Welcome to Season 2 and Episode 13 of the Building a Life and Career in Security Podcast.
Today’s guest is Nick Merker.
Nick started his career in IT and security, but then went to law school at night. Now he is an attorney combining his knowledge of security with the law. Nick is currently an attorney with Ice Miller.
Nick Merker: When you want to buy cyber insurance, you really have to look at each policy, actually read each policy, and understand what coverage you are getting, and maybe work with an insurance lawyer, probably, to understand what type of coverage you are getting, because it really is the Wild West. Each policy is very different from the next one.
Male: From the JaySchulman.com studio, this is the Building a Life and Career in Security Podcast. Now, your host, Jay Schulman.
Jay Schulman: Hey, it is Jay, and welcome to Season Two of the Building a Life and Career in Security Podcast, the podcast where you get to hear other information security professionals' career journeys. Thanks for coming back to the winter semester. If you missed season one, I encourage you to start with my season one master class episode from December, which walks through all of our guests. If you'd like to keep up to date with the podcast, text "security" to 33444 to be added to the podcast mailing list. It is just going to capture your email and not your phone number. No one is going to be texting you, I promise. To kick off season two, I really have an interesting guest, Nick Merker.
Nick started his career in IT and security, but then went to law school at night. Now he is an attorney combining his knowledge of security with the law. Here is Nick's journey.
Nick Merker: I started as a systems engineer with a very small internet service provider in my hometown at age 14. I actually volunteered; after school I would go until 8 o'clock at night and kind of learn the ins and outs of systems engineering from a good friend, Kevin Astry, who actually was on your podcast a couple of weeks ago, I think. From there, I didn't really care about security, and I worked at the local internet service provider for a while. Then I went to the University of Illinois and started working at a bioacoustics research lab as a systems engineer again. Again, I didn't care about security. It never was on the top of my mind. I was just in Linux and Solaris boxes, kind of poking around, making sure things would work for people that needed it.
It wasn't until maybe a year into that position that we were hacked pretty badly and some research data for one of the graduate students was lost. A hacker came in and, I don't know why, but his goal was to just trash the system that we were using for research. This person lost some research data that wasn't being backed up as frequently as it probably should have been. It was at that moment, when I was a sophomore, I guess, at the University of Illinois, that I started to actually care about security and realize that this is a very big issue in computing. It is not enough just to make infrastructure work. You have to also protect that infrastructure from unauthorized third parties, and I learnt that the hard way.
It was from here, after I graduated with a computer science degree at the University of Illinois, that Kevin Nastry again brought me up to Chicago to work for Classified Ventures, probably better known as Cars.com. I worked there for a while as a systems and network engineer, and then I led our information security team from a corporate perspective. That was incredibly interesting for me because I started being able to … Cars.com was broken out into multiple verticals with different systems infrastructure. There was a Linux group. There was a Windows group, and there was a Solaris team as well. I was able to apply security concepts across all of these different environments, and it was an interesting challenge.
It also was my first kind of corporate experience as well, because coming from the bioacoustics research lab and a small internet service provider, I really didn't have any of that corporate kind of politics stuff. It was just a very interesting and exciting experience for me as a young information security person. I decided that while I was there, I wanted to get another degree, and I didn't really know what I wanted to do, but I decided to go to law school at the time. I was working full time at Cars.com and then going to law school part time in the evenings. When I graduated from there, I got a position at IceMiller in Indianapolis, where I am today.
I eventually started a data security and privacy group at IceMiller with the goal of, "Hey, I have this technology background. I have this legal experience now. I think I can kind of be a nexus between an information technology group and a general counsel's office, because I am sure you've worked with lawyers before. There are very few lawyers that have a technology background. I think my differentiator is I can come talk to your IT folks. I can talk to your information security folks. I can see these bulletins that come in that kind of scare most general counsel's offices about the latest data breach at some place, and kind of understand whether the exploit that happened there would have any impact on your company." Being able to take the shock value news and try to turn it into something tangible for a client.
