Future of Data Security

PODCAST · technology

Welcome to Future of Data Security, the podcast where industry leaders come together to share their insights, lessons, and strategies on the forefront of data security. Each episode features in-depth interviews with top CISOs and security experts who discuss real-world solutions, innovations, and the latest technologies that are shaping the future of cybersecurity across various industries. Join us to gain actionable advice and stay ahead in the ever-evolving world of data security.

  1. 40

    EP 35 — Snyk's Kate Helin on Governing Agentic AI before the Regulatory Guidance Catches Up

    Kate Helin, Legal Director of Privacy & Data Security at Snyk, argues that agents have already become the biggest security risk in most enterprise tech stacks, and that most organizations are not set up to address it. The core problem is not a lack of controls. It is that no single function has full visibility into how agents behave. Kate's approach is to convene legal, security, R&D, and GRC before any mitigation decision is made, because legal cannot counsel on obligations until the technical teams explain how the technology actually works. The composition of that conversation determines whether the resulting control is technical, human, or both.

    Kate also draws a direct line from GDPR implementation to today's AI governance challenges. She describes how building privacy programs under early GDPR, when implementation details were absent and community norms had to substitute for regulatory guidance, prepared her to operate in the same conditions now present in AI. Her operating principle is to meet the spirit of the law when the prescriptive details have not been written yet.

    Topics discussed:

    - Why agentic AI has become the biggest current security risk across most enterprise tech stacks
    - Structuring cross-functional roundtables across legal, security, R&D, and GRC before agentic risk controls are selected
    - How early GDPR implementation under regulatory ambiguity prepared privacy counsel for today's AI governance challenges
    - Applying the spirit of the law when prescriptive AI regulation has not yet been written or enforced
    - Why technology consistently outpaces regulation and what that means for security teams building compliant programs today
    - Using AI as a distillation tool for complex legal and security analysis while maintaining human-in-the-loop validation
    - Why junior lawyers and engineers still need mentorship to develop judgment that AI-generated outputs cannot replace

  2. 39

    EP 34 — Cyderes’ Stephen Fridakis on Ephemeral Credentials and Just-in-Time Access

    Stephen Fridakis, CISO in Residence at Cyderes, comes to this conversation with a framework that cuts against how most security teams still operate: stop thinking about perimeters, start thinking about consequences. His argument is that the question of "are we secure or not" is not just unhelpful, it's the wrong unit of measurement entirely, and he offers a more honest alternative built around what an organization can afford to lose versus what must never leave.

    Stephen makes a precise and underappreciated case for why shadow AI is fundamentally different from every other control problem a CISO has faced. Once sensitive data is submitted to a public model, it is embedded, transformed, and learned. There is no rollback. The most effective response is not detection after the fact but building organizational awareness before the decision to submit is ever made. He also breaks down why static trust models have collapsed under AI, arguing that just-in-time data access and ephemeral credentials are no longer aspirational, they are necessary, and why past behavior can no longer serve as a proxy for future safety.

    Topics discussed:

    - Reframing CISO governance around consequence management rather than perimeter defense or binary secure/not-secure assessments
    - Applying the afford-to-lose framework to prioritize finite security budgets against the data that matters most
    - Understanding AI irreversibility as a distinct control problem where sensitive data submitted to public models cannot be retrieved
    - Shifting shadow AI strategy from post-submission detection to pre-decision awareness building across the organization
    - Replacing static role-based trust models with context-driven identity evaluation that accounts for data stage and purpose
    - Moving toward ephemeral credentials and just-in-time data access as the foundation of modern security architecture
    - Evaluating where AI delivers real operational value versus where uncontrolled use produces unreliable and unexplainable outputs
    - Advising new CISOs to build both technical depth and business fluency to avoid the most common leadership failure points

  3. 38

    EP 33 — TELUS’ Jesslyn Dymond on the Gap between AI Use and AI Literacy in Enterprise Adoption

    TELUS didn't wait for generative AI to arrive before building governance infrastructure. Jesslyn Dymond, Director of AI Governance & Data Ethics, joined the company in 2019 to stand up responsible AI practices alongside the machine learning teams building them, which meant that when generative AI hit, the governance scaffolding was already there. Jesslyn walks through the specific structures TELUS uses to govern AI at scale: a CEO-led AI board that includes the CIO, Chief AI Officer, and Chief Data and Trust Officer; a network of hundreds of data stewards embedded across business units and appointed by VPs; and a unified intake process called a Data Enablement Plan that consolidates privacy, security, and responsible AI review into a single workflow instead of separate forms and sign-offs.

    Jesslyn also shares how TELUS certified its first generative AI customer support tool to the international Privacy by Design standard and then had it independently audited, and what that process required the team to work through on transparency and user experience. She makes a pointed case for why shadow AI is best addressed with access to better internal tools rather than policy restriction alone, explains how her team grades levels of agency within their agentic AI framework to determine what controls need to be in place before approving systems, and describes how TELUS took the concept of purple teaming out of the security world and applied it to AI governance, including running those sessions with students and the general public.

    Topics discussed:

    - Building proactive AI governance infrastructure before adoption by embedding responsible AI practices alongside ML development teams
    - Structuring enterprise AI oversight through a CEO-led board including CIO, Chief AI Officer, and Chief Data and Trust Officer
    - Deploying VP-appointed data stewards across business units to connect governance policy with on-the-ground AI implementation
    - Consolidating privacy, security, and responsible AI review into a single Data Enablement Plan to reduce friction and improve compliance
    - Certifying a generative AI customer support tool to the international Privacy by Design standard and navigating external audit requirements
    - Grading levels of agency within an agentic AI framework to determine appropriate controls
    - Countering shadow AI by prioritizing internal tool access and functionality over policy restriction alone
    - Applying purple teaming from security practice to AI governance to test systems collaboratively across various teams

  4. 37

    EP 32 — Polymer's Yasir Ali on Team Composition over Talent When Scaling Interdependent Platforms

    Polymer's runtime security approach operates at the file and message level, intercepting content in real time within workflows like Slack and Zendesk to redact, block, or grant granular access based on specific entities found inside documents. This contrasts with traditional perimeter-based security where access is binary: you're either in the club or out. Yasir Ali, Founder & CEO of PolymerHQ DLP, explains how financial services has operated under workflow-level distrust for over a decade, with every file interaction requiring labeling and ethical wall policies between trading and investment banking divisions, and why the rest of the enterprise world is finally moving toward this model.

