In-House

Legal’s Role in Mitigating Cybersecurity Risks

Episode Summary

On today’s episode, Aaron Kornblum covers the evolution of security threats (from hacking to phishing to smishing), and describes the importance of identity management. Tune in for insights on integrating security practices, fostering accountability, and leveraging legal frameworks to enhance both security and customer trust.

Episode Notes

Aaron Kornblum, head of legal at Oleria, discusses why security functions are increasingly important for legal departments. Aaron covers the evolution of security threats (from hacking to phishing to smishing), and describes the importance of identity management. Listen for insights on integrating security practices, fostering accountability, and leveraging legal frameworks to enhance both security and customer trust.

---------

Key Quotes:

CINDY:  The best defense is a great offense in terms of, do we have our processes in place? Do we have our playbooks? Have we tabletopped? And this is assuming you have all your fundamentals, like all your tools, technology in place to really establish the security for the company.

AARON:  It's that phishing attack to get Cindy's username and password. It's that smish, it's that fake text message to Jessica that is purportedly from her CEO asking for the password to send a wire transfer to the bank account. It's more and more prevalent to get in the door and then do all kinds of bad things once they're inside that juicy interior environment. So understanding what normal behavior looks like within your own environment, within your own ecosystem,  is more important than ever. That hygiene, if you will, of accounts and account credentials, passwords, two factor auth, or multi factor authentication, to ensure that the person trying to log in really is the person trying who's trying to log or no one are supposed to be logging in.

AARON:  If you think about some of the areas that we just touched on, so information security, so that building the great wall to keep out folks. But also inside the company, provisioning access and then reporting or doing compliance work. These might be separate teams within a single organization.  Maybe it's a small company, and it's one person. But regardless, having that robust communication between the different parts of the company responsible, say for, maybe it's the CIO, and the CTO, and the Head of Legal or GC, and then the Chief Information Security Officer, each one of these professionals has a role in helping to build this portfolio of defensive measures.

AARON:  What do you have in place to protect your identity security? How often do you conduct training for your employees? It's much more difficult to secure, much more expensive to, to take down. 

---------

Timestamps:

00:37 - Meet our co-host, Cindy

01:58 - Meet our guest, Aaron

05:34 - Security incidents that keep us up at night

07:27 - Being prepared

15:43 - Ensuring cohesion

19:21 - Risk mitigation

25:43 - What’s in the news

34:14 - Keep or redline?

38:16 - Final takeaways

---------

Links:

Find Aaron Kornblum on LinkedIn

Find Cindy Rosser on LinkedIn

Find Jessica Nguyen on LinkedIn

More about Docusign

Episode Transcription

Jessica: Welcome to In House, the podcast for InHouse Legal by InHouse Legal. I'm Jessica Nguyen, Deputy General Counsel at DocuSign and your host. Today we have a really interesting topic because I'm seeing more and more frequently the security function roll up to legal. Very interesting. And let's be honest here. I think I have about two or three pages of Okta tiles. There are so many different software applications that we use day to day to do our jobs. And so there's a lot of risk entailed with that. I'm excited to have a co-host today from DocuSign, my colleague, Cindy Rosser, Deputy General Counsel. Hi, Cindy, at DocuSign. Cindy, how are you doing?

[00:00:49] Cindy: I am great. How are you doing, Jessica?

[00:00:52] Jessica: I don't know if you can tell because I'm really good at faking it till I make it, but I'm extraordinarily tired because I'm 33 weeks pregnant.

[00:01:01] Cindy: Remember those days. I remember those days. 

[00:01:03] Jessica: Tell the audience who's listening, about yourself!

[00:01:07] Wow. 

[00:01:10] Cindy: Uh, sometimes I go by Cynthia. You can call me whatever you want for this podcast or otherwise. Uh, I'm here at DocuSign, uh, at Deputy General Counsel of Growth and Trust. I'm located in the San Francisco, California area, and I've been with DocuSign for about almost five years.

[00:01:28] I, uh, I joined the company right before COVID, about two weeks before we went on shutdown. So it's been a, it's been an interesting ride through kind of COVID and post COVID and everything, but I'm still standing. 

[00:01:40] Jessica: You are an amazing attorney and colleague. And when I first joined DocuSign via the Lexicon Acquisition and you helped me with the project, I was just so impressed by your knowledge, work product, and expediency. Because, you know, us startup folk, we like to get things done fast.

