Reimagining Cyber - real world perspectives on cybersecurity

So You've Been Hacked Now What? - Ep 77

December 27, 2023 Reimagining Cyber Season 1 Episode 77

In this episode, join hosts Rob Aragao and Stan Wisseman as they delve into the world of cybersecurity and data privacy with their esteemed guest, Shawn Tuma. Shawn, a seasoned cybersecurity and data privacy attorney, and partner at Spencer Fane, brings over two decades of experience to the table. As the co-chair of the firm's Cybersecurity and Data Privacy Practice Group, Shawn discusses his journey in the field, from the Y2K era to the present day.

The conversation covers key elements of cybersecurity, emphasizing the importance of a continuous, strategic approach to evaluating and managing risks. Shawn shares insights into prevalent issues such as RDP access, backup strategies, and the critical role of multifactor authentication, especially for users of Microsoft Office 365 and Google web-based email.

Reflecting on the evolution of cybersecurity, Shawn highlights the pivotal moment in 2013 with major data breaches at Target, Home Depot, and Neiman Marcus. He emphasizes the need for a proactive risk management framework and the significance of cybersecurity insurance in today's landscape.

The hosts and Shawn discuss the changing role of Chief Information Security Officers (CISOs) and the growing recognition of their strategic importance within organizations. Shawn stresses the value of building relationships with law enforcement, particularly federal agencies like the FBI and Secret Service, to enhance incident response capabilities.

Throughout the episode, Shawn Tuma's passion for cybersecurity and practical, actionable advice shines through, making this conversation a must-listen for anyone navigating the complexities of cybersecurity in the modern business landscape.


Follow or subscribe to the show on your preferred podcast platform.
Share the show with others in the cybersecurity world.
Get in touch via reimaginingcyber@gmail.com

Transcript

[00:00:00] Rob Aragao: So Stan, who do we have joining us here today? 

[00:00:03] Stan Wisseman: Rob, our guest today is Shawn Tuma. Shawn is an experienced cybersecurity and data privacy attorney and partner at Spencer Fane, where he serves as a co-chair of the firm's Cybersecurity and Data Privacy Practice Group. Having practiced in the area of law in the cybersecurity and privacy space since 1999, Shawn is one of the most experienced and well-respected cybersecurity and data privacy law attorneys in the United States.

[00:00:31] Shawn, it's great to have you with us today. Could you spend a few minutes expanding on your background, as well as share some of the focus areas that you have in your practice? 

[00:00:41] Shawn Tuma: Sure. Thank you, Stan. Rob, it's a pleasure to join you guys here today, and thank you for having me on. Um, as you mentioned, I've been practicing in cyber law since 1999.

[00:00:53] I got into it when I graduated law school in 99 with the Y2K issue. [00:01:00] Um, my, uh, I started studying and researching that while in law school, uh, in 1998 and really thought that was going to be my ticket to, to stardom and that I would have been retired about 10 years ago and living on my own private island somewhere.

[00:01:18] You know, it just didn't quite happen like that. And, uh, it, it, it really turned into be a fizzle or a dud, but, um, It got my foot in the door in cyber, and it's something that I've been able to continue working in ever since, um, much, you know, for the first couple of years as, as, uh, you know, I had to support myself as an attorney in a, in a young attorney in a large law firms, and it really wasn't until, you know, the mid 2000s that I dove into the computer hacking type work.

[00:01:56] And, and as I studied and learned more about [00:02:00] that, it kind of dawned on me that with every hack we were dealing with, somebody's personal information in many cases, or businesses, sensitive business information, were being disturbed and were being, uh, you know, violated, if you will, the confidentiality of that.

[00:02:19] And so that's what got me into the data breach side of things. And I remember in 2011, writing a blog post that 2011 is the year of the data breach, you know, once again, I mean we saw an uptick, but it was still kind of a dud, and it wasn't really until, you know, 20, uh, 2013 with Target, Home Depot, Neiman Marcus, all that, that it became headlines.

[00:02:47] That was the watershed event for many of us in this, uh, space, where data breach or, you know, incident response became the dominant part of our practice. And really that [00:03:00] that's when I became able to transition to doing nothing but cyber and privacy, you know, exclusively. And so these days, my practice involves kind of three components.

