
Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.


Jodi Daniels  0:22  

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and Certified Information Privacy Professional providing practical privacy advice to overwhelmed companies. Hi.


Justin Daniels  0:36  

I’m Justin Daniels. I am a shareholder and corporate M&A and tech transaction lawyer at the law firm Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk. And when needed, I lead the legal cyber data breach response brigade.


Jodi Daniels  0:58  

And this episode is brought to you by ding Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. Hi, how are you? Why are you smirking?


Justin Daniels  1:40  

I don’t know


Jodi Daniels  1:40  

just one of the ridiculous answer.


Justin Daniels  1:43  

I was laughing because we were talking about I just got a haircut. And I said, Jodi, what do you think my haircut is? And she’s like, it’s a haircut. And then I said, Well, when, when you get a haircut, we make a big deal out of it.


Jodi Daniels  1:53  

And that’s because I said, our haircuts are cooler,


Justin Daniels  1:57  

right? You have cooler fashion, cooler hair,


Jodi Daniels  2:00  

more cooler,


Justin Daniels  2:01  

I guess so. Well, we have a terrific guest today. This is someone that I met when I was at the Gasparilla festival donning my pirate hat to speak. And I met Christina Shannon. So Christina is a CIO in the CPG chemical manufacturing center with a career that spans over two decades, transitioning from Fortune 100 companies to executive technology leadership roles in mid-sized private equity firms. Her journey includes serving as a chief information security officer for time wow, gaining experience in developing effective strategies to address enterprise cyber risk across most industries. As a CIO, Christina’s focus has been on leveraging technology to drive innovation, improve operational efficiency and secure critical digital assets in the CPG chemical manufacturing industry. Christina, welcome to the show today.


Christina Shannon  3:02  

Thank you. It’s really nice to be here. You know, it’s one of those where you don’t often get asked to do an awesome podcast with a husband and wife who just rock it on two of arguably my favorite subjects, security and privacy.


Jodi Daniels  3:17  

Well, that was really kind Well, Christina, you’re always welcome on the show if you’re going to be that guy, but we always start with understanding how you got to where you are. And Justin gave us a little sneak peek. And if you can take us on the journey, that would be great, sure. So I


Christina Shannon  3:36  

would say, my career, in a nutshell, has been a story of growth, and I’d say, like, adaptation. It’s been one where the journey didn’t start the way I thought it was going to start. And I’m still not sure which twists and turns it’ll take, but I sure have enjoyed the ride. So I’d say, you know, my career really started in IT. I got my IT degree. I was technical. My ideal role was, you know, something where I didn’t get in front of people. Didn’t have to lead people. I could just work on, you know, widgets and ones and zeros all day. So, you know, 20 years later, it’s, you know, in a CIO or CISO role. It just goes to show that, you know, you can start technical and get here, or you can not be technical and get here. But both paths are available to anyone. But I would say I started, you know, early on, at a place like the Geek Squad, for lack of a better way to describe it. Then I moved into a three-person IT team, still in Ohio at this point, and then I got a call one day from this massive company who was supporting a Fortune 1 retailer. And they said, hey, you know, do you know anything about NAS or servers and storage? And I responded back and said, Yes, I know about NAS. And they still took me, so I still went. I landed in Bentonville, Arkansas, spent the next 10 years there, supporting them as a vendor, and then I eventually worked directly for them. I got my start in security because I moved to RSA Security, who was a vendor support partner for them, and I was a TAM. And then after three years of doing that, the company talked me into working for them direct as a security manager.
So after about seven, eight years there, my husband got relocated, which took us to Oklahoma, and then I had a stint in oil and gas, before finishing out with a CISO role without the title at, like, a $15 billion a year C-store company. And that was one where I didn’t know what I was doing or what I was getting myself into, but I knew I had this opportunity to go build a security program. And so it was really cool. So I leaped at the opportunity. Four years in Oklahoma was enough for me in the sense of tornadoes, not wanting to be around tornadoes, so I took a role next in Florida, was third in line to be the CISO at a big financial services firm. And then one day, I got a phone call from an executive leader that I had met along the way who asked me, you know, Hey, have you ever tried PE manufacturing? And I said no. And I had lots of people telling me, No, don’t try it. But I’ve always said that if I’m going to have regrets, I’ll go try something. It’s just been a motto I’ve had ever since I moved from Ohio to Arkansas many years ago, and so I took the leap and tried it. And then, you know, I’ve had the opportunity to do a few different industries. After three years there, went into ad tech as a CISO role. Then did e-commerce. And then that same person I had worked for in 2018 at the manufacturing firm had reached out in December and said, Hey, I’ve got a, you know, CIO role. Could you use some help? Come, you know, come talk to us about it. And it all worked out. So now I’m in KIK Consumer Products in the CIO role. I’d say I’m a CIO slash CISO at heart. But I’d say, you know, the rest is history of still growing and learning.


