[co-authors: Jason Remillard*, Jenny Hamilton]
Editor’s Note: As part of the interview series called Wisdom From The Women Leading The Cybersecurity Industry, author, interviewer, and CEO of Data443 Risk Mitigation, Inc., Jason Remillard, recently shared the following interview with HaystackID Deputy General Counsel of Global Discovery and Privacy, Jenny Hamilton. Published in Authority Magazine, a periodical focused on leadership lessons from authorities in business, pop culture, wellness, social impact, and tech, the full text of the interview is provided with permission.
An Interview with Jenny Hamilton by Jason Remillard*
The cybersecurity industry has become so essential and exciting. What is coming around the corner? What are the concerns we should keep an eye out for? How does one succeed in the cybersecurity industry? As a part of this interview series called “Wisdom From The Women Leading The Cybersecurity Industry”, we had the pleasure of interviewing Jenny Hamilton, Deputy General Counsel for Global Discovery and Privacy at HaystackID.
In her current role, Jenny serves as a resource for corporate clients, supports legal and compliance operations, and continues to grow the Enterprise Managed Solutions Group, the company’s specialized offerings for corporations and law firms wishing to transform their business of law practices. She has extensive experience in data privacy, electronic records management, investigations, and litigation. She is a widely-respected innovator in the industry for her disciplined approach to building compliance and discovery programs and cross-border data transfer protocols. An industry thought leader, she served as co-chair of the Corporate Counsel Committee for The Sedona Conference Working Group 6 on Data Protection & eDiscovery, on the board of CeDIV, an association that fosters the exchange of best practices and know-how on Cross-border eDiscovery, Privacy & Investigations, and as faculty for the Federal Judicial Conference, training 60 federal judges on digital discovery issues. Jenny currently serves as a co-chair for the Chicago Chapter of OneTrust’s Privacy Connect.
Thank you so much for doing this with us! Before we dig in, our readers would like to get to know you a bit. Can you tell us a bit about your backstory and how you grew up?
I was raised by an artist and a technologist. I joke that my childhood was essentially a full left brain and right brain workout.
My mother came from a long line of beautiful, fashionable women. Her grandmother had a clothing store, and her mother taught her to sew by Vogue patterns from a young age. Yet as a southern mother, it was important to fit in and respect the rules.
My father started his career in computer sales and eventually developed an accounting system for complex, class action law firms. One of my father’s most interesting qualities is his ability to see around corners and take unpopular stands. When software was still “green screens,” he rebuilt his program in Microsoft Access. And even then, he became an early Apple convert.
His favorite quote is: “The reasonable man adapts to the world. The unreasonable man makes the world adapt to him. Therefore, all progress is made by the unreasonable man.”
So, while I inherited a respect for the rules and human connection from my mother, I was challenged to think critically and push the limits from my father.
Is there a particular book, film, or podcast that made a significant impact on you? Can you share a story or explain why it resonated with you so much?
The book that I have drawn on the most in my career as a lawyer is A Civil Action. It’s a real-life journey through a case where a trial attorney, who has been successful in settling personal injury cases in state court, tries a complex class action involving medical and environmental claims in federal court and ultimately gets schooled by the judge, opposing counsel and his own clients for not taking the time to learn the rules of civil procedure. The movie, based on the book, shows the interplay between John Travolta (the main character), Robert Duval (opposing counsel) and Kathleen Quinlan (the mother) in unparalleled performances about the intersection between values, ego, and money.
I refer to this case when dealing with multiple aspects of trial practice but extend it to new emerging areas of the law like data privacy and handling cyber events. And the unspoken rules are like pieces to the puzzle, without which, you cannot effectively manage the back end of a cyber event unless you know the rules that are guiding the stakeholders.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I started off in litigation and dispute resolution. A lot of attorneys in the privacy and cybersecurity space start their journeys as transactional lawyers — negotiating agreements, drafting policies, etc. But there is a whole area of cyber law that is more like crisis management where the carefully crafted playbook goes out the window.
The start of my career in cyber happened during a mediation class at Pepperdine Law School when the teacher — and world-class mediator — explained that mediations are more like improvisations. While there are stages of a mediation, in real life, the action moves fluidly and sometimes rapidly through each stage — and in both directions. To keep the mediation moving forward, there is one rule — you have to say “yes, and” to anything that has been presented to you on stage.
That is how I have built my career and managed the most complex projects — by saying “yes, and.” Yes, I will help build a discovery practice for a large company, and yes, I will extend our discovery processes and tools to support our cybersecurity practice.
Back to the moral of A Civil Action, you must appreciate the key facts, the rules of engagement, such as the rules of what is regulated health or personal information and what is reportable. And you need to be right, as even seemingly small cyber events can result in the need to certify facts to regulators. Sometimes, if you’re really unlucky, it can result in massive litigation.
Can you share a story about the funniest mistake you made when you were first starting? Can you tell us what lesson you learned from that?
