
Intro 0:01

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:22

Hi, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and Certified Information Privacy Professional, providing practical privacy advice to overwhelmed companies.

Justin Daniels 0:36

Hello, Justin Daniels here. I am an equity partner at the law firm Baker Donelson. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback, helping clients design and implement cyber plans as well as helping them manage and recover from data breaches.

Jodi Daniels 0:57

This episode is brought to you by, loud drums today, Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, ecommerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more and to check out our new best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. You’re very polka-dotted today. And polka-daddy. You’re very loud for me today. It’s a fun day. It’s a fun day. It’s a fun Wednesday. We are excited. This is going to be a good conversation because today we have Don India, who is the CEO of RadarFirst. He has over 20 years of executive leadership experience and prides himself on transforming organizations’ business strategies at a global scale, and showing businesses and their clients how to effectively leverage emerging technologies and stay ahead in the ever-evolving marketplace. As a leader, Don is well known for boundless energy, unwavering passion and exceptional coaching abilities. He thrives on generating enthusiasm and cultivating a dynamic environment within the teams and organizations he leads. By inspiring individuals and fostering a collaborative culture, he fosters innovation, accelerates growth and cultivates high-performance teams. And we are full of energy today on this podcast. And we’re so excited to talk with you and learn more.

Don India 2:36

I appreciate it. Justin. Jodi, thank you for having me on.

Jodi Daniels 2:39

Absolutely.

Justin Daniels 2:42

So let’s start from the top. How did you get where you are today?

Don India 2:49

So Justin and Jodi, let’s take a little trip on the Wayback Machine. I honed my leadership skills at the IBM Corporation for just over 20 years, with varying roles in their services organization, their software business and their hardware business, running teams across the planet. And it allowed for me to experiment with dynamic leadership styles across a multitude of cultures, driving growth, driving transformation, and really taking on opportunities that were newer in the world of the software ecosystem. So if you think about when SaaS, Software as a Service, was emerging, IBM was a little slower in their emergence of it. But I was afforded the opportunity to take new solutions to market that were new in the software-as-a-service space, to allow for myself to learn and allow for IBM to change the way that they were going to market, with the traditional software spend versus that of the new as-a-service spending. At the end of 2018, I took on a role as the Chief Revenue Officer for Regulatory Data Corp. Regulatory Data Corp had the world’s largest repository of criminals. And we served the world’s largest institutions, from financial institutions to asset management, insurance and media companies, to ensure that they were not doing business with these criminals, through the onboarding screenings, through sanctions and ID identity verifications, as well as politically exposed person, PEP, screenings. That allowed me to get into this world of regulatory environments that was highly regulated and an absolute must in terms of compliance with law. My first level of experience in the compliance world was in this role that allowed for me to expand into highly regulated, highly consistent and defensible ecosystems, where that level of repeatability, that level of defensibility and consistency, was absolutely paramount. And that organization we sold to Moody’s back in 2020. And then at the end of August of 2021, I joined RadarFirst as our CEO, taking over for their founder and bringing on the next layer of growth for RadarFirst and our organization.

Jodi Daniels 4:55

Don, in our pre-show, we were talking a little bit about the growth that you’ve already explained, and at the company now it’s all about scaling and being able to continue to evolve. What in your opinion is, or rather, why is scalability so crucial to organizational compliance? And can you talk a little bit more about how companies do that?

Don India 5:18

Certainly. If you’re thinking about compliance in and of itself, let’s go higher level just a bit: compliance first. Compliance runs the spectrum of an organization from the beginning, of who you’re selecting as candidates to interview and onboard, all the way through the end, from a sale of a product to the after-sale of how you treat your clients. Compliance is everything. If organizations aren’t thinking of compliance as the broad scale of your entire organization, from your clients, to your internal employees, to the individual corporate policies, you’re looking at compliance in a very myopic way. And when you think about compliance at scale, you have to think about, as I said, repeatability. You have to think about automating what you can automate. And you have to really think about the level of consistency in terms of your compliance obligations. If organizations aren’t truly thinking of compliance as a corporate-wide function, that every single individual in the organization must understand what compliance is and be part of a compliance culture, that level of scale cannot happen. And as you dig into whether compliance is repeatable, you have to understand what processes can be repeatable, what processes then can be automated, and then how do I take those repeatable and automated processes and allow for that to become your level of consistency in compliance? If you think about highly regulated organizations, which RadarFirst deals with on a regular basis, real consistency in your compliance obligations is paramount to what the regulators look for. They need to see that level of decisioning and consistency across your entire ABA compliance obligations, whether it’s compliance with law, or you’re looking at your internal obligations in terms of what are your internal policies that you must be compliant with. When you think about scaled compliance, it isn’t simply by department, it is corporate-wide, and it is internal compliance as well as your external compliance obligations. It’s all one. And you have to look at it corporate-wide to be able to scale appropriately.

