Todd Renner is a seasoned cybersecurity professional with over 25 years of experience leading global cyber investigations, incident response efforts, and digital asset recovery operations. He advises clients on a wide range of cybersecurity and data privacy matters, combining deep technical knowledge with a strategic understanding of risk, compliance, and regulatory frameworks. With a distinguished background at the Federal Bureau of Investigation (FBI) and National Security Agency (NSA), Mr. Renner has contributed to national security and international cyber collaboration, and has played a key role in mentoring the next generation of cybersecurity professionals.
Here’s a glimpse of what you’ll learn:
- Todd Renner’s career journey in cybersecurity from FBI and NSA to private-sector consulting
- Key differences between law enforcement and private sector approaches to cyber threats
- Why private companies hesitate to involve law enforcement after cyber incidents
- Common themes among cyber investigations
- How red team attackers are using AI to exploit vulnerabilities faster and enhance social engineering
- The risks deepfakes pose to trust and how companies can prepare for potential misuse
- Todd’s personal security tip
In this episode…
The rising complexity of cyber threats continues to test how businesses prepare, respond, and recover. Sophisticated threat actors are exploiting the vulnerabilities of private companies and leveraging AI tools to accelerate their attacks. Despite these dangers, many organizations hesitate to involve law enforcement when a cyber event occurs. This hesitation often stems from misconceptions about what law enforcement involvement entails, including fears of losing control over their systems or exposing sensitive company information. As a result, companies may prioritize quickly restoring operations over pursuing retribution from the attackers, leaving critical security gaps unaddressed.
Collaborating with law enforcement doesn’t mean forfeiting control or exposing confidential data unnecessarily. Investigations often reveal repeated issues, including mobile device compromises, missing multifactor authentication, and a failure to improve cybersecurity measures after a breach. To be better prepared, companies need to develop and practice incident response plans, ensure leadership remains involved, and build security programs that evolve beyond incident response. And, as threat actors actively use AI to accelerate data aggregation and create convincing deepfakes, companies need to start thinking about how to better detect these threats.
In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels speak with Todd Renner, Senior Managing Director at FTI Consulting, about how organizations are responding to modern cyber threats and where many still fall short. Todd shares why companies hesitate to engage law enforcement, how threat actors are using AI for faster targeting and impersonation, and why many businesses fail to strengthen their cybersecurity programs after a breach. He also discusses why deepfakes are eroding trust and raising new challenges for companies, and he provides practical tips for keeping both organizations and families safe from evolving threats.
Resources Mentioned in this episode
- Jodi Daniels on LinkedIn
- Justin Daniels on LinkedIn
- Red Clover Advisors’ website
- Red Clover Advisors on LinkedIn
- Red Clover Advisors on Facebook
- Red Clover Advisors’ email: info@redcloveradvisors.com
- Data Reimagined: Building Trust One Byte at a Time by Jodi and Justin Daniels
- Todd Renner: LinkedIn | Email
- FTI Consulting
Sponsor for this episode…
This episode is brought to you by Red Clover Advisors.
Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.
Founded by Jodi Daniels, Red Clover Advisors helps companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, e-commerce, professional services, and digital media.
To learn more, and to check out their Wall Street Journal best-selling book, Data Reimagined: Building Trust One Byte At a Time, visit www.redcloveradvisors.com.
Intro: 00:01
Welcome to the She Said Privacy/He Said Security podcast. Like any good marriage, we will debate, evaluate and sometimes quarrel about how privacy and security impact business in the 21st century.
Jodi Daniels: 00:21
Hi Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified information privacy professional providing practical privacy advice to overwhelmed companies.
Justin Daniels: 00:34
Hi, I’m Justin Daniels, I am a shareholder and corporate M&A and tech transaction lawyer at the law firm Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk. And when needed, I lead the legal Cyber Data Breach Response Brigade.
Jodi Daniels: 00:55
This episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers.
To learn more and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. Well, hello. Hello.
Justin Daniels: 01:31
What’s up? You’re back from your travails at the IAPP conference, where you have very detailed summaries on LinkedIn as to what you learned.
Jodi Daniels: 01:40
I know, and you are back after your inaugural Atlanta AI week.
