The Future of Shared Breach and Security Data
Jeff Jockisch is the CEO at PrivacyPlan, a company that offers privacy datasets, consulting, and training. Jeff is a Certified Information Privacy Professional who specializes in data privacy laws, data broker research, data breach reporting, AI regulation, and privacy-enhancing technologies. Jeff also curates a privacy podcast database.
Previously, Jeff was the Director of Marketing for CSR Privacy Solutions, Inc., the Content Manager for Treatment Management Company, and the Creative Strategist for Fractl.
Here’s a glimpse of what you’ll learn:
- Jeff Jockisch describes how his previous professional experiences led to his current position at PrivacyPlan
- Jeff discusses Cyber Event Self-Reporting (CESR) and how it helps companies report data breaches without taking a PR hit
- How can the approach to ransomware become more collaborative versus competitive?
- Jeff’s top privacy and security tip: use passphrases instead of passwords
In this episode…
Cybercrime is running rampant throughout this country. However, most companies hesitate to report a problem for fear of a huge PR scandal. There’s a lack of data sharing, reporting standards, and breach alert systems for businesses. But, what if there was one place you could go to manage data breach and security reports?
The team at Data Collaboration Alliance is making this a reality with their Cyber Event Self-Reporting (CESR) Collab. The goal of this project is to create a system where companies can report security incidents and breaches using zero-copy technology, thereby sharing the information with the rest of the industry anonymously. By doing this, they can report data safely and securely without taking a PR hit.
In this episode of She Said Privacy/He Said Security, Jodi and Justin Daniels sit down with Jeff Jockisch, the CEO of PrivacyPlan, to discuss the future of shared breach and security data. Jeff talks about the inspiration behind Cyber Event Self-Reporting (CESR), how to create a collaborative approach to ransomware, and his top privacy and security tips.
Resources Mentioned in this episode
- Jeff Jockisch on LinkedIn
- Privacy Podcast Database
- Data Collaboration Alliance – CESR
- Jodi Daniels on LinkedIn
- Justin Daniels on LinkedIn
- Red Clover Advisors
- Red Clover Advisors on LinkedIn
- Red Clover Advisors on Facebook
- Red Clover Advisors’ email: email@example.com
Sponsor for this episode…
This episode is brought to you by Red Clover Advisors.
Red Clover Advisors uses data privacy to transform the way that companies do business together and create a future where there is greater trust between companies and consumers.
Founded by Jodi Daniels, Red Clover Advisors helps their clients comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. They work with companies in a variety of fields, including technology, SaaS, ecommerce, media agencies, professional services, and financial services.
You can get a copy of their free guide, “Privacy Resource Pack,” through this link.
You can also learn more about Red Clover Advisors by visiting their website or sending an email to firstname.lastname@example.org.
Welcome to the She Said Privacy/He Said Security podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.
Jodi Daniels 0:20
Hi, Jodi Daniels here. I'm the founder and CEO of Red Clover Advisors, a certified women's privacy consultancy. I'm a privacy consultant and a Certified Information Privacy Professional, and provide practical privacy advice to overwhelmed companies. And I'm joined by
Justin Daniels 0:36
Justin Daniels here. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback, helping clients design and implement cyber plans as well as helping them manage and recover from data breaches.
Jodi Daniels 0:52
And this episode is brought to you by... much better drum roll than the other day. This episode is brought to you by Red Clover Advisors. So you got me all that stuff with my drum rolls, which, by the way, is celebrating four years as we record this episode, very exciting. But we help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SaaS, ecommerce, media agencies, and professional and financial services. In short, we use data privacy to transform the way companies do business. And together, we're creating a future where there's greater trust between companies and consumers. To learn more, visit redcloveradvisors.com. So who do we have with us today, Justin? What, Jodi? Oh, no, who did we have? Okay, Jodi? We love when people miss that, say who we are. So we're gonna have a little fun today. Friday, when we're recording, why not? We have a fabulous guest today. We're so excited that Jeff Jockisch can come and join us. And if you don't know, Jeff is the CEO at PrivacyPlan. And he's also a Certified Information Privacy Professional. He lives at the intersection of privacy and data, Jeff: the ontology of data privacy laws, data broker research, data breach reporting, AI regulation, privacy enhancing technologies. He has a really awesome privacy podcast database; you can find ours in it. And we're delighted that you are with us today.
