Intro 0:01

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:22

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and Certified Information Privacy Professional providing practical privacy advice to overwhelmed companies.

Justin Daniels 0:36

Hi. I’m Justin Daniels, I am a shareholder and corporate M&A and tech transaction lawyer at the law firm, Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk. And when needed, I lead the legal cyber data breach response brigade.

Jodi Daniels 0:57

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. You’re very quiet today.

Justin Daniels 1:36

I decided I wasn’t going to make you laugh just yet.

Jodi Daniels 1:39

No, no, I’m okay now, because I got through the intro. So I can have, I can have my case of the giggles.

Justin Daniels 1:46

Well, shall we introduce our guest?

Jodi Daniels 1:48

We should. It’s going to be fun.

Justin Daniels 1:50

Okay, so today we are reaching into the CLO office, as we have with us —

Jodi Daniels 1:55

What’s CLO?

Justin Daniels 1:57

Chief Legal Officer.

Jodi Daniels 1:58

Can’t use acronyms. Listeners, people don’t know what all the acronyms are.

Justin Daniels 2:01

Have you listened to yourself on an ad tech podcast? 

Jodi Daniels 2:04

That’s not the point. Carry on. 

Justin Daniels 2:08

So we have Shanti Ariker, who is the current Chief Legal Officer of JFrog, and a solution creator with global legal expertise, leveraging more than 20 years of experience working with high-growth technology companies to act as the trusted business advisor to CEOs, executive teams and public company boards of directors. Shanti, how are you today?

Shanti Ariker 2:33

I’m doing great. Thanks so much for having me.

Jodi Daniels 2:35

Well, welcome to our silliness, and we start all of our podcasts trying to understand how did you get to where you are today? So if you can share a little bit of your career evolution, we look forward to hearing it.

Shanti Ariker 2:47

Fantastic. Thanks. I’d love to share that. People are always asking me, how’d you get where you are? So I started as a securities litigator at a big law firm and eventually went in-house to a client, focusing first on litigation and then eventually on commercial sales and marketing agreements. And if I were to offer a guiding principle for people on, you know, thinking about how their careers may evolve and change, it would be, you know, to be open to different career paths than you expect when you first start out. You know, I thought I wanted to be a litigator, and then I changed mid-course, and then once I got into doing tech transactions, I really loved them, but I wanted to do something more. I actually took six years off to raise my children. And while I was doing that, I got involved a lot with my community, including being the head of the PTA and overseeing the revamp of a local park in my neighborhood. At the time, I was living in Canada, and as a result of that, when I moved back to the US to headquarters at Salesforce, I asked to start a pro bono legal program based on all the community work that I had done in the six years that I had off. As a result of that, salesforce.org and the Salesforce Foundation asked me to get involved and eventually become the General Counsel. So I didn’t expect at all to pivot into a nonprofit, but it was a technology company that resold Salesforce, and in return, we got the money to give away as grants for the company. And so it was more of a social enterprise. And from there, I was really bitten by the bug of being the general counsel, and I really loved it. And I went back to public companies, to work in legal departments, eventually making my way to be the General Counsel of Zendesk, and that was the last company I was the General Counsel at, and now I’m the Chief Legal Officer at JFrog. So, you know, I would just say that I really took a lot of lessons from the evolution of my career.
As I mentioned, you know, being open to new ideas, new ways of thinking about things, not being stuck in, you know, one route of just thinking I have to be on this one road. You know, be open to things that kind of fall in your lap, which is kind of how I got into the general counsel position.

Jodi Daniels 5:20

That is such great advice. And there are a lot of people also trying to figure out, how do I transition from one to the next? And I’m always trying to remind people, you have a lot of transferable skills. It’s about understanding what it is that you like and then how you can connect that to the next role.

Justin Daniels 5:42

So can you talk to us a little bit about what is JFrog, and how does it help customers with supply chain cyber risk?

