
Intro 0:01

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage we will debate, evaluate and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels 0:21

Hi, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified information privacy professional providing practical privacy advice to overwhelmed companies.

Justin Daniels 0:36

Hello, Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

Jodi Daniels 0:53

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, ecommerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, and to check out our new best-selling book, Data Reimagined: Building Trust One Bite at a Time, visit You know what I realized in my introduction this morning, I have a lot of P’s. It’s like Peter Piper picked a peck of pickled peppers. Have a lot of those in my introduction? I bet you can’t do that. Peter Piper picked a peck of pickled peppers.

Justin Daniels 1:48

I wouldn’t even try.

Jodi Daniels 1:52

Okay, we can get back to our topic today.

Justin Daniels 1:54

I know I can’t believe it’s now going to be December. Indeed, I know. But we’re gonna head to your one of my favorite and interesting topics today which Jodi is becoming an expert. The blockchain. We’re excited this morning to have with us Zenobia Godschalk, who is the founder of ZAG Communications, SVP of comms at Swirlds Labs and driving adoption of Hedera, the greenest and most used distributed ledger on the market today. Hello.

Jodi Daniels 2:29

How are you guys? Well, we’re good. We’re gonna Justin’s having a field day today. It’s a busy day for Justin.

Zenobia Godschalk 2:38

Sun every day, it’s a busy day for you, too.

Jodi Daniels 2:41

It’s a busy day for everybody. We’re all busy with our own little universes. But today, we’re going to talk about blockchain universe. So we always like to start and understand how people got to where they are today. And Zenobia if you can walk us through how your career evolved to your current role.

Zenobia Godschalk 2:57

Absolutely. So there are going to be some sharp left turns on this journey. I think, you know, a lot of people, you know, get asked what they want to be when they grow up. And they keep getting asked that when they graduate from college and things like that. And you know, one of the things that I have learned along the journey is that probably the most interesting things you will do are things you have not expected that you will do and you know, if you’re open to that, and letting the journey just unfold, it can be very rewarding. So my background, when I graduated from school, I went to work for Intel in finance. My degree is in economics and industrial engineering. And while Intel was a great training ground, there were very prescriptive things about what they wanted you to do. And you had a small role. And when you were done with that job for the day, that was great. And that was a little bit too boring for me. So I was introduced to a woman who is running marketing at a company called They were one of the first companies selling digitally downloadable software, crazy concept. In 1999. I went to work for them in marketing and doing some marketing analytics. From there, I was recruited to a company that at the time was called Loudcloud. Started by Marc Andreessen and Ben Horowitz. We grew that company, we actually sold off part of the company to EDS, changed the name to Opsware and I ran communications for the company. We eventually sold that to HP. And fortuitous timing, my then boyfriend proposed, now husband, and he was living in Atlanta, so we thought it was probably best to live in the same city. And I came to Atlanta. At the time, there was not a lot of tech in Atlanta. So I had had some conversations with a few software companies that were here but they were you know, they were few and far between. So I took a role as a sell side analyst for an investment bank here in town covering of all things Internet security and infrastructure. 
And while Loudcloud had been an infrastructure play, that was really my first introduction to the world of cybersecurity. And it was actually a great training ground, we at the time, produced an annual report of all of the private cybersecurity companies in the space. When we did that, there were about 700 of them. And as you both know, you know, today there are probably what 5000 of those companies. So the industry has grown quite a bit from there. But I pretty quickly realized that while I was getting a great education in cybersecurity, I did not want to be in investment banking. And so I went back to PR and investor relations started that communications and grew it from there. So ZAG still runs today, there’s a team of about a dozen folks who do full stack marketing for cybersecurity companies. And in 2015, we started working with a duo of co-founders who had come out of the identity world. So Mance Harmon and Leemon Baird, Mance was in the office of the CTO at Ping Identity. And both of them had a cybersecurity background. But they started talking to me about this concept of shared worlds and how something called the distributed ledger could help us with this next phase of computing, where you would get to sort of control who is part of your world you would get to control who is you know, it’s a shared infrastructure. So it’s not owned by a singular entity, like a Facebook or a Google. And you could sort of carve out your own piece of cyberspace. And that really appealed to the security side of me. And then things grew from there. So initially, the company was called Swirlds and focused on private permissioned blockchain or private permissioned ledgers. In 2018, we launched Hedera Hashgraph, which is a public distributed ledger. And so from there, we have grown on this journey. There’s now an entire ecosystem supporting Hedera. 
First and foremost, driven by the people building on top of the platform, building some amazing applications and infrastructure and bridges. There is the Hedera Governing Council, which oversees the governance of the network and the direction of the network and runs the initial network nodes. And there’s an HBAR Foundation that does grant giving for applications building on top of the network, and then Swirlds Labs, which is responsible for still most of the engineering development of the network and related activities in support of just growing the overall Hedera ecosystem.

