
Intro  0:01 

Welcome to the She Said Privacy/He Said Security podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:24 

Hi, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and Certified Information Privacy Professional, providing practical privacy advice to overwhelmed companies.

Justin Daniels  0:39 

Hi, Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I’m the cyber quarterback helping companies design and implement cyber plans as well as help them manage and recover from data breaches.

Jodi Daniels  0:56 

And this episode is brought to you by, you need to go to drum school this week, Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, eCommerce, and B2B service providers. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, visit redcloveradvisors.com. Are you ready for a good show?

Justin Daniels  1:34 

I think so. Do you know who’s playing in the Super Bowl this weekend?

Jodi Daniels  1:37 

No, I don’t. We’re not going to talk about sports. I fail at sports. You kindly remind me that all the time.

Justin Daniels  1:43 

Okay, then moving right along.

Jodi Daniels  1:47 

Well, I’m so excited for our guest today. We have Melanie Ensign, who is the Founder and CEO of Discernible, a security and privacy communications consultancy. Previously, she led security, privacy and engineering communications at Uber. And she currently leads the press department for DEF CON, the world’s largest hacker conference. Melanie, welcome to the show.

Melanie Ensign  2:16 

Thank you so much for having me. Nice to see you both.

Jodi Daniels  2:19 

Super excited. We know that you’re very excited about DEF CON.

Justin Daniels  2:22 

I think that coffee I brought you home this morning has put an extra steam in yourself.

Jodi Daniels  2:28 

I know, I can feel it waking me up. I was very sleepy earlier today. Thank you. Can you bring coffee every day?

Justin Daniels  2:35 

Sure.

Jodi Daniels  2:36  

It was really fun. So, are you going to kick us off?

Justin Daniels  2:40 

I can. Why don’t we start from the beginning? So Melanie, talk to us a little bit about your very interesting career and how it evolved and how you got to where you are now.

Melanie Ensign  2:55 

Sure. So I think like many people in security and privacy who didn’t go to law school, I had no idea that this was where I was going to end up when I started. I actually went to college as an undergrad to study marine biology. I wanted to be a shark scientist; it was my childhood dream to become a shark scientist. Unfortunately, I had a little bit of an identity crisis halfway through my program and realized that the types of jobs that were available to me at that time as a marine biologist didn’t really speak to me. And so I switched majors, transferred schools, and then ended up focusing in communications. And then I went to grad school and got a Master’s of Science degree in communications as well. But I have held on to shark science and scuba diving as a personal passion of mine. And it’s something that I dedicate a lot of my time to outside of work. But so that’s where I entered the communications field, with a background in marine biology, but my formal education in communications was really focused on interpersonal conflict, communications research, mass media. It was very research focused in my undergraduate program. And when I got to graduate school, it was really focused on the business of communications. There was an investor relations course that we took; we had to take business and finance and management to really understand how communications is used as a discipline in a business environment. And so I came out of grad school with this mix of communications and science knowledge, and started working primarily with tech companies on their environmental communications and some of their technical communications related to climate change and environmental impact and things like that. I was very fortunate that early on at that particular consultancy that I was working at at the time, I had the opportunity to start working with the Chief Security Officer at AT&T.
And I, again, this was something that kind of came out of the blue, I was not expecting it, and not even something that I had thought of. But as soon as I started working with that team, I instantly fell in love with the idea of continuing what I had been trying to do in marine biology in terms of translating nuanced and technical concepts into something that the average person could understand, or even just somebody with a different perspective. So in security and privacy, we’re often translating technical or nuanced details for a business audience. Maybe it’s a C-level executive, or even oftentimes, it’s the Board of Directors who have questions about various types of risk and how the security and privacy teams are addressing that. So I was very fortunate to be able to work with that team at AT&T for about five or six years, and really cut my teeth in cybersecurity. And from there, I went and spent a very short period of time at Facebook. I feel like this is something that I’m constantly making up for. But from there, I went to Uber to lead, as you mentioned, Jodi, security, privacy and engineering communications, and spent several years working with the technical teams and the legal teams there, not just in terms of crafting external content, and messaging, and all of that, but really helping internal teams communicate better about security and privacy so that those teams could be more effective and more persuasive with their business colleagues.