[00:01:58] I would also like to introduce the folks today, a very special guest, Aaron Kornblum, who's going to help Cindy and I also learn more about identity based security incidents. Aaron, nice, nice to have you here today. How are you doing?

[00:02:13] Aaron: Hi Jessica, thanks for having me on today. I'm doing great, thrilled to hear that things are going well with you and yours, all of yours, including your next.

[00:02:21] Jessica: Know, they're all doing great. Aaron and I go way back, some fun facts that we, we may or may not live pretty near each other. And in addition to being an amazing attorney, and really knowledgeable about identity, Identity based security incidents, as you can hear, Aaron is quite the, quite the voice and a professional sports announcer. Is that, is that a job?

[00:02:44] Aaron: It is a job, it's not my full time gig, uh, that's not, uh, how we pay the bills to, to live here in Greater Seattle, but yes, uh, I guess I'd call it an active hobby. So, sports public address announcing, not the TV play by play that you see on your set or radio, but in the venue, in the arena. The, the voice, the voice of God that you hear with the starting lineups, your, uh, action on the court or on the field and thanking fans and hoping that they drive, wishing them that they drive safely on their way home. That guy.

[00:03:18] Jessica: Voice of God, amazing LinkedIn, LinkedIn profile header, by the way, but in addition to being the voice of God, Aaron can you tell us more about Oleria and your background and your legal background?

[00:03:30] Aaron: So I'm head of legal at Oleria. I joined about seven months ago. I've served as general counsel for several companies, including in the video game space, the educational technology and online learning space, virtual worlds as well, but spent a good deal of time in technology at Microsoft before that, and started at a, uh, law firm, and before that, in the United States Air Force JAG Corps.

[00:03:53] So I've practiced in the military, in private practice, and now the bulk of my career in house, and mostly in technology, at the intersection of trust and users, and that's a lot of what I'm doing at Oleria, which is a software as a service offering in the identity security space. So, uh, selling an offering that helps companies to understand their own environment, the identity security in their own networks, who, uh, and answer important questions like who has access to what, how did they get that access, and, uh, how are they using that access within their own customer environments.

[00:04:30] Jessica: So folks, if in case you're surprised, the topic of the day is how can we as legal help prevent identity based security incidents and the role we can play to mitigate those risks for our organizations and even for our customers and users. For folks who are learning more and more about data security issues and security incidents, there are many different types of security incidents.

[00:04:56] Cindy, the ones that keep me up at night in general are more about the employees and what they, how they mishandle intentionally or accidentally our sensitive or confidential or personal, personal data. And the other type of security incidents that keep me up at night are related to phishing attempts, especially as, um, I deal with aging parents.

[00:05:20] I swear they click every link. Or text, in a text or email thinking, Hi, I think that looks legitimate. It was from, you know, this big tech company or, um, I won a prize. Isn't that amazing? Cindy, what keeps you up at night when it comes to security incidents?

[00:05:38] Cindy: I think exactly the things that you were saying, it's just the day to day things that we deal with. Um, I get emails all the time about, uh, just recently from Apple about my storage is filled up and I got to click on this link to get more storage.

[00:05:52] Jessica: Looks real too, right?

[00:05:54] Cindy: So real. I've got, you know, text messages that kind of like, smishing is the latest thing, right?

[00:06:00] The, all the SMSs that's, that's coming, and you just don't even know, like, is it legitimate or not? So I, I am very concerned. I'm the chief privacy officer here at DocuSign, and I really dog food my own practice, and so I am just really careful of all that. But, um, What really keeps me up at night is, look, these things are going to happen.

[00:06:18] We can't prevent, uh, you know, have a perfect world where they don't happen. So, the best defense is a great offense in terms of, um, do we have our processes in place? Do we have our playbooks? Have we tabletopped? Um, and this is assuming you have all your fundamentals, like all your tools, technology in place to really, um, you know, establish the security for the company. Um, and a lot of times it's not about the technology. It's about the people, right? It's to your point of clicking, right? You can have the best, um, tools out there to secure all that data you have, but you just got that one person that accidentally clicked that button and then what happens?

[00:06:58] It can blow everything up. So it's a mix of everything. And, um, uh, I think it's that, you know, making sure you've got, you know, your boundary and your security protocols just in every which way, um, out there and you just can't rely on the one, one thing to protect you.