Jodi Daniels  7:22  

I think the idea of growing and learning and trying something new is so important. People listening are trying to go from security to privacy. Other people are interested in one of those and trying to try something new. And you really articulated and shared how you can continue to take those skills and move across different industries and different roles.


Justin Daniels  7:46  

So why don’t we start and talk a little bit about what products your company manufactures, so people can get kind of a feel for this.


Christina Shannon  7:54  

Sure. So KIK Consumer Products is a chemical manufacturing CPG; we sell roughly 95% under the private bleach label. So if you walk into a grocery store and you buy the private brand, it’s more than likely that it was us who manufactured that bleach. We also, you know, sell products like polarox pool and BioGuard in our pool division. And then you may have heard of Prestone, that we sell from our auto division. Roughly a two and a half billion a year company, 2,000 people just having a good time trying to help grow and retain customers and gain them.


Jodi Daniels  8:36  

It’s always interesting to see how many companies there are that people would never have thought of before. I think that’s what is always so interesting. When you see people and what it is that they do and where they work, you learn, oh, we make this interesting thing over here that people never think of. So thank you for sharing. Now, let’s go back and


Christina Shannon  8:56  

So Comet cleaner. That’s our claim to fame. We make that.


Jodi Daniels  9:01  

Yes, do they still make Comet cleaner? Yes, they do. I remember Comet cleaner. That was the big one we had when I was a kid. Oh my gosh, I can, like, smell it now. That’s so funny. All right, so let’s bring it out of cleaners and back to the universe of privacy and security. How does your role as a CIO interact with privacy and security?


Christina Shannon  9:24  

So my role as a CIO, I’d say it interacts a lot with both. One in the manner of helping what I’d call a future CISO move from my director role and moving from technical to focusing on business risk, right? Because that’s a big leap when you are running a SOC and running an IR program level to now you want to run the whole program. I would say that this has been an awesome opportunity to be in that developmental type role, because I’ve been there. I’ve been there a couple times, and so I kind of know how to help people get there. And this is a really cool opportunity, because that’s what I’m focused on. I’d say, more than anything, in the security role is, how do I help someone grow while at the same time, how do I help him focus on our crown jewels and tying assets to, you know, where our risk exposures are, and, you know, improving those types of capabilities based off our top risk. On the security, on the privacy side, I would say, you know, our legal team runs our privacy program. I’ve always heard that expression, right? You can do security without privacy, but you can do privacy without security. That’s probably what I would say. My role in privacy is as the facilitator of the technology that helps gain the insights, right, that helps feed our policies and our plans and identifies our data.


Justin Daniels  10:56  

So, Christina, you made a really interesting point about how you’re helping someone develop from, I guess, a more security focused tactical role to more of a strategic role. And it would be really interesting if you could share with our listeners what is it that you need to do, or how do you need to reorient your thought process when you’re taking that leap? Because I find a lot of times, particularly on incident response. When you talk to the technical people, they’re very good at the technical part of the breach, but they don’t always see the larger picture about how the technical piece feeds into the business decisions that the C suite has to make on how to handle an incident. So maybe you could give us some thoughts around that.