    Yasir also touches on a critical gap in current security architectures: control planes across network, identity, and content layers don't communicate with each other. His team works to triangulate telemetric data from tools like Zscaler with Polymer's ground-level content controls, creating unified policy layers without forcing organizations into single-vendor platforms. He also addresses a tension in AI-powered security: probabilistic detection models work well for entity recognition, but policy enforcement must remain deterministic. You can't have AI deciding some days to block sensitive data and other days letting it through.

    Topics discussed:

    - Implementing runtime security at file and message level to enable partial document sharing based on entity-level access policies
    - Solving the binary sharing problem in unstructured datasets where traditional security forces all-or-nothing file access
    - Adopting the financial services workflow-level distrust model that requires labeling and ethical wall policies for all file interactions
    - Addressing enterprise AI adoption barriers through proper identity modeling for non-human agents and machine-to-machine interactions within IAM systems
    - Triangulating telemetric data across network, identity, and content control planes to create unified policy layers without vendor lock-in
    - Balancing probabilistic AI detection models for entity recognition with deterministic policy enforcement to maintain response certainty
    - Building enterprise software teams by prioritizing cultural fit and collaboration ability over hiring 10x engineers

  5. 36

    EP 31 — Arbor Memorial's Teij Janki on Why Adding AI before Fixing Process Amplifies Weaknesses

    Teij Janki, CISO & Director of IT Governance Risk & Compliance at Arbor Memorial, has spent 30 years moving through the full stack of security, and his view is that the sequencing most teams follow is backwards. His principle is that technology does not solve processes, it amplifies them. That means deploying a tool before fixing the underlying process weakness just scales the problem. The implication for AI adoption is direct and worth hearing spelled out.

    On the budget side, Teij makes a case that privacy legislation is a more reliable governance lever than cybersecurity risk alone because privacy laws carry consequences that executive teams will actually act on. He also walks through the gating sequence his team built for AI tool adoption wherein sensitive data gets slowed down and scrutinized, lower-sensitivity use cases move through faster, and staff have a service catalog to work from rather than a blanket ban.

    Topics discussed:

    - Applying a people-process-technology sequence to security programs before introducing AI or automation tooling
    - Using privacy legislation as an executive governance lever when cybersecurity risk alone fails to drive budget decisions
    - Building a gating sequence for AI tool adoption that separates sensitive from low-sensitivity data use cases
    - Replacing blanket AI bans with a structured service catalog that lets staff self-select and move tools through approval
    - Identifying process weaknesses before deploying technology to avoid amplifying existing security vulnerabilities at scale
    - Progressing security from a technical cost center to a strategic business enabler using the CMMI maturity model
    - Applying martial arts principles of discipline, clear expectations, and target-setting to cybersecurity team leadership
    - Evaluating where generative AI delivers in security operations versus where magical thinking still outpaces real-world performance

  6. 35

    EP 30 — Postman's Sam Chehab on Three Unteachable Traits He Hires For

    At Postman's scale of 40 million developers generating billions of API requests, Sam Chehab, Head of Security & IT, centers on three enforcement domains: authenticated and encrypted data paths, zero-trust inter-service communication, and runtime instrumentation. His vendor evaluation is just as precise, cutting past feature lists to one demand: show me the architecture diagram and walk through exactly how your solution addresses my threat models.

    Sam identifies why generative AI creates fundamentally new risk: the combination of private data access, untrusted content processing, and external communication capability. This trifecta explains why browser-based AI is nearly impossible to contain; it touches local machines, queries the open web, and executes actions on your behalf. Sam also covers how he screens for three traits he can't train: initiative to self-direct research, attitude to absorb constant setbacks, and aptitude to process how rapidly this field moves.

    Topics discussed:

    - Implementing data path integrity, zero-trust inter-service authentication, and runtime instrumentation with immutable logs
    - Evaluating cybersecurity vendors by demanding architecture diagrams and specific threat model solutions rather than feature lists
    - Managing freemium platform security with anomaly detection, rate limiting, and abuse prevention across 40 million developers
    - Identifying AI security's dangerous trifecta: private data access, untrusted content processing, and external communication capabilities
    - Building MCP generators that enable least-privilege API servers by allowing developers to select only required methods before deployment
    - Using AI agents to generate security tests during development, shifting validation from security teams to automated testing
    - Applying security hygiene fundamentals before adopting specialized vendor solutions
    - Hiring security teams based on three unteachable traits: initiative, attitude, and aptitude

  7. 34

    EP 29 — Age of Learning's Carl Stern on Why Certifications Are Side Effects, Not Final Goals

    Carl Stern, VP of Information Security at Age of Learning, explains why forcing controls into place without executive alignment guarantees you'll fight uphill battles every single day, as people begin to see security as a blocker rather than a business enabler. Instead, he starts with identifying crown jewels and acceptable risk levels before selecting any frameworks or tools, ensuring the program fits company culture instead of working against it. He also asserts that certifications like HITRUST and SOC 2 validate you're already operating securely; the real program is the daily processes people follow because they understand why, not compliance theatre.

    Carl also argues the cybersecurity industry exists at its current scale because of a systemic failure: companies ship insecure software without liability, pushing security costs downstream. Most breaches exploit preventable defects that should never reach production, not sophisticated zero-days.

