Measuring Cybersecurity and Privacy With a Scorecard With Owen Denby

Intro  0:01

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:21

Hi, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and Certified Information Privacy professional providing practical privacy advice to overwhelmed companies.

Justin Daniels  0:36

Hello, I’m Justin Daniels. I am a shareholder and corporate m&a and tech transaction lawyer at the law firm Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risks. And when needed, I lead the legal cyber data breach response brigade.

Jodi Daniels  0:57

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws, and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services, and digital media. In short, we use data privacy, to transform the way companies do business together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, and to check out our best selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. So Justin, I have an interesting fact for you. I was reading a LinkedIn social post that talked about shied caste format. And apparently, this post was talking about how it’s cool now to have a co host podcast and I thought, Oh, well look at us. We’ve been doing it this way for three and a half years. So we were ahead of the times. Why are you laughing at that?

Justin Daniels  2:00

Why is it funny as our podcast is strange and unique, because it’s the-

Jodi Daniels  2:07

What was part of their whole theme was that the people who have co hosts that really gel and jive together make it really interesting. And those are the podcasts that are doing well. So see, look, we’re cool.

Justin Daniels  2:17

Indeed. All right. Well, we have a great episode here for you today. And I’m going to introduce our guests. So today we have Owen Denby, who is the General Counsel of SecurityScorecard, a late stage venture capital backed cybersecurity company. He is a veteran of SaaS technology startups and a corporate m&a lawyer by training. Owen. Good morning. How are you? Great.

Owen Denby  2:42

Jodi, Justin. Thank you. Thank you for having me today, excited to be on the podcast and to chat with you about some interesting cyber and privacy topics.

Jodi Daniels  2:50

And apparently, you’ve joined us today where Justin has brought his late night DJ voice. Whoa, and we always start our episodes by understanding how people got to where they are today. So can you share more about your career evolution?

Owen Denby  3:07

Certainly, yeah, I you know, I started off and similar to Justin and private practice, and probably also similar to Justin and doing more transactional work, and m&a. And I always was more interested kind of in the stuff that my clients were doing, uh, you know, I love kind of, you know, structuring merger agreements and that kind of stuff, but it was way more obsessed with operations than anything else. And I thought some of the cool stuff that was happening, I was kind of kicked out of the room for you know, I was I get to the point where the deal signs and then I would miss out on some of the, you know, some of those operational decisions, instruction conversations, you know, after a deal close. So, a couple years ago, I went in house to another late stage, health tech company that was acquired by UnitedHealthcare. In, in, in b2b, SAS and the healthcare space. And from there, once that company was integrated rally health, you know, I saw an opportunity to get into the cyber world with SecurityScorecard. And it’s been, it’s been a fascinating ride, you know, learning about a new industry and, and, you know, I’m getting to work with some really talented folks. So that’s where I know.

Jodi Daniels  4:15

Well, you certainly picked an industry that is changing all the time, and has quite a lot of activity in it.

Owen Denby  4:25

Characters to boot, characters, characters.

Justin Daniels  4:30

So, Owen, I thought where we would start the conversation is the SecurityScorecard is known for the scorecard. And so maybe you can talk us through exactly what the scorecard is and how does it help customers evaluate their security posture in a meaningful way?

Owen Denby  4:48

Yeah, you know, it’s really interesting because it’s such an intuitive product, at least our core ratings products are very intuitive. So if you’re thinking about, you know, Moody’s or s&p, you know, doing ratings, doing credit ratings, we do security. headings, you know, which was an industry that didn’t exist 10 or 15 years ago, you know, that we’ve pioneered. So it’s very, very simple, right? It’s the core use case, vendor risk management. You know, and banks use us for diligence, but it’s, it’s looking at the security posture of, you know, I think at this point, we raised over 12 million companies continuously to see, you know, a simple A through F score, you know, what, what can we tell, based on public data, how these companies are doing in terms of their overall security programs. So, so from that the company’s evolved, that that’s a, it’s a very intuitive way to say, okay, you know, if my vendor is, you know, has an F score, that’s something I have to pay attention to, and how are we remediating or dealing with that, but from that point, you know, we’ve done more and more in terms of services and, you know, expanding the product base to really not just the sort of scores itself, but remediation services, tabletop exercises, incident response. And it’s really cool to see how the platform has developed over time to really, you know, to help CISOs and to help security professionals think about their overall risk profile.

