59. Susan Lindberg – GableGotwals – What Businesses Should Know About Cyber Security in 2021
November 15, 2021 • Robert Wagner, CPA, Advisory Partner
Susan Lindberg is an attorney and shareholder in the Tulsa office of GableGotwals. She has more than 25 years of experience as an attorney in the energy sector, working on a wide variety of issues, including oil and gas upstream, midstream, interstate natural gas pipeline, and tanking & terminalling businesses.
Susan specializes in company-transforming transactions, corporate governance, and compliance matters.
She has served as the Executive Vice President and General Counsel of SemGroup Corporation. She was also General Counsel and Corporate Secretary for Eni US Operating Co. Inc., and part of the U.S. executive team for Italy’s Eni SpA.
Listen in as Susan shares how she gained an interest in the cyber security space and why many companies continue to have gaps in their systems around cyber-related legal issues.
She offers a number of resources that small-to-medium sized businesses can use to analyze and categorize risk and, therefore, determine the framework they may need to implement.
She also breaks down “ransomware-as-a-service,” what to do if your company falls victim to an attack, and how to plan for insurance and other cyber security investments.
Finally, she gives her thoughts on the future of business and identity verification should the time come when all personal information becomes public.
This episode is now on Apple Podcasts, Google Play, Spotify, Stitcher, or wherever you listen to podcasts. You can also listen via the podcast player embedded above.
Make sure to subscribe to “How That Happened” to receive our latest episodes, learn more about our guests, and collect resources on how to better run your business.
Robert Wagner:
Our guest today is Susan Lindberg. Susan is attorney and shareholder with GableGotwals based in Tulsa, Oklahoma. She has more than 25 years of experience as an attorney working in the energy sector, working on a wide variety of issues, including oil and gas upstream, midstream, interstate natural gas pipeline, and tanking and terminal businesses. She specializes in company transforming transactions, corporate governance and compliance matters. She served as a general counsel for public companies, and she has also held key legal and public affairs positions in the interstate pipeline businesses at Duke Energy and Enron. Susan, thanks for being with us today.
Susan Lindberg:
Thanks so much for having me. First a quick disclaimer. While I do want to share some insights that I hope will be useful, my remarks are not intended to be legal advice or to be a substitute for the listener seeking advice of counsel for specific legal questions.
Robert Wagner:
All right. Get your disclaimer out of the way. I totally get it. So Susan, you've had a lot of experience in the energy sector and in corporate governance, and I'm sure you've done a lot of interesting things, but we want to talk about cyber today and you sort of carved out a niche for yourself in the cyber security area. So how did that happen?
Susan Lindberg:
Well, I've always been fascinated by computer technology. When I was a first grader here in Tulsa I saw The Computer Wore Tennis Shoes, starring Kurt Russell. I don't know if you remember that movie.
Robert Wagner:
Oh, wow. Yeah.
Susan Lindberg:
Well, in the movie, as you know, Russell plays a college student whose brain gets overwritten by a computer during an electrical storm, and he becomes unbelievably smart. I was captivated by this and very inspired, and so I went straight to work constructing this very large pretend computer in my room. My parents, as you might imagine, were taken aback, not that they had anything against computers but this was the early '70s and this was just a really unfamiliar area for them. Anyway, I believe that was a point at which they stepped in and steered me onto the straight and narrow path to law school. So my law degree served me well, of course, but last year I, like a lot of people, had a chance to pause and reflect. And I realized that Tulsa, the University of Tulsa has this outstanding and highly accredited cyber security master's degree program and pursuing that suddenly seemed like an obvious choice. And so I'm finding that my studies complement very well my experience as an energy company executive.
Susan Lindberg:
So I've been working on cyber security at GableGotwals. I'm partnered with two other attorneys working in that area, one with a banking background and another with a Department of Justice background. So we're able to offer the full gamut of cyber-related legal services.
Robert Wagner:
Yeah. We enjoy our relationship with Gable and have reached out to you guys on a few cyber issues for our own cyber security policies, so we appreciate the expertise that you guys have and that you built.
Susan Lindberg:
Well, we're very happy to be working with you.