Justin Daniels: 01:44
Yes. For those who didn’t see it on LinkedIn, I pilfered one of Jodi’s favorite phrases to be the cornerstone of my talk around AI, which is.
Jodi Daniels: 01:55
Well, that’s what you’re supposed to say.
Justin Daniels: 01:56
I want to hear you say it. No, I bummed it from you.
Jodi Daniels: 01:59
Just because you can doesn’t mean you should.
Justin Daniels: 02:02
Exactly right. Alright, so let’s get to today’s guest, which has been a friend of mine personally and also a terrific cybersecurity professional. We have Todd Renner today with us, the senior managing director of FTI consulting. So a little bit about Todd. He is a seasoned cybersecurity professional with over 25 years of experience leading global cyber investigations, incident response efforts and digital asset recovery operations.
He advises clients on a wide range of cybersecurity and data privacy matters. Todd, welcome to the fun today.
Todd Renner: 02:41
Thank you for having me. Good to see you both.
Jodi Daniels: 02:43
Well, Todd, we always like to learn about people’s career journeys. And yours has some pretty interesting steps, like with the FBI and the NSA. So give us a little bit of a snapshot. Who is Todd?
Todd Renner: 02:59
I love that question. I love it in the cybersecurity space as well because I know so many people are trying to figure out how to get into the space. What was your career path? How did you get into privacy? How did you do these pieces?
So I love that question. I’ll give you my background, and I’ve known since a young age that I was interested in technology from the Oregon Trail days and Apple IIes and DOS, which led me to pursuing my computer science degree at University of South Florida and the College of Engineering there. I worked in the defense contractor space for some time, programming, developing, and went out to work as a contractor in Cape Canaveral and Space Coast, thinking that I’d be an astronaut within a matter of days. Instead, I was in a closet programming and developing. It wasn’t as illustrious as I thought it was going to be, but I had this desire to be in law enforcement and ended up working at Rollins College, running the managing an IT department, managing help desk and web team, and as a system administrator and retired FBI agent and told him that I wanted to be an FBI agent as well.
And he said, well, as a matter of fact, we need your skills. This is before 9/11. This is the late 90s. I applied and ended up getting hired, going to New York just after 9/11 in that career path. Seeing the different ways that you could use your technology background.
I ended up being on the Joint Terrorism Task Force for a number of years. I was lucky enough to be on our intrusion response team, which is CAT team. I spent about ten years on our SWAT team, so I was able to practice both the technical side and the tactical side. It was fantastic. I finished out my career in the FBI Atlanta Cyber Task Force as one of the supervisory special agents, and it’s a famed task force in the government. Great skills made up of local, state and federal investigators, intelligence analysts, computer scientists, forensic accountants, and really a wide range of experience and skills that helped me move my experience, both from the NSA days that you talked about to the overseas diplomatic days to now into the consulting world. So my career has evolved from knowing I wanted to do it at a young age, having a little divergent opinions on what technical versus tactical meant, and then eventually coming into consulting world.
Jodi Daniels: 05:16
Well, I can only imagine that in consulting and advising with companies, you’re able to really draw on those technical and tactical experiences, which is so important.
Todd Renner: 05:26
Agreed. And it’s been great to be able to leverage both sides.
Justin Daniels: 05:29
You just teed you up for the next question.
Jodi Daniels: 05:32
No. That’s you.
Justin Daniels: 05:33
Oh you should.
Jodi Daniels: 05:35
But that’s your job.
Justin Daniels: 05:36
Okay.
Jodi Daniels: 05:37
Then I would take your job.
Justin Daniels: 05:38
You can see who the junior partner is in this podcast. Todd.
Todd Renner: 05:41
See.
Justin Daniels: 05:42
So building on what Todd just said, Todd, what is the biggest challenge working on cyber and law enforcement versus the private sector?
Jodi Daniels: 05:51
That’s a totally different question, by the way.
Justin Daniels: 05:54
I see.
Jodi Daniels: 05:54
We’re just going to say.
Justin Daniels: 05:55
We’re not here to listen to us debate. I want to hear what Todd has to say.
