Unfair Treatment of Cybersecurity Victims
00:00:00
Speaker
If, ah, your house gets broken into and a thief comes in and steals a bunch of your stuff. And so you had like good industry standard locks in the doors. Um, but certainly they found a way to get into your home.
00:00:14
Speaker
If after the fact, the police took you to jail or fined you or both, everybody would say that is fundamentally not fair. That doesn't make any sense.
00:00:25
Speaker
Like that you, you lost, you lost goods. You, you went through the trauma of getting attacked. Um, but that's not the way we do it in cybersecurity world. It's, okay, this has happened to you. You better do this with surgical precision in how you respond. You better tell people on this date, this date, and this date.
00:00:42
Speaker
um And you better have a record to show that you did everything perfectly after you got attacked. Okay.
00:00:51
Speaker
What if the legal system punishes the victim and in the process makes it harder to attract top security and privacy leaders to take on this sort of increased personal risk associated with these roles?
Introduction to Andy Lunsford
00:01:06
Speaker
Today on The Abstract, I am joined by Andy Lunsford, co-founder and CEO of BreachRx, a company pioneering the automation of incident response for enterprises.
00:01:21
Speaker
Andy's story is interesting. It spans law, compliance, and entrepreneurship, which is kind of fitting given that the platform he's building today is sitting at the intersection of legal risk, operational chaos, and executive accountability.
00:01:37
Speaker
We'll dive into what inspired him to build BreachRx, how the legal system may be, in some ways, failing both companies and their security leaders, and what he sees as the future of incident response. And Andy was actually a referral, which I love, on the podcast from Joe Sullivan, a recent podcast guest. um So yeah, Andy, thanks so much for joining me today for this episode of The Abstract.
00:02:05
Speaker
Thanks for having me, Tyler. It's great to be here. Okay, so you started your career trained to be a lawyer, you know, did the clerkship thing. Take us back to sort of the moment in time when when you were getting started in the law and thinking about, hey, what do I want to do with this? What direction do I want to take it? And um ultimately ended up becoming more of ah more of a consultant, like a litigation consultant.
00:02:30
Speaker
Yeah, yeah. So, yeah, it's crazy how fast the years go by. Like, like ah you blink and you've gone through so many different um parts of your career. Yeah, i think early early days, um I guess for me, a ton of my interest in law started um in undergrad. i I was a philosophy major um and I um got exposed to a class.
00:02:53
Speaker
called Philosophy of Law, and we talked about the right to privacy and I really got hooked into that idea, and that was like an early foundation. And it actually kind of connects with, like, in high school some of my favorite books were 1984 and Brave New World. And so just getting, you know, kind of in these ideas of what is a surveillance society like and all these different things that are all around what is your personal privacy. And so I got so into it in that class that I ended up writing my honors thesis in college on the right to privacy.
Andy's Early Career in Privacy Law
00:03:23
Speaker
um And then I, you know, going into law school is like, hey, i want to do law in this space. I just like love this intersection where technology, privacy, cybersecurity, the law, policy, it's all intersecting. And it's just incredibly intellectually stimulating for me to think about it because there's so many tradeoffs. in and ah and Yeah,
00:03:42
Speaker
got so many good things, so many bad things. um And I feel like as I've gone along in this career, all these things just continue to to surface. And, our you know, um um yeah it's yeah, it's just been super invigorating. But yeah, that was my my early foundation. But I i jumped in.
00:04:01
Speaker
law school I actually thought about politics and tried to get involved in the policy side of this stuff for a bit. My family had some ties to Arkansas politics, and so I actually did some interning on Capitol Hill, um, cool office, um, very quickly saw what I felt like was a very toxic environment developing, you are some game, it's all about winning and losing, and... Well, I'll turn it into a political discussion here today, but, um, decided, you know, I just don't think I have the stomach for that business, even though my family had a lot of involvement there.
00:04:34
Speaker
um And so then I said, let me think about the private side. Like, how do I get involved with, you know, law firms that are in this space? And in the early 2000s, there really wasn't anybody doing what has become this privacy law cybersecurity practice that is, know, one of those.
00:04:49
Speaker
the biggest growing practices of every major law firm. and When I went around like literally going to every law firm I could find online, like nobody was doing
Transition to Consulting and Co-Founding Beacon Group
00:04:58
Speaker
privacy law. And I found one firm, um, that had... It was a very boutique firm where a partner had... Actually, for the privacy OGs out there, he'd worked with Alan Westin back in the day and he was huh the FTC, um, and was getting work on some of these very earliest data breaches that went before the Federal Trade Commission. And so it was an awesome learning opportunity for me.
00:05:20
Speaker
to you know be in privacy law, feel some of the, what's the ramifications of when a company has a breach and all those early early early things around litigation. Yeah. And then i I worked in-house in Walmart's general counsel's office for a bit.
