An Interview with founder and CEO of Red Clover Advisors Jodi Daniels

This interview is part of our Cybersecurity Insights Series, where we tap our partners and industry experts for the latest trends, thoughts, and predictions for cybersecurity and beyond.

The cybersecurity landscape is always in a state of flux, but the pace of change seems to be accelerating by the day – from significant shifts in the regulatory environment to rapidly changing consumer expectations around privacy and security. Jodi Daniels is the founder and CEO of Red Clover Advisors, a consultancy which helps companies fuse their data privacy and cybersecurity practices, and we can’t think of a better guide to understanding these changes or how companies should respond to them. Jodi was generous enough to chat with NINJIO’s Matt Lindley about how companies can protect and secure their data, keep up with regulatory changes around cybersecurity and privacy, and drive cultural change around all of the above.

Matt Lindley: GDPR and CCPA demonstrate that regulations around data privacy and security are only becoming more robust. What does the future of the regulatory environment look like in the United States? How should companies prepare? 

Jodi Daniels: We’re about to enter a three-state framework: In January 2023, the California Privacy Rights Act (or CPRA) – which is the updated version of CCPA – will take effect. Virginia’s new law, the Consumer Data Protection Act (or CDPA) is coming at the beginning of 2023. And the Colorado Protection Act (or CPA) is coming in summer 2023. At least 30 states have introduced privacy laws multiple times. Texas has a committee on it. There are lots of privacy laws being created, and I think we’ll see even more during this next legislative session. 

There are 50 state data breach laws, which are almost replicas of one another, while we don’t have a federal regulation. Think about running a business and dealing with a privacy law every day – to have multiple laws across the country is going to be complex. There will be pressure from lobbying groups, tech companies, etc. to create a federal law, and as the world moves in the direction of stricter requirements, there will be pressure on the U.S. 

We have a sectoral approach to privacy and security law (healthcare, education, etc.), so the key issue will be how to combine disparate elements into something that works. You need to be prepared for a multi-state approach – it’s vital to have someone, whether internal or external, paying attention to privacy. You need to have a person who’s the privacy sponsor or champion, even if this role is outsourced (as not all companies can afford someone who’s dedicated to the task full-time). 

I don’t think we’re going to move to a GDPR state in the U.S. GDPR is very individual-first, company-second. It also has no threshold for the type of organization (nonprofit, for-profit, education, and so on), and no minimum threshold for revenue or the amount collected. Contrast that with the United States where state laws differ regarding different types of entities and data. The U.S. is very company-first, which means there are minimum floors to help reduce the burden of compliance for companies. GDPR treats privacy as a fundamental right, and while it’s becoming more important in the U.S., laws and regulations also have to be business-friendly.

ML: Red Clover emphasizes the fact that companies shouldn’t just care about data security because they face the threat of fines and other penalties, but because security and privacy are fundamental rights. Could you talk a bit more about that? 

JD: I love the work Pew has done on this subject: 52 percent of people say they’ve recently decided not to use a product or service because they’re worried about privacy and security. That’s a huge statistic. I’ve received calls from companies that say, “I can’t close this sale until I show I’m complying with X, Y, or Z data law.” Sales are being lost because of that. How many people pick Apple Pay, Amazon, or PayPal for security purposes alone? If you buy from a site that looks like it’s from the 1990s, you’re not going to trust it. Consumers have good reasons to be concerned: when you’re asked to provide healthcare information, for instance, not everything is HIPAA-protected. Think about anytime you’re asked a financial question – why do you need my kids’ names and birthdates? 

In the digital era, with all companies collecting data in some capacity, I have to trust who you are before I’m going to give you accurate information. There are many ways to earn trust: You can create privacy and security pages that differentiate your company from the competition and explain what you’re doing to keep consumer data safe. People are buying your products or services because they trust you, but data management is now a piece of that decision. What I don’t like is when companies force consumers to pay for more expensive services if they want better data management – all customers deserve a full commitment to their privacy and security.

ML: As investments in data management and cybersecurity increase, how do you think companies should be allocating these resources?  

JD: It’s essential to understand every type of data you collect, which information is the most sensitive, and the risk that someone could infiltrate the organization and steal it. Have you done the basics of a cybersecurity program, including password management and employee training? Not every company needs fancy firewalls. I don’t want to hear another company say “Everything’s on the cloud, we’re good.”