Todd Renner: 05:59
Still an interesting question, regardless of the debate. I was on the IT side before law enforcement, and now it’s not called information technology as much. It’s more in the cyber world from Myspace, but in law enforcement and the private sector, we are both going after the same threats, the same criminals. US law enforcement has a different mission to get closer to attribution, which is probably one of the biggest challenges I see in the private sector. I lose the ability to have that judicial process that I had in law enforcement, the subpoena process and search warrants, which were fantastic and gave great information, but that was really trying to get towards attribution of who done it.
And the private sector, I don’t find that clients care as much to get all the way towards that attribution. They’re very interested in returning to an operational state, that having some confidence that the bad actors are no longer on the network. And that really gets to that shared responsibility that law enforcement and the corporate private sector have in combating this threat against all of our friends, families, organizations. The other part of that is the scale of the attacks that you see in the private sector. As a naive government employee hoping that everyone was telling the government everything you realize in the private sector, that’s not necessarily the truth.
Either by design or by legal considerations or privacy considerations, the private sector is not telling the government everything. Sometimes it’s good, sometimes not. I do encourage all of our clients to consider working with law enforcement when it’s appropriate, and provide my experience of what it’s going to be like and living through that. Sometimes effective, sometimes the clients don’t want that exposure, but the differences are subtle because we’re going after the same bad actors, the same criminals. It’s just a different point of the attack cycle of where the private sector, in my experience, the private sector, are coming in, whether it’s theft of digital assets or risk to private equity and mergers and acquisitions, or just looking at it from a different perspective and being especially being at a crisis firm like FTI.
Jodi Daniels: 08:10
I’m curious if you can expand a little bit on the hesitation that you were just talking about, where private sector doesn’t always want to share information?
Todd Renner: 08:20
Yeah, that’s a good question. And sometimes for our friends in the outside counsel world, like Justin, of making those decisions of when to involve law enforcement. And sometimes I think some of the decisions could be misinformed. You know, the thought that law enforcement’s going to come in and raid jackets and take all your equipment and not give it back is not necessarily true. And so I think that hesitation comes in not necessarily knowing what to expect.
But there’s also a matter of where we see almost family affairs companies want to hold that issue close hold. They might — I don’t see as much shame around it anymore if you get breached. There used to be a man of shame, like, I can’t believe it got breached. Now, I think people accept that they’re eventually going to get breached. But there’s still, in my view, a version of like, I want to hold our family secrets near and dear, and we don’t necessarily need law enforcement involved at all.
Jodi Daniels: 09:19
So I’m also curious, I, you know, in working with so many different clients, there’s probably some common themes that you see a lot when working on these different cyber investigations. What are some of the top ones that you kind of see over and over again?
Todd Renner: 09:34
Yeah, and that has evolved over time. I remember during Covid we were getting the questions like, what? What’s happening now with the government? What’s going to happen now because of Covid? Well, the threats weren’t changing, right?
People were still I didn’t need to go outside to be able to hack your network or get onto your network from far away lands or even criminals close by. But recently, we’ve certainly seen an uptick in mobile device compromises. We’re seeing an issue with our boardrooms and c-suites and users and new employees are very reliant on their mobile technology. We have certainly seen an uptick in mobile device compromises. I don’t know if that’s a result of nation state actors or if it’s that increased reliance on mobile technology, or maybe it’s an increased diligence with companies doing mobile device management where they’re picking up these intrusions or compromises.
But we’re certainly seeing that in mobile devices. I do see a common theme around multifactor authentication, too. Surprisingly, in 2025 that there’s companies that don’t have that implemented on key systems, sometimes for reasons that have passed down generations. But that is surprising. We see that frequently.
And I’ll leave it as a third piece of what we see frequently is that transforming a cyber program after an incident. I see a lot of operational expenses going into buying tools or hiring correct people after an incident. And when a company has an incident, we’re all involved for weeks at a time trying to get everyone back up and running and everyone the confidence level that they’re safe again. It’s that transformational planning that is a common theme. I see that companies just get back into their old habits of all right, so the boardroom’s not getting briefed, the C-suite’s not getting briefed, outside counsel’s not being involved when they should be.
And so getting back in those old habits and not transforming your cyber program following an incident is a fairly common theme that we’re trying to combat. We’re trying to work with companies wherever we can to transform their cyber program.
Jodi Daniels: 11:37
Those are really good tips.