Jodi Daniels 7:20

When you think about those customers that are consistently creating those solutions across their organization, what could you offer someone listening as to what they’re doing right? Maybe is there a tactical example? Not giving anyone away, but just their process of what they’re doing?

Don India 7:42

You think about the repeatability. What processes do you have that are consistent in your organization? And if you can identify the repeatability of those processes, or repeatability of offenses, if you will, you can automate those. You can create playbooks and runbooks so that on a consistent basis, you know you will do these things. And there are solutions out there that will automate those functions for you if you have that level of consistency. If you go backwards to claims adjudication in an insurance business, way back claims processing was claims processing, but a lot of claims are exactly the same. They’re exactly the same. And insurance organizations have been able to automate that claims adjudication to reduce their costs and create consistency in claims adjudication that is simply automated. If you think about a misdirected email that delivers health care information to the wrong person, that happens a lot in healthcare organizations. You can automate that level of process and create a level of consistency, not only just to prevent it, but you can look at it and prevent the downstream from happening as well. So that level of repeatability is what clients are doing right. From an automated perspective, you have to look at what can I automate? Because if you think about the expenses of an organization, automation will reduce the overall incurred expense over time. And that is something that we have to look at as organizations to say: repeatable, automated, allow for me to be more agile in order for me to spend my dollars where I can spend my dollars appropriately.

Jodi Daniels 9:13

Thank you for sharing.

Justin Daniels 9:15

How can executives and organizations make proactive decisions around scaling strategies?

Don India 9:21

Yes, it’s a good question, Justin. I appreciate that. When you think about organizations, as I talked about earlier, organizations have to look at compliance across the entire spectrum of the organization, not by departments. By looking at it individually by department, you are missing an opportunity to create a level of repeatability, to create a level of interdepartmental communication across an organization; if you simply look at it from one department or another, that level of communication across the institution doesn’t happen. It allows for you to look at the technologies that are available in the marketplace that allow collaboration and allow for your organizations to be over-communicative with respect to your overall compliance. And then if you think about the technologies that are out there in the marketplace, there are very niche products to fit the need of what your organizations require. If you think about onboarding screening, onboarding screening solutions are very much in the compliance vertical to prevent you from doing business with sanctioned individuals; on the back end, there’s RadarFirst that allows for you to provide the right level of best-in-class incident response for data breaches and privacy incidents. Technology allows for you to look at this at scale and allows you to implement scale across your organization, and not simply look at what has happened in the past, which is buying a software solution, or implementing a single departmental solution. And then every department has their own, then you have software spread and sprawl and expense that prevents the ability to have this collaborative effort across an organization.

Justin Daniels 11:07

So specifically, if I’m an executive, and I’m in a regulated industry, and I’m very concerned about how I handle incident response, and use my time wisely, how does RadarFirst help me automate processes so I can save time and use it more efficiently when it’s so precious in an incident response situation?

Don India 11:27

Certainly. If you think about the world’s data protection and data breach laws, what RadarFirst has done is ingested all of those laws across the planet at a global scale, and we have third parties as well as internal parties interpreting this law. And our patented breach guidance engine cross-references every potential data input of what you potentially have lost with every single law that you are obligated by your jurisdiction to be compliant with: 130,000-plus potential data inputs across a myriad of laws across the planet. Creating a manual process for any organization that doesn’t have an automated tool to provide the guidance and understanding of what your jurisdictional obligations are is a greater effort versus automated, because if you are a global organization, you have to be compliant with all global data privacy and data protection laws. RadarFirst is the only software solution in the market that allows for you to input what you have potentially lost in terms of private data, cross-reference it with every jurisdictional law on the planet that you’re obligated to be compliant with, and provide the guidance to your privacy teams in a matter of minutes. If you think about what it takes an institution to research these individual laws on a regular basis, it’s days if not weeks, if not months. We’ve reduced that down to a time in minutes that provides the level of guidance that you need as a privacy institution to make a decision. First, do you notify your individuals or do you not? Is it a breach or is it not? And then we provide you the timelines and the notifications to drive into, if you have to notify.

Jodi Daniels 13:11

As we are using technology to help us figure out either breaches or incidents, and other tools from a compliance point of view, it’s helping to raise flags. And the automation can only go so far, where then executives and organizations have to start making decisions. How can these executives make decisions, doing so in a still scalable way? Absolutely.