[00:07:15] Jessica: I'm really glad you mentioned tools because that's a nice segue into my question for you, Aaron, is, you know, you're, you're knee deep in it. You work for an identity access management tool company. How do you think about data breach preparedness, prevention, and mitigation at Oleria? Yeah.

[00:07:35] Aaron: Yeah, well, identity really has become the new security perimeter, because I think we have this vision of, you know, of hackers in their basement with, with, uh, cans of, of jolt cola working through the night to break into Cindy's, uh, defense in depth and, and break through the, the, the great walls that, that we've erected around our, our sensitive data and, and customer data.

[00:08:02] Um, and, and what's, I think, much more closer to the truth is that our bad guys, our very motivated cybercriminals, are finding credentials, they're finding the keys to get in, to unlock the door, and let themselves in. They're logging in to our trusted networks. They're not hacking in necessarily, although you could think of it as one and the same.

[00:08:24] But technically, it's that phishing attack to get Cindy's username and password. It's that smish, it's that fake text message to Jessica that is purportedly from her CEO asking for the password to send a wire transfer to the bank account. That's more and more prevalent to get in the door and then do all kinds of bad things once they're inside that, that juicy interior environment.

[00:08:53] So understanding what normal behavior looks like within your own environment, within your own ecosystem, is more important than ever. So, um, that hygiene, if you will, of accounts and account credentials, passwords, uh, two factor, uh, auth, or, or multi factor authentication

[00:09:13] Jessica: Mm hmm.

[00:09:13] Aaron: to ensure that the person trying to log in really is the person trying who's trying to log or no one are supposed to be logging in.

[00:09:21] So those are the sorts of things that software is really good at looking for patterns, looking for deviations from those patterns. You mentioned insider threat and someone on the inside doing bad things. If I make, uh, zero downloads and suddenly start making a whole lot of downloads, that's a deviation from standard behavior.

[00:09:41] Um, if I know to look at certain employees who, uh, maybe I know are going to leave the company just to keep an extra eye on them because what do employees hypothetically do when they find out they're leaving or know that they're leaving but the company doesn't? They might start exfiltrating data or content or doing bad things.

[00:10:02] So that telemetry, that data of knowing what's going on inside your own environment is more important than ever, Jessica.

[00:10:10] Jessica: So I'm actually not an expert in this space. What are the type of tools that are available now, in addition to the great tool of Oleria, to really prevent that harm? Because the reality is, I mean, Cindy mentioned it, some of those emails, like from Apple about my storage space, they look so incredibly authentic, even to a very educated, uh, person, uh, well versed user, so what can we do to prevent like the accidental click thinking it's illegitimate? What, what are the kind of tools to protect us?

[00:10:43] Aaron: Well, not only do those mails look awfully genuine now, more than ever, but, you know, I'm sure that you're just lounging at your desk eating bonbons like Cindy, doing nothing all day, but studying these emails as they arrive at your inbox, and, you know, checking the domain name, checking the spelling, check, you know, looking for indicia of--NO! We're all asking our employees to do more with less, they're working really hard, they're

[00:11:07] Jessica: Yeah, they're moving fast.

[00:11:08] Aaron: Fast, exactly. And so, that also leads to the next strategy that bad guys use. Or bad gals, which is to give that immediacy, that call to action. You must do this now or something bad is going to

[00:11:22] Jessica: Right,

[00:11:23] Aaron: subscription will be cut off. Your iPhone storage will be terminated. We're going to delete all your photos or some nonsense like that.

[00:11:30] So,

[00:11:31] Jessica: Urgency. I get it. Yeah.

[00:11:32] Aaron: Urgency. So sometimes you need to go fast or go slow to go fast. And this is one of those scenarios where taking a moment to look and think about the, the ask that's in that email or that, uh, that request that you've received. Is it, is it genuine or not? Um, technology can do a lot in this space. You mentioned Okta. There are several other large players. Okta is, is one of many, like Oleria, focused in the identity, uh, uh, domain, thinking about how can we use identity as a tool to identify wrongful or bad conduct or deviating from the norm conduct and help companies be smarter with, uh, protecting their assets.

[00:12:13] Training is another area. So, helping our employees from time to time, maybe with a fake phishing attack, or a simulated attack to see how many people click the link in a fake phishing mail. And just doing standard training on what the latest and greatest attack vectors and techniques are is also great, something to think about. But, um, more often than not, it's also about communication. So, if you think about some of the areas that we just touched on, so information security, so that building the great wall to keep out folks. Um, but also inside the company, provisioning access, uh, and then reporting or doing compliance work.

