
Intro 0:01

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:22

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a certified privacy professional, and provide practical privacy advice to overwhelmed companies.

Justin Daniels 0:35

Hello, Justin Daniels here. I am a shareholder at the law firm Baker Donelson. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

Jodi Daniels 0:55

And this episode is brought to you by Red Clover Advisors, we help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We help companies in a variety of fields, including technology, e-commerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, and to check out our new best selling book Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. Okay, ready to get started?

Justin Daniels 1:37

I’m ready to get started. So today, we are excited to have Krista Hollingsworth, who’s the Chief Revenue Officer for Consilien, a Managed IT and services security solutions provider dedicated to helping organizations protect their data and defend their business from cyber threats. Krista is also the Director for Consilien’s security awareness training program and holds a certificate of cybersecurity fundamentals from ISACA and has a cybersecurity certification from Continuum/ConnectWise. Krista, welcome.

Krista Hollingsworth 2:12

Hi, there. Thanks for having me. I’m really excited to be here.

Jodi Daniels 2:16

Absolutely. Well, we’re excited to dive in. And we always like to start understanding how people found their way to what they’re doing today. So can you share a little bit more about your career journey?

Krista Hollingsworth 2:27

Yeah, sure. So I do not have a technology background, I was a marketing consultant. And I met one of the owners for Consilien, and they needed to improve their marketing and their sales strategy. And they’re busy working in the business instead of working on the business. So that’s how I initially engaged with them. And I really enjoyed, you know, what they were doing and learning about technology. And so I started just as a consultant, and over time, you know, I’m a stakeholder now in the organization, and I’ve been here for about seven years. So that’s how it all morphed. Yeah.

Jodi Daniels 3:15

Congratulations, people find their ways, and all different, all different journeys. So it’s always helpful to provide some context and inspiration to others as well.

Krista Hollingsworth 3:24

Yeah, and, you know, they, they weren’t looking for someone with necessarily an engineering background to help them because our, our point of contact in an organization is with the C-suite executives, and so, you know, we approach security and IT and all of, you know, compliance and everything as, as a business strategy, risk mitigation. So

Jodi Daniels 3:50

Yes, well, it should. I agree with that.

Justin Daniels 3:52

Right. But I think an interesting point Krista makes is, it’s very different when you sell to a CISO versus someone who’s a non-technical business executive, the sales process, in fact, I’m going to pull a bit of an audible Krista, can you talk a little bit on that, about how the sales process works when you’re working with C-suite executives, where there may be an education gap versus CISOs, who tend to be very technical security professionals?

Krista Hollingsworth 4:21

Yeah. So our main — our business is we work with small enterprise and middle market organizations. So as they have a CISO we’re probably not a good fit for them because we don’t sell just services. So we work with those smaller companies. And as far as the sales process for them goes, it’s like anything else, you know, it’s what is your pain point. Often they call us because they have a requirement from their insurance. They have a privacy requirement, which is another reason why they reach out to us. And, lately, we’ve been getting more and more organizations, I’ve had three in a row that reached out, just because their current provider can’t help them scale the business. So if they’re growing, then we’ll come in and do an assessment, look at what their business objectives are, and then make recommendations from there. So we’re having quite a bit of that lately.

Jodi Daniels 5:29

So with that being said, can you share a little bit more you mentioned? What would be a good fit? And what would it be and the types of services and it sounds like you offer a little bit more? Can you share? What is Consilien? And what are the types of services that you offer and how you’re helping companies?

