
Intro 0:01

Welcome to the She Said Privacy/He Said Security podcast. Like any good marriage we will debate, evaluate and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:20

Hi, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and a certified informational privacy professional, and I help provide practical privacy advice to overwhelmed company

Justin Daniels 0:36

Hi, Justin Daniels here, I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I do that through identifying the problem and coming up with practical solutions. I’m a cybersecurity expert and business attorney. And this

Jodi Daniels 0:54

episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology staff, ecommerce, media agencies, and professional and financial services. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there is greater trust between companies and consumers. To learn more, visit redcloveradvisors.com.

Justin Daniels 1:29

And I’m like surrounded by the C-suite today. I have here and we have Jana Schmidt with us today, who’s an active board member of Girl Talk Inc, a nonprofit dedicated to inspiring all girls to be confident leaders through peer-to-peer mentoring programs. Throughout her career, she has served startups, midsize and mature FinTech and martech companies in the financial services, payments, retail and energy industry. Her expertise lies in building and leading world-class leadership teams to create and execute strategy for short and long term value. I give you, with no further ado, the C-suite. But Jana Schmidt, good morning, Jana.

Jana Schmidt 2:08

Good morning, Justin. Good morning, Jodi. I’m proud of what you’re doing with your women-led business and attacking privacy from your unique perspective. So congratulations on your business. And Justin, it’s so nice to meet you. I’ve heard great things about you for years. And one of the things I would note is I am also on a board of a public board, WebBank, which is an industrial bank that supports a lot of fintechs and their need for a bank charter. So I get to see how a traditional bank, industrial bank in this case, helps provide services to all of these really innovative FinTech companies, and how they are leveraging banking services in the US in particular, and in providing the services to people who want untraditional banking relationships or need a different level of access to credit or, you know, or what we call the alternatively sir, they’re just looking to do things differently. So and that really entertains this notion of cybersecurity for sure, when you’re looking at FinTech and how it connects into the banking system.

Jodi Daniels 3:14

Absolutely. I can’t imagine that that keeps you and the company very busy. It does.

Jana Schmidt 3:19

You know, cybersecurity, you know, in all honesty, I’ve got to disclaim that my husband is the CEO of a cybersecurity company that provides managed services. And so listen, this is something that I get in my private life all the time. But in my public life as the CEO of two big data companies, one was energy impact, we had energy data from 700,000 US buildings that needed to be protected and needed to be managed and stored and leveraged properly. And then as the CEO of Harland Clarke, where we were doing business with them 8000 financial institutions with enormous amounts of private data are the importance of taking care of that data. And that scenario was huge. And in fact, our entire reputation rested in both companies on us doing it well. So this was a C-suite topic all the time. And as a board member to CC, it’s a board topic, but I think after 2020, it’s going to be even more so. So I’m glad to talk about it because I think the implications of how we do business and the way we treat data and protect our customers’ information is going to become an explosively more important topic as we move forward.

Jodi Daniels 4:34

Well, I’m just first though excited that there’s another house that talks about privacy and security as much as our

Jana Schmidt 4:40

house. Oh my goodness, yes. Anything I do I get told how weak my password is and what stronger, like I’m just on nordstrom.com and he’s my husband’s over my shoulder. You know, assuring me of what I’m doing wrong all the time, so I can’t escape him.

Jodi Daniels 4:57

Well, wonderful. Well, let’s get started with understanding a little bit about how you found your way to the CEO roles talking so much about data privacy and security, so I never unwind to the beginning of your career and kind of help us understand Jana, and what you’ve done along the way. Great.