Robert Wagner:
So let's just start with kind of a big, broad question related to the law itself. And just in terms of cyber security is the law up to date with cyber where the bad guys are, or is it behind, which is where I figure it is, or could it be possibly ahead of where the bad guys are?
Susan Lindberg:
Well, you're right. You were right at first. Unfortunately in many industries business practices are generally lagging and the laws are too. I think the US government and state governments have been acknowledging that new legal requirements aren't going to be enough. For many, many years they've been encouraging the private sector to put security measures in place and report incidents because they realize this is going to have to be a multi-layered approach. This year we've seen a few new regulations. I mean, there's always a raft of legislation at the state and federal level every year and most of the time we don't see that. And this year, I think last week for example, we saw some very rare federal legislation come out on K through 12 cyber security. And so the CISA, the Cyber Infrastructure Security Administration, part of the Department of Homeland Security, is being tasked with looking at or studying cyber security in an education environment and providing resources to that community on cyber security. So it's not really a mandate to anyone except the federal agency at this point.
Susan Lindberg:
It kind of points to the fact that different industries have different sets of vulnerabilities, and it just really has to be customized. But there were a couple of new regulations that have come out this year that I thought could be of interest to your listeners.
Robert Wagner:
Go ahead.
Susan Lindberg:
One that's probably familiar already to some people listening is the CMMC, the Cybersecurity Maturity Model Certification. It's a recent requirement from the US Department of Defense, so it's going to get gradually rolled out. This year, the DOD is starting with 15 prime contracts and they'll start issuing requests for proposal that contain some CMMC requirements. And then by 2026, all Department of Defense contracts will have to have CMMC certification.
Robert Wagner:
So you're going to have to have some level of standard to do business with the DOD. This is where this is going, is what you're saying?
Susan Lindberg:
Yes, that's right. Anyone that wants a federal Department of Defense contract is going to have to have some level of certification. And the level that you have to get will depend a lot on the types of information that you're handling, and I won't go into detail on that. But a lot of the requirements are very detailed, I guess my point in saying that is that companies wanting to do this or continue to have defense contracts are going to need to prepare. Even to get certified you have to have a certain level of maturity in order to even start that process. So it's something to look at now, look at early, if you are interested in that.
Susan Lindberg:
The other area I wanted to mention was the area of consumer protection, cyber security, this is an area where legislation and regulation is fairly mature. And many people listening, if they handle consumer data at all know that a lot of states have reporting requirements in case of breach, and the Federal Trade Commission also looks after this area. I would say, if you're doing business over the internet, if you're handling transactions with the internet, it's possible you do business in all 50 states, it's important to watch what's going on because that area's still evolving depending on what state you're looking at and there has been some activity this year in that area. And on the FTC side you can be exposed if you don't properly safeguard consumer information, the FTC can bring a case against you. I noticed that there's a bill in the US legislature that would allow the FTC to seek restitution on the behalf of consumers. So, that's another area of potential exposure. Yeah. I mean, I think that they had been seeking those kinds of damages and courts were pushing back and so now they're trying to get that bill passed.
Robert Wagner:
Yeah. So I want to skip, you've kind of touched on something makes me want to skip ahead in my thinking of questions that I wanted to ask you. Just, let's take the DOD example if I'm a government contractor and we think of the big government contractors but there's hundreds and hundreds of small companies that contract with the federal governments they've built themselves to do that.
Susan Lindberg:
That's right.
Robert Wagner:
So it just seems like, and for everyone, these things are just a new tax on business. This is just a cost now of doing business of having obviously all of the stuff in your firewalls and all of those things. But having to be up to date on compliance that you just mentioned and understanding and having a response policy and being prepared to respond to a breach and things like that, I mean, those things all cost money. Is that just where we're at? This is just the price of doing business in the world we live in today?
Susan Lindberg:
I think that is where we're at. Security threats affect everyone, no one's immune unless somehow you're not connected to the internet or don't use the internet. So in a sense it starts out as a level playing field. I mean, I think when you look at sets of requirements like the CMMC and you see them all at once, it's really a lot and it seems very prescriptive, I mean, that's one way to do it. I think I said earlier the approach really needs to be tailored to your particular industry and set of risks you face and the type of data you're handling, whether you have critical infrastructure, whether you're handling customer information. I think business owners will have an advantage to figure out how to efficiently manage the risk.
