2926: Sustainable Data Destruction: Keeping Devices Out of Landfills
Tech Talks Daily, June 09, 2024
Duration: 21:42 (17.38 MB)

How secure is your data really? In this episode of Tech Talks Daily, I sit down with Rocco D'Amico, founder of Brass Valley, to explore the hidden threats and innovations in data security and management. Brass Valley began with a focus on data security for data centers and has since evolved into a leader in search engine optimization and data destruction innovations.

Rocco sheds light on the often-overlooked danger of embedded data in off-network and end-of-life devices, explaining how even wiped devices can harbor hidden data that poses significant security risks. He discusses the importance of identifying gaps in your company's data protection and what a robust data risk management platform should accomplish. Rocco's insights into implementing high-reliability practices from industries like nuclear, healthcare, and aviation into IT asset disposition (ITAD) are invaluable, demonstrating how to minimize the risk of mega data breaches effectively.

One of the standout moments from our conversation is Rocco's account of assisting a major security company in closing 49 data centers across 22 countries within just 60 days. His story highlights the critical role of strong communication, cultural understanding, and experienced partners in achieving such a massive feat without compromising data security.

Rocco also emphasizes the importance of sustainability in data destruction, advocating for responsible methods that keep old devices out of landfills while ensuring complete data destruction. He offers a fascinating perspective on how the data management landscape has changed dramatically over the past few years and what these changes mean for the technology we use today.

For those interested in delving deeper into data security, Rocco provides practical advice on measuring processes, enabling open communication, and having a disaster recovery plan in place. His approach to empowering staff to voice concerns and preventing potential breaches showcases the importance of a proactive and vigilant mindset in data protection.

What steps are you taking to ensure your data is fully protected? Tune in to this episode to learn from Rocco D'Amico's expertise and discover how you can fortify your data security strategies. After listening, I'd love to hear your thoughts on the hidden threats within your data security practices and how you plan to address them.

[00:00:01] Quick question gang, how secure is your company's data? And by that I don't mean right now and what is on your network. I mean what happens after you've wiped those old devices, after you've thrown them away or paid a company that's got a nice shiny certificate

[00:00:19] to discard of those devices for you. Well today I'm joined by Rocco D'Amico. Well today's guest is called Rocco, he's the founder of a company called Brass Valley. And we're going to delve into the hidden threats of embedded data in off network and end of life devices.

[00:00:39] And I want to explore how, and we'll also explore how high reliability practices from industries from nuclear to aviation and healthcare can be implemented in IT asset disposition or ITAD as it's known in the trade.

[00:00:55] By doing that I want to find out more how we can minimise data breach risks and discuss the importance of responsible data destruction and keep those old devices with embedded data out of landfills. So are you ready to uncover the critical aspects of data protection and risk management

[00:01:12] in today's rapidly evolving landscape? Well if you are buckle up and hold on tight as I beam your ears all the way stateside where Rocco's waiting to join me today. So a massive warm welcome to the show Rocco.

[00:01:26] Can you tell everyone listening a little about who you are and what you do? Rocco D'Amico, I'm the CEO and founder of Brass Valley and Brass Valley is an IT asset disposition service provider. We provide our services on a global basis.

[00:01:40] I started the company back in 2002 and originally we started as a VAR, as a reseller, a computer reseller. We were selling solutions to data centres and in the process of selling maybe 100 servers or 500 servers to a bank, I'd always get the question,

[00:01:57] well hey Rocco you know we're replacing 500 servers here. What do we do with them? And by the way, you know the kind of data that's out there so we have to be careful. So we were looking at the recycling market back then

[00:02:11] and for sure it was like the wild west. It was like anything goes. There was very few standards and so we decided to get into that business and when we did, lo and behold, that's the business that took off for us. And so now we provide these services.

[00:02:27] So we started literally in my basement and we've grown to a company that services companies around the world. So what is the story behind Brass Valley? What motivated you to start it? And I'd imagine the company's evolved dramatically over the last 20 years

[00:02:42] but can you tell me a little bit more about that origin story of the company and where it's been and where it's heading? Sure. So when we started, we originally, we always had sort of a niche with data security because we were working with data centres

[00:02:57] but the way it really grew was I'm an engineer and I was playing around with the Google algorithms for search and so I developed a proficiency in search engine optimisation. So people started finding us and then one day,

[00:03:15] a gentleman found us and he was with a major security company and he basically came to us and said, hey, I'm looking for people in your industry that can do XYZ and nobody will do what I want them to do. Can you help me?

