
Intro 0:01

Welcome to the She Said Privacy/He Said Security podcast. Like any good marriage we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:20

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and a certified informational privacy professional and I help provide practical privacy advice to overwhelmed companies.

Justin Daniels 0:36

Hi, Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping companies design and implement cyber plans as well as help them manage and recover from data breaches.

Jodi Daniels 0:53

And this episode is brought to you by love my drum roll, Red Clover Advisors, we help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, e-commerce, media agencies, and professional and financial services. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, visit Today, I am super delighted to introduce to the show Ria Aiken. A career shifter, Ria leverages 20 years of strategic planning, profit and loss management, change management in the crisis management and resilience space to partner with information security teams, and business partners in developing and implementing technology and security strategies that enable business priorities while mitigating risks. And she joined the Federal Reserve Bank of Atlanta in June 2019. And Ria, we are delighted to have you here today.

Ria Aiken 2:07

Well, thank you so much. I mean, with that particular opening, I just feel like I’m on top of the world and real to be a part of this discussion as we provide tips and tricks for others that are interested in cybersecurity.

Jodi Daniels 2:22

So to get us started, help us learn a little bit. I mean, that’s a lot of different disciplines that you’ve experienced in your career, can you share a little bit of your journey of how you kind of navigated that and how you got to cybersecurity today at the reserve? Yes, absolutely.

Ria Aiken 2:38

So, um, you know, I really had an incredible career in a private in the private sector, with a firm where my technical experience was focused specifically on crisis, resilience and crisis response for communities and private organizations, not only within the US, but globally. And it was over that period of time, quite frankly, I’m coming into communities that were absolutely decimated, not only by natural disasters, but manmade disasters, infrastructure failures, and everything else. That led me to an incredible opportunity to support the mayor of Atlanta and the city of Atlanta from 2015 through 2018. Many people may remember in 2014, the city of Atlanta was really crippled by a shock, as we would call it, by an unusual weather event that really crippled our roadways, impacted the ability for people to be able to get home. And quite frankly, it was global news. It was out of that particular incident that there was a recommendation by business leaders across the city of Atlanta and metro Atlanta, the mayor and other entities that there’ll be one person that literally thought about what were all the potential shocks and stressors that we could be impacted promise city, and really start to build those resilient strategies so that we can mitigate the impact to our communities and the people who live and work here. And so over the span of those three years, we worked together to really think about what that could look like holistically. And quite frankly, we realized all of those particular shocks. And so one of them was natural disasters as it relates to water and so that we had snow storms continued. And then we had the implications of some hurricanes that really impacted our communities for about five, seven days and 20. There was so much going on, I’m gonna say 2017 we experienced a major infrastructure failure with the bridge collapse of I-85.
So what does that really look like and the impact to the communities, the business and everything related to that as we’re going to the recovery We had a number of wastewater treatment issues that implicated drinking water. And then the one other shock that we were really planning for, as much as we possibly could was really the impact of a cyber attack. And in 2018, march of 2018, that fear was realized as an as the city. And so it was through that time, quite honestly, and really co leading the response and recovery efforts to the 2018 ransomware attack that I started asking myself, what can I do differently, to help knowing that this was one of the increasing and emerging enterprise risks for organizations, cities and communities? What can I do on the front end, to help those businesses and communities to be more prepared for really what we what I envision is one of the greatest threats to stability moving forward. And so it was that particular incident of not only responding and recovering from the cyber attack, but actually working with the city to think about the long term investments that it needed to make to stabilize the infrastructure. And then on top of that, preparing for the 2019 Super Bowl that told me you know, what, I need to shift my career to support businesses and communities to better understand the decisions that they should make relative to cyber preparedness and resilience. So that hopefully, when something happens, if something happens, that they’re able to respond in an in a way that enables them to recover, and hopefully not decimate their business in their community in the long term. So, I mean, that was a long way of getting there. But it was just really the incredible experiences that I’ve had over those 20 years. And not only responding but working with businesses and communities to develop strategies to mitigate threats, that told me that maybe I should focus on one particular area. And cyber security was was that area, it’s a