That's kind of where my career started and has ended up, and I am still playing kind of a legal role here at IceMiller.
Jay Schulman: It's just a fascinating combination, and I've seen it myself as I've kind of read through regulations that we all have to abide by, HIPAA, Gramm-Leach-Bliley, and things like that. Security people were often placed in that role of having to pretend to be an attorney. Here you are, kind of with the same security background, and yet you are actually a real attorney. Can you talk a little bit about kind of the relationship between being a lawyer and a security guy?
Nick Merker: Yeah. I've joked with some clients before that sometimes I feel like I am playing the role of a divorce attorney at some companies, because generally, between a general counsel's office and an information technology group or a security group, you are speaking different languages. The general counsel's office is trying to say how important this compliance stuff is, and information security folks are saying, look, we don't want to spend our money in that area because it doesn't have value to us, or whatever. When they are speaking different languages, they often butt heads. When I come into an environment, I understand where both sides are coming from and try to get them to meet in the middle and get something that's a value add for the company from a security perspective that also mitigates whatever concerns the legal folks have.
I often just sit in the middle and translate from one side to the other and help create policies and procedures and implement security controls that make sense for a company in that way. Also, kind of another thing is that there are a lot of folks in information security that come in and do kind of gap analyses and vulnerability assessments. Sometimes that isn't cloaked in privilege. A general counsel's office sometimes will hire me to come in and help them procure that consultant that wants to do the gap analysis. Also, when I am directing the work and I am commenting on the work and providing value there, whatever I am doing is hopefully protected by attorney-client privilege, where a gap analysis from a consultant might not be.
For example, an information security consultant finds a massive vulnerability at a company and recommends a security control that may cost $1 per laptop. Let's say there is a massive risk: you don't encrypt your laptops. We recommend that you clip your laptops to your desks so they can't be stolen. Those clips are $1 per clip, let's say. The company decides, "Look, we have 5000 laptops. I don't want to spend $5000 on this," and that goes into a file somewhere. Now let's say you have a breach related to stolen laptops, and that file now contains a report that says you could have mitigated that risk for $5000. That's not great from a litigation standpoint. Hopefully, when I come in and help you do those assessments, whatever I do is cloaked in privilege. The hope is that that type of report wouldn't be discoverable.
Jay Schulman: If only all of our vulnerabilities were fixable for a dollar a laptop. When you entered law school, you had your preconceived notions of information security, this is how you do security, and all of those things that you'd kind of had from your initial experience. Then you go through law school. Did law school change your perspective on how you viewed either the role of being in information security or how people should be securing their networks?
Nick Merker: For me, no, because it is all about really doing a risk assessment and assessing risk in a way that makes sense for a company. I think I knew that before going into law school, but I think law school only hammered that home, because a lawyer, not a technology lawyer, not anyone involved in information security, just a lawyer's role is to assess risk for a company and help a company mitigate that risk where they want to. I think an information security person's role is the exact same thing. It just reinforced that identifying and assessing risk is kind of my bread and butter.
Jay Schulman: When we first met, you brought something to me that I certainly didn't have a lot of background in, and it has paid off a lot for me personally. I'd like to talk about that a little bit, because I think that everybody here would appreciate that education as well. It is around cyber insurance and that misconceived notion that I had that you just go out and sign a cyber insurance policy and your company is protected. I think part of the goal of the podcast is to show people's careers, but also to teach them something in the information security career as well. I think there's a huge gap a lot of information security people have, and amazingly, with your role as an attorney, you have this really unique perspective. Can you talk a little bit about some of the misnomers of cyber insurance?
Nick Merker: Yeah, definitely. It is an exciting area for information security folks and insurance folks. If you have a fire in your office, you would know immediately, and you talk to an insurance lawyer about how you are going to cover that fire. Your insurance lawyer will immediately know what policies apply and be able to point you in the right direction, probably without even reading your policy, and know whether that's going to be covered or not, because the standard CGL policy and errors and omissions insurance policies have been around forever. That is not the case in cyber risk insurance policies; each insurance provider writes their policy differently.
