Artificial intelligence is sweeping every aspect of the digital space right now, and it always finds its way into our personal lives in more ways than one. Despite its many benefits, concerns regarding data privacy arise. Caroline McCaffery of ClearOPS is here to discuss the state of data privacy laws and regulations as AI becomes more ubiquitous. Joining John Riley and George Usi, she discusses how to ensure data protection and prepare ample cybersecurity budgets amid the ever-evolving AI landscape. Caroline also explains the right way to handle a cyber crisis without having to delete all of your data.
—
Watch the episode here
Artificial Intelligence And Data Privacy With Caroline McCaffery
We have an amazing guest who is a seasoned attorney who loves hitting the slopes, cooking up a storm with her recipe for ChatGPT that always leaves her laughing with some quirky jokes and tech French Award winner in 2023, Caroline McCaffrey. Welcome.
Thank you for having me.
Cybersecurity Vs Cyber Risk
It’s a pleasure to have you on the show here. We’re going to jump right in. How would you explain the difference between cybersecurity and cyber risk?
Good question, which I often find people use when they’re trying to delay the answer. Cybersecurity I think of as how to protect yourself while you’re online or in the context of a business, how a business protects its assets online. Whereas cyber risk, I think of more of an analysis of determining when something may create a vulnerability for a business or an individual subject to an attack or a threat and how to minimize or mitigate that risk or how to mitigate that potential situation from occurring.
Addressing Phishing
What’s the most significant cybersecurity threat facing companies?
With the generative AI capabilities, it is anything that can be related to phishing, whether that’s smishing, phishing or anything like that, and how that can compound into something else. For example, I was looking at a company that was subject to find from HHS for a HIPAA violation it was because they were the victim of a ransomware attack, which came from a successfully executed phishing attempt on one of their employees.
The reason I think that is particularly the risk has gotten much more advanced in 2023 or so is because, before phishing attempts, most people could read an email and say, “That does not sound like it’s from a human. The English is not written too well.” There’s something phishy in the text itself whereas gen AI now makes that incredibly challenging to discover. We have to revert to other techniques that users generally do not. For example, if you use Apple in Apple Mail, you can turn off smart addresses. you can see that an email is coming from a Gmail address rather than from a corporate address. It’s another way to prevent phishing.
That comes down to the male client that you’re using.
The big risk is anything that is able to be driven by generative content as a way to get in has been made significantly easier for the threat actors.
I do often wonder how long it’s going to be before email is no longer viable. Platforms like Teams, Slack and what I think a lot of the internet standards folks refer to as authenticated communications where you can’t openly send an email to somebody. It almost seems unreasonable to even go that way. This is clearly one of the biggest threats that we all face. I do wonder, is this where you think CEOs should prioritize cyber risk? Is this hyper-focus on email or do you think it’s bigger than that?
In 2024, it makes a lot of sense to hyperfocus on email. I do think that that. Smishing or phishing through SMS-based methods is also a big risk, particularly in certain industries that rely on text messages quite a bit for interacting. I do think that 2024 is going to be a focus as a gateway.
Preparing Cybersecurity Budget
It’s often the CFO who is putting those budgets together with the technology leadership, and in some cases, smaller organizations may have a combo role, CFO, COO or even the owner. How do you think the person responsible for finance should prepare their cybersecurity budgets moving forward?
I think especially for those smaller organizations, they need to have one. They need to dedicate a budget to cybersecurity if they have not already, which I think, as we all know, they not have, not necessarily done. How to allocate their budgets is a topic I’m very fascinated with in terms of allocating budgets. I gave a whole presentation about how to present to the board in order to get the budget. I think you have to go through and do an analysis of each department as to their cyber risk that involves what they’re doing on a database. Let me put this into real context. If you go to your marketing department it can be quite an area for cyber risk that most people don’t think about it because a lot of their communications are to the public.
If you think, “That’s public data. There’s nothing to protect, and therefore the risk is low.” That’s not necessarily true. They have control over your website. There can be a lot if they don’t have two-factor authentication on their ability to log into the website to make changes to it, then you potentially have a risk there. How do you dedicate budget to, how do you say this is an area of the business that is generating revenue?