Jana Schmidt 5:19

I grew up on the sales and marketing side for, you know, some 20 years of my career, but always had a strong interest in operations. And I got a lot of education in Six Sigma and Lean, and things that really helped me to understand how ecosystem works. So whatever I sold, and however I sold, it had real implications in our ability to serve our customer well. And that’s really where my heart lies, is in the market and serving clients well. And the ability to manage data in that quest wasn’t something I thought about in the 90s when I was in sales, or even in marketing, as I took over as head of sales and marketing. But as I took over operations and ultimately became the CEO, I knew one thing, that our clients’ trust was at the heart of what I loved. I love doing things that make my clients better. And I started to learn the risk associated with improper management of data. And for me, there would have been no greater heartbreak than to disappoint my clients and to lose their trust, because we didn’t do the right things right when it came to handling data. So I grew up in sales and marketing, took over operations in the early 2000s, and became CEO, ultimately, in 2014, of the energy analytics company, and then came back to Harland Clarke in 2017, at least to Harland Clarke, I mean, we’d have major banks that you would know their names, and we would have their teams show up and spend four or five weeks on site doing end-to-end testing of our data practices. And it became a competitive advantage for us because when you have tier one financial institutions signing off on your data practices, it became a real sellable asset for us, you know, talk about we do the right things right. But I think all of us have to take a big step back after the SolarWinds, Microsoft Exchange attack we saw just recently. I don’t know that I’m reading this book, Think Again, by Adam Grant, I have it right here.
And I’m, as the CEO and board member, I’m telling you, you can become very pat yourself on the back because you think you’re doing the right things right. But the question is, have we thought of everything? And I think that’s going to be the quest as people are digitizing everything right now. Have we thought of everything? And my guess is we’re gonna have to think again about it, and start back with legacy systems. As a CEO, you know, you’re looking at a capital budget for the next year. So for 2021, how much money do I spend on innovation and new products and new technology? And how much do I spend on technical debt of legacy systems? And I can tell you, all the fun stuff is in the innovation and new solutions, but all the risk is in those legacy systems that you don’t want to spend a lot of money on. They’re not doing anything other than, in some cases, you know, keeping the lights on or running old products and services that you haven’t sunsetted, but they are where the risk really exists in my mind. And the things we don’t do enough with that we’re gonna have to spend more of those precious dollars taking care

Justin Daniels 8:24

of Jana, it’s interesting to hear you say these things, because it’s so consistent with the view that Jodi and I have that cybersecurity and privacy are strategic business enterprise risks. And you talk about SolarWinds. And I know you’ve represented companies, from startups to mid-size, CEO of large companies. And so I’m going to ask this question, which is, given what you understand, why is it then in the last three months I’ve handled three different ransomware events and their incident response plan amounted to we’ll call Justin and we’ll figure it out when it happens, opposed to your very proactive approach from a C-suite. As you well know, you set the tone for the organization. If it’s important to Jana, and she communicates that the organization it’s important to the organization, yet we seem to have this disconnect at that level. Any insight you can provide, because you talk to other board members in C-suite, what is it that maybe I’m missing?

Jana Schmidt 9:18

I don’t think you’re missing anything. I feel like because actually had a ransomware attack at my, one of the companies I was co CEO of, and it’s paralyzing. And it is so dangerous and you just don’t believe it can actually happen to you until your code is being held hostage and ransom. And I think that, you know, what do they say, there’s some percent of learning you can have from seeing, there’s some percent of learning you can have by hearing, and there’s a huge amount of learning you could have from experiencing it. Sadly, experiencing it is something that makes it go from the CISO, the chief information security officer’s, to the CEO’s plate. Also, I think the new laws that came out around data management in California and New York and all that, that became a tier one project for our organization, because the implications were so high if consumers complained about the way you’re managing their data, and the penalties associated with that. There was really just a great unknown, like, could this paralyze your company, if you know someone asked you to delete all of their information, and you miss one legacy system, and it’s somehow exposed? And what are the implications of class action lawsuits and that kind of thing? I do think that that, sadly, made it more of a, you know, we don’t want to have risk, and we don’t want to have a known exposure. And those California, New York and of course, out of the European Union, the privacy laws that came, they started really becoming very known risk. But having had a ransomware attack, like you said, Justin, I probably would have had that just call Justin and see what he says. But in today’s environment, you have to have a full action plan, just like you would disaster recovery, you know, site goes down or whatever, what are you going to do when these malware or ransomware attacks affect it. And by the way, it’s your ecosystem too, so it may not affect you, your company, but it is a supplier in the ecosystem.
Those connected parts affect you just as much. So what are you going to do? And how are you looking at their plans for attacks because data is now housed in you know, we serve our customers in a very API oriented COVID z ecosystem way. So how are you looking all that end to end point? That’s not easy. And we’ve got to get a lot smarter about it.