[00:03:13] One is that continued litigation of cyber and privacy issues. Two would be the proactive risk management side of things. The third bucket of what I do day in and day out, and probably 70, 80 percent of my work, is incident response and serving as what we would call a breach quarterback or coach or privacy counsel or whatever the term du jour is.

[00:03:43] Rob Aragao: You kind of hit upon this.

[00:03:43] It's the, you know, when you look back at the year of the data breach, it seems like it's been every year since, right? And then that watershed moment of Target, to me, was a bit of an eye-opener when it finally got to, you know, the C-level, right? The CEO actually losing their job and people starting to pay a little bit more attention to it. [00:04:00] So I hear you. So Shawn, you know, one of the things as you're engaging with your clients that we'd be interested in hearing a little bit about are, you know, the recommendations of kind of the key elements that they should be focusing their attention on at the highest level, if you will, um, that help them in being as best prepared as possible, but knowing that, you know, this is the inevitable cyber attack, cyber breach, it's going to occur, but kind of top level, right?

[00:04:22] What are those things that you're consistently seeing and having those conversations and guidance for your clients around?

[00:04:27] Shawn Tuma: To me, reasonable cybersecurity is not a definition. It's a process. It's a process of evaluating your risks, which are all unique to each business. Assessing, your risk assessment, and then developing a strategic plan for addressing those risks and then executing on it and then continuously reevaluating.

[00:04:48] You got to have that process. If someone called me right now and they said, Shawn, what are the top couple of things, you know, the key elements [00:05:00] that you're going to ask me about that will lead to a bad cyber case. First thing I'm going to ask is, are you using RDP access into your network? Because what we're finding is nearly 50 percent of the ransomware cases we're handling involve RDP access.

[00:05:19] And you've got, I'll air quotes, you know, the IT guy who says, yeah, but I changed the port. So it's good. And I'm like, yeah, no, it's not, you know, nice try, but not quite. But, but that's a problem. We see open, you know, RDP access. The other thing is, um, your backup. Your, how you handle your backups. Are you using something like a 3-2-1, you know, type of backup process, and not just in principle, but are you testing it and validating that it actually works? You know, ransomware attackers, these guys, they know they're not going to get paid if you've got backups.

[00:05:58] [00:06:00] So they go take out your backups first. And so we've had several cases where the organization thought they were backing up appropriately, but they couldn't be restored because of misconfiguration at some level. So you got to test that. And then the third thing I would say is, you know, for folks who use Microsoft Office 365, or Google web-based type email, are you using multifactor? Because if you're not, you're going to get one of those business email compromise situations, and you're going to be scratching your head going, it's not our fault.

[00:06:38] It's theirs. But I'll tell you, probably 90 percent or more of the cases we see dealing with business email compromise, somebody is using Office 365 without MFA. Bad guys got a hold of an old username and password, ran it against the account, got in, and boom, that's how it happened. [00:07:00] And then finally phishing, and we all know phishing, you know, the problem we have with that.

[00:07:07] And it's not easy to address, but you've got to educate your workforce about this, because we love to wring our hands and talk about, oh, it's always the people that's the problem here. Well, of course, because the people are the ones that are doing everything, right? So they're going to be the problem. But how do we expect them to do a good job with something if we don't teach them?

[00:07:29] And, and, you know, we push out policies, we even penalize sometimes, but, but we never teach. And so it's got to start with teaching, and then put your policies and, and educate them on the policies, and cover that why. You know, why are we doing these things?

[00:07:47] Stan Wisseman: You have that risk management framework and the processes supporting it, but you also are highlighting specific weaknesses and controls [00:08:00] necessary to shore those up.

[00:08:02] And so, uh, you know, in addition to that, you also are talking about the culture enabling the employees to actually, you know, be part of that human firewall. and helping the organization be secure at some of the weakest points, which is again, the phishing attacks are probably one of the prominent ones. So I really like the combination there.

[00:08:25] Shawn Tuma: Well, uh, you know, I appreciate that, Stan. And I tell you, it's not, um, I've never been the smartest guy around, but I do try to work hard and I try to learn from experience and, and, you know, one of the problems that I saw, um, back in 2014, I was speaking at SecureWorld. I was doing a talk at SecureWorld.

[00:08:51] And, uh, and I was doing the old, it's not a matter of if, but when routine, you know, kind of what we were all doing back then. And [00:09:00] it's not a matter of if, but when, and when it happens, it's going to be catastrophic. So you better prepare today. And I had someone ask me, they said, well, so what you're telling me is it's inevitable.

