S3 E12: Building a Security and Privacy Culture

Transcript

Jordan Eisner: All right, here we go. Another episode of Compliance Pointers and another… unique or special episode where we’ve got a guest, a client guest in this instance, Clark Haynes of Modere. Hey, Clark. How are you?

Clark Haynes: I’m great. How are you?

Jordan Eisner: Pretty good. Pretty good. It’s good to see you in this capacity. Feels like more times than not when I’ve seen you, actually, because most of our calls are audio only, has been in person. So it’s a little unique seeing you in the box, as they say.

Clark Haynes: There you go. Yeah, the camera and the Meet Now, things that Zoom and Teams have brought to the table have really changed how we communicate and how often we see each other face-to-face. Sometimes it’s good, sometimes it’s bad, right? We don’t get to fly around and realize some of those personal connections as much.

Jordan Eisner: Yeah, before the pandemic, I never did video. I just was like, man, what’s the point? And Join Me, Call Bridge, that sort of thing. But then the moment we shut down, it was vital, it felt like.

Well, for our viewers and our listeners, Clark is the Senior Director of Enterprise Cloud Security at Modere. I’m going to let him say a little something about Modere here in a second. He and Modere have been a client of ours for seven years, seven, eight years really at this point since I think 2018.

Clark Haynes: I think so. I want to say we were introduced in '17. We definitely got underway there, '18 and '19.

Jordan Eisner: Definitely. So been a lot of good collaboration. We’ve seen advancements, I think, on both sides from an organizational standpoint, from your career standpoint, my career standpoint. But it’s been a very, I think, valuable relationship. At least I can say that from our end. This is being recorded, but you can say if not.

Clark Haynes: Yeah. No, it’s huge.

Jordan Eisner: Clark, you have more than 30 years of experience, hard to believe, managing technology, security. I know that there are some other things in between that you’ve worked on, too. Maybe we’ll get into this podcast.

You are officially, I mean, you’re a rodeo person, right? What do you say?

Clark Haynes: I took a little time out in 2023 and won two world championship buckles in senior pro rodeo. That’s right. I rode saddle bronc horses and got a buckle or two. It was awesome.

Jordan Eisner: Yes, a true cowboy. Today, we’re going to talk about challenges he’s encountered, not just from a rodeo standpoint, but from a technology and security standpoint, lessons you’ve learned along the way, and maybe even dip into what you anticipate with the future. AI and whatnot, it’s all the buzz everywhere. I’d be curious to hear your thoughts on all of that.

But first and foremost, for our viewers and our listeners, tell us about Modere. Tell us about your time there. I think it’s probably been close to a decade, if not more.

Clark Haynes: Yep, just about 14 years now I’ve worked here at Modere. We are a direct marketing company. We’re health and wellness as far as our manufacturing, our products. We follow kind of the traditional direct marketing world, except for about eight years ago, when we really rebranded things, we went towards a social marketer or a social selling aspect to it. So we’re trying to pioneer the way the world is working now, and it’s really helped keep us on the forefront of what we do. So a lot of technology behind that.

Jordan Eisner: And when you started at Modere 14 years ago, was it IT? What was the role?

Clark Haynes: I came in as an infrastructure engineer. We had several co-locations facilities and IT communities spread out in each one of our geographical locations. We had people in Europe, in Australia, in Japan, in China, Malaysia. We had them spread out through Canada and North America and a few other spots.

If you went back 14 years, you’d see you were just ending that internet revolution, where we were getting fiber through the ocean, we were increasing bandwidth everywhere. But before that, we had to have business management systems in play in each geographic region to be able to calculate our commissions, to sell our products, to manufacture our products. Part of my job was to bring that all back here to Utah, more globalization as we DIT the map.

And so the first 10 years of my 14 years were pretty much committed to consolidating all those business systems and all of those personnel into more of a corporate-facing system.

Jordan Eisner: Wow. 10 years?

Clark Haynes: Yeah. Took a while.

Jordan Eisner: Is that fast? Is that long? Is that typical? Is that just the nature of it with how global and widespread it was at that time?