Jodi Daniels 7:52

Like how you described all kinds of left turns it, it isn’t really fascinating set of twisty tartans I think that you’ve had because I can see how some of them are all interconnected. It’ll be fun to see where it goes next.

Justin Daniels 8:06

Are you looking at me strangely, or not? So speaking of Hedera, can you educate our audience a little bit about what is Hedera? And how is it different from other blockchains? Like, say Ethereum?

Zenobia Godschalk 8:21

Sure. So Hedera is layer one network similar to Ethereum, or other layer one networks, I think there are technical differences. And then there are governance differences. And both of those things are important. So Hedera has always been built with security in mind. It is aBFT, asynchronous Byzantine fault tolerant, I won’t get into all the details of what that means. But in terms of resilience to DDoS and other attacks, that was very important to Leemon, you know, from day one, it is fast, it is not designed with proof of work mechanism, which actually forces the blockchain to slow down, it’s designed with something called leaderless proof of stake. So it can be fast, and it also, again, less susceptible to attacks. And then another big concern was, you know, you hear a lot about the energy consumption of different blockchains. And we wanted to make sure and Leemon really wanted to make sure that the energy required to put transactions on the network would not be detrimental, essentially, to you know, to the environment would not be highly energy consumptive. And again, because it’s not proof of work, because it is this leaderless proof of stake. Hedera is actually carbon negative network. So we buy a couple $100 worth of carbon credits every quarter and that is enough to make up for the amount of energy used by the network. If you think about, you know, transactions on for example, the Visa network, it would take over seven days. As you know, it would take over 70 transactions on Hedera to use the same amount of energy as one swipe of your Visa card. So super energy efficient. Those are the technical aspects on the governance side. Mance, who is Leemon’s co-founder and the co-CEO of Swirlds Labs, realized that if you don’t build in place a governance model to ensure ongoing distributed government governance, you will have entropy, and you will have sort of a reversion to the mean. 
And you will end up having small groups or cabals of, you know, people who run networks, I think you saw before, you know, before China banned Bitcoin mining, China owned, you know, 80% of the hashing, right? That’s, that is something that probably was not designed for, but as an unintended consequence of not having strong governance. So Hedera is governed by a governing council of up to 39 of the world’s largest enterprises and other organizations like research universities. And the goal of that is to really say, hey, these guys, first of all, they’re not going to collude, right, there’s no reason why someone like a Google and a Boeing and an IBM first of all, they’re in completely different industries and geographies. And, you know, Shinhan Bank in Korea and Standard Bank in Africa. You don’t want them to collude, you want them to bring diverse viewpoints, and you want them to have big enough brands where doing anything that would be, you know, harmful to their reputation is just not worth it. Right, their brand stand alone is worth so much more than their participation in the network, that they’re not going to be incented to do bad things. So the governance model is very different. It does mean that things work a little bit slower in terms of, you know, changes to the network, because there is that discussion, there is that debate there is you have to come to consensus. But it also means that you have designed from day one, very, very distributed governance, so that governance will never fall to a small handful of people.

Jodi Daniels 12:13

Not that entire point of what we just discussed. But one of the things that I think is so interesting is the carbon offset, as I was doing a little bit of some Black Friday, or Cyber Monday or cyber weekend sale shopping, one of my companies I bought from then, you know, emphasize they do carbon offset, and I got a whole separate email about my contribution and how I was helping, and I’m thinking how you could apply this going forward. And not only my transaction, and you know, how its packaged and the environmental impact of just that delivery piece. But you could have this piece as well, and how it will help also from a marketing standpoint.

