Johnny Lee is a forensic investigator, cybersecurity and data privacy specialist, digital detective, and attorney with almost 30 years of experience under his belt. He is currently the Principal & National Practice Leader of Forensic Technology Services at Grant Thornton LLP, one of the world’s leading audit, tax, and advisory firms.
One of Johnny’s primary passions is providing advisory services to companies that are working to address complex cybersecurity, blockchain, information governance, and data privacy issues.
Here’s a glimpse of what you’ll learn:
- Johnny Lee talks about his background as an attorney and management consultant
- Why SOC 2 compliance is not enough to meet your company’s data security needs
- How blockchain technology is evolving over time to address privacy issues
- Grant Thornton’s litmus test for deducing how effectively and appropriately blockchain is being applied to business problems
- Johnny predicts what the future of privacy and data security will look like
- Johnny shares his personal privacy tips
In this episode…
You, like many other business owners, may think that you’ve done everything necessary to ensure your company’s privacy and security. After all, you have a SOC 2! But, is that really enough to protect your data?
Unfortunately, depending on compliance paperwork could lead to serious privacy and security issues for your business. Though having SOC 2 compliance is a necessary step in establishing protective measures for your company, it is the minimum requirement for privacy and security—not the maximum solution. So, what are the next steps you should take in your journey toward achieving privacy and security for you, your customers, and your company?
In this episode of She Said Privacy, He Said Security, co-hosts Jodi and Justin Daniels sit down with Johnny Lee, the Principal & National Practice Leader of Forensic Technology Services at Grant Thornton LLP, to discuss common misconceptions about privacy and security. Listen in as Johnny talks about why your business needs more than SOC 2 compliance, how blockchain technology is improving over time, and what the future of privacy and data security will look like. Stay tuned for more!
Resources Mentioned in this episode
- Johnny Lee on LinkedIn
- Grant Thornton LLP
- Jodi Daniels on LinkedIn
- Justin Daniels on LinkedIn
- Red Clover Advisors
- Red Clover Advisors on LinkedIn
- Red Clover Advisors on Facebook
- Red Clover Advisors’ email: info@redcloveradvisors.com
- VPN Considerations
- LastPass
- KeePassXC
- Strongbox
- Bitwarden
Sponsor for this episode…
This episode is brought to you by Red Clover Advisors.
Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.
Founded by Jodi Daniels, Red Clover Advisors helps their clients comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, SaaS, ecommerce, media agencies, professional services, and financial services.
Their free guide, “How to Increase Customer Engagement in a Private World,” is available here.
You can also learn more about Red Clover Advisors by visiting their website or sending an email to info@redcloveradvisors.com.
(00:08):
Hi, Jodi Daniels here. I’m a certified information, privacy professional, and I help provide practical advice to overwhelmed companies. I’ve worked with companies like Deloitte, the home Depot, Cox enterprises, Bank of America, and many more. And today I’m joined by my husband, Justin Daniels.
(00:29):
So good morning. I’m Justin Daniels or Jodi Daniel’s husband is I like to say I’m a cybersecurity matter expert and I’m also a business attorney. I help quarterback the design and implementation of cyber plans. And I also help clients when they have the inevitable breach. Additionally, I also provide cyber business consulting services to companies.
(00:54):
Today. This episode is brought to you by Red Clover advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SAS, e-commerce media agencies, professional and financial services. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers to learn more, go to red Clover advisors.com.
(01:29):
So who do we have here with us today? We have a friend of both of us today. So today we have Johnny Lee who is a forensic investigator management consultant and attorney specializing in data analytics, digital forensic, and electronic discovery and supportive cybersecurity incident response, corporate investigations and litigation. He also provides advisory services to companies working to address complex cybersecurity, blockchain information governance, and data privacy issues. Good morning, Johnny. And welcome.
(02:03):
Good morning to you both. Thanks for having me.
(02:06):
Absolutely. We’re really glad that you are here today to help get us started. You know, it’s really interesting that you are a management consultant and attorney in how many different areas you’ve covered over the course of your career. So I’d love if you could kind of walk us through the career arc and where you started and how you got to where you are today.
(02:28):
Well I’ll start with an anecdote from my father who was a career physician and knew he wanted to be a doctor at age seven, who thinks that my career progression is a function of attention deficit disorder, but it started in the liberal arts. I was a philosophy major determined to be a university professor and then fell out of love with that vision upon graduation and worked in the rare book business for a time taught myself how to program software and learn networking and master databases. And that was my career for about a half a decade. And then I reinvented myself and went to law school worked at the district attorney’s office for a short time. And once again fell out of love with that vision. And then ever since I have worked to try and marry those two real passions, law and technology.