Susan Lindberg:
When you look at solutions for smaller companies, I think using still the CMMC example, there's really a rush by some service providers to come up with an efficient solution for those small businesses so that they can stay in. And also there's been a dialogue with the Department of Defense on how really feasible this is to do, which is why they're phasing it in. But yeah, it's a lot. It kind of reminds me of back when Sarbanes–Oxley was new and a lot of companies were having to decide, are we going to be public? Can we really do this? And if so, how do we do it? And some companies had to do it a couple of times to get it right. It was a lot of cost. It was a lot of time and resources. But I do think that I don't want to really compare them beyond that, but this is a big change for many companies, especially if they're new companies or they're smaller and wanting to grow. I think that if someone asks me where to start, there are some things, generally, that I could point out. Maybe that would be helpful.
Robert Wagner:
Yeah. Sure.
Susan Lindberg:
Okay, I'm going to talk about five different steps. So if I get too long-winded, just stop me. But as a starting point, every organization needs someone to be responsible for security. That's part of that person's job. That person is empowered. They have goals that are set for them or that they set and that'll have incentives for good performance. It's that important. You've got to have that particular person.
Susan Lindberg:
The second step would be to inventory your digital assets. And by that, I mean your information, your software, your hardware, everything, and figure out what the crown jewels are that have to be protected. And sometimes these are physical assets if you have critical infrastructure. Sometimes it's proprietary information if you have customer information that's particularly sensitive as well. And so you need to know where this information is, and a lot of companies will continue to do an ongoing inventory to make sure they know what's connected to their system as well.
Susan Lindberg:
Number three would be to then know what laws and regulations, or other requirements, may be applicable that are going to determine your must-have security activities. And then the fourth step, there are a lot of readily-available tools out there that are public. They're free. They can really be great starting points when you want to know what you're getting into with cyber security. And a couple of good examples are the NIST publications, their Cybersecurity Framework, their more specific publications that they have. And then also, the Center for Internet Security has a really good guide for small- and medium-sized businesses to use. So that's worth looking at. Those are really useful starting points for analyzing and categorizing your risk and knowing what the controls would be that you may need to implement. And then if you're handling consumer information, the FTC published some guidance a few years ago that's pretty clear. It's got a lot of the same things you might see in NIST or in CIS.
Susan Lindberg:
And then, finally, with this background, then it's time to decide where to dedicate your resources. What is it you're actually going to do? And this important person that I talked about that you appoint to be in charge, this is where they really have some challenges. I mean, you have to decide, are you going to take up employee time to do some of this or can you implement some of these solutions with open-source solutions, minimal cost, or sometimes things are built into the software that you buy. It just totally depends on your company. You may need an outside expert for some of this, someone to really dig in, come up with solutions, and then to help you monitor how successful that is. So that's where to start. I know that's a lot, but those are the basic steps that you would need to think about.
Robert Wagner:
Yeah. I love the concept of putting someone in charge because, as long as you pick the right person, then something will happen. Progress will be made. And so I think that's a great first step. Again, we're talking about the cost of business. There's a cost to that. But I know we've done that here at HoganTaylor. In addition to our IT department, we have someone who is really just responsible for our data. And when GDPR came out, she researched that and fully understood it and we made changes as a result. So I think that's really great advice. So let's dive down just a little bit deeper and talk about ransomware. And in doing some research for our time today, I was listening to you on another podcast, and you used a term that blew my mind. It's called Ransomware as a Service, which I like to think of we do things as a service, but ransomware would not be one of them. So what is that?
Susan Lindberg:
Well, I'll start with what is ransomware. Hopefully, very few people have first-hand experience with this, but I know you've read about it. But this is a type of malware that locks down your system, sometimes also exfiltrates data. It's called ransomware because those who deploy it use it to make money from the ransom that they want you to pay to get your system and your data back. And I think you'd have to have been living under a rock to know this is an increasing problem. And ransomware attacks are increasing, the amounts of ransom that are being demanded are increasing, and it's something that really has the attention of the US government and law enforcement. And they have been making some inroads on that. I can talk about that a little bit later, but back to your original question on Ransomware as a Service.
