What is Communication’s Impact on Your Security and Privacy Program?
Melanie Ensign is the Founder and CEO of Discernible, a company that is uniquely specialized in addressing communication challenges for cybersecurity, privacy, and risk organizations. Melanie has extensive experience helping security teams deliver successful outcomes for their customers and partners through the application of effective communication.
Before founding Discernible, Melanie managed security and privacy communications for some of the world’s most notable brands, including Facebook, Uber, and AT&T. She currently leads the press department for DEF CON, the world’s largest hacker conference.
Here’s a glimpse of what you’ll learn:
- Melanie Ensign shares her background and how she got to where she is now in the security and privacy career
- The similarities between sharks and hackers, and how Discernible coaches clients who are in a state of fear
- How Melanie uses communication skills to help her clients through a security and privacy crisis
- The biggest privacy-related communication challenges that companies are facing
- What are some ways a company can avoid being seen as privacy washing?
- How Melanie bridges the divide between IT and the C-suite, whose communication styles differ
- Discernible’s strategies for communicating the value of privacy to companies in the data economy
- Melanie’s best cyber and privacy tips for individuals and companies
In this episode…
Are you struggling with communication challenges while trying to address cybersecurity, privacy, or risk at your organization? What if there are ways you can perfect your communication skills and stay compliant?
For you to deliver successful outcomes to your customers and partners, your security teams need to develop effective communication skill sets. Melanie Ensign says that most of the barriers around success involve a lack of effective communication and partnerships with key stakeholders and customers — and many security programs fail to recognize this reality before it’s too late.
In this episode of the She Said Privacy/He Said Security podcast, Jodi and Justin Daniels sit down with Melanie Ensign, the Founder and CEO of Discernible, to discuss the impacts of communication on security and privacy programs. Melanie talks about how she uses communication skills to help clients in a security and privacy incident, the privacy-related communication challenges that companies face, and how she communicates the value of privacy to companies in the data economy.
Resources Mentioned in this episode
- Jodi Daniels on LinkedIn
- Justin Daniels on LinkedIn
- Red Clover Advisors
- Red Clover Advisors on LinkedIn
- Red Clover Advisors on Facebook
- Red Clover Advisors’ email: firstname.lastname@example.org
- Melanie Ensign on LinkedIn
- Melanie Ensign on Twitter
Sponsor for this episode…
This episode is brought to you by Red Clover Advisors.
Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.
Founded by Jodi Daniels, Red Clover Advisors helps their clients comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, SaaS, ecommerce, media agencies, professional services, and financial services.
You can get a copy of their free guide, “Privacy Resource Pack,” through this link.
You can also learn more about Red Clover Advisors by visiting their website or sending an email to email@example.com.
Welcome to the She Said Privacy/He Said Security podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.
Jodi Daniels 0:24
Hi, Jodi Daniels here. I'm the Founder and CEO of Red Clover Advisors, a certified women's privacy consultancy. I'm a privacy consultant and Certified Information Privacy professional, providing practical privacy advice to overwhelmed companies.
Justin Daniels 0:39
Hi, Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I'm the cyber quarterback helping companies design and implement cyber plans as well as help them manage and recover from data breaches.
Jodi Daniels 0:56
And this episode is brought to you by, you need to go to drum school this week, Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, eCommerce, and b2b service providers. In short, we use data privacy to transform the way companies do business. Together, we're creating a future where there's greater trust between companies and consumers. To learn more, visit redcloveradvisors.com. You're ready for a good show?
Justin Daniels 1:34
I think so. Do you know who's playing in the Super Bowl this weekend?
Jodi Daniels 1:37
No, I don't. We're not going to talk about sports. I fail at sports. You kindly remind me that all the time.
Justin Daniels 1:43
Okay, then moving right along.