Zenobia Godschalk 12:52

Yeah, and I think, you know, one of the key tenets of our philosophy is we do believe that the, you know, the balance sheet of the planet will live on a public ledger, right? So it is great that you were able to participate in that and that you were able to say, yes, I’d like to purchase a carbon offset. How do you as a company then prove, Hey, Jodi, that same carbon offset that I sold you wasn’t also sold to someone else, right, there wasn’t a double spend that tree that, you know, in this part of the farm is not also being allocated to Delta Airlines or someone else who wants to buy a bunch of carbon offsets. So I think there’s both the idea that these systems have to be green, and they have to be energy efficient, but also that they can bring a new level of accountability and transparency to some of these initiatives, because everybody wants to participate, right? All of these companies want to participate, and they are early in their journey. But as they start to mature, we’re seeing them say, wait a minute, I do need to have that accountability. And I need to have that proof, not only for my auditors, but also for my consumers that what I’m telling them is true.

Jodi Daniels 14:03

That makes a lot of sense coming from the former financial statement auditor. So you know, security and I talked about privacy all day long. And a lot of times, it’s a challenge. It’s hard for companies to figure out how to incorporate these principles, these concepts and these requirements. Why do you think cybersecurity is a persistent problem in blockchain?

Zenobia Godschalk 14:28

So I’m not sure that it’s actually any more a persistent problem in blockchain than it is in any other type of software. So, you know, as you know, software is built by humans, humans are fallible. We have not yet sort of shifted left, right, the internet was sort of built on the premise that people would use it to do good things. Turns out, you know, the underlying premise should have been assume everything. Everyone will do anything bad, but they can. So I think in some ways, we’re actually early we are further along that journey with blockchain, because people came into it with the awareness of people are going to do bad things. Right now, humans are still building all of the software, and it is much more public for people to see those flaws, right? They’re being exposed as they happen. They are, you know, a lot of these networks are public, a lot of the bridges are public, everything that people are using is public. So there is, you know, they’re sort of failing in public, but probably not at higher rates than software failed in private in enterprises early on. I do think, you know, anytime you inject a huge amount of capital and wildly fluctuating valuations into a system, there is going to be more incentive for hackers to say, let me go tinker around with that and see what vulnerabilities I can find. But that doesn’t mean that the software is any less secure than previous things that came before it, it’s just that it’s got a wider set of folks taking a look at it and making it a target early on. So ideally, you know, that means that we can get to a place of a higher level of security in blockchain faster than we did in some previously closed systems where you know that those things would happen that you wouldn’t care about it. And so you’d have one organization vulnerable to one kind of an attack, and then the same, you know, the same attack being able to be applied to other closed systems.

Jodi Daniels 16:34

Mr. Security, man, let’s say you,

Justin Daniels 16:36

Let’s say me, I think Zenobia makes a good point, where I struggle a little bit more is, I like to see the contrast, as Zenobia you talked about Hedera. Security was a primary consideration in building the network. I don’t know that I can say the same thing. When I’ve done a deep dive on how Axie Infinity got hacked? Basically, it was transaction speed. How do we get there? Well, we’re just gonna have five out of nine validators. But yeah, once you hacked, actually, you got to all five, and they needed to scale quickly. And I think that’s, there’s Zenobia’s point, that’s not just a blockchain problem, but it really rears its head when you have a system that’s completely dependent upon

Zenobia Godschalk 17:21

code. Yeah. And I think, you know, the good news is, in this space, there are a lot of published papers, a lot of the code is open source, people can go and look at, you know, not only what are the values that the projects are presenting, but you know, really, how are they built? Right? So it is hard because there is an onus on the users and the developers who are building on this platform to say, Okay, I really have to think about at every layer, and with every technology that I’m integrating it has security been first and foremost.