Jodi Daniels 7:08

really neat story. And both of us are here for we’ve been in Atlanta a long time. And we’re smiling at listening to all of those stories, we were very thankful we weren’t too badly impacted by Snowmageddon compared to you know, the horror stories that you heard, I very much remember the bridge that impacted our whole day and plan. And it’s very interesting to see all these different events. So thank you so much for sharing and what a really fascinating journey and story that you have. Thank you. I know it was it’s nice to kind of reflect back I think, I think I blocked some of the data out of my mind.

Ria Aiken 7:48

Many people do. And honestly, God, I haven’t heard the term Snowmageddon in so long that it brought a smile to my face.

Jodi Daniels 7:56

There you go, you blocked it. That’s why

Justin Daniels 8:01

we’re taking all of that diverse experience that you’ve had with crisis management, particularly with cybersecurity and bringing it forward to today, particularly in light of Colonial Pipeline and other things that always seem to be happening in our neck of the woods. What are your thoughts around some of the big privacy and security risks that are facing companies today?

Ria Aiken 8:22

Yeah, really? Excellent question. Um, I mean, I think many of the things that are often in the news clearly are specific to targeted attacks, ransomware attacks and malware attacks. And I would offer that really, it’s not necessarily the risk of a cybersecurity attack. Specifically, it’s the risk of not making the investment to protect an infrastructure and data privacy, in anticipation of something actually occurring, what I’ve seen or experienced, and really, one of the reasons why I did change in this particular career field is the fact that many entities either one don’t understand the potential risk or have not really defined their risk appetite and their risk tolerance to mitigate a potential cyber attack or an implication to how they run their business. Or quite, quite frankly, pardon me, quite frankly, I don’t want to say the complacency but the apathy of not actually making the investment and asking themselves, what needs to be put in place to be able to mitigate any potential threat. So I will say in full disclosure, many of the responses that I have are going to be from a business priority perspective, because many of the risks that I think that are associated with the potential threats of cyber and data privacy are really designed and based on the decisions made from a business strategy, perspective to mitigate that risk.

Justin Daniels 9:59

Thank you for that. And given the next thing that we want to talk about where you’re talking about from a business priority standpoint, we talked about this a lot on the show is how do we balance companies who are trying to make a profit, because that’s why they’re in business versus the things that you’re talking about where you have to make an investment. As I’ve been quoted before, cybersecurity infrastructure isn’t sexy, it isn’t exciting, it’s just essential. And so with that in mind, you know, what is your crystal ball say about the future for privacy and security legislation?

Ria Aiken 10:33

Oh, my I’m so Well, a couple things. Number one, I think we’re going to continue to see, as we’re seeing in specific states, so obviously, California, and other states are leading the way as it relates to data privacy, you know, in the, in the, in what’s expected from not only legislation, but a governance perspective, from a business area, if you want to be able to conduct business in those states and with those entities. And then, of course, we’re seeing our European partners with GDPR, and what that looks like, and the implications to that for big business and as well. And so from a from a large business perspective, the reality is, if you’re going to do business, and you’re going to be doing any type of business, and as we’ve seen during the pandemic, pandemic, pardon me, there’s been a major shift to online business models, companies are not able to survive, quite frankly, in a traditional brick and mortar business model. And so for large businesses that are making that shift, or are in the middle of that transformation, shift that investment relative you legislation critical, so that they can continue to, to do business, where I find that there’s maybe a challenge, and it’s, it’s not necessarily a challenge in the context of what is necessary. I mean, I’ve seen the Department of Defense, most recently, with some of the things that are being released, I believe it’s the CMMI, you know, and the implications that I have in small business, it is absolutely necessary to be able to protect our infrastructure, in my opinion, that these, this legislation is pushed down, so that we can protect and help mitigate those potential fences it as it moves forwards. 
My concern, and the challenges I see is that you know, when you think about the fact that over 99%, or it might be 95, 95 to 99% of our economy infrastructure is really reliant on small businesses, their ability to be able to make the investments to put the minimum program in place that is required if they want to do work with the federal government, if they want to do work with the Department of Defense. And then of course, if you also think about what’s happening in the large business community, where businesses now as much as they are developing partnerships with third party suppliers, there’s a minimum requirement necessary for small businesses to be able to work with those large entities. I finish all that to say that I think there’s so many different implications that it can have, or legislation can have, I do think that it’s necessary, and especially as it relates to data privacy, the concern is whether or not you know, the backbone of our infrastructure, economy, economic infrastructure, which really is around small business will have the ability to be able to move as quickly as they need to, so that they can continue to compete, they can continue to generate revenue, while they’re mitigating risks to their cyber infrastructure.

