
Intro 0:01

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:22

Hi, Jodi Daniels, here, I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.

Justin Daniels 0:36

Hi, I am Justin Daniels, I am a shareholder and corporate M&A and tech transaction lawyer at the law firm, Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cybersecurity risk, and when needed, I lead the cyber legal data breach response brigade.

Jodi Daniels 0:57

And this episode is brought to you by — no one can hear that like it’s funny. Can I have my ding please? Ah, Red Clover Advisors, so we’re gonna do this again. This episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business together. We’re creating a future where there’s greater trust between companies and consumers. To learn more and to check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. And yes, in case you were wondering, we actually do our intros live and sometimes make them interesting.

Justin Daniels 1:50

I see you’re still very chatty today.

Jodi Daniels 1:54

I am chatty today. It’s sunny outside. It’s not 25 degrees.

Justin Daniels 2:00

How do we know this isn’t an AI version of your voice, because I’m sitting next to you, allegedly.

Jodi Daniels 2:05

Ah, interesting. Okay, are you? Are you gonna get our party started?

Justin Daniels 2:13

I’m gonna let you introduce our guest. It’s your job. Well, I’m gonna delegate that to my COVID. Delegating.

Jodi Daniels 2:19

Okay, fine. Shay Colson is a partner and co-founder at Intentional Cybersecurity, a risk assessment and strategic advisory firm. He has previously worked for a global consulting firm after spending his early career as a security engineer for the US government. And he is based in the Pacific Northwest. Shay, welcome to our show.

Shay Colson 2:43

Thank you. I’m really glad to be here.

Jodi Daniels 2:44

We’re glad you’re here, too.

Justin Daniels 2:46

David Stratton, rush, Chairman, damn glad to meet you.

Jodi Daniels 2:51

Okay, back to our podcast.

Justin Daniels 2:53

I bet you, Shay knows what reference, what movie am I referencing, Shay?

Shay Colson 2:56

So you’re going to call me out, because that’s not a movie that I’ve seen. I can’t place that reference. I’m not a big movie guy.

Jodi Daniels 3:01

You don’t want Shay and I together on the same trivia team, because I am horrible at pop culture trivia, so everyone listening, don’t put me on your trivia team. I won’t be good. All right. For those I’m glad to know I’m not the only one.

Justin Daniels 3:17

Those of you scoring at home, that’s a reference to Animal House. So Shay, with now that trivia is done, why don’t you share with us a little bit about how your career evolved to your current role? Please.

Shay Colson 3:30

Yeah, great. So I was thinking about this because these origin stories are really interesting, and when I reflect on mine, I feel like I’m the tail end of a particular generation, which is the folks who remember the first time they got online, right? Our kids don’t remember that; they’ve been online since they were born, right? And so for me, it really started early. And actually even in elementary school, before cybersecurity was a field, I would read, there was a quarterly hacker magazine that was in print. You would have to go to the independent bookstore to get it. It’s still around; 2600 is the name of the magazine. I would read that on the school bus and I didn’t have a place to put that energy, right. Cybersecurity wasn’t a field. It was still generally just left in the back room. And so for me, it was really exposure early to these pieces by living in a university town, right? I would go to the computer labs at the university. I would be able to get these resources. But I don’t like programming, right? I don’t like writing code. I don’t like me and the computer. I like the intersection of computers and people. So my undergraduate degree is a humanities degree, right? Really kind of a classic liberal arts degree, and then I went to graduate school on a joint program between the National Science Foundation and the National Security Agency focused on cybersecurity. And that was where I really got to bring this together and figure out, how do technology implementations, particularly the security piece, make impacts, whether that’s at the government level, whether that’s in the corporate world, whether that’s for a product or a non-profit. And so that was really the start of it for me, is sitting down and figuring out that I’m unique in that I like the computer side and the human side equally. Often we see the business side and the tech side split. I sit right in the middle.

Jodi Daniels 5:20

No comments. I do the intro. You get the first comment.