Christina Shannon  11:39  

I mean, it’s a couple of ways. I think that, you know, it is hard to broaden that lens from a technical focus, and I would say I was in that same boat. So some of it’s experience that I’ve learned, lessons learned in terms of how I’m applying that to help others now, in the sense of, you don’t know what you don’t know. But when you’re really technical, sometimes you think that, you know, you just go down the NIST control list and you’re looking at, you know, how many tools do I have, or how many boxes can I check across, you know, the identify, protect, detect, respond and recover categories. But you’re not really getting beyond the tool set, and when that’s your only focus, you’re looking at controls, looking at capabilities, but you’re not yet tying those things to what business people care about, which is their assets, and I’d say their ability to make revenue, gain and keep customers. And so I think it’s really that showing the asset connection, and then what that means in terms of, it’s really tying, again, the assets that the business cares about, to the technology that those assets sit on, that they are connected to, and then really showing the risk exposures and tying that to business impact. I’d say, really getting a technical-focus security engineer or director more looking at business impact, risk, thinking about starting with the end in mind. By doing that alone, they’ll have to connect the dots to, here’s the things the business cares about. And then, I think, as part of that, you start communicating a little differently. It’s not, you know, here’s my mean time to detect and here is my mean time to respond, which you need all those in terms of metrics. It’s also, you know, here’s our top risk exposures. Here’s what this looks like from a quantified standpoint. Here’s our options to address, and then working through those remediations. You know, another example would be, and this is me.
I used to think that, you know, when you got a risk assessment, that meant, like, you check that box, but I was not really good back in the day at leading my team to go do the remediation. So we would have, like, these remediation lists pile up, but we still thought that it was okay because we were over-installing our tools across the different, you know, control capabilities. And it wasn’t until you work through an investigation, or, you know, I’ve been through a breach, and then you see it, and you see the whole picture, and it’s like, oh, you know, starting with the end in mind, let’s figure out what are the things our business cares about the most, and put our controls there, and then test that, right, and then make sure that we’re good there before we move on to the next thing. It’s really, I think, getting more strategic in where you focus versus, you know, just focusing on the technology. Try to sum it up.


Jodi Daniels  14:41  

Christina, I was curious. You mentioned that legal runs the privacy program, and people are always asking me, Where should legal, or where should privacy, sit? Does the operational piece also sit in legal, or does the legal team do the review of privacy laws and push down, here’s how you operationalize them? And if it’s the latter, who’s doing the operational piece?


Christina Shannon  15:06  

No, that’s a good call out. So the legal team here would be, you know, the DPA, the data privacy agreement, right? They would be responsible for crafting that, and that’s what they do. They’re responsible for, you know, advising on the laws, but the actual operational piece in terms of how we identify data, how we, you know, our third-party risk management program, and how we look at, like, I would say the contract review is a dual responsibility. We’re looking at it for security. We’re also looking at it for privacy, but we have privacy lawyers that are looking at it for the privacy piece too. The actual classification of data, I’d say, is a joint between us and the business, but we’re the ones that have the tools, and we’re surfacing the data for the Governance Committee to make decisions on, you know, if this is in scope or not. So I’d say it’s a joint responsibility overall, between my team, operationally, you know, enabling the capabilities that give the insight so we know how to govern, or what’s in, what’s not. And then really the legal team as the authoritative source, for lack of a better word.


Jodi Daniels  16:19  

Yeah, thank you for sharing. It’s really helpful. People are always asking. Yeah,


Justin Daniels  16:23  

So another thing that you mentioned at the outset was how you drive innovation, and it gets mentioned a lot on this show, and Jodi and I talk about it a good bit. But what is your thought about how, as a company, or just you individually counseling others, about your approach to artificial intelligence and generative AI and all that stuff?


