Mike Jones

Mike Jones is the Chief Privacy Officer at Randstad, an employment and recruitment agency for both temporary and permanent staffing. Randstad employs more than 5,700 internal staff in North America, generates almost $30 billion in global annual revenue, and maintains a presence in 38 countries.

Mike is also the Director of Global Privacy for Monster, a global company that connects employers and candidates that are searching for their perfect fit.

Available_Black copy
Available_Black copy

Here’s a glimpse of what you’ll learn:

  • Mike Jones talks about his background in data privacy
  • A typical day in Mike’s role as a Chief Privacy Officer
  • Mike and Justin Daniels discuss the tensions between marketing and privacy
  • What is the difference between your company’s privacy department and its security department?
  • The benefits of state privacy regulations — and how to stay up-to-date on the ever-changing privacy laws in your area
  • Mike’s advice for new CPOs: it’s all about the data lifecycle

In this episode…

Does your company know the difference between privacy and security? What are the benefits of a dedicated Chief Privacy Officer? And, how can you improve both your data privacy and security in 2021?

Unfortunately, many people — even tech professionals — don’t know how to distinguish between privacy and security in a business. This often results in a company’s privacy and security departments being combined into an odd aggregation that no one really knows what to do with. If you want to avoid this problem in your business, you’re in luck! Chief Privacy Officer Mike Jones is here to discuss the differences between privacy and security — and explain once and for all why your company needs its own distinct privacy department in order to thrive.

In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels sit down with Mike Jones, the Chief Privacy Officer at Randstad, to discuss his strategies for managing your business’ data privacy. Listen in as Mike talks about his daily tasks and concerns as a CPO, the distinct variations between privacy and security, and how to understand — and keep up with — your state’s privacy laws. Stay tuned!

Resources Mentioned in this episode

Sponsor for this episode…

This episode is brought to you by Red Clover Advisors.

Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.

Founded by Jodi Daniels, Red Clover Advisors helps their clients comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, SaaS, ecommerce, media agencies, professional services, and financial services.

Their free guide, “How to Increase Customer Engagement in a Private World,” is available here.

You can also learn more about Red Clover Advisors by visiting their website or sending an email to info@redcloveradvisors.com.


Host (00:01):

Welcome to the, She Said Privacy. He Said, Security podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Host (00:21):

Hi Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors we are a certified women’s privacy consultancy. I’m a privacy consultant and a certified information, privacy professional, and I provide practical privacy advice to overwhelmed companies. And I’m joined by my sidekick.

Speaker 3 (00:37):

This is Justin Daniels. I am passionate about helping companies solve complex cyber and privacy challenges. During the lifecycle of their business. I do that through identifying the problem and coming up with practical implementable solutions. I’m a cybersecurity subject matter expert and business attorney.

Host (00:55):

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, e-commerce, media agencies, professional and financial services. In short, we use data privacy to transform the way companies do business. We’re creating a future where there is greater trust between companies and consumers to learn more, go to redcloveradvisors.com. And today we have a very special guest. We have Mike Jones. Mike is a privacy pro currently working as chief privacy officer at Randstad North America, where he leads privacy across all Ronstadt North America business units, including job search website, monster.com and Ranstad’s outplacement service RiseSmart. So Mike, welcome to the show. We’re so glad that you’re here

Host (01:51):

If I need outplacement for my trash hauling services on Tuesday night. I know exactly where to go

Mike (01:59):

We will help you touch up that resume

Mike (02:04):

It’s not just outplacement. We also do a training as well. So even if you’re not terminated at that trash hauling we make you better.

Host (02:15):

Oh, you can sign up too. Wow. All right. So Mike, talk to us. How did you get started in your career and find your way to privacy and serving as a chief privacy officer?

Mike (02:25):

Sure. Yeah, I got started before I knew privacy was a thing. I basically grew up on the internet all the time, back in the days when had a 14, four modem and on AOL and someone picks up the phone and knocks me offline. I’m just fascinated by the amount of information that was available, learned so much. Looking at all of the information you see online, realizing that there is personal information despite how you can control some of it way back in the days when nobody knew you were a dog on the internet, but other data sources started coming online and people no longer had control over their own data. Know there’s all kinds of data brokers. You know, the phone book was online. It was very easy to look up information about people and I just thought that was interesting. So I went to undergrad and studied engineering and liked it.

Mike (03:17):

Wasn’t terribly interested in being a practicing engineer, went to law school and in law school I was on the law journal at Ohio State under the advisorship of Peter Swire, who is a relatively well-known name and the privacy world. The journal was The Journal of Law and Policy for the Information Society, a big mouthful. And I’m pretty sure they’ve shortened the name now, but the law journal published an issue every year dedicated specifically to privacy law. And then another issue dedicated specifically to cybersecurity, which made us fairly unique among law school journals and working on that journal. I realized that there’s an entire practice of law, maybe still a little bit emerging at the time, but entire practice of law dedicated to the kinds of things I was actually interested in. And I sat through all of the standard law school classes -contracts, evidence, criminal law, civil procedure, but working on the journal and seeing that privacy was also this area is the convergence of information and access to information and technology.

Mike (04:16):

And even a little bit of psychology in terms of how people feel about the way that their information is collected and used for me was really fascinating. And then after law school, I had the opportunity to start actually@monster.com, which is fairly unique among sites in that we collect a whole lot of personal information and we turn around and we sell access to that information to third parties, which not very unique, but the difference with monster is that people give us the data, wanting us to sell it to these third parties and specifically employers, we don’t just sell it to anybody. We have a whole bunch of screening mechanisms in place, but that makes it a very interesting company to work at from a privacy perspective. You know, very rarely do you have people saying yes, yes. Please take my data and go sell it off to these other people because I really want them to have it because I want a job, but that’s the wonderful world that monster existence and continuing to work on these issues. I still find the field totally fascinating. So I stayed in it since I started out of law school and have just grown as I’ve been through almost every every privacy issue imaginable.

Host (05:12):

Actually the monster models is a good one for companies to probably study about how to create demand, especially as so many of the new state laws that are coming on board are all about how to opt out of the sale of data, but here I’m consenting, right. I’m I’m saying, please do that. And I think that’s actually really interesting business model for other companies to be able to study, to learn what monster did to make it such a place for demand. 

Mike (05:37):

And it comes along with creating a marketplace. So monster has been compared to a number of different types of businesses- dating services, where you’re trying to match an applicant with an employer. But having that marketplace where you’re really drawing both parties to the marketplace, because each party wants to talk to the other party, recruiters want to find candidates and candidates want to be found by recruiters. Yeah, it is a great business model because as long as you can get people to demand the services that are being provided on the other side, we can get that consent. And as you noted that makes it very easy for us to share information between the two parties. Now, of course, we, we do a lot of checks and balances on that to make sure that we’re not just making it available to anyone. We don’t want a choice point of turning around and making information available to whoever seems to be asking for it. Right? So we, we do extra work on that front to make sure if we tell you your data’s going to go to person A that its actually going to person A,

Host (06:30):

Your current role. Like I was on the phone last week with a woman who was the general counsel, chief privacy officer and chief compliance officer. What I’ve learned is these roles are evolving. So my wanting to understand what your role day to day looks like at Ranstad when you have other companies that may put the chief privacy role, general counsel, chief compliance officer role into one, but in your company, you’ve carved out that role. So what does that look like for you on the day to day?

Mike (07:01):

The benefits of being a large company is that we’re able to carve out a little bit more specializations that are worth having one full-time employee or more dedicated to that specialization rather than having somebody wear three or four different hats across risk management, security, privacy compliance. And in terms of my particular role its really focusing on the way that we collect and use information trying to avoid it being based, a strictly compliance type of question, really have it being a more strategic decision making around how much personal data would we want to collect, how we want to use it, how we make it available. And I tend to focus on those kinds of things day to day is dealing with that approach, but across a wide variety of different partners that I have internally at the company I work with pretty much every department, HR marketing, sales, service, security work a lot with security and then also our product team. So when we’re providing services out to our customers, making sure that those services meet the needs of our customers and they will have requirements, not just for their contracts with us, but also requirements to give them confidence that when we handle their personal data, that we’re capable of doing so, and they don’t have to worry about us having it.

Host (08:14):

I wanted to ask you a follow-up question because I see Mike, you had me at the word marketing and the question I wanted to ask you and follow up is, and I see this with Jodi and the ad tech space quite often is your role. And the role of marketing a lot of times can clash because marketing wants to get things out to people. They want to get data. They’re all about crafting very specific messages and this whole privacy regime and what you do they’d rather not listen because they just want to get it out there. And I’d love to know how you go about working, particularly with the marketing department who may see the side of you and try to run for cover. 

Mike (08:54):

There may be no bigger clash than, than privacy in marketing, because as you said, marketing is let’s collect all of the data and use it for everything all of the time, or, well, let’s collect all of the data and we’ll decide in two years while we want to do it, the data that we collected. So part of it is helping them understand, like there is a responsibility for holding on to large amounts of data. And the more data you have, the more your risk goes up. If you’re not using that data, you’re taking off risk and getting no benefit for it. So that that’s the first step is trying to cut down a minimization, trying to exercise minimization and cut down on information that say, Oh, well, yeah, you know, this is about customers from seven or eight years ago. And it’s, are you, are you actually marketing to them any more?

Mike (09:31):

Do you need this data? Well, no. Okay. Well then let’s get rid of it. For the data that they actually are using. It’s really making sure that when we are ingesting the data, that if we’re doing it as a consent based activity, that we’ve looked at the consents and made sure that we understand what the person has agreed to receive. In many cases, especially in the US we’re dealing with you know, no direct consent on that ratio, nobody’s checked a box, it’s either a cold phone call or a cold email. And in that case, it’s, yeah, it is a bit of a challenge with the way that marketers work. And it’s trying to avoid the creepy factor. You want to give somebody comfort. I mean, we’ve all received those messages in our inbox and immediately it’s like, Ooh, no, you hit delete. And you know, that’s a message that if person deletes it or marks it as spam, probably never going to get delivered to that person again. So trying to help them understand that better quality data also produces better results

Host (10:22):

Speak my language. I feel like I saved this all day, all day long, especially in the emails that you’re going to hit me again. You complete me, you complete my privacy world. Thank you. I do have the same, the same conversation on the email side. And especially, you’re also paying for the email and paying for the storage and your deliverability rates can go down. If you’re delivering to people who don’t want them, if they opt out, then they mark you as spam, maybe inappropriately. Cause they’re just mad at you that can affect everything else. There’s a big cascade that could happen. We could have a whole episode on that, but let’s not for the moment. And you mentioned that you work a lot with security. I think it’d be really interesting to talk about that, that divide, right? What do you work on versus what does security work on? Where did the two of you come together? I think there’s a lot of companies that struggle with where does privacy fit? This is privacy with the security people, can, the security people do. Privacy is an illegal function, a compliance function, a risk function. So I’d love for you to talk a little bit about how you all do it.


Yeah, that’s a great question because I see that same struggle even for my internal business partners on not necessarily knowing who to contact. I figure if they get anyone in legal and privacy or in security there, they’re already doing a pretty good job because we can circulate around it as needed amongst us. So when I worked with security, the way that I try to draw the difference is in privacy, we really focus on how data is used, the purposes behind why the data was collected. The, the purposes that the company uses it for, which are unique to privacy that that area has fairly minimal overlap with security compared to other things like privacy and security by design, even some of the basic privacy training that we do internally in the company is essentially also just security training. So when I, for me, it’s, when we talk about actually using a system and what kind of data are we putting in there and how are we using it?

Mike (12:25):

Where else are we storing it? Well that one has a little more security, but really the focusing on the how and why. Because we see so many of the laws states at the federal level in other countries are really tailored to specific uses of information. If a certain kind of person is using information in a certain way, it may, it may implicate a certain law, whereas it’s not necessarily just because you have a single type of data that, that the law is triggered. Especially when we’re looking at GDPR and look at data processing activities and building an entire, not, not really a data schema, but it’s like a data use schema of here  are the 50 different ways that our company uses data. And making sure that, that for that like a cycle of that use of the point information was collected, what kind of consent was in place?

Mike (13:08):

What are we allowed to do with that data? What are we not allowed to do with that data? What kind of retention requirements do we have? That’s all fairly uniquely within the realm of privacy. So I, I tried to draw the distinction there, but of course that may be a little bit more academic compared to, or, or at least in the minds of, of the partners that we work with. So security and I just work hand in hand, right? A new issue comes up that has security and privacy components. We both work together on it. New data collection, new data source locations, new corporate procedures about moving data from one place to another, or bringing on new vendors, both privacy and security need to be part of the conversation. So I fortunately I can  just work with the security team and deciding, okay, who’s taking care of what

Host (13:50):

That makes sense. You got two questions. I’m going to get sequenced. There you go. I’m tapping you.

Host (13:56):

Well, that was quite a time. The

Host (13:58):

Question I had was how do you approach privacy compliance? So, so many of those things you had mentioned kind of vendors, right? From a security and privacy point of view, you’re going to have a different questions, but potentially on the same type of scenario, I’d love to hear how you approach that from the privacy side and maybe how that intertwines with the security side, maybe using vendor management as an example, or a new product or launch that someone wants to do. I imagine you’re hopefully both invited to the table.

Mike (14:30):

Yeah, if we look at vendor management, so one of the challenges that I have, and I think every privacy pro has with vendor management is a vendor comes up to your internal business. Partners have pitched a wonderful service. They’re like, Oh yeah, it’s so compliant. It’s GDPR compliant, it’s CCPA compliant. And it is a platform as a service or a software as a service and GDPR compliant for a piece of software that just sits there basically means that they may provide some function to get information and that they have minimal security requirements as required by GDPR. Everything else is up to how we use it. It’s up to us to determine the kind of data that we put in there, how much data, how we store it, how we collect the consent for the data that we put in there, or determine any other legal basis for the information we put in there, how we how long we choose to keep the information, how we grant access rates or deletion rates over that information.

Mike (15:24):

Right? Those are all things that come up for us. So one of the challenges that appraises at, in terms of compliance as well, have the business team says, Oh yeah, it’s already taken care of because the product is compliant. I mean, that’s like saying, no, it’s somebody giving you a car and saying, well, yeah, it’s got four wheels and a steering wheel so of course it’s fine and wanting to be blessed, but they want to go speed it up and down the highway at 130 miles an hour, it’s all in how you use it. 

Host (15:46):

And do you use any use any tools or questionnaires or kind of, you know, different level assessments like privacy impact assessments? I think that would be helpful for people who were trying to decide what’s the right methods and approaches to managing their compliance.

Mike (16:03):

We would actually look at it from two different fronts. One is the platform itself because we do want to make sure that the platform and the company providing the platform would be secure. So we have a more security oriented review of the platform and the service. But then internally it’s, it’s reviewing with, with the internal stakeholder on what is the actual project here? Not necessarily always going through a privacy impact assessment because in some cases that may be overkill, but whether it is a formal assessment, a meeting, or even just an email threat, having that discussion on what are you trying to do here? What’s the purpose for this? What kind of data are we collecting? Usually using something like that as maybe an intake, and if it is a large enough collection of data or a fairly sensitive use of the information, then kicking off an internal privacy impact assessment, but also making sure that it’s getting filled out by our business partners. And they’re not dumping it off on the vendor, which I’ve been on the other side of those. And those are very frustrating.

Host (16:59):

And when Mike sends it to me, Justin, do you have good security practices? Yes or no? Well, yes I do. Mike. So that means immediately I should be put onto your network, right? Yes. One of things that we just we saw today They passed a new privacy law in the state of Virginia. So another state new privacy law, and just wanted to get your, your take on how these new state privacy laws and regulations are impacting you.

Mike (17:29):

Sure. So I think one of the benefits of CCPA, privacy pros, don’t always like talking about benefits of laws that will actually keep us in our job so that it really is. But getting the internal buy-in when like the state of California does something, because it’s going to set the standard across the country, right? They did that with mandating privacy policies on websites. They did that with breach notification. You look at the passenger seat, California has been the leader, and historically other States have not gone above and beyond the requirements that California has set. So when California came out with CCPA, it was really making sure that look, we’re just going to presume everything is in California, give it the CCPA treatment, apply it across the board, knowing that other States are going to come up with new laws, that will be probably very similar to it.

Mike (18:18):

Maybe each one will have its own little tweaks or changes that we’d need to address, but not trying to do the minimum necessary, like say, Oh, well, you know, only these users are in California or it only applies to this type of data or this set of data really going in and using it as an opportunity to change the way that we think about data. So when a new law comes up, we’re not scrambling. You know, and I think we’re gonna see over the next say five years, you know, 10, 20 more of these that we’re not scrambling. Every time one happens, it should be a look at it and go, okay. Yeah, we already do all this

Host (18:50):

How do you stay current with all of these changing privacy laws? Because you have CCPA, but you’ll have all these other laws that have CCPA like requirements, but they have something, a little different that you have to build into your program.

Mike (19:03):

Yeah. I’ll tell you,  law firms are very good about sending out very scary letters about the latest law and saying that you should talk to them if you need any additional expertise, I don’t need their expertise, but that alone is a fairly good network of alerts. Additionally, I subscribed to data guidance through One Trust, which is another very useful tool for getting the latest privacy news and the IAPP newsletter. I mean, they have fantastic content in terms of tracking the latest development on a state level, on a federal level in the EU, and Asia-Pacific there, their new services. Very good. And that, that helps us track it.

Host (19:35):

Like I wanted to take you back to your days when you were at Ohio State and looking at the public policy question, you know, GDPR is a law that applies across the European union, as you know, from cybersecurity breach notification laws and privacy. We are taking a sector and state by state approach. And I’d love to get your thoughts about what you think some of the consequences are from all of these state laws, because it’s my humble personal opinion that if we don’t get a federal law, we’re going to continue to drive the cost up for companies to comply. And while companies who have the wherewithal to hire an expert, like you, what happens to your vendor ecosystem, who you have to work with, who struggles to comply with a myriad of these different state laws? Yeah.

Mike (20:15):

So the state-by-state approach is always challenging, right? I mean, Randstad’s core businesses dealing with employment, placing candidates and at work sites in thousands of different locations across the country and in every state. And we have a huge team of lawyers that deal with the particularities of employment law issues in all of those States having a fragmented approach like that is, yeah, it’s challenging because it requires a lot of resources that makes scaling up really difficult and that makes growing new businesses, frankly, quite challenging. So we have the benefit that California is a bit of the market leader, but of course, I don’t think that a state like California is really excited about relying on what the federal government might come out with in terms of national level privacy legislation. And there’s the, they’ve been talking about a federal breach notification law since like 2005. And, and here we are 16 years later and no one could even figure out if they would want it to preempt state laws or not. So it’s, it seems to be very slow moving at the federal level. I think it would be useful for companies if there was one federal standard to follow. The, the state by state approach is certainly challenging and you know, it is what it is, right? It’s, we’re, we’re kind of stuck with the lack of progress at the federal level. And then with whatever States choose to implement

Host (21:33):

The busy season right now have Virginia Washington, Oklahoma, Utah, Kentucky just announced one in the last couple of weeks, Florida I think I caught them all. There’s still a lot of time left. For a new chief privacy officer. This is a growing a growing field and there’s many companies who are going to start hiring someone responsible for privacy in the company. What would you suggest is their focus for the first three months to a new CPO coming into,

Speaker 3 (22:01):

For me, it’s all about the data life cycle. What data do you get? Where do you get it? Where do you put it in? What happens to it? If you don’t know what data you have across your company, how can you protect it that is certainly true for security. It’s also true for privacy when we’re looking specifically at personal data you know, a question of, Oh, well trying to answer a point in time. Questions of, can we use this data? Can we do that? Can we do this? Can we do that? It often depends on where the data came from. What kind of consent was it subject to? What kind of if it was a website, if you got terms and conditions, if it came in, even in paper format, understanding how data gets into your company is the only way to understand whether or not it’s usable for any particular purpose. So understanding that life cycle from beginning to end is really the place to start. And then from there you can start digging into, could we optimize things better? Do we need to make changes anywhere in that life cycle from ingestion to storage and use through exercising a data retention policy? Do we need to make changes there, but, but first you got to get, get your data landscape,

Host (22:59):

Great suggestions, super important. All right. For someone who spends a lot of time in privacy and security, what is the best personal privacy tip that you might give your friends and colleagues who don’t do?

Mike (23:11):

Yeah, the best personal privacy tip is to use a password manager.  There are breaches like a daily basis. Yeah. And if you’ve got a unique password for every site, if your password on a site gets lost, okay, sure. You can reset your password, but you don’t have to worry about cross-contaminating with some other system. I certainly don’t have the mental capacity to remember 50 or a hundred different passwords or however many we have these days. So using a password manager to automatically create and store complex passwords, is it protects you so much in the event of a breach, maybe more of a personal security that a personal privacy tip. But I think at a very fundamental level, when you’re talking about trying to protect yourself from having your information, misused, keeping that information secure is it’s both privacy and security.

Host (23:57):

So when you are not at the office, what do you like to do for fun? Well, since we’re in a pandemic and I recently had a baby, most of it is taking care of the baby, which is great. Pandemic is not a bad time to have the baby because there’s nothing to actually miss out on friend activities. There’s no get togethers. There’s no fun trips. But when I do get some time to myself, I like running. I like trail running and virtual reality. Virtual reality for me is super cool. I remember as a kid using the old view masters where you’re going to have the, you get the whole of 3d image unit click over to the next one and then click over to the next 3d image that we can now make kind of a fake version of that with two screens in front of your eyes.

Host (24:44):

It’s just really cool to make really nice. Now, Mike, if someone would like to stay connected or reach out to you, how best could they do that? Yeah, they can find me on LinkedIn. I don’t remember their exact URL structure, but my username on LinkedIn it’s PrivacyMike though, pretty easy, fine. Unfortunately, every combination of Mike Jones and Michael Jones were already taken. I was thinking privacymike was really great, really long and boring constraints, breed creativity. I thought it was VR. You can have another one on your next social media channel. You can pick that up if it’s available. Thank you so much for joining us today. We really appreciated the insight that you provided as the chief privacy officer. And thanks again.

Host (25:31):

Thanks for listening to the, She said privacy. He Said Security podcast. If you haven’t already be sure to click, subscribe, to get future episodes and check us out on LinkedIn. See you next time.

Nick Santora

Nick Santora is the CEO of Curricula, a cybersecurity awareness training program that strengthens employee security culture using narrative-based learning and phishing simulations. Curricula is endorsed by esteemed organizations across the country, such as AAA, the State of California, Boys & Girls Clubs of America, and many more.

Before his work at Curricula, Nick was the CIP Cybersecurity Specialist at North American Electric Reliability Corporation (NERC), the enforcement agency responsible for regulating the bulk power system across North America. Today, he is an internationally recognized cybersecurity expert who speaks regularly on the topic of security awareness training.

Available_Black copy
Available_Black copy

Here’s a glimpse of what you’ll learn:

  • Nick Santora talks about his background in IT and cybersecurity
  • Why Curricula’s program is much more than just “checking a box” for cybersecurity training
  • Nick’s strategies for aligning company privacy and security goals with employee goals
  • How Curricula is revolutionizing organizational cybersecurity training: storytelling, rewards, food, and more
  • How can you keep privacy and security at the top of your employees’ minds?
  • The importance of maintaining a proactive — versus reactive — relationship to cybersecurity
  • Nick shares his best personal data privacy tips

In this episode…

Do you want to encourage a proactive approach to cybersecurity and data privacy at your organization? Are you looking for a trusted resource that can help your employees understand and apply basic — but vital — privacy and security strategies on a daily basis?