    Topics discussed:

    - Building security programs from scratch versus inheriting existing programs and why executive alignment prevents daily uphill battles
    - Treating certifications as validation of operational security rather than the primary program goal
    - Pairing administrative controls with technical monitoring to establish baselines before enforcement for unstructured data security policies
    - Applying three-part investment calculus for lean teams: measurable risk reduction, manual work automation, and crown jewel protection
    - Calculating true cost of 24/7 internal SOC coverage including shift staffing, turnover, training, and tooling versus managed services
    - Why attack patterns remain consistent across healthcare, education, gaming, and retail despite different compliance requirements
    - Explaining how AI lowers the barrier for exploit development and expands zero-day risk beyond traditional high-value enterprise targets
    - Arguing that the cybersecurity industry exists at current scale because companies ship insecure software without liability, pushing costs downstream

  8. 33

    EP 28 — National Bank's Andre Boucher on Managing AI without Shadow IT Friction

    André Boucher, SVP Technology and Information Security (CTO/CISO) at National Bank of Canada, managed the transition from commanding Canadian Forces Cyber Command to leading security at a systemically important financial institution by recognizing that governance expertise matters more than technical depth at scale. His approach to shadow AI involves enabling experimentation early with secure platforms that business teams actually prefer, reducing the appeal of unauthorized tools. Rather than aggressive detection that drives behavior underground, they created environments where innovation happens within guardrails. This shifts security from adversarial to collaborative, treating 31,000 employees as team participants rather than risks to manage.

    André emphasizes that data inventory across structured and unstructured environments remains the hardest unsolved problem, not because organizations lack tools but because they haven't achieved ecosystem maturity around taxonomy and classification. He explains why third-party risk management is reaching crisis levels as major vendors embed AI features without notice or transparency, creating blind spots in supply chains that regulatory frameworks can't yet address.

    Topics discussed:

    - The translation of military governance and strategy frameworks into private sector security at systemically important financial institutions.
    - Shadow AI management through platform enablement and secure experimentation rather than detection and prevention tactics.
    - Data inventory and classification as the foundational challenge most organizations underestimate despite its criticality for AI governance.
    - The board strategy mandate versus grassroots adoption pressure dynamic and how platform teams bridge the gap without creating friction.
    - Third-party risk amplification as vendors embed AI features without transparency, notice, or updated contractual language.
    - How awareness training reaches its limits when synthetic actors become indistinguishable from humans in video communications.
    - AI use cases in security tooling focused on modeling normal behavior and reducing triage burden rather than autonomous response.
    - Building high-performing security teams around ethics, mission, and non-linear career experience rather than purely technical credentials.
    - Treating employees as security team participants at scale and how that shifts organizational dynamics from adversarial to collaborative.

  9. 32

    EP 27 — Turntide's Paul Knight on Zero Trust for Unpatchable Production Systems

    When manufacturers discover their IP and other valuable data points have been encrypted or deleted, the company faces existential risk. Paul Knight, VP Information Technology & CISO at Turntide, explains why OT security operates under fundamentally different constraints than IT: you can't patch legacy systems when regulatory requirements lock down production lines, and manufacturer obsolescence means the only "upgrade" path is a pricey machine replacement. His zero trust implementation focuses on compensating controls around unpatchable assets rather than attempting wholesale modernization. Paul's crown jewel methodology starts with regulatory requirements and threat actor motivations specific to manufacturing.

    Paul also touches on how AI testing delivered 300-400% speed improvements analyzing embedded firmware logs and identifying real-time patterns in test data, eliminating the Monday-morning bottleneck of manual log review. Their NDA automation failed on consistency, revealing the current boundary: AI handles quantitative pattern detection but can't replace judgment-dependent tasks. Paul warns the security industry remains in the "sprinkling stage" where vendors add superficial AI features, while the real shift comes when threat actors weaponize sophisticated models, creating an arms race where defensive operations must match offensive AI processing power.

    Topics discussed:

    - Implementing zero trust architecture around unpatchable legacy OT systems when regulatory requirements prevent upgrades
    - Identifying manufacturing crown jewels through threat actor motivation analysis, like production stoppage and CNC instruction sets
    - Achieving 300-400% faster embedded firmware testing cycles using AI for real-time log analysis and pattern detection in test data
    - Understanding AI consistency failures in legal document automation where 80% accuracy creates liability rather than delivering value
    - Applying compensating security controls when manufacturer obsolescence makes the only upgrade path a costly replacement
    - Navigating the current "sprinkling stage" of security AI where vendors add superficial features rather than reimagining defensive operations
    - Preparing for AI-driven threat landscape evolution where offensive operations force defensive systems to match sophisticated model processing power
    - Building trust frameworks for AI adoption when executives question data exposure risks from systems requiring high-level access

  10. 31

    EP 26 — Handshake's Rupa Parameswaran on Mapping Happy Paths to Catch AI Data Leakage

    Rupa Parameswaran, VP of Security & IT at Handshake, tackles AI security by starting with mapping happy paths: document every legitimate route for accessing, adding, moving, and removing your crown jewels, then flag everything outside those paths. When vendors like ChatGPT inadvertently get connected to an entire workspace instead of individual accounts (scope creep that she's witnessed firsthand), these baselines become your detection layer. She suggests building lightweight apps that crawl vendor sites for consent and control changes, addressing the reality that nobody reads those policy update emails.

    Rupa also reflects on the data labeling bottlenecks that block AI adoption at scale. Most organizations can't safely connect AI tools to Google Drive or OneDrive because they lack visibility into what sensitive data exists across their corpus. Regulated industries handle this better, not because they're more sophisticated, but because compliance requirements force the discovery work. Her recommendation for organizations hitting this wall is self-hosted solutions contained within a single cloud provider rather than reverting to bare metal infrastructure. The shift treats security as quality engineering, making just-in-time access and audit trails the default path, not an impediment to velocity.