Christina Shannon  16:50  

I’m laughing just a teeny bit because, look, I would say that the industry I’m in is not known for being bleeding edge, right? I would say that maybe fast followers, and that’s probably because people like me are pushing. But what I would say is that there’s a place for, you know, when I think about AI, you have to figure it out sooner than later, just because, if you don’t figure it out from a security and privacy lens, it’s like, there’s tools out there today that if you just deploy them without thinking about it, there’ll be all kinds of data leakage, or, you know, potential compliance violations. Like, for example, Microsoft Copilot, that would be one. You just roll that out and you start asking it questions without having your access controls in place. You’re probably not going to like the results. But that doesn’t mean that you don’t try those things, like, in the sense of detection and response, right? A lot of the current tool sets out there already have machine learning in them, and so now they’re getting better, where, you know, from a standpoint of anomaly detection, or you know, you’re running a SOC and you have a SIEM, I think that’s really a strong use case for where AI is starting to, I don’t want to call it a game changer yet, but I see that as a we have to keep up, because the bad guys are using it. And so, you know, the faster that they use it to get in, we need to also be able to use it to detect and respond. That would be one main use case I would see from an innovation standpoint. And if I put my COO hat on, it’s more of a, how do we, you know, create the policy first? How do we create a framework to where people understand, like, do’s and don’ts, right, in terms of, you know, use public data if you’re using something like ChatGPT; don’t use your company data, or don’t use confidential data. I think, though, that that’s one.
It’s still, I would say that we specifically are in the education phase. We have marketing product teams, and I would say in those spaces, that’s where we’re finding a few use cases that we’re starting to try. You know, where pattern recognition is providing some extra value, and we see that as adding to our ability to service our customers. But overall, I would say we’re early as a company in the game. Off to the side, I’m super passionate about AI in general and where it’s going, so I’m always curious of, are we going to end up with Rosie the robot, or are we going more towards Skynet?


Justin Daniels  19:28  

Well, another interesting point that I think you’re bringing up is your company may be going along a certain continuum, but you’ve got probably third-party vendors out there. Like, for example, now all the video chats have an AI tool to transcribe meeting notes, and I’ve had to tell clients, I don’t want you to transcribe with AI the meeting notes from calls with me, for two reasons. One, if it’s transcribed incorrectly, you could act on something that’s incorrect. But more importantly, personally, I don’t know where your AI tool is putting this information, and you may have just blown any attorney-client privilege. And a couple companies were like, oh, I hadn’t thought about that. So I was just curious how you think about these risks that may be coming inbound to you, because you may use suit and vendors who are like, Oh, we’ve got this new functionality AI tool, and we’re going to just give it as part of our offering to you.


Christina Shannon  20:23  

I think that you’re spot on, right? And I think that’s where the policy comes in, right? It’s really, I think, when we first start talking AI, and I think in any organization, it’s explaining first, I think, the diverse between Gen AI and then regular AI that’s already been in tools from a machine learning standpoint and pattern recognition standpoint. But when I think about the example that you gave, it made me chuckle a little bit. And I remember an article I recently read where, you know, there’s a police force, I hit exactly where that was, but they’re actually trying out, um, body cams being automatically transcribed using AI. And when I read that story, I was like, huh, I don’t know that I’d want to be, you know, in that first pilot group. Like, let them work out the kinks and then figure it out. Because, from the standpoint of efficiency gains, you know, a streamlining of having to do multiple processes to collect meeting notes, I mean, I think the idea of it’s awesome, and I think that it’s a helper. But I think that when you don’t think about the standpoint of, where’s that data stored, who has access to the data, if you don’t think about those things up front, then, to your point, I think it can definitely be problematic, and then it can end up being a waste of time anyway, to do it that way, and potentially worse, data leakage. That’s


