Jodi Daniels of Red Clover Advisors: 5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity
As a part of our series about “5 Things You Need To Know To Optimize Your Company’s Approach to Data Privacy and Cybersecurity”, I had the pleasure of interviewing Jodi Daniels.
Jodi Daniels is the Founder and CEO of Red Clover Advisors, a privacy consultancy that helps companies create privacy programs, build customer trust and achieve GDPR, CCPA, and US privacy law compliance. Jodi helps companies with the daily operations such as data mapping, individual rights, training, policies, etc. and also serves as a fractional chief privacy officer.
Jodi is a Certified Information Privacy Professional (CIPP/US) and national keynote speaker with more than 22 years of corporate experience at Deloitte, The Home Depot, Cox Enterprises, and Bank of America, where she most recently served as the privacy partner for Digital Banking and Digital Marketing. Ms. Daniels started her privacy career by creating the comprehensive privacy program at Cox Automotive.
Jodi holds a Master of Business Administration and a Bachelor of Business Administration with a concentration in Accounting from Emory University’s Goizueta Business School. She lives in Atlanta, GA with her husband, two girls, and a big fluffy dog named Basil.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in CT and in high school moved to South Florida. I came to college at Emory University in Atlanta, GA and have never left!
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
More than a decade ago, I was working on building a targeted advertising product at a very large media company and privacy in the marketing space was trying to self-regulate itself. How to use data within the company was a pressing business issue intertwined with privacy considerations. I had a feeling this was going to grow into a bigger business requirement and I saw this was an opportunity to jump into. So I did! I created the first privacy role at the company and began my career in data privacy.
Can you share the most interesting story that happened to you since you began this fascinating career?
I’ll share a personal one! My husband and I went shopping for a new mattress and visited a store with an IoT mattress. The salesman was explaining all the features including how it would collect my sleep patterns, heart rate and more. We wanted to know how the company used the data and the salesman just said “it’s a big company and very safe.” After we left the store, we went and read the privacy policy which indicated how it did use our data. We didn’t buy the mattress.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
So many people! One in particular, however, recognized my skills were transferable to other functions and that was a catalyst to a career change.
Are you working on any exciting new projects now? How do you think that will help people?
I’m continuously working on how to make complying with privacy laws simpler to understand and implement. They are only getting more complex and at my company we’re working hard to provide practical tools for organizations needing to comply with privacy laws. We continuously get feedback that companies like our approach and our goal is to be a viable privacy solution for companies who don’t have an internal privacy resource.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Find a hobby outside work. Privacy is changing SO fast that it can be easy to be learning or working 24/7.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry, as it is today, is such an exciting arena. What are the 3 things that most excite you about the Cybersecurity industry? Can you explain?
The acceleration of privacy laws in the US means that governments are paying attention and trying to catch up to the speed of technological change. It also means that companies are realizing that privacy is no longer a nice to have but a must have and are bringing in privacy resources. With both of those activities, the investment in privacy tech is escalating as well and that means more tools for companies and privacy professionals to make this work more effective and efficient.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for?
The ongoing threat of hacks is hastening, not declining. Technology is continuing to advance at such a fast pace and without proper privacy and security considerations. We need to start learning from the privacy and security issues with each technological change and I fear that as a society, we’re making the same mistakes again. Companies have to think about ethical data, data ownership, and the continued cyber threat.
Do you have a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
Companies forget that older systems don’t always have the ability to be patched and updated, leaving them vulnerable to attacks. It’s important to review the tech stack, especially of companies being acquired.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
Microsoft Sentinel, which detects unusual traffic on a company network. KnowBe4, NINJIO or Curricula for training. Bigger companies use CrowdStrike Falcon to do proactive threat hunting with AI.
How does someone who doesn’t have a large team deal with this? How would you articulate when a company can suffice with “over the counter” software, and when they need to move to a contract with a cybersecurity agency, or hire their own Chief Information Security Officer?
Most companies that do not have a large team use a third-party MSP or MSSP as their outsourced security team and use the tools the vendor recommends. Another great option is a company like cyvatar.ai.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a lay person can see or look for that might indicate that something might be “amiss”?
A lay person should be wary of emails that pressure them to take action or give them a free gift. Phishing is still the number one attack method for hackers. They should periodically check email rules and also if they are getting any kind of password reset notifications.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
They should ensure that all their systems are constantly being updated as appropriate, that controls are in place to monitor unusual activity, and that all current and new employees are trained on the latest security threats. If they weren’t prepared before, there is typically a debrief session with their security counsel and consultants that will have a more detailed list. The company should not ignore that and start acting on it right away.
What are the most common data security and cybersecurity mistakes you have seen companies make?
Companies don’t know where their data is so they don’t know how to protect it all! They assume that someone in IT has that handled. Employees are not properly trained and there is no preparation for an incident response.
Since the COVID-19 Pandemic began and companies have become more dispersed, have you seen an uptick in cybersecurity or privacy errors? Can you explain?
Yes, with more employees engaging in remote work, there is more data on personal machines, more people using unprotected Wi-Fi, and more companies using SaaS tools that might not be properly secured. People forget to lock their computers, print privately, and some people might be having conversations in public places. I have heard a lot of “confidential conversations” on the patio at a coffee shop that would be better to have been held in a private space. Companies need to remember to have strong password policies and employ MFA as well.
Ok, thank you. Here is the main question of our interview. What are the “5 Things Every Company Needs To Know To Tighten Up Its Approach to Data Privacy and Cybersecurity” and why? (Please share a story or example for each.)
1. Know your Data. When we did a data inventory for a company they didn’t know they had 5 CRMs. Once we were done with our work, we were able to clean up their data, lowering their risk for the company and reducing their costs to just one CRM.
2. Review your vendors. Nowadays, companies have a spiderweb of software often on the cloud housing data. Using the data inventory, companies can begin to review their vendors ensuring compliance with applicable privacy laws, how data will be used and protected. A data protection agreement and vendor assessment of their security practices may well be in order.
3. Train your team. Training people what they can do to protect data is essential for companies of all sizes. People also learn differently and it’s important to have various training methods such as video and written. It takes people multiple times to hear and absorb content so repeating privacy and security tips multiple ways is important. Don’t assume people will remember or that the executives should be skipped! I have seen a phishing report from companies and it’s often the executive team clicking through.
4. Assign a Stakeholder — Who’s in charge? If there is no one paying attention to privacy and security then nothing will get done because everyone will assume “someone has it taken care of.” I highly recommend a privacy professional to manage privacy and a security professional to handle security. While they are intertwined, they are also different and I find when companies have a dedicated professional for each, whether that be full time or outsourced, the company is better positioned for its privacy and security risks.
5. Risk assessments. For each project, companies should consider the privacy and security risks during the design of the project or campaign. Often they are brought in at the end and it’s too late to make meaningful adjustments. I have seen projects launch with privacy and security flaws that then have to be halted. Conversely, I’ve seen projects include privacy and security at the beginning, the risks were identified and mitigated and even included in the promotion of the product.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think, simple, fast, effective and something everyone can do!)
Be kind and use your manners. I think during the pandemic, people more than ever need social connections and due to the lack of it, we have also lost how to interact with each other. My suggestion? Look someone in the eye and say hello. Especially do this to the people you don’t know! When asking for anything — to an employee, colleague, your kids, or at a store or restaurant — say please and thank you. Finally, if you have nothing nice to say, don’t say it.
How can our readers further follow your work online?
www.redcloveradvisors.com and https://www.linkedin.com/in/jodihoffmandaniels/
This was very inspiring and informative. Thank you so much for the time you spent with this interview!