Justin Daniels 11:40

There’s marking I know because I, I know who she’s married to. I know what he does. And with your experience, I can only imagine the conversations Geneseo. Yesterday at our school, Jodi was en route and they said and I got a text saying, hey, there’s been a gas main break, comeback gas leak gas. And Jodi’s like, I didn’t get one. And my first thought is, of course, that someone hacked the school’s communication system found going

Jodi Daniels 12:07

round and round and come back, go to school come back. That is how our house thinks is yes, there’s there’s a hack.

Justin Daniels 12:16

And then we posted on Facebook as a joke. And then people was like, I had never thought about that. And then I realize, once you get out of your little cybersecurity bubble, and you talk to people who aren’t immersed or haven’t suffered ransomware, or as educated as you are, you just have this disconnect until, of course, you have the ransomware. But yeah, I guess I want to shift gears just a little bit and talk about what you’re doing now. And you know, you’re a board member of Girl Talk and love to get your perspective on why it’s important to you as a board member to help girls be aware of cybersecurity, when they’re online?

Jana Schmidt 12:49

That’s a great question. In fact, probably something we need to talk more about at Girl Talk. At WebBank, we talk about it all the time, because you think about the banking infrastructure, and actually they’re extremely responsible, and it’s that end-to-end testing at WebBank that I know that they’re thinking through it all the time. But you know, when it comes to our personal data, and the way we share information online, and the ability to create deep fakes, and social engineering and all of these things, boy, isn’t it scary what can happen to us and sharing personal information. And in today’s society, even if someone was able to embed a deep fake or something that is attributed to your social network, somehow, you know, jobs could be lost, all sorts of things can happen. So it doesn’t even have to be that you said it, but are you exposing yourself to it by sharing too much information. I love someone, actually, our daughters. Listen, I’m married to a suspicious, cynical person when it comes to this stuff. But I wonder if there is I share it too. And I saw one of my daughters on Facebook shared one of those words like tell us about, you know, your first house and all that. But in it, she was like, and the hackers love this. So she was actually saying, this is why it’s so stupid to do that. So I was so proud of her. I thought, this is a growth moment for our family where our kids are actually sharing themselves, how social media can overshare information that creates the ability to do reconnaissance. In fact, God you shared an article today about metadata, and the ability to do reconnaissance on PDFs, and even Excel, and how much information we leave out there that can be brought together to aggregate and create almost absolute knowledge about a person. So with Girl Talk, actually, you’re making a really good suggestion, Justin. We talked about financial literacy.
We talk about networking, we talk about, you know, creating women, strong women leaders, but what we have done is move Girl Talk from an in-person setting to a digital one. So the discussion about digital protections, it would be an amazing addition to our curriculum for Girl Talk. So I’m really glad you suggested it. I mean, I will give you credit for it as I have a board meeting next week, and it’s an important thing for us to discuss. Yeah, I

