
Intro 0:01  

Welcome to the She Said Privacy/He Said Security podcast. Like any good marriage we will debate, evaluate and sometimes quarrel about how privacy and security impact business in the 21st century.

 

Jodi Daniels  0:21  

Hi, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and a Certified Information Privacy Professional and provide practical privacy advice to overwhelmed companies.

 

Justin Daniels  0:36  

Hello, Justin Daniels here I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

 

Jodi Daniels  0:52  

And this episode is brought to you by Red Clover Advisors who has recently celebrated four years in business. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, ecommerce, media, and professional and financial services. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, visit redcloveradvisors.com. And today we have a super fabulous guest joining us. Caroline McCaffery is the CEO and Co-founder of ClearOPS, a privacy technology company. Caroline has over 20 years of experience in law, privacy, cybersecurity, and she’s a frequent speaker on topics covering privacy, information security, and ethics in AI.

 

Caroline McCaffery  1:54  

welcome to the show. Thank you so much for having me. I’m very excited to be here. Justin, there

 

Jodi Daniels  1:59  

are so many things that Caroline has. It’s like I could have chopped Caroline’s name off and inserted your name here. Ethics and AI privacy security, but she’s the recovering attorney.

 

Justin Daniels  2:13  

But where does it say drone?

 

Jodi Daniels  2:15  

Oh, yeah, no, it doesn’t say drones. Caroline, do you like drones?

 

Caroline McCaffery  2:20  

Oh, I have an appreciation for drones. I would say you know, there’s things that concern me. And there’s things that I enjoy, like watching my son with a little drone playing out in the yard.

 

Jodi Daniels  2:32  

There we go ever come to Atlanta, you can have a real drone less than we have a fancy commercial drone pilot over here. Well, that’s cool. Indeed. All right, Justin, kick us off.

 

Justin Daniels  2:44  

Well, speaking of recovering, why don’t you talk to us a little bit about your career evolution to how you were an attorney and are now an entrepreneur.

 

Caroline McCaffery  2:55  

Cool. Yeah, definitely. Love to so I started out my career working at a law firm called Gunderson Dettmer, which represents tech startups and VCs, my practice was focused on the tech startup side. So I was a corporate securities attorney, and eventually went in house. And my first in house position was General Counsel for a marketing automation company, definitely during the Big Data era. And so when I started that job, and a fellow peer of mine said, if you’re going to be in that position, you really need to get involved in privacy. So this is about 10 years ago, I went to my first International Association of Privacy Professionals conference in 2012, I think it was and quickly realized that yes, based on the interest data that my company was collecting, I certainly needed to be involved in privacy. So I got myself a privacy certification. And then, because of the close link between privacy and security, I decided to really get involved in the security side of things at that company, and quickly became the go to person for anything that was related to privacy and security, including security questionnaires, which is what brings me to today. But then I left that company and I became general counsel and VP of operations for a company called Clarifai, which is an AI company that did image recognition. They were interested in, in my skills, because of the privacy and security component of it. And because they have a lot of images that they’re processing, and clearly there’s a lot of personal data in those images. And so worked with them for many years, and then decided, based on an experience of being the VP of operations where I got a broader exposure to running a business that I should take the idea of responding to security questionnaires is a major, massive pain point for vendors, and see if we could build something. 
So I had met my co founder and who’s he’s a security expert than me involved, actually with the Tor project and has been an infrastructure and networks his entire career. I met him, I decided to start it, we started discussing ideas, and then we decided to just go ahead and give it a shot.

 

Jodi Daniels  5:14  

I love career stories, always one of my favorite parts of our podcasts, I just think it’s so fascinating to see how people have been flow through different functional areas and how they take different turns. Because if you ask most people when they graduate college, did you know that you’re going to be doing what you’re doing today?

 

Caroline McCaffery  5:33  

You probably would say, Oh, yeah. actually didn’t

 

Jodi Daniels  5:38  

know we didn’t even have this concept called a drone. When we were in school, it was like Inspector Gadget like, totally dating myself there. Well, Caroline, tell us a little bit more about ClearOPS and what problem you’re solving for companies today?