Jodi Daniels  6:14

I feel like Justin, you had something you were going to ask,

Justin Daniels  6:16

I guess one follow up question I wanted to ask Owen is when they skirt, a scorecard does do the scorecard rating, and you give us a little window into the process? I think it has a lot to do with the company and their ports and how they connect with the Internet. Because as we all know, that’s a primary pathway for our threat actors to weave their way into their man.

Owen Denby  6:40

That’s exactly right. Yeah, it’s an algorithm that pulls in information, certainly from ports and from hacker channels, and puts this all through an algorithm into a simple score that we can, you know, we can, we can figure out a way to digest you know, where the vulnerabilities are. And we’re able to, we’re able to sort of aggregate a lot of the a lot of vulnerability data that’s out there into, you know, a very simple and understandable way to talk about the overall score. But then breaking down from there, you know how you can remediate different aspects of your security posture. And it’s, it’s great, certainly for your own company. But really the great use case and really where the threats are, to your point, Justin are from third and fourth parties. So how do you manage that landscape? That’s the real challenge that we address.

Jodi Daniels  7:28

Well, speaking of third and fourth parties and other vendors in the ecosystem, sec security rules are a really big popular topic. And how do you see these SEC rules impacting cybersecurity hygiene for privately held companies? Because they are often vendors to publicly traded companies?

Owen Denby  7:52

Yeah, and I laugh a bit, Jodi because this is an interesting topic. And I grill Justin on this all the time, we go back and forth, because I say, Well, I you know, I’m, I’m a private software GCC, why should I care? You know, and the reality is, if you are, if you are a private company, and you are anywhere on the supply chain, right to supplying things up to public companies, which are most sophisticated private companies, that’s just a given that those are your customers, that’s where your revenue is coming from, you know, you’re gonna see more and more flow down requirements as these these rules and regulations and the enforcement of them really ramps up. So it’s, you know, it’s, if you are in the supply chain, it doesn’t, even though you’re not directly reporting into the SEC, what we’re seeing on a day to day basis is more and more flow downs, right? Like how, you know, how our public company customers are thinking about this is how we have to think about it as well.

Jodi Daniels  8:48

I’m curious of your privately held companies, are you starting to see a shift in how they’re addressing what might be on their scorecard? Or are they still in the I’m a privately held company, and those rules don’t apply to me and I haven’t gotten the push down yet?

Owen Denby  9:06

You know, it’s interesting that I think that it makes a lot of sense. I think that the you know, the Biden administration and folks are really targeting the the bigger public companies that have more resources, right, there’s, there’s a theme of inequity across the security landscape, where the, you know, the biggest companies have the most security professionals to address a lot of this stuff. Right. And one of the cool parts of my job is I get to talk to CISOs, you know, on a pretty frequent basis, because that’s a lot of our, our customer base, and the thing that they’re seeing really is that they have to take a more active role in really, you know, shepherding along some of the private companies to say okay, we’ve noticed his vulnerabilities not only not only in your security posture, but some of the vendors that you’re working with and what are you doing to address the those those issues and obviously, you don’t have all the resources in the world. So, you know, we can give you reporting, we can sort of point things out that are vulnerabilities to you, we can be a resource to the is ultimately it’s, it’s, you know, it’s the supply chain issue, everything is flowing up to these bigger companies that, you know, they have more resources to address this kind of stuff. And they have to kind of help raise the bar across the board for some of these smaller institutions as well.

Justin Daniels  10:15

So Owen, and with the SEC rules when you read them, if you key aspect of it is there’s a reporting requirement if you have a material breach, and when you read the rules, it says, some information that would have a substantial likelihood of impacting an investor’s decision, and how do we apply that to cybersecurity? So I was wondering if you could talk a little bit about your thoughts around what an approach to materiality might look like?

