Strategies for Privacy Professionals in the Boardroom With Judy Titera

Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:21  

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.

Justin Daniels  0:35  

Hello, Justin Daniels here. I am a shareholder and corporate M&A and tech transaction lawyer at the law firm Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risks. And when needed, I lead the legal cyber data breach response brigade.

Jodi Daniels  0:59  

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, ecommerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more and to check out our best selling book Data Reimagined: Building Trust One Byte at a Time visit redcloveradvisors.com You are very smoky today doing this episode with you is very challenging because they just want to laugh. Oh, why are you so smoky?

Justin Daniels  1:44  

Because laughing brings everyone joy.

Jodi Daniels  1:46  

Then I’m gonna twist over all my words and sound like a bumbling, silly person that makes me suitably entertaining. Oh, I see. It’s just for everyone’s entertainment.

Justin Daniels  1:57  

It’s just we’re doing a lot of things today together in various venues. So let’s focus on our guests.

Jodi Daniels  2:04  

Let’s focus on Judy. Okay, well, we have Judy Titera, who is the owner of J Titera Solutions, where she provides privacy and security consulting services and is a faculty member of ions research. Additionally, she serves as independent director on the Mitsui Sumitomo Transverse Insurance Board and Audit Committee. And she is also on the board and nominating and governance committees of Nemours Children’s Hospital, Judy retired from USAA, where she served as the chief privacy officer, and in her free time, enjoys participating in various professional activities and speaking engagements. So, Judy, I’m so excited that you are here. We’ve known each other for quite some time. And I’m just delighted to dive into all of your wealth of experience as a chief privacy officer and serving on board of directors.

Judy Titera  2:55  

Thank you so much for having me here today. And hopefully, this is a fun and enjoyable conversation. I’m all for having a good time here today.

Jodi Daniels  3:03  

I think we’re gonna have some fun. So yes, good, fun. Good fun. And actually, some people were surprised we released an episode today, while we’re recording. And people were surprised, they didn’t know that we actually are sitting side by side, Justin and I are doing this recording. So for anyone who was curious, we are sitting side by side, it’s much more fun if somebody can poke and we can prod and here we are. See, by okay, you should start.

Justin Daniels  3:32  

I will start. So, Judy, talk to us a little bit about your career journey to where you are today.

Judy Titera  3:39  

All right. If we hadn’t, you know, two hours, I could go into great detail of my journey. But as I was thinking, because I know you always ask this question. So I was thinking about my journey. And one of the things that I really focused on and it really came to light as I was thinking about it is the people that helped me along the way on my journey. I started off not knowing what I wanted to do in my career. And I started off, I was a paralegal at an insurance company. And I was working on a project and in a meeting and there was a request, does anyone have capacity, there’s this new thing called GLBA. And proposed regulations for HIPAA was 1999. And I raised my hand and said, That sounds interesting. And that really kick started my privacy career for the last 25 years, which has been really quite a great journey along the way. And through that time, you know, as I developed and it was going, I had individuals that came into my life that either saw something in me I didn’t see it myself, provided me with opportunities that I didn’t think maybe I was capable of doing, you know, gave me sound advice on what You know, what I could and should be doing in the privacy space. And, you know, those are all those things I you know, anything I’d say to anyone in the, you know, whatever field you’re in, is having good mentors, having people in your life that you can go to and just say, I, this sounds like the craziest thing, can you help me, you know, make my way through this? Have you ever had this experience before? So having mentors, I think is going to be my key to where I got to where I am today. Another key piece, I would say, in my career, my privacy career, I’m going to do a call out to IPP, when I first started my privacy career, I, it was, you know, the early 2000s, we would go to conferences, there’d be about 200 300 people at those conferences. And now there’s, like, 10s, I don’t know, maybe they had 100,000, you know, members, their resources, their training their certifications, whenever I have someone who’s considering IT/privacy career, I send them their way. So just, you know, they’re not paying me to say this. But, you know, just I think it’s an outstanding organization that folks should be involved in. So my career and privacy has been just very full, Chief Privacy Officer at USAA, I couldn’t have asked for a better position and a better company, I’d absolutely love that. But when I was planning my career, once I got into, you know, not sure where I was going to go. And then I got to a point in my life where I said, you know, success is not an accident that I do need to take some ownership on my own career, I started thinking about board work. And this was I will tell you, it’s probably maybe 20 years ago, when I was working on my MBA when I started thinking about after I retire, you know, what about board of directors? Is that something that maybe I, you know, could do. And there’s a lot of work that goes on alongside in order to be prepared for that type of role. A lot of it and we’ll talk a little bit, Jodi, we thought maybe we talk about this a little bit later, and a little bit more detail. But one of the things I also encourage individuals, if they are thinking about that is what are some of the nonprofit boards that you can get involved in today, to learn about governance, to learn about maybe your your specialty isn’t finance, maybe you get in a finance committee on a nonprofit, you know, so those are things I did, I started very early, you know, I always loved I’m a hand raiser, I’m always raising my hand to jump in and to be on different committees and boards. So I got involved in a lot of nonprofit boards, whether it be you know, my son’s, you know, PTA or drama club, and then you know, and then on to larger nonprofits throughout the organizations in the cities that I lived in. So all this, this is all, you know, additional learning that I can do to prepare myself for Board of Directors roles, in addition to my privacy experience, which we’re going to talk about more later. So I’m sorry, I’m all over the board. But ultimately, I’d say how did I get here today? I didn’t do it alone. I had so many people supporting me along the way.

