
Intro 0:01

Welcome to the She Said Privacy/He Said Security podcast, like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:22

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.

Justin Daniels 0:36

I am Justin Daniels. I am a shareholder and corporate M&A and tech transaction lawyer at the law firm, Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk, and when needed, I lead the legal cyber data breach response brigade.

Jodi Daniels 0:58

This episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there is greater trust between companies and consumers. To learn more, and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. And I have the giggles today.

Justin Daniels 1:39

Well, I guess I wanted to ask if you could talk to our sponsor, because I think I’d like to start getting paid as a co-host of the podcast.

Jodi Daniels 1:46

I’m so sorry. There is no advertising revenue available to pay for any type of co-hosting.

Justin Daniels 1:55

Then I’m putting a disclaimer that I can’t be held responsible for what I may say to the detriment of our sponsor.

Jodi Daniels 2:01

So for anyone listening, we don’t typically record later in the day, and we are, and now we have a case.

Justin Daniels 2:12

I’m going to introduce our guest, so you can... I don’t know what you’re doing today. We’re very excited to have a really interesting guest. So today we have Amy Bogac, who is a seasoned security leader with over 20 years of experience in information security, IT governance and compliance. She holds an MBA from Lake Forest Graduate School of Management and a CISSP certification from ISC2. Previously, she was the CISO of The Clorox Company during a significant cyber incident. Amy, welcome to the show, and up front, I want to personally apologize to you for the behavior of the co-host.

Jodi Daniels 2:53

Having some fun here. In case you’re listening for the first time, I encourage you to go back a few shows where there aren’t as many giggles. And if you’re new, or, I’m sorry, if you’re here typically, well, then welcome to the phone and the party. You know, we like to make it a little bit different around here, but we always start every episode trying to understand everyone’s career journey and how they got to where they are today in privacy or security. So, Amy, we would love to hear yours.

Amy Bogac 3:21

Thanks. I think you should consider afternoon shows far more. And if it’s after five, I mean, all bets are off.

Jodi Daniels 3:29

You never know. It is five o’clock somewhere, it is.

Amy Bogac 3:34

Thank you both for having me on. It’s really nice to meet you, Justin and Jodi, both. I appreciate it. Yeah, my journey, my origin story, is a little bit non-direct, right? It’s been over 20 years, as Justin pointed out. I’m apparently old, so that helps, right? And I started out with infrastructure, right? So I love networking. I love understanding how networks work. I really love crisis management. I think we’re probably a little bit kooky, because, Justin, you also said that you get to lead the incident response brigade, and that’s really when I have had the most fun in my career. So, starting out in a network operations center, so red to green, with Allstate Insurance a long time ago, I got to grow in my career, and specifically chose to move into security when I worked at the Kellogg Company, and got to lead through, in 2010, we didn’t call it business email compromise, but, you know, that’s really what it came down to. And I helped the company build their first security operations team there, and then spent some time at Walgreens. Most of my career was in the Chicago market, and now I live in North Carolina. After Walgreens, some time was spent, maybe four and a half years, at a chemical company, CF Industries in Deerfield, Illinois. So lots of varying background. And I got to experience retail and financial services, but really my heart is in manufacturing. I love being able to help secure great manufacturing organizations, especially legacy ones. So even after my time at Clorox, I’m back at it in a manufacturing organization in North Carolina today, and it’s been a lot of fun. I love helping legacy manufacturing, like 100-year-old companies, really figure out what it means to protect and secure today.

Jodi Daniels 5:32

It’s so interesting that people find all different types of niches to go into, and so that you’ve identified that particular one for you is amazing. It’s been fun. No giggles.

Justin Daniels 5:47

We’re not done with you yet. So, Amy, talk to us a little bit about data resilience and how you contrast that, or how it’s different than data recovery.