Justin Daniels 17:56

Well, kind of continuing on this theme around security and blockchain is, you know, someone who’s dealt with venture capital companies. I’d love to get your perspective on how you think venture capital will start having more and maybe different kinds of security requirements for blockchain companies.

Zenobia Godschalk 18:15

Yeah, I mean, I think, you know, the, and the silver lining to any kind of freeze or slowdown in funding is that due diligence can be applied in a much more thoughtful way than perhaps it has been over the last few years, right, when you read about some of these deals and how they happened, and what a lack of due diligence, as you know, has been, has been shown, I don’t think companies will be able to get away with that, right, they are going to have to demonstrate their security practices, we are starting to see even sort of more traditional audits and traditional standards being applied. And some of these companies coming to maturity where they’re saying, okay, great, you know, now I can apply things like, like ISO and other best practices. So I do think VCs are going to ask for that a lot more. I think you’re also going to see them say, wait a minute, I need to understand that. The, the fundamentals of the business and they need to align with the, you know, the, the, the laws of physics still apply, right? So all of the things that used to apply still apply, for example, in blockchain for a long time. You know, there was not a question from VCs about, okay, what is your underlying cost of goods model? So, if you tell me that you’re building on blockchain X, and their cost of transactions fluctuates with the cost with the price of the related cryptocurrency. I tried to run this by my dad who’s a former CFO and he was like, You mean to tell me that my cost per transaction today could be five cents and my cost per transaction tomorrow could be $100. And I as both the VC and then also the CFO greenlighting this project, I’m just supposed to say yes, that’s fine. That doesn’t make any sense. So I think you’re gonna see VCs apply a different level of rigor in terms of, okay, how is your business model structured? 
And that goes to everything from, you know, the cost of goods, the cost of transactions on networks, and, you know, the security audits across the board, I think we’ll just see a deeper level of due diligence.

Justin Daniels 20:33

Why do you think? I’m hopeful that Zenobia is right. Unfortunately, where I struggle a little bit is having handled ransomware events for multiple venture capital or private equity firms. Their desire to change their ways after they’ve had the first ransomware event. They seem to struggle with it, because it’s a cash outlay. And I think it’s almost like, remember, when banks used to start charging for ATM fees, and the first bank got pilloried? And then all the other ones did the same exact thing. Yeah, that’s what I’m kind of thinking will happen here. Because I look at the venture capital firms and the investors as an economic incentive way to put pressure on companies to build security by design, because it’s going to be required to get investment. That’s what I’d like to see happen. I just don’t know that we’re there yet.

Zenobia Godschalk 21:31

And I do think, you know, in the DLT space users are, you know, they’re not necessarily more fickle, but they have a lot of options. So I think you are going to see some of these companies be affected by these breaches, which then for the VCs, that translates into Wait a minute, now my evaluation on this company has dropped because the number of users has dropped. So hopefully, that helps drive some of what, you know what Justin’s talking about.

Jodi Daniels 21:55

That makes sense.

Justin Daniels 21:59

I guess one other kind of security related question wanted to talk to you about is a lot of people are talking about emphasizing decentralized finance and other protocols. Yet, they don’t really talk about how they’re going to manage security for something that’s completely reliant on software. And so how do you build trust in these protocols without security?