Jodi Daniels  8:02  

Sure, do you? One of the things I think is really interesting is a lot of people are interested in privacy. And sometimes they think Chief Privacy officers have to be attorneys, which your career arc just showed you. You might have had a start in as a paralegal, but not necessarily as, as an attorney, the business skills of an MBA really helped prove to be helpful and understanding the overall process. So for people listening, I’ve worked and seen many Chief Privacy officers that are not attorneys, and I think there’s a place and room for both.

Judy Titera  8:36  

I completely agree. I completely agree. I think, uh, having that understanding of legal is critical. Right. But I would say the majority of the work that we do as Chief Privacy officers is operational, understanding, you know, the technical side, and the, you know, the strategy side. And so, so, I, I’m, I’m an advocate for Chief Privacy officers, the non attorneys, I think they bring a ton of value.

Jodi Daniels  9:04  

To be successful in the organization. You just talked about how you had a lot of people support you along the way in your career and for privacy professionals to get to be successful in accomplishing the goals in their program. They really also do need executive support. And sometimes that can be a challenge. As a former chief privacy officer, can you talk about your role with working with executive leadership? 

Judy Titera  9:27  

Sure. In this, this is a fun story, too, because it’s changed over the years when, you know, starting off in the early 2000s. Privacy was not front of mind. It was a you know, it was a check the box, you know, I worked in an organization that was required to have a privacy officer under HIPAA. So it was like Okay, check. We have that right. So when I would meet with executives, they’re like, you know, I got other things on my mind. You know, this is not top of mind. Fast forward to today. Executives, no matter where they said I should be thinking about privacy and many of them are. So it’s a much different story that I find working with executives today. So rather than me going in, and you know, here’s just, you know, little piece of advice that I’ve used, and you know, what some of the people I’ve been mentoring is, look, if we’re looking at an executive, and digital, I think is probably a big area, right? A digital or marketing, our, you know, maybe even a sales, helping them, you know, they’re going to come to me, and they’re gonna say, I want to develop this tomorrow, what do I need to know, so I’m compliant with privacy, right. So also spinning that a little bit by saying, helping them educate themselves. So they know what some of the privacy barriers are, and many of them are starting to see that. So one of the things I’ve been doing with executives is sending them webinars from IPP or other areas on like, Oh, here’s a, you know, a webinar on privacy and HR for the HR executives, maybe have that. Make sure that your entire team sees this or have initiatives for your teams to have privacy, understanding privacy, going to webinars or going to conferences. So not only building that relationship with them, as I’m the expert, and I’m going to tell you what to do that helping building that relationship with the executives that were in this together. There’s so much you know, the expertise in your area. And here’s how we together can make sure that we’re compliant with privacy, that we’re thinking about trust and customers, that we’re really, you know, building that bridge of partnership rather than my expertise. Hearos expertise, and hopefully it matches.

Jodi Daniels  11:48  

Mr. Quiet. Here, even after lunch. 

Justin Daniels  11:59  

No, not at all. Just blown away by my thinking, but as you talked about, you know, things have evolved where yes, board of directors are taking a keen interest in data privacy. So at that level, what are some of the important metrics or topics privacy professionals should be thinking about and preparing for for a board meeting? I mean, security has the same issue. 