 

Caroline McCaffery  5:56  

Yeah, sure. So we are on. So today, when two companies want to do business with each other, especially if one of them is a processor or a service provider, or whatever terminology you want to give to the vendor who is processing the data of the customer, potential customer, or potential customer will send them a due diligence request that essentially is asking whether or not they’re going to respect data privacy laws. And these days, these questionnaires are anywhere from 50 questions to over 1000. We’ve seen one that was 1100, which was pretty crazy for pre customer. Yeah, pre customer due diligence. And so I was very fascinated with the idea of helping vendors because I saw that on the customer side to the buy side, they were being very well serviced by technology software. But the vendors themselves were not, and just wanted to help out those vendors responding. And so we started out building two things. One, one part of it as I was very much fascinated with the concept of the communication gap between your lawyers, your privacy professionals and your security team. And that they had to work on the same for the same purposes. But there was a large, a large communication gap. And then you add in sales, who’s the one who’s fielding these questionnaires, and you have an even broader communication gap. So the first thing I said to my co founder was, is there any way that we can maybe figure out a way to answer these questions without having to involve your engineers. And so we started looking at collecting publicly available data on companies first. So that’s where we went. And now we use that for public data reports. And the information in those public data reports is usable in responding to security questionnaires. But then we also needed to build something that helped with the private data that we couldn’t get access to publicly for responding to security questionnaires. 
And with my, my experience working at an AI company, I knew that NLP natural language processing was a was a great solution for this problem. So so we built that ability for companies to for vendors, to put together collections of their prior answers to help them pre populate an answer more quickly, future blank questionnaires. So it’s really, it’s really at the end of the day, it’s third party risk management, we go out in our layer. And I always say that there’s the great The reason that this is a privacy technology company is because if you look at third party risk management, it’s a task that both the information security team and the privacy team have to do, even though they come at it from different perspectives. They’re both working on the same thing, which is trying to figure out how to make sure the vendors are secure and what they’re doing with all that data.

 

Justin Daniels  8:53  

So I have an interesting question. I just wrote about it on LinkedIn this morning. What do you think is stopping us from being at a point in time with a vendor ecosystem where you basically say, no MFA, no deal?

 

Caroline McCaffery  9:07  

What is stopping us from being at that point in the ecosystem? I, I. That’s a good that’s a really good question. I’m using that as a stalling technique to try and figure out a good answer for that. I do. I do believe that MFA is table stakes. So

 

Justin Daniels  9:22  

I’m just thinking about your software and what your software does from a privacy perspective. But obviously, it’s intertwined with the security aspect. And I just curious how often you see that companies are not using MFA, and they’re allowed to get away with it. Because the thing that’s happening that I see is, if you don’t use MFA, good luck trying to get cybersecurity insurance these days, I think most of the market now is not going to give you insurance. So that may be a market way to do it. But I’d love to hear about it in the context of your

 

Caroline McCaffery  9:53  

software. Yeah, yeah. Well, I mean, you’re I actually 100% agree with you on the cyber insurance, MFA is, you can’t even get cyber insurance right now based on all these ransomware attacks without MFA turned on. Think, think not having MFA for most of your high risk assets, as a company is happening purely due to either a lack of solid communication within the company itself, or just some other, I would say human error as involved. And I think that with my software specifically, you know, we’re in vendor due diligence, that third party risk, being able to detect whether the option for MFA exists is not easy. However, we do have, because we collect all this private information, this business information about the security operations of these vendors. Yes, we know their answers to that question. And that question is always asked. So could customers now make it a requirement that they’re not going to work with you? Unless you say, Yes, we have MFA turned on for not just our own application, but also for everything that we use internally, that it’s at least a medium or high risk. It’s very conceivable that that’s going to be coming down the pipeline in terms of customer due diligence,

 

Justin Daniels  11:25  

because I guess there’s a follow up, does your software have the ability to help people prove that something is the case or not? Because as you know, Caroline, people fill out these questionnaires all the time. Is your security. Great? Yes, of course it is. Because if they’re not going to check, it’s just a piece of paper. So how do you help handle that gap? And you’re right behind mine the gap?

 

Caroline McCaffery  11:49  

Yeah, exactly. Yeah. Yeah, that’s what we’re really obsessed with. And that’s why we pull in the public data. You know, it’s, it’s still, there’s still quite a lot that’s behind, like, I call it under the hood, right? There’s a lot of things that are under the hood. But to the extent that we can figure it out from public data, that is exactly what we do, because of the independent verification. The vendors are under extreme pressure. Whenever they receive a question where they where the, the risk response box turns green, for a yes. And a red for a No, of course, they want to have those green boxes, especially when you’re talking about questionnaires that are coming into the sales team. So there is a high high high pressure on the vendors to respond to in a way that they think the customers want them to respond. I’m not saying that they do or say definitely not suggesting that they should. But there is a high pressure and I am what we have seen. And what we do at ClearOPS is we help companies by saying, You got the security question from this customer, of course, you want to turn it around in 1234 hours. And you can do that. But it might be better for you to take a step back and look at your last questionnaire, the answers that you did there and decide what security you really need to have in place, and then implement that, and then respond to a questionnaire and then you know, you’re going to pass the customer review. And that’s that’s where we have seen a lot of success with with some of our customers who go through that type of process.

