with the Stuxnet worm? “Is that ethical or not?” asked Dave Weinstein. “It represented a significant setback to a nuclear program, which is a distinctly safer alternative than a large-scale nuclear strike, which was one of the options on the table.” Yet Stuxnet also seems textbook black hat: deliberately harming a machine by infecting it with a particular noxious form of malware. Or what about Captain Crunch, a former U.S. Air Force radar technician
and early hacker who discovered in the late 1960s that the toy whistle that came in boxes of Cap’n Crunch could be used to make free long-distance calls (the 2600-hertz tone it emitted was the same frequency used by one of the big long-distance networks). He was in effect using technology to steal, but was he a black hat? The ambiguities of examples like these help explain another term people throw around: “gray hats.” I’ve grown to prefer “ethical hacker,” which I picked up talking with those in info-sec.
The world’s internet service providers (ISPs), wireless carriers, and others in the network business are always looking for good security people, as are all the big tech companies, including Google, Microsoft, and Amazon. While testifying before Congress in spring 2018, Mark Zuckerberg promised to add ten thousand employees to its ranks to handle cybersecurity and content management to protect user data. These days, every big tech company has multiple offices around the globe, meaning a person can get a computer security job with Cisco in San Jose, where the company has its headquarters, or outside Baltimore, where its Talos threat intelligence and research group is based, or Austin, Texas, where Talos operates a satellite office. Banks
need small battalions of IT security people in its offices around the globe, as do health-care companies, retailers, and pretty much any business whose chief executives live in fear of a data breach that brings unwanted media attention. So, too, do governments and nonprofits and universities as well as small and medium-sized businesses. Those that can’t afford a dedicated cybersecurity team (and even some that can) have contracts with consultancies and other businesses that help them build and maintain their defenses.
The job options themselves are varied and allow for different skill levels and personalities. “What’s great about computer security is the range,” Mark Seiden said. For those seeking a more traditional work schedule, there are ample jobs in auditing and compliance. These are the legions that businesses hire to ensure that its people are following its own rules and procedures and those imposed by any relevant regulatory agencies. These are the “clerks and accountants” of the info-sec world, Seiden said, who can be found working for the companies themselves or at tech consulting firms or the country’s accounting giants, which are among those that have moved into cybersecurity. “It’s not particularly fascinating work, but it’s the kind of job that’ll let you raise a family and work regular hours and make a
good salary,” Seiden continued. There are also the insurance adjustors who investigate the claims for businesses carrying the cyber insurance that compensates them in case they’re the victim of a data breach or other cybercrimes. There are also policy jobs to be had inside government and businesses. These are the people who write the rules and protocols that everyone must follow when handling people’s personal data.
Management jobs are plentiful: database administrator, cybersecurity administrator, auditing chief. The bigger tech companies like Google and Microsoft have layers of managers among its security people (a couple of whom you’ll meet here). Sitting atop the corporate org chart is increasingly a new addition to the executive suite: chief security officer (CSO), or chief information security officer (the CISO, or “sea-so”). A new set of privacy protections implemented by the European Union in 2018 has given rise to another new executive position: the Data Protection Officer (DPO).V
Yet, of course, the higher one ascends the corporate ladder, the more vulnerable that person might find him- or herself.
“Being an IT security manager is a job fated to failure,” Seiden noted. Eventually, some kind of incident is going to happen. One bad breach and, like the manager or coach of a sports team, the person overseeing security plays the fall guy: fired because management needs to do something in response.
Those like Seiden, who does penetration testing (“pen testers” if speaking like an insider), are an interesting breed. These are the operatives businesses hire to test their defenses in the hopes they discover any weaknesses in their systems before they’re exploited by a real attack. “Twisting doorknobs for a living,” as Seiden described it, which could mean virtual entranceways or real ones. Billy Rios, an ex-marine good with computers, landed a job in his midtwenties with Ernst & Young, which had recently formed a pen-testing crew it was jobbing out to large corporations. “We were kicking doors in, picking locks, hiding in closets and bathrooms, stuff like that. It was great fun,” Rios said. That part of the job is what people in the business call “physical security.” The best pen testers are good at both.