Jodi Daniels 1:47
Well, I'm so excited for our guest today. We have Melanie Ensign, who is the Founder and CEO of Discernible, a security and privacy communications consultancy. Previously, she led security, privacy, and engineering communications at Uber. And she currently leads the press department for DEF CON, the world's largest hacker conference. Melanie, welcome to the show.
Melanie Ensign 2:16
Thank you so much for having me. Nice to see you both.
Jodi Daniels 2:19
Super excited. We know that you're very excited about DEF CON.
Justin Daniels 2:22
I think that coffee I brought you home this morning has put an extra steam in yourself.
Jodi Daniels 2:28
I know, I can feel it waking me up. I was very sleepy earlier today. Thank you. Can you bring coffee every day?
Justin Daniels 2:35
Jodi Daniels 2:36
It was really fun. Some? Are you going to kick us off?
Justin Daniels 2:40
I can. Why don't we start from the beginning? So Melanie, talk to us a little bit about your very interesting career and how it evolved and how you got to where you are now.
Melanie Ensign 2:55
Sure. So I think like many people in security and privacy who didn't go to law school, I had no idea that this was where I was going to end up when I started. I actually went to college as an undergrad to study marine biology. I wanted to be a shark scientist; it was my childhood dream to become a shark scientist. Unfortunately, I had a little bit of an identity crisis halfway through my program and realized that the types of jobs that were available to me at that time as a marine biologist didn't really speak to me. And so I switched majors, transferred schools, and then ended up focusing in communications. And then I went to grad school and got a Master of Science degree in communications as well. But I have held on to shark science and scuba diving as a personal passion of mine. And it's something that I dedicate a lot of my time to outside of work. But so that's where I entered the communications field, with a background in that just marine biology, but my formal education in communications was really focused on interpersonal conflict, communications research, mass media. It was very research focused in my undergraduate program. And when I got to graduate school, it was really focused on the business of communications. There was an investor relations course that we took; we had to take business and finance and management to really understand how communications is used as a discipline in a business environment. And so I came out of grad school with this mix of communications and science knowledge, and started working primarily with tech companies on their environmental communications and some of their technical communications related to climate change and environmental impact and things like that. I was very fortunate that early on at that particular consultancy that I was working at, at the time, I had the opportunity to start working with the Chief Security Officer at AT&T.
And I, again, this was something that kind of came out of the blue, I was not expecting it, and not even something that I had thought of. But as soon as I started working with that team, I instantly fell in love with the idea of continuing what I had been trying to do in marine biology in terms of translating nuanced and technical concepts into something that the average person could understand, or even just somebody with a different perspective. So in security and privacy, we're often translating technical or nuanced details for a business audience. Maybe it's a C-level executive, or even oftentimes, it's the Board of Directors who have questions about various types of risk and how the security and privacy teams are addressing that. So I was very fortunate to be able to work with that team at AT&T for about five or six years, and really cut my teeth in cybersecurity. And from there, I went and spent a very short period of time at Facebook. I feel like this is something that I'm constantly making up for. But from there, I went to Uber to lead, as you mentioned, Jodi, security, privacy, and engineering communications, and spent several years working with the technical teams and the legal teams there, not just in terms of crafting external content, and messaging, and all of that, but really helping internal teams communicate better about security and privacy so that those teams could be more effective and more persuasive with their business colleagues.
Jodi Daniels 6:54
I'm so sorry, I didn't mean to interrupt you.
Melanie Ensign 6:57
I feel like I need to finish the story. From there, I started Discernible a couple of years ago. So we're now working with over two dozen clients on various security and privacy communication projects.
Jodi Daniels 7:10
What I was going to share is, well, thank you so much for sharing, that I love that you wanted to be a marine biologist, and then switched and came into communications. One of our daughters, I can totally see wanting to be a marine biologist. And then I can also see a similar path from the communications angle. As you were sharing the story, I kept picturing my daughter going through that entire path, but she probably wouldn't pick sharks, because she's kind of scared of sharks. She would pick sea turtles, or dolphins, or manatees; she'd like to rescue all of them.