[00:12:54] These might be separate teams within a single organization. Maybe it's not, maybe it's a small company, and it's one person. But regardless, having that robust communication between the different parts of the company responsible, say for, maybe it's the CIO, and the CTO, and the Head of Legal or GC, and then the Chief Information Security Officer, each one of these professionals has a role in helping to build this portfolio of defensive measures.

[00:13:23] They have to be talking. They have to be working together to understand what's happening and what each, each team is seeing. Jessica, you and I both worked at Microsoft and you know there were separate teams that handled account provisioning. So receiving your account, getting set up with your email account within the Microsoft domain.

[00:13:41] That was, that was the CIO and the Information Technology Office. Security was handled by a different team. And sometimes we found that they were not harmonized. They were not aligned on practices and accounts would not be closed or the hygiene, uh, you know, there were opportunities to improve the hygiene.

[00:13:58] So, uh, that's also communicate. Robust communication is also critically important.

[00:14:03] Cindy: You've hit the nail on the head on that one because I think there are signals that one team will read and it may seem innocuous and innocent, uh, and so I think that's part of it is making sure the right hand is talking with the left hand. Uh, definitely one of the things to help bolster companies.

[00:14:18] I think another thing also is, to your point earlier, you made a statement about you have all these different players. I have seen many companies I've worked at to say, hey, that's a security thing. Like security needs to own that and they tell us what to do. And it really is each one of us, like you can't have security, the be all and end all.

[00:14:38] It really is us. And so a lot of the counseling and the client work that I do, Um, internally with kind of my key business partners are really to say, look, um, you need to have just as much information as security, right? You need to know and anticipate when things are working and when things aren't working because you know, every, we're all the eyes and the ears, right?

[00:14:57] The technology can only go so far, there's the people piece of it, and we all need to recognize that we all play a role in kind of the entire ecosystem.

[00:15:05] Jessica: So Cindy and Aaron, knowing that there's these silos, you know, they're not malicious. It's just the, it's just the nature of working at large organizations.

[00:15:16] Where have you seen effective tactics or strategies to actually create more cohesiveness? Like, for example, would there be a, uh, a designated owner within information security and within IT or the, the, the department that owns provisioning of accounts and software to have a designated contact. And those two individuals own it, the relationship and talk to one another regularly.

[00:15:43] What have you both seen? 

[00:15:45] Aaron: Accountability is key and that's so important. I'm going to say it again. Accountability.

[00:15:51] Jessica: That language.

[00:15:52] Aaron: And what that means in practice, in reality, is that if there's an incident and something goes sideways and the board of directors comes calling, they're going to want to know what happened and they'll call the CEO on the carpet who in turn he or she will call who, who are they going to call on the carpet as accountable.

[00:16:13] Someone is going to be responsible. Accountable at the company for what happened. And so thinking about who that is before that incident occurs and the board of directors comes calling and what plan do they have in place and who's accountable for executing against that plan and when will it be done and how will it be monitored going forward for compliance and hygiene and continuous improvement.

[00:16:39] These are things that should be thinking about now and parts of these areas, like account provisioning, don't fall neatly or naturally into the legal department remit or the legal team, uh, function, but, uh, attorneys are good at asking questions, and so part of our role, as I understand it, is to ask those questions, to be that person in the room, to be thinking about the when animals attack scenarios right now, before the animals actually attack, and be in front of and keep in front of these sorts of issues because once something goes sideways, it's too late.

[00:17:16] Cindy: Yeah, it's, it's really interesting because I think in a perfect world, you'd like to think about, hey, there's a security incident and ABC happens, right? And you go step by step in your playbook. It, it never happens that way, right? And there's always nuances to it. To things where in that moment, you're like, I don't know if it is me, right?

[00:17:33] Like, I know the playbook says it's me, but there's these other things that I, I just don't know if I'm the decision maker for this. So I think the playbooks are really key, but I think that it's really important also for the teams to be able to, um, be able to be a little bit fluid in those moments, um, so that we are acting quickly, even in the moments of uncertainty.

[00:17:53] And I think that's the key for organizations that if we can do that and have the confidence around, okay, I'm I'm not sure if it's me, but let's, let's, like, let me take as much ownership as I can, and let me move this forward, and if everybody has that mentality, then we can get to where we need to go, but it's the finger pointing of, it's not me, it's not me, right, and like, go talk to that team over there, and then you're talking to seven different teams, especially within legal, when you're just trying to get information, like, who can tell me this piece of information, and they're like, Well, it might be this team, it might be that team, right?