Susan Lindberg:
You've heard of Software as a Service-
Robert Wagner:
Yeah.
Susan Lindberg:
...which is just delivering and licensing software online by subscription rather than the old-fashioned way of getting the software out of the box and installing it on individual computers. And cloud-based Software as a Service platforms have become very common, as you probably know. So the shady side of Software as a Service is Ransomware as a Service. And this has become a really profitable and well-organized business. And you'll hear even the Department of Treasury using the term Ransomware as a Service. It really just makes things really convenient for bad actors. The service provider will generate the software or the malware and sell it on the dark web. So it's already been written. You don't have to... If you're a bad actor, you don't have to-
Robert Wagner:
So this is like a supply-
Susan Lindberg:
Yeah.
Robert Wagner:
...chain for bad guys?
Susan Lindberg:
That's right. That's right. And sometimes the service provider will take a cut of the ransom. Very often, they will provide support services to that actor.
Robert Wagner:
Like a help desk.
Susan Lindberg:
No. Yeah, so it's just-
Robert Wagner:
"It's not going well. I need some help."
Susan Lindberg:
Yeah. And so they use the cloud just like a legitimate business would.
Robert Wagner:
Yeah, that's mind-boggling. Wow. So one thing that's been happening in the area of ransomware, my understanding the original defense was just to have great backups, right? And lock down your data and we say, "No problem. I got backups." And you go back to your backup. Well, now they're getting clever and they encrypt your backups before they encrypt your data, right? So I mean, I've heard that scenario. So it's just getting harder and harder. But we've seen this. We had the pipeline company recently that paid a ransom, and you do hear about this. If I pay a ransom, am I committing a crime?
Susan Lindberg:
Well, as lawyers like to say-
Robert Wagner:
It depends.
Susan Lindberg:
...it depends. Right. So the federal government, the FBI, and the Cyber Infrastructure Security Agency, CISA, are discouraging victims of ransomware attacks from paying the ransom because paying the criminals just helps fuel the cyber crime. Well, that's easy for them to say. It's another thing when you're in a crisis situation. You can't figure any other way out. You're not sufficiently backed up, even if you thought you were, or the backup's been encrypted, or something else. But yes, to answer your question, it can be illegal to pay a ransom if it's paid to certain entities that the US Office of Foreign Assets Control, or OFAC, has identified on their sanctions list, basically. So they've issued prohibitions on dealing with certain countries like Iran, Syria, North Korea. And they also have a list of specifically-designated nationals. And they have been adding people to the blocked-person lists that includes known malicious cyber actors.
Robert Wagner:
Well, what's the result? I mean, are companies getting fined or people going to jail for paying ransom? I mean, what do they actually do, I guess if you...?
Susan Lindberg:
I mean, OFAC can issue substantial penalties if they are able to find out that you've paid a ransom to someone on the sanctions list. It's getting a little bit... They're really focusing in on some bad actors that affect a lot of these transactions. A few weeks ago, they designated a virtual currency exchange called SUEX, S-U-E-X, which is involved in facilitating all kinds of ransomware activities. So I mean, if you, or someone on your behalf, pays a ransom to someone that you haven't been able to identify one way or the other if it's on this list, well, they may be going through this exchange. So it broadens the possibility that you could be running afoul of this list. OFAC has come out, and they put this on their website.
Susan Lindberg:
They've come out with some guidance saying that if you are the victim of a ransomware attack and you don't know who it is or you do know who it is, to come to them and they'll work with you. And if you end up paying the ransom, the implication of their post on the website is that they may be more lenient on you if you have come forward. But it's tough. A lot of times you don't know who you're dealing with, and it's a stressful time. I think that companies should probably talk about this situation before it happens and decide, "Okay, what will be the decision tree on this? How are we going to figure this out if it happens to us?"
