
Intro  0:01  

Welcome to the She Said Privacy/He Said Security podcast. Like any good marriage we will debate, evaluate and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:21  

Hi, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified woman-owned privacy consultancy. I’m a privacy consultant and a Certified Information Privacy Professional, and I help provide practical privacy advice to overwhelmed companies.

Justin Daniels  0:36 

Hi, Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I do that through identifying the problem and coming up with practical, implementable solutions. I’m a cybersecurity subject matter expert and business attorney.

Jodi Daniels  0:56  

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, e-commerce, media agencies, professional services, and financial services. In short, we use data privacy to transform the way companies do business. Together, we’re creating a world where there is greater trust between companies and consumers. To learn more, visit redcloveradvisors.com. Alex, we are so excited that you are here with us today. So welcome, Alex.

Alex Rayter  1:41  

Thank you guys.

Jodi Daniels  1:43  

So Justin, who do we have with us today?

Justin Daniels  1:45  

Well, Alex Rayter is a husband, father, volunteer and operator of Phoenix 2.0, a full-service IT and cybersecurity consulting and management firm. Alex is passionate about local not-for-profit organizations, and how technology and the power of data can solve societal problems which heretofore felt unapproachable. He also believes that internet access and data security and privacy are fundamental rights of our modern society, and is committed to helping his clients and those in his network to leverage technology to better their businesses and personal lives.

Jodi Daniels  2:22  

So Alex welcome to the show.

Alex Rayter  2:26 

Thank you guys. It’s really good to be with you. Absolutely. That was so fun.

Jodi Daniels  2:30  

Yeah. Tell us a little bit about how you found your way to cyber. How did you start your company? Tell us a little bit about the story of how you got to where you are today.

Alex Rayter  2:42 

Yeah, I mean, kind of in a nutshell: I’ve been in IT since a little bit prior to the dot-com boom, so we’re talking kind of late 90s. And I worked in corporate IT, corporate employee-facing IT and back office infrastructure. And, you know, just sort of through the dot-com crash and, you know, the sort of Bay Area job market in tech that fluctuates, I sort of figured out that I like working for smaller consulting firms, and sort of being able to write my own ticket in the kinds of solutions I recommend to clients and overseeing the implementation from concept to design to post-implementation support. And, you know, doing a lot of customer hand-holding, and just really having creativity with tech and not sort of being pigeonholed into a rigid sort of corporate structure around that. So, you know, I started a small consulting practice that really quickly grew. I have a couple of partners that I’m fortunate to work with. And we’ve always been a boutique, but we kind of, I would say, punch above our weight, just because, you know, they’re a little bit older than I am and have a lot more market experience. So I’ve been fortunate to work with clients that I think I wouldn’t normally have exposure to working in a small managed services provider. But yeah, and then I would say, quite a few years prior to 2017, you know, security started to become a little bit more of a public thing, right? It wasn’t like something that I’d see people talk about amongst themselves and, you know, worry about. I mean, being in IT, we’ve always talked to clients about recovery time objectives and recovery point objectives in terms of architecting a backup structure for data, right? And so part of the conversation has always been what kinds of things can blow those metrics out of the water, right? Well, cyber events have always been the thing, right? It’s just that I think around 2017, when we had, you know, ransomware start to happen and we had NotPetya and WannaCry and Equifax, right? 
And then GDPR comes out. I think that put the subject front and center, and so while we’ve been working on it for many years, we really have stepped it up, I would say, in the last five years, just because it’s become such a public thing. And now it’s really a major preoccupation for us and our clients, and I would say for prospective clients that we’ve talked to.

Justin Daniels  4:53  

So Alex, I think where I want to begin our conversation is, interestingly enough, we prepped this program with you in early December, and since we prepped for that, we have SolarWinds. And I think I refer to December as the Ransomware Grinch that Stole Christmas. And so, with those things in mind, I’d love to get your take on how those things may impact the companies who seemingly continue to ignore cyber and privacy issues in their company.

Alex Rayter  5:28  

Yeah, I mean, so our clientele is SMB, lower middle market, middle market, and then groups within enterprises, right. So it really depends which one of those you’re talking to. I think the SolarWinds thing is a major concern for larger enterprises, or people that are big enough to run SolarWinds or any of the tools around that ecosystem. But what I think some of the wisdom out there is saying, and some of the folks, you know, we all know, I think is going to be the case, is that the folks that have established sort of persistence in these environments are going to hand this stuff off to ransomware gangs, right, and that I think will flow downstream to the smaller organizations who are already so much on the back foot. So I’m concerned about an even more massive ransomware year, right, affecting, you know, schools, municipalities, not-for-profits, right, you know, small, privately held entities. And I don’t know what we’re gonna do about the SolarWinds thing, sort of as a larger picture. I mean, I think that that’s a much bigger topic to cover. But I’m concerned more about our clients who, you know, were already on the back foot.