Krista Hollingsworth 5:45

Sure. So we are a Managed IT provider. In fact, let me just take a step back. So Consilien, we started in about 2001-2002, right after 9/11. So one of our founders, Eric, was working for a Fortune 100 organization. And he was the head of project management and for business continuity planning for this company. And so they had their home office on the east coast near ground, ground zero, and he was here on the West Coast. And so when 9/11 happened, everything went dark, obviously, and the business failed over to California. And so they were able to continue operations. And so when they started Consilien, it was with this idea that a smaller organization wouldn’t be able to withstand a catastrophic event. They just didn’t have the governance and the planning. So when we started, we started as a consultancy, and that’s really the heart of Consilien. So when we come in, and we engage with the CFO or with the CEO, we come in wearing that, that hat as the consultant, then we added on managed services, because once we consulted with them on how to build their infrastructure, they said, Well, why don’t you just manage it for us? So we started managing. And then right around the time that I came on, we started our security practice in earnest. So that’s when we started getting our certifications, we brought on our chief information security officer who oversees our program, and helps work with our clients as well. And then most recently, we’ve added managed compliance to our service stack. So we do have organizations that work with the Department of Defense, and they need to be CMMC certified. So the Cybersecurity Maturity Model Certification. And so organizations like that, they need a practice to help them with providing evidence and getting ready and all of that.

So when I started with Consilien, one of the things I did to educate myself was to go to other, you know, to go to conferences, you know, I attend groups, you know, because I wanted to learn the language and really understand this ecosystem that is managed services providers. And I really felt that Consilien stood out in a way that other MSPs don’t, because we don’t just go in and do the tactical, we come in, and we want to help to provide the strategy so that organizations will be successful in the long term. And that makes it fun for me to sell and to talk about. So those are areas of practice.

Jodi Daniels 8:36

It’s really nice to see the evolution as a small consultancy as well. I’m a lot younger than Consilien at the moment, but it’s always nice to learn and see how other organizations are evolving and, and scaling, we do very much the same on the consulting and the implementation of privacy practices.

Justin Daniels 8:55

So talking a little bit more about what you alluded to is how has cyber services sales cycle evolved, with companies kind of changing their perspective about cyber in response to what’s gone on in the cyber insurance market, which is, in turn, been impacted by the rise of ransomware?

Krista Hollingsworth 9:18

Yeah, so it’s interesting, because I did a couple of talks recently. And you know, I would ask a question, you know, how many of you know someone either in your business or personally that’s had ransomware. And nearly everyone raises their hands if they know someone personally. And when we started doing the security awareness training five years ago, you wouldn’t have business leaders, business owners, they didn’t raise their hand — they were not going to happen to me, I have insurance — insurance is going to be a lot less expensive than hiring you, you know, those kinds of things. So now that there’s been so much ransomware and other cyber either then send it in the consciousness of everyone, it’s made it easier for us to sell, to be honest with you. And then also, some of the new regulations also make it a lot easier for us to bring our solutions and services to organizations, because now it’s in the forefront of their mind. And as you know, the cyber liability market has hardened quite a bit. So it’s a lot harder to get insured. And so an interesting fact, I don’t know, you probably already know this, since you guys have written a book on cyber and privacy. But manufacturers actually, their incidences of ransomware have decreased. And one of the reasons is because of the insurance, and the insurance providers now are asking for, you know, you need to have multi-factor authentication, you know, what are you doing with your data. So there’s this long form, and in order to get the insurance, they have to improve their cyber posture, and it’s made a positive impact in regards to ransomware. But it’s been less positive in that now there’s other areas in which they’re vulnerable. But it’s, you know, it’s always a balancing act.

Jodi Daniels 11:16

It’s the second time I’ve heard in probably a week, that comments how companies think that the insurance is less expensive than bringing someone in to help. It’s interesting to see companies have that lens and point of view.

Justin Daniels 11:31

Because that’s the easier solution. But Krista just pointed out why I wanted to ask her the question is, I think, the insurance requirements. So in my experience, what I’m seeing is the average increase in cyber premium is about 79%. Like, significant, yes, but now you have to go through a very rigorous underwriting process to get less coverage. And so I think the insurance market is creating opportunities that have nothing to do with regulation, to get companies to think differently about cyber and bring in Krista and her company and your company to help them with that. I look at it as a market driving, not regulatory force that has the benefit of making companies do more about security.

Krista Hollingsworth 12:22

Absolutely. And so from that perspective, it has been, you know, beneficial, but also beneficial for the organizations because, you know, the fact was, is that they were still getting hacked, you know, they thought, well, we have the insurance, this isn’t really a threat, you know, it’s not going to happen to us. It’s happening to Target, it’s happening to Equifax. It’s happening, these big organizations, who’s looking at a small- or medium-sized business for this. And it’s like, well, a lot of cyber criminals because you don’t have those protections. You’re easy pickins.