Clark Haynes: Because each time we were collapsing a business system into another, we had both the physical infrastructure needs, we had the change control and the culture shifts from in-house IT in each one of these regions to have to shift and look at the corporate group for support and ongoing changes and where we were headed. And then the next one.

And so they would take more than a year of planning and execution each with some gaps on who really wanted to let go of that cookie jar locally. So change management was probably half of the time for sure.

Jordan Eisner: And somewhere along those 10 years, you were pegged as, or maybe you had previous experience in this, the security guy too. How’d that happen?

Clark Haynes: That’s right. I came to Modere with some security and privacy understandings. Magellan 21, the company I had before we came here, we consulted for healthcare companies, law firms on being HIPAA compliant and meeting the HITECH Act rules to be able to bill for their… Medicaid and Medicare worlds and start translating from the physical binders to the electronic processing of medical records.
That’s where I picked up a lot of my security and a lot of my audit processes, a lot about privacy. A little bit before the GDPR and CCPA things came around, we were dealing with that. I had a partner at that company that had gone to law school, so we had the legal side, and then we had the physical and compliance pieces of it. And I brought that with me to Modere.

Jordan Eisner: That’s what I was going to ask. So then you’re at Modere. Are you advertising that? Were you trying to bury that very deeply so nobody knew about it? Could be either or, you know, maybe you wanted to do this stuff. Maybe you didn’t. Maybe you’re the only guy that could. Maybe you were the right guy.

Clark Haynes: Yeah. As Modere grew, it was more and more apparent that we, at least 13 years ago, didn’t have a very strong privacy and security culture. We did things, we had smart people, good stewards of data, where things were kept encrypted and passwords were protected and so on. We didn’t have it as a culture as a company. Your end users didn’t necessarily have regular training and weren’t kept up to date on new phishing ideas, all the new scam things that can happen.

And really, I just took it upon myself and became the security officer in 2014. We started the security chair. We started talking about what we were doing, what we weren’t doing. And then that kind of started leading towards our introduction to CompliancePoint there later in 2017.

Jordan Eisner: So you took it upon yourself. Was it part of, a little bit was you were protecting the baby, I would say. You’re responsible for this transformation over infrastructure, to your point, bringing all of it home. Seems like it would be detrimental in general to have a bad security incident, something happen, but when you’re responsible for building it and all the work and sweat equity that went into you doing all that, so it was a little bit more just personal ownership that you took on. And then eventually the organization was like, well, Clark’s doing a lot of this already, he knows it really well, make him security officer, and when we need compliance requirements that have to do with information assurance or cybersecurity, he’s the person.

Clark Haynes: That’s correct. And I kept up my skill base by, you know, partnering with groups like CompliancePoint, so that for my gaps in in-house training and changes in the world as we were coming along, we brought in good partners. We’ve maintained regular audits. Like I said, we created an in-house information security steering committee, where we maintained our higher-level groups. Our CEO and our chief legal counsel sat on that board so we could bounce things off of each other and make sure that we were staying up to date.

We’ve worked with other companies like CR&T that did the physical security with our Barracuda firewalls, our Sentinel approach to email and spam phishing. Our LIMS devices came from a recommendation from CompliancePoint.

Right there in '17, '18, we really dove into privacy, right? We’ve started recognizing there’s always a deep need for security. But on the privacy side, we had to increase our understanding and change our culture to adopt people’s information as another level of security that really needed to be protected as well.

Jordan Eisner: Yeah. Earlier, when you were talking about bringing everything back to Utah from the global infrastructure standpoint, you talked about change management being difficult and some resistance to that. I’ve seen that from a compliance standpoint or, hey, these are the new policies, the new procedures, the new governance, no tailgating on the badges. I know that’s a trivial, easy one, but you need organizational change when you start adopting security and privacy protocols across organizations. Did you see that as a challenge there as well?

Clark Haynes: It seemed almost insurmountable. Everywhere I went, someone else had an idea of what security and privacy should be. And if it didn’t align with what it needed to be, there would always be a debate and long-term struggle or even some divisiveness from some longer-term employees who just didn’t think it needed to happen. It lasted this long one way, it can keep going.