00:05:36
Speaker
Um, then, um, had this opportunity where my brother was leaving a big consulting firm. He'd been doing litigation consulting. actually has more an engineering background and, um, a few partners he'd worked with that we were going to come together and decided to build what became Beacon Group, um, where we had a whole stable of experts that could testify on different topics and,
00:05:59
Speaker
I, know, litigation legal background was a nice bridge um between technical experts and, you know, legal teams. And um yeah, did that for ah quite a while, got more data breach litigation experience
Evolution of Data Breach Laws
00:06:14
Speaker
along the way. And um yeah, that's kind of the early the early part of the story.
00:06:19
Speaker
Okay, that's pretty cool. So you got to actually work on or observe or watch some of the early data breaches. I don't know. I mean, here's a question. Like, did it feel like a little bit of a bigger deal then? Or did it feel like the reputational sort of harm for a company was huge? I mean, on the one hand, you're kind of making it up. But also, if it hasn't happened a lot, like maybe it was like front page news at the time, as opposed to today, in some ways, it feels like a data breach is...
00:06:45
Speaker
I get an email once a month from a company that my dad, I got one from my, my insurance, my health insurance provider like two weeks ago. No, There's serious, uh, what people call breach fatigue. Cause you just, you get, them yeah you know, you don't think about it. Yeah. I think early days it was certainly thought of as a black swan event. You're like, Oh man, a terrible thing. But,
00:07:06
Speaker
It was there also at that that point was very, it was the very early days where we had um not every state had a data breach law. It was like, it was one of the ones that was out in front and that was one of the issues, but basically the early litigation process,
00:07:21
Speaker
was around this, you Article 5, deceptive trade practices where, you know, there are issues around what are you saying about your privacy and security on your website? That's always kind of been piece of it, but it was also the fact that companies were making the choice to notify, know,
00:07:38
Speaker
California residents, but maybe not all of the residents across the the country that that their data was impacted because there wasn't a legal requirement to do it in X, Y, and Z. It was just in these these handful of states.
00:07:51
Speaker
The FTC is like, hey, wait a minute, like ah everybody um should be getting notified about this. And so that was what a lot of the early debates were about. Then yeah we quickly you know turned into a place where every state had its own law.
00:08:04
Speaker
we've moved now to where internationally we've got over 200 different data breach privacy. Wow. I didn't know that. That's a big number. Yeah. It's quite the maze. Um, and it gets more complex. I think what's, you know, as a lawyer can appreciate it. It's like, it's not just that you have um these individual laws and all these places, but they get amended all the time and get changed. You have a new, you know, California is a classic example where had California data breach law, then you have CCPA, and then you have CPRA, and then you've got, you know, more things that happen administratively for each of those ah laws. And so um it's really a lot to keep up with when you think about multiplication of that. So it's like 200 base laws. But when you think about how many times they've been amended, you're talking about keeping up with like, you know, different things, you know, a lot to track down um and and stay on top of.
00:08:55
Speaker
What was it in your experience? I mean, I guess you had this sort of privacy background, you're helping run the Beacon Group, you know, doing this sort of litigation consulting work. What starts to nudge you towards the idea that maybe there should be a sort of like tech solution in the data breach space?
00:09:12
Speaker
ah well we What was the sort of early thing that maybe led to BreachRx? Yeah, so there were a few different key pieces. I think one, as just a changing... yeah We talked about it being a black swan event for a breach before.
00:09:29
Speaker
I could really see, and like anybody that was experienced in the cybersecurity and privacy space would start to say, it's not if, but when. Mm-hmm. But, like, it's like everybody's going to experience this. And then I think, and that was even in my mind at that time, underplaying the frequency, because it's not just everybody's going to have one data breach. It's like, right, everybody has incidents. They're happening all the time. So that's a change in this dynamic. And then on top of that, we've got more and more regulations. We've got set and now we've got 200 plus. We were starting to see
00:10:03
Speaker
more and more regulations. And for me, the tipping point on the regulatory front was when GDPR was proposed in 2016, went into effect in 2018. Yeah. This was the first time we had a really short timeline on notification with what felt like very significant teeth on the penalty. So to be able to have to notify in 72 hours, face up to 4% of revenue as a penalty,
00:10:29
Speaker
ah two Okay, this is the next way. It's not just that we've got a duty to notify. It's like, okay, you're going to have to do this very fast. And when you've got this complex web of laws, how are you going to sort through that in a matter of hours?
00:10:44
Speaker
And then I think also,
Vision for BreachRx
00:10:45
Speaker
so that that was probably factor that was factor two. And the third was um just seeing in litigation all this all these times, all these cases of just how,
00:10:55
Speaker
kind of footfalls in different ways about how a company would respond to an incident and how they didn't have a good enough record about it or they were you not transparent enough about it. And we had a real mentality across the legal profession. It's like our best advice to clients on breaches and incidents was don't write anything down, minimize communication about this. Like let's, let's contain this as small as possible because, know,
00:11:21
Speaker
every word about this is additional liability. And so um and the reality was that part of why these breaches would go so badly was because companies had viewed them as ah security, technical issue, and not bigger business problem than it really becomes that it really spread over the long tail. And so felt like, okay,
00:11:43
Speaker
let's rethink the way we handle incidents. And one, think about this is actually an area, an area of transparency. And so like, I need to have a record. I need to show that I took responsible action because these do happen all the time. It's not something that's black swan unexpected and okay, i mean finally didn't know you were doing.