Justin Daniels  6:35  

So Alex, just to drill down on that a little bit, from your perspective: when I think about SolarWinds and some of these other things, what immediately comes to my mind, from an SMB or even enterprise level, is your supply chain is a significant cyber risk and potentially a common point of failure. And I still find myself really having to educate a lot of companies to say, well, what kind of third-party compliance plan do you have? How are you vetting your vendors? Because you may have a great cyber plan, but if, you know, you’ve given your HVAC vendor the keys to your kingdom, all your security is for naught. So talk to me a little bit about what you’re seeing with your clients when you talk to them about, hey, you really need to care about this, your vendor ecosystem risk level.

Alex Rayter  7:19  

Absolutely. So what I have seen an increase in, which I find hopeful, is that a lot of our clients or prospective clients we’re talking to need us because somebody handed them a security questionnaire and said, fill this out if you want to continue working with us, which I think is a positive development. And so we get brought in to do some sort of a gap assessment or readiness assessment against one of the frameworks, right. And normally, you know, during the course of that conversation, I will interject: you know, you should talk to not just us, a hybrid IT and security firm, you should have counsel on standby that you can call in the case of an event, right, you should talk to a privacy consultant, because let’s start having the privacy conversation while we’re looking at security. Right, let’s not put that off, and have a team approach to this thing. So that’s one of the positive developments I see. And so they understand supply chain from that perspective, because they’re being asked. Some of our more mature clients are, in turn, asking vendors in their supply chain to fill out questionnaires. So it’s this whole, you know, sort of everybody’s passing around their papers and saying, hey, you know, what’s your posture like? Right, so, which is a new positive development.

Jodi Daniels  8:32 

So for the smaller companies that you’re working with, and, you know, we’ve talked about SolarWinds and what’s happened recently, but we’ve now been at this mostly permanent-ish remote workforce situation for 10 months now. What are you seeing are some of the big issues arising from those types of environments? People are now kind of settled into this remote work environment. So what are you seeing from a privacy and security perspective of what they’re doing right, and maybe what they’re not also doing right?

Alex Rayter  9:09  

I mean, so for me, it’s a question of sort of pace and scale, right? Like I said, I think, you know, smaller organizations were already on the back foot, right, with security, just trying to catch up and get, you know, a handle on some of the CIS Top 20 controls, right, roll something out that resembles a programmatic cybersecurity approach. Now, what we’ve done since March of 2020 is we’ve just multiplied the attack surface several times over, right, I mean, exponentially. Home offices with no sort of de facto security built into them. People that were using work devices, now there are employees that have gone home, and they’re using, you know, home devices for work at least part of the time, right. So you’ve got BYOD. Two of the sort of worst things that can possibly happen to an environment: no network perimeter and BYOD, right, and oftentimes no requisite policies to deal with, you know, those kinds of situations, right? So what happens if you’re using a personal device, and it’s compromised, and we need to wipe it and you’ve got, you know, family photos on there? You know, that’s not a conversation you want to have with an employee in the middle of a cyber event, right? So some of our more mature clients have done things like put an addendum to their employee agreement to work from home, and then that talks about acceptable use policies in the home. Right? And a lot of it is data privacy, how do people feel about this sort of bleeding over of, you know, personal and work data onto the same device, right? If I’m in my home, and I’m talking to a customer, right, folks can see everything around me. You know, I may have tabs open on a personal computer that people can see. I mean, all of these sorts of things that were, before, not really a concern. So yeah.

Justin Daniels  10:53  

Alex, kind of bringing the conversation out to a strategic level: talk to us a little bit about when you have to go into these potential customers of yours to talk to the executives, the CEO. How do you communicate cyber to them on a level that they can say, yeah, this is something actionable, I need to put money and resources towards this? How does that conversation go these days for you?