Melanie Ensign 7:44
Those are all fantastic options. And, if she does choose sharks, then I think, maybe she has a career in cybersecurity ahead of her because I have found that sharks and hackers have a lot of things in common, particularly in regards to all of the communication implications that surround both of those groups.
Jodi Daniels 8:03
So let's go with that, help us understand a little bit more about what some of those similarities are?
Melanie Ensign 8:10
Sure, the big one that stands out to me is that a lot of people are actually really scared of these topics in general. Just the issue of talking, when you bring up sharks in a group of people, they're immediately thinking of something like Jaws, and same thing with hackers, right? They're thinking of these criminals and terrible things that happen on the internet. Both of those things are true in the sense that risk does exist. This is not a zero-risk environment, whether we're going to the ocean, or we're going online, but most of the fears are actually based in either misunderstanding or myths. And so a lot of the work that I do around communications, both when I was working in marine biology, but also now in security and privacy, is helping people understand the topic and the risks in a way where they feel informed and confident, rather than scared. Because one of the things that we know from cognitive science is that when your brain is stimulated by fear, it actually shuts down some really important judgment and neural pathways that you need in order to make higher-level decisions. And you lose a lot of the nuance and capabilities of decision making if you're constantly in this state of fear or panic. And so even when my team is involved in incident response, whether it's been a breach or something else, a lot of our work is about avoiding panic and coaching executives and security teams through that incident response process by minimizing panic, because if they are panicked, their judgment is impaired. And we want them to be able to make the best decisions possible in that moment. So we prepare them for those situations and then we coach them through them. The same way that you would for any type of first responder, right? There are certain types of muscle memory that you need to develop so that you're not having to make those split-second decisions when you're feeling panicked and fearful.
Justin Daniels 10:17
So, as a follow up to that, do you feel that more companies are now being more receptive to the kind of incident response practice that you're talking about, because when I've handled ransomware situations, the communications to the customers, as well as others is one of the hardest things because they're ill prepared for it, they haven't practiced it. And if you put somebody out there who has no communications experience, what I've seen happen has been uniformly bad.
Melanie Ensign 10:51
I think that is true from a general perspective. Obviously, there are exceptions. But one of the things that I am seeing is, so my team is usually brought in by the security organization. I think the reason that we're winning hearts and minds in this space is that we're not going through the typical channels of the corporate communications team or the legal team, both of whom normally do not have enough experience to do this in a non-panicked way. The PR team is going to view this as a crisis, right? And the legal team is going to say as little as possible, right? That's not true of every company. In fact, some companies do have very experienced security counsel, but not many. And so the fact that we come in through the security organization, and we coach and advise the security team on how to get all of the other stakeholders on board in advance, so that they are not looking for catharsis in this very anxious moment. One of the worst things that can happen during incident response is a trigger-happy executive who's feeling anxious and just needs to do something in order to feel like they're contributing, because they can't sit still. They did not get to where they were by sitting on their hands. And we spend a lot of time with security teams and their stakeholders, whether it's their lawyers, their PR team, or their executives, to teach all of those groups when they need to be sitting on their hands and waiting for instruction or information from the security organization, or when it is their turn to be doing something, and how to do that to the best of their ability, leveraging the insight and the knowledge that they're getting from the security investigation. And so there is a lot of prep work for good incident response. And a lot of that actually comes from my training as a rescue scuba diver, where we are taught how to keep divers calm, even in emergencies.
What are the signs to look for that could indicate that panic is a possibility for individual divers? And we bring that into our work with clients to help. It's not easy to teach a CEO how to sit still and be quiet. But they need to do that from time to time during an incident; otherwise, they can actually interfere with the investigation and actually make it harder for the security team to do their job.
Jodi Daniels 13:25
With all that in mind, what are you seeing as some of the biggest privacy related communication challenges that companies are dealing with now? Obviously, we've talked about the incident response ones, are you seeing anything in addition to those?
