The Future of Shared Breach and Security Data

Intro  0:01  

Welcome to the She Said Privacy/He Said Security podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:20  

HI, Jodi Daniels here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant, and a certified Information Privacy professional, and provide practical privacy advice to overwhelmed companies. And I’m joined by

Justin Daniels  0:36  

Justin Daniels. Here I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback, helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

Jodi Daniels  0:52  

And this episode is brought to you by much better drum roll on the other day. We help come at this episode is brought to you by Red Clover Advisors. So you got me all that stuff with my drum rolls, which by the way, is celebrating four years as we record this episode, very exciting. But we help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, SAS, e commerce, media agencies, and professional and financial services. In short, we use data privacy to transform the way companies do business. And together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, visit redcloveradvisors.com. So who do we have with us today? Justin? What Jodi? Oh, no, did we have? Okay, Jodi? We love when people miss that, say who we are. So we’re gonna have a little fun today. Friday, when we’re recording, why not? We have a fabulous guest today. We’re so excited that Jeff Jockisch can come and join us. And if you don’t know, Jeff is the CEO at PrivacyPlan. And he’s also a Certified Information Privacy professional. He lives at the intersection of privacy and data, Jeff, the ontology of data privacy laws, Data Broker research, data breach, reporting, ai regulation, privacy enhancing technologies. He has a really awesome privacy podcast database, you can find ours in it. And we’re delighted that you are with us today.

Jeff Jockisch  2:21  

Hey, thanks, Jody. And Justin. I got I’m glad I got those two names right after your you played around there for a little bit.

Jodi Daniels  2:31  

It’s hard, it can be confusing here. We are. Very glad to be here. Absolutely. Well, Justin, why don’t you kick us off?

Justin Daniels  2:38  

All right. Well, Jeff, let’s start from the beginning. Talk to us a little bit about your career arc and how you got to where you are today?

Jeff Jockisch  2:45  

Well, yeah, I think I think I give a little bit different story. Every time I tell that origin story. I’m not like much of a superhero. But I think I think everybody has an interesting story. I think we sort of reinvent ourselves when we when we we talk about ourselves. But I sort of started out being a an entrepreneur, I guess, when I graduated college, I turned down a bunch of opportunities to sort of work in the corporate space and started my own company and pretty much failed miserably. And then then went back into the corporate world and work for Citicorp for a while. But I really couldn’t get that entrepreneurial bug out of myself. So I started several different tech companies and was sort of moderately successful, but I really sort of ended up staying in that tech space for quite a while went through sort of the first tech bubble and then ended up at a startup called Chacha where we sort of started a text based search engine. And that was really, really compelling in sort of, fundamental to my development, I think as, as a professional as a marketer as a data researcher, right? Because we were really sort of building sort of a Google back end to a really interesting front end, which was a sort of a q&a service where people would text us a question, and we would text them an answer. And so it was a very interesting business because it sort of brought me sort of into a b2c business where we’re interacting directly with consumers, but was also sort of a technology business where we get to deal a lot with cognitive computing and natural language processing, and a whole lot of interesting tech stuff that is becoming really critical to our economy now, right? Because we’re talking a lot about AI and a lot about, you know, search and a lot about the things that really impact privacy in today’s world. So that was sort of my really first introduction to some of the privacy concepts that that I’m dealing with a lot more closely. today. We have To deal with can spam and have to deal with COPPA. And I wasn’t really thinking about them really as privacy concepts a lot back in those days. I mean, they were privacy, but I wasn’t really thinking about them quite in the same way as I do today. But as Chacha sort of, never really made, the cut profitably ended up closing at stores, about five or six years ago, I started looking around for what I want to do next. And I eventually sort of landed as a director of marketing for a privacy consultancy, here in South Florida. And I This was right about is the time where GDPR was taking, taking form and taking off and I said, Wow, this is really going to be big. And so I sort of started to, to focus my career choice in that direction. And I still was sort of casting about for exactly how I wanted to form that part of my career. But eventually, I realized that I needed to take what I had been doing at chacha, which was was a lot of work with data, data sets, and building knowledge graphs, and in doing that kind of analysis, and apply that to the world of data privacy, which very few other people seem to be doing. And so that’s really what I’ve done with PrivacyPlan over the last couple of years, is really tried to bring, I guess, data science. I don’t really consider myself a data scientist, right. But bring that sort of level of analysis to the world of data privacy.