Jeff Jockisch 2:21
Hey, thanks, Jodi and Justin. I'm glad I got those two names right after you played around there for a little bit.
Jodi Daniels 2:31
It's hard, it can be confusing here. We are. Very glad to be here. Absolutely. Well, Justin, why don't you kick us off?
Justin Daniels 2:38
All right. Well, Jeff, let's start from the beginning. Talk to us a little bit about your career arc and how you got to where you are today?
Jeff Jockisch 2:45
Well, yeah, I think I give a little bit different story every time I tell that origin story. I'm not much of a superhero. But I think everybody has an interesting story. I think we sort of reinvent ourselves when we talk about ourselves. But I sort of started out being an entrepreneur, I guess, when I graduated college. I turned down a bunch of opportunities to sort of work in the corporate space and started my own company, and pretty much failed miserably. And then went back into the corporate world and worked for Citicorp for a while. But I really couldn't get that entrepreneurial bug out of myself. So I started several different tech companies and was sort of moderately successful, but I really sort of ended up staying in that tech space for quite a while, went through sort of the first tech bubble, and then ended up at a startup called ChaCha where we sort of started a text-based search engine. And that was really, really compelling and sort of fundamental to my development, I think, as a professional, as a marketer, as a data researcher, right? Because we were really sort of building sort of a Google back end to a really interesting front end, which was sort of a Q&A service where people would text us a question, and we would text them an answer. And so it was a very interesting business because it sort of brought me into a B2C business where we're interacting directly with consumers, but was also sort of a technology business where we got to deal a lot with cognitive computing and natural language processing, and a whole lot of interesting tech stuff that is becoming really critical to our economy now, right? Because we're talking a lot about AI and a lot about, you know, search and a lot about the things that really impact privacy in today's world. So that was sort of my really first introduction to some of the privacy concepts that I'm dealing with a lot more closely today.
We had to deal with CAN-SPAM and had to deal with COPPA. And I wasn't really thinking about them really as privacy concepts a lot back in those days. I mean, they were privacy, but I wasn't really thinking about them quite in the same way as I do today. But as ChaCha sort of never really made the cut profitably and ended up closing its doors about five or six years ago, I started looking around for what I wanted to do next. And I eventually sort of landed as a director of marketing for a privacy consultancy here in South Florida. And this was right about the time when GDPR was taking form and taking off, and I said, wow, this is really going to be big. And so I sort of started to focus my career choice in that direction. And I still was sort of casting about for exactly how I wanted to form that part of my career. But eventually, I realized that I needed to take what I had been doing at ChaCha, which was a lot of work with data, data sets, and building knowledge graphs, and doing that kind of analysis, and apply that to the world of data privacy, which very few other people seem to be doing. And so that's really what I've done with PrivacyPlan over the last couple of years, is really tried to bring, I guess, data science. I don't really consider myself a data scientist, right. But bring that sort of level of analysis to the world of data privacy.
Jodi Daniels 6:33
Well, that's a really cool and very fascinating story. I love how it intertwines with corporate and technology and entrepreneurship, and of course, leading us to being a privacy professional. Now, can you share a little bit about what you're working on today? Because you have a really interesting collaboration that you're building?
