Prioritizing Basic Privacy and Security Controls

Host (00:01):

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and a certified informational privacy professional. And I help provide practical privacy advice to overwhelmed companies.

Host (00:19):

Hi, Justin Daniels here, I am passionate about helping companies solve complex cyber and privacy challenges during the life cycle of their business. I do that through identifying the problem and coming up with practical solutions. I am a cybersecurity and business attorney,

Host (00:37):

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, e-commerce media agencies, and professional and financial services. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there’s greater trust between companies and consumers to learn more, visit redcloveadvisors.com. And today I am so excited. Our dog Basil would also like to join the podcast, but today I’m so excited for my longtime friend, Sabrina Serafin to join us on the show. So Sabrina welcome.

Sabrina Serafin (01:33):

Hello, good to be here.

Host (01:35):

So Sabrina is a partner with Frazier and Deeter and the national practice leader for the firm’s process, risk and governance practice. She is a frequent speaker at local and national events about topics like cyber security, data privacy, and internal controls. She is also the host of the Culture of Compliance podcast. So I encourage all our listeners to go check it out. Well, Sabrina, welcome to the show.

Sabrina Serafin (02:04):

Thank you for having me. I’m so excited to be here.

Host (02:07):

Absolutely. So to get us started, tell us how you all started in your career and tell us a little bit more about what you’re doing now at Frazier and Deeter.

Sabrina Serafin (02:19):

Sure. Well after graduate school, I actually started with you the same day at Deloitte. So I’m sorry if I date you couple of decades ago. And I, I really gained a passion for what controls can do for an organization. Meaning coming in and auditing an organization has a connotation to it. And I would have to admit it’s somewhat negative, but when you have appropriate controls in place, it can actually be a beneficial environment for your internal users and your external users. So I really started to get a passion for what having the right controls in place can do for an organization. One of the things that I realized once I was working with one of my clients was being on the road was particularly a challenge for me at that time in my life. And so one of my clients turned to me and had offered a position as a privacy consultant.

Sabrina Serafin (03:38):

And I said a privacy consultant, why? Gramm Leach Bliley Act legislation that was impacting financial services organizations. And it was really one of the first times that the industry had to really take a look at themselves and determine what they needed to do to self police and to protect us our financial users in the, in the environment, in the financial services industry. And so I had said when they had offered me a position that I can audit IT controls, I am not an attorney, Justin, I don’t know anything about these, these new privacy laws and the response from the chief security officer was we can teach you about privacy, but we can’t teach you how to audit and what CheckFree corporation, which was the client that I had been working for. And I had been helping to test their security controls.

Sabrina Serafin (04:52):

I made the switch and became internal to an organization and had to start explaining internally why a certain control and in a lot of organizations, controls can be considered administration can be seen as a burden as an extra step in trying to do my job. And so I’ve, I really early on learned how you present the value of an activity or a control or a policy procedure really starts with how you’re presenting the value to your internal users. And then your internal users can then be really passionate about how it impacts or supports external users. So being on that other side of the table, Jodi when the opportunity at Frazier and Deeter came up to really start an advisory department, I took that opportunity because I thought I have now learned how to communicate to an internal organization, the value of the controls that I would now then be auditing again, full circle

Host (06:11):

That is often what happens? I feel like I, I was an auditor and I’d audit financial controls, and I talk about financial data and financial processes. And now I talk about personal data and personal data related processes. So I often say that I have come completely full circle. I just swapped the financial data for the personal data.

Host  (06:37):

Well, if you’ve come completely full circle, how come you’re not able to put in some policies and procedures to ensure that the garbage is taken out to your satisfaction, every Tuesday

Host  (06:47):

It doesn’t fall in personal data or financial data. If it fell on one of those buckets, I’d be okay.

Host (06:54):

Maybe Sabrina has some ideas on how we could get your husband to do a better job.

Sabrina Serafin  (06:58):

She just going to say, Justin, I can, I can help process and improve.