There is no standard form. There is no standard language, and some insurance providers have policies that completely conflict with one another. One policy looks completely different than a very similarly named policy that they are providing as well. It is interesting because there's not any standard language. We looked at policies where there is a key definitional term that just fades away halfway through a sentence. The sentence just isn't finished. Because of that, we are not really sure what the coverage is. If that type of stuff is happening in cyber risk insurance, it is really the Wild West out there. What coverage you are getting for what policies you buy is not immediately known.
There are stories, ones that we've not worked on, but there are stories of cyber risk insurance policies that were completely written for electronic data and electronic communications being applied to paper records, just because definitional terms are not defined properly and you can read them to include paper records as well. It is just a very, very interesting market out there.
Jay Schulman: Is there a resource that you can recommend for people who want to kind of get up to speed in this area?
Nick Merker: I don't know of any offhand, and I've gone to many presentations and talks about cyber insurance and the risk out there, but I don't know of just any book you can pick up or blog you can read about cyber insurance. When you want to buy cyber insurance, you really have to look at each policy, actually read each policy, and understand what coverage you are getting, and maybe work with an insurance lawyer, probably, to understand what type of coverage you are getting, because it really is the Wild West. Each policy is very different from the next one. What you think might be covered may not be covered. An insurance lawyer I work with has this joke: when people buy insurance, their broker sits down with them and puts three different options in front of them.
You don't want to be the cheap guy, so you always buy the second cheapest option. He says it is like buying wine at a restaurant. You don't want to show the table you are going to buy the cheapest bottle. You buy the second cheapest bottle. He says people buy insurance the exact same way, and you can't do that with this cyber risk insurance, because the policies are just so wildly different.
Jay Schulman: I imagine that there are probably a lot of things that people buy exactly like that. That's very interesting. Thinking primarily about students, I think, or maybe people early in their careers, you can pivot in so many different directions. There are now master's degrees in information security. There are a wide variety of certifications and additional education that you can get to kind of further your career. You took this pivot to go to law school. Turning back around and giving advice to your younger self, or to all the people listening who are at that pivot point, would you recommend going to law school again? Could you kind of weigh some of the pros and cons of what you did?
Nick Merker: I would do the exact same thing again, and I would advise my younger self to do it earlier. If I can give advice to anyone considering going to law school that has a technology background, I think it is good to do the part-time approach that I did. If you can keep a full-time technology career while going to law school at night, at the end of law school you'll graduate with that real-world technology experience that will set you apart from other attorneys in the space who don't have that. One negative, though, is that with that approach you don't have the standard summer associate type of experience that a lot of law school graduates have, which some big law firms look for.
I think my technology experience is something I would never give up. I think it really sets me apart from other attorneys that try to practice in this space.
Jay Schulman: Oddly enough, I teach a lot of continuing legal education classes, go figure. I know that there are some requirements to continue your legal education. On top of all that, trying to keep up with technology and security is in and of itself a challenge for many people. How do you balance trying to keep up your legal knowledge with also trying to keep up your security and technology knowledge?
Nick Merker: That's a great question, and I identified that issue when I first started as an attorney. I double dip. I am a trainer for the International Association of Privacy Professionals, where I train their CIPT program, which is a Certified Information Privacy Technologist program. When I train that, I have to stay abreast of the current privacy and data security laws concerning the materials that I am training people on, but I always talk about real-world situations or hypotheticals that get people in the audience talking about technology issues, so I can stay abreast that way. I also go to conferences as often as I can and try to just stay knowledgeable that way.
I am not practicing in technology so I’ve accepted that 5–10 years from now, I will have a bigger technology gap than I do today but I am doing everything I can to try to stay on top of that by being out there and teaching materials and going to sessions where I can learn from others.
Jay Schulman: You actually mentioned two things that I think are really interesting, and maybe as a lawyer you have an interesting perspective on that. In some worlds, privacy and security are in fact the same thing; in some worlds and some organizations, privacy and security report up different chains and on an irregular basis. What's your kind of view on the intersection of privacy and security?