Jeff Jockisch 6:53
Yeah, yeah, I'm working on a lot of projects. But one of the things that really has piqued my interest is this new project that I've been working on with the Data Collaboration Alliance. And it's a project called CESR. We've actually just renamed it, so nobody's probably going to be real familiar with that name. But CESR is a new... Sorry, I'm trying to find my notes here. And I've got too many windows open, where are the notes? Sorry. So CESR is a Cyber Event Self-Reporting collab. And the concept here is, I think maybe we need to sort of back up a little bit, right? We've got a big problem in this country with cybercrime, right, with ransomware, and with all of those different problems. I think if we were to try to sort of encapsulate the problem, we'd say something like this, right? That cybercrime is rampant, that there's a lack of data sharing, that there's a lack of reporting standards, that there's really no breach alert system for businesses, that there's no one place you can go to get all the breach and security data in one place, not to download it, not to query it, not to get real-time trends and projections, right. There are some good datasets out there. They're fragmented, they have different focuses, they're generally grabbing publicly available data that is after the fact, right, that's been reported, you know, after companies have already been breached, and it's 30, 60, 90, 120 days post fact, right? Data sets like stuff from the Identity Theft Resource Center, they've got a great data set. VERIS has a great data set that Verizon uses to create the DBIR. And there are a bunch of other ones too, right. But the data is very scattered, right. And the biggest problem is that there's this huge roadblock, right, in overcoming corporate reticence, and the reticence of even government organizations and nonprofits, to want to report a breach.
They've got this, you know, reticence and a legitimate fear of liability and negative PR hits. Right. You don't want to tell people that you've had this huge problem. Part of that is because, you know, it's a bad thing that's happened to you, but also because you often don't know really what's happened yet, right? You're still searching for the details yourself. Right? I listened in on a webinar just a few days ago on crisis communications that was put on by Edelman, and it was really a very good webinar. A lot of sound risk-mitigating advice, but primarily what they were saying was, you know, don't communicate that it is a breach before you know that it's a breach, because that word has legal connotations. And they also said, sort of, don't communicate before you know the ground truth, which is really, you know, let the forensic folks do their thing before you start talking. And, you know, don't make promises that you can't keep, like, you know, timelines for the release of information. All really awesome advice, right? They also said, you know, this is great for reducing exposure. But you also live in a world now where you can't afford to not release information. You have to respond, right, to customers and employees and investors and regulators. So you have to tell people something, right? You're sort of stuck between a rock and a hard place here. You don't want to say anything wrong. But you have to say something, right? So it's a very tough situation. So that's sort of the situation we're living in, right, that kind of a world. So how do we do something better when we've got this huge problem, and companies don't want to say anything, but they have to say something? So we came up with this idea of the CESR collab, which is the Cyber Event Self-Reporting.
And the idea really, is to create a system where companies can report security incidents and breaches using zero copy technology in an anonymous way, so that they can get that information shared with the greater world and to their other folks in their industry without actually having to give away their identity. So it's essentially trying to say, hey, we've got technology now that allows you to share information safely and securely, without actually having to take that PR hit right. With that legal risk, we think that this might actually work. And essentially, this project is a way to test out that hypothesis.
Jodi Daniels 11:49
Well, that's nice. You're nodding, smiling along; our listeners can't hear it or see all the smiles and nods. Want to share a little bit more?
Justin Daniels 11:58
I'm just laughing, because the art of incident response is to do exactly what Jeff said, which is, how do you thread the needle with "I don't know everything, but I gotta say something," because if all I do is protect my legal derriere, I may lose a bunch of customers. And then what do I have left as a business? Nothing. And that, in essence, is the art of incident response, which makes it so tough, so stressful, and you have to have excellent judgment. But I guess, Jeff, when I listen to what you're talking about, you know, with this problem, you know, I've talked to people in financial services and healthcare, and they have these things called information sharing and analysis centers. I've also spoken to the FBI, who would love to do things more proactively. But one of the challenges that I see coming from a legal perspective, and you alluded to it, is, well, I'm afraid to share information, because now I don't control it anymore, and this could expose me to legal liability. And so what do you think we need to do to eliminate that barrier? Because I really think we do need to share more. But when I put on my legal hat, my legal role, it's a struggle to balance that. Yeah. Well,
Jeff Jockisch 13:06
I'm not sure I know the answer to that, right. And I'm not sure that we've necessarily got the solution yet. But this project is really a way to test that. What we really want to do is create sort of a minimum viable product, right, to test out that concept, and then run some experiments. The idea of the Data Collaboration Alliance, which is essentially sort of the testing accelerator for these ideas, is to trial them out. It's not really to develop the ideas fully and release them into the wild, but really to test them out and make sure that they're viable, and then hopefully see them into fruition, but under the aegis of someone else, right. The Data Collaboration Alliance doesn't want to run this project if it's viable. We'd want to sort of put it out under some other nonprofit organization, right. But we want to see whether it actually works, right. And I don't know whether we can get enough security and incentives to overcome that corporate reticence, but I have an inkling that maybe we could with enough carrots, because I think the problem is becoming so big, right, that the scariness is beginning to become, you know, just so problematic that companies are going to start to take risks on the other side of the equation.