Jodi Daniels 15:15

mean, with us, we have two girls who are, well, a young one and one itching for a phone and talk, well, just any type of a phone. And were any of the types of devices that they’re using, whether it’s for school, or just basic communication with people, we’re, as you would imagine, a little bit hypersensitive to how she’s engaging. But the knowledge and the peer pressure that the girls today are going to have as well they have, you know, everyone else has a phone. And of course, she wants the phone, but then everyone else is going to be on TikTok, or insert the latest trend of whatever that is. And to help create that education much like how your daughter knew to not share that information on social media, that’s the same situation we need to have here, is how to get them to understand the risks are real. It’s not just these annoying adults sharing all of these types of things. But to kind of break them from the attachment, which is a whole different conversation, is truly the privacy and security risks, because you can’t erase them, they’re here, the trail follows you, like we’ve talked about with the metadata, it follows you wherever they are. So it truly is a really, I mean, I feel very passionate about this particular topic and protecting kids online. And I think especially girls, I think they’re

Jana Schmidt 16:36

I agree with you, I agree completely. And honestly, it’s something we need to do more about with than our family. But sharing podcasts like this with our girls to show how it can actually happen. You know, I think to share the consequences, again, you can only learn so much, but to see how easy it is to download a game that has ads and things that are totally inappropriate or to accept an invitation from someone. I saw a deepfake yesterday that had, it was a girl that looked like a girl and she was maybe in her late teens and she had all these millions of followers or whatever it was. She was actually a he, and it was a 50 year old man that was posing as this girl. But I mean, you could not tell it, and I think, how are we in the world? Are we going to teach people to not trust their eyes? You know, and to? So how are we going to see that deep fakes and that how unreal they are when they look so real. And so it’s almost like our senses are not good enough to trust anymore. Because things can be, you know, we were talking about Zoom, how we can make ourselves look better. I can apply fake makeup, or whatever it might be. I mean, how do you trust what’s real? And how do you teach people to have that suspicion when it’s so prevalent today?

Jodi Daniels 17:56

Oh, my lipstick is back. And I haven’t done

Justin Daniels 17:59

the AI. You know, Jana, based on what you’re saying there, I guess I want to ask you a question. To get your perspective, we’re talking about the deep fake because obviously we’re talking about technology. And you’ve worked in multiple businesses that have leveraged technology to have a competitive advantage. But at the same time, we have what I like to call this inconvenient necessity of managing privacy and security. And this deep fake is a great example because that technology exists that can be used for both positive and negative. And so from your perspective, how do we drive this growth? Because companies are going to continue to use technology but yet find a better balance with the privacy and the security that are inconvenient, but very necessary?

Jana Schmidt 18:45

Yes, I, that’s like I said, when you’re sitting with a capital budget, and you’re saying how much money can I spend? And traditionally we’ve said, Okay, how much is going to go to technical debt into maintenance of old systems, that kind of thing? And how can I make that as small as possible, so I can invest as much in, you know, creating new technology that advances my company, and helps me grow and sell more services. But it was historically when the CISO sitting at the table, it’s like, how much can I give you that meets the need for a more secure environment, but not $1 more? That has been, I think, our historic approach. So it’s okay, here’s all the things we could do to protect ourselves. Okay. And here’s a rational amount of that, you know, and I think this is good enough. But as we look at some systems residing in legacy applications on premise, other things moving to a private cloud, others moving to a public cloud, or some hybrid of that, the CISO is going to have such a more difficult job telling us where it is enough to spend and not $1 more because there’s so much unknown in that. So I think that CISO you mentioned earlier is and now a C-level. It’s not like under the CEO or the more push down CEO needs to know exactly what they’re, what’s happening internally, privacy and security, because it’s their job. I remember when Target got hacked by that, I think is the HVAC person who had access in, you know, I trembled a bit at that because I thought, first of all, I was at the energy analytics company and we did business with companies like that. And I thought, is there any way our software which resided within their systems could allow for some backdoor attack, so you can do number one is like, Oh my goodness, because that happened to us. Number two, that would be my job, right. And in today’s environment, with CEOs, it’s more, you know, it’s so much more complex. So I don’t know that as much as their job.
It was with the Target hack, which seemed very linear to you had an attack, the CEO is gone. I mean, the Microsoft Exchange attacks, Satya Nadella is still there. But I think he’s ringing in the warning about the complexity of these hacks, the importance of patches being applied, and that that CISO needs to sit at the table and tell us, you look at all these systems, this is how much money it’s going to cost to protect it. And the risk is far more real. I would say it’s not some, it’s not just like life insurance, when you’re in your 40s, it’s fine to have it, probably not going to need it. With the type of insurance we’re talking about that comes from security and privacy practices, chances are really good you’re going to need it in some way. And so you’re the spend is going to go up, and that is going to be a tougher thing. Because does it mean innovation happens more slowly, because we’re having to divert costs, or we’re gonna have to match costs and security with that innovation. But also guess what, those legacy systems that we do as little as we can maintain, those are probably more scary where the risk comes from. And so as CEO, one thing that you do is too often you keep those legacy systems because it actually, you may only have one or two people running them, they don’t cost much to maintain, all your costs are depreciated, you just kind of hang on and hope they work. And as I’m the CEO, again, a company, I’m going to get rid of that stuff, like I’m going to have to spend the money to get rid of it, because it presents every day risk as some kind of cyber attack because you’re not maintaining it the way you should, in too many cases. And so it’s not a matter, keep it at perpetually, because it’s all been depreciated. It’s sitting there as a cyber risk attack, cyber risk, and you got to get rid of it,