[00:09:10] There's nothing I can do about it. And when it happens, I'm, I'm done. Okay, never mind then, that's a risk I can't do anything about, next issue. And it hit me hard. I was like, whoa, that's a great point. And so we may not be able to get them to 80 percent secure, but if we can get them from 5 percent to 40 percent with some basic foundational kind of things, we're helping a whole lot in reducing that risk.

[00:09:39] Stan Wisseman: You see another driver out there as far as helping with some of that blocking and tackling, some of the fundamentals, um, expectations of insurance companies. If you want to have cyber insurance, you need to have some of those fundamentals using some kind of, um, recognized industry standard. Is that something [00:10:00] one, are you seeing more companies explore?

[00:10:03] You know, cyber insurance. And two, is that helping raise the bar in some cases? 

[00:10:08] Shawn Tuma: Yeah, absolutely. To both questions. So we are seeing an increase in cyber insurance, and I'm a huge advocate of cyber insurance. I mean, look, if you don't have the money or the budget to put in an incident or a security program or better your security.

[00:10:26] You're not going to have the money or budget to manage an incident response either. And, and poorly managing an incident response can lead to, to having it be much worse than it could have been if you'd have done it the right way. To the next part of your question. Um, there is a, a strong trend of insurance companies becoming more and more engaged in, in deeper evaluation of what those,

[00:10:55] What a company's risk is. So like five years ago, you know, we [00:11:00] saw one-page applications, you know, that would be like three or four basic questions. Now, we are seeing much more detailed questions. We're seeing much more informed questions too. And we're seeing, uh, you know, when, when we're looking at larger policy amounts, um, you know, up to 5 million or so, the underwriting team for that carrier, they're going to want to get people on the phone and talk to them and go in and maybe even ask for, you know, pen testing or risk assessments or things of that nature.

[00:11:26] And they are incredibly knowledgeable people. From what we're hearing, uh, they've been hit so hard this past year with, uh, you know, ransomware in particular that the, they're going to become much more stringent here, you know, as we move forward.

[00:11:53] So companies need to be ready for that. And, and they need to learn from it, too, because what the [00:12:00] insurance companies do, they use the same process that I use. It's, what have we seen that has caused our losses? Those are the things we're going to look for and ask about in our diligence process. And so you need to listen to what the insurance underwriters are focusing on, because they're looking at, at data and statistics of, of all these events they've had in the past through their, you know, actuarial process.

[00:12:30] And it's incredibly informed. And, and it's a great learning opportunity for the company to be able to, you know, to get the right people involved. And I say the right people because far too many times, you know, I talked to a CISO of a company and they don't even know if they've got cyber insurance. They weren't even consulted in that process and brought into the discussion.

[00:12:54] And how the heck do you do that? Especially now these days, when you've got to start answering all these technical [00:13:00] questions. 

[00:13:02] Rob Aragao: Right. Over the course of your career, and when you look at the CISO kind of, you know, even if it was five years ago, but to where they are today, right? Have you seen that true pivot of reality where it's a critical need for whatever type of business an organization is going after to ensure that they have a CISO that's focused and with the right investment and voice at the table versus that kind of, you know, nice-to-have,

[00:13:26] checkbox approach for compliance regulatory needs. I mean, is that evolution, you know, something you're actually seeing day in, day out in your customer engagement?

[00:13:33] Shawn Tuma: It is, Rob. It's something I'm seeing. It's something I'm advocating for very strongly, and, and I'm hoping the trend continues. It's still not enough. I'll come back to that humility point

[00:13:48] I made earlier, that we all have to remember we got a lot to learn, you know, and we're going to always have a lot to learn, but I view the CISO role, or [00:14:00] whatever the equivalent is within that organization, as really one of the most important people in the organization. And I say that because number one, cyber, in my view, is the biggest risk companies face today.

[00:14:16] It's, I mean, look, even COVID didn't shut down operations overnight in most cases. One ransomware attack, I mean, the CEO goes to bed tonight dreaming of profitability and numbers and vacations and wakes up with a call from the CISO tomorrow morning going, we are now technically out of business unless we can recover.