Shay Colson 5:27

I took the LSAT once, Justin, when I was thinking about law school. I’m very sorry. Well, so the thing that was appealing about law school or the legal profession in general, to me, is you have a baseline of case law and precedent, and then the challenge is to apply it to the circumstances in a particular set of facts. I like that. I don’t like the adversarial part of that world, right, where there’s two sides, there’s winners and losers. Cyber is actually all of that precedent and foundations, whether it’s ports and protocols or configurations and controls, but applied to a context, and then it’s collaborative, right? We’re trying to achieve some sort of an outcome, whether it’s defense, whether it’s growth, whether it’s security resilience, right? But we’re making trade-offs in solving those puzzles. That’s the part that’s really interesting to me, because no two puzzles are the same, but every puzzle you’ve solved before can help you with the one you’ve got.

Justin Daniels 6:24

I think that’s interesting for two reasons. One, my co-host over here is married to a lawyer. Deals with lawyers all the time, and it’s very logical. But Shay, I guess my question is, when you looked at, I guess the LSAT is, I find myself all the time working on projects. You know, in a report on a breach, what do we include? What do we not include when we are trying to solve a breach? You know, a lot of times the report is inconclusive as to whether or not one happened, or something you and I will talk about on the M&A side: how does the report on the cyber hygiene of the company, to what level do I need to be concerned about that? Does it warrant a purchase price adjustment, a holdback, or something else? So I guess there’s interesting ways to do it, but from your perspective, I want to talk a little bit about the latest and greatest development under NIST, which is, how have the cyber risk assessments that your company does so well changed with the new NIST CSF 2.0?

Shay Colson 7:33

Yeah. So for those who aren’t tracking it as closely, perhaps, the NIST Cybersecurity Framework for a long time has lived at version 1.1, right? Years and years and years, which is fine for government documents. It did get an update in early 2024 and moved to version 2.0. The primary update is moving from five functions, identify, protect, detect, respond, recover, to six functions. They added governance as the first function. And really what they did was these controls or categories and subcategories were already in the framework, but they pulled them out from each of the five functions into their own. And so to see governance both leading the assessment, leading the framework, leading the anchoring for how to use this mental model, but then also to be pulled out and condensed into its own function that is peer with these others around identify, protect, detect, respond, recover, right? Things that the industry has really built both tools and governance capabilities around, I think is a big shift, because it takes cyber out of an IT function or a technical function, and it makes it a business function on par with all the others, right? Now, I’m not going to say that cyber is as important as what your CFO does or that, now, you know, this is kind of the double-entry bookkeeping moment for cybersecurity, but I do think figuring out how you govern this function, right? Who owns it, who’s responsible for it, who makes decisions around it, who the stakeholders are, the frequency — those are questions that most organizations don’t wrestle with until it’s too late, right? Most growth-stage companies are building what they need as they need it, and they don’t realize what they’re missing, because that’s not what they’re focused on.
The governance shift really puts an emphasis on the ownership and the responsibility and the onus for this function across the entire company, that then rolls into the technical pieces, but also gives us, on the security side, a lever or a cudgel or an olive branch, depending on how you want to use it, to the rest of the organization to build a bridge.

Justin Daniels 9:39

So Shay, one thing I wanted to get your thoughts on is, most of the time I deal with NIST CSF, but ISO is out there, and I wonder, you know, do you find them to be different? Do you have a reason why you might favor one over the other? I happen to like NIST because when you tell people, well, we’re using a framework that a non-partisan part of the Department of Commerce with the government recommends, it’s kind of hard for third parties or other people to say, hey, this isn’t legit. But I’d love to get your thoughts. What do you think?

Shay Colson 10:12

Yeah, yeah. I think there’s a couple differences that are worth exploring here. The first is ISO, and I would put the SOC 2 certifications in that same bucket, have a check box, right? You either are or are not ISO certified. You do or do not have a SOC 2 certification. There is no such thing as being NIST CSF certified, right? It is a framework that you can use, and there isn’t really this like, Hey, I did it. It’s an active process. So I think to that piece, for me, I often see ISO and SOC 2 pieces as really more sales enablement functions within a business than security, and the compliance piece is important, but you can be compliant and not be secure. You can be secure and not be compliant, but it’s much easier to be compliant if you are already secure. And so I think these compliance-forward programs often serve a different function. I’m not going to say they’re better or worse or that they’re hiding the ball from us on the cyber side, but getting ISO certified, the reason that you do that is so you can tell your prospective customers that you’re ISO certified. Right? That’s the big difference for me. I think it’s really hard to govern an organization in that world exclusively ISO or SOC 2. And I think the truth of it for you and I, Justin, is we both know plenty of clients who are ISO certified, SOC 2 Type 2, who also have an incident and end up on our desks that way.

