Cybersecurity, Risks, and Why Your Company Needs a vCISO With New Oceans Enterprises Donna Gallaher

Donna Gallaher is the President and CEO of New Oceans Enterprises. New Oceans Enterprises is a Cyber, IT, and Operational Risk Management Advisory Service that facilitates collaboration among your company’s business units to develop policies and operational risk mitigation strategies appropriate for your risk tolerance. Donna was recently recognized as one of the top 12 vCISO Influencers to watch and inducted into EC Council's 2023 C|CISO Hall of Fame.

Donna currently serves on the Board of Advisors for the FAIR Institute and is President of the Atlanta FAIR Chapter. She is one of the founding members of vCISO Catalyst, a professional association for vCISOs. She holds CISSP, CCISO, CIPP/E, CIPM and ITIL, and Open FAIR certifications and is designated a Fellow of Information Privacy by IAPP. She is a graduate of Auburn University with a Bachelor of Science in Electrical Engineering.

Here’s a glimpse of what you’ll learn:

• Donna Gallaher shares her career background and explains her current role
• What are the requirements for cyber insurance?
• Why smaller companies are a bigger target for hackers
• Understanding risks and solutions in financial terms
• Advice to companies looking to join the AI bandwagon
• How to prevent cybersecurity threats

In this episode…

In this age of technology, it’s wise for companies to have some sort of cybersecurity expert on staff to protect the organization’s data from theft and damage. But what happens if you’re a startup or small company and unable to afford a full-time expert? Or perhaps you’re a larger corporation with cyber technology in need of updating?

Whatever your company's needs are, you may want to enlist the services of someone like Donna Gallaher, a securities strategist who owns a securities advisory firm that contracts out services. Firms like Donna’s can provide a list of options to protect your company’s data, intellectual property, and assets.

Tune in to this informative episode of the She Said Privacy/He Said Security Podcast as Jodi and Justin Daniels welcome Donna Gallaher, President and CEO of New Oceans Enterprises, to discuss the role of a CISO. Donna explains the services a CISO offers, why smaller companies are prime targets for hackers, and how to prevent cybersecurity threats.

Resources Mentioned in this episode

• Jodi Daniels on LinkedIn
• Justin Daniels on LinkedIn
• Red Clover Advisors’ website
• Red Clover Advisors on LinkedIn
• Red Clover Advisors on Facebook
• Red Clover Advisors’ email: info@redcloveradvisors.com
• Data Reimagined: Building Trust One Byte at a Time by Jodi and Justin Daniels
• Donna Gallaher on LinkedIn
• New Oceans Enterprises

Sponsor for this episode…

This episode is brought to you by Red Clover Advisors.

Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.

Founded by Jodi Daniels, Red Clover Advisors helps companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, ecommerce, professional services, and digital media.

To learn more, and to check out their Wall Street Journal best selling book, Data Reimagined: Building Trust One Bite At a Time, visit www.redcloveradvisors.com.

Episode Transcript

Intro  0:01  

Welcome to the She Said Privacy/ He said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:22  

Hi, Jodi Daniels here. I'm the founder and CEO of Red Clover Advisors, a certified women's privacy consultancy. I'm a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.

Justin Daniels  0:37  

Hello, Justin Daniels here I am an equity partner at the law firm Baker Donelson, I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches. And this episode is brought to you by