Those called “security researchers” also search for vulnerabilities, though in their case no one is hiring them to do so. These “bug hunters” are at once the elites of the info-sec
universe and occupy a more ambiguous perch. A St. Louis man with whom I spoke, Charlie Miller, described himself as a “good-guy hacker.” Yet Miller was also the first person to hack the iPhone. He’s also broken into an Android phone, a MacBook and, with a friend, commandeered a moving Jeep Cherokee (including its steering wheel, brakes, and accelerator) via the car’s built-in cellular connection. The Jeep he hacked into was his own, as were all the other devices he exploited. In each case, he let the target companies (Apple, Google, Chrysler) know months in advance of going public with a vulnerability, so as to give them time to fix the problem. “I’d describe myself as a white hat but a lot of people say we’re gray hats because we find these vulnerabilities and publicize them,” he said. After stints at Ernst & Young, Microsoft, and Google, Billy Rios would join the ranks of security researchers. He and his partners probe for holes in medical devices—and have found them in such essential instruments as insulin pumps and heart regulators. The device makers may view him as a pest, if not worse, but he sees himself as potentially helping to save lives. “It almost feels sterile when you’re giving the presentation to a group of hackers but then someone goes, ‘What can you do with this?’ And I’m like, ‘Dude, you can kill someone,’?” Rios said.
Security researcher is the glamour position of the info-sec world. You see them quoted in Wired and the New York Times and find them onstage at conferences. There are two premier hacker events each year, Black Hat and DEF CON, or three if you include RSA, which is an industry trade show that draws some of the same big-name speakers. Black Hat and DEF CON are held back-to-back in Las Vegas every summer. Black Hat drew over seventeen thousand people when it celebrated its twentieth anniversary in 2017, and DEF CON, which is a few years older, attracted more than thirty thousand participants. Black Hat, despite what its name might imply, is the more corporate of the two conferences; it’s DEF CON that is geared more toward hackers and hobbyists and is focused more on breaking things and mischief. A commonly voiced adage about the two conferences: Black Hat is the university and DEF CON the fraternity. “Black Hat tends to focus on new attacks with the goal of promoting awareness of a vulnerability, so that users can protect themselves and technology developers can start thinking about how to implement fixes,” said Harvard computer science professor James Mickens. By contrast, Mickens continued, DEF CON is known as “the funner, more interesting conference that has more of
a maker community feel, with capture-the-flag competitions, tutorials on lock picking, and the like.” Maybe it was just as well that Black Hat 2018 is where Rios and his partner, Jonathan Butts, exposed the latest vulnerability they had found in a medical device—a pacemaker. “We were going to get a veterinarian to implant a pacemaker in a pig to show people that this is for real,” Rios said. “The Black Hat folks kind of walked us off the bridge on that one.”
And then there’s Angela Gunn’s world of incident response, which offers any number of pathways into info-sec. Gunn described herself as “technical but not as technical as my tech guy.” But then her “tech lead,” she said, “isn’t as technical as his deep-dive guys.” These include the “log analysts” and “host analysts” who are doing more root directory work. “These are people who look at the traffic coming or going, or are trying to figure out why the system did what it did,” she said. “And out on the fringes we have the malware guy. Just slide a pizza under the door and don’t talk to him and he’ll be happy.” Her favorites seem those she dubs the “malware hunters,” who study the beasts once they are trapped in what info-sec people sometimes call “the sandbox”—a safe space where a virus can’t do
additional damage. “There are certain engineers who want to be that guy who opens up that malware and sees its beating heart,” Gunn said. That’s the Australian engineer she had been talking to in the middle of the night. “You can tell it feeds his soul,” she said. “You can tell he found his place.”
That is essentially true of all the people you’ll meet here: Each seems to have found his or her proper place in the world with work that gives life meaning and helps feed his or her soul. Gunn is the focus of the first chapter: someone happy to the extent that is possible in a stressful, intense job that occasionally causes her to reach a breaking point. The focus of chapter two is Mark Seiden, an impish computer prodigy with the pluck of a con man—in the parlance of information security, a master of social engineering (here, eliciting information from people through deception). These days Seiden, who is in his sixties, takes on all kinds of projects, but in his day he was a master pen tester, as good as any in the business at sniffing out creases in the security systems of some of the planet’s largest corporations. He might slip on a FedEx shirt and push a hand truck for a caper, or play the part of the Iron Mountain employee there to pick up boxes of sensitive information bound for the shredder. “It’s amazing what a windbreaker and clipboard can do,” said Seiden,
a former IBM programmer who also worked for the legendary Xerox PARC.