Jodi Daniels 14:33
Are you starting in any particular size company or any industry? Or is it kind of open for all and anyone?
Jeff Jockisch 14:41
Well, I don't know yet. The idea, I think one of the next steps is that we're going to do some surveys of CSOs to find out what their response is going to be to this concept. Right. So we're really trying to define the concept well. We've actually got a lot of people sort of working on this with us, right, myself and Chris McCall at Cinchy, and Sharon Bower from Bamboo, and to list a few names here, Ross Saunders and Kailyn Silo and David Krieger from App Co and Debbie Reynolds, James Lee from the Identity Theft Resource Center, even Dan Knapp from your company, Red Clover, contributing to this, and there's a whole bunch more that I'm missing here. But that's just a few people that are sort of contributing to this idea generation. But I think what we have to do is, you know, refine the idea until we really got it fleshed out well. We're not trying to build a functional tool to test this out, right? All you want to do is be able to put this in front of a CSO and say, hey, if this thing worked functionally, right, would you be able to use it? Would you be able to get, you know, the people in your organization, your CEO, to sign off on, you know, contributing information to this when you had a breach? And do a survey of organizations of all sizes and see what that response is. And if we got a positive response, then we'd want to move forward on it.
Jodi Daniels 16:09
That's fair. I know you're so excited to ask a question. But I have another one. No, go ahead. Do you have an anticipated timeframe for when you're thinking about the survey phase, and maybe a first MVP being released?
Jeff Jockisch 16:23
So I don't know that we've got that timeframe dialed in yet. But I'd say probably in the next three months.
Jodi Daniels 16:29
That's great. It'd be nice to have maybe before you kick off the new year in 2022. Yeah, absolutely.
Jeff Jockisch 16:34
I think we have to move fast. Because, you know, the situation is getting pretty dire here. Right? And there's so much momentum with, you know, politicians actually wanting to act, I think the time is ripe to do something. Well,
Justin Daniels 16:46
I guess a related question I wanted to ask you, and I know you've seen this when you and I correspond on LinkedIn, is there's another groundswell movement when it comes to cybercrime over just simply outlawing ransomware payments. Yeah. And so there's been a ton of debate on that. It's a different way to approach the problem than what you're doing, because what you're doing is far more of a structural, systemic, collaborative approach, which helps us in a lot of areas. But for our audience, I'd love it if you just talk about what your thoughts are about, well, do you think that's good or not, to actually make it illegal to make a ransomware payment?
Jeff Jockisch 17:20
So I don't really like it. Right? I think that really hamstrings companies. And I think what we'll probably do is just push those payments underground. I think companies would still do it, and you just make their actions illegal. So, no, I don't really like it. I guess I could probably say more about that. But I don't think it would probably solve the problem.
Justin Daniels 17:41
I just think what you're talking about is a fundamental shift in our approach, because what I see from my perspective is, we live in an environment where we're so interconnected. And usually in the business sector, hey, we're competing with Company A, B, C, and D. But when it comes to handling cybercrime, you kind of have to set it aside. And so, you know, how do we collaborate with Company A, B, C, and D? And so it sounds to me like that's really at the heart of your program and how you're trying to shift how we view how we have to approach it, from a, you know, typically competitive to more of a collaborative approach.