00:12:03
Speaker
There's an expectation that you you take a systematic approach. Um, And how can you and, you know, with 200 plus different obligations, regulatory wise, plus contracts, plus cyber insurance, plus trolls, all these other things that dictate what you have to do with an incident, sorting it through that in seconds is not a good task for a human being.
00:12:25
Speaker
It's something you really should apply some automation to. um And so, know, you think about the way that we, you know, use like TurboTax and the tax code. It's like, okay, you have nobody's memorizing every good of tax code.
00:12:40
Speaker
Yeah. like automation here. And this was a space to me that made sense. It's like, let's apply automation around a lot of these allegations. Let's have a place where you can build a factual record to work and um really coordinate across the team and in a meaningful way so that it's clear who's doing what when and and and making it very easy to have that record after
Entrepreneurial Journey and Market Challenges
00:13:02
Speaker
the fact. And so um that was yeah part of my vision. and I think I also just said, look, I've seen and lived all these
00:13:11
Speaker
worst case consequences with clients. Yeah. This is where it all fouls up. And how did I look at this problem? A lot of people look at problems head on. I'm like, okay, I come across this problem. What do I do next? do I do next?
00:13:24
Speaker
Let's look at it actually from backwards to forwards and say, okay, these are all the worst things that can happen. How do I engineer a process so that as many of these as possible are taken off the table?
00:13:35
Speaker
um And so that was a real focus for my CalFood co-founder and I, Matt, on how do we build a platform that really minimizes the impact? And we turn this from what every person every always talks about as chaos into what should be a routine business process because it is an expected thing to happen.
00:13:54
Speaker
Mm hmm. When did you feel like you wanted to go all in? I mean, because like, you know, Beacon Group was doing very well, right? It was a very sort of successful business. On the one hand, I suppose that gives you the confidence that you can do the entrepreneurship thing, right? You didn't just think of yourself as lawyer, right? um yeah But yeah when did you decide that it was it was time or that like that you wanted to go all in?
00:14:16
Speaker
Yeah, I think, um you know, going into, so I guess being a risk averse lawyer, i had these ideas about BreachRx.
00:14:27
Speaker
I didn't have the name for the company at that point, but i like thought a you platform needs to exist here to do this. Um, and I had, uh, the opportunity to do um, the executive MBA program at Wharton.
00:14:40
Speaker
And so I, I actually decided, Hey, I'm going to go do this program and i'm going to take my idea and I'm going use all of their great entrepreneurship coursework.
00:14:51
Speaker
You cause I'd been a philosophy major and then a lawyer and I i hadn't had like formal business. Like, I mean, I'd built a business, so I like know what I learned once I got to school was like, oh, actually, i know a lot of this stuff. I've experienced a number of these things, but it it was awesome background, the network, all those logbo great reasons to go to Wharton and very happy I did.
00:15:11
Speaker
um But yeah, I took it through that. And then it it was right around that time, 2016, when GDPR was coming down, it was kind of like, okay. this is This is real. And that for me as a lawyer, I'm like, okay, that's real penalty. Everybody's got to start getting in line with it.
00:15:28
Speaker
And this is where the vision of where things are going. um What I did learn hard way was yeah just because a law gets passed doesn't mean everybody goes and and changes their behavior. there's Propensity of let's wait and see some people get burned first and then we we might change the way we do things.
00:15:48
Speaker
um And I think as and yeah as a CEO of a company, yeah it's not that people do that because they don't want to do right by the law.
00:15:59
Speaker
There's just a reality of hardcore compliance with every single thing is a cost. And everybody's making risk-based decisions all the time. um And what ends up happening in the legal field a lot of ways is that you've got to start to see the shape of like, what do the regulators actually care about? What are they actually going to penalize people for? And then let's adjust our behavior to that. and that So that's just the common approach that has helped you out.
00:16:28
Speaker
Yeah, so it was, although it made sense to me in, you know, 2018 when I quit Beacon Group to do this full time, um, it was very early to market. And, um, yeah, it took grinding through some early days. But now, like, the vision of where I thought everything was going is really playing out and we're really seeing the company take off, which has been awesome.
Effectiveness of Data Breach Laws
00:16:54
Speaker
We'll come back, I think, you know towards the end of our conversation to talk a little bit more about the product and maybe your experiences as a founder. um I am really curious in the substance of this, right? And like maybe talking for a minute about ah how data breach laws work, um whether they work,
00:17:14
Speaker
ah I mean, you know, I mean, one idea, maybe something to start us off with is it makes sense if companies are not investing heavily in data security that you would structure sort of incentive, right? Or a disincentive to not invest, right? and Double negative, but like a disincentive to not invest, right? If you don't invest in this and then this bad thing happens and consumers are harmed, right?
