Redpoint Cyber Vice President of Client Engagement Violet Sullivan, CIPP/US, is a seasoned privacy professional with extensive experience on both sides of cyber incident response.
As a breach response specialist with AllClear ID Health, Sullivan handled recent U.S. data breaches, including at Anthem Blue Cross and Blue Shield, Home Depot and Sony Group. At Redpoint Cyber, she works with the technical team, helping clients who sustained cyberattacks or data breaches understand “how” an attack occurred based on the technological components of their networks.
Sullivan spoke with IAPP Staff Writer Alex LaCasse to discuss her work in cyber incident response, as well as the cybersecurity threats and trends privacy pros should look for in 2023.
Editor’s note: This conversation has been edited for length and clarity.
The Privacy Advisor: How did you get your start in privacy, and what most interests you about this field?
Sullivan: I started in privacy almost a decade ago, and I feel like most people who started in this field at least five years ago kind of fell into it. They suddenly got handed a project in privacy and that project really turned their lives around. I did litigation through criminal law in a public defender's office. I handled some passionate cases, such as sexual assaults and homicides. They were interesting cases, but they also helped later on with privacy because it is ultimately a civil liberties issue.
The Privacy Advisor: What would you say was your breakthrough moment in the privacy industry?
Sullivan: I was doing oil and gas transaction work at CONSOL Energy and some other things that didn't quite fit. I knew I wanted to use my MBA and my JD/MBA, and I was looking for that next step. I lucked into AllClear ID, which was doing this thing called “data breaches.” The nature of the work involved responding to them as that consumer touch point with resources for companies, so they could feel better about losing everyone's information. AllClear ID hired me as one of the first attorneys who communicated with privacy counsel, technical teams, operational teams and clients. I learned so much there, and that's what sparked my love for privacy. I took my CIPP exam (in 2015) and I worked on the Home Depot breach. I worked on Sony and Anthem. I cut my teeth during my first year in privacy on some pretty huge cases and also met some amazing people that have become lifelong friends.
The Privacy Advisor: You started working at AllClear ID in 2015. How would you say breach responses have changed from then to today?
Sullivan: There are pros and cons to the evolution of privacy since I started in the breach-response world. The pros are that legislation has improved and focuses more on the consumer. We've made a lot of progress when it comes to holding entities that cause harm to consumer rights accountable. One of the cons is, back then, everything was new. When companies had a cyber incident, they were a lot more customized and in-tune with the customer on what they needed, how they could help them recover and identify what remedy was required. Now it feels like more of a formula. Data breaches have become so common and, I think, expected, that a company’s response doesn’t always benefit the consumer anymore. The response is typically: “How do we meet the legal requirements?”
I remember being on the phone in 2015 with a client company, who told me: “Here's what we lost in this attack. Does what we lost equate with how we're making our customers whole?” They were very conscious about trying to link those things together. I was hoping that’s how the privacy industry would be, but it's evolved into more of a machine. We've gotten bigger and scaled, and, as a group, I think there's a lot of people who are going through the motions and just meeting the regulations.
The Privacy Advisor: When going about your job doing incident responses, how do you try to add a personal touch to your work with each client?
Sullivan: You have to bring your passion for the work and you have to build trust. We’ve been saying privacy and data privacy over and over for many years and nothing was changing. Now we put that in the idea of consumer trust… I think keeping that in mind, my passion for privacy, but also channeling this trust into relationships is helping to keep authenticity in business right now.
The Privacy Advisor: Walk me through your day-to-day work when you first get notified about a client’s new cyber incident.
Sullivan: For any organization that has a cybersecurity issue, there are usually two different ways it can happen. You go through a response process with preestablished vendors and you know how to work with everybody. Companies really do need experts because they aren't big enough to have their own internal response teams. Exceptions are big companies that have an existing and established team on their security group to help coordinate if there's an issue. Those are people with a lot of data and a lot of assets.
Companies either do that internally, or they have cyber insurance to help them. I mostly work on the cyber insurance side. Usually, an organization calls its cyber insurance in the event of a breach. They first loop in the legal expert or breach coach. That breach coach is the law firm that talks a company through the legal obligations. They're the ones that know the 50 different states' written notification guidelines like the back of their hand. So, that's one side — legal. We are on the technical side.
Just like companies need a legal background on trends in the history of the law and the application of privacy to a cyber incident, they also usually need a second opinion on the technical evidence. What I love about my work now is I'm a privacy professional leaning more towards security. I work with a technical team, and we're going to look at the server, log in through company credentials and see where the threat actor went. We're going to see what data they accessed. We might even negotiate the ransom with the threat actor. And I think it's very interesting.
The Privacy Advisor: What are some common pitfalls you see in cybersecurity?
Sullivan: One of the biggest pitfalls is not having your privacy and security interests aligned because sometimes we operate in silos. That’s why I love the Privacy. Security. Risk. conference, because it tries to encourage collaboration. Another thing to realize is (vulnerability occurs when) security teams are constantly told they're making it harder for efficiencies and technology. I'm sure privacy teams get the same feedback.
As far as big holes in companies’ security, like a lack of multifactor authentication, not having another layer of verification is a super vulnerable place to be in. A password can be stolen or threat actors can brute force (their way) in. If you don't have another layer as a defense, it’s like having a weak lock.
The Privacy Advisor: Are you saying you find it's still fairly common that organizations aren’t using multifactor authentication?
Sullivan: Yes. We’ve seen a lot of issues where small companies can't employ a full-time IT person. They go to a managed service provider or outsource it, and put all the reliance on that IT person. Often, security is not a functionality of every person that puts technology together. They don't have a security brain all the time; they don't have privacy knowledge to apply. When you just hand over all the technology to an outside party without a vested interest in the data, it's sometimes a recipe for disaster.
The Privacy Advisor: Looking ahead to this upcoming year, what have you identified as some of the top cybersecurity trends and what are some of the major emerging threats everyone should be aware of?
Sullivan: Artificial intelligence is a little bit scary. AI, ChatGPT and all kinds of simulated content are going to make phishing emails even trickier. It's going to make it sound more like the voice of whoever they're trying to pretend to be, such as the CEO. So trust is going to be harder and social engineering is going to be tougher to spot. We’re going to have to continue with trainings and being more proactive.