Cyber risk isn’t just a technical issue—it’s a leadership priority. In this insightful conversation, Joe Lazzarotti, cybersecurity and privacy attorney at Jackson Lewis, unpacks the evolving landscape of cyber risk, from data breaches and insider threats to AI governance and executive accountability. He and host John Riley explore the biggest misconceptions leaders hold, the impact of supply chain vulnerabilities, and why proactive planning—not panic—is the key to business resilience in today’s threat environment.
Cyber Risk Is Everyone’s Business—Here’s How To Approach It With Joe Lazzarotti
Navigating Cyber Risk: Executive Challenges & Regulations
Welcome to Navigating Cyber Risk, where we are going to explore the challenges faced by executives as they grapple with cybersecurity mandates and regulations. We’ve got an amazing guest who is an attorney barred in multiple states across these wonderful United States. He’s an avid e-bike rider. He’s a foodie here in the Tampa Bay area, and introducing Joe Lazzarotti with Jackson Lewis. Welcome, Joe.
Thanks, John. Thanks for having me.
Good to see you. We’re going to just jump right in here with the main topic, which is what’s the difference that you see between cybersecurity and cyber risk?
I guess the way I think about that is cybersecurity may be a state of enterprise or an environment at any given time, what your state of cybersecurity is, and maybe cyber risk is what you need that state of cybersecurity to be once you’ve analyzed the risk, because you need to have your cybersecurity reflect the risk to your organization.
I think sometimes people protect the wrong things. Coming from a network engineering STEM background, we always hear that there are layers of security, but if you’re protecting the wrong thing, it doesn’t matter. If you have five firewalls, but the database doesn’t live inside, you might not need the five firewalls and spend the money elsewhere.
I think that’s right. I know a lot of times there are a lot of stories about insider threat, and a lot of the resources go to protecting the perimeter, and not so much what’s going on inside that perimeter, or the same exact thing. Agree.
Who has access to what? Should everybody need access to that database or the data that’s in there? Can you restrict that down and maybe understand a little bit about who should have access? I think that’s one of the funny things that I’ve always seen, also is that I see a lot of CEOs that say, “I should have unfettered access to something.” On top of that, “I don’t want the two-factor authentication because it slows me down.” There’s always a reason. Those executives are the ones who are making those decisions. One of the things that we’ve done is to have them accept that cyber risk. You can do that, but you understand that you are putting yourself at risk and you’re taking the personal responsibility for doing that, correct? It gives more pause.
I think that’s right. I think it’s also one thing I see is that a lot of times, there are a lot of silos. Even identifying the risk may depend on who’s identifying it and what people in the organization you ask, because somebody may have a different perspective, and no one really has been able to think about that to address it. Really getting the other side of that, maybe it’s legal, maybe it’s sales, maybe it’s marketing, maybe it’s HR. There are different components to that risk that you need to take into account.
Beyond IT: Why Cybersecurity Is An Organizational Imperative
That makes a great point. As far as that goes, when you talk about silos, what we find a lot of times is that when we go to talk to an executive, what they do is they toss it over to the fence to the technical guy. “That’s IT stuff.” Cybersecurity, that’s just IT stuff. They don’t understand that those silos exist and that those databases are there for their other employees and that that’s the whole purpose of it. The IT guy really doesn’t know.
He knows he’s supporting a database. He might know some of the data that’s in there, but he doesn’t know that they’re plugging in credit card data or PII data or whatever. He’s just taking care of the database, or they are taking care of the database. I think that it’s not fair to just say, “That’s an IT thing, cybersecurity anymore.” It’s got to be an organizational item and something that goes across organizations or across departments for it to actually be worthy.
I think that’s exactly right. Even in different things, whether it’s cyber or privacy, or AI, a lot of times when I talk to clients, like, “Give me a policy.” As if there’s this magic, which I get. You try to say you start to have to ask some questions about what exactly, and of course, maybe the industry of your client, but you don’t know who their customers are, what agreements that they signed, and you don’t know what elements of data are impacted, and you don’t know what states they operated in.