00:17:36
Speaker
We're going fine you. yeah But the companies are victims here, too. And the world has also evolved from that place. So I don't know. What's your perspective on that and the way that most of these laws are structured?
00:17:48
Speaker
yeah i Yeah, I think that it's to your point, like that the mean the mean, the reason they're structured that way is to incentivize people to be good with data. It's like, hey, if you're going to take on a bunch of customer data, you need to be good steward of it. You need to protect it, take it seriously.
00:18:05
Speaker
gets out there. It can harm people in different ways. But the reality is that I think that was the starting point with a bit less education and understanding of what it actually means to, and the challenge, the evolving challenge it is to defend the digital economy. And that is, you know, there are, you know, when you think especially about what we have now today between automation and AI around technology,
00:18:36
Speaker
the amount of attacks that a business is under every single day and they only have to win once. You've got to defend it every time. and no And so it's like, I always, you know, this idea that the law is set up in the cybersecurity world to punish victims is what really kind of burns at me. And i was like also another piece of like starting the company that really um made this a very passionate endeavor for me is that,
00:19:03
Speaker
i i Yes, I believe businesses need to be responsible with data, but I don't think it's fair when people are doing the right thing, doing the best they can with smart people that you should be coming and taking the hammer to them. So, you know, and the example I go is like, say you're at your, know, it's not a perfect analogy, but oh if ah your house gets broken into and thief comes in and steals a bunch of your stuff,
00:19:28
Speaker
And so you had like good industry standard locks in the doors, um, but certainly they found a way to get into your home. If after the fact, the police took you to jail or fined you or both, everybody would say that is fundamentally not fair. That doesn't make any sense.
00:19:48
Speaker
Like that you lost. You lost goods. You went through the trauma of getting attacked. Um, but that's not the way we do it in cybersecurity world. It's, okay, this has happened to you. You better do this with surgical precision in how you respond. You better tell people on this day, this day and this day.
00:20:06
Speaker
Um, and you better have a record to show that you did everything perfectly after you got attacked. And I think there's so much focus, like, in the cybersecurity world on the defense side of this, and it's definitely important, you don't want to leave the doors wide open. But you're actually, your company, the security team, the legal team, everybody is judged more on how they handle an incident than they are whether they defended a breach, because it is expected that incidents happen. Hackers are going to get in. Accidents happen. Stuff mistakenly gets shared in different directions at times.
00:20:44
Speaker
um I fundamentally don't think that it's fair if a company has a really good systematic approach, they take this seriously, they're responsible about it, that you should be having the sledgehammer come down on you ah for it. I think there's better better ways to incentivize that behavior.
00:21:00
Speaker
Yeah, I mean, I think the other thing that folks sometimes don't appreciate is um Some of these actors are either nation state actors or backed by nation state actors. And I think we're going to see even more more of that.
00:21:16
Speaker
Um, and, you know, I mean, even the largest corporate and most sophisticated sort of security teams in the world, the company like, ah, Microsoft or a Meta or is going to struggle against a, you know, a team movie, a hacking team that is funded by North Korea or funded by China or funded by Russia, even if it's not, like, an actual arm of the government, right? Um, I don't know. So I think that, uh, this problem is not going away, in other words, and like even the most sort of sophisticated corporations in the world are going to continue to get hacked. That just seems like a reality of doing business.
00:21:55
Speaker
Yeah. Well, and, and like, you know, unlike a yeah physical theft where somebody has got to like break into your physical facility, like you can be anywhere in the world but ah and be sending out malicious code, and doing all kinds of things because of our interconnected, um the way everything everything, everything's connected to the web.
00:22:15
Speaker
And so in those countries, you know, yes, nation states. And then just in general, the fact that like, we have no jurisdiction over people um to come after them in some of these countries and those countries, maybe whether they sponsored them or not, don't have incentive to help us go after them. And so that's part where like the true wrongdoer, it can take many years to bring that person to justice and you've got to get lucky in a number of directions for that to happen. And so, ah yeah, it's it's ahs a real, it's a real challenge.
00:22:49
Speaker
I mean, the other thing that you layer, or we we we see being layered on top of this, I guess, is um calls for more executive level accountability, which I don't think...
00:23:01
Speaker
in a broad sense is necessarily a bad thing, right? Like the idea that CEOs or others who are making decisions about where to allocate resources in businesses that have real world consequences or have consequences for consumers, right? Ordinary people, right? I mean, there should be accountability in corporate America.
Accountability in Data Breaches
00:23:19
Speaker
um we started to see as a few cases, not a ton, but a few cases where CISOs, chief privacy officers, um, are, are targeted for civil or or sort of criminal enforcement actions, um, based on how they've handled incidents like this. Uh, and know, what, I mean, what do you think about that?