Jodi Daniels 11:36

Well, this compliant person over here, the She Said part of the podcast, wanted to talk about privacy, because there’s, like, a little bit of privacy in this talk to you, and a little bit of privacy in some of these other assessments. So, Shay, in your cyber practice and in these various assessments, how are you finding the intersection between security and privacy?

Shay Colson 11:59

Yeah, this is a really good question. I think it’s similar in the sense that it is hard to have a robust privacy program without also having a robust security capability. And these two things are complementary. They work together, but they’re not the same, right? I think you and I can both recognize that, and pros on either side will say that. But the thing about privacy and security both is what gets us in trouble, is assumptions, right? Oh, this is what we do. This is how this works. This is where our data is right. When we assume that, whether as a technical person, a compliance person, someone on the legal side, or someone in the C-suite, those assumptions are what get us into trouble. And so governance takes away those assumptions and it makes us validate them, right? How does this work? Where does this live, right? What is our data flow? What is our retention schedule? Is it being followed? All of those things end up flowing from that and can keep us out of trouble. But, you know, as soon as we think, Oh, this is how it works, and I don’t go check, that’s when both security and privacy end up in a place that can be a little tenuous.

Jodi Daniels 13:01

I feel like you have something to say.

Justin Daniels 13:07

I want to take us in a bit of an interesting direction. I can’t wait. No. So Shay, probably in the last year we’ve talked a lot about artificial intelligence, and one of the things that I’m starting to see with some of the MSSP clients that I have, managed security service providers, is a lot of the security providers out there are now starting to infuse AI into their products. And I’d love to get your perspective from all the risk assessments and, you know, vCISO type of work that you provide: how often are you seeing these AI tools appearing in vulnerability and endpoint detection, and is there any particular cyber AI tool that might have your interest?

Shay Colson 13:52

Yeah, good question. So obviously, AI is the hot topic these days. I heard another attorney characterize it in a way that I thought was really clever. I can’t take any credit for this, but they said AI is still a lot like sex in high school. Everybody’s talking about it and nobody’s having it. And I thought that was pretty good, right? And so to that end, we’re still in the early days of AI. When you look at how technology evolves, not just AI, but all technologies, there’s a double S-curve theory of innovation. The first part of this growth curve is acceleration, right? So we’re doing things that we can already do, we’re just doing them faster. The next part of the S-curve, and they overlap here in the middle, is doing things that we can’t do today, and then we can do them faster. We’re still in the acceleration phase for AI. Even, you know, these kind of identifying new compounds and drug discovery things that we’re hearing about with AI use cases, we can do that today. It’s just resource intensive, time intensive and cumbersome. AI will accelerate that. The same is still true in cyber, right? We’re doing the things that we already do, just faster, whether that is for your endpoint detection and response capabilities, whether that’s in your security operation center, right, and your analysts in terms of triaging tickets, responding to events, pattern recognition. We’re not yet doing things that are uniquely enabled by AI, and so I don’t know what’s going to happen, but we’re going to get there a lot faster, right? So the first cell phone call was in 1973. We didn’t get the iPhone until 2006. It’s not going to take us 30-plus years to get to that second curve of innovation with AI, but we’re not there yet. And so I think this is the opportunity for folks to really put those pieces in place, governance, privacy amongst them, to figure out, do we have our basics and our bases covered? Because AI is going to accelerate whatever we have, whether it’s good or bad.
And so we need to get it in a way that if we get more of it, we want more of it. If we have it in a place where we get more of it and we don’t want more of it, that genie is out of the bottle.

Jodi Daniels 15:58

I like how governance is the added module, if you will, in that assessment, because it’s such an important piece. If you just try and go straight to the tactics, whether it’s security, privacy, AI, or, quite honestly, anything else, you need that governance: who’s responsible? How are you going to keep up with it? Those are important pieces.