Justin Daniels  21:49  

interesting, because I guess my final point, reacting to what you just said, is, if I were part of that legal team, I’d be saying, Okay, if we’re going to do that, then what is the interval and depth of human intervention once those notes have been transcribed, to make sure they’re accurate or to make sure there aren’t any discrepancies? And I guess we’re still in a phase where, as you develop AI policies, that level and depth and interval of human intervention is really important. Completely


Christina Shannon  22:17  

agree, right? So just to your point, I went to a conference not too long ago, and the conference was fully available in terms of, there wasn’t any, it was out of college. Everything was public in terms of what the conference was going to be about. Nothing confidential, nothing private in terms of the content of the conference. So in cases like that, I oftentimes will, or at least I tried it this time, I’ll use Notes on my iPhone. And then afterwards I tried, you know, dumping it into one of the LLMs and just saying, hey, you know, give me key takeaways. And what I noticed on that was, so I got the key takeaways, and then I asked it a question. This conference I was going to was because there was a mandate being put in by a retailer for all of their suppliers, and if you didn’t comply with the mandate, then eventually there was mention that there would be fines and stuff like that. And so all I did was transcribe, or I asked the LLM, give me key takeaways, and then I said, has there been any mention of compliance fines or anything like that that’s been handed down? And then it went on and gave me, like, a ton of bad data right after that. None of it was true. So I went out and I, like, looked, right, to validate, and it was like, so the hallucination risk is real, and I think you’re spot on that you have to have a human that helps make sure that whatever you’re using is valid and it’s good and accurate.


Jodi Daniels  23:51  

As a manufacturing company, you have not only IT security risk, but also physical operational risk. How do you sort through those different security needs?


Christina Shannon  24:04  

I would say, you know, for me, it’s more about crown jewels identification, in the sense of, when I get to a company, what I like to do is understand, like, you know, from a confidentiality, integrity, availability standpoint, like, what are the risks that would cause a business interruption, and I want to do that first. And so when I got to KIK, I was looking at, we are a chemical manufacturing company. We actually produce our own raw materials. We’re one of the, I think we may be the biggest producer of trilore in North America. And so I knew immediately, you know, if you think about an intrusion, for example, on one of the chemical controls, if they can manipulate that, say, in the absolute, you know, worst case scenario, they could, I mean, you could cause an environmental hazard, right? You’re not just talking about a cyber breach at that point. And so that’s how I looked at OT: where do we have things that could either cause a business interruption, or where do we have things that are even worse? And chemicals were new to me, so this was a new risk; I hadn’t considered this one before. And so when thinking about that, then it’s immediately going and finding out, okay, well, what automation do we have in place with the control system, what things are reaching in from the internet, and, you know, what data is being sent out via the internet, and then making sure that all those things are locked down and you’re monitoring. And so I would say it’s really looking at it from the standpoint of a risk, taking a risk-based approach, prioritizing the risk impact to the business in the event of a cyber incident, and then creating your risk treatments and plans. And I say all this, but the first step I missed was, it goes to all the plants, and that’s what we did.
First was we did an inventory of all the laptops and all the desktops, because if you can get around, you know, 90, 95% coverage of all your laptops and desktops, and you have really good ability to detect and respond, right, anomaly detection, then if you do have an incident, the likelihood that it’s going to cause major business impact is low when you’ve identified, you know, over 90% coverage of your inventory. And along with that, even if you don’t know what the OT systems are, if you go in every plant and you identify all the workstations, you’re going to identify creative, or arguably one of the most critical components of that architecture when it comes to where malware can be dropped for a breach type event. So I’d say it’s just really crown jewels identification and then tying that to risk impact.


Jodi Daniels  26:55  

I think it’s really important and applicable for many other organizations. It’s an important piece. We’re oftentimes so focused on the cyber piece, and you have to connect. Could someone get into a plant? Could someone access a plant? And there’s plenty of plants, you know, that aren’t just chemical that this would be impactful for.