I wore a hot pink suit to a group photo shoot commemorating the 150th year of the law firm at which I had just started working. The day before, we were told under no circumstances could we wear black. And on the day of the shoot, every non-black suit I owned (but the pink) was at the dry cleaners. No big deal — we were told the photograph was to be published in black and white. So, no one would know about my “Legally Blonde” moment. However, when I showed up for the celebratory lunch after the shoot, someone had placed 12×16 size prints of the group photo in the middle of every table — in COLOR. Initially, I was mortified. But I come from a long line of fashion pioneers, and why not stand out in a sea of navy blue?
Are you working on any exciting new projects now? How do you think that will help people?
Nothing excites me more than to contribute at the forefront of change. The days of planning for incident response were great fun, but the forefront now is Cyber Discovery, conducting post-cyber breach discovery and review so our clients have the data they need to remediate and report unauthorized access to company records. To churn through the volume of data at risk, we’re developing sophisticated models using artificial intelligence and expert industry veterans to meet ultra-short deadlines and still maintain rigorous quality control standards.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. The Cybersecurity industry seems so exciting right now. What are the 3 things in particular that most excite you about the industry? Can you explain or give an example?
First, it’s everywhere. Open a newspaper and read about the resources that governments are pouring into security, starting with Biden’s recent executive order. Second, it’s global. Look up the recent G7 conference centered on free transfer of data. Third, it affects every organization. Big or small, companies are employing data protection officers (DPOs) at an unprecedented rate, up 700% after two years since the General Data Protection Regulation went into effect.
What are the 3 things that concern you about the Cybersecurity industry? Can you explain? What can be done to address those concerns?
We are not beating back the cyber criminals fast enough, and we won’t unless we band together. To outsmart the criminals, it will literally take all types of people, yet we still lack diversity of background and expertise to win. I vividly recall Dr. Arin Reeves presenting on the woeful lack of diversity in the legal profession, citing a study showing that a jury of all one gender and race will all too quickly come to a verdict and miss critical evidence.
Similarly, Johnson & Johnson’s Chief Information Security Officer, Marene Allison, advocates for a seat at the table for everyone — not just software developers and cyber operation managers but also crisis management experts, artists and journalists. I would include records and information managers and eDiscovery experts — with the added bonus that these are the “pink collar” areas of law and compliance where women and people of color have been able to be recognized and move up quickly.
Lastly, I am concerned with the silos that tend to develop in organizations that keep the most critical information hidden away in their time of need. My roots are in eDiscovery, and these professionals are the ones who have unparalleled understanding of how data flows in and out of a company. Why wouldn’t we want to give voice to that experience? As Marene Allison puts it, this is a team sport with all hands-on deck.
Looking ahead to the near future, are there critical threats on the horizon that you think companies need to start preparing for? Can you explain?
Ransomware continues to be the primary concern on the horizon. However, it’s not yesterday’s ransomware. The criminals are not just encrypting your data but now they are also exfiltrating it.
To prepare, companies need a strong ransomware plan in place. Though this is part of the overall breach response plan, it really requires its own plan because of the complex ethical and Office of Foreign Assets Control (OFAC) considerations. This includes (1) whether it makes sense to pay, and (2) a backup plan where the data can be restored fast enough so that you don’t need to pay.
Can you share a story from your experience about a cybersecurity breach that you helped fix or stop? What were the main takeaways from that story?
I would tell you, but then I would have to kill you.
No one is prepared for the emotional toll of managing a cyber event. You live in a state that Eckhart Tolle calls “psychological time.” Every day, you wake up and replay every major decision, every call you made or didn’t make, and every possible future ramification. Meanwhile, you’re losing time to deal with the new day at hand. If Tolle was giving cyber advice, he would tell you to simply be present, ignore the inner chatter, and listen deeply to your team and the experts who surround you to help manage through it.
The main takeaway here can be summed up in three words: audit, audit, audit. Be in a state of continuous audit of your highest priority systems and processes. Some of the best professionals in the electronic discovery and cyber world are accountants and auditors. They get the importance of knowing the rules and auditing against them for failures. At the same time, this is hard on an organization and its employees, and we forget that people thrive on positive reinforcement — and react fearfully and inconsistently with what’s in the best interest of an organization when their mistakes are on display. Transparency and accountability must be backstopped with psychological safety for audits to be truly effective. Otherwise, audits can promote a false sense of security.
What are the main cybersecurity tools that you use on a frequent basis? For the benefit of our readers can you briefly explain what they do?
There are three. First, start with two-factor authentication — if you have an iPhone, you know how this works. Second, endpoint monitoring is critical to find leakage in your firewall. Third, we need granular logging to determine what happened when. A less direct benefit to sophisticated, name-brand tools is that they become a deterrent to the attackers — when attackers encounter them, they may decide not to proceed.
As you know, breaches or hacks can occur even for those who are best prepared, and no one will be aware of it for a while. Are there 3 or 4 signs that a layperson can see or look for that might indicate that something might be amiss?
