Wisdom From The Women Leading The Cybersecurity Industry, With Lisa Sotto of Hunton Andrews Kurth

An Interview With Jason Remillard

Jason Remillard
Authority Magazine
10 min read · Jul 1, 2021


…My secret sauce is to take a step back, look at the big picture and consider the answer in context. The larger strategy may not involve the law at all — it may just be a matter of exercising good judgment.

The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading The Cybersecurity Industry”, we had the pleasure of interviewing Lisa Sotto.

Lisa Sotto is the managing partner of Hunton Andrews Kurth’s New York office and chair of the firm’s global privacy and cybersecurity practice. Lisa was named among The National Law Journal’s “100 Most Influential Lawyers,” and has received recognition for her work in the areas of privacy and cybersecurity. Nicknamed both the “Priestess of Privacy” and “Queen of Breach” by her clients, Lisa assists in identifying, evaluating and managing risks associated with privacy and data security practices.

Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?

I was raised in the Riverdale section of the Bronx, which made for an idyllic childhood given the number of parks, playgrounds and cement sidewalks for roller skating and bike riding. My mother worked for the New York City school system and my father was a Holocaust survivor who became an executive for an internationally known fashion designer. I attended the Bronx High School of Science before going on to Cornell and then Penn Law School.

Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?

I read David McCullough’s biography of John Adams years ago and it has stayed with me to this day. The book reads like a great novel, bringing Adams to life for the reader. Adams was brilliant, of course, but it was his fearlessness and persistence that really made him stand out. More recently, I enjoyed Dave Eggers’s “The Parade.” His Hemingway-esque writing style is simple, but then the last page just shatters you.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I can draw a straight line from where I am today to one event 16 years ago. You might say it was the call that changed my life. It came late in the afternoon, unexpectedly, from a man I did not know. I was in my office in the MetLife building, above Grand Central Station in midtown Manhattan. The voice on the other end of the line had an ominous message: Go home, it instructed, pack your bags, and wait for a black car that will take you to Teterboro Airport.

While I did not know the caller, I paid attention because he identified himself as the president of a well-known resort and casino. Data breaches were a novel phenomenon then, but I knew that casinos store highly sensitive information. Among other digital secrets, the potential client maintained a list of some tens of thousands of high rollers, including internationally famous celebrities and sports figures, with detailed information on their bank accounts and credit limits. I complied with the president’s request, went to my apartment to pack a bag and await the car that appeared outside at 3 p.m. Together, we traveled to Teterboro, and from there to the Caribbean to the site of the data breach. The work I did that fateful week at the casino serves as the basis for the notification letters I write on behalf of clients experiencing data breaches today.

Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?

When I was a first-year associate practicing law for about a month, a partner gave me an Environmental Protection Agency consent order and asked me to “review” it. He did not tell me what to do with it, so I followed his instructions and read it. I corrected a couple of typos in the document, but that was about it. The following day I got the document back with a note saying, “I expect never to see this kind of work product from you again.” And to this day (and we later became very good friends), I still do not know what I was supposed to do. So, the lesson is to not be afraid to ask questions.

Are you working on any exciting new projects now? How do you think that will help people?

Colonial Pipeline — I’m advising the company on its well-known ransomware incident. The recent spate of ransomware attacks has put the issue on the radar screen for senior management and boards alike. Despite the adverse consequences to companies of a ransomware attack, the increased awareness of this threat is a positive development because it provides further incentive to implement enhanced safeguards to protect the security of the country’s critical infrastructure and other business networks.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?

  1. The pace of change. We are dealing with an exceptionally dynamic environment, moving at the speed of light and struggling to keep up with the evolving threat landscape. We need to move very quickly to stay one step ahead of the threat actors.
  2. The cutting-edge nature of this practice. In many ways, we are making it up as we go along. The law is relatively nascent in this area, and we are creating the playbook.
  3. The deep societal relevance of this field. At the moment, U.S. companies are under siege from ransomware actors and cyber extortionists. When I’m helping a company manage this sort of incident, I’m doing much more than just practicing law — I’m helping the company navigate the immediate crisis, manage reputational risk and, most importantly, get up and running again.

What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?

  1. The law is not keeping up with the pace of change in the threat environment. Our legislators and policy makers need to increase their level of education and sophistication in this area to be able to issue more effective cybersecurity rules.
  2. The audaciousness of the threat actors and the deeply malicious nature of the current threat landscape outmatches the paucity of skilled professionals in this area. We need to significantly augment the number of trained information security professionals in this country to meet the current level of threat.
  3. The U.S. government has been slow to address what is a massive threat to our country — our businesses are under siege, our governmental entities are being trounced, and our citizenry is under attack by cyber criminals. I am sometimes asked how I measure cyber risk against nuclear risk — and the answer in my view is that cyber risk is far more dangerous because we know who has nuclear capabilities and we can contain that risk, but anyone, anywhere can have significant cyber capabilities that can bring governments and critical infrastructure to their knees.

Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?

The cyber threat environment is deeply malicious. The threats we faced a decade ago look like child’s play in comparison. Nation-states certainly are going to continue to employ sophisticated and creative cyber espionage techniques, and criminal attackers will continue to ramp up their efforts to steal data, whether personal information, intellectual property, critical infrastructure data, financial information, source code or other data of interest. Companies need to continue to prepare, every minute of every day, to fend off the myriad cyber attackers who inevitably will keep trying to hack into corporate systems.

Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?

Yes. Last month, we received a tip from law enforcement indicating that there was chatter among members of an attacker group suggesting that they were looking to hack into a client’s network. We were able to quickly retain forensic experts to assist in adding immediate protections to thwart the ransomware that was about to be deployed. We also provided critical information to law enforcement to help them bring down these criminal actors. The lesson learned is that if a company is vigilant and identifies anomalies in its system quickly enough or pays close attention to external hints, then we might be able to get in fast enough to thwart an attack.

What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?

Being a cyber professional takes a lot more than just technical knowledge. It is very important to be able to communicate effectively with senior leadership and to understand the various risks in the context of all the factors that impact the company. The best CISOs are strategic thinkers, not technologists.

As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?

The most successful attack vector right now is phishing. So, it is important to train employees to understand the signs of a phishing campaign and to be vigilant about not clicking on links in a phishing email. Of course, phishing emails often look like they are from a company you know and trust, but upon closer examination the sender’s email address may be off by a single character. Fraudsters often tell a compelling story to trick users into clicking on a link or opening an attachment. “Your bank account needs to be verified…” Don’t ever provide your personal information via emails requesting it.
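The “off by a single character” sign described above can be checked mechanically. The following Python script is an added example (not part of the interview, and not from Hunton Andrews Kurth): it compares the domain of a From: header against a constructed allowlist of trusted domains and flags any domain that is one edit away or that only differs by common look-alike characters. The domain names and message headers are placeholders.

```python
import re

# Constructed allowlist of domains the organisation trusts (placeholder values).
TRUSTED_DOMAINS = {"example-bank.com", "example-corp.net"}

# Character sequences commonly swapped in to imitate a legitimate domain.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Fold look-alike characters so 'exarnple' and 'examp1e' both read 'example'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def sender_domain(from_header: str) -> str:
    """Extract the domain from 'Name <user@domain>' or from a bare address."""
    m = re.search(r"<([^>]+)>", from_header)
    address = m.group(1) if m else from_header
    return address.rsplit("@", 1)[-1].strip().lower()


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for a From: header."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted"
    for t in sorted(trusted):
        # Flag a one-character edit or a homoglyph swap against any trusted domain.
        if normalize(domain) == normalize(t) or levenshtein(domain, t) <= 1:
            return f"lookalike of {t}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for hdr in ["Alerts <alerts@example-bank.com>", "alerts@examp1e-bank.com",
                "Security <it@examplebank.com>", "news@other.org"]:
        print(f"{hdr!r}: {classify_sender(hdr)}")
```

A “lookalike” result is a signal for a human to examine the message, not proof of fraud; legitimate domains that sit one character apart will also trigger it.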

After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?

One important way a company can mitigate harm in the event of a security breach is to take proactive steps in advance of an incident. It is critical to have an up-to-date incident response plan that has been practiced through tabletop exercises. Companies should have well-rehearsed incident response teams composed of members who know their various roles and responsibilities should a breach occur. Of course, every business needs to implement basic protections, such as multi-factor authentication, lengthy and complex passwords, software patching and appropriate network segmentation. Organizations should constantly be testing their systems, through penetration tests, code reviews, red team testing and the like. And, of course, any vulnerabilities that are identified must be patched quickly.

Once a company is made aware of a cyberattack, it must quickly bring in the right experts to assist, including experienced legal counsel, a forensic investigation firm, a ransomware negotiator if hit with ransomware, and an external communications firm, if appropriate under the circumstances. The company would be well advised to coordinate with law enforcement, which often can assist in providing indicators of compromise or other information about the threat actor that will help the team expedite recovery.

What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?

Not using multifactor authentication, failing to patch identified vulnerabilities, and not requiring complex passwords and rotating them frequently.

Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?

There is a dearth of cybersecurity professionals in the United States, male or female, but certainly the female representation is extremely low, percentage-wise. We must focus on bringing more women into the field and mentoring them.

What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?

I am asked routinely if I have a computer science background. No, I was an American Colonial history major. The key is to learn enough of the language to be able to understand what the technologists and forensic experts are saying and to not be afraid to ask questions.

Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)

  1. Keep your blinders on — ignore errant comments.
  2. Be super-responsive in any situation.
  3. My secret sauce is to take a step back, look at the big picture and consider the answer in context. The larger strategy may not involve the law at all — it may just be a matter of exercising good judgment.
  4. Relationships are incredibly important. And so is showing empathy in moments of extreme stress.
  5. Don’t be afraid to be audacious.

We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them :-)

I would have loved to have had an audience with Ruth Bader Ginsburg. She was an icon in every way. She flourished in the face of adversity and was a force to be reckoned with in all aspects of her life. She cleared the path for professional women in the U.S.

Thank you so much for these excellent stories and insights. We wish you continued success in your great work!