(03:25):
And about the time I was doing that in the early two thousands there wasn’t there wasn’t a really established way to do that. There wasn’t a career path that was very well trod. So I worked through a series of consulting platforms. Arthur Anderson, a risk consulting firm that was formed after Arthur Anderson went under and now for the last 11 years at grant Thornton specifically focusing on forensic technology, which is, you know, the best way that I’ve found to marry those two real interest center to really leverage the knowledge that I gained over the past 25 years, doing professional consulting in some form or another.
(04:12):
So Johnny specifically in that interesting career arc of yours, how do you think being a lawyer has helped you with your management consulting and forensic practice?
(04:23):
So I think it’s a really understated aspect of a law degree that it is first and foremost, one of the best business degrees in the world. And the reason for that is that it lays bare the mechanics of how businesses really operate at a tactical level over time. The regulations they deal with the insulations and risk management protections, they’re able to secure their place in the market their ability to protect their brand. I learned more through law school and the years since about basic principles of contract law, to how to manage vendor relationships through my legal training, right? It is it is a first rate business degree and I’ve used it every day since in that capacity. It really does give you a peek behind the curtain that allows you to look at things with, with the proper level of skepticism and to apply that knowledge of how the world really works to say that that’s, you know, that’s not the right position we should be taking, or that’s going to run a foul of a regulation downstream, or that doesn’t protect our interests in the way you think it does because you don’t have this appreciation for a nuance in this quadrant or that arena.
(05:47):
So I’ve used it in that capacity. Mostly, I should say for the benefit of my current partnership that, that these, these views are mine alone and do not reflect those of Grant Thornton. For the record, I am a non-practicing attorney which will make my CPA partners quite happy to hear on the record.
(06:08):
Got it, got it, got it, love it. Are there any particular themes that you find come up often over and over again?
(06:17):
In regard to the consulting work? I do, yes. I think you know, it depends on the context of that question, but there are themes that I see over and over again with regard to the way that certain interactions happen, you know, with our clients in some ways seems elementary to say that you might have the right to do something in a contract. But if you do it as a matter of common sense or sort of social being socially conscious, you’re going to alienate your customer or the actions you’re recommending may take, might alienate their customers or their stakeholders. So I see that disconnect happen all the time, confusing permission, you know, confusing the is with the odd, if you will. And that scene comes up again and again, both in the privacy arena and the security arena in the security arena. I see that conflation happen most often in the context of confusing compliance with actual security. One is, you know, both are very valuable agendas, but they’re very different animals. And we see that come up again. And again, that sort of difference between we’re compliant. How could we possibly have been breached? And those conflations can be very dangerous for businesses, both in, in their tactical security and their, their broader privacy philosophies. So wait a second, Johnny, you mean when I read the cloud providers soc too , I thought that meant that they’re good to go.
(07:55):
Well, soc twos are our scopes that are designed by management. So it’s important that you read them carefully. And for the substance of them, the fact that they exist is evidence of nothing, except that they’ve had a third party do something for them. So it’s a great point. And I know you asked the question tongue in cheek, but I think that is the illustration that we see as a disconnect. We see paperwork being held out as something beyond which it really signifies, and there’s a danger to that. And I think privacy professionals recognize that. And I know that cybersecurity professionals recognize.
(08:33):
Yeah. So that’s a really interesting point. There’s I talk with a lot of companies and the belief is, Oh, if they have that SOC two, then that’s it. They’re good. I’m curious. What do you see companies doing? What, are the recommendations we could offer to another company evaluating to say that piece of paper is great?
(08:56):
Here’s what else you also want to be looking for?
(09:00):
I think first and foremost, it’s recognizing that satisfying a compliance agenda and satisfying the desire to be secure or to hold private information truly securely. Those, those are Venn diagrams, and if you’re doing it well, they overlap significantly, but there’s daylight on both sides of that, right? There are things that relate to a compliance agenda that have little impact, move the dial very little in terms of securing your data more or less. That’s always going to exist, right? With the nature of evolving technology and the complexities of bad actors, constantly innovating and studying ways to compromise data. There’s always going to be a Delta between what the law or the regulation says needs to occur as a certification mechanism versus how to actually day-to-day keep your environment secure. And I think that’s just a practical reality that more and more executives appreciate every year.