Creating effective privacy and security training programs for your employees is difficult, but helping your company maintain a consistent security mindset is even harder. That’s where Curricula comes in. As a revolutionary training program, Curricula not only uses story-based educational techniques to inform your employees about privacy and security, but it also makes the training so enjoyable that they can’t help but come back for more. This means that at your company, privacy and security won’t just be buzzwords — they will be core values. So, how can you learn more about Curricula and start creating a safer and more secure company today?

In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels sit down with Nick Santora, the CEO of Curricula, to talk about the benefits of implementing fun and effective privacy and security training at your company. Listen in as Nick discusses the ins and outs of Curricula’s educational program and shares his tried-and-true strategies for making privacy and security a company-wide priority. He also reveals how you can better maintain your personal data privacy today. Stay tuned!

Resources Mentioned in this episode

Sponsor for this episode…

This episode is brought to you by Red Clover Advisors.

Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.

Founded by Jodi Daniels, Red Clover Advisors helps their clients comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, SaaS, ecommerce, media agencies, professional services, and financial services.

Their free guide, “How to Increase Customer Engagement in a Private World,” is available here.

You can also learn more about Red Clover Advisors by visiting their website or sending an email to info@redcloveradvisors.com.


Host (00:01):

Welcome to the, She said Privacy. He Said, Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century. Hi

Host (00:22):

Jodi Daniels here, I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and a certified information, privacy professional, and I provide practical privacy advice to overwhelmed companies and my sidekick. Hi, Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I do that through identifying the problem and coming up with practical implementable solutions. I’m a cyber security subject matter expert and business attorney. And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and established customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, e-commerce, media agencies, professional and financial services. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there is greater trust between companies and consumers to learn more, visit RedClover Advisors.com. Who do we have here with us today besides Jodi and Basil? Yes, besides the sleeping dog right by our feet. So we can’t move our chairs at all. Well, we have Nick Santora. He founded Curricula after a seven year career at  North American Electric Reliability Corporation  or the enforcement agency responsible for regulating the power grid across North America. Nick is an internationally recognized cybersecurity expert and speaks regularly on the topic of influencing employees within security awareness programs. Welcome Nick.

Nick Santora (01:56):

Thanks for having me Jodi and Daniel. Happy to be here. Yeah.

Host (01:58):

Yeah. It’s exciting. Well, where should we get started? Well, let’s start from the beginning, Nick, how did you get started in your career to  get to where you are today?

Nick Santora (02:09):

So that’s a, probably a traditional path and then with an untraditional ending to that past, but you know, my or middle to the past, but I started in IT you know, I always was tinkering with stuff since high school and, you know, was taking certifications at A Plus and Network Plus and Security Plus and got those at a pretty young age while I was a sophomore or junior in high school. So I knew I wanted to go down this road. Didn’t want to go to college, but I wound up finding my way there to a Rider over in, in the Princeton Lawrenceville, New Jersey area, and started learning more about the business side of things. And I kinda found that I can marry the two together, become kind of a translator for technology into the business world. And, you know, along the way towards the tail end of my college career for undergrad, I found this job that was in the area, had no idea of what NERC was, what they did, what they stood for and got the job.

Nick Santora (03:04):

So I went in as an IT specialist and quickly grew into learning more about what the business actually did, which was protecting the power grid and regulating the power grid or all types of different things on the cyber and operational side. That career led me into a bunch of other things which included finishing my MBA in New Jersey, moving down to Atlanta here, which is what got me here. And then eventually finding a big problem to start my own business on. And that was learning about all of these crazy regulations for the power grid and all of the tough nuance, legal language that people had to follow, but no one understood it. So again, they needed a translator and my idea was take all the technical legal jargon and turn it into something that was fun and easy to understand for everyone involved. And sure enough, that turned into a business that worked in 2015 and then we expanded to more generalized security awareness. And then that is now expanding to even more generalize online education. So we’ve had quite a ride over the past few years and having a lot of fun along the way.

Host (04:08):

Nick tell us. Yeah, it sounds like there was this need to translate in, in the privacy space. I see the same thing. There’s these complex laws and people don’t always understand them. What’s interesting is at the same time people are the weakest link in cyber. I actually say that they’re the weakest and strongest link in cyber. How, tell us a little bit more about how you’re using training or what you’re finding when people understand these complex laws, what they’re able to do to help break down the challenges that make them the strongest and weakest link. And why do you think people are struggling so much to incorporate some of the basic items that you’re probably including in your training?

Nick Santora (04:50):

Yeah, a lot, a lot to take in there. So the, you know, at the root of it is we all know that there’s a problem. I think we can all agree that there’s a problem of, are they the weakest or strongest? Why is that? And you know, when we look at that problem and kind of how to solve it is that if we recognize that the problems there, well, we can’t just throw technology and expect that it’s going to be solved. And if we know that, just getting something done, like you know, checking the box for security awareness for a compliance regulation, well, that just gets you compliant, but it’s not effective because we’re not putting in the effort to get the results we want out of it. A good example is that CISOs and IT directors and decision-makers that are responsible for implementing these programs.

Nick Santora (05:31):

Are IT people, they solve problems through technology. In most circumstances, this is not a technology problem. This is a problem to connect with people, to resonate with people and to influence people, to making better daily decisions. And until we agree on solving that problem in the same way as a community, we’re going to continue to see the things that we see in the news every single day. So, you know, in order to solve for that, I think we have to actually just care. And I know sounds silly, but caring is the number one priority that every single CISOs should be doing to solve. And what I mean by caring is like not just growing technology and compliance training modules and remedial training and stuffing phishing simulations down someone’s throat, someone’s throat, that’s just compliance stuff that just get the job done, but it’s not what you do in this scenario. It’s how you do it. So our goal, and I think the community’s goal is like, well, well, how do we do it? Right. You know, and I think that’s what we’re all trying to work towards is resonating with our employees to get them, to actually understand this stuff, by speaking their lingo and not just putting a bunch of legal language and compliance docs in front of them, because we know that doesn’t work

Host (06:38):

Fair point. Thanks for sharing. I guess I’d like to come at it from a perspective of asking you, you know, a lot of companies go through training, I’ve quarterbacked, many post-breach resiliency plan where employee training was right there at the top. You know, Nick, have you come across any thoughts around some of the incentives that you can provide to employees for, you know, catching phishing, or really making concerted efforts or having certain parts of compensation tied to the cyber hygiene from an employee training perspective, any thoughts that you’ve seen in the last four or five years you’ve been doing this?

Nick Santora (07:08):

I think the biggest one is aligning the institutional goal with the employee goal. For some reason, we kind of think they’re the same thing, right? I mean, an employee doesn’t come into work and says, I cannot wait to report a bunch of phishing emails today. Like that’s just, I’m so looking forward to it, I can’t wait. That’s why I woke up this morning. Absolutely not. And for some reason we think that institutional goal is I do not want to get hacked as a company. I do not want to be in the news. I do not want to have to deal with all the repercussions, how we align those is difficult because it, again, it takes effort and it takes someone caring about that alignment. So incentives and aligning to those incentives, we got to find what makes people tick and what gets people excited.

Nick Santora (07:49):

And each organization is different. One of the biggest areas we see a problem or kind of a misconception is financial motivation as the only motivation money always helps. Right? But there is no amount of money in this world where an organization can continue to pay gift cards or incentives to their employees for doing the right thing. It’s just, you you’d run out of money in the first couple of weeks just from following that model. So we got to look towards other ways to get people motivated for other things that drive them inside of the organization. Not a, not an easy answer. So I wouldn’t tell you that this is an easy problem to solve, but there’s been a lot of cool work on kind of different ways to find motivation, similar to how a, you know, like Reddit communities work and how, you know, Wikipedia works.

Nick Santora (08:34):

People don’t get paid. They volunteer to put this information into this community because they feel reward in one way or another. Not all employees feel that way, but there’s a certain characteristic behind how you do that, where you can start to drive kind of a community motivation inside of an organization. But again, it’s not an overnight problem to solve. It’s something that takes years of dedication to actually figure out and work towards until we actually come to an agreeance on following that path, we’re probably gonna see the same results that we see today on poor performance, high click rates and simulations, cyber attacks left and right. And just people doing the wrong thing. Cause they didn’t know better.

Host (09:11):

It sounds like what you’re saying is you’re trying to find a way to culturally align corporate culture with what employee goals are. So it might be a group of people who aren’t interested in security who start to create a community that creates a groundswell within the ranks of the employees. Like one thing I like to do is do security training that relates to a family and how you protect your kids. Cause a lot of people are struggling with how do I handle my kids online? And a lot of the same concepts that you use protect your kids or things that might be helpful to work. Is that kind of what you’re talking about? Things like that.

Nick Santora (09:43):

Yeah. It’s just, it’s just kind of thinking creatively about the problem. I mean, there’s a good example of uses. I love The Office, the TV show, and there’s this one episode where they are, they’re trying to get their sales numbers up for the organization. Something like that. No, one’s really motivated. And then Bernard’s like, Hey, I’ll go get a tattoo on my butt. If if you guys hit these numbers and people went nuts and they started doing it and they, they met that goal. So it’s that same thing of starting to find these kinds of alignments inside the organization of what, getting everyone to work together versus just kind of individually showing up and hitting a button every day.

Host (10:16):

I was going to ask if you had any clients that you’ve worked with that of course protect, protect the privacy of them, but any interesting creative ways that you’ve seen, that people could learn from?

Nick Santora (10:29):

A lot of different things. You know, something that’s special about us is we use characters and storytelling to help influence people and create kind of a common lingo language. So we’ll see that a lot where people will kind of use our characters in different ways where they’ll make like Slack channels dedicated to certain characters. So when you see something and you start writing on there and you get rewarded for the most people, submitting things on those channels, we’ve seen them use inside of kind of these lunch and learn presentations where they’ll use the characters and kind of the food from an episode and apply it to the lunch and learn and serve those sandwiches and stuff that are based off there. So it’s again, just kind of being creative and having some fun and putting a smile on people’s faces because if you can get them to kind of, if you can prime people to have a smile and come into this positively, you’ll get better results than just kind of doing that the stick approach of like you got to do this, it’s compliance. I don’t care if you like it or not. Well, you’re going to get the results, you know, one way or another, but one of them is going to get people thinking about security positively, the other is more of a chore.

Host (11:32):

That makes sense, no one loves training, but the, if you can make it fun and interactive, or it doesn’t feel quite as much as training, then people are more apt to participate. Kind of like getting our kids to do something…

Host (11:48):

So Nick kind of drilling down on this topic from a different perspective, you know, I’m seeing a real uptick in role-based training, meaning the role that you have in the organization, you could be the administrative assistant to the CEO. You could work in the wire department, you could be working in some other critical functions. So can you talk a little bit about what the trends you’re seeing in terms of the type of cadence and type of training that we’re seeing based on someone’s role in the organization?

Nick Santora (12:12):

Yeah, it’s a good question. Like, especially with online, everything becoming just an overnight priority as of last year, companies had to figure out how to adapt and adopt to like, well, how do I teach people about things that just changed? And I don’t get to see them anymore. And from our customer base, I mean, we’re, we’re security awareness focused and we make tons of content on that, but we’ll never be able to figure out what your access control system does, how you operate it and what processes need to take place. So that’s kind of out of our hands. So for a company, they got to make a choice, right? It’s I like this at a high level, the understanding of why this is important, the awareness of the whole thing. And then I have very specific training that only I know about that I have to give out to individuals.

Nick Santora (12:55):

So we’ve listened over the past year and we’re, we’re launching this really cool tool where you can kind of build your own training off the Curricula platform. But you know  the thing about that is that that’ll always change, right? Training is always going to change because technologies and tools and processes always change. So conceptually, I look at this as kind of maturity of an organization as they’re building training, not all trainings created equal, you know, you’re, you build awareness at the beginning around a concept, and then you start to build maturity around you know, let’s get a little bit deeper to the point where you’re making specific training on, you know access control systems for CPAs inside of this specific software, like, well, who could have dreamed of how difficult that individual training was only the company or the individual could do that.

Nick Santora (13:41):

So I see that as kind of the future. Now that online training is becoming a priority for every organization to learn how to not only build this type of training, but to not try to drink the ocean here, like people come out of the gate and they say, I need to build hundreds of trainings on every single thing in the world. It’s like, well, I’ll give you a hint. You can build as much as you want. No, one’s going to pay attention to it. If you don’t do it right. And you got to start with the basics and work your way up to that more detailed, complex stuff. And then more importantly, be on top of it when things change, update it, when you modify a process, modify it in the training, because nothing’s worse than having a stale old incident response plan that has to get dusted off. And all of the processes are incorrect in there. It’s like, well, what’s the point? You know, let’s, let’s keep things current and, and take things one step at a time.

Host (14:30):

The idea of keeping things current is a theme that I’m always talking about, like understand your data. You have to maintain it. Businesses change. We’re always talking about incident response plans, dusting them off, or at least having a printed copy. But the idea from training perspective is kind of similar, right? You want to be able to, a lot of times companies will do you had described it earlier. I kind of like check the box activity. I did that training. We did it once a year. We’re good. We all know here that there’s more to it. I’d love. If you could share a little bit about maybe some stories or how, how you release trainings or help guide companies to make sure that they’re educating employees on an ongoing basis throughout the year. Not just when they’re changing a process, which we all agree as the process, the business changes and evolves. Everything should align with that, but also the idea of how do you keep it fresh in front of people. And I believe you have to hear something at least seven times before you’re even going to pay attention. So I have to pay attention. I have to remember, and I have to do so. I’d love if you can share a little bit about what you all are doing successfully or are seeing what customers are doing to keep this top of mind.

Nick Santora (15:34):

Yeah. It’s you know, number one, gotta care. Think at the end of the day, it doesn’t matter what you’re getting into. If you want to become a faster runner or more fit or anything else in our lives, we have to care to make a change in our lives. So if, as an organization, as the linchpin of an organization, which is the buyer, the system and the IT director employees, as much as they care about this stuff, do not get to make the decision on which programs or training they choose almost ever. It’s always in the hands of someone else. So if the hands of someone else who does not care, you will see the results of, of what we see today. So if we start there and we care, and we understand that the first place that we look at is like treated no different than, you know, a fitness plan.

Nick Santora (16:16):

You know, I don’t go into the gym and try to lift every single weight in one day and run for an hour and eat a salad and say, man, I am a healthy person. Like, no, that takes commitment. That takes weekly regimen of constant progress to eventually meet my goal. And when it comes to security, awareness and training and all this other stuff, sometimes we set goals that are so unrealistic, it’s just unachievable. And then therefore nothing happens. Therefore, no one cares. Therefore the results are what they are. So, you know, if you start on that mindset of saying, I got to make a plan, right. My plan is to get people to think and talk and respond more about X. Okay, cool. How am I going to achieve that plan? By what time? I don’t know. I got six months.

Nick Santora (16:59):

Let’s say to get that done. And I want to see these measurable outcomes. Like I want to be able to talk to people about it. I want to hear this. I want to make a Slack channel about it. I want whatever the case may be. Okay. Then what are the steps to get to that goal? Every month, I’m going to talk about something different, a new campaign, kind of like marketing to help buy in, influence on the people and give them knowledge on different areas of this training that I’m trying to teach. Well, that’s kind of how we approach it, right? If we, if we’re giving a an onboarding and we’re talking about a strategy behind it, we’re being realistic. We’re saying in order for you to get a security culture inside of a company you’re not going to turn this on, stuff, 12 episodes down an employees throat and expect them to perform like that’s insane.

Nick Santora (17:40):

We’re going to make a plan and we’re going to do a 30 day activation. We’re going to talk about running a baseline fishing simulation to see where you are there. We’re going to talk about privacy ethics. Like, do you have any ethics inside the company? Does anyone know? I mean, I don’t know, like, are you just mailing Excel sheets out to people left and right. Are you sending sensitive info? I mean, you got to look at what you got to start and then you get to look at where you want to be. And if companies do that, they have a lot of success with us and I’m sure with other organizations it’s the ones that come in that are looking for the quick fix. You’re just not going to get it. I mean, there’s people that might say that and they might try to sell you on it.

Nick Santora (18:16):

And they’re gonna, you know, maybe be super cheap to do that, to get that done. And that’s, that’s cool. That’s compliance stuff. That’s easy to achieve, but if you’re looking for a true culture change, a true online training behavior change, it takes time. It takes care. It takes a process, a plan, and it takes people to kind of come together to realize like, we, we are all in this together, right? We’re all getting fit as a community, not individually because individually you have half your company who is doing really well. And half the company that doesn’t give a crap about what you’re putting in front of them. Well, what do you think the results are going to be after those six months? So again, it’s, I think that’s at the crux of it is taking a systematic approach to planning structuring these on kind of a monthly basis of new activities and campaigns. And then having a conversation with the management team, the linchpins and the employees, the ones that you’re actually doing all of this or, and seeing if they care and if they do you’re off to a good start, if they don’t, you’ve got to come back to the drawing board and replant.

Host  (19:15):

So I think we wanted to ask you a question to go back a little bit in time to your days at NERC and Texas is been in the news these days, or frigid temperatures and interruptions to their electric grid. And when we think about cybersecurity training, just the industry in general, we’re such a digital economy that now electricity, that people don’t always think of until the power goes out is now probably the most important part of our critical infrastructure. And just love to get your thoughts around the grid from a cybersecurity perspective and concerns you might have around that, that maybe people who go about their everyday lives, just aren’t thinking about the cybersecurity and privacy or this little thing off to the side, and we’ll deal with it if a breach happens, but why would anyone want to breach ust?

Nick Santora (20:02):

Yep. This is the ever evolving world of regulatory compliance, right? I mean, you see an event, you respond and then you make rules for it. And it’s just very difficult to do for these events. They call them high impact, low frequency. So when they do happen, they are very devastating. The chances of them happening are very low. So do you put all of your eggs into this basket to focus the entire industry’s investment on solving for this event, a cold weather event in a very historic type of time, or do you focus on things that you know are going to happen and are high impact high frequency? So that’s kind of how the regulatory environment, not a should good work, but you know, supply chain stuff we saw that happen as soon as there was a supply chain regulatory event, let’s make rules and regulations for that.

Nick Santora (20:50):

I do not doubt that there’s going to be regulatory stuff coming out of this for protecting against cold weather. Just part of being a regulator, whether that is where the focus should be. That’s not my decision to be, but what I do know is the cyber side of the fence has had almost a decade of hard work put into it on high impact high frequency event. And that has caused a significant reduction in risk on the regulatory side, where utilities that were not doing anything before are at least doing something. And that’s a good start. Like if we did agree on that, man, that is pretty awesome. Maybe the same thing comes out of this where it’s like, Hey, did you do nothing on, on the planning behind an event like this we’ll do something. So that way, at least, you know how to respond to this.

Nick Santora (21:38):

But in the, in the future of kind of where we’re going to see kind of this risk mitigation, I mean, there are some very scary things I have seen in my careers or in my career at NERC of stuff that no one will ever know about where there’s devices and appliances, that there is no replacement for, that have been just running. It’s like, well, how do you prepare for that thing going offline? I mean, that’s the whole point. The, the electrical infrastructure is the largest machine in the world, and it’s built off this end plus one mentality where things can go down and there’s other routes to keep it stable and up. It’s the fact of when many people deal with that problem and there are no recovery path out of it. How do you deal with that type of event? Cyber is a quick way to have that type of event happening, but, you know, that’s why we’re building rules and regulations and listening and learning.

Nick Santora (22:27):

And having people think about this more from a, from an operational security point of view and not just solving for compliance. And if we can get our operators, our infrastructure to focus on that again, then I think we’ll be in a much better position for the future. And I think on top of all of this, this is a poster child of how to do this, right. And, you know, applying the concepts from NERC into another industry that may not have had anything being done on this side. And now they’re trying to do something for the first time and that’s a denial.

Host (22:59):

Well, first off, I think our dog really agreed with everything that you said because he arose from his lumber. And, but at the same time, you know, as you had just mentioned how you can apply some of these same principles outside of the regulatory industry. I think so many people when it comes to privacy and security training, are thinking about the personal data, I have to protect about the personal data, which is extremely important. I think this could also raise the idea and the thought you should also be thinking about your, your critical assets that run your business. Now, certain situations might my shut a business down more than another, but if we think about the cyber, you know, the, the utilities sure. There’s personal data, but you have an event that can take down an infrastructure. So companies should also be thinking about how to protect their intellectual property, to protect their core asset, whether that’s online or physical space or whatever it is that’s happening. I think you’ll, we’ll start to see a shift you know, to expand on how people are protecting the data.

Host (23:59):

I think the other question is, is now if I’m a company down in Texas and I got shut down because of the grid or other things went down, how does my disaster recovery work when you have external events like that? So how do you work around that problem? Cause really what Nick is talking about is the zero day event where you have a cyber intrusion that has no a quick fix and what do you do about it? And I still think we’re so highly dependent upon digital technology that we are really not thinking through the really significant impacts the cyber intrusion can have on our critical infrastructure, because we’re so interested in all this efficiency.

Nick Santora (24:33):

Scoping is big. Scoping is very big. And I think, you know, don’t drink the ocean, right? If you’re kind of what you said, Jodi is like pick out your assets, the ones that are going to be mission critical to your operation. Like if those things go down, it’s over. I mean, that’s, that’s the, you know, from an operational point of view, that’s why you’re in business. You got other systems that are important, but you can still opt out them if you don’t scope correctly. I mean, that’s what the NERC industry does is they, the first part of the standard requirements is scoping the assets that you have to protect because there could cause and a blackout, and then you build a framework off of how to protect those assets. So I think, you know, the way to at least give my 2 cents and advice on this is for any type of business is like, think about the scope for a second and then practice a scenario in your head or on paper or anywhere at least once a year at a minimum, probably more than that.

Nick Santora (25:25):

And just like walk through it and say, Oh, this just went down. What would happen? And just by saying that out loud with a community of people in your company opens a lot of eyes, cause like, Oh, I don’t know. Like we’ve never even talked about that. Could that even go down who hosts that, who has access to that? Who would we call? Oh, that was the contractor from two years ago. It was the one that set that up. So it starts to like unravel this crazy amount of uncertainty that you should be very certain on if something goes down and if you start there, it’ll start to guide you in the right direction.

Host (25:56):

How much knowledge of all the things that could happen, what do you do to protect your personal data? What’s a good tip that we could leave the audience with.

Nick Santora (26:06):

Yeah. mine, I think one that’s been kind of trending. That’s really exciting and good is like password managers. I feel like, I don’t know how anyone did this before password managers. Like we keep telling people like, remember them and do this and difficult and that, and that, and I can not let, like, I don’t know any passwords of mine. I have absolutely no idea what any of them are. I can’t tell you how many times that thing has been useful in every conversation I’ve had, because now they’re doing crazy stuff where they’re like telling you that these have been part of data breaches and this password has been exposed. It’s like, man, that’s good to know. You know, I shouldn’t use that password ever. And I’ve heard all kinds of cool stories about, so I think that’s number one is like, if you haven’t done that, the password manager that’s number one, number two is on the a multi-factor like, if it’s available, when it’s available, you always turn that on.