Jodi Daniels  1:01  

Oh, don't have ponytail. Now Novotny tail. Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, ecommerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we're creating a future where there's greater trust between companies and consumers. So learn more and to check out our new best selling book Data Reimagined: Building Trust One Byte at a Time, visit RedCloverAdvisors.com. I find it interesting, Mr. Justin, that you are wearing the Red Clover t-shirt today. Yes, and that you look like a black and white cookie. Well, cookies are great. So I think we should have that. Okay, well, we'll make some later. Well, if we need to further coordinate our wardrobe so that you are wearing Red Clover swag. Send me a memo. Now you know what I think we do the next time you wear the Red Clover shirt and I find a bake or something or other. Already. That's batch. Well, today though, we're going to dive into some fun in the security side because we have a longtime friend and amazing security guru. We have Donna Gallaher She is the President of New Oceans Enterprises, and was recently recognized as one of the top 12 VCISO. influencers to watch and inducted to EC Council's 2023 DC so Hall of Fame. She currently serves on the board of advisors for the fair Institute and as president of the Atlanta fair chapter. She is one of the founding members of VC co catalyst, a professional association for VC SOS. She holds way too many letter acronyms that I can actually pronounce on this podcast. So I invite you to the show notes to see all of them and open fare certifications. She's a designated fellow of information privacy by IPP and She's a graduate of Auburn University with a Bachelor of Science in Electrical Engineering. Well, Donna, welcome to the show.

Donna Gallaher 3:04  

Hello, Jodi and Justin, my favorite power couple. How are you guys doing? Thanks for having me.

Jodi Daniels  3:11  

We're so excited. You're here. This will be so much fun.

You're starting.

Justin Daniels  3:16  

I'm starting.

Jodi Daniels  3:17  

You're starting.

Justin Daniels  3:17  

Why?

Jodi Daniels  3:18  

Because I did. I had to go through all the very long, amazing list of accomplishments and many letters. I need a break.

Justin Daniels  3:26  

I see. No, I didn't know you were tiring. So early in the day, but okay. So, Donna, how did you get to where you are today?

Donna Gallaher 3:38  

Well, I had a couple of career pivots as kind of God went through my biography. They're just I just, you know, I'm a continual learner. I just I enjoy, you know, taking on new challenges. And I mean, I've worked in engineering, I've worked in sales, I've worked in IT operations, transitioned into security, I transitioned into privacy and had some privacy responsibilities, but I've never really worked as a business owner. And for me, I think that was just the next step of I kind of wanted to be in charge of my own destiny, you'll learn you know, how to build a company not be relying on other people for my income, and kind of set in spread my own personal risk out of instead of having a single employer, you know, to have multiple clusters, you know, customers or clients, you know, and be able to develop additional revenue streams have, you know, a way that to scale a business and, like sit to work on the type of projects that I wanted to work on. And, you know, that that, uh, that's, that's I guess I started my business in 2018. And slowly building and figuring out kind of what the road ahead is for myself. Think as a fellow business owner, we're always continuing to pivot and navigate and what is that that next step? Now? You

Jodi Daniels  4:59  

Some people listening might not be super familiar with what a vCISO is. So can you share a little bit more about what are the types of activities that you participate in?

Donna Gallaher 5:11  

Sure. So, um, you know, not all companies can afford to hire a full time CISO or security adviser or program strategist, you know, maybe a smaller company, they only need somebody a few hours a month, you know, to maybe set up a Strategy for them and kind of keep them on track. Or sometimes it may be a larger enterprise company, maybe they have a hold, you know, or they're a little behind in, in some of their aspects of their security program, and they need a subject matter expert. So maybe working for a CIO or CTO or CEO to kind of build out one of their security domains that, that they might have a gap. And so those are the kinds of things I worked on, we generally start with, like, just in in security and privacy is both the same process of starting with an assessment. And you're just a discovery of, you know, what type of data you have and where it is, and who it shared with, and how could it be compromised? And then you providing options, you know, for protecting it, or reducing the risk associated with with the data and with the the intellectual property and the assets. So pretty much it.

Jodi Daniels  6:28  

I think those are important activities. Why are you laughing at me today? Why not?

Justin Daniels  6:35  

So the thing I was thinking about is, Donna isn't it by and large, true that most companies do not have a C. So that's really the realm of pretty mature companies with a cyber program, think enterprise, fortune 1000, when it comes to, you know, smaller companies, or most other companies, at what point do you typically see them wanting to bring in a VC, so like yourself?