[00:18:22] I think it starts out with, um, like early alerting system. So just a heads up, something's happening, right? That typically what happens is something is happening. I don't know how serious it is right now, but let's all like, cautiously monitor and things start to unfold. But it'll start out as one alert over here, and then we'll get another alert over here, and then another alert, and we're trying to figure out, are they the same alerts or different alerts?

[00:18:47] What's going on? And then sometimes they converge and sometimes they don't converge. So many times in incidences, you've got parallel incidences running. It's never a single clean one. And so again, I think it really is, right? Your teams just have to be ready for that disaster scenario and be able to work closely together to navigate through those moments of uncertainty.

[00:19:07] for the opportunity.

[00:19:09] Jessica: Another role that we can play in legal for risk mitigation, because that is a big part of our role, is the contracts. So, oh, you know, I would love to hear, let's kick it off with you, Aaron, what do you think are reasonable expectations for customers when they're buying identity or other security protection software or tools to expect from vendors and what, like what's reasonable? And what's unreasonable? Cause I'm sure you've dealt with a lot of unreasonable asks. I sure have in my B2B software career.

[00:19:43] Aaron: Absolutely. Well, I can give you the perfect lawyer answer, Jessica. You know what I'm

[00:19:47] Jessica: No, don't say it depends. Don't

[00:19:49] Aaron: It depends. It depends. No, I think, I think the point I'd land here is that as much as, as much as our world and our, our legal and information security ecosystems are changing, a lot of the things in the contracting space for identity solutions for information or InfoSec software, remain the same.

[00:20:10] And so if you're a counsel negotiating a contract with a vendor or supplier, which I do both of now, I'm looking at key provisions as I always have. And as much as there's change, those things as far as level of importance and where I should be spending time remain the same. So, limitation of liability, indemnity, governing law, how the mechanics of the contract works in case something goes sideways.

[00:20:37] So, breach mechanics, cure period, how, you know, how can the parties make this, uh, if something goes sideways. If an animal does attack, how do we put it back in its cage and move forward, uh, back to happy, happy, joy, joy, contract state. So, the analysis remains somewhat static.

[00:20:54] I think some of the more interesting things that have popped would be insurance. So, cyber insurance in the information security space used to be a huge profit center for insurance companies. Uh, this was an area, I'm talking now 20 years ago, when breaches liability associated with breaches was not yet really a thing.

[00:21:18] And so I think if you were looking to get, uh, to, uh, to purchase a policy to secure coverage or a line of coverage for, for information security or cyber insurance, it was relatively straightforward. There wasn't a lot of due diligence. You could secure quite a bit of coverage at a reasonable cost. Well, those days are gone. Those days are long gone

[00:21:40] Jessica: Aaron, insurance is expensive now, cybersecurity.

[00:21:43] Aaron: And it's not just the cost of the policy, the due diligence associated with the application has also, talk about going up and to the right, it has gone up and to the right. We're talking about pages and pages of detailed questions from the insurance company, from the potential insurer, asking about the potential insurer's posture, asking about their hygiene.

[00:22:07] What do you have in place to protect your identity security? How often do you conduct training for your employees? Uh, it's much more difficult to secure, much more expensive to, to take down. And from a contracting perspective, I see it more than ever now. That there's a minimum threshold, which has been going up from both directions, uh, as a, as a prerequisite to do business with company X, because it is such on the minds, uh, think recent events and in the news with companies like CrowdStrike, where people do think about the real world impact of, uh, information security products or services and, and what that means for their business.

[00:22:49] Jessica: Yeah. What have you seen, Cindy, as well?

[00:22:53] Cindy: Yeah, I think the response times are getting pulled in and I think that they're asking for, you know, at least from a DocuSign contracting, I look at it from both ways, right? We have it where we're contracting with our vendors supplying us something, so Aaron, I may be asking you for a lot. A lot, um,

[00:23:12] Jessica: Get

[00:23:12] Aaron: Love to have, I'd love to have that conversation. Just put a pin in that for now.