[00:03:29] And we said, yeah, we will. And so that's where we started down this path of really having a security niche and expertise with what we do. And that led to innovation. And the innovations we've had over the years really sort of led the industry

[00:03:48] and that's how we got to where we are, really. Love it. What a great story. And one of the reasons I invited you on the podcast is every day, I try and demystify a different area that people in business may have been talking about or heard about,

[00:04:03] but maybe have a few questions they're afraid to ask. And I wanted to talk about embedded data for a moment. So can you just explain what embedded data is and why it maybe poses a hidden threat even after devices have been wiped clean? Sure, sure.

[00:04:17] So I guess maybe it's about 10 years ago. We had received a load of disk arrays from a bank. And the bank had a policy that no data leaves the building. So what they did, they contracted with the OEM of the equipment

[00:04:36] and said, come on in here and erase our data. So the OEM did that. They came in, they erased the data, they gave them a certificate of recycling, certificate of data destruction, and they walked away and said everything's fine. So we get the arrays in our facility.

[00:04:50] And just for laughs, one of my tech says, hey, what happens if I power this up? Let's see if there's anything on it. And lo and behold, when he did, there was data on it.

[00:05:00] And we powered up all the other arrays and there were data on them too. So we said, what is going on? And what we learned was that in those arrays, the way they were architected, they had battery-backed cache.

[00:05:14] And that never got erased during the erasure process from the OEM. So I said, hmm, well, if the people that design and build this don't know about it, who else doesn't know about it? And the answer is probably everybody. And then I said, well, you know,

[00:05:30] we probably have to start thinking beyond the hard drive in terms of where data is stored. And that led to the whole hidden media practice. And that also led to looking in areas where there might be other vulnerabilities, like network access.

[00:05:45] So there's any kind of remote monitoring to a data center requires some kind of network credentials to get into the data center, to tunnel in remotely. So we started looking at that to find where those cards are. There's like in Dell servers, there's a DRAC card.

[00:06:04] And so data security became more holistic than just a hard drive. And that's where the embedded media practice or hidden media practice came from. When I was doing a little research on you, one of the things that I was reading there,

[00:06:19] that was Brass Valley managed to assist a major security software company in closing 49 data centers across 22 countries in just 60 days. Blew my mind. It's an incredible stat that you must be proud of.

[00:06:33] Can you tell me how you managed to do this? Because it's a huge scale, isn't it? Yeah, it is. It's basically because I'm old. And I know a lot of people in the industry. But the situation for those folks was that they had, it was a merger.

[00:06:48] And company A bought company B and they were, they happened to be just based on the timing, their lease was coming up on a bunch of data centers. And so they needed to get out of the data centers quickly.

[00:07:02] So in May, we got the call that said, hey, we need to get out of, and they gave us the list, we need to get out of these by the end of July. And so that was at the end of May.

[00:07:15] So we had to get up to speed really, really fast. And it's a cooperative effort. And as I say, I've been in the business for 22 years. I know who the good players are and the bad players are. So we did it with partners.

[00:07:29] And it really comes down when you're working on a project like that, it really comes down to communication, the ability to communicate what you want effectively. It also comes down to the ability to understand the cultures of different countries. Because there is a difference.

[00:07:49] Not everybody's American, not everybody's from the UK. And there are different nuances in knowing how to communicate and get what you want when you need to get it. That just comes with experience. Incredibly cool. For anybody listening, especially any business leaders,

[00:08:07] we've set off a few light bulb moments at the moment. What strategies and practices have you implemented to achieve zero data breaches and no environmental issues in what, more than two decades of operation? Because I guess you've kind of been there and seen it all.

[00:08:24] And the pace of technological change is faster than ever. And you've probably seen a lot of things evolve as well. So how do you keep up to speed? What kind of strategies and practices do you put in place here? Well, you have to be curious, number one.

[00:08:36] But number two, the big thing for us, and I went from ignorant to skeptic to evangelist on this, were high reliability practices. So my wife, we have a tradition in our house. My wife and I would sit down for dinner, talk about our days.

[00:09:00] And many times I'd come home or sometimes I'd come home and I'd have a bad day and my wife, who was head of education at a local hospital, would say to me, you really should look into high reliability practices. I think they can help you.

[00:09:13] And so me being the attentive husband, I'd say something like, geez, that sounds great. Could you pass some potatoes, please? And she would just be patient with me. And in spite of the fact that she married me, she's pretty smart.

[00:09:25] And so one day after a frustrating day, I said, tell me about that high reliability stuff. And so what she explained to me was that it was originally adopted by the nuclear industry and then it was adopted by the airline industry

[00:09:40] and then it was adopted by the healthcare industry. And it's a way to prevent catastrophic failures. And it really comes down to how do you make your team work better together and not make and eliminate human error? And we have certifications.