Amy Bogac 6:02

Yeah, I think the word DR, really, like the letters DR, the term DR, I think, has changed and transformed over the years, especially if you’re in security today, and you’re talking to your leadership or you’re talking to your team. When you say DR, they might mean a whole bunch of different things. So I also think there’s a big push and a huge movement around educating the business and having them understand what capabilities a company has. So I have been in infrastructure for a long time, I mentioned that, and DR was basically just a test you did. Can you restore your data from backup, or restore this system from backup? And it kind of did it in a vacuum, right? You would do your DR process one weekend a year, or maybe two weekends a year, and you would have a business tester come in and validate, yes, that’s my data. And then we checked the box, and we all moved on. And I think over the last couple of years, we’re starting to see significant events where you really have to rely on making sure that you have a process, a business process, that you will recover that data and actually be able to run the business on it. And then when you do that, this is where I think this gets into a little bit more of, like, the privacy side of things too. Is, how can you trust that data? Right? If you are coming out of an event where you had an intrusion of some sort, and you are bringing your data back online, either on an old server, a new server, whatever server, because you had immutable cloud backups. Ooh, fun buzzword. Then, if you have those, but how do you validate that your data does have the integrity that you expect it to? What if it is consumer data? You have a higher level of accountability now to make sure that, you know, when you’re bringing that data back in. I also had some experiences, right?
The experience that we went through at Clorox: the company has publicly said that part of the process was going to manual business processes. So now imagine your data resiliency versus your disaster recovery, and how do you bring back your old data, maybe run some manual processes for a period of time, and then marry all that back up and be able to attest to that at the end of a period of time? So I think there’s a lot more to data and DR today, and data resiliency and DR and marrying them together, than people really thought. And I have some other ideas about how companies might be able to test that out.

Jodi Daniels 8:47

Oh, well, we want to hear about those. Keep going. All right.

Justin Daniels 8:52

Tell me more. That’s like a clue.

Amy Bogac 8:56

This is very exciting. I think there are some strategies, things that I have seen and things that I would advocate for now, which is really being able to run data-related tabletop exercises. So incident response is really great, and they typically talk about who will call whom when, and who will notify the SEC when, and how we will get to, you know, this customer at this time. And there’s a lot of great coordination that happens in IR planning, but I have not seen any innovation in bringing other business units to the table for a tabletop that says, if your ERP system is unavailable, how will you run the business, Mr. or Mrs. Business Process Owner? Or if your HR system is unavailable, even if it’s a cloud system, what if the internet, or a denial of service, like we just saw from some big company this week, that there was a big denial of service and people couldn’t access their cloud services, right? How will you operate without access to your traditional application? I think some of these tools have made our business partners reliant on a tool, instead of understanding their process and then understanding how they have dependencies in their data set below that. And so I think it’s just a little bit more about running tabletop exercises around: how would you handle this exercise, this event, if you did not have access to your data? So, go ahead.

Justin Daniels 10:33

Thank you. We both have questions. I do. So, Amy, I wanted to ask you a follow-up with that. In my experience, even at bigger companies, getting executives to even participate in a tabletop is an act of magic. It sounds to me like what you’re suggesting, which is really interesting, is: well, shouldn’t we have a tabletop that, if we take away this business process, maybe your software that gets your people to their right places, what’s the backup? And I guess the question I have is, you’d have to get buy-in from a lot of different stakeholders to have that type of tabletop, because it’s more of a technical tabletop, but it’s important, because it’s going to go to the reputation of your company and how you deal with disaster recovery.

Amy Bogac 11:23

Exactly, exactly. I think we’re starting to see that we have to be far more focused on how companies will perform their role, or how business units will perform their role, than, you know, some of the bigger questions that we used to ask in traditional disaster recovery or IR scenarios. So it’s about scenario planning. Justin, you’re absolutely right, and maybe we get better traction by going a layer down and not asking the executives to participate in tabletops. Maybe we do have to partner better with our business teams across the board, our application teams, our data owners. Ooh, I bet that’s a fun topic for the two of you at dinner.