Parisa Tabriz and Dave Weinstein are the focus of two chapters: ministers of defense, as I see them, occupying important jobs at Google. Weinstein is a middle manager doing security for Android, the operating system the company wrote for mobile devices—no easy job given how often Android is in the news because of a security breach. (A sample headline from 2018: “Here we go again: Newly discovered Android vulnerability can be used to spy on you.”) Tabriz is the self-proclaimed “security princess” who oversees Chrome, the globe’s dominant web browser. She is the more acclaimed of the two—and, as a director of engineering at Google, much higher on the company org chart. Tabriz has been on CNN and profiled in Elle and Wired, which in 2017 put her on its list of “20 Tech Visionaries.” She has lectured at Harvard’s Kennedy School and consulted both with the White House during Barack Obama’s presidency and with Hollywood writers interested in a more accurate depiction of cybersecurity in movies and on TV. Maybe most impressively, she was the keynote speaker at Black Hat in 2018.
Patrick Wardle, one of the more interesting bug hunters
I came across, is the focus of the next chapter. Wardle, who went from emancipated minor at age fifteen to a hilltop in Maui, worked at the NSA, the U.S. government’s main spy agency, before venturing out on his own. He is not yet thirty-five, but has already cofounded a pair of startups. He also might stand as Apple’s least favorite person in the security world. The best way to make a name for yourself in the security research world is to have a specialty. “You really want to be an expert in one thing,” Wardle said—he chose macOS.
Finally, there’s Allison Wong, whose story I tell because hers is one that demands to be told. A working-class kid from Houston, her introduction to the internet was the PC her family kept in the living room so they could stay in touch with her father, who was in the military. She was programming by age ten; by fifteen, she was working tech support at a local ISP, less for the money, she said, than the free bandwidth. She was seventeen when she went to work at NASA on the space shuttle program. By twenty-one, she was a globetrotting security consultant and engaged to a Ukrainian hacker.
Now thirty-eight, Wong has done a little bit of everything in the computer security world. She spent several years as a firefighter and has done her share of penetration testing.
She’s also done defense work for major companies including eBay and Visa, and created products for McAfee and Symantec. These days she is the CEO of the security startup she cofounded with a friend, and active in Women in Technology, a group that reaches into area high schools and local colleges to get girls thinking about the potential for a career in science, technology, engineering, or math (STEM).
It’s never more obvious how great a life in computer security can be, Wong said, as when she speaks before an auditorium of young women. “The idea is to get girls to look at computers as a career path,” she said. “I always say the same thing at these things,” Wong told me: At least consider info-sec as a career path. It’s a sector that offers a wide range of options and the pay is a huge plus. “It’s a cool job,” she’ll say. “If you stay in it for four years and show you’re good, you’ll make in the six figures. And not just the low six figures.” Plus one more advantage, she tells them. “It’s not a job you can get bored at. If you get bored, you’re doing something wrong.” I
. “Job Market Intelligence: Cybersecurity Jobs, 2015,” Burning Glass Technologies, https://www.burning-glass.com/wp-content/uploads/Cybersecurity_Jobs_Report_2015.pdf
. Steven Morgan, “Cybercrime Damages $6 Trillion by 2021,” Cybersecurity Ventures, October 16, 2017, https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/
. “2017 Annual Data Breach Year-End Review,” Identity Theft Resource Center, https://www.idtheftcenter.org/2017-data-breaches/
. Steven Morgan, “Cybersecurity Jobs Report 2018-2021,” Cybersecurity Ventures, May 31, 2017, https://cybersecurityventures.com/jobs/
. Nate Lord, “What Is a Data Protection Officer (DPO)? Learn About the New Role Required for GDPR Compliance in 2019,” Data Insider, January 23, 2019, https://digitalguardian.com/blog/what-data-protection-officer-dpo-learn-about-new-role-required-gdpr-compliance