Alex Rayter  11:22  

It goes better. And again, I think since 2017, it has gotten people to pay attention. CCPA coming online has definitely gotten lower middle market companies, and some SMBs, thinking, okay, privacy, security, I need to be looking at this. Where I find that I’m successful is when I talk to them about the overall risk landscape. So we have an IT business, but we also have IT management, but we also have an IT staffing practice, or technology staffing practice. And so I talk to employers about the difficulty of, you know, hiring and retaining tech talent in the Bay Area, right, in California with all of the employment law sort of burdens and salaries and just finding the talent, right, so I talk to them about that. We talk about supply chain, product supply chain, or materials from Asia, right? A lot of companies here rely on that, right? So a lot of SaaS companies have a device where part of the supply chain and manufacturing was in Asia. So what’s happened since COVID, right, with that? Talking to them about financial headwinds, right. And then I slide in cybersecurity, right, as part of that conversation. So when I talk to them about the general risk landscape, and cyber is just one of the top five things that you now, Mister Business Owner or Mrs. Business Owner, should be paying attention to, it’s a much easier conversation than if I just come in and start spewing cyber all over the place without contextualizing it as part of the larger sort of risk landscape that any good business operator has to concern themselves with. 
And frankly, in the conversation I’d say, look, you could be sitting here and have a six-figure, seven-figure event tomorrow, depending on the size of your organization, and be at, you know, 20 to 50% operating capacity for a month. How, you know, is that based on your risk appetite? You know, is that something we should be concerning ourselves with, right? And I think that kind of conversation gets people to pay attention a little bit, versus sort of diving in with, you know, controls and all of the compliance frameworks and stuff, which I think people lead with sometimes and, you know, it sort of falls on deaf ears, because, you know, most business owners don’t get cyber that way.

Jodi Daniels  13:27  

Yeah, so on that theme, what do you think are some of the biggest challenges today that your customers are seeing from a privacy and security perspective?

Alex Rayter  13:40 

Well, especially on the privacy side, I feel like they understand that their workflows, you know, need to change, that they need to be able to do some things pretty quickly now if somebody calls up and says, hey, I want to see what you have on me, and furthermore, I want to be forgotten, right. And so I think a lot of them don’t know where to begin, and what I appreciate, Jodi, about your services is that you have the sort of prepackaged plans that I think are very easy to consume and get people started on the program. It’s a practice and a program, right? You’re not going to arrive at GDPR or CCPA compliance overnight, and I think a lot of business owners out there don’t know where to begin. And so, you know, telling them, look, you can talk to a privacy consultant, just have a consult first, right? Do a data classification project, right? This is something that is automated; you don’t need to sort of, you know, marshal your whole workforce to do this. And then let’s have a review. Let’s have a conversation with cyber, with legal, with HR about, you know, what this would look like if you were to begin this journey. But you’ve got to start somewhere, and I think that people find that helpful, versus, okay, I’m in scope for CCPA, what do I do, hair-on-fire kind of thing, right? So.

Jodi Daniels  14:54  

That’s very important. I talked to someone yesterday, and it was really interesting to hear how the needs arose of how to comply and who’s on task. It actually started from HR and thinking from an employee perspective. And then they kind of tasked someone else, who doesn’t know anything about privacy and security, to go out and find vendors who can help. So yeah, it’s really interesting, because the decision to decide, you know, which vendor and how to start and where to start, you really need people who understand the situation and the data, and how the organization is kind of set up, for them to make the right choice of which people they need to bring in. So I think it’s even the learning curve of who in the organization needs to be a part of the team, if you will, to help solve these privacy and security challenges.

Justin Daniels  15:50  

Well, on the privacy theme, because we just had this conversation before. So in the context of, hey, Jodi, does your company collect any private information?

Jodi Daniels  16:01  

No. We really don’t. We don’t really market, we get all referrals. We don’t do anything like that.

Justin Daniels  16:08  

Yeah, but you have the CRM, and don’t you have emails and phone numbers of people?

Jodi Daniels  16:13  

Oh, we do.

Justin Daniels  16:15  

Well, that’s PI. Didn’t you know that?

Jodi Daniels  16:18  

No.

Justin Daniels  16:19  

Oh, well, maybe we need to have a conversation with these Red Clover people. So Alex, with our fun banter in mind, our question for you is, how often do you see companies who claim they do not collect personal information, only to find it in places the company did not expect to find any, like maybe Jodi’s phone, or an employee phone, or something like that?