Jodi Daniels 12:07

Indeed. So if we think about that, that seems very much about creating what that strategy is going to be and identifying how do we communicate with all the right people. So what might you recommend? What are the strategies to help companies prepare for what we’re talking about?

Amy Bogac 12:23

Yeah, in the days of crisis management or enterprise risk management, I think there were a lot of things that we did, from the traditional infrastructure DR world, that we could take but want to double-click on further than we ever did before. So one very common principle in disaster recovery is to have your application list tiered out, so you know what you need for the business. And just like tabletops, I think they’re viewed as a checkbox sometimes, and I don’t know that companies really understand how to say, if this one tier zero application is unavailable, that means nothing’s available. If a tier zero application in your DR list is unavailable, nothing’s available. If your tier one application is unavailable, here are the seven other applications that tie to it. Now, that’s a little bit of asset management and configuration management and understanding the dependencies, but a lot of business owners today and data owners understand the data they have, not the dependencies of how these systems all work together. And I think that’s just where we have to really double-click in again. So the recommendation that I have is, go to your DR list, make sure it’s reviewed on a regular basis. It may or may not be. But are you looking at those top five tier one applications? Assume all your infrastructure is available to you, your tier zero. But look at your top five tier ones, and understand, are those really your tier ones? In this scenario, if the internet’s unavailable, does that really matter to you, because you couldn’t get to it anyway? Or could you, right? What other controls would you have to do if you can’t authenticate to it? Maybe it doesn’t matter. But I think, like, even just basic questions about what if I cannot authenticate to an application as an end user? How does that affect my ability to do my job?

Jodi Daniels 14:28

Those are really interesting and challenging questions that many companies have had to face, and I am very hopeful that they are understanding the need for planning and really going deep. And for me, the other piece is, obviously here we’re talking about data and systems, and when there’s an event and something happens, the other part that’s so critical and important is the communication. And how do you get that information to the people who need to know it? In companies, I just don’t think they spend enough time on that crisis management and communication piece. Why are you laughing?

Justin Daniels 15:07

Because you’re teeing us up for what we need to talk about now.

Jodi Daniels 15:11

Well, that’s not laughing, then. Instead, you should say, that was awesome, Jodi. Thanks.

Justin Daniels 15:15

No, I’d rather get you to giggle. Sorry. Kind of the nature of the beast today. All right, so, Amy, given all the things that we’ve talked about now, I’m going to put on my IR responder hat that I’ve worn in the past. It’s funny, I’m a corporate M&A lawyer by training, but M&A and incident response share a lot in common. But having said that, as you know, the SEC passed their new cyber rules, and given your background and things that you’ve had to deal with, can you give our audience a feel for what it’s like to be in an incident response where you have incomplete information, you’re under time pressure, and you have a whole host of very difficult decisions to make, and now we’re going to overlay it with this materiality analysis? So can you give us a feel for how that might impact how you’re able to go about a coherent type of response?

Amy Bogac 16:10

Yeah, it’s an interesting question. And I think the timing is fun, because if you just declare yourself critical infrastructure, then, you know, you buy yourself a couple extra weeks, right? That’s my tongue-in-cheek, you know? But that is what’s happening. There have been some other events where they’ve chosen not to disclose because of national security concerns. And, you know, I think there’s a lot of transparency in the culture of the company that you’re working for. I was very lucky. I think the culture that I came from, it was very transparent, intentionally. I found disclosing early added a ton of value to our organization. Early eight cares. There’s a bunch of us out here, and we have conversations and we talk about things like, did it add value? Did, you know, the materiality, was that really the most important component of it? I think, as an incident responder, which we all have to be when you’re a CISO of a company, you know in your gut pretty quickly how big an event is, and that’s when you have to trip some of these other things we just talked about: your crisis management plan, your escalations, and when you have a need to start communicating to your customers. Anything that’s going to go external, that’s where I found the line to be very, very clear. If we’re going to have to communicate to anybody, we should also include our SEC reporting requirements. Even though our event happened before the official timeline of, like, enforcement of the SEC governance, it was the right thing to do. The value to us was, when you communicate once externally, now you have something to rely on, and you can point everybody back to the same message. And that was really, really helpful. So that’s what I would advocate for people when they’re really struggling with this decision to notify or not notify: the minute you have to talk to anybody else outside your company about what’s happening, you should consider the fact that, you know, there’s going to be transparency and consistency involved in that interaction.