On the marketing, if you have a security page, the m department can tell you how many people are visiting the security page. That will give you an idea of how much security is impacting your ability to get new customers, and therefore you now have a tangible relation for budget. Our security page is getting this many views. This means it is important. It is important for people to do due diligence on us, and therefore we need to put money into it because it is clearly resulting in sales.
Cyber Laws And Emerging Trends
That’s a difficult position for a lot of mid-size businesses that are and maybe they have a couple of IT staff or a very small IT staff. They are trying to grasp what problems they’re facing in terms of cyber risk. I think often what I hear is that the common problems they experience, email issues, concerns with vulnerabilities in their perimeter, that is an obvious answer, but to address those things. When it starts to get into things like, “Do I invest in new policies and procedures and what about these new cyber laws?” As an attorney, I can imagine this is probably something that you’re familiar with. Do you think that the emerging trend in cybersecurity is cyber laws that enforce or force companies to do the right thing? How are they supposed to do that if they don’t have the resources? Do you have any feelings about that?
You’re correct. All the regulations that have been recently passed in the United States which are data privacy protection laws in various states that have gone through, contain obligations on the businesses to perform their due diligence, make sure they have certain cybersecurity controls in place and potentially be subject to regular audits. We’re still waiting for California to tell us what those audits are going to look like, but it’s definitely in that law.
Artificial Intelligence: Data privacy protection laws in various US states obligate businesses to have cybersecurity controls in place and subject themselves to potential regular audits.
CCPA is amended by CPRA. For those who don’t have budgets for it, it’s a little bit of my soapbox, but I go back to sales. If your customers are demanding it, therefore it is a cost to sales. It is a customer acquisition cost. If you don’t have a budget for it now increase your pricing to set aside that for the budget because they are requiring it. It is part of the sale now. It needs to be accounted for in terms of your pricing to your customers.
Where you’re talking about marketing and how that affects the lead gen, what leads and what data they’re collecting, all of that is important when you’re looking at that. I want to depend on one of the things that you also said earlier. When we were talking about emerging trends, and you mentioned AI before, how do you think AI is going to affect those privacy trends? Are people asking ChatGPT for policies and procedures?
I think they are. In playing around with the chat GPT store, I created my own custom privacy policy generator GPT by taking all of the various state privacy laws that have gone into effect and uploading that into the custom GPT and then asking it to create a privacy policy for me. It wasn’t perfect obviously, but it was super fun and very interesting from a legal perspective. I do think that what has been interesting with this recent surge of AI interest is the privacy communities grasping it.
It’s because as a community privacy, we still haven’t gotten a federal law and we’re seeing exactly what everyone in the community predicted, which is state-by-state privacy law is going into effect. Generally speaking, privacy has not been put on the federal agenda as a priority, and yet AI has. By jumping into the AI and saying, “This is privacy,” we’re going to hopefully finally get that federal law. It’s going to be called an AI federal law versus a privacy one. It’ll closely parallel to what the privacy proponents want to have in that federal law.
Our politicians are pretty good at pork barrel spending, maybe they can throw in some privacy law.
It would be a relief because all these state-by-state laws that are going into effect are certainly not the ideal situation. You don’t want to be dealing with 50 different state privacy laws.
Dealing With Cyber Crisis
The bigger question that I get all the time is not necessarily, “How do I prepare?” but, “It happened. Now what do I do?” That cyber disaster journey for an executive. What do you think most executives go through like the hackers hit us and they stole sensitive data, now what? What has been your experience working with those executives?
When it comes to experiencing a crisis, it is full of a lot of emotion. It is very difficult at the moment because you’re making decisions based off of the information you only have at the time. Sometimes, as we get down the road, you might look back and say, “If I’ve known then what I know now.” My experience working with executives is it’s basically that. They react. What most of the cybersecurity community is trying to do is say, “Let’s practice and let’s put in place the plan.”
What did Churchill who said something about how making plans is important, but you never follow them type of thing? Having a place to plan and practice means that when you do get to that crisis moment, you’re not taking actions that could increase your risk, which unfortunately happens calmly. My experience with executives is to try to calm down the reaction a little bit to get back to process, “Let’s get through this thing.” The first step if we can is containment, and then we go through the motions. It’s to calm it down and bring it into the right methodology in order for a response.