Shanti Ariker 5:50

Sure. It can be complicated and much deeper in the tech stack than things that I’ve worked on in the past. So I like to use analogies to make it a little bit easier to understand for non-techies out there like myself. So think of any supply chain. For example, I go to Amazon to order something, the order is filled, it’s shipped, and it appears on my doorstep. Well, JFrog is similar in use in the supply chain of how developers code and create, you know, the apps that we all use today. So we’re a software supply chain platform that allows developers of software to code, scan, catalog, curate and automate and then ship, or what, you know, we would say in regular English, deliver code that creates the apps that we use every day. And the way we help with cyber risk is that security must be built in at every step of the journey, not just tacked on at the end. You know, similar to privacy by design, security by design, so we bake it into our platform every step of the way, and we secure. Did I? Did I say something funny, because I say —

Justin Daniels 7:05

The reason I’m smiling Shanti is on this program, we always talk about privacy by design, and I love hearing about security by design, so that’s why I’m smiling.

Shanti Ariker 7:14

Okay, well, I actually was able to meet Ann Cavoukian when I lived in Canada, and she obviously created the phrase privacy by design, and was very passionate about it, so it’s something that I think about a lot. So we secure at the application level, the core level, which makes binaries, which are the zeros and ones of the code, more secure. And that’s important for privacy and security. And as you probably are aware, under the requirements of the US executive order that was promulgated last year, there is a requirement to know what’s in your software bill of materials, your SBOM, and so we enable that ability to, like, dig down into the ingredients. So if you’re thinking about, you know, you hear a lot about source code, but you hear a lot less about binaries. Think about when you’re making a cake: the cake itself is the code, and the ingredients that go into the cake are like the binaries. So they’re really the building blocks of the code itself. And for AI (artificial intelligence) and ML (machine learning), you also need to ensure that models, which are typically used in AI development, are secured at that binary level, which is something that JFrog enables. Hopefully, that made a little bit of sense to people that aren’t technical.

Jodi Daniels 8:41

The cake analogy definitely made a lot of sense to me, and I’m also really hungry now. I was going to ask, who typically in an organization is working with JFrog?

Shanti Ariker 8:54

So it’s a little bit bifurcated now. We, you know, typically we would sell to the CIO for development, you know, of code, and/or maybe the R&D, depending on where it sits in the organization. So whoever’s doing the development and the applications for the company. And we have 89% of the Fortune 500 as customers of ours. So we have, you know, major names that I can say publicly, including AT&T, Fidelity, Morgan Stanley, Vimeo and many others, that use us both as self-hosted, which would be on-prem, and then in the cloud as well. But we also have a whole suite of security products as well as our original core offering, which was called Artifactory. And so all of it together creates this, you know, platform, and so our additional sales now go also to the CISO or the chief security officers. So.

Jodi Daniels 10:00

Thank you. Really helpful.

Justin Daniels 10:02

So continuing on the topic of security, the SEC cyber rule has made a pretty big impact for a lot of publicly traded companies, as well as their third-party vendors, and you just gave off a laundry list of publicly traded companies. And so what I wanted to just have you talk to our audience about is, how does the cyber rule from the SEC influence, one, how you pass on security terms in your contracts, but also what you may be seeing from all of the publicly traded customers that you have?