    Topics discussed:

    - Mapping happy paths for accessing, adding, moving, and removing crown jewels to establish baselines for anomaly detection systems
    - Building lightweight applications that crawl vendor websites to automatically detect consent and control changes in third-party tools
    - Understanding why data labeling and discovery across unstructured corpus databases blocks AI adoption beyond pilot stage deployments
    - Implementing just-in-time access controls and audit trails as default engineering paths rather than friction points for development velocity
    - Evaluating self-hosted AI solutions within single cloud providers versus bare metal infrastructure for containing data exposure risks
    - Preventing inadvertent workspace-wide AI integrations when individual account connections get accidentally expanded in scope during rollouts
    - Treating security as a pillar of quality engineering to make secure options easier than insecure alternatives for teams
    - Addressing authenticity and provenance challenges in AI-curated data where validation of truthfulness becomes nearly impossible currently

  11. 30

    EP 25 — Cybersecurity Executive Arvind Raman on Hand-in-Glove CDO-CISO Partnership

    Arvind Raman, a board-level cybersecurity executive who has held CISO roles at BlackBerry and Mitel, rebuilt cybersecurity from a compliance function into a business differentiator. His approach reveals why organizations focusing solely on tools miss the fundamental issue: without clear data ownership and accountability, no technology stack solves visibility and control problems. He identifies the critical blind spot that too many enterprises overlook in their rush to adopt AI and cloud services without proper governance frameworks, particularly around well-meaning employees who create insider risks through improper data usage rather than malicious intent.

    The convergence of cyber risk and resilience is reshaping CISO responsibilities beyond traditional security boundaries. Arvind explains why quantum readiness requires faster encryption agility than most organizations anticipate, and how machine-speed governance will need to operate in real time, embedded directly into tech stacks and business objectives by 2030.

    Topics discussed:

    - How cybersecurity evolved from compliance checkboxes to business enablement and resilience strategies that boards actually care about.
    - The critical blind spots in enterprise data security, including unclear data ownership, accountability gaps, and insider risks.
    - How shadow AI creates different risks than shadow IT, requiring governance committees and internal alternatives, not prohibition.
    - Strategies for balancing security with innovation speed by baking security into development pipelines and business objectives.
    - Why AI functions as both threat vector and defensive tool, particularly in detection, response, and autonomous SOC capabilities.
    - The importance of data governance frameworks that define what data can enter AI models, with proper versioning, testing, and monitoring.
    - How quantum computing readiness requires encryption agility much faster than organizations anticipate.
    - The emerging convergence of cyber risk and resilience, eliminating silos between IT security and business continuity.
    - Why optimal CISO reporting structures depend on organizational maturity and industry.
    - The rise of Chief Data Officers and their partnerships with CISOs for managing data sprawl, ownership, and holistic risk governance.

  12. 29

    EP 24 — Apiiro's Karen Cohen on Emerging Risk Types in AI-Generated Code

    AI coding assistants are generating pull requests with 3x more commits than human developers, creating a code review bottleneck that manual processes can't handle. Karen Cohen, VP of Product Management at Apiiro, warns that AI-generated code introduces different risk patterns, particularly around privilege management, that are harder to detect than traditional syntax errors. Her research shows the shift from surface-level bugs to deeper architectural vulnerabilities that slip through code reviews, making automation not just helpful but essential for security teams.

    Karen’s framework for contextual risk assessment evaluates whether vulnerabilities are actually exploitable by checking if they're deployed, internet-exposed, and tied to sensitive data, moving beyond generic vulnerability scores to application-specific threat modeling. She argues developers overwhelmingly want to ship quality code, but security becomes another checkbox when leadership doesn't prioritize it alongside feature delivery.

    Topics discussed:

    - AI coding assistants generating 3x more commits per pull request, overwhelming manual code review processes and security gates.
    - Shift from syntax-based vulnerabilities to privilege management risks in AI-generated code that are harder to identify during reviews.
    - Implementing top-down and bottom-up security strategies to secure executive buy-in while building grassroots developer credibility and engagement.
    - Contextual risk assessment framework evaluating deployment status, internet exposure, and secret validity to prioritize app-specific vulnerabilities beyond CVSS scores.
    - Transitioning from siloed AppSec scanners to unified application risk graphs that connect vulnerabilities, APIs, PII, and AI agents.
    - Developer overwhelm driving security deprioritization when leadership doesn't communicate how vulnerabilities impact real end users and business outcomes.
    - Future of code security involving agentic systems that continuously scan using architecture context and real-time threat intelligence feeds.
    - Balancing career growth by choosing scary positions with psychological safety and gaining experience as both independent contributor and team player.

  13. 28

    EP 23 — IBM's Nic Chavez on Why Data Comes Before AI

    When IBM acquired DataStax, they inherited an experiment that proved something remarkable about enterprise AI adoption. Project Catalyst gave everyone in the company — not just engineers — a budget to build whatever they wanted using AI coding assistants. Nic Chavez, CISO of Data & AI, explains why this matters for the 99% of enterprise AI projects currently stuck in pilot purgatory: technical barriers for creating useful tools have collapsed.

    As a member of the World Economic Forum's CISO reference group, Nic has visibility into how the world's largest organizations approach AI security. The unanimous concern is that employees are accidentally exfiltrating sensitive data into free LLMs faster than security teams can deploy internal alternatives. The winning strategy isn't blocking external AI tools, but deploying better internal options that employees actually want to use.

    Topics discussed:

    - Why less than 1% of enterprise AI projects move from pilot to production.
    - How vendor push versus customer pull dynamics create misalignment with overall enterprise strategy.
    - The emergence of accidental data exfiltration as the primary AI security risk when employees dump confidential information into free LLMs.
    - How Project Catalyst democratized AI development by giving non-technical employees budgets to build with coding assistants, proving the technical barrier for useful tool creation has dropped dramatically.
    - The strategy of making enterprise AI "the cool house to hang out at" by deploying internal tools better than external options.
    - Why the velocity gap between attackers and enterprises in AI deployment comes down to procurement cycles versus instant hacker decisions for deepfake creation.
    - How the World Economic Forum's Chatham House rule enables CISOs from the world's largest companies to freely exchange ideas about AI governance without attribution concerns.
    - The role of LLM optimization in preventing super intelligence trained on poisoned data by establishing data provenance verification.
    - Why Anthropic's copyright settlement signals the end of the “ask forgiveness not permission” approach to training data sourcing.
    - How edge intelligence versus cloud centralization decisions depend on data freshness requirements and whether streaming updates from vector databases can supplement local models.