Judy Titera  12:22  

Yeah, yeah. No, I think that’s a great, great question. So, you know, when you think about your board of directors, you know, think about what they’re they’re doing, I’m preparing right now for for board meetings I’m reading over I mean, well, over well over 500 pages of detailed documentation about the organization, about the strategy about the finances, about to compliance, right. So I mean, we are spending a lot of time deep diving in this. So my fiduciary duty as a board member is to make sure that the organization is sound, that the organization is doing the right things, that we’re continuing for the long run, as an organization, and do that, do that? Well. So when we start looking at things like privacy, so having, you know, for my privacy seat, privacy is the most important thing in the world, right? I mean, I know, you know, like, I know it, I love it, it’s like without privacy, the whole place is going to fall apart, right? But from a board of directors standpoint, that’s one one of the agenda items out of 100. So how can I make an influence? You know, what does that board need to know? And how can I make impact on there? So when we’re talking about metrics, it’s not only we had 75 data breaches this year. Okay, that’s good. Is that? Is that a lot? Is that not a lot? Why are you telling me what, you know, we don’t — what should I know? So it’s, it’s taking what you know, and what you have in your organization? How mature is your privacy organization? What are the things that you’re seeing? What are the trends? What is trust important to your organization? As far as privacy? How do we show that we are increasing our trust because of privacy? Or maybe it’s going down? Maybe you’re working with some other areas? Your communications department’s social media? Are they trending? Are they hearing different things that we can bring into our privacy program as well? So as we had maybe there was a breach that impacted X number of people, you know, how did that impact our trust levels on the organization? So, so, you know, bringing it back to, you know, what do you want to tell the board is, you know, do you have a program, you know, what, if you’re just starting off, how mature is it? Where, where do we need to improve? What do I need to improve it and why? And then next time when you come, okay, I was here, I’ve now improved, you know, but I didn’t hit these marks that I thought it would, why not? Was it resources? Was it other initiatives? Was it important? Is it really bad that we didn’t make it or is it okay that it goes on further? So really thinking or trying to put out a little bit more strategic hat, when you’re talking to the board of directors on what they know how you can help them to help you in the long run. 

Justin Daniels  15:11  

So really the why, of what you’re showing them. So you talked about in that example, talking about, you know, if you had a data breach and so, in your experience, how often it is that the CISO makes a board report, the CPO may make a separate board report and what is the, I guess, overlap between those two? Because if I were a CPO, and maybe Jodi may correct me, you will enjoy that that may be talking about breaches is not what the CPO wants to do with the board, they’re gonna say, hey, the CISOs coming up to talk about that bag of stuff.

Judy Titera  15:50  

Number one piece is see some Chief Privacy officers should be best friends. And when we’re preparing our board reports, we should be talking. So the last thing you want is two reports that either duplicate or are not consistent between the two. So that is a critical piece. I, you know, also maintain that, you know, other areas if I was talking about trust, making sure I’m talking to my community, my communications team as well on what I’m reporting to the board. So. So that’s number one. I think that’s one part of the question, but I think your second part is who reports it, right? Who reports breaches, I think that that can be a combination, right? So CISO might be talking about how many times we’ve had a cyber incident on the privacy team might be talking about how many times we you know, Miss delivered mail or we you know, we had, you know, an outage, that was not a cyber incident that caused an issue. So making sure that there’s an alignment and definition around what we’re talking about when we are talking about breaches.

Jodi Daniels  16:52  

Community, one of the pieces that you talked about was how a board member has 100 different things to think about. And the privacy and security people, they’re so detailed. And that’s all they do all day. So of course, everything is incredibly important. And what I wanted to share was early in my career, I had learned to be able to summarize and get the other side to understand why what you’re talking about is so important. And to put it into their language in their terms. And if you think about all the different departments, they’re all coming with, everything is critical and important and on fire right then. And you also mentioned at the beginning how privacy is really, you have to understand everything about the operations of a company, it’s incredibly operational, which means the privacy person can then articulate how it has a financial impact. It has a marketing impact, it impacts our sales and impacts our customer support, how all of that is interconnected. And I just wanted to share that really for the audience and get your thoughts because I think that’s another piece to help the privacy piece not just be one more kind of burning fire. But to really help elevate the conversation, make it strategic to get that bored person out of 99 other topics and to pay attention to this one.

Judy Titera  18:11  

Yeah, I think that’s that’s that’s spot on. And one of the other pieces too is to work with. Maybe we’re working with our digital team, and they talk about privacy within their report as well. So it’s not so it’s not just only my silo. But it’s been talked about as this is overreaching throughout the entire organization. So I think that’s a great point.

Jodi Daniels  18:34  

I like that a lot. Now. CPO privacy person is talking to the board, what kind of questions should they anticipate receiving?