As you know, you have all these state laws that are now popping up, and so it really becomes a pretty complex question. The frameworks that apply, there’s a lot of overlap in those frameworks. It’d be great to have some more information from different folks in the organization, and you probably would be in a much better place.
Along those lines, then, what do you think are the most significant cybersecurity threats that are facing companies today?
If you look at it from a media perspective, it’s probably the next threat actor group that’s going to hack your system. You worry about that, but I do think that what people are surmising about AI and how that could leverage different types of attack vectors that we haven’t been used to with deep fakes, and some of that. I think that’s a pretty scary thing. It’s a lot of unknowns, but I also think it’s just back to basics as well, where people just are still trying to struggle with not clicking on that link and just day-to-day basic blocking and tackling, good hygiene. It may not sound sexy, but I think it is also really important and leads to a lot of problems if you’re not careful with it.
I would say that there are also maybe some questions around how dedicated the person is. Are they paying attention? Are they able to pay attention? Is there something going on in their life? Are they distracted with a bill that’s not paid? There’s a reason that when you’re dealing with high-security data, they do the background checks to make sure that you’re able to do it without being blackmailed or forfeiting the data or anything else. I think that background checks should definitely be required for any type of person who’s accessing data like that.
No, makes sense. I know that I’m not an expert in background check law. I know colleagues who just eat and breathe this stuff. From what I’ve seen, there’s always that exception for people who work in certain industries. There’s a little bit more latitude for people who, on background checks, for people who work in certain industries, because usually it’s around financial services. The idea is we’ve got to protect the money. To your point, it’s about, yes, that’s true, but now it’s the data that gets you to the money. You have to worry about that also. That’s a big gap.
You work with a lot of CEOs. When you’re talking to them, what prioritization do you tell them that they should put on that cyber risk part of it? I mean, is it something that’s at the forefront of their mind, or is it something that’s an afterthought of maybe after a scare or something like that, where they’re like, “Maybe I should clean the house?”
In some ways, I think there’s a glimmer of good news. Over the last, I don’t know, it’s probably been maybe over twenty years that the top complaint to the FTC has been identity theft and all these breaches, and it’s slipping in. I think CEOs really understand that, but I think the real issue, I think for a lot of CEOs, to your point, is that you get hit with a breach. It’s not so much the disclosure of personal information, although that’s a big deal, but it’s the business interruption that causes a concern.
If you have a business that’s more vulnerable to business interruption, if you can operate easily, or you could manage without your systems, if they’re taken down, that CEO may find that there’s maybe bigger or equal fish to fry. If you’re in a business where if your system goes down and you’re going to be in a real bad way, and you’re going to have customers who are even more upset, then I find that there’s more focus on that. I do think CEOs are more focused on this, and trying to get them to that point is a little bit easier.
I agree with you. I think that 2 years ago, maybe 5 years, 10 years ago, before some of the automation. I’m thinking like even a CNC shop. There are a lot of their things that are now stored on some server, which is then sent directly to the machine. The reliance on those electronic devices is just continuing to grow, and therefore, so is that risk, because I mean, there almost isn’t a company out there that doesn’t have data that needs to be protected or that needs to be sheltered in some way.
No, I think that’s right. To your point, it’s like the whole, even if a CEO might get comfortable with their environment, you’re only as strong as your weakest link. Much of what businesses do is through supply chains and the business partners that they work with. That’s a big gap, I think, as well.
Supply chains are another one of the big concepts that we talk about, because everybody’s got their data in Microsoft Outlook or in the cloud, but when was the last time you actually backed up the cloud? If you look at the Microsoft user license agreement, it says that we don’t back it up, and it’s your responsibility to secure it. They do the technology parts of it, but you still have to be the identity person. You have to make sure that you’ve got the right people with the right accounts and that they have access to the right things. If you screw that up, Microsoft goes, “Yeah, you screwed up.” It’s a change.