It’s the main reason I started this security committee. I was able to bring in a person from each one of the branches and our operational staff, our GMs from around the world, our legal counsel, and that way when we made a decision, it didn’t seem so unilateral coming from the security guy.

We looked at what the norm is, what best practice is, what we are, what level of risk we are willing to take, and what we were going to implement. Then when we pushed it out, we kind of pushed it out as a team, so it didn’t just come from me, and I started seeing huge changes in adoption at a lot faster rate. I’m not saying that it’s perfect, because I think as long as we have security, it’s going to be a hindrance to the end user as far as they’re concerned, and we’re going to need to continue to manage that delicately.

Jordan Eisner: Yeah, it’s a balance. I think that’s a great point. You know, you need buy-in from the business folks. Everybody’s a business person, but you know what I mean. You mentioned the GMs and other parts of the organization and getting their input, and then they feel bought into that. They’re more receptive and adoptive to the concept, and then that spreads, right? That scales across the organization. You get more cohesion, because I agree, yeah, it does seem insurmountable. It’s like trying to boil the ocean, you know, everybody unified on privacy or security. So yeah, partnering and collaborating with the business is very important and something that we try and bring up a lot of times, because we’ll be introduced to a company for the first time and we’ll be talking to information security or even IT and the intersection of legal and compliance, and it’s always siloed.

What’s the business think about that? They go, why do you ask that? Because their cooperation or at least participation in this is going to be vital to the success. And I think you tapped into that.

Clark Haynes: I think that from an IT standpoint, you also end up with those silos where your business partners sometimes are kept at arm’s length. A vendor comes and says, hey, I’d really like to know your legal department, I’d like to know your marketing department. I know why, because the marketing world is where we introduce those cookies and change the front end and all the privacy things that we want to have disclosures around. They need to be involved. Legal needs to be involved, because if we don’t get their adoption, are we checking contracts for the correct disclosure statements we need for data transfer agreements and so on? All kinds of things your company needs to know from my company. It’s hard. I can’t imagine how hard it is just to go and meet with an IT department in your first relationship. It’s almost uphill, like I just said, because of that arm’s length and the siloing that might still be going on in the technology groups. I don’t think there’s much room for it in the future. We’re going to be working together or we won’t be working at all.

The technology is catching up to an area where you don’t really need as much specific information or intelligence around technology specifically to run a company or to make good decisions. The cloud, the AI, the changes that we’ve made to being able to point and click in terms of your e-commerce store without ever talking to an IT group has made a big difference in where that gap is.

If you’re going to have technology partners, there needs to be a lot of trust so that we’re sharing that information and we’re moving people forward. Maintaining a secure path.

Jordan Eisner: Yeah, especially if it’s a new venture, right? You mentioned GDPR earlier. You mentioned security becoming more and more at the forefront back in the, it sounded like the early 2018 years.
I think you get to a point where some of these, like an annual PCI attestation, that as you increase maturity around that, that can be solid to a group, to an IT or you’re working with, and it’s several years into that reserve. But anytime you’re getting into something new, yeah, you’re exactly right, organizational adoption is key.

Okay. So aside from that, what’s another one or two big challenges you found on the cybersecurity, evangelizing, or data privacy, or really maturing the organization in those areas? What were some of the other roadblocks you faced?

Clark Haynes: Well, again, culture will overrun process any day of the week. We come up with new procedures, policies, processes to make sure that we’re keeping our data workflows up to date, our data at rest encrypted, your emails deleted past a certain date. These are areas where you can write them down and you can tell everybody about them, but you can’t twist their arm and just get it done. That’s something I will continue to try to socialize. Get everybody on board with somewhere along the line.
But there’s always somebody, and it always seems like they’re in legal, and they need 27 years of PSDs. They cannot delete their emails. It can’t be done. Just mask them. It can’t be done. And so a little education, a little bit more understanding around the rest of the world and how this works is helpful.
I like that limbs product you guys introduced us to, I can’t remember the name of it or I’d give it a plug here. We go out and we ask all of our users worldwide to take a phishing course, to take an email management course, to take a physical security course, no tailgating with your badge, or notice those people around you. Is somebody plugging into the wall that you don’t think works here?

All kinds of these things are still so important because they’re the most vulnerable aspects to our data and to our intellectual properties as a company.