Robert Wagner:
Yeah. Again, it's good to do those things, but when it really happens and you're shut down, it gets really real at that point about what are we really...? Things we said we probably would never do, we might do if we're really faced with it. So, in the current environment, what's the defense? I mean, if I'm running a mid-size company or even a nonprofit... I mean, we tell our clients... We feel like too many of our clients feel like they're too small or they're a nonprofit, who's watching? Well, the bad guys are going after everyone all the time. So how do I defend myself against this stuff?
Susan Lindberg:
I think that when you're talking about the governance of a small company or a nonprofit, I think that it really highlights the need for companies or organizations on an industry-wide basis to have some resources available to them. And I think that for nonprofits, I don't know any off the top of my head, but it seems like a good idea if it doesn't exist already within the sector that you're operating, whether it's arts or healthcare or whatever, to find out what resources might be available to you, and also have someone on your board that's knowledgeable, that may be able to point you in the right direction, if you don't have a full-time position available for someone like that.
Robert Wagner:
All right. So where's the insurance industry on how they're thinking about this and mitigating this risk? How can you use your insurance program to help you with this?
Susan Lindberg:
Well, most companies will have a commercial general liability policy, or maybe an all risk property insurance, other kinds of coverage. And there's certainly been a lot of stories about, and even lawsuits about, companies making claims for damages resulting from cyber security breaches.
Susan Lindberg:
And so I would say as a part of analyzing your risk, looking at specific cyber security policies could be worthwhile as this specifically covers. It may still have some exclusions in there, but those types of policies are going to be specifically designed to cover cost to restore your system, fines and penalties, their regulatory or contractual litigation damages resulting from breach, business interruption and all that. So, I always tell people to just ask questions, have an attorney review your policy or someone knowledgeable about insurance review your policy, and see if it matches those kind of concerns that you have or risks that you've identified.
Susan Lindberg:
One thing going back to your planning for your cyber security investments, one thing I think is worth doing is to look at what's the worst case scenario, or not only that, but what kinds of breaches are likely to happen, what kind of risks, what kind of losses are you the most likely to incur? And then what's the cost of the risk mitigation, be it insurance or some technology? And then look at how much of the risk do you get rid of. How do the numbers improve when you look at that?
Susan Lindberg:
That ties into a point I wanted to make too, though, that the cyber insurance market is still really immature because there's a real lack of data. People don't report breaches. The only place where that's not true is probably on the financial and the consumer information. Since there's required reporting, there's a little bit more data there, and so they're better able to price those products. But for other things, the prices are just going up because of ransomware payments.
Robert Wagner:
Right. So, are people using or able to use insurance proceeds to pay ransomware? Sometimes that's going to be much cheaper than remediation.
Susan Lindberg:
Right. Yes, some policies do cover ransoms.
Robert Wagner:
Okay.
Susan Lindberg:
And I have heard that hackers are now targeting the insurance companies so they can get the policies and see what the limits are on that kind of payment.
Robert Wagner:
That's very strategic.
Susan Lindberg:
Yeah. They really are. You do hear of hackers that are hacktivists. They just want to prove a point or have some social cause that they are trying to advance. But lately, the hacks that you're hearing about have to do with just pure profit motive.
Robert Wagner:
Right. Okay. Wow. So, Susan, I want to ask you a question that I've been asking for years now. I think I started thinking about this after the original Target breach or one of the big original breaches. And really isn't about cybers, it's more about individuals and e-commerce, and just how we're going to live in this world.
Robert Wagner:
And the question is, once the bad guys know everything there is to know about us, all of our personal information... So they know my date of birth, they know my social security number, they know my mother's maiden name, they know all my favorite passwords or whatever all those things are, which I feel like, given the number of breaches that we've had, some huge percentage of that data is out there or it's going to be. So once it's all there, how are we going to do business? How is Amazon or PayPal or someone know it's me that's in this transaction?
Susan Lindberg:
I think that you're right. I think they soon, if they don't already, they soon will know all the information that we've communicated online or transmitted online in any kind of a transaction.