[00:14:39] I know we all like to talk about the lack of funding and the lack of resources and all these things, but in my own personal experience, the biggest problem I see in companies is not really a lack of funding or, uh, you know, even of manpower many times, or of, of not [00:15:00] having the right tools, gadgets, gizmos, or whatever.

[00:15:04] It's a lack of a strategic vision, of strategic leadership, because somebody, you've got to have a head coach that sees how the whole playing field is working, how all of these resources are working together, and developing that strategic plan. That, that head coach is your CISO, you know, and, and so having that CISO in that role, I believe, is of critical importance.

[00:15:33] And I also believe they need a seat at the table with your board of directors or your upper management or whoever that decision maker is, because that, we'll say the board in many cases, because that's what people typically like to talk about. You know, I've counseled many clients on their reporting to the board and the engagement between [00:16:00] security and the board.

[00:16:02] And if you just ask your CISO for a written report to provide to the board, you, you're going to get something very simple. You know, all risks are being managed and the company is doing well, you know, boom, something, or maybe a paragraph or something. And what does that mean? You know, it, it, it either means you don't recognize all the risks, to recognize that we can all be attacked and hit, or it means you're too aloof to, to appreciate it.

[00:16:38] Or too arrogant to think you can be hit. Or it means you're too intimidated by the board. You're scared to death to tell 'em what the real situation is because they're gonna come down on you and fire you. 

[00:16:49] Stan Wisseman: Yeah. That unvarnished truth sometimes is a scary thing to share with the, uh, the board.

[00:16:56] Shawn Tuma: It really is.

[00:16:56] And the only way you can [00:17:00] overcome that, um, is, is by a dialogue, by a conversation, and by talking and explaining to them, look, you know, I know what you want to hear. You want to hear that we're fine and there are no risks. But that doesn't exist in today's world. So let me tell you the real state of where we are.

[00:17:18] We're in a process of continuously trying to reassess what our risks are, you know, and, and go through your process and explain it and say, you know, we're doing the best we can under the circumstances. Here's things we could improve upon if we had more resources. 

[00:17:37] Rob Aragao: When you look at the role of the CISO right there, there's been a forced, if you will,

[00:17:41] maturity in that role, right? A lot of the historical kind of buildup was, you know, how technically sound are you to secure our environment? Reality is that, that doesn't, that doesn't solve the problem, to your point. It's like, I can give you a list that says we've assessed the risks and we feel pretty good about this stuff.

[00:17:58] What does that mean? Right? So it's that [00:18:00] translation of going into each different type of business could even be in the same vertical. You need to assess, right, what's most relevant, what's most important to them. And as you've been talking about, you know, one of the themes that we've discussed many times in this, in this podcast is, is focus around that mindset and pivot to being more resilient, right?

[00:18:18] Cyber resilient. And as you've said, even as you've gone through and you've learned for yourself and in different client engagements, you know, how to evolve and make it better and understand kind of what's next that we need to be paying attention to. It's the same thing, right, for the CISO to be able to say, I now understand the given business I'm in and what you actually are desiring of us to ensure we're doing the best we can to make this a resilient environment when

[00:18:42] a security incident occurs, right? I mean, that's what I'm seeing a lot of out there is finally this evolution of that role coming into a more business-minded individual.

[00:18:51] Stan Wisseman: So Shawn, one of the things I wanted to ask you about, another prominent player in these incident responses, typically, is law enforcement. [00:19:00]

[00:19:00] And you've probably seen their capabilities evolve over the years and how they deal with cyber as they've gotten up to speed as well. Um, how do you set expectations with the firms that you have as clients on what they can expect from law enforcement and their role in an incident response?

[00:19:26] Shawn Tuma: I think they have a crucial role, but we also have to know when, when we're going to try to bring them in and what role they play, which goes to your question of, you know, they're not your company's IT department.

[00:19:40] They're not your, your security team. You're not going to call them and then have three agents show up with, you know, bags to take hard drives and go analyze and, and get you back up and running. That's not their role. Their role is to investigate crimes, pursue criminals and see [00:20:00] them get convicted. And what that means is in a lot of cases, um, you know, they're overwhelmed.

[00:20:07] I mean, they are dealing with so many cases. They don't have the resources to come and investigate every ransomware case we have. Um, they don't have the resources to investigate every insider theft or whatnot. And so they, they look for kind of a materiality requirement. Um, and it's not like a publicly stated, but you know, it's gotta be a big matter.