Jordan Eisner: Yeah, I had a client, I think they dropped 100 USB little devices all over their corporate offices. And to their amazement, something like 40% were plugged into computers.

Clark Haynes: Just picked up and plugged in.

Jordan Eisner: People are curious. What’s all this? What did I find? What is this thing? Yeah, that was a pretty bad test for them.

Clark Haynes: I would be curious, even if you printed on it, do not plug into a corporate computer. It may get you in trouble. Something like that would still count how many people are like… But would it really get me in trouble?

Jordan Eisner: Yeah. What do they not want me to see on this?

Clark Haynes: I mean, maybe I could use it for my home pictures or something. Who knows? No, I’m with you. And no matter how secure you are, things get in. We’ve had plenty of opportunities at this company to recognize that the stronger we build the wall on the right, somebody’s coming in from the left. There’s always another approach to accessing your intellectual properties, your data, and your people. So got to keep a culture up, everybody aware.

Jordan Eisner: Yep, culture is very important.

What about industry, not regulations, not by-law requirements or obligations you’ve got, but what about voluntary industry best practices, frameworks, things you’ve adopted that have been beneficial for you in your career, that you know have helped you lean on expertise even outside of your organization, but it’s something that’s just available or generic or that is easy to access?

Clark Haynes: I have many vendors like you.

Jordan Eisner: That’s what I mean, you know, something widely available.

Clark Haynes: We follow NIST practices. We started out with NIST CSF and we started to align all of our work there. We have a lot of privacy in this company where we have such a large presence in Europe. Spread out through the US is buying into this a lot and so we follow the guidance of CompliancePoint. But at the same time, we use that NIST privacy sheet now, too, to kind of make sure that we continue what you’ve probably already heard me say on our time, is risk-based decisioning. We can’t be perfect. So I really always start with the big swings. You know, where are we most vulnerable? What are we doing absolutely wrong? And then narrow down to what we could do better and better. I’ve always liked the NIST work that way for moving it towards green, right? That nobody’s perfect unless, I guess, maybe you might be the NSA if you’ve got that kind of time and money to really lock things down, but then your end users have to carry five badges.

Jordan Eisner: It’s about the criticality of the data that you’re processing? And it’s building a model based on your risk appetite, the sensitivity of the data, and your risk profile and the threats to your organization. So that’s, I agree. I think this is a handy one. It’s one we recommend a lot.

What about shifting gears here? What are you using AI for today, if anything? You strike me as somebody, Clark, and tell me if I have a right read on this. Well, I guess I’m going to be right one way or the other. It’s either full bore in on AI, I can’t wait to leverage it across the… or I don’t touch that stuff, it’s not getting anywhere near my systems.

Clark Haynes: We are full bore. We can’t be competitive without embracing it, and I wish we had even more time and money to invest in the different areas. Starting out, we’ve got AI, and we’ve had AI for a while in our chatbots, in our customer service realm, trying to help with our products. Like I said, we manufacture them, so a lot of the details about them are specific to us. So in product questions and refunds and regular day-to-day operations, AI is helping us all the time now, and it’s growing really fast.
We’re working with a company called Hocknergy. They are going to do some AI work with actual voice as we’ve consolidated our call centers around the world like we did our data centers. This gives us a follow the sun kind of approach but a centralized area where we can maintain talent and have the same kind of answers and questions happening.

But in call deterrence, and I hate to use the word deterrence, but in the opportunity to decrease the amount of time people need to stay on the phone to talk to someone, to find out about our products, to get a copy of their last paycheck from us. Whatever they want to know, we’ve made that quite available, and it’s growing every day in AI. That’s the first place that we used it.

Jordan Eisner: And I want to hear the rest of this too, but I was going to say, nobody wants to spend a lot of time on the phone no matter what. But I find as a society, we are becoming increasingly less patient. The time on the phone to do anything, we want it instantly, we want it now. And yeah, AI could be a big answer to a lot of that. And just being able to access it without ever even having to pick up a phone, to me, that seems to be really the priority for most consumers. And myself too, you know, just being able to, how can I do this without talking to anybody? But then at the same time, the frustration with the AI, why doesn’t it know what I mean? No, that’s not what I meant. Why don’t I have any other chat? You know, they want the personalization of a human at the end. They want their cake and to eat it too. But yeah, so I think that makes a lot of sense for how you’re leveraging AI there.