Justin Daniels 18:24

So another thing I wanted to ask you, kind of related to that, Amy, is the SEC regulation is really targeting third-party risk management from a cyber perspective. And so as you think about that, when you’re a publicly traded company or whatever it is, how do you see that starting to trickle down to the privately held companies whose cyber hygiene isn’t as important to them? I think they’re in for a rude awakening. And I just want to say, you know, how do you look at that in terms of the contract terms you pass down, the diligence terms, the requirements of collaboration in a breach? Because a lot of times when I’ve handled it, when my client’s hosting provider has a problem, they don’t want to cooperate with us, because they’re doing the exact opposite of what you said.

Amy Bogac 19:12

Yeah, I think there are a couple pieces there. I think the companies that are not subject to SEC regulation today because they’re privately held, I think there are some really large privately held organizations who have strong maturity programs, and they’re gonna adapt their own way of notification. I think it’s still true that when you have to start communicating to people outside because you have a business disruption of some sort that includes your customers or your suppliers, you know, there’s value in having, again, that very formal process for notification. I think that third-party relationship and that third-party risk is going to continue to evolve to be a real big space where people try to hide, and, you know, the pass-through of information, I think people are going to have a lot of things to figure out. I don’t have the answer on this one, around if I’m breached and my data is lost, but, you know, the third party is where the data lived, and that’s where the breach occurred. I think those are still really big items that we’re going to see. And, you know, I’m going to look to you, Justin, when the time comes, to say, how is the, you know, regulatory landscape, or the legal landscape, you know, shaking out in that space? I just don’t think we have enough information on how that’s going to play out yet.

Justin Daniels 20:40

Well, Amy, as of this broadcast, after the 8-K that was disclosed by AT&T, which I wrote about on LinkedIn, I cannot tell the audience what exactly a material breach would be, if that is not considered a material breach under the SEC cyber regulation. So I suspect there’s more clarification to come, either through derivative lawsuits or the courts, or the SEC says, all right, we need to put some more guardrails around this, because, as you know, the regulation itself is not tailored when it comes to what materiality is from a cybersecurity perspective. It just is the general definition of what would an investor think is material. Well, that’s great, but not specific to cyber. Agreed.

Amy Bogac 21:23

I also think we don’t really talk about how a change of our political party in the White House could affect the makeup of the SEC, and if this will, you know, retract or expand further after this presidential election.

Justin Daniels 21:40

You’re right. I think the entire crypto industry is cheering for a certain person to get elected so they can make Gary Gensler walk the plank.

Jodi Daniels 21:47

All right, I’m gonna steer us back over here. With all that we’ve been talking about, Amy, what might you suggest for a company to do to get started? Maybe they’re listening and they say, oh, we really have none of what these people are rattling on about. Where should they start to help their companies and their key stakeholders get educated and adopt this concept of resiliency and planning?

Amy Bogac 22:16

I know this is going to, like, give everybody, like, not a great feeling. I’m going to say something that I think is very controversial, and it’s not sexy, and it’s not a cool new tool, and it’s not anything that we haven’t done before in IT. But I’m advocating that a lot of this stuff is back to the basics. I really do think that DR and disaster recovery strategies, when data centers were data centers and you had to have a plan for, you know, a physical event or a fire, or, you know, we relied on our data so much in those early days. But I have seen many companies put that process on the back burner, and it’s probably out of date, and I think that’s a very tactical thing that companies can do today: dig up their DR plan. If you’ve never had a business impact assessment, find a partner that will help you walk through that. So then you have a very clear and current inventory of how you’re operating your business process today, so that if you do have a problem, you understand. You know, I don’t like to bring up other people’s bad days, but there was a lot of press about the Change Healthcare outage. I’m just going to say it that way, because there was a lot of misunderstanding of how that third party contributed to a lot of other components of the healthcare industry. And I think that’s why I’m advocating for: start back with some basics. Do a BIA, understand your application set, and understand where your really big risk is today. Because if you did it five years ago, the world has changed. It is 2024, and we primarily compute online. And I think there’s just a really big misunderstanding about how much risk exists in the way we are architected today, that people may think that they’re fine with just, you know, backups and data disaster recovery testing once a year. It’s just not true anymore.