[00:09:57] I mean, we are R2V3 certified, we're ISO certified, but nothing works like this in terms of getting people to work together as a team, to look for errors. And I really think this is the next dimension in data security

[00:10:12] because most data security breaches happen just because people make mistakes or they make silly errors or just do something without thinking. And that's the kind of thing that would keep me up at night because we had all the processes in place and my team was really, really good

[00:10:28] and they were committed and they're smart, but they're human. So how do you eliminate the human errors? And this is the way we address that. And I have to tell you, I talk about this frequently now

[00:10:40] and I get the same kind of response a lot of times where folks are just like, yeah, that sounds great, pass the potatoes. But if you really wanted to make an impact in your organization,

[00:10:49] I'd encourage anybody to look into it because it's made a great impact in ours. And I suspect we will have a few people listening today that we've taken on a very similar journey who before listening today were ignorant about embedded data,

[00:11:03] skeptical around how important it is on protecting it to almost becoming evangelists themselves. So how can those organizations identify where their own data protection is stronger and where there might be a few existing gaps too? Yeah. So I'm a great believer in whatever gets measured gets better.

[00:11:24] And some of the principles that we talk about in high reliability are wherever there's handoffs. So whenever there's a handoff between a company and a vendor or internally within a company, whether it's documentation, whether it's equipment, those areas are usually ripe, ripe,

[00:11:41] ripe for some kind of errors to happen. But whatever gets measured gets better. Take a look at your workflows, map out your workflows, look for the handoffs. And that's a great place to start for eliminating human error. Fantastic advice.

[00:12:00] What are the key features a good data risk management platform should have, do you think, especially in ensuring a comprehensive data protection? Because there's so many different plates to spin in many occasions and it's difficult to know what to do and when.

[00:12:16] So what would the best key features be in your eyes? So you've got to have strong processes in place, number one. The process has to be solid. The workflows have to be solid. There should be two-way feedback on the workflows.

[00:12:29] So, for example, if I'm sending or I have a customer that's sending 1,000 laptops, they should know the serial numbers that are being sent to us. So that way when we give our reports back to them, they can reconcile that data. That's number one.

[00:12:43] The people aspect, we talked about that briefly, but high reliability practices to make sure that the people are working collectively as a team and they have the goal of zero errors. And it's a cultural thing.

[00:12:57] So you can do it within a department, but it's great if the whole culture absorbs it. The people process and then what happens if something goes wrong? You have to have a plan in place.

[00:13:09] So you have to have a DR, a disaster recovery plan or something that goes in place. And most people do not understand indemnification and the indemnification that they get from their ITAD vendors specifically. And many of the ITAD vendors don't really want to touch it

[00:13:24] because it's very, very expensive. And they're not probably as tight in their processes as they need you to believe because most folks in the ITAD industry, they'll point to their certifications and say, well, we've got R2V3 and I know I just said these things,

[00:13:43] but the certifications guarantee nothing. They guarantee absolutely nothing. And honestly, the prisons are full of folks that had all the right certifications. So certifications are good and they're a good starting point. They're the good first words, not a good last word.

[00:13:59] And don't let that lull you into a sense of security about the performance that you'll see from your vendor because it's just a starting point. So people process and then indemnification, get the vendor to have some skin in the game.

[00:14:16] And I suspect you can't mention any names here and that's fine. But just to bring everything we're talking about to life, we've talked about higher reliability practices from industries like nuclear, healthcare and aviation. Is there anything you can share around that on how they've been adapted

[00:14:32] to IT asset disposition at Brass Valley to minimize the risk of data breaches? I just think a few of those examples might bring this topic to life a little. One of the principles of higher reliability is just the ability

[00:14:48] to raise your hand and say, I have a concern. So we had a situation last year where once again, we were at a bank and we were scheduled to erase two arrays. And when we got to the bank, one of the gentlemen at the bank said,

[00:15:05] oh yeah, while you're here, go get that third one. And my tech who has been schooled in high reliability practices didn't feel comfortable with it. Now, in most situations, in most organizations, when somebody doesn't feel comfortable with something,

[00:15:19] especially in front of a customer, they're very likely to keep going down that path because the customer told me to do it. But in this case, because he had been trained, when you don't feel comfortable, that internal smoke detector goes off,

[00:15:31] you have to stop and you have to say, I have a concern. And that's a code word for us. When anybody in our organization says, I have a concern, everybody stops and listens because they know something's not right. Somebody's noticed something that's not right. So he did that.

[00:15:46] I have a concern. So he went back and he said, this isn't on my work order. I can't do this. And the guy said, hey, do that array. He goes, so my guy said, let me call my supervisor. So he did.

