Paul Mander is helping businesses reduce one of the fastest-growing cybersecurity risks: exposed personal data. As Chief Commercial Officer for Optery for Business, Paul works with enterprises to remove employee data from data broker sites — reducing the attack surface available to social engineering threat actors. In this episode, Paul explains how AI has supercharged social engineering attacks, why IT staff and finance teams are more targeted than executives, and how Optery's continuous scanning and opt-out automation gives enterprises a proactive defense. He also shares why data privacy is a fundamental right and what the next five years of the personal data removal industry could look like.
Key Topics:
Data brokers, Social engineering, Cybersecurity, Privacy, Personal data removal
Transcript:
<p><strong>Russ Fordyce (00:01)</strong><br>Welcome back to the Winner Circle, everybody. I'm here with Paul from Optery. He is the chief commercial officer for Optery for Business. And this is a really important tool these days. Paul is the latest winner in the Fortress Cybersecurity Awards. So congratulations, Paul, and welcome to the Winner Circle.</p>
<p><strong>Paul Mander (00:24)</strong><br>Yeah, thank you very much. Thanks for having me on, Russ.</p>
<p><strong>Russ Fordyce (00:28)</strong><br>Yeah, so now I know about Optery because I was personally interested and interested for business reasons as well as personal. If somebody doesn't know this space, what does Optery do and kind of how does it help businesses?</p>
<p><strong>Paul Mander (00:41)</strong><br>Yeah, so what we do here at Optery — we are what is called a personal data removal tool. And what that means is we're focusing on solving the threats that are laid out by data brokers. If someone's not familiar with data brokers, data brokers are these companies that sell people's personal information. They'll sell things like your name, your address, your phone number, your family tree or organizational charts and expose that data on the web. So what Optery does is we constantly are scanning those data broker sites and then submitting opt-out or deletion requests at scale to get people's data off of those websites. And in today's day and age of AI-enabled social engineering attacks, this has become a very big problem for enterprises because this exposed data on data broker websites is the number one source for threat actors who are looking to socially engineer a company.</p>
<p><strong>Russ Fordyce (02:11)</strong><br>Yeah, and hackers go after vulnerable targets, right? And they go after big targets. Most of these attacks really do require that social engineering aspect. So you have to know very personal information about somebody or impersonate somebody well enough that it's convincing. And we've all heard of these stories — convincing people to wire millions. It's like, you forgot to pay Ford Motor Company for tires. And all of a sudden you're down a million dollars.</p>
<p><strong>Paul Mander (03:12)</strong><br>Right. You mentioned the big targets — and certainly the company's size or what industry it's in can make it a big target. But the one other thing we're seeing more of — traditionally people thought the big targets are the executives. But what we've actually seen is executives are only the fourth most targeted group. The most targeted group at companies are people in IT or who have administrative privileges because of the access they have. The second most targeted team was finance — because finance can move money. Third HR, then fourth executives. The biggest fish aren't the most targeted fish necessarily at companies.</p>
<p><strong>Russ Fordyce (04:20)</strong><br>Now you've been on the commercial side of this. Optery has this personal account where you can remove yourself from the internet, and you're selling this in bulk to businesses for basically the same reason, but it really protects the business. How many of the CISOs that you go in pitching this to are hearing about this for the first time?</p>
<p><strong>Paul Mander (04:51)</strong><br>Yeah, I don't think many are actually hearing about this for the first time. The awareness of the problem is there. But what's changed in the last six to eight months is that the desire to solve this problem at scale has really changed. They're thinking beyond just protecting executives — thinking about this as part of their enterprise attack surface. Each exposed employee phone number or email address is a vector that can be used for social engineering. If I think about this like a cybersecurity practitioner, I remediate these vulnerabilities and I reduce my exposure and my attack surface.</p>
<p><strong>Russ Fordyce (05:40)</strong><br>Yeah, and if you don't think phone numbers are vulnerable — the latest build of Android actually includes a device ID in your contact list so that they know the person making the call is actually on the device that number is expected from. Because hackers can make it look like your mom's calling you. And now with AI, it'll sound like your mom. Walk us through how a home phone number or work phone number actually becomes a breach.</p>
<p><strong>Paul Mander (06:16)</strong><br>Yeah, absolutely. Many companies have BYOD — bring your own device. That means on the same device, access to company email and company applications is sitting right alongside access to personal email and personal phone number. So the straightforward scenario is: if I compromise this device by messaging someone's personal phone number or their personal email address, I can then compromise the device and access any company systems on that device.</p>
<p><strong>Russ Fordyce (07:12)</strong><br>Why is this attack surface so overlooked? Compared to the bad outcomes, it's a pretty small investment. Why do you think this has been overlooked for so long?</p>
<p><strong>Paul Mander (07:36)</strong><br>Yeah, that's a great question. I think the answer is twofold. First, cybersecurity as a discipline is more technical. The initial mindset is let's harden our infrastructure and look at the API endpoints — make sure we're scanning everything incoming. But what tipped the scales is really AI. Before you needed more sophistication to start a social engineering attack. But with AI and particularly agentic AI now, it's really easy for someone with less technical sophistication to initiate a social engineering attack. They'll do it faster, at a larger scale, and with more convincing messaging. And that's what's made companies think: let's be proactive, let's reduce the source data available for threat actors.</p>