Jodi Daniels 22:15

I have to say, hold on, you say you want to stay at the same time, I know we’re both so excited go, I have to, I have to say, I really liked how you recognized and are pointing out to people. So often people are looking at the cost, just the finite technical cost legacy system cost us to remove and replace, that’s too much, we won’t do that. But instead the cost and another side of a potential risk that is greater than the technical piece. And people really need to understand and pay attention to that. That’s a very different philosophy than I think many people are thinking. And I’m really excited that you highlighted that. I

Jana Schmidt 22:55

I was there I just saw PwC just came out with a report yesterday, at least I saw it yesterday, may have been out sooner. But it asked CEOs globally what their greatest concerns were, and the number one was health pandemic related. But number two is cybersecurity. And that to me was a bit shocking, to be honest with you, is like way more than climate change. Climate change did increase but not that significantly. As much as we’re talking about it in the news, I thought that there would be a much greater appreciation for investing in climate change based on that. Cybersecurity, number two, before taxes, before policies, that tells me we all are recognizing the complex nature of this ecosystem and how much risk there is if a SolarWinds is sitting and has been, what was that, it was nascent for a year or more before they noticed it, that they’re probably as good as any of us at looking for that stuff. And they didn’t detect it. What are we doing? It was a real wake up call and for it to have moved up that much. And that report, CEO report, was a bit shocking. What did you think of it, Justin?

Justin Daniels 24:00

I guess, Jana, from my perspective, and I deal with a lot of companies who aren’t fortunate to have someone who thinks about security the way that you do or even has a CISO. And so I thought it was interesting, but I still see a gap with a lot of companies between what they say about security and what they actually do when it comes to implementing things, because you can’t have policies and procedures and write your way to being in a good place. You have to just roll up your sleeves and do it, and I still feel we have a persistent gap with that. And that’s why getting your perspective I think is so refreshing. It’s how do I get other people in the C-suite at other companies to think more the way that you do, and unfortunately, in my experience, the way that happens is once they’ve had ransomware they are reborn and how they think about security, because to your point it is paralyzing. And the thing that got me when you talked about your last comment about the legacy systems, I have a ransomware case in the last three months where there was a server circa 2003, and you can’t put any kind of threat endpoint detection on it, because nothing will work with it, it’s just too old. So now you have this legacy system to your point. And now if you get into an area where you’ve got to go and find out how the threat actor got in and where they went, you can’t get any window into that system, because there’s nothing that will work with it just flat out.