Melanie Ensign 13:40
Jodi Daniels 16:12
I love that phrase, privacy washing. I actually had a client the other day who asked us to evaluate a potential SaaS tool that they were going to use from a privacy point of view. And so we could see kind of what we could from the outside. And I also love the clients who come and say, “I just made a privacy notice.” And obviously, we could kind of only see what we could. In looking at other competitors, you could tell what one company had and what the other company had; you could tell some put a little bit more effort in than others. My follow-up question is, for those that are really doing the work, what can they do from an outward-facing perspective so that they don't appear to be privacy washing to the outside person like me who's trying to evaluate them?
Melanie Ensign 17:00
Jodi Daniels 20:35
I think that makes a lot of sense. I always find good examples. And then I find my not so good examples. But we'll let those companies remain nameless.
Justin Daniels 20:44
Jodi Daniels 20:45
Because we're not company bashing here. We're learning.
Justin Daniels 20:49
We're learning. Are you learning?
Jodi Daniels 20:51
I'm learning, always learning.
Justin Daniels 20:55
One of the things I wanted to ask you about Melanie, putting it in the terms of a funny book, which is, how do you bridge the divide between IT whose communications are from Mars and the C-suite whose communication style is from Venus?
Melanie Ensign 21:11
So it's interesting. When I think about this question, what comes to mind to me, having been that bridge many times, is that I actually think the communication style of both these groups is very similar in the sense that they are both used to being the smartest person in the room. And so they approach conversations with other people in a very similar way. Where we end up with challenges, from a communications perspective, is that the motivation and the priorities of these groups are different. And so if you can imagine, you've got two alpha groups coming together, but trying to solve different problems, because they have different priorities, and they have different goals. And so, part of the job of my team is to get those folks on the same page in terms of a shared outcome. What can we agree to that is important for both of these groups? And then how can we break out that goal into specific deliverables and action items for each discipline, or each team that's involved in the process? And so, I kind of chuckle at the question, to be honest, Justin, because I think executives and engineers have a lot in common. They both think they're always right. It's just a matter of getting everybody to agree to the direction that we're going to swim in so that the work that is being done at the executive level is supported by the work that's happening within the IT organization, or engineering team.
Jodi Daniels 22:51
Does that make sense to you?
Justin Daniels 22:52
It does. I guess the challenge I get into, Melanie, because I'm in your role a lot, because our commute to school in the morning is 75 minutes. So I've spent a lot of time on YouTube learning the technology stack. You'd be shocked at what I can talk about. But I guess what I see is, though, I'll be on the phone, there's an incident, and the IT people are saying yes, it was a brute force attack with the RDP protocol to get into the network. And I just watch the business people. And then I can see the blood draining from their face. They don't understand what they're saying. And then I have to step in and say, Okay, this is what happens. That's where I see it. It's almost the language that they're using. They just shut down. Because once you go into techno speak, the C-suite, they're done.
Melanie Ensign 23:42
But it happens in the other direction, too, in terms of executives saying things that don't make any sense to the engineers. And I think the problem that we see in those types of cases is that both parties expect, number one, what they're saying to be important to the other party. And number two, they're making a lot of assumptions about what the other party needs. And so sometimes those conversations need to start with questions rather than progress reports. And both parties need to communicate to the other: Here's what I need from you. When we do incident response planning, we're telling the security team, here are the questions you need to be prepared to answer for your executives within the first 12 to 24 hours of an incident, right? And for the executives, we're telling them, here's what you can expect realistically from an investigation. And based on the information that you need to do your job as an executive, here are the questions to ask an engineer to get that information. And so it is a lot of prep work prior to an incident to teach those teams not just how to talk to each other, but how to just communicate effectively in general in terms of putting your cards on the table and explaining here's what I need from this and here's what I can offer.