Jodi Daniels  6:54 

I’m so sorry, I didn’t mean to interrupt you.

Melanie Ensign  6:57 

I feel like I need to finish the story. From there, I started Discernible a couple of years ago. So we’re now working with over two dozen clients on various security and privacy communication projects.

Jodi Daniels  7:10 

What I was going to share is, well, thank you so much for sharing, that I love that you wanted to be a marine biologist, and then switched and came into communications. One of our daughters, I can totally see wanting to be a marine biologist. And then I can also see a similar path from the communications angle. As you were sharing the story, I kept picturing my daughter going through that entire path, but she probably wouldn’t pick sharks, because she’s kind of scared of sharks. She would pick sea turtles, or dolphins or manatees; she’d like to rescue all of them.

Melanie Ensign  7:44 

Those are all fantastic options. And, if she does choose sharks, then I think, maybe she has a career in cybersecurity ahead of her because I have found that sharks and hackers have a lot of things in common, particularly in regards to all of the communication implications that surround both of those groups.

Jodi Daniels  8:03 

So let’s go with that, help us understand a little bit more about what some of those similarities are?

Melanie Ensign  8:10 

Sure, the big one that stands out to me is that a lot of people are actually really scared of these topics in general. Just the issue of talking, when you bring up sharks in a group of people, they’re immediately thinking of something like Jaws, and same thing with hackers, right? They’re thinking of these like criminals and terrible things that happen on the internet. Both of those things are true in the sense that risk does exist. This is not a zero-risk environment, whether we’re going to the ocean, or we’re going online, but most of the fears are actually based in either misunderstanding or myths. And so a lot of the work that I do around communications, both when I was working in marine biology, but also now in security and privacy, is helping people understand the topic and the risks in a way where they feel informed and confident, rather than scared. Because one of the things that we know from cognitive science is that when your brain is stimulated by fear, it actually shuts down some really important judgment and neural pathways that you need in order to make higher-level decisions. And you lose a lot of the nuance and capabilities of decision making if you’re constantly in this state of fear or panic. And so even when my team is involved in incident response, whether it’s been a breach or something else, a lot of our work is about avoiding panic and coaching executives and security teams through that incident response process by minimizing panic, because if they are panicked, their judgment is impaired. And we want them to be able to make the best decisions possible in that moment. So we prepare them for those situations and then we coach them through them. The same way that you would for any type of first responder, right? There are certain types of muscle memory that you need to develop so that you’re not having to make those split-second decisions when you’re feeling panicked and fearful.

Justin Daniels  10:17 

So, as a follow up to that, do you feel that more companies are now being more receptive to the kind of incident response practice that you’re talking about, because when I’ve handled ransomware situations, the communications to the customers, as well as others is one of the hardest things because they’re ill prepared for it, they haven’t practiced it. And if you put somebody out there who has no communications experience, what I’ve seen happen has been uniformly bad.

Melanie Ensign  10:51 

I think that is true from a general perspective. Obviously, there are exceptions. But one of the things that I am seeing is, so my team is usually brought in by the security organization. I think the reason that we’re winning hearts and minds in this space is that we’re not going through the typical channels of the corporate communications team or the legal team, both of whom normally do not have enough experience to do this in a non-panicked way. The PR team is going to view this as a crisis, right. And the legal team is going to say as little as possible, right? That’s not true of every company. In fact, some companies do have a lot of very experienced security counsel, but not many. And so the fact that we come in through the security organization, and we coach and advise the security team on how to get all of the other stakeholders on board in advance, so that they are not looking for catharsis in this very anxious moment. One of the worst things that can happen during incident response is a trigger-happy executive who’s feeling anxious and just needs to do something in order to feel like they’re contributing, because they can’t sit still. They did not get to where they were by sitting on their hands. And we spend a lot of time with security teams and their stakeholders, whether it’s their lawyers, their PR team, or their executives, to teach all of those groups when they need to be sitting on their hands and waiting for instruction or information from the security organization, or when it is their turn to be doing something, and how to do that to the best of their ability, leveraging the insight and the knowledge that they’re getting from the security investigation. And so there is a lot of prep work for good incident response. And a lot of that actually comes from my training as a rescue scuba diver, where we are taught how to keep divers calm, even in emergencies.
What are the signs to look for that could indicate that panic is a possibility for individual divers? And we bring that into our work with clients to help. It’s not easy to teach a CEO how to sit still and be quiet. But they need to do that from time to time during an incident; otherwise, they can actually interfere with the investigation and actually make it harder for the security team to do their job.