(10:04):
But it’s an important thing for us as consultants and advisors to, to repeat as often as we can, because I think the, the notion that a compliance audit has achieved security is a dangerous one to be sure there is overlap there. And there are meaningful things that management can take out of a compliance audit done very well. And that can rely on those audits. If it’s done by a reputable party against an established benchmark, that’s meaningful in the security arena, but it is very dangerous to conflate those two things as a matter of principle. But I think, you know, your, your, your company is a great example. I know Justin, the way he practices law thinks about this holistically, and these are the sorts of things that our clients need to hear again and again, right? Which is, these are different conceptualizations of very squishy concepts. And, you know, you can’t find any two security geeks to agree on much, but I think if you ask them whether, you know, a SOC is equivalent to security, you’ll get pretty uniform answers in the negative there.
(11:13):
So Johnny, you touched on emerging technology. So I wanted to take the conversation into a more narrow area of emerging technologies. And I want to have you talk a little bit about the type of work that you’re doing with blockchain technology.
(11:29):
Sure. I’d be happy to I’m a diet and will convert so a discount accordingly, but we we’ve been in this space for a little over seven years at Grant Thorton. We are doing work principally in, in an arena. That’s very age-old right. We are helping our clients as a public accounting firm do financial statement audit work and the intersection of how blockchain relates to that and how it in some ways hinders that and how it helps. It really been a fascinating thing to watch over the last seven years. If you think about what a traditional financial statement audit consists of, some of the key testing attributes come in this concept of existence, right. Does the asset that your client is asserting to hold exist? Is it real, and is it valued at the level that your client asserts it to be in their books?
(12:34):
Ownership is a really critical, crucial aspect of testing of this kind of financial stuff kind as well. And in the book, blockchain arena, those two concepts, perhaps above all others, at least from a technological perspective Have been very challenging to, to effect with distributed ledger technologies. Yeah, I’ll explain a little bit why without you know, exhausting our entire time together, but with regard to existence, the ledger actually has neat mechanisms for ready identification of whether an asset exists. And at that given point in time, what that asset consists of in terms of its objective valuation in some ways that’s a little harder than a traditional financial statement audit because you can’t get things from an objective third party, like a bank. We can’t simply get a bank statement as of midnight on December 31st and call it a day. We have to, for some types of cryptocurrency and our firm audits nearly 40 different nodes and thousands of different ERC, 20 compliant tokens.
(13:47):
In some of those tokens, especially what we call the Satoshi like tokens Bitcoin and their derivatives. Getting to a point in time balance is an eminently challenging affair because the ledger doesn’t hold that data. So in essence, once you have an address that you need, that, that you can establish is in fact, under the custody and control of your client, you then need to establish what at that point in time, the end of the fiscal year was in that address and what its objective value is. And to do that for certain kinds of technology, you need to recreate the entire transactional history of that address because you need to tabulate what are called unspent transactions. And so it’s not enough to have the address, and it’s not enough to establish that that client had custody and control of that address as of that point in time.
(14:47):
But then you have to do all this convoluted forensic work to reconstitute. What that value was that point in time balance was for that address in that cryptocurrency. And this mode of testing can be vastly different from one cryptocurrency to the next. Now in other ways we can do very ready things. The existence and ownership for some cryptocurrencies, the existence is pretty straightforward and the ownership is very straightforward because it is immutably recorded to the ledger. So in some currencies that’s even more straightforward than a traditional financial statement audit, but in others it’s eminently harder. And so we need to actually run both an independent node to satisfy our charter as a arm’s length accountant, but we also need to run derivative or forensic nodes that are constantly improving the record in the background in a way that satisfies an agenda that is very different than what the designer’s implemented. It may come as no surprise to you two, that blockchain developers don’t really contemplate making auditor’s happy as they build their new products. So I hope that helps,
(15:57):
Or I might add privacy and security professionals for that matter. They just develop technology. But on that score with a follow-up question, Johnny, what are you seeing as blockchain is evolving when it comes to addressing privacy issues? Because one of the great things about a blockchain is the ledger is supposed to be interviewed. And obviously we’ve got privacy rules, California, and GDPR that talk about being able to get your data or being able to be forgotten. How are you seeing that being reconciled or that an issue that’s just not being addressed yet?
(16:31):
I think it’s being addressed. And I think it comes down to the consensus model, the design of the original implementation. There’s some really exciting promise for privacy in the blockchain technology. Perhaps no more so than the bank of India example where a consortium of banks who are normally fierce competitors are actually sharing information at a remarkable level of fidelity to prevent a certain kind of systemic fraud in that part of the world. They’re doing it in a way that is not in any manner betraying the privacy obligations that they have for their account holders and their applicants that would run a foul of either, you know, national law or, or their customer relations outreach. So I would say that that is an example of an exceptionally well-designed program that uses firmly established cryptographic architectures like a Merkle tree to secure private data, and yet make it available or verifiable if those combination of data elements is seen again in a ledger.