Jodi Daniels 13:58

Well, thank you, you, you hit on a variety of items that I want to call some attention to. And for anyone who might be watching the video version of this, our dog Basil says hello. And for any of you listening, the heavy panting is Basil’s way of trying to join the conversation.

Justin Daniels 14:15

For his concern over third party property, as he’s in terms of cyber, he

Jodi Daniels 14:18

is very, very concerned about these items and wants to make sure that we don’t forget about them. So every new edge is going to be shifting gears. And one of those is really on the third party you had mentioned, you know, big businesses and how they’re managing a third party and how the smaller companies need to also consider that especially as they want to work with larger companies. I see this all the time, smaller companies will say I’m too small, I don’t need to deal with this, then they want to work with the larger company and you can’t work with a larger company until you can go through their vendor process because the large company doesn’t say, oh, you’re too small, it’s fine. You know, you can do anything you want with that. That’s okay. No problem. In your role today you manage third party risk, and I’d love to hear a little bit about, you know, what are the big third party risks just from like a process perspective that you’re seeing and how you’re, you know, maybe seeing that in other companies that you’re working with big or small just kind of overall, what are the themes that you’re seeing in managing the vendor process?

Ria Aiken 15:21

Really great question. I think there’s a couple of different things. Number one, I’ll talk from a business perspective, I think that a lot of corporations that clearly because of how they’re designed, or maybe because of the partnerships that they develop, and quite frankly, because, you know, they’re they’re trying to leverage and use innovative technology, many times they’re working to partner with those small businesses. And with a shift and I actually experienced this in previous roles. Recognizing from the very beginning, one of the things I would offer as a potential threat to really having a robust third party vendor management program is really designed around the procurement process, and making sure that that procurement process, and those terms and conditions are clearly defined to understand number one, the what’s expected relative to a business that would be wanting to conduct or propose on a particular procurement with a large business. And then even more importantly, so it’s clearly defined so that those that are bidding understand what’s expected so that they can minimal minimally apply for those particular contracts for a large business. So that’s a theme that I’m seeing I’m seeing and working with other colleagues in and outside the industry, that they are completely revamping their procurement process to make sure that those things are are clearly understood from a third party cyber risk perspective. The other thing that I’m really recognizing and seeing a lot more is this concept and, and understanding about the need or the possible review of cyber insurance. And whether or not businesses are requiring those entities that are bidding for potential projects or potential contracts to have cyber insurance, when you think about the cost implications that that could have on any company, but specifically to small businesses, anywhere from five to 15k. 
You know, that’s something that I’m seeing a trend where businesses are requiring that of anyone that they are allowing to propose. And then of course, the implications for those small businesses that don’t have the ability to be able to, to actually submit them. The other thing that I am seeing and a couple of different aspects is the notion of ensuring that, you know, the the procurement and the continuous monitoring and the actual risk management of working with third party suppliers starts from the moment that someone bids from a proposal to the moment that they are being introduced to your infrastructure, including those continuous monitoring and evaluating what the potential risks are whether or not a cyber cyber security tester has been impacted by something that’s going on. And then the organization’s following up with those businesses to either question or verify that nothing has changed with those with their potential cybersecurity posture. There was a time when I worked in the environmental engineering space, the space that I spoke to, that we would always conduct audits of the vendors that we were partnered with, that was really around their health and safety programs. So it was really around their quality programs, it was really around their cash flow to make sure that they could continue to do business with us. Now what I’m seeing a big shift in is making sure when companies are partnered with businesses, that the primary business is actually now requiring to do third party audits, independent audits of the cybersecurity programs of the companies that they’re partnering with to ensure that whatever they have said that they have as part of their security program is actually in place. And so the last thing that I’m also seeing, so number one is really around the procurement programs and process. It also includes the legal aspects and cyber insurance. The third is around continuous monitoring and validation and third party audits.
And then the fourth is really what I’m often seeing is the ability for a cyber or small business in particular, to be able to perform and and implement the information structure that they need to be able to conduct business with larger businesses,