Jana Schmidt 25:27

Yes, I mean, OBD, six systems we built in the 90s, and all of that. And that’s why I think, like I was saying, you know, when your cost benefit analysis of shutting one of those systems down, it’s always tipped towards and just let it be. It doesn’t require much, but it’s just a sitting time bomb may be too strong a word. But like you said, I mean, I think investment in security monitoring and tools is essential. But some of these systems simply don’t even allow for it. And in many cases, the people who built them don’t even work there anymore. So how do you, you know, disassemble and disaggregate where it could have happened where you have people have very little knowledge of the system anymore. So to me, that’s going to be a big priority for us, you know, in business is to reduce our risk, not by just putting security monitoring on top of that, but by getting rid of the risk, getting rid of those systems, and it’s going to take a chunk of money, and does that slow innovation, I don’t know. But some of the digital tools we’re using, I hope, as we’ve digitized could reduce the cost to serve our customers, and some of that reduction in cost can be redeployed towards cybersecurity.

Justin Daniels 26:39

So given who you’re married to guess, I’d love to hear your thoughts on what your best personal cyber tip is for our listeners.

Jana Schmidt 26:49

So really and truly I think that what I do know and what my husband has pounded in my head, but I’ve also experienced firsthand as a CEO and as a board member, is that humans are still the greatest risk. Those emails that come to ask someone to go buy Apple gift cards, all of that, we would do things all the time to test our employees and how many would act on that. And you know, there was one case where I personally was like, I’m going to get dressed because, you know, my CEO at the time of the holding company asked me to go get something, it was like not unusual for him to ask for weird things like this because we are in retail services, and my husband’s like, let me just look at that first. So anyway, when I think about it is about what do I do personally, and I do think passwords are such an important piece of it and I do get like the how strong my passwords are. And so I think with my kids and all that we have a regular conversation about changing our passwords, you know, your dog plus your birthday and how risky that is. And so my personal tip is having great, great passwords. I think that’s the thing I think about the most because it said again that reconnaissance, their ability to piece together where I’ve used different pieces that gives hackers so much access to the total me, and so how do I make that as hard as possible for them to take all those disaggregated pieces and compile them to a picture of me

Jodi Daniels 28:19

well when you are not managing privacy and security?

Justin Daniels 28:23

Yeah husband isn’t talking to you about yes weakness of your password because you have to show no weakness. Exactly,

Jodi Daniels 28:29

you know it What do you like to do for fun,

Jana Schmidt 28:34

I first thought I’m that husband of mine that I’ve talked about I love him to get deeply and I love being with him and during this pandemic we have started walking all the time I’ve got two black labs both of them around here somewhere and so we walk most every day and I cherish that so much we love playing tennis. We do that a lot. We’ve you know we’re just trying to focus more on our health and on our appreciation for this blessed life we live and get out of get away from the news away from you know, sedentary habits that come from working too much and try to remember to take better care of ourselves so it’s what we do for fun but it also is you know investing in our own our own health and in our longevity and I’m really excited to get to share that with my husband.

Jodi Daniels 29:26

Well thanks for sharing maybe one day we’ll pass you with our large wave dog.

Justin Daniels 29:32

I promise I won’t ask you about how strong or weak your password is.

Jana Schmidt 29:37

No I had to do on this morning for the I fit for the treadmill my husband Jeff shut me out of it so I had to get a new password. He’s like share your password with me. You’re not going to compromise the treadmill because you had to create crappy passwords like seriously, I really do love this man but he really does drive me crazy. But it makes me a better leader all the all the better for that

Jodi Daniels 30:00

Well, thank you so much for joining us today. If people would like to connect with you and learn more, where can they do that?

Jana Schmidt 30:07

Dennis? Great. Jana Schmidt, LinkedIn. I don’t even know what that is. Or they can send me an email at janamschmidt@gmail.com.

Jodi Daniels 30:16

Wonderful. Well, thank you so much for being with us.

Jana Schmidt 30:18

It was a pleasure talking to you both.

Jodi Daniels 30:20

Absolutely.

Outro 30:24

Thanks for listening to the She Said Privacy/He Said Security podcast. If you haven’t already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.