[00:23:17] Cindy: And then we have the other side where the customers are coming to us here at DocuSign asking for things. And, we have to take a look at it. What's on paper versus like what operationally we can actually do here. But, um, there is like the fear is increasing. I got to tell you that, right? Um, we're coming down to like, you know, six hours of a breach, you gotta tell us, and you're like, I, I don't even know within six hours if it is really a breach, right? Like, how, how am I really gonna do this? And, hey, by the way, I have, you know, millions of customers. How am I gonna tell you versus the other?

[00:23:48] So I think, you know, going to, again, like, what's in the contracts, especially for the product that we sell, Just Care at DocuSign, right? It's, it's knowing what are those notification obligations and that's always a big question mark when, um, incidents do happen of like what are our obligations, what are those timeframes, how quickly we have to trigger insurance notifications, how much information we need to have, all that good stuff, right?

[00:24:09] Jessica: But that's what you're seeing, Cindy. Wow.

[00:24:11] Cindy: Well, you know, on the extreme ends, I think that it matters who you talk to, right? If you're talking to the, uh, security savvy person, we're just like, really, are you, do you think we're really going to be able to notify you then? Like, I think our number one priority is mitigating what's happening and containing the breach, right?

[00:24:27] Like, you want to spending our time doing that rather than, like, pinging you by email, right? That, that really is where the critical work is in those early moments of a, of an incident.

[00:24:36] Aaron: Yeah, it, um, SLAs have become much more intense than notification requirements or proposed contractual terms have become much more robust.

[00:24:45] Cindy: Mm

[00:24:46] Jessica: All right. So I'm learning stuff, new things today. So notification requirements is the new most favored nation clause.

[00:24:54] Aaron: Really just the modern day extension of the old adage, no surprises. I don't like surprises. I presume that you also don't like surprises. I know my boss doesn't like surprises, good or bad. And so, I want to know about something that's happening. Whether it's arising out of this contract or tangential to it, but I want to place a duty to be notified so that I know about it before I read about it in Drudge Report or on the front page of the New York Times.

[00:25:22] Cindy: Mm hmm. Mm hmm.

[00:25:25] Jessica: Aaron, you're speaking my language. I am not a surprise kind of gal. I know the gender of the baby. It's a girl.

[00:25:30] Aaron: Oh, congratulations.

[00:25:33] Cindy: Congrats!

[00:25:35] Jessica: All right. Well, speaking of the news recently, I read in the news that a very prominent mobile carrier, uh, was being sued for a consumer protection claim for not taking action on various security vulnerabilities. While that's all being sorted out, the lesson though that I'm hoping that you can help the listeners work through is if you were in the shoes of in house counsel or outside counsel for that mobile carrier, what any advice that you can have for our listeners to help influence the business, to accelerate taking action, to actually take security seriously. Like what can we do to help, help our listeners here? Cause oftentimes we know what the right thing to do is. We counsel our clients to do the right thing. And they're like, thanks for the advice.

[00:26:30] And then they sort of shelve that. It's not a priority, not a priority. And then lo and behold, surprise. The, the attorney general is suing your organization under consumer protection laws. And what horrible press that your CEO does not want to see in the news. Uh, Cindy, do you want to kick off your thoughts there on any tactics or tips for our listeners?

[00:26:52] Cindy: Yeah. So I think, uh, you know, as attorneys, our clients don't seem to react well to the sky is falling claim, right? And, and they, they're like, I don't, I don't see the sky falling. What it like, it's not falling over here. So I'm good. I'm good. Right? Like that's, that's usually the reaction. But I think for me, it's, it's really, it's not that the sky is falling now, but when the sky does fall, like what, what's the first thing you're going to do?

[00:27:15] And let's walk through that and like go into your point about not being surprised, you know, I work with our business partners very closely in terms of, okay, we get a letter, we get a letter of a complaint, uh, you know, what's our next four steps? Who's taking point? What's the response? What are the things that we can say that we've done?

[00:27:35] And where are the things that we know that we haven't done it, right? And then I think on the places that we know that we haven't done it, uh, the question is, was that an informed choice that we didn't do it, right? And if it is informed and that we went into it eyes wide open and we make risk calls around that, then, uh, going back to accountable, whoever is accountable for making that decision for the business, right?

[00:27:57] I, I expect them to say, I'm comfortable with this, and here's our plan to mitigate. Um, and at the end of the day, if I have to shut down the business because that's, you know, we can't operate, we can't be a, uh, operating company under these circumstances, if something happens, then, like, you've made the call, right?