Donna Gallaher 7:04  

Well, a couple of my customers have come to me, because they're being screened as a vendor, you know, by their customers. And, you know, they're being asked to complete security questionnaires or signed contract addendums, that they're doing certain things in their security program, and they don't even know what they're talking about. So I've had a couple of clients who have come to me that was donning a ring asked to sign this, and I don't even know what they're talking about. So can you set up a program for us where we've complied with this, and we're managing our risk long term, so I have to explain those things to them. Or sometimes they can't get a general liability insurance, you know, they're being asked to complete, you know, insurance general, you know, just general insurance questionnaire on their cyber policies and practices. And again, they don't know how to even answer the questions or what they're talking about. So you know, sometimes it comes from there. Sometimes, I've had customers who say, when they're building, let's say, a some type of technology product, and they know that in order to sell product one, they're going to have to answer security questions that how is this thing built and tested? And who's been working on it? And they need to be able to answer those questions in order for them to even be able to generate their first customer. So I've got a couple of startups that I've worked with, and just kind of seeing what type of questions what a security company or what a security adviser asked you know, about them about their product and see if we can set up that Strategy

Justin Daniels  8:43  

that you mentioned something interesting. It would. You mentioned something interesting about cyber insurance. Yeah. So what I'm finding is, is I'm now getting phone calls where people are like, Yeah, this customer is requiring that I have cyber insurance. And can you just look at the policy? And then I'm like, Well, wait a second. Do you have MFA? Do you have endpoint detection? Could you talk a little bit about some of the requirements, you're seeing the insurance carriers now ask for that require a company to really have someone like you guide them through how we're going to put all these technical requirements in place, or we have no insurance and we're not getting that business deal?

Donna Gallaher 9:23  

Yeah, there's one customer or one one, but if some person was referred to me that they could not get insurance at all. And I, well, that's strange when you wanted to give me your questionnaire and see what you know, what your answers were to these things. And MFA was like a litmus test if you didn't have multi-factor authentication, you know, deployed. There was no insurance company that was even going to give you a policy so you don't have to explain that to them. So this is an easy thing. This is generally a feature you just have to turn on. Um, you know, so go on and turn it on, and then you can get insurance after that. But, you know, like, like I said, there's just basic blocking and tackling type of things that, you know, unless it's explained if you're, let's say your business is not a technology business, and some of these concepts might need to be explained to you. You know, that's, that's the thick the value of a virtual CISO, they can take those technical requirements and translate them and explain them in regular terms so that non techies can understand what they're being asked to do.

Jodi Daniels  10:35  

The need coming from vendors, and putting the pressure from a security point of view is so similar to what we see on the privacy side it when you were explaining it, I couldn't help but smile, because many companies have kind of Yeah, I have this contract, and I can't move forward. At the end of it is this data protection addendum with this long list of things I'm supposed to agree to? And then we get started and explaining what this is? And why it's 17 pages and what that means? And again, the conversation from there. Donna, where does a VC so typically fit? Who do you often work with? And or who hires you?

Donna Gallaher 11:16  

Well, it's it likes the it attorneys, you know, their favorite answer is, it depends. And I kind of use that a lot. But it's smaller, if it's a smaller company, generally, I'm working directly with the CEO. Because you know, it's a major part of of their, their business strategies to, you know, be able to get insurance into these tickets. General, it's, they recognize that this is an enterprise requirement, and not just a technology requirement. There's customers that I've fired, you know, if they weren't taking the program seriously, and they were just saying, hey, we want somebody to blame, or we want somebody to kind of get us compliant. And we're gonna ask for all kinds of exceptions for me and not for the, you know, I won't work with with with clients that are are not going to take it seriously. So I've had to, you know, part ways with them for that, but generally, like, today, it is the owners of the company, it's the companies that are going to, you know, really, really take it seriously walk the walk and talk the talk and not just, you know, go through a compliance exercise. Some of my larger clients, it can be like a CIO or CTO. But they have to have an enterprise responsibility and support and endorsement by either their board of directors or from the CEO with the CEO is actively involved in managing the risk of the company.