Jodi Daniels  13:25 

With all that in mind, what are you seeing as some of the biggest privacy related communication challenges that companies are dealing with now? Obviously, we’ve talked about the incident response ones, are you seeing anything in addition to those?

Melanie Ensign  13:40 

Yeah, so the two that I see most often are, one, they get stuck with a compliance message of we’re only doing this for compliance. Now, that works really well for everybody who has compliance in their job description and whose performance review is going to be based on a compliance checklist. But for everyone else in the organization, compliance is not what motivates them. And so we do a lot of work with privacy teams on how do you talk about what you’re doing to engineers or to finance or to HR, in a language that they understand that isn’t dependent on compliance? Because for a lot of people, when you say compliance, they start going to sleep. And also when you talk about it in the context of compliance, it can be limiting in the sense that your colleagues are then asking, “Okay, what do we have to do?” And they’re using the legal requirements as the bare minimum. It’s hard to get teams to go above and beyond a legal requirement if you’re telling them that the goal is to be compliant, and to be compliant, you only have to do this one small thing. So that’s a big one: helping privacy teams kind of elevate their own profession and their own discipline and to start to view themselves and demand that they be treated as a value-driving business unit. So that’s the big thing that I see. And the second thing is privacy washing, where we actually see this a lot in big tech. And unfortunately, it’s kind of spreading to other industries. But companies are noticing that trust and loyalty is critically important for their bottom line.
But instead of actually doing the work, and putting in the investment and the resources required to be a privacy-protecting organization, they’re doing some hand waving, marketing speak, and hoping that just having a website with a privacy policy, or a long checklist of toggles that no consumer is ever really going to be able to understand or use, is, you know, going to magically repair their reputation in regards to whether or not they’re a trustworthy steward of consumer data. And so those are the two big things: internal teams that are getting stuck in compliance, and then the brands who in their external communications are relying too heavily on words, rather than action.

Jodi Daniels  16:12

I love that phrase, privacy washing. I actually had a client the other day who asked us to evaluate a potential SaaS tool that they were going to use from a privacy point of view. And so we could see kind of what we could from the outside. And I also love the clients who come and say, “I just made a privacy notice.” And obviously, we could kind of only see what we could. In looking at other competitors, you could tell what one company had and what the other company had; you could tell some put a little bit more effort in than others. My follow-up question is, for those that are really doing the work, what can they do from an outward-facing perspective so that they don’t appear to be privacy washing to the outside person like me who’s trying to evaluate them?

Melanie Ensign  17:00

Sure. So I think a lot of it depends on who your stakeholders are externally. Whether you’re a B2B company, it’s going to be different than if you’re a B2C company, or if you work in the government, public sector, versus if you’re, like, a small business in a different industry. So the most important thing is to actually understand what the expectations are of your stakeholders. When you simply meet their expectations, that’s like hitting the legal bar, right? You are operating in a legal way, congratulations, you don’t get credit for that, like you just don’t go to jail or get fined. So simply meeting expectations doesn’t move the needle in terms of reputation. And so, when we look at what are the expectations of the stakeholders, what we actually want to do from a communications perspective is to aim above that. We want to give them more than they actually expect of us. That’s how you move reputation. And so for the companies that are doing the work, when I talk about that from a communications lens, what I actually mean is, are you doing more than you have to? If you are not doing more than you have to, it is my personal recommendation that you not try to get credit for doing the thing you are legally required to do. And there’s actually a lot of examples of backlash of companies being like, that was in our privacy policy, which makes it legal because technically it’s a contract. And that’s the only way that we understand consent in the United States. And so, that doesn’t necessarily get you the results that you want from a reputation perspective. And so something like doing more than what is legally required. I’ll give you an example. Prior to working for Discernible, I was working with the security and privacy organizations at Uber.
One of the things that they did recently is, for Data Privacy Week, which was a couple of weeks ago now, they put something into their mobile app for all riders and drivers to show which personal information is being used at what stage of your Uber trip. So when you’re ordering an Uber, what information is being used; when you’re in the car, on the trip, what information is being used and for what purpose; and at the end of the trip, what information is being used and for what purpose. Now, of course, Uber has a privacy policy just like everybody else, right? It’s a privacy notice. But I think anyone who’s expecting consumers to read that is really just fooling themselves. These are long legal documents. They have to exist for legal purposes or legal requirements, so they’re not going away. But we can rely on them exclusively to educate and communicate our data and privacy practices to customers and to users. And so I like what Uber did a couple weeks ago, because it’s putting the privacy information in the context of the user experience, and inside the mobile app, where customers are actually engaging with the company. To put something up on a website is asking somebody to discover it on their own somehow. But actually putting it inside the product, I think, gives it some really important context.