Susan Lindberg:
I think that companies can still reliably identify and authenticate customers. I don't think we're going to go back to you've got to show up in person and show your ID. I just don't see that happen. I think that we're permanently past that. Everyone listening is probably familiar with two-factor authentication. If you bank online, you probably are using two-factor authentication. So you have to use your password, but then prove it's you by providing a code that they sent your phone or your email. And that works fine except that if someone has gotten into your phone, then that method of authentication doesn't prove that it's you. It just proves that someone with your password is holding the phone. So, it's really not perfect.
Susan Lindberg:
None of these authentication measures, whether it be in cyber security 101, it's something you know, a password, something you are, so biometric, your fingerprint or your iris or something you have like a token. And I think tokens work pretty well until they get hacked. RSA tokens are good until somebody hacked that. But the answer is two-factor authentication, while it seems like an extra step, I think we're headed towards more, not less authentication. I have heard reports of three-factor authentication coming on the horizon and probably will see other methods of two-factor authentication besides just the phone because hackers are getting around that.
Susan Lindberg:
I don't know if you've seen this, but I think that there's a little bit of a consumer backlash. In other words, once you realize that there are security risks there, I think some people are being a little more careful with the apps they use. I know people who have completely left Facebook because they decided that the intrusion on their personal data or the risk of getting hacked was not worth it. That's sort of an easy example. But also anyone who's looked at all the apps, you can scan your system, your home system and devices for all the apps you've downloaded, which I know they make it easy to do. So it's easy to download an app on impulse, but then you're creating this extra vulnerability. You've put more information out there. If you scan your system for all your apps, I know that I started to be more careful about what I downloaded. It's just not worth the trouble.
Robert Wagner:
Right, right. Yeah. You eventually realize that you are the product, as they say.
Susan Lindberg:
Right.
Robert Wagner:
Right. And who you are and your identity and all things that someone could do if they had your identity. So I guess one question just wrapping up here before we get to our five questions is just about the law itself. You gave us some things that have happened recently. Do you have any, I don't know if this would be your personal opinions, or just where the law needs to go to help primarily companies with this issue?
Susan Lindberg:
I think any new legislation or regulation is going to be most effective if it requires disclosure and if it assigns accountability. I think that private industry probably needs some help in responding to breaches or having resources available for small businesses, like you said.
Susan Lindberg:
But I think transparency is generally a good thing. Companies have been hesitant to report breaches, and there are some laws out there that will protect companies if they share information, because the government wants the information. And so they may help you ensure that your information can't be obtained through a FOIA request or something like that, or that remains privileged, can't be used as evidence, et cetera. I think that if they could still make it a little bit easier and safer, make people feel safer, to provide data, I think that that's going to be helpful.
Susan Lindberg:
But I want to emphasize that the laws are really not the only way to encourage cyber security, and some of the most effective rules have really come out of private industry groups. I think a really good example is the credit card industry. Now you cannot use a major payment card without following the rules. It's called the PCI DSS, Payment Card Industry Data Security Standard, and it was created by all the major credit card companies. And so it's a very strict standard to follow and there are penalties, and these are all private penalties, these are contractual. And so I think that's an example of something that's... Obviously, credit card information still gets stolen, but these rules provide a powerful incentive for companies to put certain security measures into place. You can lose your ability to take credit cards if you don't follow this. So I think that even though I'm in the law business, I would really prefer to see more of this industry self-regulation. I just think that it takes shape faster, it works off economic incentives instead of... More of an efficient way to regulate, because you get people from the industry writing the rules, rather than someone who's not a business-person. And it's time and effort. It's something that is proactive, and so some industries have been better at it. The power industry has been one, and that's been quasi-regulatory.
Robert Wagner:
Yeah. I love that idea. You made a point early about standards, and there's different standards in different industries, and there is a movement to create tools that are easier to use. We have seen that, and at HoganTaylor, we have professionals with some of these certifications around the various tools. But there's some great, basically, software applications being built where you can plug in how you stand up to the various standards for your industry, and it will grade you and give you remediation. So those things are being created to help smaller organizations, frankly, deal with these things, because they're very complex and they do change all the time. So just either hiring a lawyer, or hiring someone internally to keep up with those things, is pretty tough. So the good old free market system is working in some sense of what you're talking about of creating some capabilities for smaller companies to deal with these things.