Jeff Jockisch 18:18
Yeah. I mean, you make a really good point there. Right. I mean, there's also been some discussion about, you know, if this is really a national security threat, should the government be more... Why are businesses at the frontline of what appears to be cyber war, cyber warfare, right? Should the government be taking a more active role? And I don't necessarily think the answer to that is yes. But if you talk about war in any other context, right, do you think it would be the government that would be responding, or businesses? Right, so that's sort of an interesting thought process, if nothing else. And, you know, we've had laws like, you know, the Cybersecurity Information Sharing Act, right? 19... what was it, '80-something, that never really worked, that was supposed to sort of improve the sharing of information. But the incentives there just weren't enough, right, to get anybody to actually share information effectively with the government. So that was actually sort of one of the purposes of this CESR program, was to try to actually, you know, live up to those goals that that legislation tried to put into effect. But I think you're right, you know, sharing is hard. And how do you get businesses that fundamentally want to compete to actually share information?
Unknown Speaker 19:36
As I remember, sharing is caring. That's what I try to tell my kids. Clark the Shark, because of our book.
Justin Daniels 19:47
Yes, I can relate all cybersecurity principles to my children, my children's books.
Jodi Daniels 19:52
Absolutely. Well, Justin, you spend so much time in the privacy and security space. What are some of your best tips that you apply personally that others might be able to learn from?
Jeff Jockisch 20:03
Well, I think my favorite one to give people is stop using passwords and start using passphrases. You know? Yes. One of Justin's favorites. Yeah, I mean, you got to use longer passwords, right? Forget about these complicated, you know, pound sign, exclamation point, one, five, capital H, lowercase b. You know, just use a phrase, you know, 30 characters long, with several different words in it that aren't used together. It's much easier to remember and much more effective.
Jodi Daniels 20:39
I do that. And I still can't remember the password resets. For me, it's, oh, what new phrase can I come up with?
Jeff Jockisch 20:47
Well, you know, I've had this idea for a while, and nobody seems to take me very seriously. But I've got this idea of creating an affinity passphrase generator, right? Say, Justin, you say you really like classic cars, and cryptocurrency, and rap music, right? And so you pick those three affinities and press a button, and then it would generate, you know, a passphrase that grabbed a word from each of those buckets of words, right, one from cryptocurrency and one from classic cars and one from rap music. And it would then generate a passphrase from those things and maybe throw in another random word too, and then there's your passphrase.
Justin Daniels 21:32
Can I add intentionally misspelling my wife's name?
Jeff Jockisch 21:34
Yeah. Right. You know, and you could have all kinds of little things. Oh, wouldn't that be cool?
Justin Daniels 21:40
Yeah, that's a password generator. That's interesting. Well, for our last and most important question, when you're not out trailblazing in the privacy world, what does Jeff like to do for fun?
Jeff Jockisch 21:50
Yeah, well, I don't know that I do a whole lot. But I've been trying to. I actually took up golf last year, you know, but I'm not doing as well as I would like. So I'm still playing golf, right. But I've switched sports. And now I'm actually starting to play disc golf. Frisbee golf.
Jodi Daniels 22:09
We thought that, that's... it's growing here. There's a few different disc golf courses here. And we even bought you some disc golf things. Yes, for Father's Day last year. Oh, nice. Yeah, I think they're collecting dust still. So that's my... Well, Jeff, I'm so glad that you were able to join us today. How can people connect with you and learn more about the great work that you're doing?
Jeff Jockisch 22:32
Well, I'm always on LinkedIn, you can find me there, and go to my website, privacyplan.net. Lots of good resources there, and all my contact information is there.
Jodi Daniels 22:41
Wonderful. And what about if they want to hear more about the CESR collaboration or participate in the survey? Oh,
Jeff Jockisch 22:48
That's a great question. I would say go to Data Collaboration Alliance. And I'll also put something up on my website so it's easy to get to. That sounds wonderful. Well, Jeff,
Jodi Daniels 22:58
thank you again for joining us today. We really appreciate you sharing all the great work that you are doing for the industry. Appreciate you. Thanks for the time.
Thanks for listening to the She Said Privacy/He Said Security podcast. If you haven't already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.