Jodi Daniels  12:48  

A lot of companies think, oh, I don't have health data, I don't have financial data. I'm okay, I don't have a big risk. Can you share why? Oh, companies might need to be paying attention to security.

Donna Gallaher 13:04  

Sure, so all companies should have a bank account, at least, you know, hopefully. And there's, you know, just social engineering stuff where you can trick, you know, your accounts payable to pay, you know, pay false invoices. Or you can manipulate people to sharing information about, you know, where funds are coming, who your vendors are, who your customers are to, you know, trick them or, you know, defraud, you know, other customers or other other employees. Everyone has, you know, email, you know, that every, a lot of people are gonna be personally exploited, you know, so let's say I don't, I don't attack you at work, but I target your family, and your employees, and I learned about your family on social media, from your Facebook posts, or from your, you know, your Instagram activity. And, you know, I can trick you into, you know, clicking things and downloading things that, you know, I can then take over your personal bank accounts. So it's something that everybody needs to be aware of, if you have employees, and you have any type of banking information, regardless of what personal data you have, you are a target. And if you're a smaller company, generally you're a bigger target because the bad guys know that you may not have the resources to build out a huge security program. And so that's your that's your, the lower hanging fruit. And a lot of the breaches we've seen it's, it's a second it's a it's a third party that that's actually breached. And that's how they get their foothold into, you know, one of the, you know, the larger major companies that maybe does have all the personal data If you're providing services to a larger company, and you might be the weak spot that that bad guy can get into, and then that'll not only ruin your reputation with maybe your largest or your best customer, but that's something that can put you out of business. If you're a small business,

Jodi Daniels  15:20  

thank you for sharing super important advice for everyone to hear small to big. Hopefully.

Justin Daniels  15:29  

Donna, I have a more interesting thought is

Donna Gallaher  15:32  

my thought was interesting. I thought Jodi’s thought was pretty interesting.

Jodi Daniels  15:36  

More interesting. I have another interesting thought.

Justin Daniels  15:41  

I have a more interesting thought. Yeah, well, I listen. Oh, to baldy is coachable. Sometimes. I wonder Donna, in the coming months when the SEC cyber regulations go final, that specifically are for public companies, but are really targeting their vendor ecosystems? Do you think maybe you participating in board of directors for larger companies could be in your future, because one of the requirements of this new law will be our new regulation will be that you have to have specific cyber expertise on your board? And do you think this will then be a greater opportunity for people to use VC so services, because now you won't be part of the vendor ecosystem for a big company without getting your security house in order?

Donna Gallaher 16:32  

Absolutely. And that is something that I'm actively pursuing is that I am looking for paid board seats. And that simply didn't know I could sit and say the last maybe three years that I've been trying to build those connections. Another thing that I learned is that when you're working as a CISO, if you are working for a CIO or CTO in an enterprise, you're really not qualified, actually, in corporate governance, as you would if you were a CEO, let's say of your own company, or your own small business, just generally to those board seats, they do want to have not just an executive, you know, with with subject matter expertise, but the experience in corporate governance, and until you until I was a CEO, and I had to say, hey, you know, I've got, you know, $1,000 in my bank account, do I spend it on a marketing program? Do I spend it on buying a tool? Do I take a trip? Do I take a course you know, what, what am I going to do with that, and those are the decisions that companies have to make have. It's not just about your department, it's about the whole enterprise. And I spend a lot of the CES, this, the CISOs that I see out there are still kind of stuck in the techie world and not getting that higher level of visibility that they'll need to be, you know, good board members. So I think that's something that the industry, we need to do a lot more work in that of getting the CISO to really be at that top level and get them more exposure and visibility to corporate governance and oversight than than we currently have.