Don India 13:38

Compliance culture truly is the answer that you’re looking for here, and driving that into your entire organization. If you are creating, as an institution, a culture of compliance, it takes the executive landscape saying: these are decisions that are important to us, these are decisions that are important to our organization, and pushes it down into the broader spectrum of the entire embodiment of your employee base. It allows for the decision that the executive would make to be in the forefront of the minds of the decision makers and the leaders at the layers below, which allows for that repeatability of a process. Of course, every major-impact decision must be elevated up to the executive level, because you have to look at the level of authority you’re going to provide to your leadership team. And as you create that compliance culture, it will create the level of decision that the executives are going to expect and will be aligned to your overall corporate beliefs. Further, if you think about, as you talked about earlier in terms of trust, Jodi, creating that level of compliance culture creates an overall trust, not only internally in your organization, but a trust of your external clients and your potential clients. They’re going to be trusting you that you’re going to be making these right compliance decisions across the institution. So it really is creating that culture of trust, creating a layer of repeatability, as we talked about, as well as the repeatability of action creates that level of consistency, which builds that level of trust. So they’re all combined together. Thank you.

Justin Daniels 15:11

So kind of looking out over the landscape of technology, one of the major trends is this digitization, with digital convergence across so many departments, and executives have to grapple with all that. Can you talk a little bit, from your perspective, about what that is going to start to look like? We now have AI coming onto the table and the impact that’s going to have on how businesses start to manage this convergence that’s happening faster and faster with data.

Don India 15:43

Certainly. We could even go back to digital transformation back in the 50s and the 60s to really start to look at the history. Well, let’s not do that; it would take too much time. When you think about the convergence of, let’s be specific, security, privacy, cybersecurity and compliance, they are all merging together to a degree. Now, every one of them has individual facets of specificity. But you don’t have one without the other. You’re not compliant with global law with respect to data privacy breaches without privacy and without security. And then the cyber jumps in there no matter what anyway. When you look at that landscape, that gets into the compliance culture across an organization; if you’re not doing that, you’re looking at it in a siloed approach. You’re looking at cybersecurity or security to prevent the intrusion, prevent the data loss, but you’re not looking at it from a downstream perspective of how do I tie in what actually had happened, or from a compliance front-end perspective, you’re not thinking about what is beyond the onboarding screening aspects of bringing on clients and institutions to do business with. All of this institutional convergence is going to happen. It’s already well underway. Now, individual solutions that are out there will help you address specific aspects of this convergence. Now, what are the most important aspects when you’re looking at the technology? It’s back to your earlier question, Jodi, of these proactive strategies and scale. How do you integrate with those solutions? How does your front-end solution integrate with your security solutions that are in house currently, with your notifications, with your third-party obligations? How do you integrate all of your facets to allow for this ecosystem, a culture of compliance, to not simply be siloed, but to have interconnectivity, to have the level of communication you need? How do you integrate it with your outside counsel? How do you communicate with them? How do you create an ecosystem of collaboration in the event of a data center shutdown, or you lose your cloud, or you have a ransomware attack? You have to look at all these things in terms of what can you do. And as they converge, solutions and integrations are going to be one of the most important aspects that executives will want to be looking at, as they move forward with the repeatable, scalable and automated processes that they’re going to have to put in place.

Jodi Daniels 18:01

Justin, you see a lot of these different types of incidents. Can you share maybe some of the learnings that you’ve had, and how what Don was just describing sounds like, if many of these organizations had something like that, they would be in a better place? Sure.

Justin Daniels 18:19

I think from my perspective, number one is, all these companies in their breach response, they have customer contracts now that have contractual breach notification requirements. You don’t want to find out in the breach that you’ve got to review 170 contracts; you want to have all that done and uploaded to software, so you know the lay of that land. Another one is parsing through, automating the process where, if you know that someone’s email has been hacked, and you have to look in the email inbox for what kind of PII might be in there, automating a process to do that. We still have to provide people, the eDiscovery firm, with the words we’re looking for; it’s automated to some degree. But the biggest one is how to have communication where you’re outside of your network. Because when you first deal with an incident, you don’t know if the threat actor is still in your network; that’s still to be determined. And if you’re having conversations and they’re listening in, it’s very difficult to respond. So having what I like to call a lifeboat somewhere off of the network that has all of the things that you’re talking about, Don, so that we can have an open and honest communication without being concerned that the threat actor’s listening in. A lot of executive teams don’t think about that. And then last is, what do you do in response when the unexpected happens? And what that means is, the threat actor starts calling the CEO’s spouse because they have their cell phone number, and they’re like, well, how did they ever get that? It’s kind of all out there, and that completely overturns whatever you thought the cadence was in responding to the incident.

Jodi Daniels 19:56

And I see you smiling. For those who are listening, Don has been smiling while Justin was talking.