Nick Santora (26:55):

I just cannot see a circumstance where it’s like, that’s a bad idea. If there is, tell us about it, we’ll write a blog about it. Cause that’d be really cool. It’s always better than just having a loose password sitting out there and not knowing if someone stole it. And then three is a practice, a scenario yourself of what if someone just got into this, what would that affect? Like, I kind of do that every once in a while. Cause I’m weird maybe, but I I’m like cautious about who has access to what? And I always question like where else has that been or had access to and what does that connect to? And I kind of run these baked scenarios in my head. Well, that’s me doing it, maybe it’s overkill, but it also kind of opens your eyes like Man, if someone got into my email right now, that would be a rough, rough patch for me to clean up. If you do that, I think that would be a, another kind of fun. I don’t know if it’s a fun exercise, but it’s an eye-opening exercise for your own personal security and privacy.

Host (27:50):

We’re big fans of the password manager and the multi-factor authentication over here. Yes we are. So last question when you’re not at the office, thinking about cybersecurity scenarios from which you extricate yourself in the escape room, what do you like to do for fun?

Nick Santora (28:04):

Surprising enough. I think my disconnect is like to get away from computers. I’ve been, I think all of us have been cooking a lot, but you could ask my wife, I think I’ve actually been surprisingly good at it, considering that I’ve never really done it before. And I think it’s from subliminal kind of like watching, cooking shows growing up and everything. And then now I’m just like, almost like I’m on iron chef show. Like, Oh, give me a pile of bananas, some garlic and tortilla. Then I can turn that into something crazy yet. You know, I’ve, I’ve had a lot of fun doing that because I think it just disconnects my head completely into kind of creating some fun stuff. And it’s it’s been exciting for me to kind of learn and experiment with stuff. And if it sucked, it sucked. But most of the time it’s been actually coming out pretty good.

Host (28:49):

Nice Nick, thank you so much for joining us today. If people want to connect and learn more, how do they

Nick Santora (28:55):

They can head over to curriculacom, watch an episode, check out stuff. And I’m always on LinkedIn. You can just search Nick Santora Curricula, something like that. I’ll pop up and follow me. Cause I’m always talking about this stuff on there.

Host (29:08):

Awesome. Well thank you again for joining us today. We shared a lot of really helpful tips to help make sure that employees and companies are staying compliant when it comes to privacy and security and how to make sure that

Host (29:20):

it stick with employees. Thanks for listening to the, She said Privacy. He Said Security podcast. If you haven’t already be sure to click, subscribe, to get future episodes and check us out on LinkedIn. See you next time.

Dominic Vogel

Dominic Vogel is a cyber risk advisor, board director, speaker, and comedian with over 15 years of experience in the cybersecurity industry. He is currently the Founder and Chief Strategist at Cyber.sc, a cybersecurity advisory firm that provides management and expertise to startups, investors, and small to midsize businesses. As an established cybersecurity leader, Dominic has overseen projects including security strategy development, endpoint security, and threat management in a variety of industries.

Dominic is also a cybersecurity speaker resource for TEC Canada and the co-host of the podcast, Cyber Security Matters. He has been featured as a guest expert on Global BC, CKNW, the Vancouver Sun, and more.

Available_Black copy
Available_Black copy

Here’s a glimpse of what you’ll learn:

  • Dominic Vogel talks about his background in cybersecurity
  • How different countries approach the issue of cybersecurity and data privacy
  • Why small and midsize companies often outsource their cybersecurity — and the consequences of doing so
  • The importance of security-focused due diligence when buying or selling a business
  • Dominic discusses how he helps small to midsize businesses perform risk assessments
  • Who should be responsible for protecting a company’s privacy and security?

In this episode…

Does your company take cybersecurity and data privacy seriously? If not, cybersecurity expert Dominic Vogel has some advice for you: it’s time to start.

Unfortunately, many businesses see cybersecurity as a simple technical task — not a vital part of their risk management strategy. However, cybersecurity isn’t just an IT problem that you can easily outsource; it’s a business problem. According to Dominic, cyber risks can cause businesses to lose revenue and major clients in the blink of an eye. So, how can you start prioritizing cybersecurity in your company and protect your data, customers, and reputation today?

In this episode of She Said Privacy/He Said Security, Justin and Jodi Daniels sit down with Dominic Vogel, the Founder and Chief Strategist at Cyber.sc, to discuss all things cybersecurity. Listen in as Dominic reveals how different countries handle security and privacy risks, why outsourcing your company’s cybersecurity isn’t the best solution, and the vital importance of performing security risk assessments for your business. Stay tuned!

Resources Mentioned in this episode

Sponsor for this episode…

This episode is brought to you by Red Clover Advisors.

Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.

Founded by Jodi Daniels, Red Clover Advisors helps their clients comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, SaaS, ecommerce, media agencies, professional services, and financial services.

Their free guide, “How to Increase Customer Engagement in a Private World,” is available here.

You can also learn more about Red Clover Advisors by visiting their website or sending an email to info@redcloveradvisors.com.


Host (00:01):

Welcome to the, She Said Privacy. He Said, Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century. Hi, Jodi Daniels here.

Host (00:22):

I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and a certified information, privacy professional, and I provide practical privacy advice overwhelmed. Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I do that through identifying the problem and coming up with practical implementable solutions. I am a cyber security subject matter expert. And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and established customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, staff, e-commerce media agencies, professional and financial service. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there is greater trust between companies and consumers to learn more, visit redcloveradvisors.com.

Host (01:23):

And today we have a very exciting guest on, we have Dom Vogel and he is the founder and chief strategist at Cyber.sc, an organization dedicated to providing cyber risk leadership to small and mid-sized businesses. Dom’s cybersecurity career has spanned nearly 15 years covering cybersecurity for the largest and smallest organizations, Dom is a positive troll and comedian in his spare time. So I do expect a few jokes during this show, cause we’re heading North of the border Dom is from where you are – from Vancouver. I remember the journey when we flew to Seattle and then drove to Vancouver all in one day with two children. I remember coming very close to, I need to get out of this car in the last 20 minutes of the drive, our kids. I mean, it was a long day. It was long. It was long, long day. They couldn’t do it the last half an hour. It was just absolutely pure screaming. We pulled over to the side of the road. I hopped in the backseat to try and help, it was a mess but in other news let’s move to cybersecurity. So Dom tell us, how did you find your way, your cyber security and a little bit about what you do today?

Dominic Vogel (02:56):

Goes back to my high school days. I always knew

Dominic Vogel (03:00):

I wanted to do something in technology and IT, my, my dad was a computer science high school teacher. And one day he just, he, he dropped a bunch of magazines on my desk and he says, there’s always something in here that interests you because he would always get all these free IT, computer magazines at work. And I would just flip through all of them. And then this one magazine just popped out of nowhere and it said Information, Security Magazine. I was like, what the heck is information security? I never heard that before. I, I just, I read it cover to cover and I still have that magazine somewhere because that’s my origin story. So it is somewhere in the, in the mess. That is my house, but it was from that point on, I just got, I got hooked on it. And after graduating from university I, I thankfully got a job in cybersecurity as a security administrator for a large logistics company here in Vancouver. And 15 years later, I’m still in the field and I love every minute of it. 

Host (03:59):

Not everyone can say that they found their career by reading a magazine.

Dominic Vogel (04:07):


Host (04:11):

I think where we’d like to start today since we’re lucky enough to have an international guest is, you know, we talk about cybersecurity. We talk about privacy and a lot of times how people and companies approach privacy and security really stems from well, what is the kind of culture and the country around those two topics. And I’d love to spend a little bit talking about, you know, from your perspective in Canada, working with Canadian companies, US companies, you probably have worked with the European ones. I’d love to get your thoughts around culturally, how you see different countries and their people approach privacy and security.

Dominic Vogel (04:47):

That’s such a good question. And it’s been, it’s really interesting, you know, and especially we take sort of Europeans, Canadians and Americans. You can see that the spectrum basically any of the Europeans I’ve ever worked with or worked for privacy is first and foremost, it is so intertwined with their culture and, and almost is a basic human right that they, that they lead with it. Canada is right in the middle. You know, in, in terms of, it’s not quite as serious around privacy, but the privacy commissioners that we have in this country and in the various provinces that make up the country privacy is, is very much taken seriously. And we can see that in the SMB levels as well. The US again, depending where in the US some States do take it more seriously than others. They tend to be more blue States than red States, but I’ll leave that commentary for maybe a political show.

Dominic Vogel (05:37):

But but I have noticed, again, that part of the US is definitely the lagard or when it comes to privacy, you know, unless you’re in California or New York or another state that has a more rigorous privacy regulation. You know, I, I’ve definitely seen, in fact, there’s one organization that we were with and I believe they were in an Idaho and, or it was something with an I and we were totally on the concept of privacy was coming up and he said, well, you know what, we don’t really, we don’t really care, we don’t have any state regulation here. I don’t really care about privacy, you know? So it’s, it’s interesting to see sort of the, the different levels of how, like you take a concept like privacy and how you can have such variance amongst people. So it’s it’s definitely interesting. And you have to, you have to sort of work along those, those nuances the way you would talk to a European about privacy, very different than how you would talk to probably with someone from Alabama about privacy.

Host (06:36):

The laws in Canada are certainly stricter than here in the United States. Do you, do you feel that the companies that you’re talking to take it more seriously because of the regulation or because of just the culture in the view of, I put the individual first. So if we, if we think about Europe, it’s, it’s a flipped mentality, obviously there’s regulation, but just the concept of how they even approach it is individual first, company, second United States exact opposite, unless there’s regulation involved. So I’m kind of curious to know, just from a cultural perspective, is it because of the regulations that Canada has, which are more strict in several areas than the US or is it because of just how people believe in it.

Dominic Vogel (07:14):

I say it’s a little bit of both, you know, I think Canadians  just like, get along. We all have that same view, strict view of privacy with the Europeans, but we don’t have that necessarily the lenient view that many Americans have. So we’re, we’re in this sweet spot kind of thing. So you know, it, it’s, it’s definitely not like to the same degree as Europeans from a people perspective, but if I was to pick, you know, random, Canadian SMB owners and some random US SMB owners. Canadians, we have a much stricter view of privacy than, than some random SMB group of Americans. So I’d say it’s a little bit of both, but like I said, you know, Canadians are all, we always come in right in the middle of for whatever reason, that’s who we are as people – we don’t like to offend anyone

Host (08:08):

Talking a little bit more about a lot of the small and medium-sized business with, I want to talk a little bit about the topic and, you know, Solar Winds has brought it up, I’d love your perspective on why consistently you see companies who are going to outsource IT, outsource all these different functions, but really don’t take the time to think about my company security is only as good as my weakest vendor, and yet they don’t pay a lot of attention to it. They, you know, have inked the business deal, the contract, they get through it as quickly as possible. They might negotiate a nibble around the edges and they go about their business. And then when the vendor has a hack and it, and it’s ransomware, and now you don’t have access to your data. You’re like, holy…

Dominic Vogel (08:56):

The, the, the, the, the short answer. And I’ll, I’ll give you a long answer. But the short answer is that, especially with small size businesses, is that they’re still prevailing myths and misperceptions around security and cybersecurity. So many small – midsize businesses. And I, and I see this both from a Canadian and US perspective, you pick a business owner or a CEO or CFO, or whatever, in a SMB space, they view cybersecurity as a technical task, and they do not see it through a business lens, or you don’t see it through a risk lens. They see it as something that can be outsourced. And I cannot tell you how often I still hear it, even, even in this day and age of the, Oh yeah. You know, we, we don’t worry about cybersecurity security, or IT service provider handles that, or, you know, we have an IT guy who handles that, or my, my wife’s brother handles it.

Dominic Vogel (09:49):

And it’s, it’s seen through a lens in which it’s out of sight, out of mind, and they don’t do any oversight due diligence, and they don’t see any purpose of, from even a risk management perspective. So it’s, it’s that mindset. I think that’s still perpetuates the problem because unless it’s gets seen through a business and risk lens and seen as a true business problem, and not some task that you outsource you know, we’re going to keep dealing with this, this problem, you know, and where I am seeing some noticeable change is mainly with B2B organization;s. And this is where I think the Solar Winds incident is going to is going to help things in the long run. So in particular, again, so, so smaller businesses or mid-size businesses that sell to large enterprise organizations, concept of vendor risk management has been around for a while andafter what happened with Target, whenever that was eight or nine years ago, I think vendor risk management became a thing.

Dominic Vogel (10:41):

We get a little more popular, but then it was just basically questionnaires, you know, and if you were clever enough, you could just or maybe not clever, you were deceitful enough. You could just lie on those questionnaires and send it off to a prospect and say, yes, we do all of these things from security, privacy talk, talked it out, right. That because it’s often these larger companies would never actually check on that. They wouldn’t call the bluff. What I’ve seen, especially during Solar Winds. It’s only been what, two months, I guess, a month and a half. When I’ve seen is that there’s been an increased outreach from small organizations reaching out saying, Hey, you know in fact, this actually was a prospect to reach out to us. They said, we’ve had this client for, for years at the, where they’re small B2B company.

Dominic Vogel (11:25):

And they sold their platform, very large enterprise. They said, this one customer makes up something like 60% of their annual revenue. And they said, this customer is now cracking down on supply chain and vendor risk management. We’ve been filling out the questionnaire for years, right? We’ve actually, then they told me, we lie on it every year, and now they’re actually, they’re actually coming to audit us. They want, they want proof. They want us to see that we’re doing what we’ve claimed that we’re doing. And the fact that I’m hearing this more and more, I’m seeing organizations reaching out saying, we’re realizing now we can’t just, you know, lie or extend the truth on these questionnaires. We need to be able to provide proof. I think that’s gonna, what’s interesting there is that unlike something like, you know, preventing against a cyber attack or preventing against a data breach, that’s so abstract, but selling now when you impact the the bottom line where you, you realize, Hey, are you going to lose out on revenue? You’re gonna lose your biggest clients and customers. Now, all of a sudden, there’s a very interesting narrative as to why you need to invest in cybersecurity. So the B2B space, I see tremendous growth from a cybersecurity investment perspective. Other areasobviously time, time will tell, but that’s, that’s an interesting thing that I’ve noted over over the past few months.

Host (12:38):

Interesting, because I see something similar in the privacy side from a B2B perspective where companies won’t do business, in fact, I talked to someone this morning, smaller company, and they can’t sign the deal until they’re able to say, yes, we’re complying with XYZ privacy law. And so you’re seeing that more and more. I think it’d be really helpful for a company to understand if you were to be audited. What does that mean? What are they looking for? So can you share a little bit about, you know, like what is the big company coming to audit and what that means?

Dominic Vogel (13:07):

Yeah. And that’s really good question, Jodi. And again, it can take multiple forms, you know in some cases often what they’ll say is, okay you know, if we’re going to do business with you, you need to be able to engage a third party assessor, have this third party company come in and do a security assessment. And then you provide, us the the report. You know, we go over that and you have to pay the the bill kind of thing. So they won’t necessarily send one of their own auditors or assessors often they’ll just want to see a third party has done an assessment in the past year or past six months. What the often entails. Again, it depends on the level of depth they want to go to. It could be something as simple as, you know, we want to do.

Dominic Vogel (13:48):

What’s referred to as a maturity assessment, you know, let’s we want to make sure that you are following maybe a certain framework and often the list industry, best practice frameworks, whether that’d be the CIS top 20 security controls, which is a fairly basic framework for many small businesses. Maybe it’s the NIST cybersecurity framework, the CSF. Again, depending on regulations, they may want to say, Hey, we want to see if you are compliant against ISO or or, or ISO 27,001 or 27,002. You know, you claim that you’re moving in that direction, let’s see where, where you are kind of thing. So it does depend on the, on the, on the industry, certain industries like healthcare and financial services can be put through the ringer a bit more there than maybe other industries, such as manufacturing as a, as an example. So it does contextually depend, but at the end of the day, it’s being able to just prove what you claim to do. If you claim that you have multi-factor authentication enabled for all your email accounts for remote access, you better be able to prove that otherwise they will call your bluff.

Host (14:55):

Hmm. You have a fun, good story on that, don’t you Justin

Dominic Vogel (15:00):

I do love a good story,


Right? So I guess, so a Dom this morning I wrote on LinkedIn. So I was using a password management service and I was having an issue with the service. And basically I was advised, well, you’re going to need to re-enter passwords, the easiest way for you to do that is just take a screenshot of every one of them and put it on an Excel spreadsheet. I said, okay. And then Jodi, why might that be some very interesting advice? Well, then you’ve taken a picture that’s in a cloud server somewhere of all your passwords. So, right. So the moral to the story was right from the customer service of the password people. That was the advice that I got. I did fly that one up the chain and say, Hey, you might want to be aware of this email that I received for customer support, that when you dug down a little bit, it was not so supportive. Like when the the HR person will ask for the social security number in an email or that, you know, credit card number. And it’s all those, interesting things

Dominic Vogel (16:08):

I guess, categorize as a training issue or training gap.

Host (16:12):

Yes, yes. The other thing, you know, I, I’m thinking about as we sit here and a chatter away is what happens when one of your customers comes to you either because they’re going to be acquired or they’re going to be acquiring. Because one of the interesting things that I have seen is when I have a client go out and acquire another company, it is almost never happens that any cyber due diligence is ever done on the vendor ecosystem. And then I’ve had situations where there is a breach of a vendor in the ecosystem of the company that I bought. And that’s when I find out that my liability to my customer is far in excess of what that vendor’s liability is to me. And my reaction is, Oh! So could you talk a little bit about your perspective and what you see in those instances,

Dominic Vogel (17:06):

You bring up such an interesting concept and topic there, you know, and it’s something which obviously, you know, as secure practitioners, obviously we would want to see that happen more, more frequently, that actual due diligence happens. Again, this goes back to, well, I referenced earlier about the continued misperception or 1995 level thinking of cybersecurity. Again, if it was truly seen as a business risk, just like with any M and A deal, they, they look at all the risks. They look at financial risk, operational risk personnel risk. Why in 2021 is cyber risk still not seen that way. Main, reason it’s still many executives and many, you know, business people, sorry for using all these air quotes, but all these business people still don’t view cyber risk as being a true business risk. It gets buried under, you know, IT, or it gets buried under some technical thing, which is often overlooked.

Dominic Vogel (17:58):

It’s Oh, it’s something we can deal with later. You know, so to me, it’s, you know, we can talk about, you know procedural stuff, you know, why it needs to be in there. But to me it’s still all about mindset, unless the mindset of people in an M and A activities in terms of business executives, in terms of non-technical non-security slash non privacy people, getting them to the mindset that in the year 2021 and into the future, that cyber risk needs to be treated as such as a business risk until we change that mindset. You know, it’s, we’re just still chattering, you know? So it’s, it just, it’s, it’s so important for that mindset that to change I’ve seen it changing slightly, I’ve seen, we’ve actually had more private equity firms reach out to us during 2020, and then all our previous years combined when they were trying to ask questions, such as we’re worried about cyber risk in our portfolio of companies, what can we do to assess it?

Dominic Vogel (18:55):

You know, so the fact that these questions are starting to be asked is a good indicator that we’re moving in that direction. How fast are we moving? Not very, it’s sort of the, somewhat of the turning around the Titanic, not quite sinking yet, but it’s, it’s, it’s, it’s a very slow move as a lot of inertia to overcome. But it is certainly very encouraging to see these types of organizations ask these questions, because I didn’t see that as, as little as, you know, late 2019 or 2020. So it’s, it’s encouraging to see that.

Host (19:27):

I’m just curious when somebody asks you or if I’m the buyer, and I say, Dom, you know, it was part of my due diligence. I’d like to get access to your network and put sensors and do due diligence on it. What is, what is your reaction to that? Yes. Or no answer for you,

Dominic Vogel (19:43):

But to me, the reaction would be, yes, let’s let let’s do that. You know and again, to me, when we’re talking about doing an assessment, there’s two, two, there’s two parts to me, there’s, there’s the let’s open up the hood and let’s look at all the technical stuff. You know, let’s run some technical vulnerability assessments, scanners, what have you, you know, that’s, that’s, that’s important, but equally important is looking at it from a governance risk and compliance perspective. You know, what, what frameworks are, is the organization using? Do they have a security strategy? Is it just, let’s just apply random security technologies and see what fits. So getting it from the best strategic, a level of getting it from the tactical and operational level, that to me would be, you know, the, the best way of assessing the, the true cyber risks, then being able to at least tell an organization, yes, you’re taking on a great asset or no, you’re taking on a huge liability. And here’s why.

Host (20:31):

And so related to that, when you do your risk assessments, I’m curious with your client base of small and medium sized businesses, how often are they engaging you directly versus saying, you know what, I’m going to route this through my outside counsel.

Dominic Vogel (20:44):

Yeah. Good question again, specifically the context of M and A’s, you know  I generally, we’re generally only seeing that M and A stuff come through the, the, or the, either the private equity firm or the acquirer, not necessarily from an organization that wants to best prepare themselves to be acquired. That would always be a great use case, I think, for organizations to be more prepared. But the, the two use cases we’re seeing is mainly through either private equity firm, who is either in the, is in the process of bringing that company into their into their portfolio, or they’ve already done so, and sort of want to do it retroactively, which is, you know, it’s not a great idea, but it’s it’s a, it’s it’s certainly better than not, not looking at all. So it does sort of depend, but in terms of broader SMBs, why they reach out to us one of the things I’ve really noticed this amongst small, mid sized businesses, especially during the pandemic is that proactive investment in cybersecurity has plummeted.

Dominic Vogel (21:49):

They are, it’s pretty much I’m going to say 90% of the clients. We have been onboarded since mid March, 2020. So the onset of the pandemic have come to us reactively and reactively either because either a, they are mired in ransomware and ransomware as the digital fire, which is destroying many Canadian and US small midsize businesses. I’m gonna say probably a two thirds of the organizations that came to us in 2020 did so, but because of either, they were immediately dealing with ransomware or shortly after ransomware took, took effect, and they were trying to rebuild it, figure out how do we prevent this from happening again. Other organizations reached out because they, there was a potential data breach or others were reaching out because they were needing to prove compliance or prove their security capabilities from a B2B perspective. And these are all reactive situations. We went from in 2019 having a relatively, let’s say maybe 60, 40 balanced 40% of the clients that would reach out to us or prospects that reach out to us, they ‘re doing so proactively, 2020, and so far in 2021 is being very reactive. Part of that may be due to the fact that SMBs we’re stretched very thin during the pandemic. But it’s been very interesting to see sort of that proactive balance just disappear, maybe small and mid-size businesses are purely reacting to cybersecurity investment right now.

Host (23:13):

I think that there was a significant number of SMBs that were, I think you used the word decimated due to ransomware. And I was wondering if you could share a little bit more about types of businesses and are they truly, are they, are they done? They’re not able to come back to life or it’s just whatever you can share. So people understand the severity of that.

Dominic Vogel (23:32):

Absolutely, absolutely. You know, and what we’ve seen, especially during 2020 was the I’ll refer to it being almost like the great equalizer in which this doesn’t really matter what sector you’re you were in. We saw ransomware effecting organizations in pretty much every sector. We even saw it with the farming organizations, manufacturing, education sector, public, private. It didn’t really matter. It truly is a great equalizer that way. And two stories, which are quick stories, which I’ll share one of which was, it was a real estate development firm here in Vancouver that reached out to us. And they were the, in the final stages of completing a massive multi hundred million dollar building, but they were unable to get the final documents to send off for inspection, to get final sign off from the city.