Jodi Daniels  6:33  

Well, that’s a really cool and very fascinating story. I love how it intertwines with corporate and technology and entrepreneurship, and of course, leading us to being a privacy professional. Now, can you share a little bit about what you’re working on today? Because you have a really interesting collaboration that you’re building?

Jeff Jockisch  6:53  

Yeah, yeah, I’m working on a lot of projects. But one of the things that really has piqued my interest is this a new project that I’ve been working on with the Data Collaboration Alliance. And it’s a project called CESR, we’ve actually just renamed it so nobody’s probably going to be real familiar with that name. But CESR is a new. Sorry, I’m trying to find my notes here. And I’ve got too many windows open, where are the notes? Sorry. So CESR is a is a cyber event, self reporting colab. And the concept here is, I think maybe we need to sort of back up a little bit, right? We’ve got a big problem in this country with with cybercrime, right with ransomware. And with all of those different problems, I think if we were to try to sort of encapsulate the problem, we’d say something like this, right? That cybercrime is rampant, right, that there’s a lack of data sharing, that there’s a lack of reporting standards, that there’s really no breach alert system for businesses, that there’s that there’s no one place you can go to get all the breach and security data in one place not to download it not to query it, not to get real time trends and projections, right. There are some good datasets out there. They’re fragmented, they have different focuses, they’re generally grappling publicly available data that is after the fact right that that’s been reported, you know, and is, is after companies have already been breached in its 30 6090 120 days, post fact, right? data sets like stuff from the identity theft Resource Center, they’ve got a great data set. verus has a great data set that Verizon uses to create the DB IR. But and there are a bunch of other ones too, right. But the data is very scattered, right. And the biggest problem is that there’s this huge road roadblock right that in server coming corporate re Tyson’s and retirements of even government organizations and nonprofits to want to report a breach. They’ve got this you know, we Tyson’s in a look lit really a legitimate fear of liability and negative PR hits. Right. You don’t want to tell people that you’ve had this huge problem. Part of that is because you know, it’s it’s a bad thing that’s happened to you, but but also because you all you often don’t know really what’s happened yet, right? You’re still searching for the details yourself. Right? I listened in on a webinar just a few days ago on crisis communications that was put on by Edelman, and it was really a very good webinar. A lot of sound risk mitigating advice, but primarily what they were saying was, you know, don’t communicate if it’s a breach that don’t communicate that it is a breach right before that, you know, it’s a breach because that word It has legal connotations. And they also send in a sort of don’t communicate before, you know, the ground truth, which is really, you know, let the forensic folks do their thing before you start talking. And, you know, don’t make promises that you can’t keep, like, you know, timelines for the release of information, all really awesome advice. Right? They also said, you know, this is great for reducing exposure. But you also live in a world now where you can’t afford to not release information, you have to respond right? to customers and employees and investors and regulators, right. So you have to tell people something, right, you’re sort of stuck in between a rock and a hard place here. You don’t want to say anything wrong. But you have to say something, right? So it’s a very tough situation. So that’s sort of the situation we’re living in, right? And that kind of a world. So how do we do something better when we’ve got this huge problem, and companies don’t want to say anything, but they have to say something. So we came up with this idea of the CESR call lab, which is the cyber event self reporting. And the idea really, is to create a system where companies can report security incidents and breaches using zero copy technology in an anonymous way, so that they can get that information shared with the greater world and to their other folks in their industry without actually having to give away their identity. So it’s essentially trying to say, hey, we’ve got technology now that allows you to share information safely and securely, without actually having to take that PR hit right. With that legal risk, we think that this might actually work. And essentially, this project is a way to test out that hypothesis.

Jodi Daniels  11:49  

Well, that’s nice. Are you nodding, smiling along, our listeners can hear it and see all the smiles and nods want to share a little bit more?

Justin Daniels  11:58  

I’m just, I’m just laughing, because the art of incident response is to do exactly what Jeff said, which is how do you thread the needle with I don’t know everything, but I gotta say something because if all I do is protect my legal derriere, I may lose a bunch of customers. And then what do I have left is business nothing. And that, in essence, is the art of incident response, which makes it so tough, so stressful, and you have to have excellent judgment. But I guess, Jeff, when I listened to what you’re talking about, you know, with this problem, you know, I’ve talked to people in financial services and healthcare, and they have these things called information sharing and analysis centers. I’ve also spoken to the FBI who would love to do things more proactively. But one of the challenges that I see coming from a legal perspective, and you alluded to it, which is well, I’m afraid to share information, because now I don’t control it anymore. And this could put me out to legal liability. And so how do you what do you think we need to do to eliminate that barrier? Because I really think we do need to share more. But when I go into my legal hat, my legal role, it’s a struggle to balance that. Yeah. Well,