Justin Daniels  18:16  

Oh, I think you bring up a point, which I want to talk about a little bit more is in the incidences where I've had to go in and handle a data breach. One of the biggest challenges that I find in that scenario is translating what the technical people are saying about what they find in the investigation into business language that the business people can understand to decide if are we paying the ransom? What conversation Do I have to have with my customer? Because I risk losing them for how long this is going gone on? Can you talk a little bit to our audience in that context about the challenges you've seen, in your personal experience when the technical people try to talk to the business people, when they're under time pressure with incomplete facts and why it's so hard?

Donna Gallaher 19:07  

Absolutely. So my SAT and you heard my biography that I'm with the fair Institute and the president of the Atlanta fair chapter, and on the Fair Board of Advisors, and what that is, it's quantitative risk analysis of taking, you know, vulnerabilities scenarios, and identifying, you know, what the actual financial loss, you know, to the businesses, because right now, very, very much that the industry is still very compliance based. It's take, you know, the whole compliance framework and apply it, you know, throughout the whole company, whether the controls applied to specific scenario or not, and that's, that's, too that's like drinking out of a firehose. So say we want to talk about ransomware. Well, companies seem to understand there's some Multiple ways ransomware can get on and if I'm only protected against phishing. So say I've got, you know, a training program in place, and I've got some email filters, you know, screening my mail before they come in and hit my inbox, you know, maybe I think I'm good, but they I've got, let's say, USBs, still enabled on all of my devices, and somebody throws a USB card or something in the parking lot that says, company salaries or whatever, and they plug it straight in, it might not protect against the controls that you have might not protect. So you might think that you're invulnerable to certain scenarios, but it's not, you haven't covered all of the bases of all the different ways it can get in. So you have to understand not just what you have, how it can be attacked, you know, and the and the options for mitigating it. But, you know, putting it into financial terms of how much is each option going to cost and how much is the overall loss gonna cost in the end CSIS most smaller spaces, they've come up through the tech industry, and they're still very much into the geekspeak. And they're not talking about risks and solutions in financial terms. And that's really what's needed a lot more focused on, on translating that risk into into monetary and probability, you know, type of type of discussions that and that's how, you know, other risks are talked about as well, this, this this data center, you know, hurricane hitting the data center, does that happen once every five years? Or does that happen every once every 100 years? That's a loss event that, you know, you have to do anticipate, you know, how frequently is this going to happen? How much is it going to cost? And, or this international shipping company? How often does it ship think, you know, with inventory on it, that's something that, you know, you can quantify, and you can, you know, estimate, and cyber risk should be treated the same way, where there's things that happen every day, and there's things that could happen, but probably won't happen regularly. So those are generally you know, lower risk, and then you can make decisions, you know, based on the same decision criteria as your as you're deciding on other risks of how to handle them. Well, speaking of risk,

Jodi Daniels  22:28  

one of the risks that is talked about often and we had a discussion pre-show, is that related to AI. Donna, what advice are you offering to companies who are looking to join the AI bandwagon?

Donna Gallaher 22:45  

Oh, gosh, well, I would say don't wait for the regulator's you have to kind of start thinking about this. Now. As a as an automated hacker, I guess I would, I would think about it, of, of start doing your threat modeling, and figure out, you know, let's just assume the worst case scenario because it's going to figure it out. Whatever it is, and, I mean, I just have theories about how this needs to be addressed of, you know, working with AI subject matter experts and not not regulators and getting your threat scenario advice from people who actually build it. And they can tell you, you know, what's possible and what's not possible and like I said, to implement your security best practices your you know, need to know your segmentation of it, you know, if there's a way to specialize in separate you know, but I think the genies out of the bottle you know, and we're gonna have to use AI to fight a war not fight but to regulate at some point and then what is that do so it's it's a it's a big scary time, but I think you know, Justin nailed it when he said scaring is carrying on on a recent podcast I'd heard him on but our newscast is very true. Yeah, you have to anticipate and think like, what could go wrong here and so just try to do your best and let's get that get the best advice that you can from people who actually build it.

