Ethyca's Cillian Kieran is taking on the 'sorely misunderstood' worlds of privacy and security

The Irishman’s New York company is building tools to help businesses grapple with floods of data.

By Jonathan Keane Reporter, Fora

MAKING HIS WAY back from Davos, Cillian Kieran is reflecting on the few days he spent at the coal face of the World Economic Forum. At the annual gathering in Switzerland,  the future role of Big Tech was a major talking point. 

As the founder and CEO of New York-based cybersecurity company Ethyca, Kieran was a particularly interested observer. 

Having moved to the States a decade ago with his first company, the Irishman founded this latest venture in 2018 and closed a $4.2 million round last year.

Ethyca exists in the areas of data privacy and regulation, a well-worn topic of debate in this arena and it was clear to Kieran from talking to people on the ground at Davos that this issue isn’t going away.

“There’s a general will, I do believe this, to find a solution to the problem,” Kieran, who was there with some clients, said. “There’s a huge value to unlock from data but there is tremendous risk.”

The debate has been dominated by calls for greater regulation that will rein in Big Tech.

Regulations such as GDPR in Europe have attempted to upend the power balance between companies and users when it comes to data while in the US, prospective presidential candidates have made pledges to break up major tech companies.

“In the absence of data governance over the last decade or two from business, regulation is necessary. The reality is that it’s a very complex problem,” Kieran said. “GDPR in every respect is the tip of the iceberg of the first foray into regulation and data privacy.”

This push can be seen in other jurisdictions. In California, the home state of so many large technology firms, legislators enacted the California Consumer Privacy Act (CCPA), a sweeping set of rules similar in nature to Europe’s.

For Kieran, it’s a multi-pronged debate to navigate. Regulation must provide a strong framework for companies to work around but there needs to be a greater understanding among users and consumers about how companies operate.

“Most end users just don’t understand their rights or the risks of how data can be misused,” Kieran said.

Tools and code

It is amid this perfect storm that Kieran founded his cybersecurity firm Ethyca in New York in 2018.

At its core, Ethyca develops a platform for businesses to manage the flow and location of the data it holds to remain compliant.

“Ethyca essentially provides infrastructure as code and developer tools to make it easy for engineers and data teams to make safer technology for their users,” Kieran explained.

He previously studied physics and computer science in DIT before dropping out – “20 odd years later my mother is still upset about it” – before starting a digital consultancy called CKSK.

When it opened a New York office, Kieran moved over to lead the expansion. He ultimately left that business in 2016 – CKSK went into liquidation in 2019 – but he had seen how companies big and small were struggling with the digital transformation and managing their data.

For a long time, it has been common practice to bring in a big consulting firm to carry out audits and train staff on the risks.

“It didn’t make the tech stack safer,” Kieran said. “Data was still flowing in the same way and data is stored inside those systems in the same way. The business processes are the same. You’re basically throwing lots of people at what is a technology problem.”

Ethyca-Cillian-Kieran01 Cillian Kieran
Source: Ethyca

As GDPR came into force in May 2018, during the run-up most people received a flurry of emails from companies about updated terms and conditions. Companies big and small were taking no chances with their interpretations of the rules, lest they find themselves with a big fine.

Since then, there have been just a handful of major fines around Europe and many smaller ones – so nearly two years on, has industry finally grasped what it’s dealing with?

“I think there’s a wider understanding of what the requirements are,” Kieran said.

“There’s a realisation that it fundamentally changes the way you can do business with data, how you can use it and what rights your customers or users have. That now is trickling into every aspect of how businesses manage information.”

Culture clash

This has been greatly influential on how Ethyca delivers its product. Kieran said there’s “a big cultural difference” between Europe and the US when it comes to privacy.

“Privacy is seen as a fundamental human right in most countries in the world, particularly in Europe,” he said.

“In the US, privacy is related slightly to the Fourth Amendment, which is the idea that government can’t encroach on you personally but beyond that, privacy is not part of (the) culture in the US.

“It’s been difficult to address as data has become more sensitive. How do you tackle something that’s not been baked into their culture?”

California’s CCPA is trying to address this gap and other states are following suit – Nevada, Maine and Washington have laws on the table – which could influence the emergence of a federal law.

This is something that tech companies would prefer rather than dealing with a patchwork of state laws.

“Right now it’s fair to say that CCPA and GDPR are sufficiently aligned. A customer shouldn’t see a huge difference in their user experience or in the rights they have,” he said.

Last year, Ethyca raised $4.2 million to expand on its product development and keep up with the race.

“Our technology is continuously evolving. We have privacy specialists that are analysing draft bills,” Kieran said.

Several major economies have new privacy legislation en route or in the draft phase. Brazil’s new regulation LGPD is coming into effect this year and India introduced its personal data protection bill late last year.

“You use Ethyca and you assume the technology will behave correctly in each of these countries or states,” Kieran said.

“When you put Ethyca inside, the system now behaves in accordance with the law so you don’t have to think about it because it’s now baked into the tech stack rather than doing it manually.

“Everyone else that is competing with us is either a semi-manual process or focused on security. Data privacy and security are not the same thing. It’s sorely misunderstood.”

Get our Daily Briefing with the morning’s most important headlines for innovative Irish businesses.