Judy Titera  18:43  

Yes, I think one of the questions that is really important is, you know, what are so when I talked about, you know, what are the most important risks are what are the biggest risks you’re seeing? And what I don’t want to hear as an answer is AI. Okay, so what why AI? What does that have to do with my organization? What does that have to do with the, the, you know, with what we’re looking at? Oh, you know, because personal information might be misused. Okay, so then I’m gonna go further. So why is that important? What does that mean? How does that impact us on the bottom line? Okay, so I’m going to continue to drill down on that. So to proactively do that, let’s start thinking that the board is going to be asking those questions on what is the most important risk to our organization. And we may say, number one is losing the trust of our losing the trust of our, you know, our customers, and that could happen by these different things. This is what we’re doing about it. This is the risks, the barriers that I have to get there. And here are solutions that we’re looking at today, in order to get there. So you know, Start thinking, not just one answer, start thinking, the five questions that they’re going to ask and be prepared to kind of come ahead of when they’re asking those questions, because the board’s going to, you know, really wants to know, you know, not only, not only you know what we’re doing, but do we have the right team in place? Right? Do we have the right, you know, do we have leaders who are thinking strategically? Are they working, focusing on the right things? How are they showing that to me? And how are they showing up for their employees, the employees in the organization overall? 

Jodi Daniels  20:38  

Those are some of the things I’d be prepared for, you know, what comes to mind this night? So the kinds of shows that we’ve been watching a lot of comes to mind a shark tank, and how you, those that get gobbled up and the Shark Tank, we’re not prepared to be able to answer the questions about their business. They didn’t know their numbers, they didn’t know, you know, some of the basics that you might think. And as you were explaining, being able to prepare really thoughtful answers. It seems that’s what Privacy/He And this is true. I would say, for anyone listening, it doesn’t have to be just a board, it could be an executive suite of people who are asking you the same questions. Not every company has a board. And so you want to be able to be prepared for those same types of questions. So anticipating and preparation, I think, is critical. And Shark Tank is cool. Right?

Justin Daniels  21:30  

You talked a little bit about customer trust. And I was wondering if is that like a key performance indicator that a board might look like to look at? And I guess if so what would that measurement look like? Because sometimes where at least I struggle from a privacy perspective is we see all kinds of data breaches. And I’ll give you one as an example here in Atlanta, Equifax, they had a horrendous data breach. But with Equifax, we have no choice. You can’t take your business away from Equifax, if you want to get credit. They’re one of the three reporting agencies who pulls your credit. So I’m wondering if you could talk a little bit about what that key performance indicator might look like how you measure it, and maybe we’re not quite there where it’s the right one yet? I don’t know.

Judy Titera  22:22  

Yeah, no, that’s a great question. And I think one of the things to think about with looking at trust, it’s not just data breaches. So data breaches is one app one, just one aspect of when we’re looking at trust, are we being transparent with our customers? Are we doing what we say we’re doing? You know, I can go like the most extreme right? Many years ago, Facebook sharing information with another party that we didn’t, we didn’t realize that that was happening, right? They weren’t being transparent. They didn’t know they were sharing information with a third fourth fifth party. So helping to build that, like, yes, we are going to have breaches, you know, and that’s the name of the game, right? Things are going to happen. But that should not be the only thing you shouldn’t know, and we’ve seen over time, that that doesn’t erode trust completely of an organization. But what else can we do? What else? How else can we share that story of what we’re doing and being transparent, and join what we say? Natalie saying it but doing it. So internally, having those mechanisms in place all the time.

Jodi Daniels  23:31  

My favorite phrases, say what you do and do what you say.

Justin Daniels  23:37  

My favorite phrase in cybersecurity, “scaring is caring.” That’s a good one.

Jodi Daniels  23:45  

Wonderful kids book, shark.

Justin Daniels  23:47  

See Jodi doesn’t like the one I have for privacy, which is sometimes when they want to collect your data. Just say no. And Jodi’s like, nobody knows where you’re coming from. But I bet you do. 

Jodi Daniels  24:00  

Well, some people do. But there’s an entire generation that has no clue. Yeah. So your age, but that’s okay. Wow.

Justin Daniels  24:12  

Ooh, she got me there. So for a privacy professional who is interested in getting more involved on a board of directors, what would you tell them and how should they get started?