I’d be curious about your thoughts on this because to me it’s an interesting issue, but like after some of these file transfer breaches for the last several years and others, those aren’t the only ones, of course, but the idea of, how far down the chain do you go? If you’re thinking about fourth party risk, everybody’s saying, “It’s a third party, but what about the fourth party and the fifth party?” It’s like, how far down do you go? Now there’s so much interconnectivity. Those entities way down the chain could cause a lot of harm for a lot of other folks that they may not even know.
Cyberattack Playbook: What To Do When Hacked
Does that new startup that’s doing that crazy good thing for you, are they actually certified? Should they have the data? That’s a whole other podcast, I think we’d have to talk about. Let me ask you this. I don’t know if you’ve worked with CEOs as they’ve been through that journey where they’ve been hacked, but I mean, what do you think that looks like for them when, like, an executive finds out they get that call first thing in the morning, cause it always happens overnight. It’s like 6:00 AM, they get that call that says, “We’re locked out of the system and customers are screaming at us and banging on the door. What would you like us to do?”
We dealt with hundreds of clients on data breaches, and you’re right. It’s either at a bad time of day or it’s the Friday before a holiday weekend. I know one of the things that we really try to do is give them some comfort because we’ve done it many times, and there are other great firms out there that have done it, and you get through it.
I think they need to know that upfront because it’s a lot of unknowns, and particularly for smaller businesses that may feel like, “This is going to sink our business. Our clients are never going to forgive us.” I think giving them a level setting with a little bit about, “Here’s what this process looks like.” With a few questions, you can get some sense of their business and what the road might look like in the next 3 or 6 weeks. I think that’s a big part of it is trying to be, give them a little bit of an understanding of the process, give them a little comfort, because now they have to make some important decisions.
If they’re all worked up over that, and you don’t know everything at that point, it can be hard. You need to be a little bit methodical: what is this incident? What data is affected, if any? Who’s the threat actor? What are some next steps immediately? There are a bunch of things, but yeah, I think it’s just grounding them and then being methodical and then moving forward in a pretty quick but prudent way.
One of the things we also like to talk about is practice it before you actually have to play the Super Bowl. You don’t want the Pee Wee team out there trying to play the Super Bowl. Try and figure out who it is, what would it look like? Play some of those. Who’s going to be in charge? Who’s the quarterback at that time, and then who are the players? In your case, I would say, put your retainer in. “I’m just going to give you a retainer just in case I get hacked and so that I can call you and you’ll answer my phone, give my phone call that day.” Same thing for a PR company or any other context that you might need for when that happens.
That’s right. When you say practice, you probably want to practice with those folks, too. You want to build that rapport early on, and you want to get a sense of what CEO this is? I know I do it. How risk-averse are they? In the process, I learn about the client’s business. Learn how they operate, who the key people are, how they go about making decisions, and what data they have.
You’re exactly right. Those sessions can be really crucial. I’d want to call you on a quarterly basis, just to make sure you pick up the phone, and then we’re so good, and we’re going to go. I mean, just as part of my planning. That way we know if it happens, and that phone rings and you see that number, who it is. It’s time. Excellent. From your perspective, taking a look at what’s going on, we’ve got AI, we’ve got robotics, we’ve got quantum computing. What do you believe is going to have the most profound impact on cybersecurity in the near future?
Things have moved so fast over the last couple of years, it’s really so hard to say. I think we’re going to move in a parallel direction. Things are just going to continue to escalate because the bad guys have the technology as well. On the one hand, I’d love to get your sense of this. I think you’re closer to this than I am, but I feel like the IT security folks that lead those efforts at companies want to leverage that technology to protect their companies, but the bad guys are doing the same thing. In many ways, we think that there’s some advantage to it, but that advantage could be easily overcome. From my perspective, it’s hard to really gauge those types of technologies, but it’s just a little unsettling. We’ll see.