Zenobia Godschalk 22:24

Yeah, I mean, I think, you know, you’ve certainly seen the industry have some, you know, have some big missteps. Right. But I think there is a so first of all, I think you have to take a step back and apply the sort of, hey, common sense law, right? If somebody is telling you that you can get a return on your investment, that is wildly out of proportion with any other return that you can get on your investment. There’s probably something askew there, right? You don’t get 100% returns, or 1,000% returns, on any other investment. So like I said, the laws of physics still apply. So when you are seeing companies make these kinds of claims, you know, you have to apply that same level of Wait a minute that that can’t sustain, right. And then I think what you’ve seen over the last couple of years is where people were calling it DeFi, it really was not DeFi, right. It was almost synthetic finance, rather than truly distributed, and decentralized. So it does take, you know, there’s more onus on the user, right? You cannot just say, Yep, I trust this. There is no FDIC backing there is there are none of those kinds of backstops. So if you are going to get into this space, you really need to make sure that you understand the underlying, you know, the underlying protocols, the underlying stack of technology that is, is being used. And you know, that that may mean that that hampers adoption of this space until we can get more regulations until we can get more regulatory clarity. And until we make it simpler for people to interact with these systems, through ways that they’re already used to interacting. So for example, I chatted with the folks at Worldpay, FIS a couple of weeks ago when we were at TechCrunch. And they talked about, you know, maybe DeFi should be enabled through your regular banking apps, right? 
Maybe you want to be able to say on your Bank of America Mobile App, great, I’m going to allocate this percentage of my savings to you know, to crypto and I, you know, I want to stake a certain number of things and I want to get a certain yield there. Right? That is that is then backed by sort of the trust that Bank of America has already engendered with their existing customers, right? So until we make it so that there is that sort of seamless way to interact and we build it into systems that people are used to, you know, it’s probably good to have a little bit of a tapping on the brakes to say, wait a minute, let’s make sure that everybody getting into this actually understands what they’re getting into.

Jodi Daniels 25:07

So piggybacking a little bit on what you just said, Right, we’re in this place where people want to be able to trust those transactions. And we have an industry that promised really great returns. And there’s been some players that that didn’t work out, and they’ve gone bankrupt. As a result, what are your thoughts about what the industry needs to do to be able to recover from some might call it a black eye? And on those exchanges?

Zenobia Godschalk 25:35

Sure. So, you know, it’s really it’s almost eerie. I remember when I was at Loudcloud, and we had competitors in the, you know, data center and data center operations market, who were, we could not figure out how are they getting these deals? And how are they selling these deals? And how are they making this margin? And the math just does not work? Right? It turns out, they were not doing the right things. They were doing revenue swaps with their customers, they were doing all kinds of things that were, you know, illegal, quite frankly. And yet, you know, that did not stop the progression of the internet, right? There were a ton of articles that said, Oh, we can write off this experiment of the internet, like slam the door go home, we’re finally going to get all back to our regular way of life. And you know, us having this conversation on video over Zoom like we are, you know, that is very much proof that that did not happen. Right. So I think it’s actually good to get away from the overhyped returns, because similar to the internet, that’s when we then saw, okay, people who actually want to build things and actually have problems that they’re trying to solve with this technology can now do that without having, you know, VC saying, Well, gosh, you’re not going to give me x return, or Gosh, you’re not going to grow at this rate that these other folks are claiming they’re going to grow. So there is a more realistic and pragmatic environment where people can actually go and build the things that are going to make a difference, and are going to, you know, to change the way that we do commerce, the way that we hold ourselves accountable, you know, the way that we communicate, but all of those things will happen, and they will be less sexy. But inevitably, they will be much more useful to us.

Justin Daniels 27:24

See, I think she makes a great point, because you know, Zenobia, I was thinking about when you were talking about Bank of America. So when we traded emails, you know, to get prepared for this show. That gets rid of the middleman of the mailman. Nobody thinks about the system or the underlying technology that’s behind email, we just know that we trade email. So maybe when we get to Bank of America, and I think this is what will start to happen is people say, Oh, well, this is a way that you can now get your digital tickets. We won’t talk about that. It’s a blockchain and NFTs, it’s just this is your digital ticket. It’s dynamic. And people won’t think as much about the technology that’s underlying it. Much like the email app? I don’t know. That’s where I think it goes,

Zenobia Godschalk 27:24

I think you’re spot on. So I don’t have daughters. But my understanding is that, you know, queuing up for Taylor Swift tickets. So going to use that as an example. was a hot mess, right? And when you think about what a distributed ledger is designed to do, it is essentially designed to order transactions, right? So imagine if I did not have to go onto a website, and like 700 times, click my way to prove where I was in a line, and then have the system crash on me and have my you know, me as one of the most loyal fans and have a terrible experience, right? I just queue up in the, you know, in I have my place in the ledger, I know exactly where I am, you know, and my transactions go through. And there’s fairness in the ordering of where that comes through. You know, I think, again, those fans do not care what the underlying technology is, but they certainly care about fairness of ordering and fairness of how those transactions got into you.