Jodi Daniels  20:35 

I think that makes a lot of sense. I always find good examples. And then I find my not so good examples. But we’ll let those companies remain nameless.

Justin Daniels  20:44 

Why?

Jodi Daniels  20:45 

Because we’re not company bashing here. We’re learning.

Justin Daniels  20:49 

We’re learning. Are you learning?

Jodi Daniels  20:51 

I’m learning, always learning.

Justin Daniels  20:55 

One of the things I wanted to ask you about Melanie, putting it in the terms of a funny book, which is, how do you bridge the divide between IT whose communications are from Mars and the C-suite whose communication style is from Venus?

Melanie Ensign  21:11 

So it’s interesting. When I think about this question, what comes to mind to me, having been that bridge many times, is that I actually think the communication style of both these groups is very similar in the sense that they are both used to being the smartest person in the room. And so they approach conversations with other people in a very similar way. Where we end up with challenges, from a communications perspective, is that the motivation and the priorities of these groups are different. And so if you can imagine you’ve got two alpha groups coming together, but trying to solve different problems, because they have different priorities, and they have different goals. And so, part of the job of my team is to get those folks on the same page in terms of a shared outcome. What can we agree to that is important for both of these groups? And then how can we break out that goal into specific deliverables and action items for each discipline, or each team that’s involved in the process? And so, I kind of chuckle at the question, to be honest, Justin, because I think executives and engineers have a lot in common. They both think they’re always right. It’s just a matter of getting everybody to agree to the direction that we’re going to swim in so that the work that is being done at the executive level is supported by the work that’s happening within the IT organization, or engineering team.

Jodi Daniels  22:51 

Does that make sense to you?

Justin Daniels  22:52 

It does. I guess the challenge I get into, Melanie, because I’m in your role a lot, because our commute to school in the morning is 75 minutes, so I’ve spent a lot of time on YouTube learning the technology stack. You’d be shocked at what I can talk about. But I guess what I see is, though, I’ll be on the phone, there’s an incident, and the IT people are saying yes, it was a brute-force attack with the RDP protocol to get into the network. And I just watch the business people. And then I can see the blood draining from their faces. They don’t understand what they’re saying. And then I have to step in and say, okay, this is what happens. That’s where I see it. It’s almost the language that they’re using. They just shut down. Because once you go into techno speak, the C-suite, they’re done.

Melanie Ensign  23:42 

But it happens in the other direction, too, in terms of executives saying things that don’t make any sense to the engineers. And I think the problem that we see in those types of cases is that both parties expect, number one, what they’re saying to be important to the other party. And number two, they’re making a lot of assumptions about what the other party needs. And so sometimes those conversations need to start with questions rather than progress reports. And both parties need to communicate to the other: here’s what I need from you. When we do incident response planning, we’re telling the security team, here are the questions you need to be prepared to answer for your executives within the first 12 to 24 hours of an incident, right? And for the executives, we’re telling them, here’s what you can expect realistically from an investigation. And based on the information that you need to do your job as an executive, here are the questions to ask an engineer to get that information. And so it is a lot of pre-work prior to an incident to teach those teams not just how to talk to each other, but how to just communicate effectively in general, in terms of putting your cards on the table and explaining here’s what I need from this and here’s what I can offer.