Host (07:03):

We’re going to bring her in. We’re going to discuss your schedule and what you’re doing wrong. And there’s going to be some check marks along the way of what you can administrative process administrative processes she has you covered.

Host (07:13):

So with that segue in mind, Sabrina love to hear your thoughts about what are some common security controls that companies are missing out on that would benefit them.

Sabrina Serafin  (07:27):

Well, I think that what we are looking at right now is a lot of organizations overestimate the value of very basic, simple and inexpensive controls. And they underestimate the overall cost that could be allotted to their control environment. And there’s a misunderstanding that some of the basic controls, which are often overlooked and I’ll, I’ll say security awareness, training, privacy awareness, training reviews of policies and procedures, regular communication of the importance of privacy laws and the obligations that we have to our users, our customers. Those, those to me are very simple ways to increase the impact or increase the awareness of our obligations to our customers. But also very simple. If you, if you look at the anatomy, the anatomy of a breach, very often, you’ve got one of two situations, someone it’s human error, and that can be argued, could be innocent or malicious or patching, simple blocking and tackling. I use patching as an example is something that doesn’t have a high priority often, but when you miss a patch can open you up to such incredible risk that we don’t necessarily give it. It’s just too. So that is my answer to your question. Justin is really not focusing on the simple, basic blocking and tackling overestimating the value of those controls and then underestimating the investment that we should be putting into, into our, into our security and privacy environment.

Host  (09:35):

I’m going to let you take the next question. Oh, it looks like you were so excited to go, as you can tell our, our dog is joining our, our conversation. You mentioned the security controls using patching as an example, if we don’t patch, it opens ourselves up to significant vulnerability and potentially a data breach. We’re seeing a rise of ransomware incidents. And so I’m curious, are you seeing an increase either in conversation from companies saying, well, what do I need to do so that I’m not going to be impacted by that? Or are you, you know, are clients asking what, what do I need to be doing to in case of a ransomware? I, I’d be curious to hear a little bit more about how it’s impacted the conversation and the type of work that you’re focusing on these days.

Sabrina Serafin  (10:28):

That’s a great question because there are a lot of organizations out there selling their solutions. So I think that what’s positive in our environment is that people are aware of ransomware. They understand the potential damage and the potential risk. And I believe that organizations are understanding nobody is too small to fall victim, to some of the the attacks that larger high-profile organizations are, are reporting in the news. So we’ve, we’ve jumped over that hurdle. What we haven’t necessarily jumped over is again, are our organizations making an investment to understand, prepare for, and then have a process in place to remediate, not if, but when it might happen to them, that’s where we’re still trying to make organizations aware that it’s, it’s not, it’s not, if it’s when and so we have to be prepared for all potential for all potential breaches, regardless of the size of the organization or the, the content of the data that they maintain. That is, that is another misconception. Oh, they don’t want my information, but as we talk about hackers or the dark web, or why people are after data to begin with, it’s understanding all data has value to somebody and understanding what value the data you maintain and manage will help to go a long way to focus where you should be putting your energy into your overall compliance program.

Host (12:28):

I can’t emphasize enough what you mentioned around the small business, because so many small businesses think I’m too small and no one’s interested in me. And the way I always explain it is comparing a bit to an alarm system, right? If I have a house and I have the sign out front that says I’m monitored by an alarm system, the robber might decide you’re too hard. You’ve got an alarm system I’m going to skip over to this next house, not everyone, but a lot of them are going to skip over. And for a smaller company, they’re more known to not have as much going on, right. They’re not doing as much to protect themselves. So it’s kind of like the house without the alarm system. And it’s sure just come on in, let’s check it out. And so there certainly tend to be more vulnerable to ransomware and other type incidents.

Sabrina Serafin  (13:23):

Yeah. And I’m going to actually go back to an example that I was making earlier, after a break in, in a house, we were renovating with an alarm system. The local police said, quite honestly, a dog is much better than an alarm system. We see a lower instance of break-ins with homes that have dogs. So it’s, it’s looking at your environment. Not everybody can accommodate a dog, but dog versus the alarm system, there may be a lot of organizations that sorry, families who might say yes, I prefer to have a dog and prefer to rely on the security of my home, to someone, something that I would enjoy. It’s just finding the right solution for the organization that you’re in or the environment that you’re in. That takes just a little extra time to evaluate the risk. And what makes sense for you? 