Dominic Vogel (24:25):

And their, their server had been hit by ransomware and they had been unable to recover it. And they call us three weeks in and saying, well, we were not able to access this for three weeks. Can you help us? And my first question with ransomware is always what’s your backup situation? You know, if it’s been three weeks and you have a recovery, anything I’m taking the guess, that it’s pretty crappy, but that’s always my first question. So they said, we don’t know, can you talk to our IT service provider? And I said, sure. So I talked with their IT dservice provider. And the first thing this guy said was, Oh, we backup every night, we have daily backups. We, we back up all the critical data. There’s nothing to worry about. And I said, well, why am I here? Why am I, why am I talking to you? Then? He said, well, the last good data backup was actually in February. This discussion I was having was in, in late October. And I said, why didn’t you lead with that? You idiot. What would you tell me? You have such a, a great data backup architecture.


That’s up to you as a service provider talking to you on the phone. My, my limitation of liability is $20,000. So, sorry.

Dominic Vogel (25:29):

Yeah. And this is where there’s, that, that notion too, again, about understanding, viewing it through a risk lens. This,  this business, they just blindly trust their IT  service provider, right? They didn’t, they had, they done sufficient due diligence. Had they done sufficient governance, just something as simple as when was the last time of data backup was testing. Was that test successful, right? We’re not asking rocket science questions, right? We’re not trying to send someone tomorrow. So this is fairly straightforward stuff had that basic level of due diligence and governance and oversight occurred. They would’ve known that the data backups were not working, and then they could have, you know, the check that to find out why and how to proper restore process. So without one, there, they were pretty much out of luck and they they as an organization, they refused to do anything about, and they actually ended up paying the ransom to get access back to those files. Again, yeah,

Host (26:29):

You just mentioned they outsourced it to IT. Soho was responsible for that relationship within the organization since they’re in real estate and they don’t think they’re in the data business, but we’re all in the data business.

Dominic Vogel (26:41):

Yeah. How did that work? It was the, it was the CFO. And what happened there, especially with this particular firm, this was a family organization that had been a family run organization for years. The CFO was first close friends with the with the father who handed the reigns off to it to his son. And this, this guy had been the CFO for, for years, you know, and again, he could do no wrong. And that’s where, again, when there’s a lack of accountability, when there’s a and that’s why for me, when I assess security, I’ll even not ask technical questions right away. First, the first thing I look at and I talk to the CEO, CFO, COO and ask is the accountability is the oversight and governance there. If it’s not, I don’t need to do a technical assessment. I’m going to save my time. I’ll save the money.

Dominic Vogel (27:23):

I’m going to say your organization likely sucks at security, because I can tell just by talking to you, you know, so it’s a I’m a firm believer in that and you’ll see it very apparently when you talk to talk to the executives and talk to the board, if they have one the other quick story that I’ll share with it’s a manufacturing firm also based here in, in greater Vancouver, it was a family run organization. It had been started something like 40 or 50 years ago, the, the founder and the person who grew it, he had died about three years ago and he handed it off to his wife. His wife didn’t want to sell the company. She wanted to continue it, you know, continue his legacy. And, you know, she, she, she kept running it. And her daughter was also helping her with operations.

Dominic Vogel (28:10):

And  they too got hit by ransomware and here because they were manufacturing it affected their, their the availability of the systems, the confidentiality of the data wasn’t really an issue. It was that they could not access the systems they needed to, to continue the manufacturing process. They were down for, again, this to come back and call us three and a half weeks. And they were down for three and a half weeks, you know, they hadn’t manufactured anything. And she reached out and she said, you know, we’re, we’re in our final few days here should have, we can’t get up and running. We’re we’re, we’re going to lose everything. And I said, well, you should have probably call me three and a half weeks ago, but, but sure. Let’s, let’s see what we can do. And you know, we have a digital forensic specialist on our team, and I think he was able to recover it and unlock some of the systems.

Dominic Vogel (28:55):

So they were able to, to, to continue. And then when I was sort of debriefing with her and telling her, in terms of you got lucky, you know, here’s what we need to do moving forward. I laid out, you know, here’s sort of what you need to do from a planning perspective. You know, here’s our virtual chief information security officer package. We think this will help you set the right foundational security building blocks to make sure that this doesn’t happen again, or at least become more resilient if, if it happens again. And so then she said, Oh boy, you know, I, I just thought security costs maybe two or $300 a month. And I said, and I said, let me get this straight you. Cause she just, before I presented this to her, she told me she cried. She said, I can’t believe I almost lost my, my husband’s legacy.

Dominic Vogel (29:36):

I said, do you not see the disconnect between what you just said? And the comments about what you are willing to pay? So you you’re basically telling me, you know, like ransomware where almost brought your company down for good. It almost destroyed your husband’s legacy. Now in the same sentence, you’re telling me your husband’s legacy is worth $200 a month. Do you not see the disconnect and she didn’t. And that’s what’s so, so worrisome, I think when it comes to small midsize businesses that they fundamentally do not see that that disconnect between surviving as a digital company. And you said, so you both hinted at that in this day and age you’re data-driven in digital organizations, COVID has only made that even more. So, you know, companies are much more virtualized, much more digitized. If you’re not going to plan for that cyber risk, you’re pretty much walking into a, into rapid gunfire and you’re not going to last in the long run. So it’s those are two stories to sort of illustrate the lack of understanding.

Host (30:32):

When you said that to her, she didn’t kick you out of the room. Cause when I had my way, I get the boots.

Dominic Vogel (30:41):

Well, I have that with generally speaking this year, at least we were able to have some civil discourse in the conversation. She didn’t particularly care for my tone, but I would just think I’m so taken aback by by that, you know long story short, she didn’t become a client, but it it’s It’s just time for the time for politeness, I  think with organizations is has has come to has, is long gone. You know, we need to increase our tone, you know, with, with these businesses. Otherwise they’ll, they’ll, they won’t survive in the long run.

Host (31:14):

I have one last follow up question in both of your stories. What were they both doing for three weeks? I mean, the businesses down you can’t run. When I deal with ransomware, I get the call on Sunday or whatever they’re like Holy…what are we going to do. And then I have to put the team together and you know, for three weeks,

Dominic Vogel (31:34):

Well, first of all, I love the comedic timing between you two. That’s perfect. But the, the, and to me, what was, what was so strange again is the, so for the first case with the real estate firm, what was happening there, it was that the IT service provider kept saying to them, we’re working on it, we’re working on it, we’re working on it, we’re working on it with that real estate firm. You know, the, because it wasn’t the, all their systems that were affected. It was just this one server that was affected. They were at least able to continue operations, but it was, it came to an impasse because they needed those documents in order to pretty much open at that  several hundred million dollar building. So they did have some gift of time. There was the manufacturing one similar thing again, blind trust. The CEO, the, the lady was blindly trusting the IT consultant. And by consultant, I mean, some guy who maybe, you know, knows how to use a computer he wasn’t really much of an IT person, but he kept saying to her, I’m working on it. I’m working on it. Give me one day, give me one more day. You know, I think that blind trust blind trust leads you down.. The path of destruction

Host (32:44):

Sounds like a good bumper sticker.

Dominic Vogel (32:53):

I like that

Host (32:54):

All these stories of what you see all day long of companies doing what they shouldn’t be what is your best privacy tip that you offer your family, your friends, closest to you, dogs in the background…blind trust… best personal privacy tip.

Dominic Vogel (33:18):

I think you and I need to go into the bumper sticker business. I think we could do really well, but I try really hard not to be the support person for my family. Sometimes I, I think idiocy around the technology just so I can be left alone. But in terms of, in terms of the controls are not controlled with the recommendations and advice I give to friends and family is mainly really around social media. You know most of my family and friends, their interactions with technology is social media. So everything I point them to is the, you know, the privacy control let’s share the privacy and security control best practice controls for Facebook, for Twitter, for Instagram, you know here’s what you should be doing. Don’t have your profile open to the whole world. So just to helping them go through some of those basics obviously find this is a good starting point because that’s often their view of the technologies is through the lens of social media

Host (34:12):

When you’re not in the office making up great bumper stickers, honing your comedic timing. What do you like to do for fun?

Dominic Vogel (34:20):

Good question. The well…I love playing with my with my with my kids, my, my son in particular, my, my three-year-old son, James. So being able to see the world through his eyes, and I spent a lot of time doing on my LinkedIn posts around him. And what I learned as a, as a dad. And it’s his level of joy that you see from within, through a toddler’s eyes, it keeps you it keeps you humbled and makes you realize that, you know, I, although I do security work for a living, that’s not who I am, you know, or the things that I love absolutely doing are being a dad and being a husband, you know, the, the other stuff it’s just fun, but the being a dad and being a husband, nothing, nothing beats that, that’s what, that’s what I do for fun.

Host (35:03):

So how can people find you outside of listening to this fabulous podcast?

Dominic Vogel (35:10):

Good question. For people who are listening / watching reach out on LinkedIn, I spent a lot of time on LinkedIn. @Dominicvogal, I’m the only one out there please feel free to reach out. I’m always open to, to new new conversations, love meeting, new people, love networking. You can also email me dvogel@cyber.sc. Those are probably be the best two ways of, of reaching me well. 

Host (35:38):

Thank you so much for coming today and sharing your insights about what it’s like to do business in Canada and around the world. And, you know, it’s really interesting to see that we’re all facing the same similar, similar struggles.

Dominic Vogel (35:55):

So it was a lot of fun. 

Host (36:01):

Thanks for listening to the, She said privacy. He Said security podcast. If you haven’t already be sure to click, subscribe, to get future episodes and check us out on LinkedIn, see you next time.

Dan Shulman

Daniel Shulman is an Intellectual Property Shareholder at Vedder Price, an international business-focused law firm that serves clients of all sizes in the US, the UK, and Asia. With more than 12 years of experience as the Chief IP Counsel for multibillion-dollar companies, Daniel specializes in IP acquisition, trademark litigation, copyright litigation, portfolio management, and much more.

Daniel is also an Adjunct Professor at Loyola University Chicago School of Law. He has been featured in a number of publications, including Intellectual Property Magazine and the Seton Hall Law Review.

Available_Black copy
Available_Black copy

Here’s a glimpse of what you’ll learn:

  • Daniel Shulman’s litigation journey—from mock trials in 4th grade to Chief IP Counsel for billion-dollar companies
  • How privacy and security concerns impact the development and licensing of new tech products
  • Daniel discusses when to sign—or not sign—a mutual non-disclosure agreement (NDA)
  • The differences between IP lawyers and privacy lawyers
  • When should technology inventors start thinking about privacy laws?
  • Daniel shares his personal privacy advice: don’t answer calls from unknown numbers!

In this episode…

Are you brimming with new ideas for tech products, services, or programs, but struggle with the aftermath of invention—when patents, IP laws, and privacy and security come into the picture? If so, this episode of She Said Privacy/He Said Security is for you!

Intellectual property, patents, trademarks, and the like can be complicated and confusing. However, according to Daniel Shulman, the sooner you begin to consider IP law for your new products, the better. In fact, he suggests that any thoughts of new inventions should be closely followed by discussions with an IP expert. So, what can you do today to start protecting your privacy and security when creating new products for your business?

In this episode of She Said Privacy/He Said Security, Justin and Jodi Daniels sit down with Daniel Shulman, Intellectual Property Shareholder at Vedder Price, to discuss the importance of privacy and security when developing new tech products. Listen in as Daniel reveals when to avoid signing a mutual NDA, how quickly to consult IP lawyers when creating a new product, and his number one personal privacy tip for listeners. Stay tuned!

Resources Mentioned in this episode

Sponsor for this episode…

This episode is brought to you by Red Clover Advisors.

Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.

Founded by Jodi Daniels, Red Clover Advisors helps their clients comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, SaaS, ecommerce, media agencies, professional services, and financial services.

Their free guide, “How to Increase Customer Engagement in a Private World,” is available here.

You can also learn more about Red Clover Advisors by visiting their website or sending an email to info@redcloveradvisors.com.


Host (00:01):

Welcome to the, She said Privacy. He said Security podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Host (00:22):

Jodi Daniel’s here. I’m founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant, certified informational privacy professional, and I provide practical privacy advice to overwhelmed company. Hello, Justin Daniels here I am passionate about helping companies solve complex cyber and privacy challenges during the life cycle of their business. I do that through identifying the problem and coming up with practicable implementable solutions and I am a cyber security subject matter expert attorney. This episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, e-commerce media agencies, professional and financial services. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there’s greater trust between companies and consumers. Learn more. Visit redcloveradvisors.com. We’re really excited to welcome Dan Shulman to the show. Dan, welcome. Dan is a shareholder in the IP group at Vedder Price in Chicago, and he’s a former chief IP counsel who turns innovation into value to win in the market before a win in the courtroom. Dan is an experienced litigator and appellate lawyer, but only as the last resort, we really don’t want to be in the courtroom.

Dan (02:04):

It’s the least efficient way to turn your innovation into value. (Host) Now, apparently did not get the wear black memo today. I was more interested in hearing about the snow in Chicago since I won’t be seeing any this year. (Dan) I was watching the news last night and they were showing, of course, you know, they always have the reporter out on the expressway when the snow is coming down. And you know, there were flurries not too bad. And I thought to myself, if this were Atlanta up there, there’d be like, it’s a disaster. (Host) There’s some people who wants to so badly or they just want it to be perpetual holidays that they have still the snowman in the yard. It’s still there, but moving beyond snow, Dan, we’d love to learn how you got started in your career and kind of a journey you’ve taken because it’s been really interesting to see both in in house and at a law firm and kind of the change in the differences between them. If you can share a little bit more,

Dan (03:00):

That’d be great. Yeah, absolutely. I don’t know how far back I go. I think my legal career started in fourth grade when we did a mock trial for Alice in Wonderland, which we’re reading part of our class. And I was tasked with defending Alice in the mock trial and kind of got the litigation bug. And then I discovered, well, we’re, short on time, but the short answer is. One of my friends, Steven was the mad Hatter and he was there to testify about, you know, all the awful things that Alice had done in Wonderland. And he had a cast on his arm and he was, and he testified that Alice had broken his arm in Wonderland, which I, as the lawyer knew to be untrue because I had broken his arm in a play date like a week earlier

Dan (03:41):

So, so armed, no pun intended with that information, totally eviscerated him on cross examination and that, and, you know, we ended up Alice ended up being acquitted and I got, you know, the Perry Mason bug. At some point later, I discovered math and science and decided to, I would try my hand at being a physicist, but I was a much better writer than I wasn’t solving equations. And when I decided at the end of college, that physics wasn’t going to work out, I went to law school always with the attendance of being an IP lawyer because I still love math and science. So graduated from law school started my career in private practice was at a firm called Mayor Brown for about seven years. Always wanted to be a dad more than I wanted to be a lawyer.

Dan (04:20):

So as I got closer to partnership and realize I was spending more time with my kids and it was then I think they would have liked me to spend at the office realized I probably ought to go in-house. And so spent a year and a half at Motorola and then moved on to be chief IP counsel for what ended up being about a $14 billion consumer packaged goods. Over the time that I was there and I was there for about a dozen years. And then those kids that I was so eager to spend time with became teenagers and didn’t want me to spend time with them anymore. And having been in that same role for about 12 years and learned a ton, made me a much better lawyer being in house. And not just in terms of relaying you know, relating to clients, but just in terms of different areas of practice and different problems that needed to be solved.

Dan (05:06):

I had down everything I think I wanted to do, and it’s a blessing and a curse to be comfortable in your job. And I was really comfortable in my job and decided with the kids being older. You know, I didn’t need to sacrifice the lifestyle, wanted to get back in the courtroom. More wanted to bet on myself, wanted to try a different challenge. And so in May of 2019, after 12 years, as a chief IP counsel went back to private practice, and now I’ve been at Vedder Price for 21 months, I suppose it is now. And, and just loving being in private practice and, and doing it with the idea that I’ve been in my client’s shoes that for relate to their, what they’re going through, can talk to them in a way that I think that they appreciate having a different set of tools then lot of outside IP lawyers have, because rather than needing a big budget to do IP work, I had to do IP work with a budget of very close to zero.

Dan (05:56):

And if it wasn’t close to zero, it was shrinking every year. And so making the most out of what you have doing smart IP work from, you know, building a culture standpoint, having the right processes in place. That’s really the stuff that I focus on helping my clients, my clients with, you know, I tell my clients, it’s not necessarily great for business development, but the better I am at my job and helping them the better they are at their job and the less they need me. And, and if they need me less, that’s fine. If they’re better at their job because of what I do for them when they need me, I know I’ll be one of the top people they call. And so it’s all about building those relationships and helping them be better at their job.

Host (06:35):

Digging in a little bit about talked about the companies that you’ve worked at in house. A lot of them either licensed or develop technology products. We wanted to focus a little bit today on the intersection about how privacy and security fit into the process of developing this technology as well as licensing from IP lawyer perspective.

Dan (06:53):

Yeah. So it comes up in a variety of contexts. So the first thing is there are two categories for what would come up. One is internal development. That’s entirely within the company. That kind of stuff is, is trade secret. It’s gotta be confidential at least until it becomes public. And so there’s gotta be security around people understanding that you can’t talk about works that are in development. That until a patent is published, that’s valuable confidential information. If you’re going to get a patent at all, they always become confidential. So, so in that regard, there’s one set of challenges, which is just making sure employees know not to talk about what they’re working. The other category is stuff that people do with joint development partner, where by necessity, you’re talking to your partners about things that you’re doing, but there you have to understand a couple of things.

Dan (07:43):

One the value of confidentiality in that relationship, both going out, not telling your development partner more than they need to know in order to work on the project with you. And number two, not receiving confidential information that you don’t want to have, right? I can’t tell you how many, how much training went into telling, teaching the business, not to engage in a mutual nondisclosure agreement with a party when you’re just talking about a project to have that party tell you what their potential solutions were that would prevent you from go shopping around to another developer or another party that you might want to work. Right? And, and, and that was a change, too many companies, as a default enter into mutual nondisclosure agreements and end up receiving confidential information from somebody else that they don’t want, and they don’t need and prevents them from them pursuing the project with somebody else.

Dan (08:30):

And so teaching clients about being disciplined in terms of their own non-disclosure agreement. And then once you are in development with somebody, again, it’s about making sure that you have security around the things that you’re developing jointly so that they don’t spill the beans to somebody else. Even if the project doesn’t result in something that’s marketable, there is in- process work, that’s gone into that development that you want to make sure that you maintain rights over. So we had agreements that made sure that rights were protected even when the development fell off. Those kinds of things are all about education and strategy and being smart about what product development looks like and what confidentiality looks like and not getting stuff you don’t want and not giving away stuff that you don’t need to give away. That was all about education. On the, on the internal side, there were a number of things that needed to be addressed.

Dan (09:22):

One was that stuff that we were, we knew we were going to maintain as a trade secret stuff. We weren’t going to pursue patents on either because we couldn’t get a patent on it, but it was still valuable, or it would be too easy to design around or too hard to detect infringement that we would keep as a trade secret. We made sure that those things were identified as trade secrets during the review process for the invention, as we decided, whether it was going to be patent, trade secret or something, if they were identified as a trade secret, we would put them in the database as a trade secret and therefore have in our internal IP database, a list of our trade secret is really valuable for the company having that list. And just knowing that the trade secret exists was totally insufficient because you needed to have somebody responsible for maintaining the confidentiality and the security of that trade secret.

Dan (10:12):

So there was another field in our database, which was where is the trade secret located? Sometimes it was just in somebody’s head and you knew who that person was, and you could identify, okay, you are responsible for this trade. So sometimes it was a drawing. It was something physical where in the plant is that being kept because we needed, then the plant manager was responsible for that trade secret. If it was on a server, if it was, you know, on any kind of a SharePoint system that had security around it, okay. Then the, per the IT, the chief information officer or the chief technology officer, somebody in IT who is responsible for that server security was ultimately going to answer for the trade secret and a security compliance for that trade secret. And, and having that, where is it in addition to, what is, it was critical for security

Dan (11:01):

You can’t just say I’ve got a trade secret. Here’s our trade secret policy. Everybody’s got an agreement with the company that they’re going to keep trade secrets confidential. That’s fine, but who’s ultimately responsible. And so when we did our trade secret program, we made sure not just to identify what it is, but where it is, and then allocated responsibility, depending on where that trade secret was located. And that was key to security because then when businesses came in and we wanted to spin off a business, or we needed to license that technology, we knew who was responsible. We knew we could make a rep and warranty, but who was responsible if we needed to spin off the business, we need to know who had access to it. If we were licensing it, we knew where to go, who to go to, to make sure that we could comply with our obligations. And then as we got information in, we also put that in our database with where is it because the, where is it would trigger, who was responsible, 

Host (11:54):

You said something interesting around the mutual NDA. And I think there’s a lot of companies who ask for a mutual NDA. And then the other side where they’ll say, okay, I’ll just sign that. Could you share a little bit more about how would you advise kind of either side? What would you tell a company where you’re saying, throw this mutual NDA in front of every prospect or partner that you’re talking to, what should they be doing differently? And then the reverse of if you’re on the inside, you’re the person receiving that? When should you maybe not sign that? I think that would be really helpful information.

Dan (12:26):

Always ask the question when you’re sitting across the table from somebody and confidentiality comes up, always ask the question, what do I need from this person? And, and do I need something confidential from that person? And you’d be surprised how many times the answer is you don’t need something confidential from that person. Typical example of where this would come up is again, we would have some sort of product development and we’d be trying to develop a product and we don’t have a particular expert. So there may be three or four different companies that has had that expertise that we’re going to need to rely on in order to bring this product to market. Right. We might not have some of the chemical knowledge, some of the manufacturing knowledge, whatever it is. If you sign n mutual NDA with one of those parties that you’re talking to about starting the project and the NDA is typical and says, not only will I not disclose what you told me, but I won’t use what you tell me, except for in a project with you.

Dan (13:19):

If you give me information about how you would solve my problem, right? Because that’s what I’m doing right now. I’m vetting potential partners, but how they would solve my problem. If you tell me how you would solve it, I now can’t use that information to go talk to the other three people. I’m going to talk to you about how they would solve the problem. It may be that they might come up with the same solution. And now you’re going to be in an issue where if you launch with somebody else and come up with that solution, the first party is gonna say, Hey, you used what I told you, right? Maybe you can document that you didn’t, that somebody came up with it independently, but that’s going to be a litigation, or it might be that you need to compare what they said with what somebody else did, well doing that comparison.

Dan (13:53):

in order to order to enter into an agreement with somebody else is using that person’s confidential information. You could technically be in breach of the NDA. What you really want is to talk to partners about, what your off the shelf solutions are first don’t tell me something that’s confidential. I don’t care if it’s proprietary, like it might be patented, but don’t tell me your non-public solution until I determine that the thing that you have off the shelf doesn’t work for me because then you’re not going to receive confidential information. So you gotta make sure that you’re being disciplined about that. You know, another example I would have from time to time, my procurement group would want to talk to a partner about pricing. And the other side will say, we need a mutual NDA. And my procurement group would say, is this okay?

Dan (14:36):

I said, well, what are you going to do with the information? But we want to shop their price around so well, that’s why they want you to sign a mutual NDA. They don’t want you to shop their price around. He’s like, Oh, we always say mutual NDA. And them do price shopping. I go, I know you’re not supposed to do that. So things as simple as that is just being disciplined about what do you need and understand if you are getting something confidential from somebody that you really need it for your business purposes first. And if you do, then you have to treat it as confidential information. Because otherwise you should think of an NDA as an exclusive arrangement your signing up for exclusivity. Once you get that confidential information, you can’t use it with anybody else. And if you’re not comfortable with that push back on that mutual NDA,

Host (15:20):

Thank you for that explanation. Mutual NDA is kind of like getting married. You’re supposed to elusive with that one person. And if you breach the NDA, you go to a different kind of a lawyer

Dan (15:31):

Yeah, exactly. I, and I, and I appreciate that as a member of another Provisors husband, wife team. Absolutely. I’m a hundred percent behind that though.