Jodi Daniels  25:00 

Kind of like the book, you have to understand the needs of both people and be able to build that relationship?

Justin Daniels  25:11 

Well, if you think about it, what Melanie is doing is really smart, because basically she’s level setting expectations and questions so that both parties, before they get into it, they’re starting to speak the same language, instead of talking past each other. And so that seems to be why your service is so highly valuable. Because that lack of communication, when you put somebody under the time pressure, the business at risk, it’s going to break down. So thank you, that was a really insightful way of looking at it.

Melanie Ensign  25:46 

I’ll just add one piece to that, Justin. I think one of the reasons why that challenge is so prevalent is because oftentimes, an incident is the first time that some of these executives are even speaking to their security or IT departments. And so that’s also a big problem that we try to address early: you need to have a relationship with your leadership team before something bad happens. Because they will feel antsy, they absolutely will; there’s a lot of pressure on their shoulders. And they’re concerned about risk to the business. And if the first time they’re talking to you is when they think something is broken, they’re going to feel like they have the answers on how to fix it, because they don’t actually understand what you’re doing every single day. And so that proactive relationship with business leaders is also really critical for security teams if they want to communicate most effectively during an incident.

Jodi Daniels  26:42 

So picking a slightly different challenge. In today’s world, we’re really in the data economy, everyone has some type of data. And for some companies, their business is using data, selling data, monetizing data, analyzing data. So how do you communicate the value of privacy in those types of situations?

Melanie Ensign  27:07 

Sure. So for most companies, it’s about helping them understand that effective data governance, including privacy, but also including, like, data integrity, data management, all of that, actually opens up the door for more access to data and more value from the data. If you are a trusted steward of data, you can actually acquire more data. If you know how to use your data wisely, including complying with all the laws, but also maintaining the quality of your data, you can get more value from the data that you have. And so for companies who are dependent on data, which is most of them at this point, your data is an asset. And if you’re not managing it well, you’re not actually getting all of the value from the risk of the cost associated with acquiring that asset. Now, there are also businesses whose business model isn’t just data, but it’s the exploitation of that data and the individuals about whom that data is. For those people, I don’t try to convince them; I’m just waiting for the law to make their companies illegal. It is completely okay, as a society, because we’ve done this before, to say there are certain types of businesses that we do not allow to exist. We’ve done it with human trafficking, we’ve done it with certain types of illicit drugs; we don’t have to accept every single business model as acceptable in our society. And I think there are several, even things like pyramid schemes, those are illegal for a reason. And I think we have similarities in the data broker world as well. The law does not have to accommodate every single company that exists. We, as a society, can decide what our values are. And so for those companies that really cannot move into a privacy-preserving business model, I’m hoping that the law actually writes them out of existence.

Jodi Daniels  29:13 

That’s interesting. As privacy and security professionals, we’re so familiar with the type of data that companies have and how they’re using it. And you had shared before, many companies don’t always, or people don’t always, appreciate and know what’s happening. And so being in that inside seat, it is sometimes very scary to know what is actually happening.

Justin Daniels  29:31 

It’s worse than that. So Melanie…

Jodi Daniels  29:34 

In my view, that’s scary. In your view, it can be worse than that.

Justin Daniels  29:38 

It’s worse than that, because think about deployment of drones with facial recognition technology, autonomous vehicles with the same thing. So now they have a complete understanding of exactly where you went during the day, how long you were there, and I’ll talk to people about this and they’ll say, “I don’t have anything to hide.” It’s okay. And so to me, where I think it’s worse, when you talk about getting rid of the data broker business model, I don’t think, as a society as we speak today, people don’t care. And I don’t think they will care until their actual privacy or freedoms, they actually see them ripped away in some meaningful way.