Jodi Daniels 13:00

You know? So, Justin, and I are having a lot of conversations with companies on AI. And it’s hard to read anything these days without having AI in the headlines. What are you hearing from customers about how they might deploy AI? And obviously, Justin and I are very focused, as argue on the privacy and security side.

Krista Hollingsworth 13:23

So we talked about AI actually, internally yesterday, just because I have been getting more questions from my colleagues, mostly, you know, what about AI? And how is it going to impact us? And, you know, our answer is, it’s still evolving, we are looking at the phishing is probably going to get, phishing and vishing, the voice phishing, you know, is probably going to be a lot more intense, and it’s going to be better. So one of the things I like to tell our customers and friends is that the cyber criminals are the best marketers on the planet, because they know how to get you to open up their emails and click on things, you know, so they are operating at scale. And we imagine that the AI is going to help improve that. And just and you guys probably already know that, you know, 82% of attacks involve human elements. I mean, people are easier to hack than systems. So I think that’s going to be the most immediate impact, is with the phishing and the vishing, and then we’re kind of keeping our eye on how it will evolve over time, and how we’ll respond to it.

Justin Daniels 14:45

Is one other thing, Krista, that I’ve been talking to my colleagues and other professionals is about is you have AI but now you have deepfake and it’s becoming really good at parroting someone’s voice, and so, to me, the most common thing you see is phishing combined with getting people to wire money, fraudulently. Yes. So the common way that you try to combat that is you have multifactor, where the second one is you get someone’s phone number and you physically pick up the phone and call them. Now this new deepfake enters a whole new thing into the equation. And I don’t know what the answer is yet, but at some point, it’s going to be widespread, faking people’s voices. Yeah. And, you know, inducing them to wire money fraudulently. So from a security perspective, what we’re doing well with some of the insurance stuff with phishing, now, here comes this next innovation that has a new handmaiden cyber threat and whole new list of issues that we’re going to have to grapple with.

Krista Hollingsworth 15:43

Yeah, that vishing right, the voice phishing. So one of the things we’ve talked about is maybe you have a passphrase, or something that only the person, we all know how good everybody is with unique passwords and remembering their passphrases. But that might be a way of, you know, of helping, that issue that there’s only something that Jodi knows that Jodi and I know, you know, to verify whether or not you know, it’s an actual, it’s actually you and not someone on the other line.

Jodi Daniels 16:15

Yeah, there’s something. I mean, I don’t like email phishing. And there’s something though more creepy about a voice, email, you’ve just stolen my email. You’ve you figured it out? You guessed it, you sent it to me. But there’s something about my voice I creepy factor. And every time I hear someone talk about it makes me very, very uneasy. Like that. Oh, I know it’s here. And I know it’s real. And I think there’s definitely going to be some type, either — it’s a passphrase. Or maybe it’s if I think about business compromise, and maybe the financial systems start to step on with some type of two factor authentication on that side before I’m willing to send the wire the other side has to verify. I don’t know, it’ll be an interesting to, I’m surprised that there isn’t actually that right now, some type of email back or verification back to the person who’s going to receive the wire from the financial systems to help prevent the fraud. Maybe that’s coming?

Justin Daniels 17:13

Depends like with the closing attorneys who have to wire money. There’s some of that. But I mean, over the weekend, I was reading an article about AI that they used to mimic a famous band with a whole new song that the AI created that the band was singing, and it was all fake.

Jodi Daniels 17:31

Yeah, it’s not the same as creating the same feed for you and I, right, yeah.

Justin Daniels 17:39

So kind of Krista, changing a little bit of gears here is Iowa was the seventh state to pass a privacy.

Jodi Daniels 17:49

Six, six, Indiana was seven. Why you were the security?

Justin Daniels 17:55

Privacy, but you know what, the security hat audit has a big part of it. That’s privacy because I in anyway, yes.