  14. 27

    EP 22 — Databricks' Omar Khawaja on Why Inertia Is Security's Greatest Enemy

    What if inertia — not attackers — is security's greatest enemy? At Databricks, CISO Omar Khawaja transformed this insight into a systematic approach that flips traditional security thinking on its head and treats employees as assets rather than threats.

    Omar offers his T-junction methodology for breaking organizational inertia: instead of letting teams default to existing behaviors, he creates explicit decision points where continuing the status quo becomes impossible. This approach drove thousands of employees to voluntarily take optional security training in a single year.

    There’s also Databricks' systematic response to AI security chaos. Rather than succumb to "top five AI risks" thinking, Omar's team catalogued 62 specific AI risks across four subsystems: data operations, model operations, serving layer, and unified governance. Their public Databricks AI Security Framework (DASF) provides enterprise-ready controls for each risk, moving beyond generic guidance to actionable frameworks that work regardless of whether you're a Databricks customer.

    Topics discussed:

    - The T-Junction Framework to systematically break organizational inertia by eliminating default paths and forcing explicit decision-making
    - Human risk management strategy of moving to behavior-driven programs that convert employees from liabilities to champions
    - 62-Risk AI security classifications of data layer, model operations, serving layer, and governance risks with specific controls for each
    - Methods for understanding true organizational risk appetite across business units, including the "double-check your math" approach
    - Four-component agent definition and specific risks emerging from chain-of-thought reasoning and multi-system connectivity
    - Why "AI strategy" creates shiny object syndrome and how to instead use AI to accelerate existing business strategy

  15. 26

    EP 21 — Sendbird's Yashvier Kosaraju on Creating Shared Responsibility Models for AI Data Security

    Sendbird had AI agents take backend actions on behalf of customers while processing sensitive support data across multiple LLM providers. This required building contractual frameworks that prevent customer data from training generic models while maintaining the feedback loops needed for enterprise-grade AI performance.

    CISO Yashvier Kosaraju walks Jean through their approach to securing agentic AI platforms that serve enterprise customers. Instead of treating AI security as a compliance checkbox, they've built verification pipelines that let customers see exactly what decisions the AI is making and adjust configurations in real-time.

    But the biggest operational win isn't replacing security analysts: it's eliminating query languages entirely. Natural language processing now lets incident responders ask direct questions like "show me when Yash logged into his laptop over the last 90 days" instead of learning vendor-specific syntax. This cuts incident response time while making it easier to onboard new team members and switch between security tools without retraining.

    Topics discussed:

    - Reframing zero trust as explicit and continuously verified trust rather than eliminating trust entirely from security architectures.
    - Building contractual frameworks with LLM providers to prevent customer data from training generic models in enterprise AI deployments.
    - Implementing verification pipelines and feedback loops that allow customers to review AI decisions and adjust agentic configurations.
    - Using natural language processing to eliminate vendor-specific query languages during incident response and security investigations.
    - Managing security culture across multicultural organizations through physical presence and collaborative problem-solving approaches rather than enforcement.
    - Addressing shadow AI adoption by understanding underlying problems employees solve instead of punishing policy violations.
    - Implementing shared responsibility models for AI data security across LLM providers, platform vendors, and enterprise customers.
    - Prioritizing internal employee authentication and enterprise security basics in startup scaling patterns from zero to hundred employees.

  16. 25

    EP 20 — MoonPay's Doug Innocenti on The Gut Instinct Gap in AI Security Operations

    What happens when you scale a crypto company across 160+ countries while maintaining the same security standards as Wells Fargo? At MoonPay, it meant rethinking how traditional banking security translates to high-velocity fintech environments. Doug Innocenti, CISO, breaks down how his team achieved PCI, SOC 2 Type 2, and regulatory licenses like BitLicense and MiCA without slowing product development. The secret is the ability to test multiple security tools in parallel and pivot quickly when something isn't working.

    But velocity alone isn't enough, he cautions Jean. Doug's approach to AI in security reveals a critical insight: although AI-powered tools can dramatically reduce SOC response times and automate incident analysis, the "gut instinct gap" remains. His team uses AI to enable faster decisions, not replace human judgment — especially when patterns don't match what the algorithms expect to see.

    Topics discussed:

    - Maintaining bank-level security posture while enabling startup velocity through security-first architecture and platform design principles.
    - Scaling compliance across 160+ countries using pre-built infrastructure that accommodates PCI, SOC 2, BitLicense, and MiCA requirements.
    - Implementing parallel security tool testing to accelerate vendor evaluation and avoid bureaucratic delays in enterprise environments.
    - Adopting next-generation DLP solutions like DoControl that use AI-powered business intelligence for dynamic data boundary creation.
    - Balancing insider threat monitoring with external threat defense through compensating controls and rapid reaction capabilities.
    - Managing AI adoption risks while embracing acceleration benefits through defensive technology investment and vendor selection criteria.
    - Using AI-enhanced SOC and SIEM operations to reduce incident response times while preserving human judgment for pattern recognition.
    - Building transparent security culture where all employees become security professionals rather than maintaining background security operations.

  17. 24

    EP 19 — Cribl's Myke Lyons on Data Hierarchies That Cut Security Costs

    Myke Lyons brings an unconventional background to cybersecurity leadership, having trained as a chef before discovering his passion for breaking and rebuilding IT systems. As CISO at Cribl, he applies culinary principles like mise en place to security operations while solving the fundamental economics problem facing every security team.

    The math is unforgiving, he tells Jean: data volumes grow at 28% annually while security budgets remain flat. Myke's solution involves intelligent data hierarchies that route critical authentication logs to expensive SIEM systems while automatically sending regulatory compliance data to cheaper cold storage, reducing costs by 70-80% through format optimization.