Nick Merker: That's another great question, and it depends on the size of the organization and what industry you are in. If you are a massive organization, I think that privacy and data security have to be distinct disciplines. They overlap, and if you look at the key principles of privacy, and if you look at privacy laws, one of them is protecting information, implementing commercially reasonable security safeguards to protect information. That's one area that you have to address, but privacy cares about so much more than that. They care about providing notice to consumers about what information you are collecting, how you are going to use that information, and whom you are going to disclose that information to.
What I usually say to highlight the distinction in the classes that I train is, with security you really don't care about how you got the information. You are given a mandate of: I have this information asset that I need to protect. I am going to assess the risks associated with it and implement security controls to mitigate that risk. With privacy, how I got that information and why I have the information is the first question that I ask, because I don't want to have that information if I don't need it. Why did we collect that information is always the first question that I ask.
Two kind of distinct drivers, and you see in privacy and security there are sometimes where there is conflict between the two. In a security situation, if an HR department is about to terminate someone, a security person may want to monitor that person's activity before the firing and after the firing to make sure that no information leaves the company; however, the privacy person may say, hold on, we don't want to monitor this employee's traffic in our environment. We don't want to look at their emails and such unless we absolutely have to, because we don't want to invade that person's privacy. There are conflicts there that have to be addressed by the company.
If you have both disciplines reporting up to the same person or within the same organization, that conflict isn't assessed appropriately.
Jay Schulman: If you just zoned out, for whatever reason, on that answer, go back and listen to it. I think you did a fabulous job, Nick, of kind of explaining how different they are and yet how much overlap there is. I thank you for that. Two last questions that we ask everybody, I'll ask you. Thinking back to your career so far, has there been a decision that you really agonized over, but looking back, man, it was absolutely the right thing to do?
Nick Merker: Yeah, for me it was when I started as an attorney. I actually started doing patent and just general intellectual property work. I was doing computer science based patent applications. I still do some of that work and I enjoy it, but I didn't get into data security and privacy until maybe a year into being a lawyer. Our law firm didn't have a … We did this work, but we didn't have a group set aside to do data security and privacy and really focus in on that area from a business development perspective. When we created that group and really pushed to get out there and kind of highlight our technology experience within the firm, I think it has really worked out well for us. I think we are serving our clients well in this area.
Jay Schulman: The last question that we want to ask everybody is, thinking back through your career, is there something that you'd want to do over, and next time do it better, do it differently? Is there an example of something like that in your career?
Nick Merker: Definitely. I think this is something that I still see in companies today. When I first started out in information security, I employed what I call check-box security. I had a set of security controls out there that people were implementing, and I just had a checklist and I went down my checklist. I implemented the things that were on that checklist without really thinking about why I was implementing them or what risk I was trying to mitigate. I would never do that again. I hope that no companies will do that. Now I really advocate that companies have to do a risk assessment and mitigate what risk they want with security controls that make sense for them, rather than just trying to check a bunch of boxes.
Jay Schulman: Outstanding. Hey, thanks for coming on and doing this. I think it is really unique to have somebody with this legal background; certainly today I don't see that as prevalent as many other kinds of combination degrees. With that said, if people are interested in reaching out to you for legal advice or for career advice, where can they find you?
Nick Merker: I am Nick Merker, [email protected]; also @nmerker on Twitter.
Jay Schulman: Right, thanks for joining us today.
Nick Merker: Thanks Jay take care.
Jay Schulman: Thanks, Nick. Nick can be hugely valuable to the information security community. We have such a small number of people who understand both security and the law as well as Nick. Thanks again, Nick. Thanks for listening. If you'd like to keep up to date with the podcast, text "security" to 33444 to be added to the podcast mailing list. Again, I promise you no one will be texting you other than just to get your email address. Thanks again, and talk to you next week.
Male: Thank you for listening to the Building a Life and Career in Security Podcast with Jay Schulman. For more information and to subscribe, go to JaySchulman.com.