Owen Denby  10:43

Well, yeah, Justin, I came on the podcast that I was hoping you’d answer that question for me, because I, I’ve been scratching my head about materiality, and I still have I have, I have no real idea. I mean, to me, if I’m, if I’m, if I’m sitting in the seat of, you know, chief information security officer, a chief information officer, and we have a breach, what am I looking towards to make that determination? You know, certainly I’m, I’m calling up my outside attorneys. And you know, I’m working with my general counsel, but we don’t have we don’t have enough data or benchmarks to make that determination. Like what? What constitutes materiality? What were the, you know, what are the dollar thresholds? What are we seeing from other companies that are reporting these kinds of breaches? So if anything, I’m probably taking the cautious view and reporting. But, you know, over time, I think it’ll be really interesting to see as we get more and more of these filings to get more consistency in terms of what’s reported and what’s not. And pulling in some of those benchmarks will be really instructive. From my perspective.

Jodi Daniels  11:49

Well, let’s turn and talk about my favorite topic, which is privacy. And how often are you seeing privacy overlapping with the deployment of scorecards, professional services and software products?

Owen Denby  12:03

Yeah, it’s a great question. Because I think that the podcasts, for example, this, you know, the idea of cyber and privacy are so interconnected. They’re almost inseparable, in my view, I mean, our, our customer base, for example. I mean, we, you know, we have to be leaders in security. I mean, our internal security is paramount to us, because it involves customer trust. And there’s a privacy aspect, that’s just, you know, intrinsically linked. So, you know, we do our best to have some sort of world class privacy practices. And as our as our services have, have rolled out into kind of different use cases, handling more sensitive data, let’s say on an incident response, we have to be very, very careful and in terms of power, how we’re working through those issues and how we’re handling confidential information and personal information for our customers. So it’s, I think it’s it’s a, it’s a more heightened scrutiny for us, even though we’re not in an overly regulated industry. It’s just the fact that cyber and privacy are so key, and it’s so key to customer trust to get it right.

Jodi Daniels  13:07

Are you seeing any impact from the flurry of new privacy laws on how companies are looking at their security posture or you know, who else might be a part of the team that might be using the scorecard?

Owen Denby  13:23

Well, I’m going to bring up my favorite trite topic that everyone’s talking about these days. And that’s AI, because that’s where we’re really seeing the biggest push, I mean, we’re, you know, we’re in the end of our quarter, and our customers, you know, are looking to us for guidance on our AI AI tools, because they want to make sure that, you know, we are handling input securely. You know, we’re thinking about thinking ahead of the curve in terms of how are we eliminating bias from the AI that we use in our platform? So that’s the biggest hot topic, I think, and I know, it’s be curious to hear your views? Because I know it’s true. Everyone’s talking about AI these days. But I do see, especially with some of the new European guidance regulations that are coming out, I think that it is the number one topic that’s top of mind for our customers. So just thinking about it in an intelligent way to make sure that we have best practices.

Jodi Daniels  14:19

Wouldn’t be a podcast without AI.

Justin Daniels  14:22

And speaking of AI, how does security scorecard you AI and how it may influence its product offerings to its customers?

Owen Denby  14:36

Yeah, yeah, it’s a great question. I mean, we it’s such a powerful tool, and you have to be obviously careful and have guardrails around it, but, you know, we we see a future in which, you know, instead of going through tabs and navigating things, imagine if you had, you know, imagine if you had a, an AI insert, or you had some sort of a chatbot that could easily answer any question that you wanted to know about your security posture. And the security posture of, of, you know, your entire third party attack surface. So, so thinking about that in an intelligent way, like making it so user friendly, that you’d be able to do that if you’re, if you’re a Cisco, and you, you know, just log into the platform, and you can easily ask questions and get answers. But from our perspective, how do you manage that, you know, that incredible user experience that we’re trying to create, while being sensitive to a lot of the privacy and security issues around that? You know, I think that is where a lot of companies are heading in SAS, and not just us and not just insecurity. So finding ways to do it. That’s, that’s both enriching the user experience, but, but being being very cognizant, you know, for your customers, and creating trust with them that you’re that you’re doing it in a smart way with the right guardrails in place.