Justin Daniels  27:14  

Completely agree. So Christina, when you are out after an event having a drink, what is your best privacy or security tip that you would like to share with our audience?


Christina Shannon  27:27  

I would say that you can’t protect what you don’t know about, right? So I would go back to understanding your environment and your assets up front. And I’ve had a lot of people say, Well, if you’re in these big companies, you can’t do asset identification, and I would say that that’s a bunch of baloney. I think that you just have to try to, and, like, you have to put the focus on asset identification, and at least get to the point where you understand the exposure to your top assets that your company deems most critical to running their business and keeping their business and operations, and then protecting your customers and helping grow and retain customers.


Jodi Daniels  28:06  

It’s an interesting answer. I was at a conference recently, and someone asked, you know, our company’s so huge and we don’t know where all our data is, and it feels impossible to do it, almost as if that was, well, it’s just too hard, so I don’t have to. And the fellow panelists started the answer with, you start with one. Start with high risk. Start with one. You have to start somewhere. So you have to start somewhere. I like the answer of you just get started and try.


Christina Shannon  28:36  

I love that, Jodi, and I agree 1,000,000,000%. It’s like you have to just chunk it down, and eventually you’ll get there. But don’t just stare at the problem.


Jodi Daniels  28:44  

When you are not doing asset inventories and protecting the physical plants and all the cyber operations and helping with privacy programs, what do you like to do for fun? So


Christina Shannon  28:59  

two things. So I would say one is, I’m a huge Cincinnati Bengals fan. I grew up outside of Cincinnati when they weren’t very good, had season tickets and haven’t missed a game in probably 15 years. So a few years ago, when they went to the Super Bowl, even before that, when they had a 32-year playoff drought that they got over a few years ago on their Super Bowl run, I was able to take my daughter up to that game. And it was one of those experiences where it was like, I think that was gratification, even though we lost the Super Bowl. But, you know, it was one. I’d say that the other thing I like to do is, I like seashells. It’s an interesting thing, but we go to Sanibel a couple times a year, and then just love collecting seashells and doing, you know, interesting things with them.


Jodi Daniels  29:52  

I used to collect seashells as a kid when we went to the beach with my mom, and I still have them. They’re in a jar and they’re on my dresser. They’re really special. Yeah.


Justin Daniels  30:00  

Hey Jodi, do the Bengals in Cincinnati? Who do they typically play?


Jodi Daniels  30:04  

They play some bumblebees. Who’s gonna win, a tiger or a bumblebee?


Justin Daniels  30:11  

With Joe Burrow playing? He’s Adam at worst, he’s the second best quarterback. Now,


Jodi Daniels  30:16  

Not everyone understands why I call them a bumblebee. Would you like to explain?


Justin Daniels  30:20  

Because their uniforms are, they, the Steelers.


Jodi Daniels  30:23  

Everyone knows who you are, yes.


Justin Daniels  30:25  

Since I grew up in Pittsburgh, and it’s funny, Christina, I talked about that when we met, because Cincinnati and Pittsburgh are very similar, yeah. So I grew up in Pittsburgh, my team is the Steelers. They play the Bengals twice a year. It’s a pretty heated rivalry, but


Jodi Daniels  30:39  

their colors are bumblebees, and it’s much more fun to just make fun of you and call them the bumblebee team. So going back to Christina. Christina, people would like to connect with you and learn more. Where could they go? LinkedIn, that’s


Christina Shannon  30:51  

probably the best place to hit me or find me is LinkedIn. I like to hang out there. Wonderful.


Jodi Daniels  30:55  

Well, Christina, thank you so much for sharing all these amazing tips. We really appreciate it, and having some fun with Bengals and bumblebees.


Christina Shannon  31:05  

Yes, thank you very much. This has been a lot of fun. Thank you.


Outro  31:13  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.