 

Jodi Daniels  13:20  

I’d love for you to share a little bit more about how you see the sales teams working with these privacy and security questionnaires. They’re often received them as as a starting point, do you find that they’re kind of the go between they’re answering them first, there’s a bank of answers. The Privacy team is letting them have they work, they bring the privacy and security team to the calls, I’m sure companies are doing a variety of different approaches, it would be really fascinating to hear what you

 

Caroline McCaffery  13:49  

see. So it sort of depends on enterprise versus SMB. At the enterprise level, what we have seen is entire teams dedicated to just responding to security questioners. And that’s their job. And so they have created a bank of a repository of the answers. They’re constantly keeping them up to date by going into the repository and updating them when, when appropriate. They even have systems where they send reminders to various other teams that they need to go in and update some of the answers in the repositories. So the sales team doesn’t even handle it. They’re just a go between they get the security questionnaire and they send it to this dedicated team dedicated team answers it sends it back, and that’s their process. It’s the SMB, that’s a bit more all over the place. So at the SMB level, you will have quite a lot of companies where the sales team takes in the questionnaires and handles it completely. So all they do is they create, you know, they basically pull up the spreadsheets that the questionnaires they filled in in the past and they pull up like two or three of them. And so they have multiple spreadsheets on their screen, and they’re just doing a copy and paste job wherever they think is reasonable. And in that situation. A lot of times questionnaires are being distributed to whoever the sales team member was that received it. So you may have a complete disk. You may not have collaboration on what the answers are going to anyone to their customer, because there’s no central repo of those answers. It’s just literally that individual salespersons sort of database versus another salespersons database. And in case you can’t hear it in my voice, I’m very worried about situations. Other SMB may actually have an information security team, or a privacy team that decides to own and that’s a good process. 
Because to that, to the point I just made, as long as you know, your answers are being consistent, and you’re keeping some sort of repository of those answers, then you you haven’t, you know, you have at least some idea of the consistency of the information that you’re, you’re presenting to your potential customers. However, the incentives are misaligned. So a salesperson is commissioned for each sale, the information security team is not security questionnaire is required to be done before the sale can happen. So sales team is highly incentivized to do that security question and get it done. Information Security, under budgeted has no bandwidth, and therefore very, very low priority for the security questionnaires to get done, they have no real incentives to push them on that. And I, I see that as honestly the biggest problem. And that’s where something like the CEO, or you know, someone who’s an operations or someone in finance starts to get these security questionnaires across their desk. Really interesting

 

Jodi Daniels  16:41  

point that you highlighted, I don’t see that as a discussion, oftentimes about the sales team incentive as incentives compared to the other team members that they need to help them get that sale across the finish line. It’s a really good point that people need to be thinking about a little bit more closely and how they can make it more equitable, so that everyone as a company is moving in the right direction.

 

Caroline McCaffery  17:09  

I mean, I love to point out to especially information security teams, who I said are frequently you know, under budget, exactly. start tracking, how many questionnaires you’re doing and how many hours is taking you and then use that as you’re now not a call center anymore. You’re helping sales like this is the this is an allocated piece of your line item that is selling for the company

 

Jodi Daniels  17:30  

exactly like that, as long as that security team also is doing the privacy questions, because oftentimes, we see the questionnaires are one sided, right and more to security, they’re forgetting the privacy side. And there’s so many other questions these days with the rise of the various privacy laws, and how companies are using that data, we really need to be making sure that all companies are considering that I couldn’t not have my privacy plug

 

Caroline McCaffery  17:56  

here. Well, I mean, definitely with the new Standard Contractual Clauses Annex II, it has a mixed match of privacy and cybersecurity typical standards, critic questionnaire type questions on it. And right now, and the privacy questions, which I think are incredibly challenging to answer, such as, what are your measures for data minimization?

 

Jodi Daniels  18:19  

I had a company this morning asked me, Do companies really purge their old records? And an AARP said, well, they do. But it’s tied to your business purpose and legal requirements. And you need to evaluate all of those. They were in the eye keep it forever.