Jordan Eisner: What were the other ones you were going to get into?

Clark Haynes: Well, next, we partner with a company called NowSite. That’s to help AI build video and duplication models for our sellers to communicate with their many different social media streams, read ahead on what’s being said so that they know if they’re promoting a product correctly, if they’re making good sales, where maybe my own investments wouldn’t add up to much. CompliancePoint knows that the right partner for this company really moves us ahead of the competition quickly. And so we partnered with some good companies that have some good ideas around helping out our direct sellers.

We’re working in IT specifically around AI and data analytics, what was a data lake, and we’re just now opening up some machine learning around that to try and kind of help sales forecasting, watching for changes in data. And then of course security, security, security. AI is a great tool to recognize when you have east-to-west traffic changes, if some file that hasn’t been touched for a very long time all of a sudden is being touched, depending on authentication and login. Microsoft has some new AI functionality around their agent management.

I’ll tell you personally, ChatGPT is my EA. It checks my spelling, checks my wording, keeps track of the project I’m going through. Once I get everything done, hey, formulate me a quick PowerPoint on this. It has changed my day-to-day work and communication with my business partners. It’s cut hours out of every day.

Jordan Eisner: So, and you knew this was coming, how are you managing risk with AI?

Clark Haynes: Yes, that’s going to be the big one for sure. The AI that we have at customer service is limited through our API realm. They don’t have direct access to anybody’s data. They have to be asked a question to get an answer. That answer is logged. So we have kind of a SIEM around that to pay attention to any leakage. That’s the big piece of it.

In the individual AI environments, like I said in ChatGPT, you have to be very careful in educating your users on what is proprietary information and privacy information that should and shouldn’t be organized in an AI realm, especially a third-party AI realm.

Jordan Eisner: So you have a policy, like an employee use of AI policy?

Clark Haynes: Yes. And you have to read it, take a class and sign it, and then we’re going to work on improving that. What I don’t want to do is take the risk and have it shut us down from our employees being able to take advantage of this, to move faster, to have the capital advantage, I guess would be the word, over everybody else.

This is a tool, if you use it right, it should propel us ahead of our competitors. If we use it wrong, then… could compel us ahead into a disaster point.

So that policy, that communication, that education is the same way we’re going to handle it as we do endpoints. We’re going to have to educate around it while we work on actual guardrails and things around AI to support themselves a little better.

Jordan Eisner: So, AI aside, looking into the future, your role there, cloud security. And that’s a little, this hasn’t always been cloud security. That’s a change, right? Since we’ve been working together.

Clark Haynes: So I’ve had quite a progression of my career here at this company. I was brought in specifically because the data centers were full of HP-UX systems, old data systems spread out around the world, and I knew a lot about that and the business systems that they were running on them. So I helped convert them to Linux-based environments, more up-to-date data systems, and then slowly to a single business management system that we went out of house for, called Exigo.

Anyways, that was my first few years. As I did that, I moved from infrastructure, I took over security. As I did that, I moved into the QA side of the development processes, partly for security reasons originally, but also because we really didn’t have a holistic QA and automation approach to what we were doing with all of our in-house written applications.

Four or five years into that, I took over development as well. Today, I’m acting as head of IT. So I answer to the president of the company and everything technology falls to me.

Jordan Eisner: Got it. Okay. So AI aside, looking out on the horizon, what’s your task of doing as head of IT? From a security standpoint or compliance standpoint? What’s keeping you up? Is it AI governance? Or I know I said aside from that, maybe that’s the focal point, but what other things are you thinking about or do you see coming to the forefront that are going to be challenges from a security or privacy standpoint?

Clark Haynes: I think it’s going to be adopting the specific data center around AI. So everybody has their own opinions on this. The individual’s ability to upload data to it right now and then it be stored where and by who is a little difficult.