    Topics discussed:

    - The fundamental economics challenge of increasing annual data growth versus flat security budgets and how intelligent data hierarchies solve this by routing critical logs to expensive systems while storing compliance data in cheaper cold storage.
    - Smart data pipeline architecture that eliminates vendor lock-in by enabling simultaneous testing of multiple security technologies on identical datasets while maintaining complete data ownership across any storage platform.
    - Building security culture through partnership rather than punishment, including automated nudges for personal account security and micro-bonus rewards for completing security training.
    - AI agent implementation for automated phishing response that performs tier-two-level analysis, hunts across email environments, and provides cohesive incident summaries with risk ratings for security analysts.
    - The evolution from manual security operations to AI-powered automation, with predictions that full tier one analyst capabilities will be available within months for organizations with comprehensive security telemetry.
    - Data format optimization strategies that reduce log storage costs by 70-80% through UNIX timestamp conversion and elimination of redundant vendor-specific wrapper formats that create unnecessary data bloat.
    - Mise en place principles from professional kitchens applied to security incident response, treating procedures like recipes with clear preparation steps and proper tooling to reduce response time and improve consistency.
    - The importance of establishing data architecture early in security programs to avoid complicated remediation of poor data decisions that become exponentially more expensive to fix over time.
    - LLM integration for security operations including query writing assistance, pipeline creation, sensitive data redaction, and context-aware threat intelligence that reduces analyst toil and improves detection capabilities.

  18. 23

    Ask Jean – Why Doesn't 100% Data Coverage Equal 100% Protection?

    Welcome to a special edition of Future of Data Security, where our host Jean Le Bouthillier answers the top questions our listeners have asked us. In today's episode, Jean addresses why 100% data coverage doesn’t equal 100% protection.

    Would you like to have Jean answer one of your questions in a future episode? Email [email protected] with your question and a short summary of why you're looking for an answer!

  19. 22

    Ask Jean – How Does Data Visibility Transform Crisis into Calm?

    Welcome to a special edition of Future of Data Security, where our host Jean Le Bouthillier answers the top questions our listeners have asked us. In today's episode, Jean addresses how data visibility can turn crisis into calm.

    Would you like to have Jean answer one of your questions in a future episode? Email [email protected] with your question and a short summary of why you're looking for an answer!

  20. 21

    EP 18 — GW Law’s Robert Kang on Why Moving Too Slow With AI Creates Shadow Adoption

    Robert Kang, Professorial Lecturer of Cybersecurity & National Security, The George Washington University Law School, has been building enterprise cybersecurity programs since 2009, making him one of the “OG” practitioners when most organizations didn't even have dedicated cyber counsel. His unique perspective comes from protecting both critical infrastructure and social media platforms, highlighting how the same governance, risk management, and compliance framework applies across radically different threat landscapes.

    In his conversation with Jean, he shares why organizations face equal risks from implementing AI too quickly or prohibiting it entirely, and how complete AI prohibition drives employees to use personal accounts for business purposes, eliminating organizational oversight entirely. Robert's systematic approach to building relationships with law enforcement agencies before crisis situations emerge provides a practical framework most organizations ignore. From free services like InfraGard to subscription-based programs like the National Cyber Forensics Training Alliance, these partnerships deliver both threat intelligence and confidential channels for sharing information with federal agencies.

    Topics discussed:

    - The fundamental differences between protecting critical infrastructure versus social media platforms while using identical governance, risk management, and compliance frameworks.
    - Why complete AI prohibition creates shadow adoption risks where employees use personal accounts for business purposes, eliminating organizational oversight and control.
    - Building systematic relationships with law enforcement agencies through programs like InfraGard and the National Cyber Forensics Training Alliance before crisis situations emerge.
    - The evolution of enterprise cybersecurity legal programs from non-existent in 2009 to essential business functions requiring dedicated counsel and executive sponsorship.
    - How anticipating technology trends years in advance, rather than reacting to current adoption, positions cybersecurity professionals ahead of emerging threats.
    - Training methodologies for technology lawyers that combine legal knowledge with technical understanding of AI, cybersecurity, and privacy frameworks.
    - Essential certification pathways for legal professionals entering technology risk management including CC, CIPP, and AIGP credentials.
    - Government threat-intelligence-sharing programs ranging from free public services to subscription-based personalized assistance for specific industries.
    - Why law schools must teach both the law of AI and the technology of AI to prepare students for the transformed legal profession.

  21. 20

    Ask Jean - What's The Fastest Way To Reduce Data Security Risk?

    Welcome to a special edition of Future of Data Security, where our host Jean Le Bouthillier answers the top questions our listeners have asked us. In today's episode, Jean addresses the fastest way to reduce data security risk.

    Would you like to have Jean answer one of your questions in a future episode? Email [email protected] with your question and a short summary of why you're looking for an answer!

  22. 19

    EP 17 — Modern Health’s Michael Hensley on Healthcare Security Beyond HIPAA Compliance Checkboxes

    The healthcare industry's digital transformation has created unprecedented opportunities for patient care delivery, but it's also introduced complex security challenges that extend far beyond traditional compliance frameworks. Michael Hensley, Director of Cyber Security at Modern Health, brings a unique perspective to protecting private — and heavily regulated — health data while maintaining the innovation velocity essential for startup success. Healthcare security teams must balance regulatory requirements with business agility, creating frameworks that protect patients without stifling innovation.

    Michael's journey from professional musician to software engineer to cybersecurity leader shaped his understanding that effective security programs prioritize people and processes alongside technology investments. His approach demonstrates how healthcare organizations can build security frameworks that enable rather than restrict innovation, creating speedy review processes for new technologies while maintaining rigorous patient data protection standards. His conversation with Jean also explores the evolving landscape of healthcare cybersecurity, from shadow AI risks to the misconceptions surrounding HIPAA compliance.