Shay Colson 16:22

Yeah, and it’s going to depend on each organization, and the function that you’re looking at, that governance role will shift, right? It’s easy to feel like, oh, I hired a Chief Privacy Officer, or I hired a CISO, that person is now going to own that function for me, and they can do a lot for you, but it doesn’t actually work that way. And I think the other challenge that we’re just now encountering is the attack side of the world is using AI with much less constraint than we are on the defend side, right? They’re willing to use it to do anything. They experiment very rapidly. They are pivoting and changing in a way that corporate or the defenders of the world just can’t do structurally. And so we are getting further and further behind because we’re change resistant. New things are hard. There’s entrenched interests. The attackers don’t have any of those things. And so it’s going to be a very difficult time to play catch-up when they’re running at the pace of AI and we’re running at the pace of change request boards now.

Jodi Daniels 17:21

Justin loves talking about his SEC cyber rules and his privately held companies and publicly traded companies. Ah, why are you laughing at me? It is true. I bet if I were to go back and look at all the podcasts, there would be a lot. You, this is, you could probably have a —

Shay Colson 17:37

I go listen to them all, describe them and count those references.

Jodi Daniels 17:42

But today I’m gonna skip that exercise, and instead, I’m just gonna ask you, I’m kind of curious, are you seeing more privately held companies really paying attention to security because they might be required to by their publicly traded customers?

Shay Colson 18:00

Yeah, this is a great question. So I do want to hear a little bit from Justin on the legal side of the SEC cyber rule as well, because it, to me, seems underwhelming. And what I mean by that is, yes, there’s a lot of people filing 8-Ks. You know what? There is nothing in there that’s helpful to me as an investor or as a defender, right? They’re so abstracted and genericized that it becomes perfunctory, and that’s unfortunate, because I think that’s a real missed opportunity. You know who tells each other what works and what doesn’t work? The attackers. And so they are getting the benefit of that community knowledge, and we are not, because there’s this permission structure around, if you had a cyber incident, you must have done something wrong. You must have been deficient, right? And you know, sometimes that is true, but oftentimes it’s not, and shifting this conversation to resilience, I think, can be really helpful in understanding what matters. And so for private companies, yes, they are getting pushed by their public customers to improve, but they’re also getting pushed by their investors and their leadership teams internally to improve, because there is this potential of themselves having to end up either as part of or as a public company, and in doing so be subject to the SEC regulations. But in the meantime, these folks want the business to both preserve and then create additional value, and a cyber incident is one of the few things that can take an entire organization down in minutes. There’s very little else in our environment that has that level of impact, and so it can be a scary time for private and public companies alike.

Jodi Daniels 19:31

So you mentioned resiliency; I thought that would be interesting. Can you share a little bit about how companies can do that better? What is the learning that they might be able to take, that people listening here can learn from?

Shay Colson 19:47

Yeah, so I think this idea that we are secure is a difficult one to frame, because, you know, we all understand that that’s not possible as practitioners in this space, but it sounds like it would be great. It sounds very comforting, or, Oh, we finally got ISO certified, or we have our SOC 2 Type 2 in place, right? And then we’re good. But that’s just not realistic, because software has vulnerabilities. There are unknown attack vectors that we may have in our environment. Lots of our risks are not up to us, whether that’s a vendor patching a piece of software or a third-party risk management incident, where our vendor has an incident with our data, and that wasn’t up to us, right? And all of these things can manifest. And so I think framing the conversation where I can deter malicious or anomalous events, I can detect them sooner rather than later, and I can disrupt them in the sense of limiting the impact, limiting the scope, whether that’s a technical piece like network segmentation or role-based access control, or whether that’s a financial limitation through contractual obligations or other measures, these are the things that I think are going to build resilience with companies where cyber stuff is going to happen. Do you understand what you have, where it is, and how it’s protected, so that the response and the impact are commensurate to the risk for you? Because until now, we’ve just kind of let it ride, and it hasn’t blown up until it does, and when it does, not only is it too late, it’s too big, and that’s a tough way to build and run a business. That makes sense.

Justin Daniels 21:17

So Shay, I want to respond to your question about, I think it’s really around, the vagueness of the SEC cyber rule. So I would respond this way: you make a fair point. The public policy goal of the SEC cyber rule, while it regulates publicly traded companies, if you read the comments to the rule, which it was like 150 pages. Yes, I read most of it. I know that sounds crazy. It’s designed to really get at their third-party ecosystem, because, as you know, that’s where the biggest risk is. And so I think it could be done better, yes, but at least it’s now requiring companies, in a manner of speaking, to talk about what they do. But it also means they now have requirements to pass that down to their third-party ecosystem, because after the AT&T Wireless breach where they said that wasn’t material, I don’t know what is if that is not. And then the other thing you see is companies will, like, proactively file. And the SEC said, Stop doing that under the cyber breach. You should do it under the other for —

Shay Colson 22:32

When you have a material type of event, that sits in this other filing over here, right?