Judy Titera  24:25  

Yes, I think that’s a great question. So I talked a little bit about it in my opening. When I first started thinking about the board of directors and I would talk to individuals they’d say, privacy, privacy professional, we’ll never be on a board of directors. We want to be CEO, you want to CFO you know, you have your little silo and that’s great. You know that. That’s the way it is. After, you know, Facebook had a large incident, they were required to have a Privacy Committee on their board of directors. And I was like, yes, that’s great. So That’s we’re starting to see more opportunity. But I maintain that, again, what we were talking about earlier, is a privacy officer or chief privacy officer especially needs to understand the entire organization. So we are in a position unlike many other areas of any organization, where I need to understand the strategy of the organization, I need to understand the front desk who’s checking IDs, and, you know, what do we have going on? I need to know what’s going on in the mailroom. I need to know what’s going on in digital innovation. I see So has to be my best friend, the data governance team has to be my best friend, the salespeople, underwriting whatever, you know, frontline backline, everyone, privacy officer sees and hears and understands risk. In a, you know, holistic view, we understand we are advisory roles across the entire organization, we have to be you know, just really understand that whole picture. So similar to maybe a CEO. All right, so, so what I talked to privacy professionals about considering going into a board of directors role, it’s helping others and understanding that, that yes, I can tell you, you know, everything you want to know about privacy and cybersecurity, you know, all these great things. But I also understand strategy, understand how the organization’s run. So that’s one aspect of understanding our skills and what we bring to the table with that view. And then the second piece I had mentioned to is really, for someone who’s considering that really start looking at opportunities, if you haven’t already on nonprofit organizations, understanding corporate governance, so in a nonprofit, you know, how, you know, what is the finances that you need to know what is, you know, how does board governance work. So all these skills that you’re learning, in addition to the work that and value that you bring, comes together into a really nice portfolio, that we’re able to then say, to the organization, “hey, this is what I can bring to the table. And I can help you see things that you might not be able to see, I can ask questions that you may not have thought of, and that, you know, just that’s part of the packaging, that I don’t think a lot of people have really thought up.” And I may have mentioned that I did have a lot of people say no, right. And I, that’s a motivator for me. I don’t know about anyone else. But if someone tells me I can’t do something, I’m like, oh, yeah, let’s see. So that’s another piece of it, but happy to talk to anyone you know, I usually give information on LinkedIn, if you want to contact me, I love talking to individuals who are considering, you know, board work or other type of mentoring. 

Justin Daniels  27:54  

I’m just happy to connect with anyone who’s interested in that duty for the amount of how well you know, our podcast, maybe we should have a guest co-host? 

Judy Titera  28:01  

You know how pretty well, I wasn’t all the time. Do you have great guests? That’s wonderful.

Jodi Daniels  28:08  

Thank you. Well, so then you also know that we always like to ask everyone, given all the privacy or security knowledge that people have, what is your best privacy tip that you might offer the non privacy people in your life?

Judy Titera  28:23  

I know, it’s probably been said more than once. And it’s kind of a “just say no” thing. It’s a felony? Yes. Right. Yeah, it’s yes. You know, good on hygiene, I like to call it going and turning off all those microphones, turning off all those location devices, turning off. You know, it’s just, you know, it’s fun talking to like a great aunt or, you know, like someone just saying, pull out your phone. Let me show you, you know, what’s, what’s going on behind the scenes and what you have control over. So those are just kind of fun things that I’d like to do at parties.

Jodi Daniels  29:00  

I recently did a phone cleanup, and it was so much fun. Yeah, I did. I cleaned. I had all kinds of kids apps that I had for when my kids were younger, and they’re not the same age anymore. So I got rid of them all. And then I was just on a mission. I downloaded apps that I thought, “well that would be interesting.” I haven’t used them at all. Jodi’s so much fun. You subtract organization to gang. Alright.

Justin Daniels  29:25  

So, Judy, when you’re not doing your board work, and you’re consulting, what do you like to do for fun?

Judy Titera  29:31  

I am. I started something new just recently, I’m watercolor painting. And this is what I call my trend to slow my brain. And I’m a recovering perfectionist. And if you’ve ever watched watercolor, the water just takes the paints wherever it wants to go. So it’s never perfect. And the final solution is just what it is. It’s been a great you know, meditation In that time for me, so that’s been one of the things I just have been loving doing recently.

Jodi Daniels  30:05  

My daughter loves watercolor and all things painting, so she would certainly agree with you. 

Justin Daniels  30:10  

Well, I had a taste of time. 

Jodi Daniels  30:12  

Yes, yes. For Justin calls quiet meditative time. Yeah. Well, today, you mentioned being able to reach out on LinkedIn. Is that the best place for everyone to learn more? That’s the best place. Yes. Wonderful. Well, I highly encourage everyone to connect with Judy. It’s how you and I met? Yes. How do we meet LinkedIn? It all goes back to LinkedIn. Judy, thank you so much. This was a really fun and interesting episode. And I want to remind everyone I know I said it. But this content doesn’t have to be just for a board. It really can apply to any executive leadership that you need to explain and convince. So thank you so much for sharing. 

Judy Titera  30:50  

Well, thanks for having me.

Outro  30:55  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.