Jodi Daniels 20:04

I really liked how you captured those four different phases really, really important for companies to understand. It’s, it’s not one little thing, it’s a methodical process. And really starting from ripping up what you’ve been doing, you can’t just add a contract on or add three questions and think you were good, you really have to look at the entire experience. And as a small business myself, I’ve experienced all of that I’ve, I’ve been a part of the big company, vendor process, the cyber insurance, and I know, Justin, you have lots of thoughts and views on cyber insurance. And it’s, um, I’ve seen how companies have reviewed their entire process to make sure that I as a small business and other companies that they’re working with really fit for the type of work and service and personal data that they’re doing. So thank you for really summarizing it so well.

Ria Aiken 20:52

yeah, they find me, I would like to add just one more thing. And it is a you know, I keep going back to the small business and in the partnership with larger businesses or community or, or any type of organization. Um, and it’s, in particular to the available resources. So I spoke of all of this, and for many that have heard me speak to this before, it becomes very overwhelming, you know, especially for small businesses. What I did want to share, though, is that there are a lot of really great resources that small businesses can leverage for free, as they understand and assess their current posture from a security perspective. And that may enable them to really prioritize what they need to do to put in place so that they have the type of program that will position best position, then, you know, to partner and propose with other entities. So, Small Business Association has a number of free resources for small businesses, including a self assessment that you don’t have to be technical, to be able to leverage, but it allows you to assess your risk posture, so that you understand what your risk tolerances and your risk appetite is. And that could be the seed for developing a security program for your group. The Department of Homeland Security has business partnerships with the small business entity and Sam’s and other organizations so that small businesses, more than anything should know that they’re not out there alone, and that there are some resources out there to help them get started. I mean, at the end of the day, when I think about small businesses, and Jodi spoke of your transition, as well, to a small business and working with larger companies, it’s not just the investment and financial, it’s time, it’s the fact that you’re duplicating hats, and you’re running a business and you’re, you know, trying to bring in cash flow, and you’re developing your marketing plan and everything else.
And so when small businesses think about cybersecurity, and what did you say, I forgot what you mentioned earlier about, you know, whether or not you have the money and whether or not you should make it a nice to have and I think you’ve finished with, it’s essential. And so the first step is ensuring that as part of that essential intent, to be able to ensure that the business is viable is to I would offer take advantage of some of those free programs so that a business understands what their risk posture is,

Jodi Daniels 23:30

yeah, well, that will definitely include those references into the show notes. And something I’ll just add was it as a small business as you’re going through, and let’s say you go and purchase cyber insurance, it’s important to really make sure that you’re, you’re informed and getting the right product for you. Or even if you go and purchase some type of technology that will, you know, quote, unquote, protect you that you don’t just get something that is marketed really well. And you have either thoroughly researched it, or you’ve brought on an advisor to help you navigate that process. We’ve experienced on the flip side, kind of seeing small businesses, and, you know, have helped educate them along the path and making sure that they’re getting the right, the right products, the right services, the right knowledge. Excellent reinforcement.