Justin Daniels: 11:39
See, it’s funny that Todd says communication.
Jodi Daniels: 11:42
So important. Communication.
Justin Daniels: 11:43
I think there was some hidden meaning in what she just said about communication.
Jodi Daniels: 11:48
Shows up everywhere.
Justin Daniels: 11:50
Right? Or a particular co-host. Lack of communication.
Jodi Daniels: 11:54
We’re focusing on Todd.
Justin Daniels: 11:56
So, Todd, I kind of wanted to you know, you brought up the point about really what you’re saying is people go through a breach and then as soon as it’s over, it’s like right back to what we were doing, as if nothing had happened. Which brings up the idea around all of this artificial intelligence. And the last time you and I had coffee, I’m just going to ask you the same question, which is, you know, put on your red hat if you’re a threat actor, given all of your experience, where would you attack AI tools if you were a hacker? As you look at the landscape of where we’re at right now with AI, because we know there’s going to be new cyber threats, there always are. But, you know, what does that look like from your perspective?
Todd Renner: 12:40
Yeah, that’s fresh off your trip to AI week. Right.
Justin Daniels: 12:43
So our coffee you you.
Todd Renner: 12:46
Yes.
Justin Daniels: 12:46
But you told me was fascinating. So let’s do that again.
Todd Renner: 12:50
I do think that AI is creating this ecosystem that’s going to keep us all employed in the security and privacy arena for as long as we want to be employed in there, because it’s creating a lot of hype. It’s probably worth creating that hype around using AI. Deploying AI and understanding the incredible opportunities that AI presents for companies both on the startup side, but actually how people are using it in their day to day world. And I think in the world of red teaming, where we’re looking at like real world attacks to help companies understand where some of the risks and vulnerabilities are. I think those Red team attackers are going to use this to aggregate data quicker.
They’re going to be able to identify and exploit vulnerabilities a little bit quicker. The use of deepfakes and, you know, being able to generate a replica badge that looks exactly like a normal badge. Not that we couldn’t do that with Photoshop and other tools now, but I think AI is going to increase that efficiency for very creative red teamers that are looking how to simulate an attack. And as it stands now, as you guys know, it’s the talk of all the boardrooms, the talk of the media. It’s the talk of, you know, general counsel meetings and C-suite meetings.
Employees are talking about it. And what that does to me is it introduces this, this vector of attack for red teamers. That’s different than a normal system. I don’t know how many boardrooms or c-suites are talking about the latest database server that’s exciting, or the latest web server exciting, but they’re going to be talking about AI. They’re going to be talking about and possibly bragging on social media.
They’re possibly going to be putting out press releases about their use and how they’re using AI, which gives a red team actor and even pen testers, which is a little bit different. It gives them access or knowledge of those crown jewels that someone’s going to click on a link that’s going to enable me access, or it’s going to, you know, it’s going to give me a way to segue into a conversation with someone at a bar. I’m trying to figure out more about a company or a restaurant or someplace that a red teamer might start attacking these companies and using AI, both on the technical side, but also on the social engineering, and then generating very realistic voice interactions and real realistic videos.
Jodi Daniels: 15:13
Well, speaking about those realistic voice and videos, I was just having a conversation before this podcast about deepfakes and the concern of how will you know that it’s the real thing? Or how do I continue to trust that person and that brand that concerns me? So what are you thinking about that, right? You have this law enforcement background. You’re seeing what’s happening in the private sector. It frightens me to pieces.
Todd Renner: 15:44
Yeah, I’m with you. Deepfakes are something companies should definitely be paying attention to. I’ve worked with some to consider code words for their accounting departments, to make sure that if there’s a transaction over X number of dollars, that there’s also an associated code word, almost like our home alarm systems that might have a code word to know if you’re in distress or not. I think the same thing would be true to start combating deep fakes and the technologies behind that. Companies, I think, need to start thinking about how to detect those voices and videos.
Similar to the onset when I was growing up and Caller ID came out and like, oh my goodness, we could actually see who’s calling ahead of time. We learned later that you could fake that, but I think the same technology should be used for combating deepfake voices and videos as well. Trust. Trust is key. I mean, it’s if you can’t trust what you’re seeing and reading and who’s talking to you, and there’s a possibility there’s a deepfake.