(17:47):
Then there are certain that we’ve seen that don’t adequately contemplate the right to forget or the right to purge or immutably recording things on the ledger that are you know, un-encrypted or unauthorized skated. Those are problematic because as you know, with the EU directive and the privacy laws coming out of California and burgeoning elsewhere around the world those are going to be very problematic technologies because if you write it to the ledger, it is, you know, in, in the common parlance immutably there. And so whatever you’ve written can’t be struck. And so if you haven’t contemplated that from a consensus model, you’re going to have a lot of problems with that. And those kinds of solutions will fall by the wayside, whereas something out of India, like the Merkle tree example those are, those have got legs. I think we’ll see those architectures be adopted more and more often because they find where to put that fulcrum between efficacy and privacy. And I think it’s a, a very good question, but it’s all over the place
(18:57):
So much, like we talked about before where oftentimes people will get a SOC report check-mark. It’s a secure company. They’re good. A lot of times I hear, Oh, well, it’s on the blockchain. So it’s secure it’s okay. What are the challenges when someone is thinking along those lines?
(19:17):
You know, it’s a great question. And, Grant Thornton came up a few years ago with what we have come to call the litmus test, which was as much an internal mechanism for us as it was a mechanism to help our clients figure out whether blockchain was being appropriately applied to the business problems they were bringing to us to help solve. And I think, I think something like that is probably worthwhile, right? I won’t bore you with the entire litmus test, but it basically comes down to an illustration that if you can do what you’re proposing with the traditional database design, then all you’re doing through a blockchain implementation is building a slower database, right? Because you’re not speaking to the two central strengths of blockchain, which have to do with functions of trust and functions of system resilience. And so if you can’t pass that litmus test, then you are by definition applying the wrong tool to the problem.
(20:18):
And I think that’s how we would approach that, which is, let’s be careful about what your actual agenda here, your agenda is to serve clients with this kind of modality, but you also have this privacy balancing that is blockchain, the right solution for that. And that’s that design consideration that you were alluding to Jodi, which is maybe blockchain technologies aren’t designed with auditors in mind or privacy and security practitioners in mind, but the better ones will be because those are necessary design inputs, but I think there’s an analog to traditional software development there. Right? Most software is not designed with security in mind. That’s changing as a phenomenon in the it world and has been, I think for a decade, but it used to be quite the afterthought, right. I remember doing coding at Arthur Anderson and the security guys were brought in at the last minute with an impossible deadline and an incredibly complex set of interwoven code that they were asked to sort of bless or rubber stamp days before a launch.
(21:23):
And it was a completely unfair request. And I think, I think a great deal of that still goes on and the better companies bring into their dev ops and their design protocols considerations about privacy and security. And I think you see that with the cottage industry, that’s springing up to serve those who are, are tending more toward privacy considerations in their consuming habits, right? Look at a company like start page out of the EU as a, as a secure search engine, right? A private search engine. It, something like that didn’t exist. Right. We had the U S equivalents and ducked out go in the light for years, but this has ratcheted that up even more so that there is a free market response to those. And I think the ones that contemplate privacy insecurity in the design and through the implementation of the software are going to have a real competitive advantage because I do think there’s a groundswell in the consuming public that those things are increasingly important every year.
(22:28):
Yeah. We’re, we’re certainly laughing over here about the last minute folks coming in, being asked to bless and make it all magically secure. I certainly still see similar concepts, whether it be from a legal point of view, here’s the contract I’m good. Right. Or we can get that privacy notice updated, or it meets that or the security piece. So we have certainly made progress at the same time. There’s more, more to be done. On that note, what might you say is sort of the future? We talked about blockchain and the evolution of incorporating privacy and security at the beginning and how the tools are continuing to advance with the push towards thinking about privacy and security. So if you kind of put your crystal ball in front of you, what, what does the future have to say? Is there a new future technology that you might you might start seeing more of?
(23:27):
I think I go back to the way I sort of answered the last question. I think the future is going to be driven by considerations that 10 years ago weren’t part of the equation, right? I mean, if you look at the launch of the things like Facebook and consider a launch of competing technology today, like parlor nobody would have paid attention to parlor, which is a social media platform designed with privacy in mind. Those are really different conceptualizations and, and they’re almost bookends to the kind of contemplation you’re asking about here. People weren’t shopping for privacy 10 years ago. They simply, weren’t not in America anyway. And that’s mostly what I’m commenting on here. Folks in the European union, they have a different conceptualization of privacy.