Justin Daniels 22:35

Yes, yeah. And so do I think it’s an incremental step forward? Yes, I do. Do I think, having written some of them, that they could be more detailed? They could, but I think that’ll happen over time as you start to see some lawsuits or whatever, where they put some meat around the initial rules. But I think we’re better off to have them than not. But it’s a continuum.

Shay Colson 23:01

Yeah, I agree. And I think the other thing that is important to me, and I think I hear you saying, which is, let’s take progress rather than wait for perfection, right? And is this rule perfect? No. But does it represent progress? Yes. And I think in both cyber and privacy, we often find ourselves saying, Oh, I could do that. But then this other thing might happen, right? I’ve been working with a client even just this week to say, well, what if I implement Okta for my single sign-on solution, but then Okta is not available? Yeah, absolutely. That does create this risk. But what about all of those logins that you now have robust multi-factor authentication, role-based access control, resilience around, visibility around, right? What about all of that benefit? Right? We are kind of underweighting that, and we’re overweighting this, yeah, but. And I think in the SEC rule, same thing. It’s tempting, and I do this myself, to say, Yeah, but these aren’t helpful, right? There’s not enough information for me to understand how this attack was carried out, and what changes I should make or tell my clients to make to avoid this happening to them. And while that is true, that doesn’t mean there’s not benefit in understanding who’s getting breached when, what the cadence and the frequency are, and as that corpus grows, being able to see that will also drive more change, both at the policy level, from a governance perspective and regulatory perspective, but also for defenders and leadership teams.

Justin Daniels 24:24

Shay, I think the best way to think about it is the evolving cybersecurity regulatory structure is very similar to the evolution of safety features on a car. Go back before we had airbags, we had vehicle assist, before we had seat belts. So think of how this regulatory environment is evolving as compared to how safety features in a car evolved. Because to your point, we can have all the safety features we want in a car, but it isn’t going to stop us having accidents. It can mitigate them. Maybe people aren’t injured. They’re able to be avoided. And I think some of these regulations and how they’re evolving is this same aim for cybersecurity.

Shay Colson 25:02

Yeah, interesting. I think that’s a good analogy. And I’d be curious, Jodi, from your side, privacy regulation seems to have gotten some real momentum at the state level, struggling still at the federal level. How do you see that playing out, both for privacy, state versus federal? And then, what can we learn on the security side? As we don’t really have a corollary, right? We don’t have the same kind of state security laws, a few Safe Harbor laws here or there, right? But nothing like what privacy has seen in the last three, four years.

Jodi Daniels 25:29

The federal side, I don’t anticipate seeing any real movement. I do envision we’re going to have many, many more states that are going to pass. We’re at 19 passed so far. We’re about to go into a legislative season here in 2025. I think we’re going to pass the halfway mark. That’s my prediction, that will get passed out of this next season. And there’s all different flavors, which means, if we go back to this governance concept that we were speaking of before, if you don’t have a plan, now is a really good time to start, because it’s going to get complicated pretty soon. Even if some states align in a particular model, there are still differences among them. What I find interesting is sometimes companies pay more attention to the security side first, because they’re so concerned about a breach, as they should be, right? That’s an important piece. At the same time, how I use that data and what I told people is also equally important. And so some companies choose to focus on it because there’s a law. Other companies choose to focus on that secondarily, because they’re so focused on the security side first. Very much company dependent. I don’t think we will see any stopping in the regulatory front, and that’s just at a US-focused level, a very US-centric conversation. Globally, there are 150-plus privacy laws, and they are continuing to modernize and keep passing, yeah, yeah.