[00:15:58] And his supervisor called a supervisor above the level that my tech was working with. And he said, well, if Joe said to do it, go do it. So my general manager said, are you sure? He said, yep, I'm sure.

[00:16:11] The next day, I get a call from the vice president. And he said, Rocco. He goes, I know the answer to this question, but I got to ask you, can you get that data back off that third array? And I said, John, we can't.

[00:16:23] You know we can't get it. It's gone. And he goes, hey, I was afraid so. Okay. So the guy that initially said to go do it, he lost his job. And so that's an example of the high reliability practice that if that guy was schooled in high reliability,

[00:16:40] there would have been things for him to do, and he wouldn't have had to lose his job in the process. So I'm a big believer in it. As I said, I went from ignorant to skeptic to evangelist. And it really works.

[00:16:52] It really does work if you use it. Wow. And I think it's a powerful moment to end on there. So much food for thought about high reliability and embedded data. And I'd love to dig a little bit deeper on this with you at a later date.

[00:17:06] But I always like to finish the podcast on a note where I ask my guests to share something else with everyone listening. And that is one final gift. That is a book that we can add to our Amazon wish list

[00:17:17] that you recommend or maybe mean something to you. But all I'll ask is what book would you like to leave everyone listening with and why? Yeah, I would like to leave you with a book that I found fascinating.

[00:17:28] It's called Living the 80-20 Way, and it's by Richard Koch. And he is a gentleman that wrote the Pareto. He wrote the 80-20 principle, which is based on the Pareto principle. And everybody kind of thinks they know what this is.

[00:17:45] But it's really how to leverage the things that really matter and to get more results and better results in your life overall. And it's had an impact on my life. And I have to remind myself of this.

[00:18:03] And especially I'm always reminded of this when I see time management courses and people who are struggling to get enough hours in the day. And I think if you read this book, you'll look at that differently and you'll focus on the things that have the biggest impact.

[00:18:19] And he does a really great job of explaining how focusing on the things that really matter. And I think he breaks it down into five areas. It just made a lot of sense to me, and I want to share that with your listeners. Well, thank you so much.

[00:18:34] I'll get that added straight to our Amazon wish list. And for anyone listening, just wanting to find out more information about anything we talked about today, whether it be the work that you do or the topics we covered,

[00:18:45] what's the best starting point for all things Brass Valley and indeed yourself? Yeah, so you can go to our website, www.brassvalley.com. We're also going to have posted up there, you'll see it's not there yet. It'll be there over the next several days,

[00:19:04] an ability to tap into an AI tool that we've created. It's ITADvisor.com. And you can ask that tool anything about IT asset disposition and it'll get you the answer. And we continue to add data to that and information to that.

[00:19:24] So it's only going to get better over time. And so I encourage you to do that. And if you want to email me directly, it's Rocco, R-O-C-C-O at BrassValley.com. Be happy to hear from anybody. I love to talk about this stuff. Awesome.

[00:19:37] One of the things I love about recording this podcast every day is I myself get to sit down with an expert such as yourself and learn so much. And today I've learned about embedded data, the hidden threat inside off network and end of life devices,

[00:19:50] even after they have been wiped clean and how to keep old devices out of landfills while responsibly and efficiently achieving data destruction, but also about implementing high reliability practices. So much gold in this 30-minute conversation. But more than anything, just thank you for bringing it to life

[00:20:07] and shining a light on it today. Thank you for having me, Neil. It's been a pleasure. So as we wrap up my conversation with Rocco, I think it's evident that securing data goes far beyond wiping hard drives. From understanding the hidden threats of embedded data

[00:20:23] to implementing high reliability practices, I think the insights shared today are crucial for any organization that's aiming to protect its data comprehensively. And the big question to everyone listening, of course, is how is your company addressing those hidden vulnerabilities? How are you ensuring robust data protection?

[00:20:42] Those legacy devices with embedded sensitive company data hidden inside them. Do you trust the business that's turned up with a nice shiny certificate? Do you really know how they're disposing of that data? I'd love to hear your thoughts on this. Please let me know.

[00:20:56] Email me, techblogwriteroutlook.com, Twitter, LinkedIn, Instagram, just at Neil C. Hughes. But more than anything, thank you for tuning in today, being a part of this conversation. Stay connected with me for more in-depth discussions on technology and data security and so much more.

[00:21:13] We've got a fresh topic tomorrow, though. I can't reveal too much. But until next time, let's keep pushing the boundaries of data protection, sustainability and everything in between. So thank you for listening as always. And until next time, don't be a stranger.