Melanie Ensign  30:21 

Yeah, but truthfully, those of us that have the knowledge and the influence and authority to do something really have a moral obligation to do so. I mean, I look at other consumer protections like seatbelts and airbags; those were not implemented because of consumer demand. Those of us who understand the risk, in my opinion, have an obligation to help protect the people who don’t understand what’s going on, who don’t understand the risks that they’re taking, because you’re right, they will not understand until it affects them. And for a lot of people, particularly in the United States, they are shielded by a number of different demographic groups that they may be in, where they’re not the target of some of these groups right now. But they will be eventually, because everybody will be eventually. And so if we’re not mindful of that, it’s very easy to get into this slippery slope of allowing these types of technologies and business models to exist, because they don’t seem scary to a particular group right now. But they’re scary to somebody right now. And those people deserve protection; those people deserve for their concerns and their rights and their needs to be heard. I mean, like I said, if we waited for consumers to dictate all of the various protections that we need, we wouldn’t even have, like, child-safety caps on medicine bottles. Like, this stuff comes from regulators and comes from practitioners who actually understand the risks that consumers face, and we need to do our part to protect them, regardless of whether or not they are conscious of those risks.

Jodi Daniels  32:04 

So with all of that in mind, what would it be, we always ask this of all of our guests, your best cyber or privacy tip that you would offer individuals or companies or you can even answer both?

Melanie Ensign  32:19 

Sure. So my number one thing, this isn’t earth-shattering, I think it’s probably what a lot of security people would say, but use multi-factor authentication on everything that you possibly can.

Jodi Daniels  32:30 

We need to have a poll because it is a common answer. It’s a totally acceptable answer. But I think we need to start tracking when people give that answer.

Melanie Ensign  32:38 

I mean, everybody has a little bit of a different risk model, depending on who they are, their lifestyle, things that they participate in, all of that, but two-factor authentication is a universal protection that benefits everybody, regardless of all of the other details of your threat model.

Justin Daniels  32:55 

Melanie, do you have a digital wallet?

Melanie Ensign  32:59 

I do not.

Justin Daniels  33:00 

Okay. I asked a polling question on LinkedIn this week of which kind of digital wallet do you have, because there’s varying levels of security to put your tokens and your Bitcoin in. It’s the exact same issue, just in a different context. But let’s turn and talk about, outside of all of the great communication work you do and advocating for privacy and security, what do you like to do for fun?

Melanie Ensign  33:30 

So I mentioned this at the beginning of the conversation, but I am an avid scuba diver. Being underwater is where I feel most at peace. It’s a big reason why I live in the part of the world that I do so that when I’m not working, I can be underwater in a warm climate and just relax and just experience something that’s so different from life on land. And, it’s the only thing I have found that can actually occupy my mind well enough that I can disconnect from my work.

Justin Daniels  34:05 

But not near the shark.

Melanie Ensign  34:10 

I dive with sharks all the time. I love them.

Justin Daniels  34:13 

Maybe not near the great white shark.

Melanie Ensign  34:17 

I’ve done that too.

Jodi Daniels  34:19 

I will not be joining you.

Melanie Ensign  34:24 

I am telling you, our fear of sharks, while it is seemingly primal, in a lot of cases is really unfounded. I have dived with hundreds of sharks. I’ve never had an incident with any of them. In fact, most of the time they’re so uninterested in me that I’m just hoping that they will come closer so I can get a good photo. But they’re not what we portray in movies or TV or things like that. Do they pose risks? Yeah, some of them, but I’m more likely to die in a car accident, or a lightning strike. I mean, sharks are definitely not more dangerous than humans.

Jodi Daniels  35:16 

I can agree with you for sure on that. That’s a whole nother conversation. But if people would like to learn more and connect with you, where is the best place to send them?

Melanie Ensign  35:29 

Sure. So there’s two great places. One is LinkedIn. I’m easy to find Melanie Ensign on LinkedIn. But I’m also pretty prolific on Twitter. My Twitter handle is iMeluny, spelled phonetically.

Jodi Daniels  35:43 

That is wonderful. Well, Melanie, thank you so much for sharing all this great wisdom with us. I really enjoyed our conversation. And I think companies from small to big can certainly learn something along the way.

Melanie Ensign  35:55 

Great, thank you so much for having me. It’s been a pleasure.

Outro  36:01 

Thanks for listening to the She Said Privacy/He Said Security podcast. If you haven’t already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.

Privacy doesn’t have to be complicated.