Alex Rayter  16:44  

Yeah, absolutely. I mean, all the time, right? I mean, I can give you the IT perspective on this. So we often meet companies that, you know, would like to form a support relationship with us, right? And the reality is most, you know, even middle market companies don’t have adequate IT documentation for somebody to come in in an emergency and pick up support of the environment. So if they don’t have basic documentation about infrastructure, how can we expect them to know where data is flowing through that infrastructure? Right? I mean, that’s the scale of the problem. So yeah. I think people are really sort of in the dark about it. First of all, nobody really has a purview organization-wide, right? So it depends who we’re talking to. If we’re talking to marketing, those folks typically know that they have PII, right, because they use this stuff in campaigns, right, and sort of customer nurturing, and journey mapping and all this sort of stuff. But, you know, you talk to another department, and they don’t really have a sense of what goes on overall. And the reality is, it’s hard for us to get enough stakeholders together to really have a conversation that’s meaningful about, you know, we’re going to look at the overall environment, and how data flows, and how you guys actually work with somebody. It’s a problem of documentation, you know, from my perspective.

Jodi Daniels  18:07

You mentioned documentation and sort of the IT documents, so someone could come in and pick it up. What should that documentation look like? If you were to come into an organization, what is it that you’re asking for and want them to produce? Or if they don’t have them, what are the types of things that you could help create?

Alex Rayter  18:27  

Yeah, great question. So I think you did a great job of contextualizing the last answer, but one thing I would say is a network diagram, right? Like a basic network diagram: what’s connected to what, right, in terms of infrastructure? Where are the servers? How’s data coming in? You know, what protections are there, right? Where are people remoting in, and from where? We know IP addresses, login credentials, right, what’s running on what. So just that, and that’s typically, you know, a half-page Visio diagram, you know, that you can fit a lot of stuff into; sometimes you’ve got to zoom out, there are so many little pieces there. But I mean, they often don’t have that, right? So if we’re going to drill down to the data level, we certainly can’t expect them to have any kind of meaningful answer. And again, we typically do upwards of 20 to 30 interviews in an organization to really get a snapshot of IT and data and all this sort of stuff, and that’s an IT audit. And then we take that and we propose, you know, cybersecurity, IT management, you know, planning for near- to mid-term budgets, etc. So that’s the scope of the exercise to really get our hands around this. And I know that there are some great tools out in the vendor landscape for doing this from a privacy perspective, right? Which I think is amazing, because otherwise, you know, this is a manual effort on our part, or has been here before. We also have tools, but I think the privacy tools that are out there, from what I’m seeing, are very mature.

Jodi Daniels  19:55  

Thanks for elaborating. I think that’s really helpful for people to understand the types of documentation that we want to be having.

Justin Daniels  20:01 

I find what Alex said very interesting. Because, Alex, what you just said is one of the first three questions you’re going to ask on an M&A deal when you’re looking at due diligence of the IT and the cyber infrastructure. Because if you don’t ask the question that Alex put forward, you won’t even know what ports you could have that might be open, which are the exact way that people get in to have a ransomware attack. And as we all know, the typical amount of time between coming into a network and engaging in the mayhem is around 277 days. So I find it interesting that what Alex is saying is not only relevant for your initial trying to help companies with their hygiene, but also if you engage Alex, because you’re going to use his firm on M&A cyber due diligence.

Alex Rayter  20:52  

Yeah, absolutely. I mean, we’ve been on both sides of the deal table. So somebody is going to acquire somebody, they want to understand what they’re acquiring. Conversely, you know, hey, we’re being acquired, or we’re being shopped around, people are coming in, or auditors are coming in, we have to, you know, have documentation, we have to show them something. Show us your papers, right? As Mike Hamilton from CI Security likes to say. I really love that phrase. Show us your papers has kind of a negative connotation, but, you know, that’s the reality of it. And so, yeah, I think doing that kind of exercise is, you know, important. It’s really got to be in place, whether it’s M&A, or whether you’re going to get a questionnaire from one of your largest clients. You’ve got to be able to turn this stuff around pretty quickly. You know, you don’t want to be doing this kind of discovery, right, in a crunch. So I agree, Justin.

Jodi Daniels  21:41  

I’m curious, on either the M&A side or just even in general, as we were talking about kind of that vendor management piece, have you seen it change in terms of volume or the types of questions over the last couple of years? Are the questions getting a little bit more granular, or are there more of them? Or has it been the same?