 

Caroline McCaffery  18:39  

Yeah. Yeah, I mean, and there’s, there’s problems in a lot of the software that I’ve seen as, particularly as a startup, actually, because as a startup, you’re going through different processes, particularly fundraising process, you get asked to put all your startups information on all these different portals. And I have tried to go through through and keep track of all of them and then delete my data. And you can’t, there’s actually no option to delete your data. So that’s why I still think privacy is young.

 

Jodi Daniels  19:06  

Second, and he pointed out.

 

Justin Daniels  19:10  

So you had mentioned earlier about this communication issue, which seems to be the impetus behind your company. So I guess talk a little bit about how, what your target what the impetus behind your company is transforming the way you have to look at corporate governance because you know, Caroline, I listened to how you talk about how the how to incentivize the information security team differently by those data points you discussed, isn’t what you’re really talking about, is creating a cross functional team and a culture where these different stakeholders have to think differently because they all have something to add as opposed to sales saying, We don’t want those information security people because they’re the deal killer. I mean, they’re a version of you and i is the lawyer don’t go get them. They’re the deal killer. So I’m thinking around your challenge, talk a little bit about how a company These need to approach that corporate governance issue differently.

 

Caroline McCaffery  20:04  

Yeah, I mean, and I’ll answer that with with the, with the real case. So Delta suffered a breach back in 2017. And they filed a lawsuit against a company a vendor called [24]7.ai, this is in the Southern District of New York. It’s a real case. And I’ve been sort of tracking it. And basically, Delta claimed a bunch of different things. fraud, misrepresentation, of fact, all kinds of things that [24]7.ai was, they alleged was the reason that they suffered the breach. And that [24]7.ai, didn’t disclose, or maybe lied about the security questions that they answered. I bring that up, because you have an absolute communication problem within businesses, if you have a legal team, if you have a privacy team, if you have an information security team, and if you have a sales team, all of those individuals should be involved in responding to these security questionnaires. Why aren’t they? Because it takes a long time to get them to all, you know, look at this thing, right? It’s a collaboration and a workflow issue more than anything else, but they’ve been a little bit siloed. And so now, you have this process where who it’s like, who will deal with this horrendous object that’s in our way to get the customer sale? And so we’ll just we’ll do the fastest path and have it you know, have this person just handle it by themselves. And then if something happens, we’ll worry about it, then. Well, okay, so let’s, let’s take a look telling us kind of example, so salesperson responds to the security questionnaire, they put it on their computer, answer the questions, and then email it back to the client. So now it’s an email attachment that went back and forth between sales, right? That salesperson leaves the company, just like any good data retention policy, you purge your emails every six months? Well, the statute limitations for disputes and contracts is sometimes two, sometimes three years. 
So two years go by, and there’s now a contract dispute because the your, your customer, is now claiming that you’re the cause of their breach, and that you lied and your security questionnaire. So you go try to find a copy of that security questionnaire. You can’t, because it was an email attachment, and the salesperson is gone. So you can’t ask that person. Any questions anymore. So now what do you have, you have a buyer who has all that information on their end, because they have good systems in place where they kept a record, and you don’t, you have no idea what you’re up against. And so when you do you have to settle. It’s just an insert of the liability and the cost of that one person and getting know that the advantage of getting that customer maybe a month or two earlier, because you wanted to avoid the hassle of bringing in legal and information security and everyone who just double checks, everything is now born out two years later, when you have to literally let go have the company, the customer churn, and you’re suffering through a massive settlement issue.

 

Justin Daniels  23:08  

It’s even, it’s even worse because the the salesperson has zero incentive to want to bring in the other stakeholders because it slows down their deal, it could blow up the deal. And they’re typically compensated on getting deals across the finish line. So you have that problem. Because salespeople can’t stand dealing with when I deal with them. And it’s a challenge because we’re in the way of their compensation in their deal. It’s almost like you have to rework the compensation to incentivize them to bring in these other stakeholders or they’re lining themselves up for exactly what you talked about.

 

Caroline McCaffery  23:45  

Yeah, I 100% agree that I mean, it’s it’s true. And they’re incentivized also shorten the timeframe of getting the deal right. So it’s, it’s, it’s definitely it’s, it’s a, it’s a battle that I believe wholeheartedly in trying to, you know, win at the end of the day that we get back those those channels that workflow streamlined and improved, because it’ll just be a win win for everybody, including the salesperson who’s commission based, because once the workflow process is established, they can actually get those questionnaires out faster and get the deal close faster. I mean, I know for a fact, these questionnaires, this due diligence that’s happening for privacy and security purposes, has slowed down enterprise deals that were taking six months there now a year. This is the root cause. And in

 

Jodi Daniels  24:36  

that diligence, are you seeing a trend? You know, there’s questions you mentioned, right? Yes and no. And this is always a debate. Sometimes one side wants to actually see the policy the other side as well, but that’s my policy, and that’s proprietary. What are you seeing are people uploading whole things is are they doing screen shares? Is it a third party audit, that’s coming to test part of That would love to hear a little bit of, you know, anecdotes, stories of what you’re saying.