Don India 20:04

Well, I’m smiling about a myriad of things, but the one thing that gets me is my institution has been text messaged by fake “Don India” actors consistently since I’ve started. So it’s a true aspect: they’ll call your spouse, they’ll text your team, they’ll text your board members, because they’re going to grab that information. So it does happen on a consistent basis. And I will tell you, it happens regularly, if not daily, here at RadarFirst, so no one’s immune to it. When I think about what you started off with, Justin, talking about third-party obligations, that is a tremendous open problem that institutions have. If you have hundreds of thousands of contracts, and you want to go through hundreds of thousands of third-party potential notification obligations, some of which have stiff penalties, and some of which are under 24 hours of notification of a data breach, and you don’t know it, you lose the trust of that third party, you lose the trust of the ecosystem around you that could have been there for years. And it’s bidirectional. It’s your clients, your third-party obligations of who are your customers, but it’s also who has access to your data; there are third parties that access your data too. So there’s an outbound and inbound problem with respect to third-party obligations. So that is a big, big problem across every industry. Now I’ll do a little plug for RadarFirst: we do have a third-party obligation module that ingests contracts, understands the obligations and allows for us to input them into the RadarFirst solution, so you know that you are, in under 24 hours, obligated to notify your series of third-party providers or third-party clients. Outside of that, you mentioned what we owe, and I briefly touched on, Justin, this ecosystem, as you described it, a lifeboat: the communication mechanisms that allow for you to connect internal legal, IT, security, privacy, compliance, external outside counsel and others. It’s a critical component to allow for that to happen, to allow for you to have conversations off of your network. You may not even be able to access your network, or you’re accessing it and people are listening in, as you described. Well, that’s a fundamental problem as well. So this lifeboat concept, RadarFirst does have that, to allow for that level of communication. There are solutions out there that do that well, but it’s a critical component to how you’re able to handle events and incidents, whether it’s a privacy incident or not. You need to have that lifeboat, as you described, in order for the dialogue to happen in a secure environment.

Jodi Daniels 22:39

Now, Don, you see a lot of companies have a lot of incidents, which means you might have some really good privacy or security tips that people are asking you for when you’re out and about in a social setting. And we always ask our guests, what is your best privacy or security tip?

Don India 23:00

From a privacy perspective, if you think about your organization, you have to look at what you are actually looking at from a notifications perspective. And I’ll be specific to RadarFirst in terms of what we do. When you look at privacy notification obligations, the majority of institutions are way over-notifying: on every, if not the majority of, incidents, they are making a decision to notify someone. That’s a waste of time. You are burning cycles beyond what the law states. So you have to look at the law and understand what your obligations are. And when you think about over-notifying, you’re spending time, energy and resources on things you’re not obligated to do. And it sounds interesting when I say don’t over-notify, but it’s a fundamental problem of time. And if we have a solution that allows for you to understand your notification obligations and reduce the amount of time spent on over-notifications, you are saving yourself time, you’re saving yourself money, and organizations can focus time and energy on what is really important: on those obligations to notify that are within 72 hours, that will create significant penalties to your institution, and allow for you to be more open to your ears and allow for you to have that level of notifications that is accurate and consistent. And the problem with over-notifying is actually you’re exposing yourself to a reputation of having significant problems. So over-notification, beyond the work and time spent, is a problem with your reputation of, well, why are they losing data all this often? Why are they notifying on a consistent basis? Why are they notifying every day? So you have to look at it from the overall reputation perspective. You will erode trust in your over-notification scenario because you are doing too much of what you’re not obligated to do. That would be the way that I would share from a privacy perspective: do what you’re supposed to do, and look at what RadarFirst can provide to you in terms of the guidance we provide at a global scale. And it’ll help you optimize time. It’ll help you optimize your notification obligations. And also keep you in the reputational arena that you want to be in, and continue to build that trust with your organizations and your employees and your clients.

Jodi Daniels 25:32

A good point on the reputation. Thank you for sharing that. So when you’re

Justin Daniels 25:36

not being a CEO and evangelizing about scalability being crucial to organizational compliance, what do you like to do for fun?

Don India 25:47

I am an avid endurance runner. I have a long-term goal, since January 10 of 2010, to run a marathon in every state. I have 18 states complete, a little bit more to go, 32 to go. But that is something that I enjoy doing. I enjoy hiking, I enjoy snowboarding. Those are the three things: running, hiking, snowboarding are the three things. If you asked me to do something, I’m likely going to choose to do one of those three things. Oh,

Jodi Daniels 26:17

I might not join you on the marathon party. I like the hiking idea. A very ambitious goal. Very exciting. Thank you so much for sharing what you have today. If people would like to connect and learn more, where should they go?

Speaker 4 26:31

First and foremost, if you want to learn more about RadarFirst, please check us out on our website, www.radarfirst.com. And if you want to contact me directly, Jodi, what should I say? Should I have them go to my email?

Jodi Daniels 26:46

Whatever you want.

Don India 26:49

And if you want to contact me directly please send me an email at don.india@radarfirst.com.

Jodi Daniels 26:55

Well, Don, thank you again for sharing all your insights today. We really appreciate it.

Don India 27:00

Justin, I enjoyed it. Thank you for having me. I really appreciate it.

Outro 27:07

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.