Jodi Daniels 18:01

Well, you have to go to alphabet —

Justin Daniels 18:02

I have to go to alphabet school and counting school, amongst others. So Krista, the question for you is, with this proliferation of more state privacy laws? How is that helping to drive the need for cyber services? Because you I think you alluded to the protection of data.

Krista Hollingsworth 18:21

Yeah, so we have made a decision internally that we will do just the cybersecurity. In other words, we’re gonna help to, you know, create a framework, help you decide which framework you’re going to use, help you to implement that framework. Because we’re bounded cybersecurity, we’re going to manage it, we’re going to help with any remediation, those kinds of things. What we’re not going to do is get into data mapping and actually doing the data privacy, we made a decision that it’s actually separate from the cybersecurity, that you actually need someone like Jodi, who is a data privacy specialist, to help to drive that part of the business, and then we’ll help them support with the cybersecurity. So we do get calls, like I said, with, well, there’s CMMC, which really isn’t a privacy issue, but the CPRA we are working with customers, and then we have partners, data privacy partners that we bring in for dealing with those issues.

Jodi Daniels 19:30

Are you finding because some of the state privacy laws have security components? Are you finding that companies not only are needing to improve their privacy posture, but as a result, maybe now they’re paying a little bit more attention to the security side of their business because of these new privacy law requirements?

Krista Hollingsworth 19:51

100%. Absolutely. You have — they go together. So there’s, you know, you can’t have data privacy without security, they do go hand in hand. But because the data privacy, there’s so much to it, as you know, we just prefer to work with partners on the data privacy, but we certainly are seeing more of that they do have to be aware of the security because you have to be able to secure the data. And you know, you know, as you know, they have to know where it is, and how much data should they be keeping, you know, on all of those kinds of things.

Justin Daniels 20:28

No, absolutely. So as we like to ask, all the folks who come on our show, is, if you’re out at a cocktail party one night, hopefully on the beach in California, what is your best cyber tip you might have.

Krista Hollingsworth 20:47

So my best cyber tip is actually about the passwords, people really seem to like this, that you create your own formula for your passwords, so that they’re easy to remember. So like we use singing in the rain, so maybe a favorite line from a movie or a favorite book, you know, maybe something from childhood. So you know, that will help you remember the password. And so singing in the rain, you might want to change all the I’s to ones, capitalize the first letter and then you know, add a dollar sign or something to it. So that really helps people feel better about those passwords. So that’s my best tip.

Jodi Daniels 21:34

And when you are not building a company and trying to help organizations keep their data safe, what do you like to do for fun?

Krista Hollingsworth 21:42

Lately, I started roller skating again. So I went roller skating. I know. Everybody should try it. The ’70s are coming back. So you know. So I have the, so we started roller skating, started with my nephews, I took them to a roller skating rink, and I put on the skates and I could remember how to do it. And it was so much fun. So I’ve been going down to the beach here and they’re not doing it enough. But that’s really fun. And then I have a writers group that I belong to. So real people, no AI. And we write poetry and you know, do that, that kind of thing.

Jodi Daniels 22:20

So that’s exciting. And the roller skating I tried that four or five years ago, was pre-pandemic, I kind of can’t keep it all straight. I was at a party of the birthday party for my daughter. I thought, Oh, I’ll do this with you. And then it broke my wrist and my wrist has never been as strong again since and I think I’ve hung up my roller skates. I’m good. I’m gonna support people like you on the sidelines.

Krista Hollingsworth 22:45

Well, when you come out to California, I’ll take you to a rink and we’ll do it together. It’d be fun. No falling.

Jodi Daniels 22:53

I know. I don’t even know I just sprained it until a while later. It was terrible. Well, guys, that has been so much fun. If people would like to learn more about you and Consilien, where should we send them?

Krista Hollingsworth 23:04

They should just go to our website at www.consilien.com.

Jodi Daniels 23:13

Awesome. Justin, any parting thoughts? Nope. This has been great. Krista, thank you so much for sharing. We know that everyone will value all the tidbits, especially the password phrase, it’s a really great reminder for personal and professional. Thank you again.

Krista Hollingsworth 23:29

Thank you. Thanks for having me. I really appreciate it.

Outro 23:37

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.