Host (15:45):

A little more seriously, you know, you were talking about intellectual property and NDA contacts, but let’s talk a little bit about how attorneys approach protecting personal information when it comes to intellectual property. A lot of times I see this in the M&A context when intellectual property is the real value that’s being purchased and, you know, law firms are treasure troves of information, but from your perspective, in a law firm setting, or even working on a client project with intellectual property how did, how do IP lawyers think about protecting the personal information that relates to the IP or the IP itself?

Dan (16:20):

Well, so we’re talking about Justin in this case, different from what I was talking about before, which is protecting your company’s own information, you’re talking about protecting information that belongs to somebody else, somebody else’s personal information, either your customers, your employees, wherever you’re getting information from. And I think frankly, it’s something that IP lawyers need to be better at thinking about. And, and the reason is it’s where there’s the divergence in terms of frame of mind, between a lot of IP lawyers and privacy and, and they are distinct practices, and they need the same distinct of mind as an IP lawyer I am mostly concerned with protecting the confidential information of my clients because it belongs to my client. And so everything I do about protecting my client’s confidential information assumes that my client owns the information that I’m trying to protect, which means they can do whatever they want with it, but they don’t want it to get out because it’s theirs. For a privacy lawyer, it’s not that it’s not that situation at all, the information that you want to protect doesn’t belong to your client.

Dan (17:24):

It belongs to the people who provided the information to your client. It belongs to the customers, the employees, the contractors, the individuals whose information that is, and therefore protecting it is not just an obligation that you have to, that the company has to itself to protect its own information. It has an obligation to actually a legal obligation to the people from whom they got that information, which means they can’t do whatever they want with it, you know, it’s not a matter of, well, if I’m loose with my information, you know, it’s my own company’s information. I can decide that I don’t want to put resources behind protecting that anymore. I don’t believe that that trade secret is valuable anymore, right? The product may be obsolete. I’m not going to take the steps that I used to take to protect that trade secret. Well, you can’t do that when it’s somebody else’s information because it’s not yours.

Dan (18:10):

You don’t make, you don’t have the right to make that decision about somebody else’s information. I think IP lawyers who get asked privacy questions have to remember to treat the confidential information like it was information that you got under a mutual NDA, right? In other words, it’s not yours. You have an obligation to protect other people’s information and make, and that may be a higher obligation that you would protect your own information with. And, and so, you know, as you go through an M & A transaction or a licensing transaction, and some of what is the value of your company is say your customer information, customer data, all of that stuff, you can’t trade it around as if it were your own confidential information, right? You have an obligation in terms of what you do with that. You may have a notice obligation if you’re going to disclose it or sell the company or sell that data to somebody else that you wouldn’t have, if it were your own data.

Dan (19:06):

And I think not enough IP lawyers ask when it comes to transactions involving company trade secrets, or which trade secrets are we talking about? Is it entirely theirs, or does somebody else have an ownership interest in that trade secret? And I think IP lawyers and I know privacy lawyers are conditioned asked that question, IP lawyers are not enough conditioned to ask that question who owns that. Right. I know we’re treating it as a trade secret, but they’re not all equal. And I think that’s where as an IP lawyer, I have to constantly remind myself to ask that question. Who’s is it, who owns it?

Jodi (19:35):

We had a couple of different discussions. And part of what I remember was, and what I found so interesting is if you think about all the different innovation that’s happening today, so someone’s going to be coming and talking about trade secrets and IP, because they’ve created, it’s something of value. If you think about the new technologies that are coming out, where are you seeing privacy and the technologies intersect and where, and when should privacy start being considered in those initial stages. And then kind of practically speaking, when do you actually see it being considered? I might have my, and you might have your perfect idea of, of when, you know, for me I’d want it right at the beginning as you’re ideating and coming up with those, those new ideas and technologies, that’s when you should be thinking about, well, do I need to do it a little bit differently due to a privacy law? Or what kind of information am I having? But I’d love to hear from you from, from the angle that you’re coming from as an IP attorney, where is that intersection in theory that you believe, and then what you’re seeing?

Dan (20:37):

Well, Jodi, I agree with you a hundred percent that that earlier is better. And the reason why earlier is better is because of where the intersection is happening that I see you know, the economy is moving more towards a service-based economy and as it moves to a service-based economy the newest innovations are all about providing personalized services or services in a broader let’s call it in e-commerce environment, right? Which, which is all about where do you live? What’s your credit card information? What are your tendencies? What do you like to buy? What are your preferences, right? And people wanting to leverage that, to build out new models for different kinds of service. And so a new inventor may come to me with a wonderful new e-commerce idea, whatever it is, right. It doesn’t matter. They’re going to be doing something for individuals using the internet as a backbone and different suppliers and different streams of commerce.

Dan (21:40):

And, and, but it’s all going to involve servicing a customer in some way, and that will involve getting customer data necessarily. And so very frequently they have a business model I’m going to, you know, get this good from this supplier, figure out which customers like it best, send it to that customer and get a fee, fine that’s your business model. Have you considered as part of your business model though that you might be quite limited in terms of what you can do with the information that you’ve got, right? You may not be able without jumping through a lot of hoops and hiring some good privacy people to figure out who are the best customers for your services, because it involves parsing a lot of personally identifiable information in that. And if you haven’t accounted for that in your business model early on, and you try to now file for your patents and set up your company and get investors, and now you realize, Oh, there’s a privacy hiccup here.

Dan (22:36):

My business model didn’t account for that my business model didn’t account for, if I want to do what I need to do, I have to go through certain registration processes. I have to allow customers to opt out. I have to build my system to allow them to opt out of certain things, to not provide me information. If I don’t get that information, is the company really that valuable? Well, what if, what if, what if, and you built your model not realizing how important privacy law was to that business model. And so now the whole thing gets upset, right? And that’s not even that’s before I even get involved and try to write you a patent application on this e-commerce idea. It’s that your business model didn’t make sense. And if you have to redo your business model, that patent application that I write you is going to look very different because you may not get data from database, A shifted to database B and use it for purpose.

Dan (23:22):

C, right. Which I might try to write a patent on. Instead, it might have to go a different route because you have to account for the privacy issue. And I think, you know, especially with individual inventors and especially in, in an area where innovation is happening so fast and people are in the innovate now ask questions later you know, forgiveness instead of permission mode, that there’s a real danger that, that skipping the privacy step is going to mean your business model. As you thought it up, isn’t going to work, or isn’t going to work the way that you thought. And I see that not, you know, not every day, but certainly several times a month, as I talk to clients and new clients, new potential startup that don’t have privacy as an initial part of their businesses.

Host (24:05):

Yeah. I’m gonna, I’m gonna take a guess that I think we’re going to start seeing it more and more, as more regulation becomes required. It pushes more into the United States than it ever has before. Just like they’re thinking about if it was a healthcare financial situation, they really would’ve thought of those at the beginning. I think you’re going to start to see it, but it’s not quite there yet. I think pretty soon. 

Host (24:28):

I’m laughing because I just dealt with this issue and you and I both know that from a startup and series a and seed investor round, just not top of mind till they watch their investments blow up or have problems. They’re not going to want to spend on it. I mean, we’re talking on zoom. Once they had their meteoric growth last year, then they got hit with the CCPA lawsuit. Now it was time to bring in the expert and, you know, because their stock had skyrocketed so much, that was merely a cost to do business. Now, if you’re earlier and you’re not quite at that stage, it’s a different story. But my lovely wife, I do beg to differ as I still think, even with regulation, there’ll be a reluctance on startups and early stage investment to focus on it because they don’t have a minimum viable, viable product and customers. That’s always their focus. And as you know, I like to say privacy and security are what

Host (25:19):

inconvenient, except if you were going to create a brand new health care app to connect the vaccine to your doctor’s office, that’s going to be my new thing. And if there was insurance related and I need to think about HIPAA, I, as a, as a startup inventor, any individual advising me, I would drill into you well hold on. You have got to think about that part right there. I don’t think we’re there for non-healthcare and financial data, but I do think as more States continue to roll out and GDPR here in the U S is a questionable one of how many people do pay attention at the very early stage, which is negligible, but as we get more and more in the United States, I do think you’ll see, we’re going to have a shift.

Dan (26:02):

At the risk of being the mediator. I think you’re both right. I think Jodi you’re right. I think, I think Justin, that you were right. That, that when, when it’s healthcare because people are so used to every time they walk into their doctor’s office, having six HIPAA forms to sign, they’re aware that there’s something out there, right. If, if there’s a healthcare issue, it’s like, I think there’s some privacy or something. I don’t really know, but this might be an issue, right? If only people just thought, I think there’s something out there. I don’t know what it is. There might be an issue how much headaches they could say, even if they don’t know what that issue is. They don’t know. I think I got asked this, I think for healthcare related stuff, I think most people are their… problem is you know, the service-based economy and the kind of inventions that people are coming up with are beyond healthcare.

Dan (26:55):

And that’s the sort of stuff where they’re just not realizing you know, they know intrinsically cause they watch, you know, things like The Social Dilemma and they watch, you know, all this stuff with Facebook and they go, well, the real golden nugget for all, this is my customer is customer data. Look at all the things they do with customer data. Like they know that people, people are, I think people are aware that, you know, when they talk to their wife about, you know, what kind of red wine should we get drink tonight? And, you know, they’re just talking and next thing you know, you open up Facebook on your app and you have ads for red wine. And you’re like, my God, my phone was listening to me. Right. And that’s like super, super creepy. And yet we’ve all sort of accepted that that happens.

Dan (27:36):

Right. And so the point is we were all kind of aware of how transactional or customer data is. And so people who want to invest in companies that are startup companies where they think the golden nugget is, I’m going to get a lot of customer data because look at what Facebook made billions off of customer data. Yes. And they also spend billions trying to defend themselves from the misuse of customer data. Right. so you just have to be careful about it. And I think that recognition hasn’t quite hit. So in that regard, I think Justin is right also.

Host (28:07):

I agree. I don’t think it’s there yet with all this privacy knowledge. What is your best personal privacy tip?

Dan (28:15):

Well, my, my best personal privacy tip is to not answer the phone when you get an unknown number. If you answer the phone once and I went through this, like months ago, I made the mistake of answering the phone because the the number that was close to another number in my context. And I thought it was a friend and it wasn’t, it was somebody from China trying to sell me, I think, an extended warranty on my car that, that I haven’t owned in 10 years. And as soon as I answered, they knew the number was real. And in the course of the next 24 hours, I got somewhere in the neighborhood of 30 different spoof number calls. And so, and I called my cell phone company. I’m like, what can you do about it? They’re like, well, they use a different number every time. So we can’t walk it like, well, this sucks. Cause I might have to change my phone number now. Cause I have no idea how long this was going to go on. It’s been 24 hours, I’ve gotten 80 calls and eventually they stopped. So my personal tip just to avoid annoyance is don’t answer the phone if you don’t know a number because they’re getting personal information from you just by you validating the fact that that’s a working phone number that you answer. That’s my personal top.

Host (29:20):

So Dan, when you’re not in the office or maybe not at a Cubs game or the Bears game, what do you like to do for fun?

Dan (29:27):

Well also I team up with my wife to do marketing and business development. Oh, wait fun. I, I am an avid reader. And so I am, I am buying more books on Amazon than I can possibly read and just having them pile up. I just started a new book, which I mean, cause you guys are in sort of the tech business, you might find interesting just came out. It’s called Humble PI. When mathematics goes wrong in the real world and it’s a whole bunch of, of stories of, you know, computer programming that just used math, but had unintended consequences like numbers that weren’t big enough. You know, just all kinds of like software when they were flying F fifteens and seven of them information crossed the international Dateline and the software couldn’t handle the change in the tape back. And all the systems crashed simultaneously and the air force had to put in a bug fix in the next 48 hours. And it was all because they couldn’t handle the zero on changing the international Dateline. Just interesting stuff about math gone wrong, which again, you know, as a math and physics major and science geek is endlessly entertaining for me. So reading is what I do for fun.

Host (30:39):

And where can people find you if they want to learn more about  Humble PI and other math books that you might be reading or they have more important IP related question?

Dan (30:50):

The best way is you can find me on Vedder Price Website. www.vedderprice.com, search Shulman without a C – S H U L M A N. You can email me at dshulman@vedderprice.com. You can find me on LinkedIn. You can call my office (312) 609-7530. I haven’t been in my office since March, but I will get your voicemails all. I don’t want to give you my cell phone number in case you’re selling car warranties, but but I promise that if you reach out to me, I will get back.

Host (31:26):

You don’t have one of those day calendars. Do you that when you go back in, it’s going to be from a whole year ago, have you seen the pictures of people going in their offices 

Dan (31:35):

No, but I will tell you that I haven’t, I’ve only been in my office for about 45 seconds since March. And the last time I went in was August. Cause I had to pick something up. And, and it was a little bit like an archeologist walking into Pompei because you see kind of what was left when the volcano erupted and you didn’t actually get to in the scariest thing was not the day calendar, but the post-it notes with phone numbers that were on my desk because some more soul is waiting for me to call them back. And I have no idea what those phone numbers were or what they’re for. I assume if it was important, they reached out to me. But yeah, I’ve post it notes of phone numbers, or probably calls that I meant to return as soon as everybody came back to the office.

Host (32:12):

Well, Dan, thank you so much for joining us today. We really enjoyed our conversation. (Dan) Thank you. I appreciate it.

Host (32:23):

Thanks for listening to the, She said Privacy. He said Security Podcast. If you haven’t already be sure to click, subscribe, to get future episodes and check us out on LinkedIn. See you next time.

Kenji Kuramoto

Kenji Kuramoto is the Founder and CEO of Acuity, a financial management firm that builds and maintains financial functions for entrepreneurs and startups. Through his work at Acuity, Kenji achieves his core business mission: to offer scalable financial solutions to busy entrepreneurs so they can focus on effectively growing their businesses.

In addition to this, Kenji is also a Founding Venture Partner at NextGen Venture Partners and a Board Member at Entrepreneurs’ Organization. His specialties include strategic planning, financial forecasting and analysis, accounting process optimization, and more.

Available_Black copy
Available_Black copy

Here’s a glimpse of what you’ll learn:

  • How Kenji Kuramoto’s background in technology and financial services helped him build his financial management firm, Acuity
  • What is a fractional CFO and how do you know if your company needs one?
  • The role part-time CFOs play in mitigating a small company’s privacy and security risks
  • A CFO’s most important responsibility when it comes to privacy and security: raising awareness
  • How to quantify a brand’s reputation based on their privacy and security measures
  • Kenji’s best privacy tip: SMS-based two-factor authentication isn’t all it’s cracked up to be

In this episode…

Do you ever wonder how your CFO impacts your company’s privacy and security? Or, if you’re a small company without a full-time CFO, are you looking for a better way to assess your privacy and security risks? If so, this episode of She Said Privacy/He Said Security is for you.

Most business owners primarily look to CTOs for their privacy and security concerns. However, did you know that CFOs can also greatly influence your business’ safety? It makes sense: CFOs are privy to a great deal of your company’s financial data and technology, which gives them insight into where you may be at risk for data breaches, ransomware attacks, and more. So, how can you ensure that your CFO is safety-savvy and ready to protect your company’s privacy and security at every turn?

In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels sit down with Kenji Kuramoto, the Founder and CEO of Acuity, to discuss how CFOs can maintain their company’s privacy and security. Listen in as Kenji talks about the value of fractional CFOs, how they can effectively mitigate your company’s security risks, and why avoiding SMS two-factor authentication is his number one privacy tip for individuals and companies. Stay tuned!

Resources Mentioned in this episode

Sponsor for this episode…

This episode is brought to you by Red Clover Advisors.

Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.

Founded by Jodi Daniels, Red Clover Advisors helps their clients comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, SaaS, ecommerce, media agencies, professional services, and financial services.

Their free guide, “How to Increase Customer Engagement in a Private World,” is available here.

You can also learn more about Red Clover Advisors by visiting their website or sending an email to info@redcloveradvisors.com.


Host (00:01):

Welcome to the, She Said Privacy. He Said Security podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century. 

Host (00:22):

Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and a certified information privacy professional, helping to provide practical privacy advice to overwhelmed companies.

Host (00:37):

Hi, Justin Daniels here I am passionate about helping companies solve complex cyber and privacy challenges during the life cycle of their business. I do that through identifying the problem and coming up with practical implementable solutions. I am a subject matter expert in cybersecurity and a business attorney at Baker Donaldson.

Host (01:00):

This episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and established customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, e-commerce media agencies, professional in financial services. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there is greater trust between companies and consumers to learn more, visit RedCloverAdvisors.com.

Host (01:35):

So before I introduce our guests today, what is today, Jodi?

Host (01:40):

Ah, yes. The day of recording it’s data, privacy day, happy data privacy day. Woo.

Host (01:45):

And this is also my first episode as a fully FAA, licensed commercial drone pilot with a, with a drone, with even a better camera to come and surveil your whereabouts during the workday. Thank you.

Host (02:00):

You can keep stocking the dock. That’s great

Host (02:03):

With that in mind. I want to introduce our guests today. So we have Kenji Cora Moto, who is the founder and CEO of Acuity, which has provided fractional CFO and accounting services for thousands of entrepreneurs and small businesses. Hello, Kenji. Hello,

Kenji (02:23):

Jody and Justin so glad you’re here. This is to, yeah. What a momentous day to be here on a national data, privacy day, Justin getting some kind of licenses. It sounds like he can go break privacy laws and spy on people with, I mean, it’s just, it’s all coming together. This is perfect. 

Host (02:41):

Everyone should have a drone pilot in their family.

Kenji (02:44):


Host (02:46):

Yeah. So I’ll spare you the five months of he’s studying every Sunday night and all this other stuff, but I’m excited. I wanted to fly an airplane like the, you know, the ones that go in the sky and Jodi was like, yeah, you’re not going to do that. So this is where we came to our marital compromise.

Kenji (03:03):

Is there a such a thing as a top gun for drone pilots? Is that something you can pursue?

Host (03:09):

Well, it’s funny, you said that because on LinkedIn, I said, move over Goose and Maverick ghost rider says the pattern is not full  – in the air I’d come maybe one day, maybe one day it’s easy to fly in certain ways near stuff, as you would think. But with the AI and whatnot, we could do a whole show, but let’s talk about yes, but we could do another. All right. So let’s talk about fractional CFO and let’s begin. So Kenji, talk to us a little bit about your interesting career path to where you are today.

Kenji (03:46):

So I guess where I started, I, I somehow in college picked accounting as a major. I’m not sure which kind of broken individuals do that, but I was one of them and I do it. I knew there was something about you that they’re like, yeah, those are so coming out of college went to go work for in the big six back in the day when there was a big six for a firm called Arthur Anderson. And if you’re of a certain age, many people, you may have heard of Arthur Anderson. If you’re not, maybe you’ve heard of them because you’re big into watching documentaries about major fraud cases. So, you know, that’s where I started my career. I was, I was not involved with any of that, but I started doing their Atlanta office working in the audit practice. And while it was a wonderful place to start a career, it was not the most riveting of, of career choices.

Kenji (04:43):

I felt. So I left about four or five years in and went to go work for a technology services company. This is right around 2000. So this was when the first big .com bubble was building. And so I had thought, Oh great, I’m going to go and help them go public. Cause if you had any kind of form of technology in the business, that’s what you did. You just naturally went public. And so I went there as their controller, which is kind of a mid tier level financial role and an accounting function. And then about a year after I was there, the old bubble burst and we weren’t going public and the mission became, how do we keep the small startup technology company from completely cratering? And our CFO took off. So I got promoted to the role of CFO as a pretty young professional, trying to keep this thing out of the ditch.

Kenji (05:38):

We managed to do that and ran that business for about four years, really enjoyed kind of the small entrepreneurial tech field. And then I found myself just with other friends of mine who were entrepreneurs or small business owners were kind of asking for things like, Hey, could you help me with financial model? Or I think I’m starting. They want to start something and it would, we’d go out and get drinks or catch up, but I’d kind of share some advice. And I was having fun doing that, kind of just moonlighting doing that, you know, getting compensated and time with friends or with a drink or dinner and thought, you know, can, this could be kind of fun actually to do something more consultative around my two backgrounds, right? So one being, having a fairly good understanding of what a, an accounting infrastructure should look like from a big global firm perspective, but how do you apply that into a smaller startup company perspective? So that’s when Acuity started, that was 2004 can’t believe, 17 years ago. And started with the very first service line that we offered was fractional CFO services. So we started looking for Atlanta entrepreneurs who were just like some of my friends who just said, Hey, I certainly don’t need you full-time but could you spare a couple hours a week, a month? It’s kind of help with this CFO role. And so that’s how we started.

Host (06:56):

And so 17 years later, you have fancy hats on, and I am aware of Arthur Anderson. I actually started my career at Deloitte for five years and then left and went into Sarbanes-Oxley implementations. That’s what was the big thing after? And I was actually just talking to someone how I don’t hear about accounting frauds anymore. So either reporting them or Sarbanes-Oxley is doing a good job of mitigating

Kenji (07:29):

There, there, there they’re certainly there there’s probably some less with, with newer controls and things like Sarbanes-Oxley our, our also maybe just our Arthur Anderson Enron one just sucked all the air out of the room and nothing you paired anything that large and everything just seems, you know.

Host (07:44):

Yeah, exactly. Super small in comparison. So talk to us more about how does a company know needs a fractional CFO and what, what does a fractional CFO do?

Kenji (07:56):

Yeah, so it can get a little confusing. And I, I think the simplest way to think about what a CFO does is that really almost everything a CFO is doing should be forward-looking. And in fact, much of accounting work we do is historic it by nature. An event happens, a transaction occurs and the accounting team goes and organizes it in a nice way and sticks it in essentially a database and out you get meaningful financial data. But a lot of that is very historic in nature. So a lot of the roles below a CFO, like a controller that I was for many years, we offer those services or bookkeeping the best way to think about those are those are activities that are kind of happening currently on your financials. Or maybe in retrospect, you’re trying to organize them to get ready for taxes. The CFO function should predominantly if not, totally be forward-looking.

Kenji (08:49):

And so you’re doing financial modeling, you’re doing forecasting, budgeting and planning. Oftentimes there’s two, if there’s a lot of external stakeholders involved in the business, the CFO will play a more external role and meeting with bankers and investors folks like that helping kind of manage the relationships with the board of directors. But yeah, I like to think of it when people were kind of confused about what, which role goes, where is that it’s really should be in a very forward-looking state. So that’s where we kind of provide, I mean, small businesses, again, that’s a function that most of them will maybe have some aspect of, Hey, I’ve got someone who’s working in QuickBooks for me, who’s keeping things organized. Is that a CFO? And we typically say, no, that’s probably not. Unless for some reason that person is also doing some excellent modeling and forecasting that help the business make some decisions about future events.

Host (09:39):

So is there a baseline or a size company? So in other words, when should someone be thinking, Oh, I really need that person. Yeah.