00:23:40
Speaker
And, and the potential sort of, think chilling effect that some folks are worried about, um, not trying to say, no one should ever be held personally accountable for criminal activity or really bad decision-making. Right.
00:23:54
Speaker
Right. But it seems like that could, could keep, ah keep good people from wanting to take on sort of the top job in these, in these functions.
00:24:07
Speaker
Yeah, I think we've we've seen that. We've seen um especially the CISO community and and then some of the civil security legal community of people saying, hey, it's just not worth the personal risk um to continue doing this because, you know, I think think about other issues again, other areas the law. There's other things like normally if you're going to hold and an executive personally accountable for something that for a criminal and fraud, all these things, that' they've done something truly nefarious. Like they're stealing their to stake to shareholders. there yeah There's things that they're doing that
00:24:45
Speaker
are truly bad. um where and you When you look at the cybersecurity workforce, and and this is like a bigger issue, is I think this space is is unique in that we can't rely on you know federal government to defend all these companies. like And so you help the have to have teams within um all of yeah corporate America.
00:25:09
Speaker
And they're really ultimately ah the front line in defending our economy. like you you you You think about the impact if there's no good cybersecurity at all these companies, like the whole the whole world's vulnerable to Absolutely.
00:25:25
Speaker
um really important that those people that are mission driven that want to fight that fight, um, kind of somewhat, you actually see a lot of people that come from the military that, that,
00:25:36
Speaker
getting all the power security because they love that mission aspect of it. um We really need to incentivize them to want to do this job and feel that it's rewarding. And it's not just like, oh, if I you know go there and I am doing my best that I might actually end up in jail.
00:25:51
Speaker
um yeah Obviously, if you hacked the company or insider and you you you yeah facilitate that,
00:26:02
Speaker
That's something completely different than, hey, we got attacked and the business didn't respond well enough. and I think there's also so many business decisions get made in that incident response process and how many resources you dedicate towards cybersecurity. There's all of that these risk-based decisions that go into having as good of a cybersecurity program as you can under the circumstances.
00:26:29
Speaker
That, yeah, it just really feels unfair to say like, hey, let's go after these people personally. And and that's where we kind of have a mission in our company about, we say, defend the defenders. like we We want to part of the solution that keeps those people feeling like they're covered. they like they like we're We're easing that liability for them. so they just need to go do their job and do what they're really good at.
00:26:52
Speaker
Mm-hmm. And I think I think that is going to be a change over time, how long it takes us to get there. um I don't know. But um I think, yeah, it's it's there's different. There's like negligent acts and like just saying, hey, we're not going invest in cybersecurity. We're just going to.
00:27:09
Speaker
or we're not going to care about how we handle data. like That's one thing, but it's totally different when you look at the people that have been that have been you know charged personally in these cases, these high-profile cases. It hasn't been that type of situation.
00:27:27
Speaker
folks who are listening are are mostly sort of in-house lawyers, as you know, GCs. um suppose they can advocate, but they're probably not going to change 50 different state data breach laws in the structures. and They're not going to convince the SEC or a U.S. s attorney in a particular area not to go after their CISO.
00:27:49
Speaker
Something they can definitely control is is as these incidents happen and will happen to their businesses, they can control the sort of response. um you've seen, i don't know how many, many hundreds, thousands probably of of breaches. i mean,
00:28:05
Speaker
What should companies do in these situations? How do they document in the right way? how has that changed as we've we've sort of touched on over time?
Handling Data Breaches Systematically
00:28:14
Speaker
How is the approach very different today sort of around transparency and and um showing your so when you're trying to do the right thing all the way through? yeah yeah what What can companies do? What can GCs who are listening due to to protect their businesses?
00:28:29
Speaker
Yeah, I think it's um starting with that fundamental understanding that because you know this is a real possibility, a real risk is sin. Okay, how are we going to proactively prepare for it so that when it happens, we're not running around trying to figure out what to do at the time? i think, you know, part of the older, you know, legacy mentality had been like, well, I'll just have really great experts on call. Like I'll have my outside counsel firm. I'll have forensic firm that I've got a retainer with my cyber insurance or whatever. and I'm just going to, you know, dial them up.
00:29:02
Speaker
They'll come take care of it. And then. but and But and and there are super talented people that do great work in those spaces, but it's still ah it's a business problem and it actually requires being well coordinated across the business. So like it doesn't matter if you have the best, the best professionals coming in after something has happened.
00:29:24
Speaker
they can't fix your business coordination problem and they're not going to have the record keeping in place for you to show that you really um thoughtfully prepared for these type of incidents. And so that comes with having a real systematic approach.
00:29:41
Speaker
It's not just, I think this is a changing mentality too, is it used to be like, Oh, I've got a paper incident response plan um written that we've written down that, yeah The reality is it was a template that was given to them or somebody else wrote it or one person writes it and most people don't read it.