[00:20:32] It's either got to involve public health and safety or some substantial amount of loss that would justify their resources. To the question of expectations, I tell my clients, look, in most cases, we're going to report to law enforcement. Um, we're probably not going to see them engage back. We got to do our work independent of them.

[00:20:56] because they're not going to come in and save the day. And [00:21:00] the first step in that process is many times to file that ic3.gov report, which is what they will usually tell you to do. But if you're in a case where you think it may be material or meaningful, I mean, not just some little phishing email, um, but you know, maybe it's a phishing that led to a business email compromise of half a million bucks.

[00:21:25] Then you need to let them know quickly, right? Because they have a kill chain in place where they can stop a lot of that. But filing that ic3.gov report usually isn't going to get you there. You've got to have a personal relationship with someone either in Secret Service or FBI or both. And you need to do that before you have an incident because look, they want to work with the public.

[00:21:53] They work very hard. Many times it's through InfraGard or through other, you know, just attending [00:22:00] conferences or whatnot. Um, they want to, to know the security leaders. And they want to have those relationships, but but you've got to make it happen. Right. And so you need to reach out to your local field office, let them know, hey, you know, I'm the CISO of this company, we're here in your jurisdiction.

[00:22:22] And we'd just like to visit about maybe what we can do to be better protected, who we can call if a problem arises. And, and in my experience, they jump at that opportunity when they can. And, and, you know, if someone doesn't have the ability to contact them, let me know. I'll reach out, you know, connect you to my people local here.

[00:22:44] And, and wherever else. 

[00:22:46] Stan Wisseman: And that's part of what you do, right, Shawn? You help connect folks to the right resources to pull them in.

[00:22:51] Shawn Tuma: That's, that's exactly right. Stan, you know, um, as I mentioned earlier, I'm not a technical guy, I'm a lawyer, but my most [00:23:00] valuable role many times is the connections and the resources that I have to bring in the right partners, the right people at the right time.

[00:23:10] To help get done what needs to be done. 

[00:23:14] Rob Aragao: What do you think is the kind of concern that people have in building that relationship ahead of time? I don't get it. 

[00:23:19] Shawn Tuma: When I'm referring to law enforcement, typically I mean federal law enforcement, your FBI and your Secret Service. And there is something a little bit intimidating about that.

[00:23:28] You know, maybe it's the TV shows, you know, FBI's Most Wanted or whatever, the mystique we've built around all that. They're regular people out doing a job and they recognize that they can do their job better if they have the exponential reach of the relationships of those of us in the private sector.

[00:23:50] I've heard of companies in the past who did not want to involve law enforcement at any level because [00:24:00] they knew they had something to hide. And so it's like, do not ever bring them into our environment. I've heard those stories, but by and large, if, if your company is not doing illegal activity, you don't have anything to really fear there.

[00:24:17] I mean, there are these fear stories of the FBI is going to come in and seize your servers and they're going to shut down your network for a week and blah, blah, blah. You know, I've never seen it happen. One thing I will say is there's no privilege with communications to law enforcement. And so you do need to be careful in what you say and how you say it, certainly when you're providing written updates or whatnot.

[00:24:47] But other than that, I just, I've never experienced it. I hope I never do because I don't want to be burned by, uh, by sitting here saying this.

[00:24:58] Rob Aragao: Agreed. Well, [00:25:00] Shawn, hey, listen, I'll tell you, we're very excited that you were able to join us here today for this episode and give us the different perspective, right?

[00:25:06] The legal aspects, your, your, your experience and your passion for this space is very prevalent in the conversation we're having. Your multi-pronged based approach keeps it pretty simple, in my opinion, which I think is very key. And as you mentioned, right, the blocking and tackling, like just the good security cyber hygiene.

[00:25:23] We've had those conversations for way too long. It's like, just let's go do this stuff and let's be more business-minded in how we approach how we're protecting the organization. So we really appreciate your time and hopefully we'll have you on again in the future.

[00:25:34] Shawn Tuma: Hey, it's my pleasure. Anytime you guys want me, you can tell I love to just sit here and ramble on.

[00:25:42] So I'm always happy to jump on. So thank you so much. It's been a pleasure. Look forward to next time. Thanks.

[00:25:48] Stan Wisseman: Thanks, Shawn.