[00:28:13] If that's the extreme. But in most cases, look, I'm, I'm looking for what are the levers that I can pull here, and do we have a defensible position? Like, the first response out the gate is: do we feel that we took the reasonable steps that we could have under the circumstances? And that's really kind of the basis of, uh, of like my counseling and how I think about it with my, my clients, but Aaron, I'd, I'd love to learn from you.

[00:28:36] And what are some of the tricks and strategies from your end?

[00:28:39] Aaron: Well, you got a saying that you never should let a good crisis go to waste. So

[00:28:45] Cindy: too. There is

[00:28:45] Aaron: I, I would say that the, uh, the legal counsel at that, uh, company that you mentioned, Jessica, probably doesn't need any firepower to convince their teams that security is important and that we need to spend some time doing.

[00:28:59] Some introspection on our current posture. And I'd say they have the ammunition that they need. Uh, similarly, a few years ago, back in February of 2020, I'll never forget. It was our last day in the office before all offices were closed. And, uh, we were on around the table asking for, for new developments.

[00:29:20] And I, I remember saying, well, I'd like to introduce everyone to a new concept called force majeure and what that clause means and why we're going to be talking a lot about it for the next year and a half. Uh, and then just recently here in the greater Seattle area where Jessica and I are, uh, we just had a big windstorm come through, a bomb cyclone, which sounds terrifying, knocked out power and utilities for a good deal of greater Seattle for several days.

[00:29:48] And wouldn't you know it, our first day back in the office with our team, the business continuity plan comes up in conversation and who's accountable for that. And when will that be done? So I'd say, you know, when a crisis occurs, that's always a good trigger and a good opportunity to seize, to highlight the, well, now the sky really is falling or the sky's falling right over there.

[00:30:11] And so we need to think about if that were to happen here, uh, that's a little closer to the pin, but in advance of that and absent that, uh, there are other hooks that you can think about. One is the due diligence hook. So if you're at a, a startup or a VC-backed company or a company that might be looking for funding in, in the near future, investors are always wanting to know about the, when animals attack, sky is falling preparedness and where's that plan and have you thought about this?

[00:30:40] The CEO or founder never wants the answer to be, well, we don't have that, or we haven't thought about that. So, um, investor funding due diligence is one good hook as well to think, to mention, like, we're going to need this sooner rather than later. And then even at a more established company like DocuSign or some of the larger enterprises we've, we've referenced on this call, uh, the, the thing that.

[00:31:02] Uh, the thing that attorneys always should be thinking about is how can I add value? How can I drive impact to the enterprise or to the business? And so maybe we have a program focused on business continuity, but have we thought about this scenario or is this something that, uh, our teams are already including in their playbook?

[00:31:21] Um, Uh, there, you'd be surprised, uh, once you have a playbook, the temptation to put that playbook in a drawer and not run that tabletop exercise, which Cindy referenced. And so, over time, those playbooks get stale, and they might not be up to date or include the current scenarios. Uh, and so, having that, taking that approach also can be an effective hook, I've found.

[00:31:43] Jessica: Great, really great advice, folks. And one of my core professional values is customer obsession. So a lot of the way, a lot of, when I think about positioning and trying to influence the business to take a certain direction, uh, I always focus on what does the customer want, so, or need or require, not just what the law requires.

[00:32:05] Which again, as you said, Cindy, that doesn't really always land well with our internal business colleagues. And so thinking about how do I frame it as, if there's any competitors, this could be a competitive differentiator against one of our top competitors who don't take, you know, having a stronger security posturing can help us win deals and in turn lead to growth and revenue, so that could be another way to think about positioning folks.

[00:32:32] Um,

[00:32:32] Aaron: that's a terrific call out, and, and I'd be remiss if I didn't say Oleria has, uh, taken that approach as well. We have a trust center, the Oleria Trust Center, which speaks to our certifications and the protections that we put in place as we know and are trusted. Trust is our number one corporate value, with the responsibility of helping to keep our customers safe, that we ourselves are buttoned up from a security perspective.

[00:32:57] Compliance perspective. So yes, differentiation is an excellent, uh, that's a great call out, Jessica.

[00:33:04] Jessica: I imagine, Cindy, that resonates with you too. There's trust in your title, isn't there, Cindy?

[00:33:09] Cindy: Yeah, absolutely. Look, we're, we're, you know, processing those really sensitive agreements with a lot of information to our customers. And we take that very seriously. Security is one of our top pillars, um, as well as privacy, right? That's where the space that I primarily play in, um, and so we know what our customers need.