Justin Daniels 24:18

So one of the things that I’m hearing in this conversation as well, of course, God, my data is on the cloud. So that’s not my problem. And it’s safe and secure. Right?

Jodi Daniels 24:28

I hear that all the time. But I don’t have to worry because my data is all on the cloud.

Ria Aiken 24:35

And not true. And I think bail. Oh, he’s he’s knocked out back there. I was hoping he might bark too.

Jodi Daniels 24:43

Yeah, he got my war now by the third party risk conversation is very chatty.

Ria Aiken 24:49

Absolutely not. I will Yes, migrating your data to the cloud. And especially for those who are either transitioning from on prem to the cloud, certainly, if you know they’re in the private cloud, and they have a private entity, of course, they’re, you know, the feeling is that everything could be and would be safe. But the reality is that does not negate from the need to ensure that businesses understand what the risk posture and security around that data in the cloud looks like. And then more importantly, that they revise their resilience strategies in the in the instance that that data is unfortunately extracted and used for other means

Justin Daniels 25:37

to Ria just kind of reinforce this. And again, I picked small businesses about cyber investments, because so many small businesses want to use the efficiency of the cloud to bring that cost down. And so could you talk a little bit, in your opinion, what types of investments so if I’m going to move my data to the cloud, because I have more customers, and I want to put their data there? What cyber investments would I want to make? Because it’s not fully protected? Um, help me out a little bit more, you don’t mind? Sure. So one of the things I always talk about with clients when they want to put their data on the cloud is I talked about, well talk to me a little bit about using multi factor authentication and your passwords, because obviously, you have to connect to the cloud. So if someone steals your password from one of your remote workers, they can get onto your cloud and take your data.

Ria Aiken 26:30

Absolutely. Thank you. Um, I was trying to think of where we were going there. So I’m making those well, and depending on who you ask, I mean, those could be minimum investments. I mean, one of the things I often hear when we make the recommendation for multi factor authentication, or ensuring that, you know, you have a program in place, that your employees are only entering your infrastructure through a secure network, or through VPN, or something of that nature, many people are like, well, that’s just inconvenient, or that just takes extra time.

Jodi Daniels 27:06

An inconvenient truth is what Justin always likes to have to say.

Justin Daniels 27:11

The other thought is, and I’ve seen this happen is you purchase a cybersecurity policy, but in the definition of computer network, it excludes personal devices. So if you log in remotely with your own device, because it was much cheaper for a small business to allow you to do that, and that’s the origin of the breach. Guess what the insurance company is going to read that policy is technically isn’t as possible to what not pay?

Ria Aiken 27:37

Yep, exactly. Yeah. And, and so something, you know, that I think we’re seeing more and more of, to your point, especially these last 18 months, this is the round this essence of bring your own device to work. And then of course, many entities don’t have the ability, or don’t have the cash flow to be able to invest in computers for their employees. And so they’re they welcome that. And here’s what I can say to that is the minimum investment that’s made in ensuring that you have the tools and support and re structure in place to mitigate any potential threat to your data, I think is in many aspects is going to serve the long term goal of having a thriving and growing company in the wake of this ever changing landscape. One of the things that we, as an organization, we are not allowed to use our personal devices, or any work that we do, everything that we do is required to be on an approved device. We are only allowed as most organizations to log in through specific networks, we have a very robust DLP program to make sure that we do or that we understand what it is that we’re sending, and where we’re sending. And I’m seeing big trends and investments in this regard across multiple industries, small and large, in a way to protect their data as migrating to the cloud.

Jodi Daniels 29:16

Well, again, really helpful tips I think for small business kind of captures the growing trends of where we are through the pandemic and you know, the movement to remote working and I’d love to ask you for someone listening. Maybe they’re interested in the cybersecurity field and how you transitioned recently, in what advice, you know, maybe one or two tips that you might offer to someone who’s interested in shifting careers into cybersecurity.