Jodi Daniels  24:31  

Faster, Mr. Scaring his caring, what

Donna Gallaher 24:32  

do you have to say?

Jodi Daniels  24:36  

I guess our house it's often sharing his carry. Hopefully, you've adjusted our I have our story. Well,

Justin Daniels  24:42  

I have to adjust. I have to address the threat matrix. Okay. So Donna, you said one thing that I thought was interesting about working with people who develop the AI, you know, to try to assess what the threats are and the more I read and read Learn about AI is it's constantly learning itself. And it seems one of the kind of consequences we should expect is it's going to start acting in ways that the developers of it don't really anticipate. And that's part of what makes it so scary coupled with the fact that you throw in deep fake. I mean, you weaponize the opportunities for misinformation. If you thought we had misinformation before, I think you ain't seen nothing yet.

Jodi Daniels  25:30  

Thoroughly scaring me and many other people listening, good job

Donna Gallaher 25:35  

to be clear about what is a fact? And what's an opinion and be clear about where sources are. And just be skeptical about everything you hear. And I recognize that statistics can be used to support any position, you can always play with numbers and, and, you know, make them come up, and what put the emphasis on whatever point that you want to make. Yeah, and AI is gonna do the same thing. You know, you don't know what its motivations are. But it's essentially going to have them and I mean, the scariest things that I've heard are is when you ask an AI if it thinks it's alive, and it does, and you tell it, no, I don't think you are. What's that thing going to do? It's, you know, it's like the AI have to think about it as a psychopath is it is a brilliant unlimited knowledge. Yeah. And and then unlimited ability to, to learn and to manipulate without any conscience at all. And without any ethics. It's not a moral thing. It's it's a it is a thing. It's just, I said, it's a computer psychopath, I guess is what I would call it.

Jodi Daniels  27:03  

i Well said, and I know we've talked about that in the presale, and I'm glad you brought it up. Again, here. I think it's important to hear.

Justin Daniels  27:09  

But I also think Donna is bringing up an important part of AI advice, which is one of the things I stress when I talk about AI is you have to assume it will hallucinate ie convincingly lie. So you really have to put a process in place to back check what you're getting on the AI because even if it isn't completely right, you back check it and you may save several hours in research that you needed to do. But there's already a lawyer who filed a brief with the court and is has a problem now because the AI that was used to do that cited a whole bunch of cases that drumroll please, don't exist. Yeah,

Donna Gallaher 27:51  

that's just speculating of other things that are similar. So I guess having multiple API's programmed by different people would provide some protection so that there's a balance, you know, I mean, generally, you just when you do a weather forecast, you don't use just one model, you know, you use multiple models from different sources, to see what they all say. Or if you see one, AI consistently spitting out the same advice privacy You that You get another one spun up to take the opposite position, and continually try to get to a balance is the best I think I can I can think that we can do to prevent our, to prevent a catastrophe of just, you know, when you know, always challenge, you know, always be challenging what the status quo is, and try to get the balance and put one against the other. And I think that's the only way we're gonna get the best advice we can.

Justin Daniels  28:52  

Well, speaking of security threats, you know, as we talk here in June of 2023, what are your thoughts around security threats that you see companies facing today? Or is it just new variations on the same old phishing thing?

Donna Gallaher 29:10  

Things that I guess I get concerned about? You mentioned AI, you mentioned deep fakes. So you're gonna, you're not going to be able to tell anything that you see or hear if it's if it's real or not, which is terrifying, but then also the speed that things are going to be able to happen. And so quantum computing, I think, also scares us to have, you know, how quickly you know, things can be assessed and hacked, you know, or your passwords cracked, or we have permutations done with that. So I think quantum computing is a big thing, but most most businesses are still failing at the basic blocking and tackling you know, and where the human component is and the human error piece. You know, that's still I think the biggest problem One that most have to deal with? And yeah, I would say you don't have to be you know a bank all the time, you just have to not be the lowest the slowest gazelle on the on the Serengeti, you know, just just be better than your competitors. And maybe you're not the one that gets taken out. So I think that's true for most companies.