ChatGPT’s OpenAI has some of its own guards on it. It’s careful. You know, if you try and upload a spreadsheet of Clark’s name and address and so on, it’ll say, you really shouldn’t do this. I shouldn’t be looking at this information. I definitely won’t record it.

That’s cool. But there’s plenty of other ones that will. And your face is out there and they’re coming and going. So what we can do is we can work on what kinds of data is okay for this company and how much risk we’re willing to take.

So what kind of things can we do with AI? And then educate around that. And then watch for the opportunity for the rest of the world to help us understand what, again, those guardrails should be.
I’m not really lying awake at night. There’s little here for our end users to share that’ll get us in deep water.

Jordan Eisner: Plus, you’re tired from working at the ranch after your day job, right?

Clark Haynes: That’s right. Exactly. I’ve been having a lot of fun this year with my horses and goofing off too. I play just as hard as I work, for sure.

Jordan Eisner: I had a point on all that I was going to get to, but it has escaped me. Were you going to say something more before I interrupted with the rancher comment?

Clark Haynes: I don’t know, a couple years ago I did that saddleback stuff that you brought up. Super fun getting into senior rodeo so late in life, tested my body. There’s a LinkedIn page for it. It has a lot to do with how you train your mind to deal with critical circumstances, critical situations, muscle memory and reaction. It’s not that different, you know, when we’re talking about pulling up a disaster recovery plan in the middle of a ransomware attack and shutting stuff down and following step by step all these things you rehearse over and over again, high pressure as you see the company blinking before your eyes. Things like this I found in a great personal life, it always translates right back to why I’m in this desk and why I love doing it. It’s a challenge, and it’s hard to find real challenges in day-to-day life these days.

We’ve moved on from rodeo, and we’re doing skijoring now. If you look up skijoringutah.com, I’m a big part of that. We’re doing five or six events a year.

Jordan Eisner: Hold on. I think this is the one. Wait, what is this? What’s it called?

Clark Haynes: Skijoring. S-K-I-J-O-R-I-N-G.

Jordan Eisner: Is this where you ski on the back of horses?

Clark Haynes: That’s right. Behind the horses. That’s right.

Jordan Eisner: That’s what you were doing last time I was in Utah. I think you were doing that with some friends or something. We missed you.

Clark Haynes: There are some good pictures of me crashing really hard the last couple events, but I won. I did win second place at Bear Lake in the rookie competition, so I got a small check and a fireplace. But my wife, Janelle, who just this very event decided she would compete. We had been kind of pressuring her for a little bit. It was outside her comfort zone. And she took second of 30 pro horses and got herself a belt buckle last weekend. So we won’t be bringing her again. No, just kidding. I’m so proud of her for that. I wanted the buckle before her, but my horse had a mishap and I got taken out of the running.

Jordan Eisner: It’s always next year.

Clark Haynes: Yes, always next year. As long as my body will hold together. Yeah, yeah.

Jordan Eisner: Well, it’s about mental commitment, right?

Clark Haynes: Oh, I’m mentally committed. Just my right shoulder might need a little rebuild by Onyx first.

Jordan Eisner: I hear you. Mind over matter. Well, Clark, I think that’ll just about do it. This has been good. Good detail. Your journey there, some of the things you did, how it translated into some security and privacy, how you evolved into those areas, how you’re managing things now, new challenges with AI and whatnot. I think it all comes down to some of the key things you said, which is people, right, culture, and collaboration as you’re looking at security and privacy and compliance and other functions. Also people too as your high-risk area for a lot of these potential things that could go wrong with the company. So keeping the troops in line, keeping them bought in, and keeping them trained well, and then hardening systems, of course, across the organization is very key stuff.

We appreciate you spending some time with us. I know you always tell me you’re free around 2:00 Eastern, which is 12 your time. Do you not eat lunch?

Clark Haynes: Not very often. I book a lunch every day. But lots of times I fill in midweek. I bring food with me. There’s food in the night. I have a little fridge.

Jordan Eisner: All right. Well, good stuff, man. We’ll need to catch up soon outside of this podcast. But it was great having you on. And we’ll have to do it again sometime.

Clark Haynes: Great. Tell the whole team I said hi.

Jordan Eisner: I will do so, Clark. See ya.