Shay Colson 27:03

And I think this piece, and you make this point really nicely, about having a plan that is both common and defensible. What do we do and why do we do it? The same is true for security. I often encourage clients to think about those two things. And I don’t mean defensible in terms of show me you check all the boxes, right? What I mean is, we know you don’t have all the controls in place, because nobody has all the controls in place, right? The NIST 853 document that underpins the Cybersecurity Framework has 460-plus controls, right, depending on if you’re a low, medium or high system. And so really help me understand what risks you know you’re accepting and why, and if there’s mitigating or compensating controls, and that you understand your environment and are operating in a thoughtful way within it. That’s really the goal. And I think the same is true for privacy as well. And we’re not there yet, right? Folks are really still encountering this stuff for the first time, and sometimes the driver is a regulatory piece, or there’s a new law and I have to comply, and sometimes the driver is a Russian ransomware gang.

Justin Daniels 28:06

So Shay, kind of switching gears just a little bit to a different side of the cyber equation: are you finding that PE firms are paying more attention to cyber risk in their portfolio companies’ day-to-day operations? Or are you still finding it’s really PE firm dependent?

Shay Colson 28:26

Yeah, for me, I think it’s still firm dependent. But generally we are seeing more attention, I think, for two reasons. One is, again, with these hold periods, which were typically three to five years, have stretched from five to seven years in the current environment, that means more opportunity to have a cyber incident while you are the lead investor. And again, there’s very little that will reduce the value or saleability of an asset like a cyber event. And so I think we’re seeing an increased emphasis in it from a value preservation perspective, right? I don’t want to lose money on my investment. I think we’re seeing a select few firms view this as a value creation opportunity, thinking whether I’m going to public markets or larger private equity funds as I transact out of this asset, those folks are going to bring in cyber due diligence people. Those folks are going to look at these elements moving forward. Those folks are going to see this as a growth enabler, as a value creator. And if I can put that in now and demonstrate a communicable, defensible plan, even if I’m not fully where I want to be, but I know where I am, and I know where I’m going, that’s going to create value. And at the same time, you get that value preservation, right? If you’re more resilient, if you have a better understanding of your environment, if you’ve deployed some of those controls, you benefit from that every day, and you benefit at the next transaction, not the least of which is kind of supporting that growth throughout, right? We’ve both seen clients, Justin, where you’re growing, you’re growing, you’re growing. You have an incident. Revenue drops because you’re hard down, right? You have a bad quarter, but it takes your executive team three quarters to clean that mess up, and your sales team three quarters to get back to where you were. If you only own this company for 12 quarters, that’s a lot of your ownership time impacted by an event.
And so yeah, I do think we’re seeing this, but we’re seeing it in a way that is more forward-looking, rather than reactive. And I think that’s a nice change.

Jodi Daniels 30:13

I love that change. They need to be forward-looking for security and privacy. My ears are happy, okay. Now with my happy ears, Shay, you know a lot of what can go wrong. We always ask someone what is their best privacy, or perhaps, in this case, cybersecurity tip?

Shay Colson 30:38

Yeah. So for me, I think the tip is, no matter what the size of your organization, whether you’re two people or 200,000 people, you can’t beat the basics. And there’s no sense in getting fancy if the basics aren’t in place. And the basics, again, in the cyber world, are going to be complex and unique passwords, multi-factor authentication, robust backups, encryption, and then some alerting around that in both your on-prem endpoint and cloud environments. And then, if you can get there, a data retention policy that’s actually enforced, and so that’s a little bit of a nod to the privacy side. But you need all of those things in place before you go buy that whiz-bang AI solution that is either going to tell you that you’re missing all the basics, or it’s going to distract you with things that it thinks are important when you have fundamentals that you need to take care of, right? One of the things, to go back to Justin’s car analogy that I like to use with clients in this space, is: why does a car have brakes? A car does not have brakes to slow you down. A car has brakes so that we can go fast. The same is true for these basic security controls. We put them in place so that we can continue to grow and drive value to our customers, and we understand that sometimes you’re going to need them. A lot of times, just having them is enough.

Jodi Daniels 31:54

That exact same analogy has often been used by Trevor Hughes, who is the CEO of the IAPP. At many of the conferences, he uses a very similar example on how the car was made. And it’s a wonderful, wonderful example. I’m glad you brought it up.