Jodi Daniels 25:00
Kind of like the book, you have to understand the needs of both people and be able to build that relationship?
Justin Daniels 25:11
Well, if you think about it, what Melanie is doing is really smart, because basically she's level setting expectations and questions so that both parties, before they get into it, they're starting to speak the same language, instead of talking past each other. And so that seems to be why your service is so highly valuable. Because that lack of communication, when you put somebody under the time pressure, the business at risk, it's going to break down. So thank you, that was a really insightful way of looking at it.
Melanie Ensign 25:46
I'll just add one piece to that, Justin. I think one of the reasons why that challenge is so prevalent is because oftentimes, an incident is the first time that some of these executives are even speaking to their security or IT departments. And so that's also a big problem that we try to address early: you need to have a relationship with your leadership team before something bad happens. Because they will feel antsy, they absolutely will; there's a lot of pressure on their shoulders. And they're concerned about risk to the business. And if the first time they're talking to you is when they think something is broken, they're going to feel like they have the answers on how to fix it, because they don't actually understand what you're doing every single day. And so that proactive relationship with business leaders is also really critical for security teams if they want to communicate most effectively during an incident.
Jodi Daniels 26:42
So picking a slightly different challenge. In today's world, we're really in the data economy, everyone has some type of data. And for some companies, their business is using data, selling data, monetizing data, analyzing data. So how do you communicate the value of privacy in those types of situations?
Melanie Ensign 27:07
Sure. So for most companies, it's about helping them understand that effective data governance, including privacy, but also including data integrity, data management, all of that, actually opens up the door for more access to data and more value from the data. If you are a trusted steward of data, you can actually acquire more data. If you know how to use your data wisely, including complying with all the laws, but also maintaining the quality of your data, you can get more value from the data that you have. And so for companies who are dependent on data, which is most of them at this point, your data is an asset. And if you're not managing it well, you're not actually getting all of the value from the risk or the cost associated with acquiring that asset. Now, there are also businesses whose business model isn't just data, but it's the exploitation of that data, of the individuals whom that data is about. For those people, I don't try to convince them; I'm just waiting for the law to make their companies illegal. It is completely okay, as a society, because we've done this before, to say there are certain types of businesses that we do not allow to exist. We've done it with human trafficking, we've done it with certain types of illicit drugs; we don't have to accept every single business model as acceptable in our society. And I think there are several, even things like pyramid schemes, those are illegal for a reason. And I think we have similarities in the data broker world as well. The law does not have to accommodate every single company that exists. We, as a society, can decide what our values are. And so for those companies that really cannot move into a privacy-preserving business model, I'm hoping that the law actually writes them out of existence.
Jodi Daniels 29:13
That's interesting. As privacy and security professionals, we're so familiar with the type of data that companies have and how they're using it. And you had shared before, many companies don't always, or people don't always, appreciate and know what's happening. And so being in that inside seat, it is sometimes very scary to know what is actually happening.
Justin Daniels 29:31
It's worse than that. So Melanie…
Jodi Daniels 29:34
In my view, that's scary. In your view, it can be worse than that.
Justin Daniels 29:38
It's worse than that, because think about deployment of drones with facial recognition technology, autonomous vehicles with the same thing. So now they have a complete understanding of exactly where you went during the day, how long you were there, and I'll talk to people about this and they'll say, “I don't have anything to hide.” It's okay. And so to me, where I think it's worse, when you talk about getting rid of the data broker business model, I don't think, as a society as we speak today, people care. And I don't think they will care until their actual privacy or freedoms, they actually see them ripped away in some meaningful way.