Justin Daniels  15:58

So I have a thought, and I’d love to get going your thought and God, maybe you as well is, Owen, from our security hat. We have the CIA triad. And most of the time we deal with confidentiality, breach or availability ransomware. And I’m wondering how much you’re starting to see or hear or will come where with AI CISOs are starting to worry about, well, gee, if somebody puts bad data into the training model, or into the learning reinforcement part of it. And now that bad data is giving me crappy results that will undermine trust in AI. And that goes to the integrity of data, which doesn’t get talked about as much. But that may be coming into vogue. But what do you guys think about that?

Jodi Daniels  16:42

I think they call that poisoning of data, which I thought was just a really fascinating phrase and risk that I don’t think most people are talking about. And it’s absolutely real. I mean, if I was a bad actor, I would try and poke holes wherever I can. And that’s a really interesting one to get to the heart of whatever the model is meant to be doing.

Owen Denby  17:05

Yeah, it’s a two sided problem, right? Because there are two risks, there are two things to think about, in my view, a lot of our customers are focused on both sides. You know, it’s the inputs and the data and where that’s coming from. And also the outputs and the hallucinations and everything that comes from that. So it’s, I think you have to think about it holistically. Like it’s not just one risk, it’s really, it’s really two, it’s two different things you’re trying to solve for.

Jodi Daniels  17:28

Owen, when what are some of perhaps the big themes of challenges that you’re hearing from companies? We’ve talked about AI? There are these SEC security rules and the plethora of privacy rules and regulations, but I’m just curious, do you see kind of a common theme, any specific areas that companies keep trying to tackle?

Owen Denby  17:51

Yeah, I do think there’s a lot of focus, you know, certainly with, there isn’t there’s an increasing regulatory scrutiny and focus on cyber, and you know, that we get to chat with a lot of CISOs and sort of see what’s top of mind, but certainly, there’s, there’s the thought, and this is a community that after the SolarWinds case, you know, we’re there Cisco was, you know, was was prosecuted by the SEC, for fraud and internal controls failures, there’s the thought of, okay, I could be at risk my job, I could be personally liable for things that my company is doing. So that has folks, you know, not slipping so well at night. There’s this idea of, of, okay, well, with these new cyber rules, how am I being more prepared? And how am I? How do I sort of guard against that? So a lot of folks are thinking about this supply chain issue where I have to expand sort of my continuous monitoring of a lot of these vendors. And that’s another sort of theme to that, that we hear a lot from CISOs is that it’s not, you know, typically, it was the kind of thing where you’d review your software once a year, you know, you’d look for vulnerabilities, you do review of all your vendors. But that’s not enough. You know, it’s not even quarterly isn’t enough, it has to be something that’s more continuous. Yeah, and I think, I think that there’s a focus now, especially with the new SEC rules of making a cyber program that’s more objectively defensible. So that’s kind of bringing in KPIs metrics to show not only where your posture is currently, but how you’re improving over time, because there just is a lot of regulatory scrutiny. And not just from the SEC, you know, from the FTC, as well from other agencies that are very, very focused on cyber. So it’s a it’s a, it’s a challenging regulatory and legal landscape, and it’s how companies are responding and thinking about through those things, you know, in a corporate capacity, but also if you’re in the CFO role, you know, you’re you’re you’re worried about your own, your own role and your own liability.

Justin Daniels  19:57

Owen I wanted to ask you a question kind of taking you back. Back to your general counsel days that predated the scorecard. And maybe give us a sense, maybe from your experience or the other in-house attorneys that you know, what is it like these days as an in-house legal department to be stretched in so many different directions. And now you have this confluence of events with privacy, regulation, cybersecurity, everywhere. And now, AI and what it means and, you know, as an in-house lawyer or general counsel, it’s like, it’s like you’re drinking from a firehose, even more than usual? How do they contend with that?

Owen Denby  20:38

I don’t know. I’m still trying to figure it out. It’s, it’s, I’ve always I’ve always approached it in sort of these new regulatory challenges. As you know, I’ve always been very intellectually curious about it. But that doesn’t help me on a day to day basis. Because, you know, there’s, there’s folks there’s, there’s things that we have to kind of really focus on. I mean, I think it’s just a question of prioritization. And, and a lot of what we try to do, you know, obviously, we’re trying to keep up, but we’re thinking about things, you know, in sort of a market setting, like, what are our competitors doing? What are other folks in our space doing? How are they thinking about these issues? We do a lot of benchmarking against, you know, where’s our compliance program versus versus others? You know, we are at a market standard, because, you know, with privacy and cyber, it’s a continuously evolving process. And I think that I think that thinking about your customers and their problems, first, is usually the way to go. I mean, it’s certainly from a revenue perspective, but they’re, they’re issues that your, your buyers, and your customers are caring about the most, and you want to be at the forefront of all of those. And you don’t have all the resources in the world. So starting, there is usually the best point I found.