Justin Daniels 32:09

So Shay, before we wrap up, there was one other thing that struck me in your answer, and that is the new NIST guidelines that just came out around passwords. And one of the things that got my attention was NIST guidance for good password hygiene is now: hey, have a long password. We don’t need you to have all the, you know, characters and whatever. And we’d rather have you do that and do away with, hey, change your password every 90 days, because, paradoxically, making people change their password every 90 days, they’ll do it in a way that’s predictable, that doesn’t really add any value. And that was interesting to me. I’d love to get your quick thoughts before we wrap up.

Shay Colson 32:51

Yeah, what people will do, and this is why NIST recommends this, is they will reuse a password that they know meets the complexity requirements across multiple accounts, which means that if you use that to buy pants from Nordstrom, and you also use it to log into your corporate Snowflake account, and Nordstrom has a breach, now so too might your corporate Snowflake account, right? And this is actually how Snowflake had their incidents earlier this year, right? They were single factor, and people had reused passwords. They were leaked, the credentials were matched, and attackers used them to, not hack into, they just logged into these environments. And so the length gets at the entropy, right? Some of the cryptographic details around why a password needs to be so long to prevent it from being cracked or exposed. But really, I would prefer that your passwords are unique, even if they’re not particularly complex, because then, even if that credential gets lost, stolen, breached, etc., the impact is limited to that one account. And if you have multi-factor, I care much less about that password being exposed, because that second factor is going to provide that compensating control. And so segmenting them off by keeping the passwords distinct, adding that second factor, that gives you a fighting chance to say, hey, I’m getting second-factor push notifications, but I’m not trying to log in. Something must be going on. And then being proactive to investigate what that is, rotate credentials, look at logs, whatever else. So that’s my take on it. I think it’s often oversimplified as, oh, I don’t have to ever change my password. Okay, if your passwords are long, complex, unique, and everything has MFA, you can keep that password as long as you want.

Until then, maybe changing gives you some value, especially if you don’t have MFA, or if you know people are reusing credentials. Shorten that rotation window to a reasonable amount of risk that you can live with: 30, 60, 90 days. A year is probably too long if you know it’s getting reused.

Jodi Daniels 34:42

Shay, when you are not advising on security, what do you like to do for fun?

Shay Colson 34:47

Yeah, so my fun things do not involve screens. I like to go outside. We live in a big biking town. Mountain biking is huge here in the Northwest, and that’s something that I picked up during COVID, and it’s been fun to do both for myself, but also with the kids. And so things that are outside, things that let me disconnect, right? I’m not looking at my phone, I’m not listening to a podcast, I’m trying not to die as I race down this hill. That’s a good way to get reset for me. And then doing fun things with the kids, right? We have kids that are of an age where they’re starting to experience some really interesting, fun things in the world, and being a part of that is really cool, and facilitating it by participating has been really rewarding, especially as they come into middle school and are navigating environments that I would not want to navigate. Right? I would much rather do an incident response than a day as a seventh grade girl.

Jodi Daniels 35:42

That is a good, good point. Well, Shay, where can people connect to learn more about you and Intentional Cyber?

Shay Colson 35:50

Yeah, you can find us online at intentionalcyber.com. You can find me on LinkedIn. We post weekly video updates on intentionalcyber.com for folks around what’s going on in cybersecurity that matters to mid-market companies. We really work hard to bring enterprise cyber capabilities down to mid-market customers who have, frankly, enterprise cyber challenges, but don’t have enterprise teams and tools. And that’s the best place to find us, and let us know if we can help.

Jodi Daniels 36:16

Amazing. Well, Shay, thank you so much for sharing and joining us today.

Shay Colson 36:21

Yeah, thank you both. It was a lot of fun.

Outro 36:27

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.

The post Developing Resilient Cybersecurity Strategies for Businesses appeared first on Red Clover Advisors.

Jodi Daniels

Jodi Daniels is Founder and CEO of Red Clover Advisors, a privacy consultancy, helping companies from startup to Fortune 100 create privacy programs, build customer trust and achieve GDPR, CCPA, and privacy law compliance. Jodi, a Certified Information Privacy Professional, helps with the daily privacy operations such as data mapping, individual rights, training, policies, etc., and also serves as a fractional chief privacy officer. Jodi Daniels is a national keynote speaker, host of the She Said Privacy / He Said Security Podcast, and has been featured in The Economist, Forbes, Inc., Authority Magazine, ISACA, and more. Jodi holds a Master of Business Administration and a Bachelor of Business Administration from Emory University’s Goizueta Business School.