Kenji (09:48):

Yeah. So it tends to be somewhat industry depending on the industry, the size of the company, but also what events are happening. And so you can be traditional business, you know, you might not have much in the way of needing a CFO as you hit a few million dollars in revenue. You might just very sporadically need someone just to help you think about a budget or maybe you’re going to need some help thinking about going and getting a loan at the bank. So you might have very, only very specific needs. And you might, it may be worthwhile engaging someone just once, twice a year, every blue moon for something like that, when it starts to become more, Hey, we should probably get someone in a dedicated role and this could be full-time or it could be part-time depending on how much these events happen is we typically see that all of a sudden, either the business grows and scales dramatically from a revenue standpoint, usually the complexity follows there, or you could be a startup company.

Kenji (10:45):

And suddenly you’ve got a cap table full of a lot of investors who are expecting good, clear reporting and accountability, and maybe revenues are small, if not small, maybe non-existent, but you’re raising significant rounds of capital to where then all of a sudden having someone in there to kind of do some of that board reporting back and forth is typically where we also see businesses needing CFO’s presence ramp up a bit more. So those are a couple of different flavors. If you’re more kind of an organic growth story, I would say that by the time you’re kind of hitting four or $5 million in revenue, there’s certainly a, probably a few needs you have on a somewhat regular basis. If you are a investor backed company you’re probably gonna need it much sooner than that, just to term some of that’s determined based on the complexity and size of the, of the investor deals.

Jodi (11:33):

Super helpful. Thanks.

Host (11:35):

Awesome. I think now, Kenji, we want to take the conversation with the CFO and focus it a little bit more on this privacy and security concept and would love to get your thoughts around the CFO’s role in these earlier stage companies and how the privacy or the security issue does, or maybe doesn’t come up when it should.

Kenji (11:57):

Yeah. It’s a great question because it’s, you know, the way we view the CFO as having a role in that, certainly. But again, these are small, early stage companies and I think, you know, you’re limited in your resources for what you’re going to be able to do. You know, we’re a small business, right? We got started, you know, Jodi, I think a Red Clover, right? You get that going and you go, you just, you know, there’s not enough people to wear enough hats. We’re kind of growing into those roles. So what do you, how do you approach security and privacy? There is no full-time CFO there there’s no full-time CTO, there’s no chief privacy officer there. So how do you start implementing some of the things that someone would do in those roles in the larger company? And I think that the CFO role is certainly not the expert when it comes to security and privacy.

Kenji (12:44):

I viewed that that what a CFO can help with the most, in that case is helping think what the financial impact of a privacy or security issue is. And I think that’s important because, you know, while you’re helping quantify that risk, you can then start prioritizing the risk. You can really get a sense of, okay, go, Oh gosh, if that event does happen, the magnitude of that is much larger than the magnitude of this other risk. So we being limited in resources, we probably need to take our limited resources and apply them to where the magnitude of risk from a privacy or security issue is going to be the highest. And so I think it kind of starts there in, in, in being able to, first of all, just assess the risk so that at least the business can be aware of it. And then you have to kind of start looking for professionals or other people to help you. So that’s where the first place I like to make sure our CFO team is thinking in terms of quantifying of risks. 

Host (13:42):

Can you use a follow up to that when I’ve worked with smaller companies, usually the privacy or the security comes up in one of two instances, one, you have an event. And now as I like to say, you are reborn because if you’ve had to have, if you’ve dealt with ransomware and it shuts down your company that gets everybody’s attention. But the other one is when you want to do business with a larger enterprise who starts asking you the questions or who says, Hey, you know, Mr. Startup or small company, I like what you’re doing, but if you can’t meet my privacy or security requirements, that’s going to be a barrier for you to even get in the door, to get to that revenue in the contract.

Kenji (14:23):

Right. Absolutely. Yeah. And we see that quite a bit. I think that there’s nothing like, and it’s unfortunate when there is that, like the first thing you mentioned you a serioes of an events happened, right. Suddenly, wow, all these things like policies and procedures and proper use of tools and technology and training suddenly become important when they weren’t, because there has been an event now. And sometimes that event very clearly has a dollar denomination attached to it, which nothing like to get a business owner’s attention when, when he’s going to have to go out the door for, to deal with an issue. But also it’s more on the second part of that opportunity costs, you know, Hey, you built a business depending on who you’re working with could be a government entity could be a large scale, fortune 500. That is going to have some requirements to say, Hey, to do business with us.

Kenji (15:11):

We’re going to ask you to jump through some hoops. And that’s just the cost of doing business to where we’re going to have to go and operate in a way that shows more transparency into our processes, into how well we’re holding customer data in managing it and keeping it secure. So those do come about. And again, I think it’s, we see it across the board in different places, but in different scales, you could be a venture funded software company that is doing electronic medical records, right? For you know, state run medical centers. And you go, okay, you may not be very large, but you can just immediately think that all of the different areas of security and privacy, privacy issues around investors, HIPAA, patient lawsuits, intellectual property protection, there’s just a multitude of things there. And you might think that like the local pizza joint, right, as a small business goes, well, you know, their, their issues pale in comparison, they might in certain ways, but they’re just different right there. There’s credit card fraud. We’ve seen issues with security, you know, people the way that people have used security videos and cash that, so there’s different orders of magnitude. And it’s not always applicable to every business owner, but yeah, we see it from whoops, an event happened and it’s costing us. And then also, whoops we’re not going to get this amazing opportunity if we don’t put some things in place, depending on who the business.

Host (16:37):

So when you see those types of things and let’s take maybe those technology companies more than the, the, the pizza joint cause they’re really going to have that B2B impact a lot more. And they’re a bigger target from an external viewpoint. How are they starting to tackle privacy? And you know, so there’s these risks, the CFO’s recognizing there’s a financial consequence either to revenue, won’t get the deal signed. There’s a financial consequence to potential investment. It might not get the continued investment or there’s the financial consequence of, of a data breach. The marketing team over there might be talking about trust and brand and the impact from that standpoint. So when companies are, have these types of conversations, where what happens next and what role do you all play in those conversations?

Kenji (17:26):

Sure. Well, like I mentioned, I think first it’s the awareness and sometimes when you put a price tag on it, which again, should be accounting, financial teams should be able to help put a price tag on it that should help drive some of that awareness. Okay. Okay. We’ve got some issues here that could potentially bubble up. We need to kind of deal with them. And then I think to your point, like, what’s next, okay, great. You’ve got some of these risks. How do we go about them? And in some cases you know, you certainly look for whether there are just processes that can be deployed, you know, to go ahead and start mitigating. Some of the risks, are there just some better processes that we need to put in place? And then after processes, I mean, usually kind of maybe in conjunction with process and we start talking about certain systems, do we need some external tools that are going to help mitigate risk and some things around there.

Kenji (18:16):

And then oftentimes once we’ve kind of, I won’t say exhausted, but maybe put forth great effort on the process side, the system side, then you may be looking at from an insurance standpoint, where are there gaps, you know, how much can we really do as an internal organization in different software and where are we gonna need to find some places to do some gap fill because maybe we just can’t tap down every single risk. So we need to maybe look for some coverages to kind of fill in between and does that, you know, do the combination of those things, get us to a place, whether we can talk to the business owners or the investors or wherever it might be to say, Hey, that’s going to put us in a, a good enough place where we can still execute on the business and not be so worried about either the likelihood of huge expense exposure or the huge loss of revenue.

Kenji (19:04):

And then that’s going to needs to be reviewed and updated on a regular basis, going back and assessing those risks. And so that’s, that’s usually the way that we typically go about it. In many of those places, when it comes to processes and systems, we’re not the experts we would, I’d be, you know, calling Jodi or Justin going, Hey, what do you guys think from this? Here’s something from a HIPAA perspective, that’s outside of our league, what would you recommend? But someone and usually a good place to start is the accounting financial team. They typically tend to be a little bit more process oriented, a little bit more risk attuned is a good place to start that. But then oftentimes you need to bring in those other experts to help build that, build that entire risk mitigation profile in place for the company.

Host (19:45):

So Kenji you mentioned the issue of insurance because I find in most smaller companies from a cyber perspective, the CFO is intimately involved in that because that’s for many companies, smaller ones they use, I like to say they use cyber insurance as a panacea and not a tool in risk mitigation. My question is obviously there’s data out there about cyber breaches and whatnot, but a lot of things that Jody always talks about as I do as well, is about the reputation of the brand. And I’ve been in conversation where people will, Justin, how do I put a, put a figure? How do I quantitatively evaluate that? And I don’t always have a good answer. And I’d love to get your perspective because there is that trust of brands we’re seeing what Apple just came out with. With there are no iOS for privacy and Facebook and others, but for smaller companies love to get your perspective on how do you quantify this elusive concept of the reputation of your brand from a privacy and security perspective.

Kenji (20:45):

It’s whenever a client of says, Hey, we need some help measuring or doing ROI on things like marketing or branding, right? It it’s, it’s a challenge. I mean, it’s a, it’s kind of an interesting challenge, right? That’s sometimes very interesting projects, but it’s also difficult and there’s usually some ranges of possibilities or ways to approach that. You know, again, I think there’s one of the ways that I think sometimes can be a little more resonant with clients, even though these are perfect is in thinking about clients who are going to maybe run through an RFP process or have a very competitive process when it comes to acquiring clients. And, you know, we know that we’re going to be one of three vendors looked at here or however many. And in certain cases we can say, gosh, well, we can start looking at what the cost of acquiring a client is.

Kenji (21:34):

And any time that maybe someone has a better brand than we do, and from the sense of whatever it might be. And maybe in this case, it would be in reputation because they didn’t have a breach. Now we got, Oh my gosh, we had a breach. That’s probably going to affect our close rate when we’re going competitively against these other firms that haven’t, and you can start actually, if you’re doing, it’s going to impact your closing rate of how many deals you close and you can estimate that to some extent you can actually start working into, well, gosh, if our close rate goes down, then what that’s really telling you as a business is the cost to acquire a new customer, just went up, just got more expensive for you. And so, you know, can you specifically say that because of the reputation image of our brand, that we know that it had an 18% impact?

Kenji (22:20):

Probably not exactly, but you can probably start working through those and getting at least in mind of going, okay, where do we have to protect reputation enough to where we just can’t keep losing out, see these other, other competitors of ours. And that may be a way to approach it from I use it like doing that with, with entrepreneurs. It’s a little bit more of an I think a positive or a way to look at it and going, okay, we, we want to close more deals more than our reputation higher. We want to improve that close rate of an acquisition of new businesses. The other way you can go at it. And that’s a bit more of the carrot approach. You can go the stick approach, right? If you want to go well, Hey, let’s take a look at what this has cost other businesses.

Kenji (22:59):

Who’ve had a reputation hit because of privacy issues or lawsuits. And you can dig around a little bit and talk to some of your favorite lawyer friends, right? And say, Hey, can you give me some insights on what you’ve seen the typical cost for someone to go defend this type of legal action if it comes up and that’s a bit more of the stick approach, you know, but you can kind of use those as a little bit of some ways to quantify and get at least some dollars in mind of either lost revenue again, or the expense. If again, that brand reputation takes a hit, but it’s still a little bit some there’s going to be some art in that. Anytime we always say there’s marketing and branding, and there they’re a little bit of arts not purely science on quantifying that ROI.

Host (23:41):

I think that makes a lot of sense. You’ve you mentioned something that’s really interesting to me, the carrot and the stick. So there’s going to be more privacy laws coming, more security breaches. And I’m very curious to know when you’re talking with companies, do people gravitate, just, just kind of your sample size of those that you’ve worked with over the years? Do they gravitate more to the stick or the carrot?

Kenji (24:08):

I think ours go more for the caring. I mean, these are, we’re dealing with entrepreneurs who are, who started something and their stars are in their eyes and they are just going, going, going. They tend to be more of a ask for forgiveness. So I think they’d have a natural bend and lean toward, you know I’ll deal with that risk if it pops out and they’re looking for, how do I take down more business – How do I grow, grow, grow? And so yeah, I think that’s where most of have a proclivity in that direction is they’re already thinking they don’t usually need a whole lot of stimulation around the opportunity. They sometimes need to go, Hey, time out a little bit here again. I know I’m playing the CFO wet blanket, the person that says no, but someone in the organization needs to be talking about some of the discipline we have to where we do need to be cognizant of, you know, new things coming out.

Kenji (24:57):

Have you seen, I’ll give you a good example of this one is I think a lot of small businesses, especially in the tech space go through, you know, probably some gray areas and they shouldn’t be greater as they’re around can- spam, right? Because how are you doing grow, grow really quick, right? We just closed our series a and we’ve got a couple million dollars and the investors all say that they want us to grow sales and marketing. So we’ve seen that very frequently as a very fast way that people love to jump in and go, well, let’s go sales and marketing. Let’s go get some lists and let’s pump it in some systems and let’s go, go, go. Right. And that is a very frequent one that we see that clients in tech companies that don’t always consider like, are we doing this in a, a way that follows some of the legislation out there and they don’t really stop and ask that it’s more like, Hey, investors said, we got to grow, we’ve got to grow sales and marketing acquire new customers. We’ll figure out that later. I don’t know if you’ve seen that thing. I know that’s a place that you work in Jod

Host (25:55):

Yeah, I see all different kinds of things. The other one that people should pay a lot of attention to is just in the United States is TCPA the texting one, which texting, supposed to continue to catapult even more people are going to want to jump on that bandwagon. And it is a polar opposite to can- spam. It is an opt in approach. So anyone listening it is opt in and there are plenty of plaintiff’s attorneys just waiting to pounce and find the companies that are not doing what they’re supposed to be. But certainly that is true across all types of marketing channels. People want to grow. And, and that’s the interesting challenge. And why I asked about the carrot versus stick approach is oftentimes what I see is it’s a lower priority, but it’s a real business risk where they’re losing deals. And so they’re losing sales. And then when there’s an issue, aside from the loss sales, you potentially have the increase costs for fines. That’s just very expensive to deal with. So that was why I was so interested to hear what you see.

Kenji (26:59):

Yeah, it’s, it’s, we we’ve always liked. It’s probably one of the reason, one of the reasons why we liked working with startups, one, me and my partner and I, and our team loves just new technology and things like that, which is great. And so many of us have worked in startups, but also because at some point usually investors come in and professional investors come in and there’s nothing like was we say all of a sudden professional investors coming in that allows the organization to quickly go, you know what time to kind of act more like professionals. So let’s get better for us in the accounting and the accounting world. It’s like, let’s get better revenue recognition policies, gap based financials. But we tend to see other places too, where they say, Hey, let’s go and let’s go and fix some other risks here. That in certain cases, it’s, it’s been a little harder to get the self-made entrepreneur. Who’s the only person on the cap table to really make a move on that when they’re pulling down a lot of money each year and they’re like, yeah, things are fine. It’s hard to sometimes get them motivated.

Host (27:56):

It’s funny you say that Kenji, because I’ve spoken to at investor events where they bring, brought me in to do a tabletop or speak about cyber and from a professional investor standpoint, I’ve had them tell me, yeah, that’s about 10th or 12th on our list. So there’s obviously an education gap there as well. Cause in the series, A I’m worried about keeping the lights on and growing revenue. Justin I’ll deal with this problem. The challenge comes is if they get the problem, it could wipe out the entire business. Cause I’ve seen that as well. But I would like before we ask you a personal question to say, okay, when you guys think of this carrot and stick, I’m thinking about chocolate and peanut butter in the Reese’s peanut butter cup. And I’m thinking it’s more of a chocolate. That’s how I’m thinking about this approach now because it just, I have the Reese’s peanut butter cup in my mind.

Host (28:45):

See, I have some of that because it chocolate covered broccoli. They, everyone wants chocolate. They don’t want broccoli. You have to eat more broccoli. So give them, give them their chocolate, but then cover it in broccoli. Yeah. Got to dress it up somewhere,

Host (28:59):

Thinking this’ll be your set Red Clover with the chocolate covered broccoli anyway. So Kenji would love to get your perspective as a business owner who also advises small businesses as well as do you have a best personal privacy tip?

Kenji (29:18):

I’ll just share one that I’ve been doing more and more of these days, it’s around two factor authentication. And he is really trying to move away from some of the text-based. I think two factor authentication is great. I’m not crazy about some of the SMS space or text-based, because we’ve had some problems with that and have started really using more of some of the authentication tools, Google authenticator, things that are a little more secure, just because, you know, I think you can realize depending on what kind of device you’re using, your, you can get your SMS, text messages coming in on your computer. And so in some cases you lose your computer, someone gets access to it. You know, the two factor authentication doesn’t really work that well because they’re also giving the authentication. We’ve actually had, we do a lot of work in crypto which is a whole other ball of wax, which we should have you should, if you ever want to get to that, to have my business partner on is the real expert.

Kenji (30:12):

But we’ve had some issues where we’ve been targeted with SMS attacks to us. Because these crypto companies can sit on a lot of currency that can disappear quickly. And we’ve seen that. I think people think that, Oh, I’m getting a text message, which means it’s secure. And if you don’t understand the full process that people can go actually go and take over a phone account. And maybe not everyone going through that. But I would say that we’ve seen more and more sophisticated hacks around that where I think people just assume that text-based two factor is the gold standard. And I think there’s some better approaches out there that are actually pretty easy despite adding on your phone or your Google authenticator, which we’re starting to see more and more than I think some of the better software requiring that as the standard versus some of the tools, that’s a relatively easy one that people can add that doesn’t add much complexity in their day. So yeah,

Host (31:11):

It’s a great recommendation. I use Authy and really enjoy it. What’s nice about Authy is it can be on your computer or your phone and they’re in sync. Which is,

Host (31:19):

Which is great. It is nice. Yeah. So

Host (31:21):

When you’re not using two factor authentication and not advising people what do you like to do for fun?

Kenji (31:30):

Well you know, let’s see, what do I like to do for fun? I think the, my most recently the thing I’ve been doing, I think everyone’s got their COVID hobbies, right? So, or something they’re doing there. Mine has been a little funky and then I started brewing my own beer. I know lots of people were doing making their own bread and things like that. I thought, well, how about the liquid version of bread? And so, yeah, I’ve been brewing my own beer. So the basement and unused portion of the basements turned a little bit into my old brewery area. Yeah. I’m on batch number. I think 11 now I’m getting better slowly. So I still waste these beverages on friends of mine. And some of them are, you know, good enough friends that tell me the actual truth.

Kenji (32:18):

Some of them kind of go, Oh, it’s great. And probably dump it out, you know, as soon as I leave, but it’s actually been kind of fun. It’s been something that I’ve enjoyed doing, takes up a takes a little bit of time, but it’s been actually the most fun part about it has been whether they’re friends, the neighborhood or other friends on sometimes just go surprise and be like, leave a couple bottles on their doorstep or stick them in their garage. Like, Hey, go check on your work bench. I put a couple of bottles out there. You know, this is not a great beer, mind you, but I think it’s been kind of fun. Like you feel like you’re leaving little gifts and people get a kick out of it. So that’s been kind of my fun thing I’ve been doing more recently. We’ll see if that continues to go at the pace it has been. I don’t know if there’s going to be a brewery in my future. I don’t think so. It’s been, it’s only been up on pastime or I’m at home more often these days, so.

Host (33:06):

Excellent. Well, can you, where can people find you and connect and learn more?

Kenji (33:12):

Sure. you can find me on Twitter. You can reach out to me there. It just Kenji Kuramoto there’s my Twitter handle. You can connect with me over on our website, which is just acuity.co. So not.com, but just acuity.co. You can find me there and love talking to other small business owners. So feel free to reach out if you have any questions.

Host (33:33):

Wonderful. Well, thank you so much. It was great to have you

Host (33:36):

Thanks for listening to the, She said Privacy. He Said Security Podcast. If you haven’t already be sure to click, subscribe, to get future episodes and check us out on LinkedIn. See you next time.

Alex Rayter

Alex Rayter is the Principal of Phoenix 2.0, a full-service IT consulting and management firm that provides daily IT management and support to Bay Area organizations of all sizes. Phoenix 2.0 helps its clients boost efficiency and profitability by leveraging technology for business outcomes.

In addition to this, Alex also has a great deal of volunteer experience with organizations such as Operation ELF, Hebrew Free Loan of San Francisco, and the Jewish Community Federation of San Francisco, the Peninsula, Marin, and Sonoma Counties.

Available_Black copy
Available_Black copy

Here’s a glimpse of what you’ll learn:

  • Alex Rayter discusses his background in corporate IP and how he started his IT consulting firm
  • What the SolarWinds breach means for your business’ data privacy and cybersecurity
  • How working from home has impacted security and privacy risks for small businesses
  • Alex’s strategies for sharing privacy and security concerns with executives
  • The importance of creating adequate IT documentation for your business—and why you should build a network diagram
  • Alex shares his top cybersecurity tip for listeners

In this episode…

Do you know how data flows through your organization? Do you have adequate IT documentation for your business? If you don’t feel confident about the answer, it may be time to build a more effective IT infrastructure that will protect your business from dangerous privacy and security risks.

Lacking a clear understanding of your organization’s IT infrastructure doesn’t just inhibit your business’ growth and productivity—it actually poses very real risks to your data privacy and cybersecurity. However, according to Alex Rayter, problematic infrastructure can be remedied in a few different ways—and his IT consulting and management company, Phoenix 2.0, can help you implement all of them. So, how can you start applying Alex’s privacy and security strategies to your business today?

In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels sit down with Alex Rayter, the Principal of Phoenix 2.0, to discuss the importance of well-functioning IT infrastructure. Listen in as Alex shares his perspective on the SolarWinds breach, his tips for communicating with executives about privacy and security risks, and the secret to building an effective network diagram for your business. Stay tuned!

Resources Mentioned in this episode

Sponsor for this episode…

This episode is brought to you by Red Clover Advisors.

Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.

Founded by Jodi Daniels, Red Clover Advisors helps their clients comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, SaaS, ecommerce, media agencies, professional services, and financial services.

Their free guide, “How to Increase Customer Engagement in a Private World,” is available here.

You can also learn more about Red Clover Advisors by visiting their website or sending an email to info@redcloveradvisors.com.



Kelly GearyKelly Geary is the National Practice Leader and the Executive Risk & Cyber/Professional Services Claims & Coverage Leader at EPIC Insurance Brokers & Consultants. In this position, Kelly leads cyber and executive risk initiatives, monitors legal changes that increase organizational risks, and offers risk management counseling and claims advocacy.

Kelly is also the Managing Principal, US Cyber Practice Leader, and Coverage and Claims Counsel Leader at Tysers (formerly Integro USA), an insurance brokerage that is focused on global risk management.

Available_Black copy
Available_Black copy

Here’s a glimpse of what you’ll learn:

  • Kelly Geary talks about her extensive experience in the world of cyber insurance
  • What kind of cyber insurance coverage does your business need?
  • Kelly reveals how cyber insurance policies have evolved to address ransomware risks
  • How cyber insurance policies interconnect with preexisting business insurance policies
  • Kelly discusses cyber insurance policies that cover violations of privacy laws in addition to data breaches
  • Why obtaining cyber insurance is more than just checking a box
  • How often should your company re-evaluate its cyber insurance coverage?
  • Kelly shares her best cyber insurance tips for both individuals and organizations

In this episode…

Most business owners know that they need business insurance in order to protect their organization. But, did you know that obtaining cyber insurance is just as important for your company’s safety and security?

Cyber insurance is an essential part of protecting your organization from privacy and security risks. However, obtaining cyber insurance is much more than just checking a box. Both cyber risks and cyber insurance policies are evolving at a rapid pace—so how do you know which insurer and coverage will be the best fit for your business? Thankfully, Kelly Geary, a cyber insurance expert, has a few best practices for identifying and implementing the right cyber insurance policies for your company’s privacy and security needs.