Jeff Jockisch  13:06  

I’m not sure I know the answer to that, right. And I’m not sure that we’ve necessarily got the solution yet. But this project is really a way to test that what we really want to do is create sort of a minimum viable product, right? to test out that concept, right. And then run some experiments. The idea of the Data Collaboration Alliance in ion, which is essentially sort of the testing accelerator for these ideas, is to trial them out. It’s not really to develop the ideas fully and release them into the wild. But really, to test them out and make sure that they’re viable, and then hopefully see them into fruition but under the ages of someone else, right. The data collaboration Alliance doesn’t want to run this project if it if it’s viable. We’d want to sort of put it out under some other nonprofit organization right. But we want to we want to see whether it actually works right. And and I don’t know whether we can get enough security and incentives to overcome that corporate re Tyson’s but I have an inkling that maybe we could with with enough carrots, because I think the problem is becoming so big right, that the the scariness is, is is beginning to become, you know, just so problematic that companies are going to start to take risks on the other side of the equation.

Jodi Daniels  14:33  

Are you starting in any particular size company or any any industry? Or is it kind of open for all in anyone?

Jeff Jockisch  14:41  

Well, I don’t know yet. The idea? I think one of the next steps is that we’re going to do some surveys of CSOs to find out what their what their response is going to be to this concept. Right. So we’re really trying to, to define the concept. Well, we’ve actually got a lot of people sort of working on this with us, right who might Myself and Chris McCall and that at cinci. And Sharon Bower from bamboo and list a few names here, Ross Saunders and kailyn silo and David Krieger from app CO and Debbie Reynolds, James Lee from identity theft recent Resource Center, even Dan Knapp from from your company, red clover contributing to this and there’s a whole bunch more that I’m missing here. But that’s just a few people that are sort of contributing to this, this idea generation, but I think what we have to do is is, you know, refine the idea until we really got it, you know, fleshed out, well, we’re not trying to build a functional tool to test this out, right? All you want to do is be able to put this in front of a C, A C, so and say, Hey, if if this thing worked functionally, right? Would you be able to use it? Would you be able to get, you know, the people in your organization, your CEO to sign off on, you know, contributing information to this when you had a breach and do a survey of organizations of all sizes and see what that responses? And if we got a positive response, then we’d want to move forward on?

Jodi Daniels  16:09  

That’s fair. I know you’re so excited to ask question. But I have another one. No, go ahead. Do you have an anticipated timeframe for where you’re thinking about the survey phase, and maybe a first MVP being released?

Jeff Jockisch  16:23  

So I don’t I don’t know that we’ve got that timeframe dialed in yet. But I’d say probably in the next three months.

Jodi Daniels  16:29  

That’s great. Be nice to have maybe before you kick off the new year in 2022. Yeah, absolutely.

Jeff Jockisch  16:34  

I think we have to move fast. Because, you know, the situation is getting pretty dire here. Right? And there’s so much momentum with with, you know, politicians actually wanting to act, I think the time is ripe to do something. Well,

Justin Daniels  16:46  

I guess a related question I wanted to ask you and I know you’ve seen this, when you and I correspond on LinkedIn is there’s another groundswell movement when it comes to cybercrime over just simply outlawing ransomware payments. Yeah. And so there’s been a ton of debate on that, it’s a different way to approach the problem than what you’re doing. Because what you’re doing is far more of a structural, systemic, collaborative approach, which helps us in a lot of areas, but for our audience, I’d love if you just talk about what your thoughts are about, well, do you think that’s good or not to actually make it illegal to make a ransomware payment?

Jeff Jockisch  17:20  

So I don’t really like it. Right? I think that really hamstrings companies. And I think what we’ll probably do is just push those payments underground, I think companies would still do it, and you just make their actions illegal. So now I don’t really like it. I guess it could probably be say more about that. But I don’t think it would probably solve the problem.

Justin Daniels  17:41  

I just think what you’re talking about is a fundamental shift in our approach, because what I see from my perspective, is, we live in an environment where we’re so interconnected. And usually in the business sector, hey, we’re competing with Company A, B, C, and D. But when it comes to handling cybercrime, you kind of have to set it aside. And so you know, what, how do we collaborate with Company A, B, C, and D. And so it sounds to me like that’s really at the heart of your program and how you’re trying to shift how we view how we have to approach it from a, you know, typically competitive to more of a collaborative approach.