    Topics discussed:

    - The fundamental difference between healthcare cybersecurity and other industries, focusing on real-world patient impact rather than just financial or reputational damage from data breaches.
    - Common misconceptions about HIPAA compliance, including the regulation's flexibility and how organizations must interpret general requirements based on their specific business models and patient populations.
    - How telehealth expansion created new security paradigms, enabling rapid service deployment through cloud-native platforms while introducing risks from easy misconfigurations and third-party integrations.
    - Shadow AI emergence in healthcare environments where employees seek productivity gains through unauthorized AI tools, potentially exposing patient data to non-compliant platforms without understanding regulatory implications.
    - Organizational strategies for safe AI adoption in regulated industries, including dedicated review processes, governance committees, and internal tool development that unlocks productivity while maintaining compliance.
    - The evolution from traditional on-premises healthcare security models to cloud-native architectures where services can be deployed with minimal friction but require sophisticated guardrails to prevent data exposure.
    - Advanced approaches to vendor risk management in healthcare technology, balancing the need for third-party integrations with rigorous security and compliance vetting processes.
    - Why effective cybersecurity programs treat people and processes as equally important to technology investments, focusing on ownership models and operational sustainability rather than just tool deployment.
    - Building security teams that enable business objectives through speedy review processes and treating compliance requests as first-class problems rather than obstacles to innovation.

  23. 18

    Ask Jean - How Does GenAI Reshape Data Security Risk?

    Welcome to a special edition of Future of Data Security, where our host Jean Le Bouthillier answers the top questions our listeners have asked us. In today's episode, Jean addresses how GenAI is reshaping data security risk.

    Would you like to have Jean answer one of your questions in a future episode? Email [email protected] with your question and a short summary of why you're looking for an answer!

  24. 17

    EP 16 — KPMG’s Orson Lucas on Why One-Time Security Investments Tend to Fail

    The world of data security has fundamentally changed, yet many organizations still approach it as a one-time project rather than an ongoing journey. In this episode of The Future of Data Security, Orson Lucas, Principal at KPMG, draws on his 20+ years of experience to challenge the "one-and-done" approach that dooms many security initiatives. After witnessing the evolution from obscure privacy regulations to strategic business differentiators, Orson walks Jean through why even the most sophisticated organizations struggle with fundamental data governance and how the rise of AI assistants is creating unprecedented new risks.

    Orson discusses why privacy is fundamentally a data governance problem, how to balance comprehensive security with practical investment limits, and why the most effective security strategies build on existing technology ecosystems rather than creating parallel systems. He also shares candid insights about how AI assistants like Microsoft Copilot are changing the risk equation by inheriting user permissions to access sensitive data that humans would never realistically browse through.

    Topics discussed:

    - The critical shift from viewing data security as a one-time project to an ongoing journey requiring continuous investment, as threat landscapes constantly evolve even when controls remain static.
    - Why fundamental data discovery (what you have, where it is, how it flows) remains the most challenging yet essential foundation for effective security, with organizations often attempting to "boil the ocean" rather than taking a risk-based approach.
    - The evolution of enterprise security governance structures, with privacy teams increasingly functioning as second-line policy setters while security teams handle operational implementation.
    - How "hanging access" creates major security vulnerabilities when departed employees leave behind orphaned permissions with no clear ownership, especially in unstructured data environments.
    - The emerging risk paradigm where AI assistants inherit user permissions but access far more data than humans realistically would, turning theoretical access risks into actual exposure.
    - Practical strategies for managing shadow AI by creating internal, managed alternatives that provide similar functionality with proper security guardrails rather than simply blocking innovation.
    - Why effective security strategies often build upon existing technology investments rather than creating parallel systems, using tools like DLP for broader data discovery purposes.
    - The limitations of viewing data residency as merely a compliance checkbox, with more sophisticated organizations focusing on broader supply chain integrity and provenance issues.
    - How balanced security partnerships require understanding stakeholder priorities across legal, privacy, security, data governance and marketing teams to achieve organizational alignment.
    - Approaches for managing third-party risk as vendors increasingly integrate AI features without proper opt-in controls or transparency about data usage for model training.

  25. 16

    EP 15 — Morgan Stanley's Faith Rotimi-Ajayi on AI as Security's "Double Agent"

    The security landscape has radically shifted from "if you get breached" to "when you get breached" — and Morgan Stanley's approach to data protection reflects this fundamental change in mindset. In this episode of The Future of Data Security, Faith Rotimi-Ajayi, AVP of Operational Risk, discusses how sophisticated attackers are now researching and targeting specific financial institutions rather than relying on opportunistic attacks.

    Faith tells Jean why social engineering attacks have evolved to target entire family units, including compromising newborns' Social Security numbers for future fraud, and why third-party risk management demands rigorous new approaches as vendors increasingly implement AI without adequate security governance. She also shares her experience implementing dedicated AI governance committees, using risk-based authentication that adjusts friction based on user behavior analysis, and how the pandemic accelerated zero trust implementation by eliminating location-based security models.

    Topics discussed:

    - The challenges of maintaining operational resilience against increasingly sophisticated targeted attacks rather than merely opportunistic ones in the financial sector.
    - The evolution of third-party risk management as attackers now strategically target trusted vendors to gain backdoor access to financial environments.
    - How AI functions as a "double agent" in security, enhancing defensive capabilities while simultaneously enabling sophisticated deep fakes and voice cloning attacks.
    - The emergence of shadow AI and strategies to mitigate risks through dedicated AI governance committees and internal alternative applications.
    - Why regulatory compliance is an innovation driver rather than an obstacle, using frameworks like GDPR, GLBA, and DORA as baselines for robust security programs.
    - Implementing security-by-design principles and risk-based authentication that adjusts friction based on context rather than applying uniform controls.
    - Using user behavior analysis (UBA) and indicators of compromise (IOCs) to create security measures that don't interrupt legitimate user activities.
    - How the pandemic accelerated zero trust implementation by eliminating location-based security models and forcing more sophisticated endpoint security approaches.
    - The importance of creating business-aligned data security frameworks that prioritize based on risk exposure rather than applying uniform protection.
    - Why Faith emphasizes continuous monitoring and testing alongside preventative controls to maintain 24/7 visibility across distributed environments.

  26. 15

    EP 14 — ruby’s George Al-Koura on Why Your Third-Party Security Audits Aren't Enough

    "If you aren't investing in penetration testing, if you aren't investing in having external auditing and third party reporting like gray and black box type testing, you're leaving your program extremely exploitable because you're just admiring the beauty of your own ideas." This blunt assessment from George Al-Koura, CISO at ruby, encapsulates his refreshingly practical approach to data security.