Shanti Ariker 10:37

Well, I think it’s really important. Everybody focuses on security these days, and of course, we need to, as a result of so many supply chain attacks that we’ve seen over the last several years. You know, I could name a laundry list of SolarWinds and many others. So the cybersecurity rules that the SEC promulgated require disclosure of material breaches that impact you, and they don’t define it. So it’s very, you know, you have to really think about how you’re going to comply with the rule. And everybody’s looking at what everybody else is doing to understand what the best practices are. But to manage your cybersecurity across your supply chain, you really need to look at the contract terms related to cyber certifications. You know, it’s become very standard to require SOC 2 Type 2 certifications, ISO 27001, to require companies to either provide information related to their regular security audits or, as the customer, to require the vendor to provide those audits to you, to implement incident response plans, and, you know, obviously notifications for breaches, and defining very specifically what that means and what is unauthorized access of customer data and things like that. So, you know, I think supply chains have become very integral parts of the overall cybersecurity posture. And I think, you know, historically, companies sometimes didn’t think as much about supply chain, didn’t worry so much about it, but today it’s definitely at the forefront, and, you know, JFrog actually has a comprehensive supply chain risk management program.
Our teams conduct thorough due diligence on suppliers’ cybersecurity, legal, IT and privacy practices, and the process considers the classification of the supplier’s data, what they’ll have access to, where they store it, what the controls are and the regulatory requirements that are involved. And JFrog’s products actually help with all of those areas as well.

Jodi Daniels 13:04

If I’m a third-party vendor with AI, which appears to be every third-party vendor these days, what kind of diligence could I expect JFrog to conduct on my product?

Shanti Ariker 13:19

So, you know, we thought about this a lot, and we created an AI committee made up of our CTO, CIO and myself. And so we have created a very robust review of what we need to consider and think about when we have AI built into any of our vendor agreements. And so we have a comprehensive vendor review process, but it can get escalated to the AI committee if anybody has concerns or they want to flag something. So we meet regularly to talk about our business needs, if there’s something that people are concerned about in the procurement process. It may be procurement, or the person that’s trying to select the vendor, or the legal team that raises these issues around data usage, the model, how it’s going to, if it’s an LLM, whether it would, you know, train on the materials that you’re providing it, or is it, you know, walled in, so you’re not giving away secrets that you may have confidentiality requirements for. So, you know, it’s a whole holistic review of exactly how the data is manipulated, where it’s stored, what is done with it, who owns it, and all those, and obviously, as I mentioned before, certifications and controls like SOC 2 Type 2, ISO 27001, even ISO 27701, which, as you probably know, is the privacy management ISO certification. And then there are also other areas of certifications. And then JFrog’s asset access controls are in accordance. You know, we try to ensure that the vendor has the least privileges and only need to know. And we ourselves use strict role-based permissions in accordance with role requirements, and we expect our vendors to do the same.

Jodi Daniels 15:17

Appreciate you sharing. Thank you so much.

Justin Daniels 15:20

And I’m just curious as a follow up thought, when you created this comprehensive approach to vendors, obviously you had one in place. Was this something that you created separate and apart, or it was just woven into the existing vendor program that you had?

Shanti Ariker 15:37

We wove it in, but we didn’t have a specific review related to AI. And so when I came to the company, there was a lot of, well, we’re not sure how to handle this, and, you know, doing a lot of one-offs. And so we wanted to create a more systematic process, and I didn’t want to reinvent the wheel. I have to give kudos to both Microsoft and Atlassian, who’d published principles on transparency and how to think about reviewing AI, especially LLM models. And so we took a look at those. I mean, Microsoft’s was 17 pages long, and obviously we’re going to do something that extensive, but we took a look at it and tried to understand what we could draw from those, and how they can be applicable within our own company. So, you know, what I would say as advice is, you know, there’s already a lot of advice out there about what to think about, how to vet AI vendors. And as you said, most vendors have AI built in today. And we’ve been using many AI vendors for years. We just don’t think about them that way. But many tools have already incorporated AI to some extent. So it’s more about, I think, what lately has led to more angst was the LLM and the training of the models on the data that you’re inputting into it. Thank you.

Justin Daniels 17:03

So now I want to delve into a little bit about one of the biggest challenges that I’m seeing for Chief Legal Officers, and it’s this. There are now 19 states that have privacy laws that are passed. You’ve got this SEC cyber rule out there. Now you have AI coming onto the scene. So how do you help the business team, or support them, in making informed business decisions while balancing all these emerging legal risks across these interconnected disciplines?