I just received an email warning me that my Norton anti-virus software would be renewed for $350 unless I contact the billing department right away — and I received nine of these emails in a row. I almost clicked the link on the first one, but the number and velocity of the emails were key giveaways.
To make it simple, I use “SOS” when evaluating an email such as this:
- Sudden: Did the request come out of the blue? Was it unexpected?
- Off: Was it sloppy or even inaccurate?
- Scary: Does it induce fear or shame? Does it make you feel the need to act too quickly?
Then pause and ask yourself, considering the importance of the message, is this how you would expect to be contacted by this organization? For example, would you expect the IRS to leave you a voicemail that you might be arrested if you don’t call them back? You can’t get them to answer their own phone, let alone call you out of the blue!
But the scammers have tapped into our biggest weakness — fear and shame. And I mean every human walking the planet. I heard of a general counsel who clicked the link in a phishing campaign — even after he was told that it would be a test. Everyone experiences fear, it’s a basic survival mechanism. This explains why so many phishing emails are written the way they are.
After a company is made aware of a data or security breach, what are the most important things they should do to protect themselves further, as well as protect their customers?
Three things: You must make decisions quickly, you must have all-hands on deck (again, it takes a village!), and you must be transparent. This last one is unconventional, and it is not a one-size-fits-all event. But for some situations, like a ransomware, consider the credibility you can build by letting key customers know you’re under attack. One of the greatest inventions worth communicating is the FAQ. I’ve used it as a key communication tool in nearly every project I’ve been a part of — especially for a ransomware event.
What are the most common data security and cybersecurity mistakes you have seen companies make? What are the essential steps that companies should take to avoid or correct those errors?
Two things. First, companies often fail to conduct a real risk assessment to effectively measure the risk on cybersecurity. This assessment can tell you how much you should spend and how to prioritize your resources. Second, organizations fail to appreciate both the amount and the location of personally identifiable information sitting in their systems and on employee assets. Rare is the company that has gone through the exercise of identifying what and where its crown jewels are.
Let’s zoom out a bit and talk in broader terms. Are you currently satisfied with the status quo regarding women in STEM? If not, what specific changes do you think are needed to change the status quo?
I am seeing changes every day. We are going in the right direction, and we need to keep pushing in ways that appeal to young women. It’s like LEGO® Friends — a toy primarily designed for girls, that invites them to design a house or an island using colors outside the primary spectrum. To combat cybercrime, it will take every type of expert, from communications and PR to software developer. Forrester recommends expanding searches for talent and cross-pollinating disciplines with transferrable skillsets. Marene Allison recently echoed this sentiment at The WSJ Pro Cybersecurity Executive Forum, saying that diversity of thought is what we need in cyber.
What are the “myths” that you would like to dispel about working in the cybersecurity industry? Can you explain what you mean?
I’d like to dispel the myth that to be successful in this field, you must be a cybergeek. Or lack fashion sense!
Thank you for all of this. Here is the main question of our discussion. What are your “5 Leadership Lessons I Learned From My Experience as a Woman in Tech” and why? (Please share a story or example for each.)
Lesson one: Don’t panic. The first report is usually wrong. Identify what will be the key facts and verify them.
Lesson two: Practice self-awareness. Recognize when others are coming from a place of shame or fear. The easiest sign that you are hampered by negative emotions in your decision making is that you’ve lost your sense of humor.
Lesson three: Connect then lead. Remember that the relationship comes first and the project comes second. Always be willing to hear the other person out before coming to a conclusion.
Lesson four: Girl, stop apologizing. Loyalty to your team is important; however, loyalty to yourself is mission critical. And I’m not talking about feeding ego-driven insecurity. I’m talking about being loyal to your values and owning when something or someone is not.
Lesson five: The skills that got you here cannot and will not get you there. We are growth-minded beings who need a reboot every three-five years. This could mean repotting your career, your city, and even your relationships. I did all three in the last 18 months. It was the most painful yet exhilarating time in my life, but it didn’t just happen. I had to pave the way through reading, therapy, spirituality, and willingness to change myself after years of operating a certain way. Even with four young children, I didn’t let lack of time be an excuse. I started getting up at 5 am and looking for bite-sized resources. Here are my favorites:
- Blinkist app for summaries of groundbreaking books on leadership, like Dare to Lead and Radical Candor
- The Year of Living Brilliantly for five-minute videos of well-recognized leadership gurus
- LinkedIn posts by:
- Dennis Garcia — assistant general counsel of Microsoft
- Jacob Morgan — author & futurist
- Ray Dalio — author of Principles: Life and Work
We are very blessed that very prominent leaders read this column. Is there a person in the world, or in the US with whom you would like to have a private breakfast or lunch, and why? He or she might just see this if we tag them
I’d have to say Oprah. I admire her ability to lead significant social change without losing her audience. For example, Oprah ignored strong headwinds to explore personal spirituality on daytime television. I would love to hear how she found the fortitude to recreate the path over and over again.
Thank you so much for these excellent stories and insights. We wish you continued success in your great work!
*CEO of Data443 Risk Mitigation, Inc.