A follow-up question on that, what do you think is the biggest mistake the technical teams make because they’re not aware of what they’re supposed to do when an incident happens? Do you have any field experiences there that you can share?
It is destroying evidence and not intentional. I’m trying to contain it and all of a sudden I erased how the attacker got in the first place. There’s no way to know or I erased any evidence of how we could figure out if data was taken or not. Now we have to default to the idea that all data was taken even though nothing could have been exposed.
That’s an important one for a lot of the technical folks that there are natural reaction historically has been, “I’ll wipe it and we’ll rebuild it because we got to get up and running.” We’ve seen that before.
It’s a big challenge because, obviously, you want to prioritize getting systems back up and running to stop the bleeding, but unfortunately, it can be worse.
That’s where the executive is breathing down your neck going, “How do we get this back up and running?” You make the decision to do something and it’s the wrong decision ultimately, but you don’t recognize it at the time because you’ve got to make that choice. It’s like playing the Super Bowl with a Pee Wee league.
Especially in healthcare, I’ve heard, “If we don’t get this up and running, that patient in the operating theater is going to die.” I can imagine that it’s easy to destroy evidence in those situations.
Maybe in those situations, you do have to destroy the evidence because that is the risk. We’re talking about doing a risk transference who should take the risk? In that case, I don’t think the hospital wants to take the risk of the patient dying over potentially having leaked data that they should have been protecting.
Career Path
Tell us a little bit about yourself. How did you get here? You’re a part member of the California bar, but you live in New York. Are you practicing in both? How’d you get there?
I’ve been practicing for many years as an attorney, which is crazy to say. I started out in a California law firm that represents technology startups then I moved to New York. I’m a New York and California barred attorney. In the first decade of my career, corporate securities. I helped those technology companies obtain financings to mergers, even get up and running. A little bit of A Jack Of All Trades in that sense, because when you’re dealing with young companies, they will usually go to one primary lawyer and ask for help with all sorts of things that you may not have experienced before. I enjoy that in terms of being challenged, then I went to a company called Sail Through, joined as their general counsel and Sail Through, which has since been acquired, started off as a marketing automation company, collecting quite a lot of user interest data on the web.
When I joined a fellow attorney who was also an in-house counsel at the time said, “If you’re going to join that company, you need to dive into privacy.” I went to my first privacy conference. It aligned with my own principles in terms of being careful about how we’re collecting users’ data online. I decided to get my privacy certification and I used to oftentimes within the company itself, say to people, “If you want to talk to me, I’m always happy to talk about privacy,” which made me a little bit of a nerd. Because of that, I also said, “And security,” because with privacy comes the interest in security. I came across my first security questionnaire. As an attorney who was sitting in the sales team, helping them sit conduct sales and doing all the licensing agreement negotiations, when that security questionnaire came across my desk, I couldn’t complete it.
I didn’t know what the information was or how to respond. I spent the next year essentially coordinating an effort to get all the answers into this thing. This is 2012, it’s a long time ago. I thought it was the most painful experience I’d have ever had in my life. It stuck with me. When I went to my next role, which was in an AI company called Clarify. They do image recognition technology. I was introduced to all the different methods of AI that were being worked on and developed.
One of them was natural language processing. When I learned what that was, I thought to myself, “This is a game changer, especially in the legal industry and even more, especially when it comes to responding to assessments like security questionnaires.” After a few years at Clarify and meeting people and networking, I met my CoFounder, whose name also happens to be George. He and I were talking and eventually, we decided to start our own company, which is ops, which the initial pain point we focused on was responding to security questionnaires since then it’s grown exponentially. Thus my interest in generative AI stems from that interest in NLP, which is what Gen AI is.
The number of security questionnaires coming out has increased since 2012. In the last few years, it’s multiplied immensely. I don’t even want to try to put a number on it, the number of customers that we get that are in that deer in the headlights, “What am I supposed to do with this questionnaire that I received?” They’re not lawyers. They’re just trying to make a sale. All of a sudden, now they’re presented with this and it stops the sale. Maybe they make it. Maybe they don’t, and that’s some pre-planning and maybe helping get under get past that is helpful for the sale.