00:29:57
Speaker
um It's really just an escalation document. doesn't actually tell people what to do. But having that and running an annual tabletop, we're kind of like, oh, we've been proactively prepared.
00:30:08
Speaker
um But that's really not sufficient today. Now it's like, no, you you you need to have a cross-functional team that practices together on a regular basis and you need to have a system of record to show, okay,
00:30:22
Speaker
when an incident happens, who dealt with it, who escalated it, what time do they escalate it? Um, and, you know, as that workflow, you know, spreads across the organization, that it's well-coordinated, people are on the same page. There's a system of record, there's a single source of truth, um, and be very intentional about how you handle attorney-client privilege that unfortunately, historically it was like fine with just,
00:30:48
Speaker
do this stuff in email or or, you know, that messaging apps like Slack, we're seeing that, you know, by not really intentionally separating out the factual record you have to build from your privileged communications,
00:31:02
Speaker
All of that's coming into evidence. And I've worked with the Sedona Conference on some of the commentary in that space. And that's what we've seen when we look at all the different court cases we've had on privilege and cybersecurity context, that um the mixing of that, those the factual and and using business systems that aren't specifically designed for the the use case, all those things weigh against you and all this evidence, smoking guns come in better are like interesting Oh, they yeah should have passed this, you know, two years ago. And like a lot of the stuff that yeah that people think is going to be like internally protected, it all ends up coming in evidence, which is is really unfortunate.
Leadership and Challenges at BreachRx
00:31:43
Speaker
Interesting. So how, wait, how do you solve for that? Like, how do you keep those sorts of communication streams, ah, separate or segregated in the right way? Yeah, it's this intentional choice of doing it, and it's part of your policy and it's actually the policy you follow that is, here is where we build the factual record and these are the pieces that go into that.
00:32:08
Speaker
And this is the out-of-band place that we do the communicating, separated from that record, and they're not intertwined. That's the real key from a technology perspective.
00:32:23
Speaker
So I would imagine your role now, you know, as the founder, as the CEO, is an interesting kind of mix of advising clients on how the landscape is evolving while also having to build a tech solution, tech implementation, et cetera. How do you draw on the different experiences you've had to do both of those things? And do you like that sort of context switching?
00:32:49
Speaker
Talk to us a little bit about that. Yeah, I think that was, you know, one of the reasons why I love this job. I think that it taps so many different skill sets for me where I think sometimes, you know, as a litigator, um, got, know, it's been a lot of time on strategy and all the different aspects of what go into litigation.
00:33:10
Speaker
But, um, there was an amount of where I felt like I wasn't really learning as much anymore. Um, whereas, yeah, now I, you know, I have a board that I'm, you know, accountable to, and I have, um, you know,
00:33:25
Speaker
growing employee base that, you know, has all kinds of challenges as you're growing a company very fast. And um, yeah, it's very different to sell an enterprise products software products where it is to sell your services, you know, like as a service provider, consulting, litigation lawyer. You get a lot of like, I do really good work for this person and then they refer me to others, and you're also getting paid for things immediately. Um, and this type of business, you spend a lot of effort building out this product, invest a lot in that, and then you sell it. Obviously, the business model is much more scalable once you get there with that early investment.
00:34:05
Speaker
It's just a different mentality. but you know Back to your question, i love all the different problem solving you in the different directions and and i think it's also um you're more um interacting with people a very soon all the time you know whether that's a partner an investor a customer an employee all all that stuff in the course of my day um versus kind of being in my like silo of like i'm in the law i'm in my case and i've got a couple you know people that i'm working on this case with maybe it's yeah a broader team but it's it's
00:34:40
Speaker
it's um, yeah, it's not as diverse, and I feel very invigorated by all the different things I guess I do every day. Do you feel like you're, because you were a leader and sort of like one of the execs who helped grow the Beacon Group, but do you feel like your leadership style or the way that you approach your work has had to evolve in any meaningful ways now that you're in more of the venture-backed space and probably have a more diverse sort of team than you're used to, working with software engineers, et cetera?
00:35:15
Speaker
Yeah. um Yeah, I think that it's been certainly, yeah, it's very different bill different types of business to build. Whereas it before, it's like I was selling my relationships and i was finding ways to leverage to our team, like our services, my opportunities to like grow. Okay, we start with this level of service for a client and what are the, like, what's the next level, the next level. And then they bring us on to do that.
00:35:41
Speaker
Cause, um, you know, this, you know, I've really built around me, BreachRx, amazing leaders who different functions of the business. Um,
00:35:52
Speaker
Whereas I feel like, you know, at Beacon, it was kind of like I was capable of doing everything and it was like finding people that I could give pieces of it. Um, part of like my role as CEO at BreachRx is like, what are things, you know, gaps I have, you know, like,
00:36:11
Speaker
you know, I need a chief revenue officer. I need a head of marketing. I need, you know, my co-founder's, you know, chief product officer, chief technology officer. He's, you know, everything tech and he's got a team of engineers and like,
00:36:27
Speaker
um I really enjoy like bringing on experts in their piece and having them have carte blanche to run with that aspect of the business.