Host (14:25):

I think I have a business idea because if people don’t want to have the dog, if you ring the doorbell or you come within the vicinity of the house, all of a sudden something triggers in your house and a digital dog would start barking. We could like paton Basil.I mean, if we have deep fake, we can have the digital dog. It shouldn’t be a problem.

Host (14:48):

Maybe not. I think I’ll stick with real dog Fair enough.

Host (14:52):

I know where I stand. You seem so excited. Just think the next topic. I, I think it’s funny, it’s ironic if I asked the question, so, you know, Sabrina, so talk to us a little bit about how GDPR and CCPA and the changing privacy landscape and regulations are impacting your clients. It’s so much fun to hear you talk about privacy. It’s good to mix it up, you know, outside. It’s good to mix it up. It’s not like I don’t encounter that in my industry.

Sabrina Serafin (15:23):

Well, it’s funny that the attorney asks that question, because I will say that the privacy landscape, the legislation, the privacy legislative landscape, if that is the right way to put, it has caused a lot of concerns for clients. I would say that the majority of the questions that we are fielding are, is this going to impact me? What do I have to have in place today to make sure that I can answer the question? Do you comply with, fill in the blank? So we’ve, we often have to turn that question around to going back to originally what I was talking about, identifying the risk to your particular environment. What are the crown jewels of data that you have access to that you, that you receive, that you house, that you deliver? It’s really understanding first, what you have and then trying to apply the various state laws.

Sabrina Serafin (16:38):

GDPR obviously was, it was a large umbrella that many organizations could look at and say, Oh, I don’t have any business with anybody in, in the in the UK. So this doesn’t apply to me. And really we, we spent a lot of the time talking to organizations, making them aware that that is a precursor. What we’re seeing the concerns around privacy that we’re seeing out of the EU are concerns that are going to become concerns here in the US we, we see it, we see it, it starts in the, in the UK, or it starts in Europe. We see it in Canada. And the US is often not early adopters of privacy legislation. We have the obligation to understand, and to implement any changes to policies, procedures, or controls that need to be in place to support legislation and reduce the risk of, of litigation.

Host (17:53):

So with that in mind, and kind of thinking about the security conversation that we’ve been having, or security related conversation we’ve been having, what do you think are the biggest challenges that your clients are facing right now

Sabrina Serafin (18:12):

To, to narrow it down? A lot of clients don’t know what they don’t know. And so we’re seeing a major uptick in privacy, risk assessments, cyber risk assessments, security, risk assessments. And I, and I use the, I use the terminology interchangeably because often when they’re coming to us as an advisory firm, they don’t necessarily know what they’re looking for. They just know they don’t want to be wrong. And so by doing a risk assessment that allows us to have an open-ended conversation to understand, first of all, what are your customers? What are your clients, what are your users expecting from you? Let’s start that’s table stakes, that’s baseline. What are in your contractual obligations? What are in your statements of work, your, your agreements, your service agreements. So let’s understand that baseline. And then before we start incorporating other potential risks, let’s identify are there particular frameworks, whether they’re security or privacy frameworks that we could align the organization with that would address the highest number of potential risks and controls in the environment.

Sabrina Serafin (19:40):

And often Jodi, that may not be the, the privacy. It may not be a privacy framework or the generally accepted privacy principles. We may take it outside of that and look at the NIST framework or look at it at a different framework that provides a little more value. Then are we check, checking the box? So we have conversations around risk exposure, and then we start to do some actual procedures to do some poking around and testing to see if the controls that an organization thinks are in place. Let’s first, make sure that they’re designed appropriately. And then that’s do some testing to be able to give management and understanding of what’s working and what isn’t. So that is, I think overall the biggest challenge is, is, like I said, they don’t know what they don’t know, but they know they should be doing something. And so it’s raining in or hurting all of the compliance cats and determining what are your priorities and what what’s the low hanging fruit we can go to immediately that could create the greatest amount of difference. Justin, you had mentioned, I had mentioned, we talked about patching you know, our, the basic blocking and tackling controls in place. And if they are now, we can take a deeper dive into some of the more complex controls and risks that that hackers are out there trying to, to create vulnerabilities around.