It’s such a huge sales blocker and it’s becoming even more so because now not only do they have questionnaires going to the information security team, but on the legal side, we now have security addendums being attached to the licensing agreements that may or may not match what is happening at the information security team side with the questionnaire. It is becoming not just a more intense process, but if we’re talking about that risk again, there’s now increased risk within the company itself, who’s being told who’s responsible for what and them operating in a silo.
We haven’t even touched on the insurance part of it.
ClearOPS
I am curious of the ClearOPS product. What roles use the product? Is it in the risk management and the legal team more so or does it cross the chasm of interdepartmental and get into the IT team, security team and supply chain? That’s what I would imagine. You had to build it for somebody, and they’re all different personality types so how did you deal with that?
It’s an interesting trajectory because we started with going after small businesses, which as you know, don’t necessarily have information security teams. They often have the CFO who may also be the COO, who may also be the CEO, someone who’s wearing multiple hats. We found that working with that person was not the right person to go after because what they wanted was to hire an intern to take it completely off their plate. They didn’t want some self-serve type of model of technology.
Over the years that we’ve been building, we’ve now settled on information security managers as our target. They’re a good fit because this is the task that they have on their plate. We’ve spoken to lawyers in law firms about this as well. It does crossover. We did start with the premise that we wanted the platform to be cross-functional because I think this is a cross-functional problem, but in terms of who do we talk to in our sales marketing material, it’s that information security manager that is someone who has this on their to-do list isn’t getting paid commissions for it like the salesperson is and could be using their time spent doing other things that would be better for the company, such as pre-audit work or putting in place proactive security measures, not spending 40%, 50% or 60% of their time responding to questions over and over again.
That’s an interesting dynamic role. Who is responsible within organizations we’ve seen many times where the technology teams or the information security managers, in this case, they’re very frustrated with the revenue teams because the revenue, “The deal is coming. Finish this questionnaire.” Two years later, the deal still hasn’t closed. We see a lot of that internal role and responsibility challenges of, “Who’s going to do this?”
There’s one thing that you learn about technology and security folks. They don’t like to do things twice. Generally speaking, that’s what ends up happening. I don’t have an answer for it, but I definitely hear the frustration. I’m sure for the ClearOPS tool, it’s a great opportunity because they have to have the tool there for when the sales team comes and knocking. In the end, this is all still cyber risk management, but thank you for the overview. There are intriguing challenges that I’m sure you had to deal with in your design. I appreciate your sharing.
Thank you. This is a little bit of a self-pat on the back, which I don’t mean to do, but being a lawyer gives me a little bit of a different take on how to build because I build in decision-making and risk transference into the product itself because I know from experience how that, for lack of a better analogy, that ball gets passed back and forth.
Artificial Intelligence
What are you currently working on that excites you? You’ve got your AI and your recipes for great jokes. What else are you working on there that excites you?
I do love playing around with the DE&I products. I use my little recipe ChatGPT all the time, but because I’m building ClearOPS, it’s that technology that has my full attention and focus. We turned the platform onto the other side of the table. For years, we’ve been working on the vendor response side. We turned it onto the other side. You’re sending out vendor cyber risks due diligence requests. I have my head in that in how to use generative AI in a way that is creative, helpful, and efficient, without taking people’s jobs. That’s what the name of the game is because I don’t want to be responsible for making substantive decisions. I think that has to be with the experts, not with any type of automation.
I often say AI copilot, not pilot. That’s where the expertise still has to apply a lot of that has to do with the fact that the artificial intelligence only has the intelligence, intelligence of maybe a somewhat smart animal like a pet, but it’s still not there yet. Copilot is better in my experience.
Since working at Clarify, the AI company, I’ve often asked this question I don’t have an answer to, which is, “If we train or retrain these models based off of people’s expertise, and when we start to lose the expertise, how do the models ever get better?” Instead, we’re making the humans worse. It’s one thing that we have to figure out.
Network Building
I am curious, as you look at your career, if you could go back in time and give your younger you some advice, what would that be?