 

Caroline McCaffery  25:05  

Yeah, I mean, I think the the, I call it the trifecta of vendor due diligence. The trifecta of vendor due diligence is a security audit, public data and private data. So right now, ClearOPS does the private and the public data, the security audit is what I’d say is the third thing. So that’s the independent third party who can go in and look at the private data in the public data and confirm that they’re not seeing any loopholes or any gaps or anything like that. So yeah, so I think, when it comes to, when it comes to vendor due diligence, the the yes, no, the policies, the artifacts that all these companies are asking for. I actually disagree a little bit with that process, because essentially, what you’re saying is that they need that they, they have an in-house expert on how to do privacy and security audits. And as far as I can tell, most even large enterprises don’t have someone who’s fully dedicated to being a privacy and security auditor, I think that is better left to outside consultants who do it all the time. It doesn’t have to be a formal, you know, SOC 2 audit or ISO 27001. I just mean someone who understands how to do a true vendor audit, that they should be the ones looking at the if they’re going to look at the policies, they should be the ones looking at the policies and doing all that kind of stuff. I actually don’t recommend to vendors if they share, like, for example, their network diagrams, because it’s very confidential information. And I don’t know if they’re sending it over an email attachment, like, first of all, the security of just that is pretty, usually circumstance talking about multi factor authentication. So why why would you trust this potential customer, you may or may not even have an NDA with, with your network diagram like that, to me is, is? It just shows bad security? Actually.

 

Jodi Daniels  27:08  

I appreciate it. Thank you so much, that was helpful to see what others are viewing in the marketplace? Well, turning to

 

Justin Daniels  27:18  

more of a personal question is, every guests that we have on our show, we like to ask you, what is your best cyber tip?

 

Caroline McCaffery  27:25  

Well, you took it from me, because I would have said multifactor authentication, you can

 

Justin Daniels  27:33  

feel free and say it become an informal poll.

 

Caroline McCaffery  27:38  

And it’s exactly to the point that you made, which is, it is your best defense right now in terms of like ransomware. And what’s very popular in data breaches and phishing exercises. But it’s also table stakes for getting cyber insurance like you can’t get you can’t bind coverage right now, unless you click that box that you have multi factor authentication, so why wouldn’t you? You know, just, I just think it’s worth saying over and over and over again, just turn it on, get it figured out.

 

Jodi Daniels  28:07  

Excellent. Well, you can join it is our most popular answer. Now, when you are not doing all things, privacy and security, what do you like to do for fun?

 

Caroline McCaffery  28:17  

Um, I mean, it sort of depends a little bit on the season, because I’m a big skier snow skier. But I also do love cooking, so I’ll do either one. Yeah, like your T shirt. Yes. My mother was on the British ski team. Back in the 60s. And so we I grew up skiing, and just a big lover of snow skiing, even though I tore my ACL. And that slowed me down a little bit. I still like it.

 

Jodi Daniels  28:42  

Do you ski east or west?

 

Caroline McCaffery  28:45  

We do both. We try to go out west at least once this season, for about a week. And then we do weekend trips on East Coast, cuz that’s where we live and so we can get there fairly easily.

 

Jodi Daniels  28:56  

Very, very nice. Now, where can people connect with you if they want to learn more about you and ClearOPS?

 

Caroline McCaffery  29:03  

Thank you for asking that. Yes. So our website is clearops.io and people can always email me I’m caroline@clearops.io And love to hear from anyone love to talk about this. This what I call. What I say to people is you know, I found security questionnaires to be such a painful, boring, awful process decided to do it every single day of my life.

 

Jodi Daniels  29:25  

Why you decided to make it better. Thank you so much for sharing all of your insightful stories, your journey and how you are helping companies to make sure that they’re going through the due diligence properly. We really appreciate all that you offer today.

 

Caroline McCaffery  29:40  

Thank you so much. And thank you so much for having me. I appreciate it. It’s really fun.

 

Jodi Daniels  29:43  

Absolutely.

 

Outro 29:48  

Thanks for listening to the She Said Privacy/He Said Security podcast. If you haven’t already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.