Shanti Ariker 17:35

Well, I’ve been in-house a long time, and when I first started, you know, there weren’t very many people in-house. There was typically a general counsel and one or two lawyers working on just about everything, and everything was farmed out to outside counsel. Over the years, there has been a buildup of legal folks in-house, and especially prevalent is the privacy area. Because prior, even 10 years ago, there wasn’t a big group. Like, we had one privacy lawyer when I started at Salesforce, for example, and maybe then we had two, and they had to go around for everybody. And so I think, and that is one reason that I got certified in privacy when I was living in Canada, because I needed to be able to speak to the laws myself. As it’s become more complex, and you mentioned 19 different laws in the US, but we also have so many areas of law that we have to cover outside of the US as well, depending on where you’re doing business, our team has to stay focused. I’m lucky enough to have three people on my privacy team now, and we stay up to date, and obviously I have my own certifications in privacy, but we look at numerous resources, including the IAPP membership that we have and we all maintain. We leverage CLEs through the different law firms we have. We partner with an external data processing officer who is like a check and balance against our privacy program, to benchmark against other companies and what the current risk levels are, and that helps us as well. And our privacy team is also dedicated to both AI and cybersecurity. So, you know, I recently spoke with my lawyer who oversees SEC compliance and corporate, and she said, you know, when the privacy lawyer talks, I don’t even know what she’s talking about, because it’s just such a different area of law that I’ve never delved into, and I’m really interested to learn more. So I think, you know, it is becoming such a specialization, you really have to understand the complexity involved.
And so, you know, we really emphasize within the company embedding ourselves into the product, and especially in other business areas, so that we’re ensuring that they understand privacy by design and the privacy principles that we are dedicated to, so that our company will understand the risks, whether it’s marketing, product, sales or anything else.

Jodi Daniels 20:06

Privacy’s cool. I’ve been saying that for a really long time, and for some of your team members who want to learn, it’s emphasizing privacy is cool, the space to be. Now, with that being said, I know I get asked this question all the time, so I’m going to ask you to put on your crystal ball hat here and share your thoughts on a future federal privacy law.

Shanti Ariker 20:29

Well, you know, it would be, I think, amazing if we could have a federal privacy law. 70% of the nations in the world and 79% of the global population are protected by national privacy laws. And of the top 10 GDP nations in the world, the US is the only one that does not have a federal law. And so, you know, we’re being drawn along the way to improve our privacy practices by the European Union, who’s been ahead by promulgating GDPR. And then other countries have, you know, been following in those footsteps. And then we have states like California, who’ve passed legislation like the CCPA. And then that’s just created this, you know, roller coaster, as we talked about, of the 19 states that have varying laws. And so now we’re forced to be doing a review of, where does GDPR have differences? You know, cookie banners have to be either, you know, across the board as stringent as the most stringent, or, you know, typically businesses don’t want to do that, so then you have to really factor in what the differences are across the different jurisdictions. And so having a privacy law at the national level would just make it so much easier, both for businesses to understand what they can and can’t do, and make it more systematic across the US, but also for consumers, to understand what the rules and regulations are and how they can maintain their own data in a safe way.

Jodi Daniels 22:13

It makes sense. It will be very fascinating to see what will happen. The statistic that we’re the only top 10, you know, country without a national privacy law, a comprehensive one, right, we have our sectoral laws, is very, very telling. Of the good stuff, I think a lot of people listening are going to like that one.

Justin Daniels 22:31

So when you are out at a cocktail party or whatnot with friends and they ask you, do you have a best privacy or cyber tip you would like to share with our audience?

