A Q&A with Melissa Ventrone of Clark Hill
Melissa Ventrone, a cybersecurity, data protection, and privacy attorney with Clark Hill, got her start in the Marine Corps where she served for 21 years and specialized in logistics. This training serves her well today, when she helps clients navigate the complex, time-sensitive process of responding to and remediating cyber incidents. We talked to her about her unique background, the threats she’s seeing on the ground, and her predictions for cybersecurity in the coming months.
Can you describe a pivotal moment or decision in your life that had a significant impact on where you are today? What lessons did you learn from that experience?
Without a doubt, going into the military was a pivotal moment. I went to college for one year on a music scholarship, and I just wasn’t academically or psychologically prepared to focus. If you live in Illinois and enlist, you get free tuition to any state school, so after that first year, I decided to take a break from college and enlist in the military.
After four years, I completed active duty and stayed in the reserves. I went back to undergraduate study and the difference was huge. I still remember getting my first transcript when I went back—I was so anxious that I was holding the envelope up to the light and trying to read the contents from the outside. My mom finally opened it for me, and I was shocked to learn that I got all A’s. The military helped me get my head on straight and develop not only the discipline, but the confidence and belief in myself I needed to accomplish whatever I set my mind to.
I went to law school and shortly after I got my degree, 9/11 happened. I was commissioned in the Marine Corps as a logistics officer and had a few deployments before coming back to the States and starting my career as a cyber attorney.
How has your military background and experience affected your career and/or the work that you do now with Clark Hill?
I was deployed in Afghanistan as the executive officer or number two for a maintenance unit. We did the secondary repairables—vehicles that were blown up on the battlefield across all component areas. Before that I had been working in a small law firm. After I was downsized illegally, I was considering leaving the legal field altogether and focusing on logistics.
I already had an offer to work as a logistician in Stuttgart, Germany. One day I got an email forwarded from an attorney in Chicago, who was looking for a chief of staff or executive officer who was licensed in Illinois and could focus on privacy and cyber. I sent in my resume and we had a 45-minute phone call. I had to explain that we were on a DNS service and there would be a delay when I was speaking, that it might cut off, and I would contact them to finish the interview.
When they sent me an offer, they said they appreciated that I had military skills and experience but that I could also translate my knowledge to civilian speak. Now that I am working on the civilian side, I really do think the military has benefited me in many different ways. One is that while I understand that cyber attacks are stressful for organizations, it’s not as stressful as being deployed in Afghanistan, so it’s a matter of perspective. It allows me to be calm and reassure my clients that they will be fine and we will get through it.
My experience in logistics taught me that it’s really all about getting the right people together on the right team. Cyber and privacy work is essentially the same thing. I’m really lucky to find a job that was so synergistic with my military experience.
If you could share one piece of cyber advice with any stakeholders doing business today, what would it be?
Go on a data diet. If you don’t need it, don’t keep it; don’t collect it. It’s kind of like the clothes in your closet. If you haven’t touched them for several years, then box them up and put them in storage so they’re not in your house. Same thing with data. We may have legal obligations to maintain or keep the data, but if it’s been several years since you touched it, archive it and move it off your main systems. Once the reason to hold the data has expired, you no longer need to keep it at all.
You’ve continued to move forward, and your data-keeping practices should reflect that. At the end of the day, audit your document retention policies and eliminate what you don’t need.
Looking at the evolving cyber landscape in, say, the next year or two, what do you expect will change or continue to change? What do you expect will stay the same?
Attackers are going to continue to change their tactics. The early attackers who started off with ransomware would hack in and encrypt systems. We didn’t have adequate backups, so there was no choice but to pay a ransom. Then organizations started to have adequate backups, and now when the attackers get in, they steal data and threaten to publish it and use that leverage to extort victims.
We’re going to continue to see attacks get more expensive and more damaging because it heightens the value of what the attackers are doing. We will continue to see data be taken and released on the dark web. It’ll be interesting to see how the geopolitical context affects the cyber attacks that we see within the U.S. and other well-established nations—particularly who funds the attacks and why.
What are some of the most common mistakes and/or misconceptions you find when dealing with clients who experience a cyber incident?
Often clients think that if there’s a breach in their email, they only need to change the password. They don’t really look at the root cause or systemic issues causing the incident.
Clients also don’t understand how pervasive data is throughout their system. It’s not in file cabinets. It’s not stacked in boxes. You’re not paying rental storage for it. And so the amount of data that we have today blows away the amount of data that we’ve had in the past, and it just continues to proliferate. When they get involved in a security incident or have a cyber attack, clients are quite surprised to learn how much data could be compromised.
Lastly, most clients are quite surprised by the time and cost involved in incident response and recovery. The media pushes this concept that if my data is compromised, you should notify me tomorrow. And it’s just not that easy. Think about how long it takes you to read through a document. Now think about millions of documents that you have to read in order to identify the personal information. It’s a long and complex process.
What is one thing you wish more people knew about your firm?
Well, there are a few things! Clark Hill is a very entrepreneurial firm dedicated to serving clients in the best manner possible. It allows our attorneys to be creative in how we approach and service our clients, bringing them additional products—like in-house crisis communications, data mining and other services—that will actually help them face their privacy risks and respond to incidents.
We view ourselves as partners to our clients and we look to provide a diversity of expertise and diversity of backgrounds on our team. One of our specialty areas is the public sector. We work with municipalities, governments, and government contractors.
We are very, very good at keeping our clients out of the news. When a client has a cyber incident, we go into the situation focused on putting the client’s best interests first. An example is when we saved a recent client $17.3 million on the cost of avoiding a mailing when we determined that there was no forensic evidence of a suspected data compromise. A previous attorney had told them otherwise but we could confirm that it was not necessary to notify customers.
Finally, another thing that sets Clark Hill apart is that we have offices in Mexico City and Dublin so our reach is truly international.