It’s — I think it’s going to cause issues for companies moving forward.
Justin Daniels: 16:47
So, Todd, I want to drill into this a little bit from a different perspective, given your FBI background is tell me how things like the next election cycle will work or things that get put out on, you know, platforms like TikTok that are completely fabricated videos. But before you even have a second or to process it, it spreads like wildfire and becomes the narrative. And yet it’s completely fake. I just don’t know how we’re going to get around that problem. That’s the part that really worries me, is you’re going to erode trust in civil society and government institutions.
Todd Renner: 17:27
Yeah, I wish I had an answer for that. But I do know that we’ve seen over the past few election cycles that the ability of the algorithms of what we’re staring at every day on our phones, whether very young kid or very elderly citizen, is impacting your decision making, much like marketers figured out years ago that if you put things at the end caps of a grocery store, people might buy it because it’s sugary or it looks bright. And I think the same thing is happening for the election cycles of no matter which side of the aisle you’re on and whatever country you’re on, the data that is being fed to us is really getting easier to manipulate. Who’s going to believe what data you’re seeing. And so the implicit bias that’s there to drive videos and messages to someone that feels a certain way.
We’ve seen over the course of many, many election cycles now that it works, it’s effective.
Jodi Daniels: 18:27
Well not really happy note Todd. Knowing everything that you know, what is your best security tip that you might offer your friends who don’t do this all day long like you?
Todd Renner: 18:41
Yes. So on the organizational level, I think the best security tip is to have a plan. Make sure you’ve practiced this plan. Know. Know what’s going to happen.
I don’t know what’s going to happen to your company or your house, but I know there’s 5 or 10 things we could pick that’s going to happen. From a ransomware attack to an insider threat to a business email compromise. Have a plan. When I was in the UK, I was always amazed by big meetings. They would talk about the fire drill beforehand.
We do it in schools and some office buildings, but they do it for many of their meetings. That sort of planning, much like a fire drill, has to happen in organizations. For my friends, on the personal level, I would encourage everyone to have these conversations with your kids and with your parents the same way we teach our kids not to do certain things. Don’t. Don’t go to that creepy van that’s offering free candy or, you know, puppies.
We need to have these conversations around protecting our children and our elderly parents. The text messages are really, really targeted now. They’re really good at getting to our family members and our friends that. Can we have a lunch or. Hi, I’m sorry, who is this?
I forgot I lost my number and people reply and they fall into this category. They fall into this trap of conversations and depending on where you’re at in your stage of life, that might be a welcomed conversation, right? You might want to just start chatting with someone. The 2024 Internet Crime Complaint Center, which is the FBI’s way of tracking some of these crimes. Their numbers were just released recently, and that they had investment fraud at $6.6 billion and business email compromise at 2.8 billion.
Government impersonations were at 400 million. So the whole spectrum from impersonations and those deepfakes all the way through my security tip is to have these conversations with your children, with your parents, because we are vulnerable and it’s working. It’s working over and over again to the tune of staggering billions of dollars of money.
Jodi Daniels: 20:46
Very good. Very good tip.
Justin Daniels: 20:49
So, Todd, as we like to always conclude on a fun note, when you’re not doing your cyber stuff and consulting, what do you like to do for fun?
Todd Renner: 21:00
All right. My free time. My fun time is normally spent keeping up with the family kids’ schedules. It’s normally a wash, rinse and repeat type of weekend of soccer. I’m a bad tennis player, but like getting out there, I’m a worse golf player, but try to get out there and get better as well.
I do read a lot of content on cyber threats and intrusions and technical reviews, and of course I listen to great podcasts like yours.
Jodi Daniels: 21:29
Well, Todd, we’re so excited that you were a guest on our podcast. And if people would like to connect and learn more, where should they go?
Todd Renner: 21:38
I am on LinkedIn, Todd Renner here in Atlanta, and they could also email me at Todd@fticonsulting.com
Jodi Daniels: 21:46
Amazing. Well, Todd, thank you so much for sharing and joining us today. We really appreciate it.
Todd Renner: 21:52
Thank you for having me.
Outro: 21:57
Thanks for listening to the She Said Privacy/He Said Security podcast. If you haven’t already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time!