[00:33:30] We know what they demand. Um, we compete with a lot of, uh, in the e signature side of the house, we compete with a lot of startups that, you know, think it's easy to do e signature and maybe on the surface it is. But you know what? Do they have kind of the deep tendrils into making sure that the data is protected and secure?

[00:33:48] We've got a plan because it's not static, it's not one and done, it's just with these threats that are evolving constantly, we are continuing to invest in that for our customers and for ourselves as a company and so, yeah, that's extremely important for us.

[00:34:02] Jessica: Absolutely, even though I have empathy for startups too. Alright, for our final and last segment, we'd like to end with a very fun note. The segment is called, Do You Keep It or Do You Redline It Out?

[00:34:17] Okay, guys, Aaron, you know, we've known each other for a very long time. You know, I'm a big nerd when it comes to all things agreements. So that's what it, that's the references.

[00:34:28] Aaron: I do. Yes.

[00:34:30] Jessica: Yes, I'm a big nerd. I've negotiated hundreds or thousands of agreements and so I do a lot of webinars, Cindy, about agreement negotiation tips and tactics.

[00:34:37] Aaron: you do. I've been there.

[00:34:39] Jessica: Oh, yeah, and you've been in done with them with me. You're so good. You're always so popular

[00:34:44] Aaron: I feel honored and privileged, honored and privileged to have, uh, redlined contracts with you in real time. I mean, how many people can say that about doing, doing that together with Jessica? That's exciting.

[00:34:56] Cindy: I mean, those are life goals. I, I,

[00:34:59] Jessica: don't know

[00:34:59] Cindy: Jessica, I've not had the chance to, I, I feel like I need to put it on my list.

[00:35:05] Jessica: All right, we'll put it on your legal bucket list. All right, so three questions. They're going to be fun. I'm going to start with something really fun because you work at Oleria. Is it keep or redline: saving your passwords to a handwritten notebook? Asking for a friend who may actually have a cute one from TJ Maxx. Go, keep or redline, Aaron.

[00:35:28] Aaron: So, okay. Just to clarify, cause I need to clarify the redline scenario. This is, this is a contract from a counterparty and they're demanding that I keep my passwords in an offline notebook. Is that what you're saying?

[00:35:42] Jessica: No, just like your personal passwords. Do you use fancy tools like 1Password or do you just write it down somewhere? Like. Like.

[00:35:53] Aaron: a combination. I'd say a combination. Yeah. Yeah. Yeah. So wait, wait, wait, wait. It depends. So there are some scenarios, uh, where for more sensitive, uh, matters that I, I would use hypothetically use a password manager, but for a short term usage password scenario, I, you, you might catch me writing it down just in, in the short term,

[00:36:21] Cindy: Oh, that's, you know, I, I, I keep my passwords the same, much longer than I should. So if it wasn't for the forced password change, you could probably hack into my accounts. And, uh, I've been found on the dark web quite often, too, so.

[00:36:40] Jessica: Second question for you, Aaron, is the general counsel reporting to anybody but the CEO? Keep or redline.

[00:36:49] Aaron: I think it's so important to have a critically robust relationship with the CEO. I think it's so important. Whether that needs to be a direct reporting structure, it depends. It depends on the CEO. It depends on the company. It depends on you and what's important to you and your relationship with the CEO. I'll say my strongest opportunities for impact have been in a direct reporting structure relationship.

[00:37:19] Jessica: Okay. Cindy, anything you'd like to add there?

[00:37:23] Cindy: I view Aaron as CEO and general counsel one day. That's my, that's my crystal ball. So, it doesn't have to be an either or. There you go.

[00:37:33] Aaron: It's a high bar, Cindy, it's a high bar. I, I, uh, hope to live up to your expectation. Thank you.

[00:37:39] Jessica: Love that response, Cindy. Well, Aaron, it was such a pleasure to have you as our guest today on our podcast. Thank you so much, Cindy, as well, for taking time to podcast with me.

[00:37:49] Cindy: Thank you for having me, and it was great chatting with you, Aaron.

[00:37:52] Aaron: And for our listeners, you can learn more about Oleria at Oleria.com.

[00:38:00] Jessica: I respect your opportunism in being ready for that, Aaron, because for folks who can't see, Aaron is also wearing an Oleria-branded hat. So I respect that and I love that move.

[00:38:13] Aaron: And thank you so much again for the invitation.

[00:38:15] Jessica: Of course.