Jodi Daniels 29:18

It was literally going to say, Taylor Swift Fans, and that concert would be a perfect test case, because it was I didn’t even I didn’t even try, because he was his weekend to come in Atlanta. But yeah,

Justin Daniels 29:33

I think that’s why. And I think that’s why you saw the deal between Dapper Labs and Live Nation because Ticketmaster has to know that everybody hates Ticketmaster because they’re the right you know, the poster child of paying the intermediary. My ticket was 15 bucks, but yet I paid $20 In Yes, okay. And transaction fees. Everybody hates that. Yeah.

Jodi Daniels 29:55

And there’s no there’s there’s there’s no trust but we’re not going to make this a ticket slamming session. Oh, Hey,

Justin Daniels 30:01

just gonna bring a snack. I know. But when people think the blockchain is kind of crazy, and it’s Hocus Pocus, because they conflate it with crypto, you give them an example like this. And then Oh, that makes sense to me. Right, which is why we do our show. Indeed. All right, you’re up? Well,

Jodi Daniels 30:19

because we’ve been having so much fun talking about privacy, and will really more security today. We always like to know, in your world, what is the best personal cyber tip that you might offer your friends when you’re hanging out?

Zenobia Godschalk 30:34

Yes, so aside from you know, if something is too good to be true, it’s probably too good to be true. And, you know, I think just a very, very pragmatic one is, take a breath, right? Like, you don’t have to answer, click, you know, respond right away. If you, you know, for the layperson, if you wait a day or two days to respond to something that you know. So, you know, first of all, look at everything with an extremely cynical eye, right. But even if you feel like, gosh, this could be real, or this could be something potentially, that I need to respond to. It never hurts to wait, because a lot of these scams and a lot of the folks who you know who perpetrate them, sometimes they will get taken down within that time, right. So you’ll save yourself a lot of hassle and a lot of headache, by just making sure that, you know, you you you take a pause before you respond to anything. And a lot of times they will sort of, you know, try to make it so urgent that you need to respond today. You know, no one, no one is sending you an email that you must respond to right away. You know, use those other uses other channels, right, pick up the phone, which I know if you’re a you know, if you’re a millennial, that is, you know, why would I ever use a phone to actually call someone, but pick up the phone, think about those other channels that you can use to communicate with, you know, whoever that potential person is that’s asking you to do something that might seem a little bit strange.

Justin Daniels 32:07

Good advice, except when I get something from my wife saying, I need you to read an NDA that has to be responded to immediately.

Jodi Daniels 32:14

Absolutely. Yes, absolutely. You know, the sending source. So it’s been well vetted. It’s not a dirty bot, are you sure it’s been well vetted? Scream it through the house, not J

Zenobia Godschalk 32:27

ODL. D. And

Justin Daniels 32:32

so, when you’re not talking about security in the blockchain, what do you like to do for fun? Oh,

Zenobia Godschalk 32:39

my goodness. Well, I know we were chatting about this, you know, we we all have children who keep us very, very busy on the weekends. There’s nothing better than watching the delight on their faces as they, you know, play, play baseball, or, you know, score in a basketball game, or whatever it might be on the weekends. You know, but I think one of the things that we have really enjoyed picking back up this year is travel. I think it’s also just great to, especially in this industry, people are so scattered, but they’re everywhere. So we spent some personal time in New York this summer, but got to meet up with a bunch of folks who are also in the industry. You know, it’s such a welcoming community. And it’s such a diverse and geographically spread out community that it’s it’s fun to travel for personal reasons, but also to get to meet up with people who are part of our professional lives.

Jodi Daniels 33:36

And if people would like to connect with you and learn more, where should we send them?

Zenobia Godschalk 33:40

Yes, you can hit me up at Zenobia at Or I’m on LinkedIn or on Twitter at Zenobiazag.

Jodi Daniels 33:52

Well, thank you so much. It has been a fun and enlightening conversation.

Zenobia Godschalk 33:56

Absolutely. Thank you guys, and keep up the great work. This is much needed. Thank you.

Outro 34:07

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.