Early Market Challenges for BreachRx
00:36:39
Speaker
um And, you know, then we just, yeah, work together on the things when our issues overlap. I've got a couple more substantive questions for you before we get to the sort of fun closing questions.
00:36:53
Speaker
You mentioned earlier that you felt like you were somewhat early to market with with BreachRx. I'm really curious about that and how you sort of cross that chasm or chasm or however you say that word. It's escaping me at the moment. and and yeah know Because that's that's a hard thing, right? I mean, a lot of companies sort of die because they're five years too early or 10 years too early. And might be a really great idea, but they just can't get the sort of like product market fit or the traction that they need, the revenue that they need to to keep going and raise another round and and and make it to sort of the next stage. um
00:37:30
Speaker
Yeah. How was that experience for you? How did you do that? Yeah. I mean, it was, yeah, absolutely the hardest part of the journey. I mean, it's been, you know, you believe in a vision that I believed in, and I kind of talked about all these motivations I had for like wanting to do it. And really lean in that when you're hitting the wall on things, you're like, okay,
00:37:56
Speaker
And it gets so frustrating when you like, you have all these conversations with prospective customers early days. We're like, yeah, that's a great idea. Like, everybody should be doing this. Why isn't everybody doing this? And then you're like, but then actually getting somebody to invest and pay the money into it was a real challenge at first because you don't have enough like, you know, this product hasn't existed before. And like, why would we change from this existing way, even though we know the existing way sucks for all these people?
00:38:27
Speaker
There's all these problems with it. So you have to, you know, you've really got to find those early adopters that like share your vision or are excited about it. And then, um, you know, they really help you start to evangelize it beyond them. And then you start to build enough critical mass, um,
00:38:46
Speaker
where that really helps like referenceable, like, oh yeah, we've already done this work for this company that you know, and this other company. And then that starts to build. But I think it also for us was just like the fever pitch of what we knew was happening. And it was like, you know, we went, GDPR was in 2018, but you know, these new SEC rules that came down, new,
00:39:12
Speaker
it's more and more of the global expansion of these laws, um, New York DFS and the financial services like a much, much more hardcore on these issues. Um, and so you started to see people say, okay, yeah, the status quo legacy approach isn't good enough and we really gotta do better. And so, but yeah, it was tough and, yeah, you have a lot of, you know, um, conversations at times with, um, your family like, okay, hey, how are you gonna keep pushing on this, you know, and uh, you've got to be a little crazy, like a little bit like, I believe in this so badly, but I'm gonna run this through to the last dog dies, like
00:40:01
Speaker
We will just continue to punch through brick wall after
Future Vision for BreachRx
00:40:05
Speaker
brick wall. And that's sort of, yeah, I think every entrepreneur you talk to has to do some of that. Like, I think that we, you know you read the story in the news that sounds like, oh, this company just like launched and just, you know, took off like a rocket ship.
00:40:20
Speaker
um If you actually spend time with pretty much any entrepreneur, you know, it's a roller coaster. You had, you know, days where you're like, am I gonna be able to pay my vendors, am I gonna have to pause payroll, like people can face these things that I think in, you know, bigger corporate America are just not things you face. But um, it's really fun though. It's so gratifying because you like, you go through that and so like all the more when you start having success.
00:40:52
Speaker
Last sort of substantive question for you, Andy. um It's where do you see incident response and BreachRx going over the next few years? Where do you want to take not just your company, but sort of maybe if you have an ability to shape this ecosystem, you know, where do you want to take it?
00:41:13
Speaker
Yeah, I think it's setting the standard for the industry and saying, like, look, we're changing the bar as to what it means to do incident response. Incident response isn't this technical cybersecurity problem. It's a business problem.
00:41:31
Speaker
And it means you need a holistic solution that is going to work across the business from the very beginning days, starting of an event all the way through to the end. um And, you know, that level is just the expectation. And um I think that that,
00:41:51
Speaker
I think hopefully will also, you know, impact some of these bigger picture things that we were talking about before. It's like, okay, and if that becomes the standard of how businesses are dealing with it, then this, you know, personal liability and these massive fines for facing things that are outside of your control, um, that it seems to make more sense to say, okay, as long as you have a really good system in place and you dealt with this responsibly, then,
00:42:16
Speaker
um you know, no big deal. Like, well, let's move on. And so I think if we're able to change that narrative and some of the new standard, um that is incredibly satisfying to
Reflections and Leadership Advice
00:42:31
Speaker
me. And um, where I think we're going.
00:42:35
Speaker
Some fun questions for you as we start to wrap up that I like to ask all my guests. The first is if you have a favorite part of your day to day. Ah, favorite part of my day to day.