In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels sit down with Kelly Geary, the National Practice Leader and the Executive Risk & Cyber/Professional Services Claims & Coverage Leader at EPIC Insurance Brokers & Consultants. Listen in as Kelly talks about the different types of cyber insurance, what kind of coverage your company needs, and the important steps to take after obtaining cyber insurance for your business. Stay tuned!

Resources Mentioned in this episode

Sponsor for this episode…

This episode is brought to you by Red Clover Advisors.

Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.

Founded by Jodi Daniels, Red Clover Advisors helps their clients comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, SaaS, ecommerce, media agencies, professional services, and financial services.

Their free guide, “How to Increase Customer Engagement in a Private World,” is available here.

You can also learn more about Red Clover Advisors by visiting their website or sending an email to info@redcloveradvisors.com.


Host (00:01):

Welcome to the, She said Privacy. He said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century. 

Host (00:21):

Hi, Jodi Daniels, here, I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and a certified information, privacy professional, and I help provide practical privacy support to overwhelmed companies.

Host (00:37):

Hi, Justin Daniels here, otherwise known as Jodi Daniel’s husband. I am passionate about helping companies solve complex cyber and privacy challenges during the life cycle of their business. I do that through helping them identify the problem and coming up with creative practical solutions. I am a subject matter expert in cybersecurity and business attorney.

Host (01:06):

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, e-commerce media agencies, professional services, and financial services. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there is greater trust between companies and consumers to learn more, visit redcloveradvisors.com. So Justin, who do we have with us today?

Host (01:45):

Well, today I’m particularly excited because we’re going to make the topic of cyber security, insurance fun. And I almost feel like in light of what’s going on, it’s almost like the ransomware grinch is stealing Christmas as we speak with all that’s going on. So today we have with us Kelly Geary, the national practice leader for executive risk and cybersecurity for EPIC Insurance Brokers and Consultants. Welcome Kelly.

Kelly (02:16):

Thank you, Justin and Jodi.

Host (02:16)
Hi Kelly. It’s so good to have you here. And this is really such an important topic. I have people all the time saying, Oh, well, I have cyber insurance. I’m good. I’ve checked the box. I’m, I’m all set. I, I did that thing that someone said I should do, and then they never think about it again. So this is going to be a fun, fun conversation. But before we dive in to that, help us understand how did you come to the world of cyber insurance? 

Kelly (2:51)
Oh, that is a great, great question. Thank you. So I’ve been involved in cyber insurance, probably since about 2005. Cyber insurance, the first cyber insurance

Kelly (03:00):

Policy was written by AIG in 1998, but cyber insurance, as we know, it really started to sort of become a thing back in sort of like the mid 2,000’s And I was on the carrier side at the time heading up a claims department for professional and specialty lines. And we were, I was charged with basically figuring it out and, you know, trying to start to draft a product back then. So it was that’s, that’s how long it, and it’s evolved quite a bit since then

Host (03:34):

I have to imagine the people in 2005 would probably look at someone and say, cyber insurance, what, what, what is that sort of the deer in headlights kind of look,

Kelly (03:46):

That is correct. That is correct. Back then. I think really most, most of the purchasers of cyber insurance were very, very large companies, mostly tech companies. And you know, so it really hasn’t hit mainstream America really until very recently because cyber crime has really run rampant in the last say five to 10 years, 

Host (04:12):


Host (04:15):

So Kelly, I thought you and I would dive in cause you and I have had many conversations on a variety of topics, but let’s start with, why do companies overwhelmingly have such a hard time getting the right types of coverages when it comes to cyber?

Kelly (04:30):

That is the question of the day, right? I mean, cyber is a very dynamic risk. And I think that that is part of the challenge for everyone, really the insurance industry, as well as purchasers of insurance the cyber cyber risk itself has changed and continues to change very, very rapidly. And the insurance market has tried to keep pace with that. And as a result, the policies themselves are, are very, very long. They’re very complicated and it’s, it’s really still considered a pretty immature product. You know, it’s not like a property policy or an, an error’s and omission’s policy. Something that companies are really very used to and accustomed to and have had in their insurance portfolios for very, you know, for many, many years and understand how it works. Cyber insurance policies you know, probably are updated every 18 to 24 months. So the coverages are different. They, no two policies are exactly alike. Terminology is different. Scope of coverage is different, claim handling services and pre-brief services. All of that is completely different. You know, like I said, you could pick up five different policies and it could be all different.

Host (05:47):

So I’m curious as a business owner, I would ask, well, which one do I need and how do I sort through them all? So one is kind of, you know, what advice do you have for people and what, what should I be looking for? Or, you know, someone from any company, what should they be looking for? And then why, why is it so different? Why if you pick up many different policies, are there multiple different versions?

Kelly (06:13):

And I think the answer to the, to that question really is that the market is still relatively immature. Number one. So you don’t have standardization yet. And I don’t know for sure whether or not we’ll ever get to that point of standardization. You know, and an example of that is, you know, what I consider to be the heart and soul of any cyber insurance policy is the definition of computer network or computer system, because that’s really where all of the coverage flows from. Some policies will define that term as some, in some policies will be computer system and some policies that’ll just be network and some policies they don’t define the term. You know, it really is, is pretty much all over the map. And so that, that is a real challenge for business owners. You know, in terms of how, you know, you’re getting the right coverage and what coverage is right for you. You know, that is something that you really is a very sort of customized, in my opinion, a customized kind of of an approach, I guess, for business owners. You know, what we do with our clients is really look at, at the size of the client the nature of the business, and then try to look at the market from the standpoint of what is right for you and what really is important for you from a protection standpoint. 

Host (07:39):

So Kelly, I wanted to kind of dive into a little more detail of a comment you made about how the policies evolve. And let’s talk a little bit about ransomware and the recent OFAC advisory about potential criminal prosecution. If you pay the ransom to somebody who’s on this exclusion list and the office of foreign asset control and what that might mean for how ransomware coverage may start working as early as next year.

Kelly (08:09):

So, so OFAC, I mean, the, the, this is not a surprising move by the us government to start to try to address ransomware. I, you know, how that’s going to impact the cyber insurance market is still a little bit of an unknown. We have seen the insurance market respond by some, you know, enhanced underwriting specifically around you know, controls and networks security and, you know, business continuity plans specific to ransomware. So you’re starting to see that from underwriters, from cyber underwriters in terms of the coverage itself. And obviously Justin, you know, this, that, you know, if, if you are hit with a ransomware attack and the entity or the ransomware variant is on the OFAC list the insurance company is not legally able to pay the ransom on your behalf is not legally able to reimburse you even for a payment. So that is the position that a number of the carriers have already taken. In some instances we are sort of seeing some sub limits being added to cyber extortion coverage as well. So we’re definitely, you know, the markets are being impacted and we expect the coverage will, will certainly be impacted in the not too distant future.

Host (09:39):

I think that would be helpful. So let’s take one of those situations. If a company pays a ransom, that particular amount won’t be covered, what should they expect to be covered? What are the, you know, if they enter into this ransomware situation or they they’ve, they’ve been forced to enter into this ransomware situation, what, what can they expect their coverage to help them with?

Kelly (10:02):

And, and that’s a good point because there is a lot of coverage that exists in a comprehensive standalone cyber insurance policy that can still provide a lot of protection and assistance for policy holders you know, incident response services. So, you know, you will get when the ransomware incident hits, you will get coverage associated with computer forensics public relations in the event that the organization feels that it would be helpful to engage a PR firm to help mitigate any potential negative press that might, you know, come from the event. There will be legal fees. Like, you know, I know Justin does, does a lot of this you know, helping, helping the entity sort of manage through the process and, you know, grapple with you know, the compliance requirements, do they have to notify their clients? Do they have to notify employees? All of that is all covered and will continue to be covered by the insurance policy. The other thing that is important and is covered would be business interruption loss. So if the ransomware attack shuts the business down for 10 days or five days before they can sort of get back up and running from you know, from backups or however, they, they are able to manage through the process, given that they can’t pay the ransom. The business interruption business income loss will be covered as well.

Host (11:35):

And considering those, we also have a variety of other insurances, right? I might have business insurance and a variety of other insurances. So how do those interconnect is there, you know, if do I have to worry about one insurance over the other one overlapping, or if I, if I have a situation, do I just dive right into my cyber insurance first?

Kelly (12:00):

You know, that is something I think the, the insurance market as a whole is trying to address right now. Many of the traditional insurance products that are out there do have some cyber related coverage, whether it’s silent. Maybe you have a property policy that has business interruption, loss coverage, and it doesn’t specifically exclude cyber perils that may trigger. You may have an errors and omissions policy that has some affirmative cyber in it that may trigger during an incident. So your point is a really good one. One of the things that we encourage our clients to do when there is an incident is to really look at all of your insurance policies in your portfolio and try to determine you know, which ones may have some coverage, which ones may trigger. Our suggestion always is to have the cyber go first.

Kelly (13:00):

You know, we try to coordinate that upfront at the very outset and, and affirmatively state that the, that the cyber policy will go first simply because the cyber claims professionals, that’s what they do all day long. And you want someone who knows how to deal with these incidents dealing with them upfront. You don’t want your property claims professional, trying to sort of manage through it where they see it every once in a while. And you know, it’s a different dynamic. So you really want that claim handling professional on the cyber to, to respond first.

Host (13:35):

And I’m just going to keep talking. So Justin, you might be able to get a word in edgewise, but I have another question.

Host (13:42):

If you want to ask another question, go ahead. It’s just, I’m used to this. So keep going.

Host (13:49):

Is there a Benefit to having your insurance all with one company or, you know, someone might start with business insurance at one company and then maybe they decide, Oh, I guess I should get some cyber insurance, but I’ll go to this other one. Cause it was less money. And I think that’s a risk. I don’t really need to worry about as much. I I’ve talked to business owners and companies, and that’s often how they view different types of insurances. So can you talk to us a little bit about the advantage of having one company manage all your insurances?

Kelly (14:21):

I mean, I think if you have one carrier that is issuing all of the insurance products in your portfolio you, it, it could be an advantage in that, you know, it’s a streamlined situation. You don’t have a situation where two carriers are sort of pointing at each other, if both policies are triggered. I think one of the challenges and one of the things that you will see a lot of these major carriers do is in the event that they have issued, say five policies to one entity a cyber policy, a property, and, you know, an ENO policy, they may add what is called a non stacking endorsement to that, which sort of contains their exposure. So if they, if, if they issued five policies to you, they don’t, they may not want to extend themselves to all of those limits. So if you have one incident that triggers multiple policies, they may actually add a non stacking or an anti stacking endorsement to their policy that says, if this happens and all of these policies do trigger, we’re only going to give you one of those limits.

Kelly (15:29):

So let’s say you have five, you have a million dollar limit on each policy. They may say if all of these policies trigger, you only get one, $1 million in coverage for this incident. Careful, because those are sometimes built into the policy form. Sometimes those provisions will be built into the policy form and you won’t even realize it’s there and other times it will be added affirmatively.

Host (15:57):
So it seems like making sure you’ve reviewed all these with someone who knows what they’re talking about at the beginning. It’s going to be really important. 

Kelly (16:02):
Yes. Very important.

Host (16:06):

Okay. Well, I’m going to have some fun because Kelly, let’s talk a little bit about the insurance policies when it comes to coverage for potential violations of privacy laws that are not a data breach. I think that’s an interesting as to how would coverage work in that instance?

Kelly (16:26):

That is like one of my favorite topics, Justin, I think you probably know that already. So, so going back to 2005, when I started you know, when I was, I was mentioning earlier that that’s when really we started to see cyber policies and the cyber insurance market start to evolve. That was right around the time when breach notification laws started to really sweep the country. Right? So we had California, the first data breach notification law was I think, 2002, 2003. And then you had a number of States that sort of followed in lockstep behind now we have all 50 States that have breached notification laws. The cyber market, the cyber insurance market really grew up around the concept of breach notification and to address the whole concept of breach notification and breach response. So your, your point is, is right on because that is how most of the policies were drafted. And fast forward to 2018 you had the GDPR and you had a whole host of other, the CCPA and a number of other state and foreign privacy laws that were much broader in scope than just talking about notifying customers, clients of, of breaches, right? So impose all sorts of obligations on companies relative to the collection of the data and, and consent and things of that sort. So not all cyber policies out there will respond if, if the allegation doesn’t attach to, or, or relate to an actual breach event.

Host (18:09):

But I think you’re also saying there may be policies out there that do. And so as we have this proliferation of privacy laws that we’re seeing in California, and there are other States that are contemplating passing them, the likelihood of having a violation of a privacy law that doesn’t necessarily have a breach goes up and there may be opportunities to have affirmative coverage to help you with that. But one, you have to work with someone who understands that like EPIC and two, you have to make sure you understand the details of the policy itself to know what’s covered. That’s really what I wanted to make clear for our audience that, Hey, these privacy laws are coming and there are now products out there in the insurance market, depending on your understanding and what you buy that can help you in the instances where you violated CCPA, but it didn’t necessarily rise to some type of data breach notification,

Kelly (19:03):

Right. And that is exactly right. There are there are policies, there are cyber markets out there that will provide affirmative coverage for privacy violations. Many of them, even, even those markets that will provide coverage for the broader privacy violations. Many of them will only provide coverage. If it’s a regulatory investigation, they will not provide coverage if it’s a third party action. So take, for example, BIPA in Illinois, right? You have a private right of action for the Illinois biometric protection act. Right? So if, and I think we saw, I think there’s a lawsuit recently I think against Amazon involving BIPA and, and those, you know, the private right of action around the wrongful collection of personal information, that is something that not a lot of carriers are willing to sort of stick their neck out for, in terms of coverage. And if they are typically it involves pretty detailed underwriting around your you know, your controls and your attention to privacy laws and your compliance with them before they’ll even provide the coverage and also sub limits of coverage. So be very careful about that distinction between coverage for the privacy violation if, if the action is brought by a regulator versus privacy, you know, broad privacy coverage, if it’s brought by a third party individual. 

Host (20:43)
And so then the other question I have is kind of related to, you know, some companies might have a violation a little bit more unknowingly. They didn’t know about a particular piece, or they did their best effort, but still something happened compared to the company who knew, but opted not to do the coverages  – distinguish between those scenarios

Kelly (21:06):

They do in that almost all. I mean, I think all I can probably say all policies have what is often referred to as an intentional act exclusion which typically will include knowing violation of a law. So if you knowingly avoid a law, you know, that you have to, you know, get consent from various individuals, your employees, for example, if you’re going to collect their biometric data and you just say, you know what, it’s going to be too much of a big deal for me. It’s going to cost too much. It’s going to be a pain in the neck. I’m not going to do it. And then you are sued for that. You know, depending on the circumstance and depending on the policy language, your policy could potentially exclude coverage for that based on the fact that if you had senior executives at that organization that knowingly violated the law those policies will not, not likely cover that.

Host (22:07):

Got it. So on the same theme of a company doing their best efforts when it comes to cyber insurance, I buy it. Am I good? Am I done? I don’t have to do anything else, or are there elements I need to do to maintain a strong program within to make sure that I still can, you know, in other words, is it, I bought the insurance. I’m good. I file it away. I can do whatever I want to in the company. Or do I still have to maintain certain levels of training, a certain level of a program? You know, are there elements that the insurance is basically requiring companies to do to still have that insurance be honored?

Kelly (22:47):

It’s a great question, because I think the market is, is grappling with that. It’s right now I think there are a handful of cyber markets out there that will conduct scans public scans of your network. And they’ll do it on a routine basis during the policy period. And they may send you reports and you know, this, after we conducted this scan, this is what was, you know, this is what happened and we noticed these vulnerabilities and some of those policies will require that you promptly address anything that is brought to your attention during the policy period. So if you have a policy like that there may be things that you need to affirmatively do and make sure you’re doing or you may not get coverage. If, if the incident relates back to a vulnerability that they identified and you didn’t address but not all policies are like that. So,

Host (23:46):

Kelly, it’s interesting that you bring this up because I know there’s one carrier that you and I have talked about that does exactly that. And one of the things I think it brings up the companies don’t think about is, is if the insurance company does that and gives it to the insured, there’s no attorney-client privilege that attaches to that. So if the company just decides that we’re not going to do it, we’ve got other budgetary concerns, particularly in the COVID environment, they may ignore it. And then if a breach happens and there’s litigation, those reports are fair game. And a lot of times people don’t consider that, that if they were going with that insurance company and they were going to issue those reports, I’d be telling them you need to do that through our outside counsel.

Kelly (24:30):

Right. And I think that that’s exactly our position. You know, there are more and more of the cyber carriers that are conducting these scans for underwriting purposes and, and they can do that. And they can, as long as they’re not providing the reports affirmatively without your consent. And that’s, that’s the issue. I think you and I have talked about a number of times if the company understands that they are going to, that their cyber carrier is going to run this test and they, and they say, yes, I would like to see that report. Then that’s, you know, I mean, that’s their decision. Maybe they’ve, they’ve decided they want to see what it is and they’re committed to addressing any problems. And as long as they understand the potential you know, pitfalls of that with respect to the attorney-client privilege. And, you know, I think that that’s okay.

Kelly (25:19):

What my biggest issue is when an insurance carrier does these scans and just automatically sends the report to the to the company with the quote. And I’ve had a number of our clients that, you know, when that happens, they are just taken aback and confused and like, look, I didn’t want this. So, and I think these scans and I know Justin, you, and I’ve talked about this as well as these scans are, you know, all different you know, you can run five scans on the same company on the same day and have a different results. So I’m not so sure how valuable they really are. But I do think that they could put a company in, in a worse off position legally at least than they were prior to having it, if they get it without knowing 

Host (26:17):
How often should a company, re-evaluate their coverage?

Kelly (26:21):

Annually And I say that because cyber risk, as we all know evolves at such a rapid rate. And I, you know, I can tell you that the markets you know, we see probably new amendments, you know, endorsements to policies, changes to policies, I would say every six to nine months. And if you’re not, if you don’t have a broker that is really paying attention to this and immersed in this, it’s very easy to miss something. And then you won’t have the most current version and the privacy coverage that Justin and I were talking about before is a great example of that, you know, that sort of happens in the background. The other thing that, that is a really recent change that is, was COVID driven, was the idea of your, the definition of computer system, including employee-owned devices. That was a big change in the market because everybody went remote and, you know, before that, you may have had a definition in your policy that did not include employee-owned devices, only company-owned devices.

Host (27:36):

Yeah. That raises a good point. So if you’re a company who had, you know, sign up for, for insurance a couple of years ago, you have the same coverage COVID hit, would that amendment apply retroactively to the policy I have, or only to new policies?

Kelly (27:54):

You know, some of the, some of the carriers were at least re you know, probably within the last six months or so, we’re issuing, issuing endorsements to existing policies that address that affirmatively but not all did that. So, you know, if you were not sort of paying attention to that, sort of back to your point, Jody, about, you know, I have the coverage, I check the box where I have to do anything. This would be a perfect example of, this is one of those, those times where, you know, the world changed and the work environment changed and the technology, you know, everybody started relying on their own devices and that was a big change for a lot of companies. And if they didn’t have this endorsement or if they didn’t have you know, a definition in their existing policy that encompassed employee-owned devices, whether it was phones, iPhones, or laptops, tablets and then they had a claim or an incident that related back to one of those employee-owned devices, they would not have coverage.

Host (29:04):

Yeah. That’s an important takeaway. I think that everyone needs to make sure if they haven’t already done is to go back and identify your carrier and your coverage and determine are you in scope or has that endorsement followed you or not? Yes.

Host (29:19):

By the same token, Jody, when we talk about ransomware coverage, there’s a huge difference between the coverage where the insurance company pays the ransom versus they reimburse a company or the insured for having paid the ransom because a lot of companies may not have Bitcoin or whatnot lying around. And in the ransomware coverage, did the coverage include access, a ransom negotiator who can comply with OFAC. These are the kind of nuanced details that are now becoming really important because as we sit today, ransomware is now rampant in the marketplace right now. So all the insurance companies are getting flooded with claims and now is when people find out what the nuanced details of these coverage that have a dramatic impact on how they address these problems really works because so many brokers that they work with are not immersed in cyber. And do not understand any of this, unlike someone like Kelly who’s part of her job is she understands how the actual policy works inside and out. And that’s part of the value of what EPIC brings to the table is her expertise.

Host (30:29):

Well, thank you. So, Kelly, what would be some of the best tips that you would offer individuals and companies? So you can kind of pick the cyber insurance tips for companies and maybe something, just knowing what you know, in, in dealing with this all day, what do you do in your, in your personal world to make sure that your data is protected? 

Kelly (30:53):

So I think from the, you know, for companies, from my advice for companies would be you know, almost to what you had said before Jody is, you know, you can’t really buy an insurance cyber insurance policy and check the box and sort of walk away from it. It is it is the risk itself is a very dynamic risk. It changes constantly. You need your coverage to keep pace with those changes in risk. Or you will find yourself in a, in a very unfortunate situation where you have an incident that is not covered by your policy. And that’s whether it’s cyber crime or, you know, to Justin’s point privacy related. So I would say that, you know, it’s definitely one of those, one of those insurance products is I know insurance is not fun, but it’s one of those insurance products that you sort of have to stay on top of.

Kelly (31:46):

For individual, it’s interesting, you know, the market for personal cyber coverage is so small still it’s about 500 million in gross written premium. You know, whereas the, the market for commercial lines is probably between five and 7 billion. But the personal lines market is growing a bit. So there are products out there that you can get typically added on to a homeowner’s policy or some sort of umbrella policy for personal protection for for cyber incidents at your home. But one of the best tips I got was I went to a conference a couple of years ago where Frank Abagnale the Guy from Catch Me if you Can was speaking. And he was really, and his best tip was when you’re using your debit card, your bank card, right.

Kelly (32:45):

That if you’re making a purchase, you should always make a purchase as credit, because then you don’t have to worry about if, if you had a you know, somebody kind of stole your, your your credit card or your information, the bank automatic, the debit card, it automatically comes out of your account. And then you have to fight with your bank that could take months to get your hundred dollars back. Whereas if it was a credit purchase the onus is on the merchant, right? So they just automatically we’ll, we’ll give you the a hundred back and say the merchant was at fault. So I always do that. 

Host (33:26):

That’s a really great tip. I had not heard that. Wow. Gold. So that was good. Well, Kelly, it’s been wonderful to have you, we could talk about this topic for hours, especially when people are saddened, when they don’t realize when they realize they don’t have the coverage that they thought you forgot the fun. I did forget a question. I forgot. You know what? We need to have some fun Kelly off topic from our cyber insurance world. What do you like to do for fun?

Kelly | Host (33:55):

Oh, Oh, so you’re going to make fun of me. So I bought a Peloton right before COVID hit. It really had, it was totally before COVID, but it was maybe in February, we got it delivered. I love it. I have a favorite instructor. We’re Peloton people. Also, ours is now two and a half years old. So we were very fortunate where we I guess now we have an old bike though. So you do, you got to get this cool screen. The flip screen, my husband thinks I’m crazy. He’s like, we just bought this bike. Do you have a favorite instructors? I like Robin. Of course she’s the sort of main one. And I like Hannah. And who else do I like? Jess Sims. Very good. Well, maybe we can have like a cyber privacy tag hashtag yeah, we should do that.