Jeff Jockisch  18:18  

Yeah. I mean, you make a really good point there. Right. I mean, there’s there’s also been some discussion about, you know, if this is, you know, if this is really a national security threat, should the government government be more? Why are businesses at the frontline of a, what appears to be cyber war, cyber warfare, right? Should the government be taking a more active role? And I don’t necessarily think the answer to that is yes. But if you talk about war in any other context, right, do you think it would be the government that would be responding that businesses, right, so that’s sort of an interesting thought process, if nothing else, and you know, we’ve had laws like, you know, the cyber security information sharing act, right? 19, what it was at 80, something that the never really worked, that was supposed to sort of improve the sharing of information. But the incentives, there just weren’t enough, right to get anybody to actually share information effectively with the government. So that was actually sort of one of the purposes of this CESR program was to try to actually, you know, live up to those, you know, those goals that that that legislation tried to put into effect. But I think you’re right, you know, sharing is hard. And how do you get businesses that fundamentally want to compete to actually share information

Unknown Speaker  19:36  

as remember, sharing is caring. What I try to tell my kids that start Clark, the Shark, shark, the Clark Clark the shark, and because our book

Justin Daniels  19:47  

Yes, I can relate all cybersecurity principles to my children, my children’s books.

Jodi Daniels  19:52  

Absolutely. Well, Justin, you spend so much time in the privacy and security space, what are some of your best tips that you apply? I personally that others might be able to learn from

Jeff Jockisch  20:03  

Well, I think my favorite one to give people is stop using passwords and start using passphrases. You know? Yes. One of Justin’s favorites. Yeah, I mean, you got to use longer passwords, right? Forget about these complicated Dino, you know, pound sign, exclamation point, one, five, capital H, lowercase b, you know, just use a phrase, you know, 30 characters long a, you know, you know, with several different words in it that aren’t used together. It’s much easier to remember and much more effective.

Jodi Daniels  20:39  

I do that. And I still can’t remember the password resets. For me. It’s OSU, what new phrase Can I come up with?

Jeff Jockisch  20:47  

Well, you know, I’ve had this idea for a while, and I haven’t got anybody. Nobody seems to take me very seriously. But I’ve got this idea of creating an affinity and affinity password passphrase generator, right? Or like, say, Justin, you say you really liked classic cars, and cryptocurrency and rap music, right? And so you pick those, those three affinities and press a button, and then it would generate, you know, a passphrase that grabbed a word from each of those buckets of words, right, one from cryptocurrency and one from classic cars and one from rap music. And it would then take pick up generate a passphrase from those things and maybe throws in another random word to and then there’s your passphrase.

Justin Daniels  21:32  

Can I add intentionally misspelling my wife’s name?

Jeff Jockisch  21:34  

Yeah. Right. You know, and you could you could have all kinds of little things. Oh, wouldn’t that be cool?

Justin Daniels  21:40  

Yeah, that’s a password generator. That’s, uh, that’s interesting. Well, for our last and most important question, when you’re not out, trailblazing in the privacy world. What does Jeff like to do for fun?

Jeff Jockisch  21:50  

Yeah, well, I don’t know that I do a whole lot. But I’ve been trying to I actually took up golf last year, you know, but I’m not. I’m not doing as well as I would like. So I’m still playing golf, right. But I’ve switched sports. And now I’m actually starting to play disc golf. is B golf.

Jodi Daniels  22:09  

We thought that that’s a it’s growing here. There’s a few different golf like disc golf courses here. And we even bought you some disc golf things. Yes. for Father’s Day. Last year. It’s Oh, nice. Yeah, I think they’re collecting dust still. So that’s my. Well, Jeff, I’m so glad that you were able to join us today. How can people connect with you and learn more about the great work that you’re doing?

Jeff Jockisch  22:32  

Well, I’m always on LinkedIn, you can find me there and go to my website, privacyplan.net. Lots of good resources there and all my contact information. Is there.

Jodi Daniels  22:41  

Wonderful. And what about if they want to hear more about the CESR collaboration or participate in the survey? Oh,

Jeff Jockisch  22:48  

that’s a great question. I would say good Data Collaboration Alliance. And also put something up on my websites as easy to get to that sounds wonderful. Well, Jeff,

Jodi Daniels  22:58  

thank you again for joining us today. We really appreciate you sharing all the great work that you are doing for the industry. Appreciate you. Thanks for the time.

Outro  23:10  

Thanks for listening to the She Said Privacy/He Said Security podcast. If you haven’t already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.