Melanie Ensign 30:21
Yeah, but truthfully, those of us that have the knowledge and the influence and authority to do something really have a moral obligation to do so. I mean, I look at other consumer protections like seatbelts and airbags; those were not implemented because of consumer demand. Those of us who understand the risk, in my opinion, have an obligation to help protect the people who don't understand what's going on, who don't understand the risks that they're taking, because you're right, they will not understand until it affects them. And for a lot of people, particularly in the United States, they are shielded by a number of different demographic groups that they may be in, where they're not the target of some of these groups right now. But they will be eventually, because everybody will be eventually. And so if we're not mindful of that, it's very easy to get into this slippery slope of allowing these types of technologies and business models to exist, because they don't seem scary to a particular group right now. But they're scary to somebody right now. And those people deserve protection; those people deserve for their concerns and their rights and their needs to be heard. I mean, like I said, if we waited for consumers to dictate all of the various protections that we need, we wouldn't even have child safety caps on medicine bottles. This stuff comes from regulators and comes from practitioners who actually understand the risks that consumers face, and we need to do our part to protect them, regardless of whether or not they are conscious of those risks.
Jodi Daniels 32:04
So with all of that in mind, what would it be, we always ask this of all of our guests, your best cyber or privacy tip that you would offer individuals or companies or you can even answer both?
Melanie Ensign 32:19
Sure. So my number one thing, this isn't earth-shattering, I think it's probably what a lot of security people would say, but use multi-factor authentication on everything that you possibly can.
Jodi Daniels 32:30
We need to have a poll, because it is a common answer. It's a totally acceptable answer. But I think we need to start tracking when people give that answer.
Melanie Ensign 32:38
I mean, everybody has a little bit of a different risk model, depending on who they are, their lifestyle, things that they participate in, all of that, but two-factor authentication is a universal protection that benefits everybody, regardless of all of the other details of your threat model.
Justin Daniels 32:55
Melanie, do you have a digital wallet?
Melanie Ensign 32:59
I do not.
Justin Daniels 33:00
Okay. I asked a polling question on LinkedIn this week of which kind of digital wallet do you have, because there are varying levels of security to put your tokens and your Bitcoin. It's the exact same issue, just in a different context. But let's turn and talk about, outside of all of the great communication work you do and advocating for privacy and security, what do you like to do for fun?
Melanie Ensign 33:30
So I mentioned this at the beginning of the conversation, but I am an avid scuba diver. Being underwater is where I feel most at peace. It's a big reason why I live in the part of the world that I do so that when I'm not working, I can be underwater in a warm climate and just relax and just experience something that's so different from life on land. And, it's the only thing I have found that can actually occupy my mind well enough that I can disconnect from my work.
Justin Daniels 34:05
But not near the shark.
Melanie Ensign 34:10
I dive with sharks all the time. I love them.
Justin Daniels 34:13
Maybe not near the great white shark.
Melanie Ensign 34:17
I've done that too.
Jodi Daniels 34:19
I will not be joining you.
Melanie Ensign 34:24
I am telling you, our fear of sharks, while it is seemingly primal, in a lot of cases is really unfounded. I have dived with hundreds of sharks. I've never had an incident with any of them. In fact, most of the time they're so uninterested in me that I'm just hoping that they will come closer so I can get a good photo. But they're not what we portray in movies or TV or things like that. Do they pose risks? Yeah, some of them, but I'm more likely to die in a car accident, or a lightning strike. I mean, sharks are definitely not more dangerous than humans.
Jodi Daniels 35:16
I can agree with you for sure on that. That's a whole other conversation. But if people would like to learn more and connect with you, where is the best place to send them?
Melanie Ensign 35:29
Sure. So there are two great places. One is LinkedIn; I'm easy to find, Melanie Ensign on LinkedIn. But I'm also pretty prolific on Twitter. My Twitter handle is iMeluny, spelled phonetically.
Jodi Daniels 35:43
That is wonderful. Well, Melanie, thank you so much for sharing all this great wisdom with us. I really enjoyed our conversation. And I think companies from small to big can certainly learn something along the way.
Melanie Ensign 35:55
Great, thank you so much for having me. It's been a pleasure.
Thanks for listening to the She Said Privacy/He Said Security podcast. If you haven't already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.