Jodi Daniels  21:52

Knowing what you now in the security space, what would be your best security tip that you might offer your non security friends, when they’re curious what you do, while they

Owen Denby  22:06

I was gonna steal Justin’s and say, show me the documentation. But that one’s already taken. So I’ll go back to, to, to the one that I constantly talk about and a variety of contexts, but I think it’s preparedness. You know, I think that the more that you can do now, are you if you’re, if you’re worried, you know, your future proofing for some kind of incident to happen by, you know, having having a law firm on retainer, that’s going to help you if when that happens, like having all of those having a very clear playbook if if something goes wrong, if there is an unfortunate incident and practicing that, and having a really tight relationship with your CISO, to know exactly what what steps you have to take, if something unfortunate happens, and you can’t be you can’t be too too prepared, and especially in this sort of not only just the as the attacks are getting more sophisticated, but as the regulatory climate really increases in the as the scrutiny increases, that the pressure is going to increase. So, you know, certainly preparedness is my number one tip.

Jodi Daniels  23:12

Always a good one. Be prepared to help but have musical songs in my head. Yes.

Justin Daniels  23:20

So Owen when you are not helping security scorecard, have the cyber message to everyone. What do you like to do for fun?

Owen Denby  23:30

Well, I was going to ask you both who you’re picking for the national championship in basketball, because as we’re taping now, I think we have 30 minutes before the deadline? I’m not totally decided yet. So

Jodi Daniels  23:42

I’m leaving all the Justin. No, I’m leaving. I have absolutely no idea.

Justin Daniels  23:49

That will be the Cleveland Browns

Jodi Daniels  23:50

Oh will go away. I don’t know.

Justin Daniels  23:56

I’ll just say North Carolina, North Carolina, because Carolina has blue and white shoes.

Jodi Daniels  24:01

Because she has blue and white shoes. There you go. All right, there we go.

Justin Daniels  24:05

Jodi is real live.

Owen Denby  24:07

So I’m picking UConn you know.

Jodi Daniels  24:12

I wouldn’t pick my home state.

Owen Denby  24:15

I’m also from New England. So I grew up in Rhode Island. So sort of close to home there. You know, I have two young kids so I don’t really have any hobbies. I’ll be honest. We’re taking our oldest to Disney World next week. And that’s kind of the big —

Jodi Daniels  24:29

Say hi to Mickey Mouse for me and have some Mickey waffles. So that’s not the point. Okay. And he should say yes. If he’s willing to say hi, then.

Justin Daniels  24:41

I’m gonna tell him this, one parent to another, bring your walking shoes because you’d be doing some walking.

Owen Denby  24:48

And Justin and I just promised that we played pickleball at some point so I loved it when I have time. I’d love to get out, get outdoors and anything with hiking, biking, that kind of stuff. So we you know, I think that Justin had a really intense biking trip with another goal scorer so I know that he’s into competitive sports so well, next time.

Jodi Daniels  25:06

That is an understatement. Well, I want it’s been a true pleasure having you here. If people would like to learn more and connect, where should they go?

Owen Denby  25:17

SecurityScorecard,check us out, go to our website, you can learn a lot, you can learn a lot there. You know, happy to answer any questions that anyone has. You can always email me odenby@securityscorecard.io If you have questions about the platform, or if I can direct you to the right folks that can help you. We, you know, we love chatting with folks and trying to understand their security challenges and how we can help so but thank you so much for having me today. And maybe someday I’ll get invited back. I don’t know. Pickleball knows I better throw the game and that in that sense that.

Jodi Daniels  26:02

Well, thank you so much again.

Owen Denby  26:05

Thank you so much.

Outro  26:10

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.