My perspective on it, I mean, we’ve got a lot of changes that are coming. If you can use AI to say, “Give me steps to break into this company. Help write code that does this or takes advantage of this port.” It’s all kinds of things that AI could do. Robotics is going to be interesting, deep fakes. I actually had a friend of mine who was buying a house, the bank called him, and he was moving money anyway. The point is that somebody did a man-in-the-middle attack on his personal phone, and he responded back to the bank with a code and did a deep fake of his voice and was able to get them to transfer money into their account.
Those are the things that, even if you’re talking to somebody via Zoom, you’re not going to know that that person’s the right person anymore. I think that there’s going to be some opportunities and some ways that we’re going to have to learn to do things. The good guys will have to put some regulation in that says, “If it’s AI-based, there needs to be like a little plus sign over here in this corner that says it’s AI no matter what.” Now, there are going to be bad people who don’t do that or remove it. At least we’ll have something to try and help us identify it as humans.
Maybe that’s the thing, John. Maybe it’s leveraging AI to really help awareness with people, because to your point, that’s a big part of this is just people doing their job, trying to be efficient, trying to get the job done, and trying to move inefficiencies out of the way. In the process, you can really step into it and cause some problems. I know that we were talking over the weekend with some friends about some of this stuff, and someone said, “Make sure you always have a safe word with your kids.”
There was that attorney from Philadelphia, I don’t know if you saw it, he presented to Congress about an incident that happened with his son, who got into an accident. It was a pretty interesting story about how he almost got duped. The point is, if there’s that safe word, you could have that with your kids. If someone is trying to do a deep fake, you can ask for that, and they can say that word, and you’ll know it is or it isn’t them, perhaps. Again, just using maybe these tools that we have to be more efficient to get better coverage with training people, creating awareness, so that they can avoid these issues.
Cyber Risk: Cybersecurity may be your current state—but cyber risk is what that state needs to be.
On top of that, we’ve got quantum computing that’s going to just that may just leapfrog everything that we’ve done as far as cryptography and trying to get into systems and protecting systems. I think that’s going to be another huge leap in computing kind.
That’s the other issue. It’s a related issue, I think, is so many are talking about, if we just de-identify the data, it’s fine. There’s a whole question about whether you can really de-identify data. Certainly, in the not-too-distant future, that may be something that becomes harder and harder to do.
The AI Policy Quest: Is There a “Massey AI” Golden Ticket?
There’s so much data out there now. I think, as you said, everybody’s got their silos that people are keeping track of and trying to run with. What are you currently working on that you’re most excited about?
I guess a couple of things. One is trying to help, maybe it’s pretty mundane, but it’s a good group and we’re trying to help them figure out how they leverage data that they have about customers to get them back in their store through online marketing, through outreach and mindful of different activity on their website, mindful of state privacy law issues. There are twenty states now that have that. Just trying to work through some of that stuff.
I guess the other thing is just been dealing a lot with companies who are trying to figure out how to get governance around AI in their organization, which is pretty interesting because a lot of it is just, it’s almost like a two-level analysis. It’s, “Do you want a high-level governance structure in place?” You have to think about, “That high-level governance might not adequately address the nuances of the different use cases that you’re trying to implement.” You have to think about those use cases because that’s going to drive ultimately what you want, what safeguards and policies, and transparency around that particular use case.
I don’t know if you saw a movie, but there was a movie with Catherine Zeta Jones, and I don’t remember the guy’s name, but basically it was the Massey prenup. He writes these prenups that are just perfect every time. He falls in love with Catherine and whatever, and then she breaks it for him. Anyways, so that’s what people are looking for. The reason I’m bringing that up is because people are looking for that golden ticket on the policy of AI, the Massey AI policy. It’s everything. Without the nuances of the business, it’s just going to be the perfect prenup, and they can go to sleep with it. They feel safe.
That’s it. I think you’re exactly right. That’s a great example.
Now you have to go see that movie if you haven’t seen it before.
I’m going to go look for that.
I’ll see if I can find it real quick for you towards the end of it, but we’ll move on, and I’ll come back to that in a second. Tell us a little bit about who you are. How’d you get here, and a bit about Jackson Lewis?