(24:24):
We can certainly talk about that, but I think more people are coming around to privacy as a worthwhile consideration are, are more considerate of how businesses, some, some businesses exist strictly to aggregate and resell and package you as the product. I think the disturbing trends coming out of the consumption of social media among our teenagers. Research like that is really important. And if you’re sort of watching all of that unfold and becoming an edified consumer, you’re going to shop very differently than you did a few years ago. And I think the companies that are picking up on that and honestly catering to it, they’re going to have a real edge there. And I think that above all is the real difference in the next five or six years in terms of how markets are going to be, our products are going to be marketed, I should say,
(25:25):
Thank you for that, Johnny. I think we’re gonna get to the last two questions that Jodi had asked about that. We’d love to learn more about.
(25:37):
What’s the best privacy or security tip that you’d offer to our listeners?
(25:44):
Oh boy, I get this one, a fair amount. Sticking with, with personal privacy, the two best things you can probably do for yourself are to research and adopt the use of a password manager and a VPN. There are things that, you know, if you study this space, even at a cursory level, will disturb you about how much your internet service provider knows about you, about how much your phone company knows about you, about how even the public records that your jurisdiction holds about you and how those information and those data get packaged and resold even from governmental entities. There, there are steps that you can take to make sure that you can minimize those digital footprints and without becoming perhaps as paranoid as the speaker here lighten your concern about exposures in that way. I don’t think people need to go down, you know the privacy rabbit hole entirely to get comforting news, that these things are manageable risks and password reuse is one of the easiest things to conquer. And there are viable user-friendly technologies to help you with that. So I would say those two things are probably at the top of that list.
(27:18):
Thank you. Do you have a we’re big VPN and password manager, people here as well. Do you have a favorite one that you recommend?
(27:28):
You know, I should probably steer clear of a specific endorsement here, but for my personal use, there are a lot, I think what’s important is to find a reputable company that’s going to be around two or three years from now, and that’s always a challenge, right? But there, there are a lot of you have to do your homework, right? There are a lot of very reputable sources out there. There are companies that are established to do nothing but privacy work. You look at a company like proton which has secure mail and calendar functions, and also its own VPN client situated in Switzerland, which is a remarkably privacy oriented jurisdiction. You have Nord as a technology that there are, you know, there are a half dozen, highly reputable firms that do VPN work. And there is a privacy scorecard that you can build for some of those things.
(28:23):
And certainly happy to send you some links for your show notes on that allow you to contemplate those sorts of things where they’re situated. Are they subject to this third-party review, are their practices, where are the servers do they store logs? You know, all those sorts of things I think in the US there’s an increasing appreciation among the consuming public that there’s an awful lot of warrantless searches that happen on logs of that kind servers of that kind. There are exceptions to what most people envision as their fourth amendment protections that are worth looking into right. Again, consider the source I’m professionally paranoid, but these are the sorts of balancing acts that I think are important for privacy conscious folks to contemplate as they look at a password manager or a VPN product.
(29:16):
Well, thanks. We would love that list. So please do send it along. We’ll make sure that we post it
(29:21):
Excellent. Happy to do it.
(29:23):
All right. So I think the most important thing is outside of being professionally paranoid, when it comes to privacy and security, what do you do in your free time?
(29:34):
Well, I think this may not be a terribly interesting factoid, but I have been an inveterate reader since I was a kid. And my first real job out of college was in the rare book business. And there I think I had the habit turned from reading to collecting. So I’ve been a book collector for more years than I’ll admit on this podcast, but decades let’s call it. And I have a, a really solid collection of 20th century detective fiction first edition. And so I spend a great deal of my time out of work, reading mysteries and detective fictions and those sorts of things. So that’s how I’d answer that.
(30:22):
Yeah. That’s a new fact in all the years. I’ve known you. I didn’t know you collect books, that’s going to be it for our next coffee time, whenever that happens in the future. Well, fair warning. I can go on for days about that.
(30:34):
Well, I look forward to it. I love to read as well, but so Johnny, how can people find you to learn more about what you do and the kind of expertise you provide?
(30:44):
Well, I appreciate that. I am a partner at Grant Thornton and I lead a practice there called their forensic technology group. And that group specializes in cyber security and privacy and blockchain work in, in terms of how advanced technologies get applied to those agendas. So if you go to grantthorton.com and search my name all eventually come up, there’s a good looking Johnny Lee, he lives in New York. So I’m the second one.
(31:13):
Nice. Well, Johnny, thank you so much for joining us today on the She Said Privacy, He said security podcast.
(31:24):
Thanks so much for having me. It was a lot of fun.
(31:26):
Thank you.
Privacy doesn’t have to be complicated.
As privacy experts passionate about trust, we help you define your goals and achieve them. We consider every factor of privacy that impacts your business so you can focus on what you do best.