Host | Kelly (34:56):

Well, it has been fun Kelly to have you here. How can people find you? If you go to the EPIC website you can certainly find my contact information there or I’m on LinkedIn. Well, wonderful. Well, Kelly, thank you again so much for sharing so much value and helpful information when it comes to cyber insurance. We really appreciate it. Thank you for having me.

Host (35:32):

Thanks for listening to the, she said privacy. He said security podcast. If you haven’t already be sure to click, subscribe, to get future episodes and check us out on LinkedIn. See you next time.


Hanno Ekdahl

Hanno Ekdahl is the Founder and CEO of Idenhaus Consulting, a cybersecurity and identity management company based in Atlanta, Georgia. Idenhaus Consulting helps clients implement security solutions to reduce the risk of security breaches, eliminate audit findings, enhance regulatory compliance, and safeguard sensitive information.

Hanno is also currently a Member of the Forbes Technology Council, the Harvard Business Review Advisory Council, and the Tech CEO Research Circle at Gartner. His many professional specialties include identity and access management, IT strategy, risk assessments, and more.

Available_Black copy
Available_Black copy

Here’s a glimpse of what you’ll learn:

  • Hanno Ekdahl talks about his background in identity and access management (IAM) and cybersecurity
  • What is IAM, and why is it relevant to your company’s security and privacy?
  • Hanno discusses how IAM has evolved in response to the increase in remote work
  • The types of technology and software that are behind IAM and where the industry is heading in 2021 and beyond
  • How should small businesses leverage IAM services?
  • Hanno’s number one piece of privacy and security advice: don’t click the link!

In this episode…

Do you want to know how to better protect both your employees and your customers from security breaches? Are you looking to implement more effective security solutions at your company, but don’t quite know where to start? If so, this episode is for you.

Identity and access management (IAM) is a privacy and security solution that collects data on users in order to determine what parts of a database, network, or website they should be authorized to access. In other words, IAM is concerned with implementing effective security measures to ensure that a user doesn’t see—or alter—information that is outside of their security clearance. So, what do you need to know about the world of IAM in order to maintain your company’s security and privacy?

In this episode of She Said Privacy/He Said Security, Justin and Jodi Daniels sit down with Hanno Ekdahl, the Founder and CEO of Idenhaus Consulting, to discuss his insights into the identity and access management (IAM) industry. Listen in as Hanno explains what IAM is, how it affects your company’s data privacy and cybersecurity, and what you can do to improve your personal and professional privacy today. Stay tuned for more!

Resources Mentioned in this episode

Sponsor for this episode…

This episode is brought to you by Red Clover Advisors.

Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.

Founded by Jodi Daniels, Red Clover Advisors helps their clients comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, SaaS, ecommerce, media agencies, professional services, and financial services.

Their free guide, “How to Increase Customer Engagement in a Private World,” is available here.

You can also learn more about Red Clover Advisors by visiting their website or sending an email to info@redcloveradvisors.com.


Host (00:01):

Welcome to The She said Privacy, He said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Host (00:21):

Hi Jodi Daniels here, I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and a certified informational privacy professional. And I help provide practical privacy support to overwhelmed companies.

Host (00:38):

Hi, Justin Daniels here I am passionate about helping companies solve complex cyber and privacy challenges during the life cycle of their business. I do that through identifying the problem and coming up with practical implementable solutions. I am a cyber security subject matter expert and business attorney.

Host (01:00):

This episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, e-commerce, media agencies, professional and financial services. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there is greater trust between companies and consumers to learn more, visit redcloveradvisors.com.

Host (01:35):

All right, and now let’s introduce our guest. We’re excited to talk identity access management today and we have with us today Hanno Ekdahl who is the founder and CEO of Iden Haus Consulting, which specializes in you guessed it – identity access management and cybersecurity services based here in the good old ATL. Hello Hanno. 

Hanno Ekdahl (1:47):
Hi Justin. Hi Jody. Thanks for having me. I appreciate it. Looking forward to having a good conversation about identity and access management and its impact on businesses, how it can help.

Host (2:00):
Well, I have a question right off. Are you Hanno? How did we verify that you are, who you say you are? Are you a deep fake on that screen?

Hanno Ekdahl  (2:07):
I had to fingerprint authenticate to my phone in order to get on the camera. So you got some biometrics going for us today.

Host (02:29):

Good to hear. Well, we’re so glad that you’re here. Thanks for spending some time, you know, it would be great if you can kind of help explain how did you get started in, in, into this world of identity access management?

Hanno Ekdahl (02:43):

Sure. So I started off, I’ve always had a fascination with technology and computers did a lot of computer programming when I was a teenager. And also sort of had an interest in business. You know, I was selling my comic books. I came up with all these ways to make money. You know, you had to like the lemonade stand type of thing when you’re growing up. So my background is in applied math, computer science, and I got an MBA married the two together and really found that I enjoyed solving business problems with technology. So I think a lot of folks look at technology as this independent thing, but the most interesting part about it is actually can help solve problems if you link it to the business correctly. One of the biggest pain points is that IT systems aren’t implemented in a way that’s truly aligned with what the business needs, whether it’s from a security perspective or functionality perspective. And so we help bridge that gap. And that’s what got me into identity and access management and cybersecurity.

Host (03:44):

Well, wonderful. So tell us a little bit about what is identity access management, we’re floating these words and acronyms around, maybe not everyone is as familiar with it.

Hanno Ekdahl (03:55):

Yeah. I don’t want to wind up with some alphabet soup here where everyone ius wondering what we’re talking about. So identity and access management. I mean, actually Justin did a really nice job of teeing that up with how do we know who you are, who you say you are. And that really is what identity is, right? How do I know that you’re an employee of whatever company, right? So the first part is establishing your identity. Usually that’s done when you’re onboarded right there, validating your driver’s license, your passport, other information about you to make sure you are who you say you are. And then they create a record for you in their HR system. And we can use that record then to create accounts for you inside the network, because we know you should be inside the network. We validated your identity. We have a trusted system that can establish that identity.

Hanno Ekdahl (04:39):

Now the access management side of that is what systems should you have access to and what are you authorized to do in those systems? So I’m, if I’m a financial analyst, let’s say I may have access to some basic financial functionalities but I can only do certain things in the system. So I have, what’s called a role that role determines what I can and cannot do in the system. So identity and access management is about taking good data on users to determine whether they should have access to our systems and taking additional attributes on that user to make decisions about how much access they should have within our environment based on their job function or role.

Host (05:23):

So in other words, that’s like in our household, if my role and responsibilities doesn’t include going and getting the specific things at the Whole Foods I wouldn’t have access to that program and the ability to go to Whole Foods and select those items.

Host (05:41):

Yeah. I didn’t know we were going to connect Whole Foods to Access, but all right, whatever works,

Host (05:46):

You know, I don’t know if you can create some IT or the technology around making sure that I’m permanently excluded from that program. I think we’ll have to talk after this podcast

Hanno Ekdahl (05:59):

We’ll see what, if we can help you out with that one,

Host (06:02):

But a little more seriously. When it comes to IAM, which is a significant defense in the defense and depth cyber strategy, why do companies have such a difficult time effectively implementing IAM?

Hanno Ekdahl (06:19):

I think the reality is that while identity and access management is a fairly straightforward concept, right? We laid it out pretty quickly there. This is what identity establishing identity means. This is what access management means in practice. It’s a lot more complicated than that. It’s intersects policy, process systems. And there are all these edge cases that need to be considered. A lot of times organizations shortcut the analysis and make some overly simplistic decisions about how they manage things. So they might say, well, all people in the accounting department should have this access period. Which is oversimplified. And so they wind up creating security issues by making very simple decisions for more complex problems. They don’t understand the nuances. The other thing is that scope on these projects actually tends to explode really quickly because everyone sees that they need what identity management offers and you wind up trying to take on too many things and you can’t do it all.

Hanno Ekdahl (07:23):

And so the program ultimately fails because you’re not able to meet the project deadlines, et cetera. But getting back to the root question – underlying data quality issues is a big problem. Understanding the processes, how do we manage the identity life cycle? What do we do for people who join the organization, move within the organization, when they leave the organization? How does that intersect with technology and our policies, right? What you should, and shouldn’t have access to based on different states that you may have as a user, all that has to come together and work in lock step in order to create the desired result. And there’s a lot more complexity than you might think.

Host (08:07):

So help us understand where you all come in and you know, if I’m a company, I recognize, gosh, I really need some assistance. How can I you know, under better understand what you all can do to assist? Where would you start?

Hanno Ekdahl (08:29):

Sure. So I think there are a lot of people in the identity management space that are technical implementers. So they’ll go build what you tell them to build. We come in and offer more of a strategic approach. So we have architects who will evaluate and layout designs. We have strategists who will come in and think about the processes and how the whole system comes together. So one of the things we like to do, that’s a little different is start off with an assessment and a planning session. It may only last a week, usually they’re one to three weeks – understand where the gaps are and processes the gaps in technology, any data issues that are underlying any policies that need to be developed. And once we understand where the problems are, we can actually lay out a comprehensive plan in order to get our customers to the right side of the solution, which is it’s working and it’s doing what they want. So a lot of organizations have a build and pray strategy. And some get paralyzed in analysis. We like to come out somewhere in the middle where we’re making smart, deliberate decisions with our customers to help them move forward, mitigate risk, maximize value.

Host (09:38):

So kind of building on that concept, Hanno and let’s talk about 2020. What was an interesting year for a lot of reasons is how does IAM evolve when we talk about it in terms of using it with a workforce that’s so quickly pivoted to being mostly remote.

Hanno Ekdahl (09:57):

It’s interesting. We have a customer that we just finished standing up their identity management solution for them probably actually a month or two before COVID really hit and then suddenly everyone’s working remote. And so the first question I had is, well, how do we get everyone VPN access? It’s like easy. You put them in the group that says they get VPN access. And we can automate that through the identity management solution. So the identity management solution can help us grant and revoke access as our needs change. So suddenly you go from, let’s say a thousand people in your company needing VPN access to 10,000 people needing it. Okay. We can grant that in literally a couple of minutes and we can really look at as well based on our business rules. So now we’re able to quickly provision and deprovision access as our business needs change. I could actually implement policies that say, you need a VPN to access these three systems. But otherwise you don’t need it. So we can then consume and manage our VPN licenses based on the sensitivity of the systems that people need to access.

Host (11:04):

So let’s talk a little bit about the technologies that are in place. So you mentioned, you know, a technology solution. Can you speak to some of the technologies that are here now and where you think those types of technologies are going?

Hanno Ekdahl (11:19):

Well, it’s a crowded market space, so there are a laundry list of solution providers out there. So SailPoint, Sapient, Plain ID, Hitachi, Micro Focus, Omada, Empower ID. So some of them are smaller niche players others have specialty type solutions in terms of where the market’s going. So we talked a bit about the flexibility, right? You have a remote workforce, right? And the environment’s changing where organizations are moving more and more to cloud. So we see in the more sophisticated platforms and some of the vendors who’ve been on the scene for a few years. So they’re starting to implement more and more risk-based controls that are based on user attributes. So I can enforce my policy and reevaluate my policy even within a session, right? So we have policy decision points. So I keep evaluating the policy based on your session data, maybe there’s an update to how you’re accessing.

Hanno Ekdahl (12:18):

Maybe you were accessing the session sitting at your desktop, which was a company issued machine. You switched to your phone. And we say, look, you’re not allowed to see that application on the phone. We can terminate that session. So we’re constantly and continuously re-evaluating security based on changes to your session. We see anything anomalous. We can shut down your session. So the tools we have are getting much more sophisticated and allowing us to apply real-time security decisions to sessions as they’re ongoing. So instead of being a static set of rules that we evaluate once at the beginning of the session, we continuously reevaluate our policies based on, on your session, what we know about you as the user, so we can make adjustments.

Host (13:05):

So one thing we’ve been hearing a lot about from a variety of our guests and just in the marketplace is about zero trust. You have some thoughts you’d like to share about what you think about zero trust and its potential from an IAM standpoint.

Hanno Ekdahl (13:18):

Sure. So zero trust, a, another way of saying that is identity is the new perimeter, right? So who you are and what you should access is really our perimeter, right? We used to have basically these IT castles, right? We have a wall which was our firewalls. We have a moat, you know, we’re doing all these things to keep people out. We have our internal network and our external network. And with cloud, that’s all blown apart, right? People who are accessing cloud-based applications are outside of our network. So how do we manage their access? How do we determine what they can and can’t see, and still have a notion of security. Well, we have to change our security model to focus on what you, as an individual can access. So identity and access management then is about continuously establishing and re-evaluating your identity to make decisions about what access you should have. So it ties back in very nicely to the previous question where we were seeing that trend. Now that we’re, we’re looking at risk, what device are you coming from? What are you trying to access? Even when you’re trying to access it, right? We’re starting to look at pattern recognition. It’s like, well, Hanno doesn’t normally access our financials at three in the morning from a device in China. Maybe we shouldn’t allow that. And so the security now is inherent in the re-evaluation of policy, on the fly, through these identity management technologies and platforms.

Host (14:52):

Small businesses. So, you know, someone listening might think, well, I’m kind of a smaller business. These tools sound really big and fancy for large enterprise, like customers. We all know in the privacy and security space that bad actors love small businesses. So how do small businesses leverage IAM? Is it, you know, only a big business kind of problem, or what are the ways, or maybe some of the differences, or maybe there’s no differences for what a smaller business needs to be doing?

Hanno Ekdahl (15:25):

Yeah. For a small to medium sized business the investment in a mature big scale identity management platform probably isn’t worth it. However, more and more of the cloud-based providers are providing identity as a service functionality that small businesses can adopt. So for example, at Iden Haus, we use an online provider and we’re using their multi-factor authentication where they have these policy controls that they didn’t have two or three years ago. Right. So we continue to enhance our security. So I would encourage small, medium sized businesses if they’re using an cloud-based platform for their email collaboration tools, look at the security features within those tools and apply them. There’s all sorts of validations and security measures you can put in place to protect yourself. The one thing I would say is that hackers know that the the end user is easier to compromise than your IT systems. So really the biggest risk is training and awareness. And that’s a great place to focus on your team is helping them understand that they shouldn’t click on links and they shouldn’t download things that are attachments in emails. That’s really where most of the compromise happens. Not as much in hacking systems. I mean, that does happen certainly, but it’s really hacking users to get inside the network.

Host (16:49):

I did a presentation, a client training yesterday, we covered phishing and the, IT folks were cheering me on when I covered all these specific points, they had all their yes’s in the comment boxes. Great.

Hanno Ekdahl (17:03):

Yeah. I find that having worked for a number of very large organizations, you know, they do take the awareness training seriously and they do it periodically and they have these phishing campaigns internally to see what people click on. And we’re all human. We might occasionally click on something, but there are some people who click on everything, no matter what you do. So then you’re going to have to make a decision what you want to do with that person, because they’re a pretty big security risk.

Host (17:28):

Yes. You had also mentioned something around pushing policies down, perhaps for those who aren’t familiar with, what that means. Can you explain a little bit more about what type of policy we’re talking about here and when you push different policies, what that is like in this context?

Hanno Ekdahl (17:45):

So policies that can be something that’s fairly straightforward, like your password policy, which is probably something everyone understands, right. When you go sign up for access to your bank is a good example, right? It’s like, well, you know, it has to be this many characters long. It has to have upper case lower case. These special characters are allowed. These aren’t that’s a policy, right? So it’s defining some minimum standard that the user has to conform to. Right? So the idea with identity management is to pull as much of that policy management to the center as possible, and then enforce it through the connections to the end points. Right? So if I’m, if I have an email security policy that I’m applying to your mailbox, I can enforce that centrally in my identity management solution, how big your mailbox is, how long you’re able to retain emails what happens if you’re placed on a legal hold, those are all policy decisions. So like if, if there’s some legal event going on, my accounts placed on legal hold, identity management can then go out and lock my mailbox. So I can’t delete any of my emails, all my emails secure everything’s stored because there’s a legal hold on my mailbox. So these policies are defined centrally and then enforced through these connectors that implement the rules and evaluate them in the end points. Hopefully that helps.

Host (19:09):

I think it’s very helpful. Thank you for, for explaining for, for our audience who might not be as familiar with it.

Host (19:17):

I thought we might ask you as our last couple of questions based on all of your experience in the IAM sector what is your best personal cyber tip for end users or just, you know, people in their everyday lives to be more secure,

Hanno Ekdahl (19:34):

Don’t click on that, whatever you do, don’t click on that.

Host (19:35):
Like, I think that should be a new t-shirt.

Hanno Ekdahl (19: 36): I’ve got my coffee mug. I need to put like, “don’t click on that”. So that’s exactly it. I think thing is a lot of times people have that gut feeling like something’s wrong, right? We all have so many people have, whether it’s Netflix or Hulu or whatever bank you do business that spammers know that they’re out and you’re sending out thousands and thousands of emails. You know, the reality is that it’s funny, I was actually listening to a presentation recently on this and they said, you know, the average bank robbery yields $3,000. Right. And it occurred to me, you know, the odds of you getting caught or shot trying to rob a bank are probably pretty high.

Hanno Ekdahl (20:26):

The average cyber security hack nets, more than $65,000. And they have very little chance of catching you. So, which do you think is the more attractive crime and there’s almost no cost or risk to perpetrate it. So there are these broad scams, right, where they’re just sending out millions and millions of emails, hoping you click on something, download something. So if you have a suspicion, don’t do it. So what I do is if I get a link saying, Oh, your Amazon account’s been hacked, or this has been hacked, just go on the device that you trust and log in directly, like you normally do, right. Type in the URL, or go to that safe Favorite. You have go to your account. It will tell you if there’s a problem with your account. So every now and then if I’m unsure, I will do it that way. But I never click on emails on links in emails. And my wife knows this too, because I’m like, Oh, don’t click on that. What are you doing? Don’t click on it. So it’s like, we have cyber security awareness training in my house because I’m nervous that she’s gonna, you know, compromise her phone or whatever.

Host (21:26):

So when you’re not hosting home cybersecurity awareness training, what, what do you like to do for fun?

Hanno Ekdahl (21:37):

Well, one of the ways I blow off steam is running. So I enjoy running, but unfortunately didn’t get to run the Peachtree road race this year. We did the virtual race. So I’m missing the road racing part of that. And travel, travel is actually another big thing. So our last big thing was a trip to Vermont to do some skiing. And that was really the last big trip we took this year. And I miss that. So, you know, just getting out of house, travel and, and running.

Host (22:04):

Travel’s good. Thank many of us also miss travel. Well, Hanno, thank you so much. Where can people stay connected and learn more about you?

Speaker 3 (22:11):

Sure. Our URL is www.idenhaus.com and spelled I D E N H A U S. It’s the German spelling of house. And, or you can send an email to info@idenhaus.com.

Host (22:28):

Well, wonderful. Well, thanks again for sharing all of your wealth of knowledge with us today. We really appreciate it.

Hanno Ekdahl (22:35):

Thanks, Jody. And Justin, appreciate you having me. All right.

Host (22:38):

Take care. We look forward to next time we talk to you. Sounds good. Thank you. Thanks for listening to the, she said privacy. He said security podcast. If you haven’t already be sure to click, subscribe, to get future episodes and check us out on LinkedIn. See you next time.


Rob Cummings

Rob Cummings is the Managing Director and Chief Technology Officer of Falfurrias Capital Partners, a private equity firm that acquires and invests in middle-market businesses. Rob is also the Co-founder and former Director of DealCloud Inc., a software provider that serves businesses in the private equity, investment banking, corporate development, lending, and business development corporation industries.

In addition to his current role, Rob serves on a variety of boards, including the Apex Center for Entrepreneurs, Charlotte Angel Fund, Skipper, and many others.

Available_Black copy
Available_Black copy

Here’s a glimpse of what you’ll learn:

  • Rob Cummings talks about his background in business information technology and his current role as Chief Technology Officer
  • How a company’s privacy and security risks impact its ability to sell
  • The importance of prioritizing your business’ privacy and security—not just its revenue
  • Some of the biggest security challenges that Rob’s portfolio companies are facing today
  • How to prepare and implement a privacy program at your company
  • Rob’s top personal privacy and security tip: take a breath before replying to an email

In this episode…

Is your company really doing enough to mitigate its privacy and security risks? Do you have a plan in place to protect your business from dangerous scams, data breaches, and other privacy and security concerns?

Unfortunately, for many companies, the answer is no. However, this lack of protection can have disastrous outcomes, such as lost revenue, stolen employee and client data, and an inability to sell your business in the future. So, what can you do to boost awareness and implement practical protective measures at your company right now?

In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels sit down with Rob Cummings, the Managing Director and Chief Technology Officer of Falfurrias Capital Partners, to discuss the ins and outs of common—but dangerous—privacy and security risks. Listen in as Rob reveals why revenue isn’t the only important part of your business, how to implement an effective privacy program, and his biggest personal privacy and security tips for individuals everywhere. Stay tuned!

Resources Mentioned in this episode

Sponsor for this episode…

This episode is brought to you by Red Clover Advisors.

Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.

Founded by Jodi Daniels, Red Clover Advisors helps their clients comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, SaaS, ecommerce, media agencies, professional services, and financial services.

Their free guide, “How to Increase Customer Engagement in a Private World,” is available here.

You can also learn more about Red Clover Advisors by visiting their website or sending an email to info@redcloveradvisors.com.


Todd Ruback

Todd Ruback is the Director of Promontory Financial Group, an IBM Company, which advises clients on a variety of financial services issues, including strategy, compliance, risk management, and more. In this role, Todd oversees and manages privacy and data protection projects on the east coast of the US.

Before his work at Promontory, Todd worked as the Executive Director of Global Privacy Compliance Strategic Initiatives at JPMorgan Chase & Co. As a privacy executive with decades of experience, Todd specializes in GDPR, e-privacy, data protection, security, and much more.

Available_Black copy
Available_Black copy

Here’s a glimpse of what you’ll learn:

  • Todd Ruback talks about his background in data privacy and security
  • The challenges organizations are facing as a result of the globalization of privacy
  • How companies can better protect their data security when collaborating with third-party vendors
  • Todd discusses the recent progress large and small companies have made in understanding and complying with privacy laws
  • What are the differences—and similarities—between privacy and cybersecurity?
  • Todd’s number one privacy tip for individuals: take control of your digital identity

In this episode…

Let’s cut to the chase: you want to know how to protect your company’s privacy and security. So, how can you avoid falling prey to the common privacy/security issues that plague small and large organizations alike?

With the speedy evolution of technology over the past few decades, many companies are struggling to keep up with the latest buzz on data privacy and cybersecurity. While many professionals are looking to take practical steps to protect their customers, their company, and themselves, it’s easy to feel overwhelmed by the volume of information available. That’s where privacy expert Todd Ruback comes in: to help your company create the fool-proof privacy strategy it has been looking for.

In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels sit down with Todd Ruback, the Director of Promontory Financial Group, an IBM Company, to discuss how both large and small companies can avoid privacy and security risks. Todd reveals how to protect your data while working with third-party vendors, the importance of understanding and complying with privacy laws, and his crucial privacy and security tips for both individuals and organizations. Stay tuned for more!

Resources Mentioned in this episode

Sponsor for this episode…

This episode is brought to you by Red Clover Advisors.

Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.

Founded by Jodi Daniels, Red Clover Advisors helps their clients comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, SaaS, ecommerce, media agencies, professional services, and financial services.

Their free guide, “How to Increase Customer Engagement in a Private World,” is available here.

You can also learn more about Red Clover Advisors by visiting their website or sending an email to info@redcloveradvisors.com.