Ria Aiken 29:42

Yeah, thanks. Um, well, a couple things. One is I would offer right off the bat. Absolutely. Having a technical background could serve anyone well, in transitioning into cyber security. I have had the pleasure and honor of working with some of the most brilliant technologists and engineers in the industry, both within where I’m working now and in other entities as well. And you might be surprised to hear that, for many of those, many of my colleagues that are serving in this capacity, whether it’s a policy risk and compliance, or in the threat vulnerability space, many of them started in different careers. And they transitioned into cybersecurity because they be passionate and need a curiosity to understand how they could leverage their skills. And so a couple things for those who are interested in going their traditional route of an undergraduate program is, obviously to look at those across the country to see what might work for you. But there are other aspects, maybe going through other organizations to get some of the minimum on foundational certifications, because certainly served one well, one of the things that enabled me to really transition quite frankly, was just to really understand and define my strengths. And although after someone who had been in the industry, so to speak for 20 plus years, the reality was, I was probably not going to go back to school. But I knew I had to learn different aspects of cybersecurity. So what I did is I took what I brought to the table in other areas, strategic planning, I do know Enterprise Risk, I have a financial background, so I’m able to interpret those things. And then I started with networking throughout the industry.
On LinkedIn, I’m even having the opportunity to participate in a panel like this, really getting to know different industry experts understand what they’re looking for, from an organizational perspective, or that top talent, and then experimenting and trying different ways where you could leverage your previous skill set. For example, you might have a journalism degree, or you might have a degree in organizational development, or you might have a passion in mentoring and training. Well, how could that be translated into the security awareness and education forum, which is so vitally needed to be able to train and educate employees as they’re walking or logging in every single day? Do you have a background in math and you have a background in technology that maybe you would like to shift into cyber security? Do you like research? Is that something that you are passionate about? Or are you very curious about understanding why things happen, and what that looks like? There’s a room for you in cybersecurity. And I think more than anything, there’s so many avenues that people can transition their skills. I would offer, of course, as someone who was raised in an environment where you must go to college, and you must go to grad school, and you must do these things. Well, that’s changed. Now, you or anyone could transition at this point. And those are a big part of the time, I spent a lot of time with high school students talking about how they could possibly go to a technical college and learn some of those basic fundamentals before they get into the industry. I think the sky’s the limit. And there’s a lot of people out there and a lot of organizations out there to help people.

Justin Daniels 33:30

Well, thank you for that. And we wanted to end with one last question is when you’re not evangelizing about cybersecurity and privacy, what do you like to do for fun?

Ria Aiken 33:39

Thanks. Well, I’m on the heels of setting up for this particular interaction and podcast with you all, I just come back from a 10 day trip to West Texas. I love exploring state and national parks. There was a time when I had little ones at home that we would do a lot of camping. And this last 18 months, my husband and I have been camping more than we’ve had in the most recent years. And I’m not talking about glamping because I’ve I’ve enjoyed that too. But I’m talking about busting out the good old tent and our stove and packing it up with bear spray and tick spray and everything else and just getting out there and enjoying what life has to offer. That’s that’s what I love to love it.

Jodi Daniels 34:33

We really enjoy the outdoors. I’m not quite for camping, but I’ll do the hike. But how can listeners find you and connect to stay in touch if they have any questions or want to continue to learn from you? Yes, thank you so

Ria Aiken 34:46

much. So I am on LinkedIn and my name is spelled Ria Aiken. I do not spend a lot of time on other social media platforms. That is probably the best way to get in touch with me. And then the other way is to be honest with you just send me an email. My email address is and then at the Fed: Sometimes it may take a little longer for me to respond. If you want an immediate response, I encourage you to go to LinkedIn. But either way, I will certainly respond. Wonderful. Well,

Jodi Daniels 35:31

Thank you so much for sharing your journey to cybersecurity recommendations for how other people can find your career in the industry. And of course, some really helpful tips for both small and big companies.

Outro 35:43

Thank you so much for having me. Thanks for listening to the She Said Privacy/He Said Security podcast. If you haven’t already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.
