It has been said that the currency of the modern world is not gold, but information. If that is true, then nearly every business is storing financial information, emails, and other private information that can be invaluable to cybercriminals or other nefarious actors. What is every business required to do to protect its customers’ and clients’ private information?
As a part of our series about “Five Things Every Business Needs To Know About Storing and Protecting Their Customers’ Information”, I had the pleasure of interviewing Jason Shockey, CISSP, CEH, Security+, ITIL, founder of mycyberpath.com. He is currently a Cybersecurity SME in Columbia, MD. Prior to founding My Cyber Path he served as the Chief Information Security Officer at a publicly traded company in the greater New York City area. Prior to his CISO role, Jason served 20 years active duty in the US Marine Corps as a technology leader conducting cybersecurity operations, incident response, and cyber risk management.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
I grew up in Northern California an hour North of San Francisco and was lightly parented for my first 18 years of life. That gave me the opportunity to explore how the world worked and how I thought I should work in it. The temperate weather in my hometown allowed me to continually interact with different people and try different things all year round. I played sports starting from about four or five years old where running until the muscles in between my ribs hurt and getting pounded by the cold, rough Pacific Ocean waves was an everyday occurrence. I have an older brother, my Irish twin, 14 months older than me. He and his friends contributed to my upbringing in a rough way but we were all rough with each other. I wouldn’t replace that rough handling from a young age because it built habits and prepared me to meet and beat many challenges later in life.
I was always interested in science, fascinated with its logic to help us discover the truth by testing ideas. The combination of focusing on scientific logic and an upbringing in sports led me to major in Chemistry and have a 20 year active duty career in the US Marine Corps as a technology leader conducting cybersecurity operations, incident response, and cyber risk management.
I grew up in a fortunate pre-Internet time period and saw the Internet rise. My time in the analog world before digital allows me to easily relate physical world realities with aspirational non-physical Internet complements. After all, technology is supposed to make our lives more efficient not waste our time.
Is there a particular story that inspired you to pursue your particular career path? We’d love to hear it.
There is a place in San Francisco called the Exploratorium. It is a huge warehouse near the Palace of Fine Arts filled with science and practical experience stations where you can have focused interaction with the real world and have the science explained: echo tubes, light, mirrors, optical illusions, magnetism. My mom would take me and my brother there when we were kids. We’d spend hours walking around and never get tired from interacting with the people, the scientists, and the hands-on labs.
I remember on one of the days we visited, I walked up to a plexiglass enclosed kiosk that had a flat, white table butted up against the glass. The position of the kiosk allowed the table to be just at eye level with me but the person in the booth was slightly elevated above our heads. On the table to his right was a scalpel; on his left, a cow eye. I stood and watched the dissection of a cow eye, right there on the table right in front of me, about a foot away from my face. I had a magical but eerie feeling when I watched the eye being explored, a lot like when the main character from the 80’s movie Big interacted with Zoltar Speaks.
Seeing that cow eye opened and explained made me think of all the unseen detail in everyday things. It really sparked my curiosity and fired up an interest in me to learn. I imagine the world of cybersecurity like this: my computer has a brushed aluminum case and a touch screen. It is perfect, beautiful, and looks so simple but “dissect” it and there is so much more underneath. Imagine for a second if your eye could see the electrical signals that emanate from computers and networks. That’s cool! That magical feeling and my curiosity to discover led me into cybersecurity.
Can you share the most interesting story that happened to you since you began your career?
I remember one of the very first exercises in the Marine Corps where I was in charge of the communications section. We were responsible for setting up a fully converged telecommunications network in the field. This means the users had access to voice, video, and data on the open Internet somewhere in the world. We set up the network in about two days and everything seemed fine: users could make secure phone calls, send encrypted emails, and search the Internet. On day three of the exercise, we received a notice from a US government entity to monitor network traffic on their behalf where my section didn’t know that traffic existed. I thought, how can that US entity see traffic in my network that’s not supposed to be there, but then tell us to monitor it and not stop the traffic? That was super interesting and started me down the path of focusing on Defensive Cyber Operations (DCO), adding Offensive Cyberspace Operations (OCO), and layering Cyber Threat Intelligence into both of those.
None of us are able to achieve success without some help along the way. Is there a particular person to whom you are grateful who helped get you to where you are? Can you share a story about that?
Absolutely. As a leader shared with me very early on in my career, be sure to send the elevator back downstairs so it can pull someone else up. Meaning give back to the community when you can.
I’m very grateful for retired Master Sergeant Ron Mehring, USMC who had a huge hand in where I am today. At my first Marine Corps duty station in 2000 Ron taught me CISSP concepts and Computer Network Defense before I knew CISSP was a certification.
Ron taught me the value of starting from the start. He told me to get an A+ book and read it. At first when he told me that I thought, this is the seasoned Gunny messing with the brand new 2nd Lieutenant and everyone was going to laugh. No. He wasn’t fooling around and was exactly right, A+ was the cornerstone of me getting my certs and applying those in my daily job and career. The lessons learned from Ron were both technical and soft skills and allowed me to grow into the cyber leader I am today. Thank you Ron.
Are you working on any exciting new projects now? How do you think that will help people?
Yes! I’m working on a project to help close the cybersecurity workforce gap, mycyberpath.com!
mycyberpath.com matches people’s personality traits to cyber work roles and provides career pathways that show the right type and sequence of certifications, experience, training, and education to pursue relative to their matched role. People can use the career pathways and start from any point, beginner or professional, and achieve mastery without being technical or knowing how to code.
Mycyberpath.com can be used by anyone interested in a cybersecurity career, any organization looking to increase the capability of their cybersecurity workforce, and anyone responsible for teaching, guiding, or counseling cybersecurity students.
The pathways are mapped to the NIST NICE Framework, CyberSeek, and other frameworks to help people focus their job hunting.
My Cyber Path intends to help close the cybersecurity workforce gap and assist millions of people get on their unique path to have the opportunity to get a cyber job for life.
What advice would you give to your colleagues to help them to thrive and not “burn out”?
Stay curious. Stay fascinated. Work on things after hours that you like to do. Work on things after hours that fill you up and keep you charged. Even if it’s Linux command line or writing scripts. The fundamentals always make me smile. Fundamentals that most people take for granted and erode if you don’t give them your time every day. Moving meditation helps, that’s why I like to work out every day too.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. Privacy regulation and rights have been changing across the world in recent years. Nearly every business collects some financial information, emails, etc, about their clients and customers. For the benefit of our readers, can you help articulate what the legal requirements are for a business to protect its customers’ and clients’ private information?
Privacy regulation and customer rights is such a dynamic space with numerous laws and regulations such as PCI DSS, GDPR, HIPAA, CCPA, PIPEDA, and 23 NYCRR 500.
To provide a tweetable comment and summarize the legal requirements for a business to protect its customers’ and clients’ private information, “If you don’t need it, don’t collect it.” In other words, collect private information only if needed to conduct legitimate business operations and not indefinitely. Also, all private information should be protected as if it was your own.
Beyond the legal requirements, is there a prudent ‘best practice’? Should customer information be destroyed at a certain point?
It’s a best practice for companies to keep pace with regulatory changes by using an agile framework.
A framework I’ve successfully used to protect data, reassure customers, and demonstrate compliance is the NIST Cybersecurity Framework with its 5 Core Functions: Identify, Protect, Detect, Respond, Recover.
Organizations should strive to protect private information by relating it to the five core functions of the NIST CSF. An organization with a mature cybersecurity program will be able to identify and protect its customers’ and clients’ private information. Additionally, that organization will be able to detect, respond, and recover from potential cyber events that affect private data. That’s at a high level but when the NIST CSF is used with NIST SP 800–53 the controls become granular and actionable.
An added benefit of using the NIST CSF is how that framework integrates with Information Technology general controls (ITGC) and SOX compliance.
As a general rule, if the data is not needed to conduct core business functions, don’t collect the data. And yes, customer data should be destroyed at a certain point or at least anonymized.
In the face of this changing landscape, how has your data retention policy evolved over the years?
Data collected is stored, protected, retained, and disposed of in accordance with regulations.
Are you able to tell our readers a bit about your specific policies about data retention? How do you store data? What type of data is stored or is not? Is there a length to how long data is stored?
Data collected is stored, protected, retained, and disposed of in accordance with regulations.
Has any particular legislation related to data privacy, data retention or the like, affected you in recent years? Is there any new or pending legislation that has you worrying about the future?
No particular single privacy regulation has produced effects but a concern is the combination of all of the privacy laws. Not a worry but something to focus on is making sure that your company has an overarching framework to protect private information and meet compliance with those changing and numerous regulations.
In your opinion have tools matured to help manage data retention practices? Are there any that you’d recommend?
The tools have definitely matured to help data collection, classification, protection, and retention practices. One of the most useful features in some of the tools today is their ability to crawl large data sets to discover and then tag data according to classification and retention guidance. The best tools on the market today combine this crawling feature to discover data, data governance, classification, and metrics showing sensitive data usage.
There have been some recent well publicized cloud outages and major breaches. Have any of these tempered or affected the way you go about your operations or store information?
The recent and publicized major breaches show the severity of what could happen. You can’t control what the adversary does but you can control how you respond to what the adversary does. It’s best to continue your operations with the consistent governance and frameworks that you have in place instead of drastically changing your network environment based on the most recent cyber attack that happened to someone else. If your organization was the victim of the cyber attack that’s a different story. In that case you’ll have direct action to take based on the root cause of breach. It’s best to use lessons learned from those major breaches to inform incremental changes in your network based on your policies and environment.
Ok, thank you for all of that. Now let’s talk about how to put all of these ideas into practice. Can you please share “Five Things Every Business Needs To Know In Order to Properly Store and Protect Their Customers’ Information?” (Please share a story or example for each.)
- Governance. Data Governance deals with the structure of how the organization’s data privacy and protection strategy drive internal policies. The goal of data governance is to strike the right balance between using the data collected and securing the data. An example of this is when organizations rush to collect as much data as they can without first having the proper structure in place to make sure the data is operationalized for maximum business use, and don’t have an idea of the types of controls needed to secure the data. Without proper governance, teams will waste time and money performing recalculations and searching for data that would otherwise be readily accessible.
- Provenance. Data provenance, tied to data lineage, deals with how internal data is created, tagged, and indexed. Based on the amount of data most businesses have available today this is a critical step to ensure all available data can be accessed to perform analytics. If there is a misstep in this area you might have vast data lakes but only access limited portions of valuable data. When done correctly data provenance allows organizations to tag data according to the internal classification guidance and have a readily available searchable data lake to analyze and maximize business value.
- Classification. Data classification is the set of categories used in an organization to distinguish between sensitive data and releasable data. Data classification allows for the efficient allocation of resources to protect sensitive data. It makes little sense to protect all data at the highest protection levels if that data only has a small subset of sensitive data. Data should be classified based on business requirements and should be kept simple. An example of a simple data classification structure would be to align to the regulatory definitions of sensitive data with 3 classification levels from low to high as follows: public releasable, internal use, and restricted (limited internal distribution only). Remember it’s best to assign work roles in the data classification guidance to avoid confusion and allow only authorized individuals to handle sensitive data. Two examples of these roles are: i) data owner, the business partner responsible for the data that goes into the system and ii) the system owner, the person responsible to maintain the system that holds the data owner’s data.
- Protection. Data protection is the practice to secure sensitive data as it’s used, stored, and transmitted. Data protection practices are driven by the alignment of data strategy, policies, practices, and controls with business objectives. Proper alignment of these elements allows organizations to focus on where security is needed the most to employ effective cyber defenses and efficiently meet audit objectives. Some examples of data protection are the use of virtual private networks to secure the access of internal sensitive data from external locations, email encryption for the safe exchange of sensitive data, and encrypted shared drives and database encryption when storing sensitive data.
- Controls. Data controls are the mechanism to ensure a privacy program functions properly and manages risk. The controls make up a framework to assess and measure the intended outcomes from the organization’s aligned policies, practices, and tools that achieve the proper data protection. The derived metrics from the controls can be used as audit evidence and inform cybersecurity budget decisions. Controls are a main portion of the framework to assess an organization’s cybersecurity program. NIST SP 800–53 can be used to assign controls as needed depending on your organizational policies and measure the effectiveness of those controls to manage risk. An example priority 1 high impact control from NIST SP 800–53 is SA-12 Supply Chain Protection, which describes whether the organization protects against supply chain threats to the information system, system component, or information system service by employing technology as part of a comprehensive, defense-in-breadth information security strategy.
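One way to put the crawl-and-tag practice mentioned earlier (tools that discover data and tag it by classification) together with the three-level scheme and the data owner / system owner roles from the Classification item into working code. This is an added example, not code from the interview or from mycyberpath.com; the regulated-identifier detectors, the sample share contents, and the owner mapping are all constructed assumptions for illustration.

```python
import re
from collections import namedtuple

# Regulated-identifier detectors (constructed); a card-number candidate only
# counts when its Luhn checksum holds, which filters out plain order numbers.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b")

# level is one of the interview's three levels; the owners are its two work roles.
Tag = namedtuple("Tag", "path level reasons data_owner system_owner")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string (payment card numbers satisfy it)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(text: str) -> list:
    """Return Luhn-valid card numbers found in text, separators stripped."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

def classify(path: str, text: str, owners: dict) -> Tag:
    """Tag one file: regulated identifiers -> restricted; other personal data or
    anything on an internal share -> internal use; everything else -> public."""
    reasons = []
    if SSN_RE.search(text):
        reasons.append("SSN")
    if find_pans(text):
        reasons.append("PAN")
    if EMAIL_RE.search(text):
        reasons.append("email")
    if "SSN" in reasons or "PAN" in reasons:
        level = "restricted"
    elif reasons or path.startswith("/internal/"):
        level = "internal use"
    else:
        level = "public releasable"
    share = "/" + path.split("/")[1] + "/"     # top-level share decides the roles
    data_owner, system_owner = owners.get(share, ("unassigned", "unassigned"))
    return Tag(path, level, reasons, data_owner, system_owner)

def crawl(files: dict, owners: dict) -> list:
    """Walk a share (a constructed path -> contents dict here) and tag every file."""
    return [classify(p, t, owners) for p, t in sorted(files.items())]

# Constructed sample share; 4111 1111 1111 1111 is a widely used test card number.
SAMPLE_FILES = {
    "/internal/hr/payroll.txt": "Employee 123-45-6789 paid to card 4111 1111 1111 1111.",
    "/internal/sales/leads.csv": "name,email\nJane Doe,jane@example.com",
    "/public/site/press.txt": "Press release: order 1234567890123 has shipped.",
}
OWNERS = {"/internal/": ("HR business partner", "file-server admin"),
          "/public/": ("marketing", "web team")}
```

Running `crawl(SAMPLE_FILES, OWNERS)` tags the payroll file restricted (SSN and card number), the leads file internal use (email only), and the press release public releasable, since its 13-digit order number fails the Luhn check.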
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂 (Think simple, fast, effective and something everyone can do!)
Close the cybersecurity workforce gap! There’s a place for everyone on the cybersecurity team. You don’t have to be technical and you don’t have to know how to code. Passion, curiosity, and drive are the main ingredients to achieve cybersecurity mastery. It’s been said if you know cybersecurity you have a guaranteed job for life. Tell a friend and inspire someone to get into cyber!
How can our readers further follow your work online?
You can find me on LinkedIn https://www.linkedin.com/in/jason-shockey/. Please check out our website and sign up for our newsletter at https://mycyberpath.com/ and please follow MyCyberPath on LinkedIn at https://www.linkedin.com/company/mycyberpath.
This was very inspiring and informative. Thank you so much for the time you spent with this interview!