Born and raised in New York City, practicing law for about 25 years, decided to move down to Florida. Loving it down here. It’s great. I made a lot of new friends. I started out doing ERISA and tax work as an associate and got into privacy through HIPAA. I have a pretty deep expertise in HIPAA, but then states started having data breach notification laws and started going through that, and just started building out a practice group here at the firm.
We do a lot of pre-breach services, like you were saying, tabletop exercises and policies and compliance work, biometrics, and obviously incident response, soup to nuts on that. Of course, when agencies investigate and plaintiffs sue, we defend our clients on the business side. That’s what we do at Jackson Lewis. We have a group of about 8 to 10 compliance and incident response attorneys and about the same number of litigation attorneys. That’s our practice.
I think that a lot of companies are looking at GRCs and how to manage some of those, and understand a little bit better. What we find a lot of times is that that’s a tool, and they think that it’s a magic bullet. I equate it to what used to be the CRMs of sales. It was, “All I need is Salesforce.com, and I can make money.”
I think it’s, “All I need is the tool of the GRC, and I’m protected.” Of course, that’s not the case. It has to be a cultural change for the people to understand that they’ve got to use the tool in the right way. It’s more than just IT that has to do that. Everybody’s got to do their training. Everybody’s got to do their parts and understand where the data is and protect it. I think that’s one of the things that we see. The name of that movie was Intolerable Cruelty.
I’m that down, John.
That was like I said, it was a funny movie anyway.
I’ve been married for 30 years. The prenup option is gone.
Which is fine. I’m just saying it’s one of those funny things where I want the perfect one. The Massey prenup was the one that came across as a lawyer. Might find that one funny.
That’s great.
If you could go back in time and give your younger self advice, what would it be?
Probably to get into this space more deeply sooner. Not that I didn’t like doing benefits, and there are some advantages to that in terms of regulatory analysis. Now, the DOL has finally come around to regulating cybersecurity. It took them a while, but just getting involved sooner. There’s so much to learn. That’s what my advice would have been.
Strategic Imperative: Prioritizing Your Organization’s Cyber Risk Assessment
We’re going to wrap up here, I mean, so tell us, I’d like to give our audience some advice or something dealing with cyber risk. What would be your suggestion for an executive or somebody listening to the show on what should be their next step?
Maybe to end where you started. To really get a handle on your risk, which is, I think, more important in a lot of ways than cybersecurity itself, is to build out that function. Going back to HIPAA, if you’re in healthcare, that’s an enforcement objective that’s pretty actively enforced right now, in particular by the Office for Civil Rights. Figuring out who on your team you want to sit down with and maybe have periodic conversations about your organization, really understand what risks there are. Maybe you’ve addressed them, but maybe you haven’t. I think for any organization, that’s really a starting point and will serve you well.
Get a risk assessment done and figure out where to go from there. I like that. The last thing is, how would you like people to reach out to you? We’ll put in links for all your email addresses and all that if you’d like, but how do you prefer to be reached out to?
Email’s great. [email protected]. That’s the best.
There you go. Everybody, that’s Joe. I appreciate your time. This has been a great chat, and I’m glad we met through the way that we did and everything. Thank you very much for being on the show.
Thank you.
To our readers. Thank you for reading. Hope you’ve learned something. Maybe laughed or commiserated with some of these issues that we’re seeing. That’s it. This is another great episode of Navigating Cyber Risk, and we’ll see you next time. Have a great day, everybody. Thank you.
Thanks, John.
Thanks, everyone.
About Joe Lazzarotti
Joe has a 25-year career in law, specializing in ERISA, tax law, and healthcare privacy, particularly focusing on HIPAA compliance and data security as the industry evolved with electronic data transfers and breaches.
Joe mentioned his own podcast, “Jackson Lewis – We get work®” which talks about We Get AI and We Get Privacy.
He shared his interest in outdoor activities, particularly e-biking, and Joe shared that he and his wife enjoy exploring Tampa’s restaurants and outdoor lifestyle since moving to the area 15 months ago.