Alex Rayter  22:03 

I think they are getting, well, these are different, right? Like, what I find mysterious is the questionnaires that cyber insurance companies send around. It’s fascinating that someone has a very basic questionnaire and others, you know, some of the better companies, I think, find it prudent to have a much more detailed questionnaire. But that’s a whole separate conversation; that landscape is evolving quickly. These security posture questionnaires are typically, I think, pulled out of, like, some, you know, SOC reports or other compliance frameworks, and then, you know, the company will sort of take what they think is relevant and give it to people in their supply chain, right. So when I look at these, we often will bring in a CPA firm that has people who do cyber compliance and auditing, and typically, you know, what happens is, for most companies, if they’re mature enough to have enough infrastructure, they’re better off going for a SOC, right? And so we’ll tell people, listen, don’t, you know, fill this thing out and then fill out another one tomorrow and a different one the day after. Just go for, you know, HITRUST or SOC certification or something like that. Start that journey. You do the readiness assessment, you can answer the questionnaire and show them that and say, hey, I’m working towards the SOC. But most of them will say, look, if you have some kind of a credential, you can show us that. So yeah, I feel like it’s evolving, right? I mean, I think it’s good that we’re making each other fill those out. So, thank you.

Justin Daniels  23:28  

So Alex, changing tack a little bit, we ask all of our guests the following question: can you share with us what you think your best personal cyber tip would be?

Alex Rayter  23:38 

I think it starts with passwords. I think you can’t really get around that and start going into, you know, advanced cybersecurity. I tell people, start with passwords, right? If you can wrap your mind around that concept and how to do that, just the exercise of that will get people to then realize, okay, I’m doing passwords, I should do MFA, I should think about identity and access, and, you know, privacy, you know, it’s my data, right? It’s the whole concept of securing it with a password. So I think that, for me, that’s the number one control, right. I think the biggest issue you can have is if somebody nabs your credentials to email, right? I mean, if they get into your email, they’ll start resetting things, locking you out, sending emails on your behalf. So I would say passwords, and then from there, you know, the Australian Cyber Security Centre, which is an agency, came up with this great thing called the Essential Eight. They tell people, and I added a couple of things, but it’s like a subset of the CIS Top 20, kind of scaled down to the personal level. And I would tell people, look, passwords, and then turn on multi-factor, and, you know, make sure you have a backup of your data somewhere that’s not connected to your main device that you’re working on. So.

Jodi Daniels  24:52  

Super great tips. Thank you. So when you’re not consulting and advising on cybersecurity, what do you like to do for fun?

Alex Rayter  25:03  

I can best answer that question by asking you, what do you mean by fun? I don’t know if that tells you anything, but I’m kidding. I, you know, work’s really busy, and I’m lucky that I enjoy what I do. I mean, I geek out on this stuff, but I’m really into history, and, you know, it’s sort of a passionate interest of mine. And what I would say is purely fun, that has no sort of motive attached to it or anything else, you know, there’s no sort of value-add for work, is hanging out with my four-and-a-half-year-old. I have two older stepchildren that I didn’t have when they were little, so with my four-and-a-half-year-old, it’s kind of like I get to do all the things, I get to relive my childhood, you know, go fishing, go bowling, you know, play sports. And I think, for me, that’s the purest sort of type of fun that I have these days. And the rest of it is, you know, dealing with, you know, 2020 and the inherent sort of challenges of that, and then work; you know, I really do enjoy what I do for work. And volunteer work, there’s a social component to that. I think you guys know some of the things I’m involved in, I think you guys have a connection to some of those things. And yeah, it sort of checks both boxes: I get to volunteer and I get to hang out with fun, interesting people while doing it. So.

Jodi Daniels  26:18  

I see future history book clubs between the two of you. There could be. Well, Alex, thank you so much for sharing your wealth of knowledge here today. If people want to get in touch with you, what’s the best way to do that?

Alex Rayter  26:35  

Well, check out our website, our contact info is on there. Our URL is p20inc.com, or email me at alex@p20inc.com. Look me up on LinkedIn. I’m very active, and so is Justin. I enjoy participating in this conversation, so yeah, feel free to reach out. I’m very giving with my time. I’m happy to talk to people about this stuff, just sort of off the cuff, no engagement needed. I’m genuinely interested in helping people with cybersecurity, and bringing you guys in to help on the privacy front is really important.

Jodi Daniels  27:11 

Well, wonderful. Thank you so much again, Alex, and we appreciate your time.

Alex Rayter  27:17  

Yeah, likewise, thank you guys. This was fun. Appreciate the opportunity.

Outro  27:24  

Thanks for listening to the She Said Privacy/He Said Security podcast. If you haven’t already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.