Almost like a softball question. It would be when you are building your career, think about your network and keep it, not only building, but keep in touch with them as consistently as you can using whatever tools or methods you can. Many years ago I was meeting people who today I would love to be able to reach out to and say, “Can you help me? I did this crazy thing and started my own business,” but I’ve lost touch with them. There’s very little incentive for them to respond to me at this point. Definitely, it’s a networking thing.
Going Skiing
I hear you on that one. I imagine that as much enjoyment as I’m sure you get out of work, there’s got to be other interests or hobbies that you have. What drives you when you’re not working? What are those hobbies or interests that you have?
I love to go snow skiing. I was a racer in college. I’m going on spring break with my kids pretty soon. Spent a lot of time with my kids. They’re both teenagers. I’m going through a lot of the work for them to think about college and that type of thing, which is interesting to live vicariously through them, going through it again for the second time. I love animals. I already talked about cooking. Cooking is like my relaxing time. Thanksgiving is my day because I get to spend 5 or 6 hours cooking. No one questions me or anything. They all give me tons of praise for the output. It’s probably one of the best start-to-finish projects you can have.
I imagine that where you’re at. Where’s the skiing at in New York?
We do tend to go out West for skiing, and sometimes we’ll ski locally, but it’s usually out West. It has been a very good year in the Northeast, but normally northeast skiing is ice skiing and skiing on ice is treacherous. I tore my ACL about many years ago, I’m a little bit more nervous about doing that again,
Both John and I are from the Sierra Nevada so we can relate to the skiing situation.
We both skied for Years.
You don’t ski now?
I haven’t skied in a while. Hip and knee stuff that prevents me from doing it now. I love skiing, but I’m not sure that counts either. George, I thought you went skiing.
I stick to sledding these days. I have issues with my feet. Super high arch and finding like renting boots, it’s always very painful. It’s one of those things where I have to invest in a pair of boots to get back on the slopes. Frankly speaking, I’ve got an ACL reconstruction in one knee. That means the other one’s probably coming soon because I do play soccer. I raced in high school in skiing, but one would argue that you’re not going to find me on the charts. I never won anything. As much as I’d like to say that, it’s the, used to rent. I’d like to blame it on the rentals, but I’m pretty sure it was the skier, not the skis.
You’re not going to find me in any competition like trophies either.
One time I won a medal for something, but it’s gone now. Caroline, where can people find you?
Closing Words
Our website is ClearOPS.io. You can email me or find me on LinkedIn.
Are there any books, podcasts or anything else that you would suggest people look at?
In addition to this show, I listen to the Cyber Risk Management Podcast, which I find useful. It is not cyber risk care related at all, but I listen to The All In Podcast, which I find super entertaining. I read a lot of, books about optimizing your time. I highly recommend that. I should have written down a list, but there are a lot of books I think are good for entrepreneurship.
Thank you so much, Caroline. We appreciate you taking the time to be on our show and sharing more information about yourself as well as ClearOPS. It sounds like a wonderful solution, but most importantly talking about risk transfer and cyber risk as a topic that we don’t think is discussed as often as it should be, especially when it matters or when those things happen to businesses. To the audience, thank you so much for reading. If you learned something, whether it was, something creative or new, heck, maybe you laughed, hopefully, you didn’t cry. Please tell somebody about our show. It’s been another fantastic episode of navigating cyber risk. We’ll see you next time. Thank you so much.
Thank you.
Thank you everybody.
Important Links
- Caroline McCaffrey
- LinkedIn – Caroline McCaffrey
- Cyber Risk Management Podcast
- The All In Podcast
- https://www.LinkedIn.com/Company/ClearOps-Inc
About Caroline McCaffery
She has her own podcast. Has been an attorney for 23 years. Loves snow skiing. Loves playing with AI. Created a recipe GPT that ends every recipe with a joke. Has a passion for volunteer projects.
Caroline McCaffery is a seasoned corporate securities attorney who started at Gunderson Dettmer representing technology companies in their financings and M&A. After a decade, she moved in house as General Counsel to two technology startups, the last one an A.I. company that furthered her passion for building ClearOPS. Caroline is a unique attorney due to her breadth of experience in commercial, privacy, cybersecurity, corporate, securities, employment and other practice areas that gives ClearOPS a unique competitive advantage.