Privacy and security are entwined. Privacy is how companies collect, use, and store data. When there’s an attack, the trust that enables this process has been lost. You need to understand the threat landscape and allocate your budget appropriately – cybersecurity and data management need to be considered costs of doing business these days, as well as investments in future sales. Prevention is so much less expensive than being forced to respond to a breach. I’m seeing 20 to 30 percent increases in security budgets, but privacy isn’t receiving the same attention. Companies have to go beyond “privacy principles” and focus on access control. 

ML: How do you think about cultural change when it comes to compliance, privacy, and cybersecurity?

JD: I think that’s a challenge. The first piece is getting people to realize that they have to pay attention to privacy – that it’s not an afterthought. Every company today is a data company. If you don’t make it a priority, you’re losing half your customers. 

To get buy-in from executives who are numbers-oriented, you should emphasize the fines that the company could incur and the sales you’re going to lose without a robust privacy and security platform. Demonstrate how privacy is connected to the brand. When you start to get a few people on board, you can start to move that wheel. 

Consumers are willing to share data if they get something back for it, which is why privacy notices and a privacy page are so important. These pages can be visually appealing and on-brand. You can summarize why you collect the data, how you protect and manage it, and how consumers can benefit. Think about customer objections and questions first. Be transparent. Consider how it feels to discover that companies have been collecting and sharing your data without telling you. 

ML: There seems to be a disconnect between the general public awareness of cyberthreats (which has surged after several recent high-profile attacks) and companies’ preparedness. What do you think accounts for it? 

JD: People think an attack won’t happen to them. There are also misalignments between key personnel – how often does your CISO communicate with the CEO or the board? If company leaders aren’t properly educated, they may not fully understand the status of their privacy and cybersecurity platform or what they need to be thinking about. You often hear that cybersecurity is one of the top five concerns CEOs have, but they’ll tell you they have all these other important priorities: budgeting, growing sales, and so on. You also can’t ignore the wider culture – how is the security team connected to the rest of the organization? 

ML: Can you talk about the link between brand trust and data privacy and security? 

JD: Companies have to understand that a data inventory is a foundational element of any privacy program. Data mapping exercises are very different from a security point of view – you have to know information is protected and where it needs to be. When it comes to privacy, however, you’re focused on the business purpose of data, and you might uncover things the security team had no idea about. For example, employees could be using their own unauthorized SaaS and cloud tools. When you do a data assessment, you need to understand why information is being collected and all the places where it’s being collected. You can’t honor your customers’ right to privacy and security if you have no idea where your data is. The establishment of a data inventory also helps companies comply with privacy laws, illuminates whether data has been shared or sold as defined by CCPA, and allows companies to determine whether data use aligns with customer expectations. 

ML: We know personal data is frequently exposed in breaches, while various forms of social engineering continue to work startlingly well. What does this tell you about the state of employee education around data security? 

JD: One reason I really like NINJIO is its unique approach to making cybersecurity engaging and interesting. Companies often just want to do a one-time-a-year thing and that’s it, but the idea of continuing to educate is very important. How people receive content is changing – companies and educators haven’t necessarily moved with the times. It’s important to be able to do that, especially when so much of this is employee-driven – one employee can risk the whole company. CEOs don’t always understand that threat. Employees need to understand that they can’t address a potential breach on their own – so who’s the person they should contact if there’s an incident? 

Employees are afraid they’ll get in trouble if they report a suspected cyberattack. Companies need to make it clear that employees aren’t going to be reprimanded for falling for something that was designed to trick them. You have to anticipate employees’ concerns: reward and thank them for recognizing a problem and admitting mistakes early. 

ML: Data security has to be embedded in a wider range of business operations than ever before. How do you go about helping companies develop a coherent data, privacy, and security platform?

JD: You need to have a designated person responsible for overseeing the privacy and security practices in a company. Sometimes, that person will be high up enough in the company and have the credibility and weight to push the agenda. Other times, they’ll need an executive sponsor to be that conduit. 

Regardless of the size of a company, there’s a privacy and security program that’s right for it. No privacy program at all is always the wrong answer for a small company.