Robert Wagner:
Well, Susan, I appreciate all of the information. It's very interesting. It's a very complex topic and it's moving quickly, and by virtue of things like ransomware as a service, you can see the bad guys are at it every day, all day. So it's a very timely topic as well. But we do have five questions that we ask every guest. So are you ready?
Susan Lindberg:
Yes.
Robert Wagner:
Okay. All right. What was the first way you made money?
Susan Lindberg:
My first job was dog-sitting.
Robert Wagner:
Okay.
Susan Lindberg:
And my charge was this very anxious whippet named Phyllis.
Robert Wagner:
Phyllis?
Susan Lindberg:
Yeah. She was really fast and she was always getting away from me, and since I wasn't driving yet, I had to chase her down on my bike. And that was pretty challenging. I babysat too, around the same time, and that was a lot easier.
Robert Wagner:
I can just imagine a terrified kid that you've lost the dog. That's good. So if you were not a lawyer, not helping companies with their legal affairs, what do you think you would be doing?
Susan Lindberg:
I think I would have gone into a STEM field of some kind. I think of myself as a creative person and I think that that's a way for a creative person to make a big difference, to go into science, technology, engineering, I guess art. I guess it's really STEAM.
Robert Wagner:
Yeah. I've heard that. Yeah.
Susan Lindberg:
Yeah. I probably wouldn't have gone into the M, the math part, but the others, or something.
Robert Wagner:
So you'd have taken what I assume was a cardboard computer or something when you were a kid and turned that into something. Right?
Susan Lindberg:
Exactly.
Robert Wagner:
Right. All right. Susan, what would you tell your 20-year-old self?
Susan Lindberg:
Getting the right answer is important, but making straight A's in school is only going to get you so far in life. You really need to ask more questions, and also learn how to ask really good questions.
Robert Wagner:
Okay. All right. Were the A's pretty easy for you?
Susan Lindberg:
I wouldn't say easy, but I probably worked too hard for them.
Robert Wagner:
Okay. At the expense of other things, maybe. All right. So what will the title of your book be?
Susan Lindberg:
I think that a biography title, even if it's an autobiography, may be better bestowed by someone else, like a nickname, and hopefully by someone who has some respect, but one of my theme songs has always been Don't Stop Believing, so I think that might make a good working title at least.
Robert Wagner:
Good. So how does that play out for you? Why is that meaningful to you?
Susan Lindberg:
No, I really like to take on challenging things and sometimes I have some naysayers and I just have to keep believing.
Robert Wagner:
Yeah. Okay. All right, last question. So what's the best piece of advice you've ever been given?
Susan Lindberg:
One of my early mentors had been in the military and he always liked to tell me, "Fly low so you can dodge the bullets."
Robert Wagner:
Okay.
Susan Lindberg:
And I'm still not quite sure what that means, but I know coming from him, it was really good advice.
Robert Wagner:
Okay. Okay. Do you feel like you have bullets flying at you?
Susan Lindberg:
No, I must be flying low, because...
Robert Wagner:
Okay. That's awesome. Well, Susan, thanks so much for being with us. So if folks want to find out about your practice, particularly your cyber security practice, how can they get ahold of you?
Susan Lindberg:
You can find my information at www.gablelaw.com. That's G-A-B-L-E-L-A-W.com. And we would love to talk to you about what we do every day.
Robert Wagner:
Yeah. All right. And I would remind listeners as well that HoganTaylor does have a very active technology practice, and we have, as I said, folks that are certified in the cyber security area that can help out as well. So thanks for listening, and Susan, thanks for being with us.
Susan Lindberg:
Thanks very much.
Robert Wagner:
That's all for this episode of How That Happened. Thank you for listening. Be sure to visit howthathappened.com for show-notes and additional episodes. You can also subscribe to our show on iTunes, Spotify, Google Podcasts or Stitcher. Thanks for listening. This content is for informational purposes only and does not constitute professional advice. Copyright 2021 HoganTaylor LLP, all rights reserved. To review the HoganTaylor general terms and conditions, visit www.hogantaylor.com.