Host(21:25):

Well, knowledge is power. So from your personal perspective, do you have a favorite privacy tip that you’d like to share with our audience today?

Sabrina Serafin (21:37):

Oh passwords. We have to, we have to update our passwords. We have to use password complexity. What is I speak often about security and privacy, and that’s often a question that I get from an audience. Give me just two or three things that I should be doing. And the reason password protection is important is we, we we’ve had kind of a pendulum swing when it comes to passwords where any password or juice we’ll do, just make sure there’s a password that’s protected. And now you have different industries and different organizations that are requiring different complexities. And it almost made us numb to the value of a strong password. And we became as users, we became annoyed with two factor authentication or things that are put in place to protect ourselves because they can be seen as a time-waster or an impediment to me being able to do what I need to do in a timely manner.

Sabrina Serafin  (22:49):

So understanding if we develop our own personal password policy management process, whether it’s for a household that you’re then teaching your family good password health really taking it to a next level and saying, rather than trying to add complexity to my dog’s name, add an, add an, a number and a special character. Why don’t we create a phrase using special characters, numbers, and letters and capitalization that works consistently. So when I’m making those password changes or making those updates, it’s less administrative using, using softwares and other way or any kind of process. I, I’m not encouraging anybody to go and spend money, but develop some of a process that helps make people aware of how important passwords are not sharing passwords. And also if we would take it to the next step, understanding when something is possibly wrong when you receive that message that has a link to click on it, when you receive a request that seems urgent, but is somewhat misplaced. Just having that awareness of, there’s always someone trying to get to what you have and what is my personal responsibility for protecting that from happening. That’s like people to walk away from

Host (24:30):

You you found Justin’s heart there with your password phrase. I feel like it’s what I hear all day long. So Sabrina, when you are not talking about privacy and security, what do you like to do for fun?

Sabrina Serafin  (24:50):

Well, I grew up in Canada, so living in the South I like to do things that are outside in warm weather. I don’t like being out in the cold, so I really appreciate the I appreciate gardening. It’s something that I never imagined I would do living up in Canada because it seemed like a lot of work for just eight weeks of enjoyment, but being here in the South, I’ve been able to enjoy it eight months of the year. So that is probably my priority. Trying to convince my kids to help weed is another hobby. I haven’t quite mastered that one. And we, we love animals. I love seeing Basil there. Henry is right here being quiet. We’re fostering threel cats right now. So we have a busy household.

Host (25:43):

Now, do you garden with for vegetables or sort of like flowers and trees and things like that?

Sabrina Serafin  (25:50):

The, the squirrels and chipmunks have really impeded our ability to grow anything edible, but I still enjoy the beauty that the Southern weather provides so many different native species. I, I do a lot of work with trees, Atlanta. I just really love being outside.

Host (26:11):

If you can help suggest what we should do with our, I had a place for a garden and we’ve done it a few times, but it’s, it’s kind of lonely cause you can’t get your husband to take out the weeds. Sabrina, thank you so much for our sharing. So many important insights on really how companies can take a control and make it not an impediment, not a one more thing, but truly to help move the company from an operational point of view and also obviously to help protect itself and comply with privacy laws. So if people would like to connect with you where best to find you,

Sabrina Serafin  (26:55):

You can go to our website @frazierdeeter.com and there is a link to my bio and they can email me directly.

Host (27:04):

Wonderful. It was great to have you.

Sabrina Serafin (27:08):

Well, thank you for, I’m always willing to talk about privacy and security. I appreciate you inviting me. Thanks. Absolutely.

Host (27:15):

Thank you.