00:42:48
Speaker
um I would say getting back to just like the diversity of things that I'm doing, you know, that I, like, yeah, have, you know, quick qualms on with my co-founder and I've got all these different people on the team that I interact with. But yeah, it's to go through the course of a day and talk to my internal team, I have meetings with customers, have meetings with partners, investors.
00:43:11
Speaker
Um, and, and I think as time goes and you get more and more people on the journey with you, it's just really fun. And it's like more and more people that, that like kind of celebrate with you when things are good, you know, when things are going and people that are there to help you when things are not going so well. And it's like,
00:43:30
Speaker
um But I think that broad, expanding people on the boat with you is is kind of fun to to continue to interact with and grow with every day.
00:43:44
Speaker
I think this is kind of a fun question. It's if you have a professional pet peeve.
00:43:51
Speaker
Yeah, um, I'm generally, ah, like an easygoing guy in a number of ways. Obviously, ah, I'm type A in a number of ways. I wouldn't be running. But I think the biggest deal for me is I've got no patience for ****.
00:44:06
Speaker
It's just like it's a waste of energy being a jerk to somebody. Like you can disagree with people. You can have a heated argument. But there's just a baseline that like I just don't have tolerance for assholes. And I don't want to, you know, no matter how smart and whatever you are, if you're an asshole, I don't want to work with you.
00:44:28
Speaker
That's a good rule. I agree with that rule. I think most businesses should have a no **** rule.
00:44:35
Speaker
Okay. I often ask my guests about a book they'd recommend, but I know you're a big podcast guy. So I'll take the opportunity to ask you if there's a podcast or two that you would recommend for our audience, something you think it would be interesting for them to listen to.
00:44:54
Speaker
Yeah, I think um for me, I get really into some of the more entrepreneurial type of podcasts. And so like one that I bring up to people a lot, especially if you're someone that's listening that's either on an entrepreneurial journey or you're thinking about it.
00:45:11
Speaker
um When I was going through some of the hardest times, and this is also, you know, we didn't even talk about it, like the middle of COVID, you know, and everything. So that was the same time we were going through the hardest parts of the business.
00:45:23
Speaker
um But there's a podcast um called The Reboot that Jerry Colonna um started, and he was a former VC turned executive coach, but he basically has on
00:45:37
Speaker
entrepreneurs talking about their journey and talking about challenges they face. um It kind of borders into like therapy sessions sort of, but as an entrepreneur and a CEO founder, like there's so many things that you deal with day to day where you kind of feel like you're on an island thinking about and figuring out. And it's like a way to, you know, everybody's got different things, but you're like, oh yeah, I can understand that. You kind of just
00:46:05
Speaker
get into that person's shoes in a way that normalizes, I think, some of the stuff and it just feels great. So I think that one was awesome. Um, there was startup podcast. I think it's called the startup, um, without getting what media that one was fun one. Um, and I used to always enjoy the Guy Raz, like How I Built This. Oh yeah. Those are fun. I haven't listened to that in years. Oh, that's a good idea. I like that. Yeah.
00:46:31
Speaker
All right, Andy, last question for you. My traditional closing question for my guests. It's if you could look back on your days as a young lawyer, just getting started, something that you know now that you wish that you'd known back then.
00:46:49
Speaker
I think the biggest thing is that you can do so many things with a law degree. I think going into law school um and the way that everything is so structured, the Socratic method, all the different things that you do, they're just like, okay, this is the way we've always done it. This is the path. And I think, you know,
00:47:07
Speaker
A lot of the career services opportunities tend to be around like, okay, well, this is, you know, check this box and you can do the next thing, jump to this suit and this suit. And it's like, there's just this one path in the legal world.
00:47:18
Speaker
um And that was kind of like, permeates the mentality, I think, during law school, or did at the time, hopefully it's evolving. But when you come out of law school and you realize like there are a million different things you can do and you don't have to do the exact, you know, path that everybody else has done. And um, I think, you know, fully being ready for that I think is a piece too, because I was one of those that went straight from undergrad to law school and you just kind of get used to like, okay, school always puts the next hoop for me to jump in.
00:47:50
Speaker
Do it. Then you get out and you're working. It's like you've got to decide what's the hoop you want to jump through next. And I think also just don't lose, you know, faith. And like sometimes you can get frustrated and not like what you're doing.
00:48:04
Speaker
um But like when you look back at your life and your career path, um a lot of these things you go through, they're meant to be and they like inform you for the next job you do. And like there's things that you do at one point.
00:48:17
Speaker
that really help you do something later in your life. And you don't even realize it at the time. And I think that's definitely been true for me. That's a great answer and very fitting with the sort of thematic thread through all of these podcast episodes.
00:48:32
Speaker
Andy, thanks so much for joining me for this episode. This has been a lot of fun. My pleasure. Thanks for having me on. And to all of our listeners, thank you so much for tuning in and we hope to see you next time.