Jodi Daniels 24:22

Back to the basics works for me.

Justin Daniels 24:28

So, Amy, when you’re out, maybe at the bar or a restaurant, and someone comes up and says, hey, do you have a great tip from a cybersecurity perspective or privacy? What would you like to share from your perspective?

Amy Bogac 24:44

Oh, that’s a good question. My tip: is it bad that I’m gonna go to Black Hat and carry my phone in an RFID case and, like, protect myself? For all, everybody, that’s good, you know. I, you know, I’m... that’s, like, what’s stuck in my head right now, is getting ready to travel and really being aware of how vulnerable devices are physically when you’re near somebody who has ill intent. So that’s going to be my travel tip for the end of the summer here is, you know, turn off your Bluetooth, protect your device, and really be aware of your surroundings, especially if you’re going to Vegas.

Justin Daniels 25:27

Wait a second, I think I’ve heard about a business idea. Maybe Jodi and you can come up with a stylish Faraday bag. Yeah, it’s stylish, but it blocks out all of the ill intent, because, yeah, those signals can’t get in or out of it, but...

Amy Bogac 25:44

It’s stylish. Yeah, yeah.

Jodi Daniels 25:46

There are a few purses that do that,

Justin Daniels 25:48

the Faraday bag. That’s what they get.

Amy Bogac 25:51

Yep, that’s my temper trick for the day, getting ready to go to Vegas.

Justin Daniels 25:55

Get your Faraday bag to go to Vegas during Black Hat. I like it.

Jodi Daniels 25:59

When you are not securing your phone and working with 100-year-old manufacturing companies, what do you like to do for fun?

Amy Bogac 26:10

I consider, though, a calendar to exist in two seasons. It’s either summer, which we’re in, which is perfect for family and fun and pool time. The other season is hockey season. So my husband and I are season ticket members for the Carolina Hurricanes, and really enjoy, you know, following all things hockey and traveling for outdoor games. And, you know, our youngest son played hockey growing up, and my favorite T-shirt to wear is the one that says, my favorite hockey player is the one I raised.

Jodi Daniels 26:52

Ah, that’s so sweet. Well, Amy, we’re really grateful that you joined us today. And if people would like to connect with you or learn more, where could they go?

Amy Bogac 27:01

Yeah, I am available on LinkedIn. That’s the best way to connect with me. And you can also see on LinkedIn places like this podcast where you can hear more about what’s going on with me, but also you’ll be able to follow along with any of the conferences that I am attending, or have the really great honor to be able to speak at and advocate for all these great foundational security principles, because I think getting back to basics is the most important thing right now.

Jodi Daniels 27:34

I like it. I speak all day long about privacy and basic foundational privacy pieces. So we need basic security foundational pieces too. Why are you looking at me strangely?

Justin Daniels 27:43

Because you speak about operationalizing privacy.

Jodi Daniels 27:46

Yes, you used the word operationalize earlier today in a non-work event, and it was really hysterical. So that is what happens when you work around someone way too long and they start using words in strange places. All right, it has been quite a fun podcast, filled with giggles and strangeness and some wonderful practical advice. So, Amy, thank you for joining us here.

Amy Bogac 28:13

Appreciate you both. Thanks so much.

Outro 28:19

Thanks for listening to the She Said Privacy/He Said Security podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.