Shanti Ariker 22:44

I have so many, you know, and I actually, I have to say, the number one thing, I remember once saying, like, I’m locked out of all of my accounts because I can’t remember any of my passwords. I think the number one would be to use a password manager, and then to make sure that you don’t forget your master password. I actually keep mine in the safe. And, you know, check your privacy settings on all your social media, because anytime they update to a new feature, they’ll set it to the default. So you need to, from time to time, review what you’ve set and update those, and you’ll be surprised to see that you didn’t realize. Why was this ad following me around? It’s because they had some new feature and I didn’t turn it off. You know, check your browser settings, your geolocation, your tracking default settings. Yeah, I love Taylor Swift, and she has a song about a bar, about her, you know, one of her exes, and she sees that he’s in this bar in London. And why? Because he forgot to stop sharing his location with her. So, you know, I think these are all things that we don’t think about anymore, you know. And I remember having a discussion with my kids when they turned off their settings for me, about why it still was important to share their locations. And I wouldn’t be a stalker. I just would like to know where they are, and that way I don’t have to call them all the time and say, where are you right now? So, you know, I think don’t necessarily always hit accept and agree, just because you’ll be giving up your rights without thinking it through. I don’t know if you saw that there was recently a case where somebody was injured at Disneyland, and Disney argued that they shouldn’t have the right to sue Disney because they had a Disney+ account where they had agreed to only arbitrate against Disney.
I don’t think that people are thinking that if they accept watching some streaming device, that if they were injured in an accident in a park, that it would apply. So I think, you know, really understanding what you’re agreeing to. And obviously contracts of adhesion are hard to negotiate, if not impossible, those, you know, agreements that you can’t, you can’t say, hey, I’m going to send a redline to Disney+ before I accept this. It’s not going to happen. But you’re all thinking about it, not just accepting everything. I think another really important one is enabling two-factor authentication, and maybe beyond just agreeing to your phone number, looking into using other third-party, I can’t remember what they’re called, but, you know, authenticators. Like, Google has one, other companies have them, so that you’re not tying it necessarily to your cell phone number in case that gets stolen or misappropriated somehow with your SIM card. Definitely not trusting any communication from somebody that you don’t know. Like, the latest phishing scam I read about was about people accidentally texting you, and I used to always say, oh, sorry, wrong number. But now it’s purposeful. They’re purposely doing it from other countries and places to try to scam you. So, you know, I think sometimes having to be harsher with strangers, because you can’t trust, and you trust and then verify before you just blindly accept things. And then backing up your data. Personally, I have a data backup of my own computers at home, both at the hard drive level and then in the cloud. And it’s very easy to set those types of things up, because, you know, you can imagine, if your computer was lost or stolen, you want to make sure you have all your documentation. Most of us nowadays don’t keep a lot of hard copy records, and just think about all the things you could lose, including your pictures, and it could be devastating.

Jodi Daniels 26:58

Those are amazing tips. Thank you so very much. Now, when you’re not giving awesome privacy advice inside or outside the company, what do you like to do for fun?

Shanti Ariker 27:09

Well, for the last several years, I’ve been very involved in writing my memoir, which is about a crazy custody battle that my parents went through that kind of caused me to assess, you know, how I wanted to raise my own kids, and ultimately, it is a coming-of-age story on how I changed my life through getting into another conflict by joining the Israel Defense Forces in Israel and coming out the other side, you know, thinking through everything that I’d done. So I’ve been working on that for several years. If anybody’s interested in seeing more about my writing, I have a website, shantiariker.com, where you can see more about that.

Jodi Daniels 27:57

That is so fascinating. I love when we ask this question, because we learn so many new things.

Justin Daniels 28:01

I’m thinking, when the movie comes out, Gal Gadot may be playing you.

Shanti Ariker 28:06

I would love that.

Jodi Daniels 28:08

Well, we’re so grateful that you came and shared all that you have this morning. If people would like to learn more and connect, in addition to your website, where should they go?

Shanti Ariker 28:19

LinkedIn and my website are probably the best.

Jodi Daniels 28:24

Well, we’re so grateful that you came this morning. Thank you so much.

Shanti Ariker 28:27

Thanks so much for having me. It was really fun.

Outro 28:35

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.