Jodi Daniels  30:25  

kinds of fun analogies this episode.

Justin Daniels  30:27  

Yes. Let's see. Did you hear what Donna said, when she said, We all knew who the weakest link is? It's the that's an argument for getting rid of the people and what the

Donna Gallaher 30:37  

video different set of problems. That's fair, that's very true. I mean, as technology evolves, you know, you're just trading one set of problems for another set of problems. So it never really goes away. You just like, we we started out when we said, hey, let's let's move from on premise equipment to the cloud, you know, because that'll solve everything said now that doesn't solve everything in just, like, upgraded your problems. Right? Or, or, you know, let's go from a, you know, like, from a human to an AI, you know, when you start we're worried about the human making a mistake. And now you have to worry about an AI deliberately, you know, skewing results because whoever's, or whatever it's been listening to, you know, it's, it's made up its own mind about what to do now. It's, it likes and you just trade one problem for another. It's definitely something we'll have long careers in, you know, continuing to

Justin Daniels  31:37  

cyber security and privacy, there is no free lunch, there is no free lunch.

Jodi Daniels  31:41  

That's very true. Well, given what you see all day long, what is your best privacy or security tip?

Donna Gallaher 31:51  

I guess it would be to understand your crown jewels, you know, what is a value to your company, and what the scenarios are, you know, around how that could be attacked, and what controls you have in place to protect you and what options you have. That's generally where I spend most of my time with my clients is talking about specific scenarios that we want to protect against, and you'll why we want to prioritize, because you never have enough money, you know, or resources to do everything. So you have to focus on the biggest things first. So that's, that's it, you know, it likes that starts with the risk assessment. And that's what to say, Save work is worked on and focusing on, you know, over time as you're developing your program, but that's very simple. Donna,

Justin Daniels  32:45  

when you're not protecting companies are hanging out in the security community and the fair Institute, what do you like to do for fun?

Donna Gallaher 32:53  

Oh, gosh. Well, I am a backyard beekeeper. I don't know if I've shared that with you guys before but I actually do have several honeybee hives in my backyard. And I like kind of watching them and playing with them and I'm kind of a gardener and you know, vegetables and medicinal plants that just I like learning you know, what things do and how they grow and I think where I can unplug Yeah, and just kind of get away and get out some sunshine and some fresh air that's that's what I like to do.

Jodi Daniels  33:32  

So fun do you package honey as well

Donna Gallaher 33:36  

I do I have a whole shelf over here to have this year's harvest we just have about oh I want to say 30 pounds of honey that we just did with the last couple of weeks. So maybe it's not a huge operation it's enough for friends and family to share. But you know, it's something that I really do enjoy and they said the benefits of raw honey from your own community are you know have great effects on you know, allergies and health and it's just one of those rewarding things where you get not only the benefit of learning and watching but something that you can use and is useful to others and yeah make candles and other stuff with the with the beeswax I just enjoy all that. I'm also trying to get into woodworking although I don't know how to use most of the tools but my husband is kind of slowly letting the get into his workshop.

Jodi Daniels  34:38  

So very exciting. You can put me on the shortlist. I love local raw honey, that's super fun.

Donna Gallaher 34:44  

Definitely do that. Are you God? Where

Jodi Daniels  34:47  

can people find you and learn more about all the wonderful VCISO services that you offer?

Donna Gallaher 34:55  

So my website is NewOceansEnterprises.com or The other way to reach out to me is LinkedIn is I'm usually pretty active on LinkedIn. Just connect with me so you'd like to learn more and let me get back to you.

Jodi Daniels  35:13  

Well, wonderful. Donna, thank you so much for all your expertise today. We really enjoyed it. fun as always,

Donna Gallaher 35:21  

thank you guys for having me. Really appreciate it.

Outro  35:28  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven't already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.