<p><strong>Russ Fordyce (10:21)</strong><br>So you've built this platform that removes data from a thousand or so sites. You can do custom sites too. What happens then — are they rebuilding profiles?</p>
<p><strong>Paul Mander (10:45)</strong><br>Yeah, absolutely. They're rebuilding profiles. In some jurisdictions the opt-out or deletion may be valid for a year or a quarter, and on day 366, they'll bring that profile back. And data brokers aren't really focused on quality of data — it's all about quantity. So if you're a Russell, they might say Russ Fordyce is one person and Russell Fordyce is another. So we're constantly scanning for that. The other thing we see is data brokers shutting down, rebranding, moving from one shell company to another. It's a bit of a game of whack-a-mole.</p>
<p><strong>Russ Fordyce (11:56)</strong><br>How are you doing the opt-out requests, and what kind of evidence do you get to prove the exposure is actually gone?</p>
<p><strong>Paul Mander (12:16)</strong><br>Yeah, and this is really what differentiates us. Our platform has a specialized search engine good at finding data broker profiles. As we find these profiles, we actually provide a screenshot of the exposure and a link to it. Then we begin submitting our opt-outs — we use AI, we have API integrations into the larger data brokers to process these at incredible speeds. Once the opt-out gets processed, you'll see that screenshot and that link — if you click on it, that link would be dead. We don't just say trust us. We'll prove it to you every time.</p>
<p><strong>Russ Fordyce (13:31)</strong><br>Yeah, and what's interesting about the commercial angle is it's really almost self-selling. You go into a CISO and say, look, your IT guy sitting next to you — here's everything about him. What surprised you the most about how much executive personal data is actually out there?</p>
<p><strong>Paul Mander (14:06)</strong><br>I don't know if anything surprises me anymore, Russ. I found data from my grandparents out there and they've never been on the internet. I think when engaging with CISOs and executive teams, we often do something similar to a consumer free scan. If you explain this to the CFO or CEO and they see their phone number, the name of their spouse, the name of their children — they're like, whoa, okay, this is a problem we need to solve.</p>
<p><strong>Russ Fordyce (15:27)</strong><br>Yeah, and if anybody hasn't done it, do a Google search. And now you need to do an AI search too, because AI search is a completely different animal. Now you describe the tool as a human plus machines. Why not fully automate the removals?</p>
<p><strong>Paul Mander (16:22)</strong><br>Yeah, we try to automate as much as possible because it's faster and cheaper. But there are times where you need a human in the loop. We have a team of what we call privacy agents that back up our technology and will QA the AI to make sure it's doing everything right. Or if we need to have a back-and-forth with a data broker escalating a request, there is a human in the loop.</p>
<p><strong>Russ Fordyce (17:02)</strong><br>As a marketer and sales guy, do you ever get into situations where people want their data updated?</p>
<p><strong>Paul Mander (17:17)</strong><br>The way I respond is: give me a reason why you want a company who you don't know and never gave permission to have your phone number and email address out there. I want the information about me — yeah, I'm in sales, you can find me on LinkedIn. But I'm controlling that. I didn't tell Apollo or ZoomInfo, here's my phone number and here's my team's org chart. And data brokers combine that with other data sources — public records, marriage records, fishing licenses — and combine that data with whatever you put on a form at the mall. That's why you don't want this sort of data out there.</p>
<p><strong>Russ Fordyce (19:24)</strong><br>You guys open-sourced what was called a data broker directory. Give us the reason for doing that.</p>
<p><strong>Paul Mander (19:36)</strong><br>Yeah — we fundamentally believe privacy is a right here at Optery. Our open-source data broker directory is the largest of its kind. It lists the data brokers, discusses what type of data they process, and provides information as to how someone can self-service opt-outs — because we know not everyone can afford our service, but that doesn't mean we think they don't deserve privacy. We wanted to create a resource for the whole ecosystem so people can get educated about the problem and work to solve it on their own.</p>
<p><strong>Russ Fordyce (20:31)</strong><br>Where do you think this personal data removal industry is headed in the next five years?</p>
<p><strong>Paul Mander (21:01)</strong><br>I think two things top of mind. First, companies are going to view this as part of their cybersecurity stack — just with their EDR and other technical solutions, this is going to be a key part of the stack over the next couple of years. Second, I think we're going to see more consumer control over where their data goes. The open web really fueled this rise in data going all over the place, and I think we'll see solutions that enable consumers to really gatekeep where their data goes — especially with AI changing the threat landscape.</p>
<p><strong>Russ Fordyce (22:43)</strong><br>Well Paul, fascinating conversation. Super important that people at least consider this. Start doing those Google searches and AI searches on yourself. And if it's near personal information, you really ought to consider doing something like Optery to get it off there. Because it's rapidly becoming a very easy attack surface, and the social engineering is really what makes these attacks work — you can't do it without data. Thank you for coming on and congratulations on the award.</p>
<p><strong>Paul Mander (24:44)</strong><br>Thank you, Russ. Thanks for having me on and appreciate the kind words.</p>