    In this episode of The Future of Data Security, George challenges conventional wisdom by predicting a major shift back to controlled data centers as organizations struggle with securing AI implementations in the cloud. He reflects on why no one has successfully created secure LLMs that can safely communicate with the open web, exposes the growing threat of "force-enabled" AI tools being integrated without proper consent, and explains why technical skills are actually the easiest part of building an effective security team. With threat actors now operating with enterprise-level organization and sophistication, George also shares battle-tested strategies for communicating risk effectively to boards and establishing security programs that can withstand sophisticated attacks.

    Topics discussed:

    - How skills from signals intelligence directly transfer to cybersecurity leadership, particularly the ability to provide concise risk-based analysis and make decisive decisions under pressure.
    - The challenge of getting organizations to invest in data security beyond compliance standards, while facing increasingly sophisticated threat actors who operate with enterprise-level organization.
    - The importance of establishing clear leadership accountability with properly designated roles (RACI), investing in appropriate technology, and implementing rigorous third-party auditing beyond certification standards.
    - The gradual shift in board attitudes toward cybersecurity as a top-level concern, and how security leaders can effectively articulate business risk to secure necessary resources.
    - How privacy requirements are increasingly driving security investments, creating a data-centric risk management framework that requires security leaders to articulate both concerns.
    - The struggle to securely deploy LLMs that can communicate with the open web while protecting sensitive data, paired with the trend of returning to controlled data center environments.
    - How major platforms are integrating AI capabilities with minimal user consent, creating shadow AI risks and forcing security teams to develop agile assessment processes.
    - Looking beyond technical skills to prioritize integrity, work ethic, problem-solving ability, and social integration when forming security teams that can handle high-pressure situations.

  27. 14

    EP 13 — Early Warning's Daniel Maynard on AI Governance and Data Risk Management

    In this insightful episode of The Future of Data Security, Jean Le Bouthillier speaks with Daniel Maynard, VP of Privacy and Data Risk Management & CPO at Early Warning, who shares his journey from law to privacy and offers a practical framework for assessing AI implementation risks — distinguishing between controllable technical risks and more complex model provenance concerns.

    Daniel tells Jean about the critical challenges facing financial institutions, including data quality issues, AI ethics considerations, and the paradox of balancing fraud prevention with privacy protection. Daniel provides actionable governance strategies for managing shadow AI, addresses emerging threats from AI-powered fraud, and offers valuable insights on the evolving regulatory landscape. His balanced approach emphasizes documented risk assessment processes while acknowledging varying organizational risk tolerances.

    Topics discussed:

    - The importance of data quality as a foundation for all other security and privacy initiatives in financial services.
    - Emerging challenges with AI ethics and trust, particularly regarding data provenance and transparency in model development.
    - Practical governance frameworks for implementing AI tools while documenting risk-based decision processes with executive buy-in.
    - Model provenance risks and IP concerns when using AI tools to create potentially valuable intellectual property.
    - Shadow AI challenges and strategies for managing employee use of AI tools while maintaining appropriate security controls.
    - File access risks with AI assistants that can search through user-accessible content more thoroughly than humans typically would.
    - The paradoxical relationship between stronger fraud protections and potential negative privacy impacts from increased data collection.
    - Predictions about federal AI regulation in the United States versus the more restrictive approach seen in Europe.
    - Career advice for privacy professionals, including gaining cross-functional experience and maintaining a positive, problem-solving mindset.

  28. 13

    EP 12 — Cyderes’ Patrick Carter on Data Tagging As the Missing Link in GenAI Security Strategy

    Within just four hours of implementing controls at one healthcare organization, Patrick Carter, Sr. Practice Director at Cyderes, and his team caught an employee secretly selling sensitive patient data. Patrick doesn't just tell Jean his war stories, however — he provides a practical framework for quantifying security risks using the FAIR model and sounds the alarm on shadow AI becoming the single biggest threat to data security. From discovering that 10% of AI-generated code contains vulnerabilities to developing detection tools for unauthorized AI usage, Patrick offers a masterclass in navigating both the dangers and opportunities of AI for security leaders.

    Topics discussed:

    - Building a specialized data protection practice from the ground up, with insights into how Patrick scaled his team to 40 consultants while maintaining excellence in service delivery.
    - The dual challenge organizations face with data security: understanding complex compliance requirements and gaining visibility into what sensitive data exists in their environments, where it's stored, and how it moves.
    - Shadow AI emerging as the most significant threat to data security in 2025, with statistics showing 60% of employees using free AI platforms and approximately 10% of prompts containing sensitive data.
    - Using the FAIR risk model to translate complex security concepts into quantifiable financial impacts that help CISOs make data-driven investment decisions.
    - A real-world case study where implementing data tagging and DLP controls uncovered an internal data theft operation at a healthcare organization within just four hours of deployment.
    - The strategic integration of AI into service delivery, including developing an AI agent that functions as a Level 1 data analyst for managed DLP services.
    - The critical importance of follow-through in professional growth, and how it’s the single most important trait for success in the cybersecurity field.

  29. 12

    EP 11 — Exabeam’s Kevin Kirkwood on Advanced Attack Detection with UEBA

    The cybersecurity landscape is entering an AI arms race, and Kevin Kirkwood, CISO at Exabeam, is on the frontlines building defenses that can match the speed of machine-powered threats. As Exabeam's "Customer Zero," Kevin shares candid insights from transitioning through three platform generations in three years, reflecting on how each migration exposed previously undetected attack patterns in Microsoft environments.

    His experience leading the rapid adoption of 700+ UEBA rules simultaneously (against recommended practice) offers valuable lessons for security leaders pushing the boundaries of detection capabilities. Kevin envisions a future where AI-assisted systems can propose new detection rules for zero-days within minutes, while grappling with immediate challenges — like the day Microsoft Edge suddenly claimed his company had authorized Copilot without CISO approval — highlighting the complex reality of managing AI tool permissions in enterprise environments.

    Topics discussed:

    - The strategic shift from total log collection to intelligent edge filtering, rethinking the "collect everything" approach while maintaining forensic capabilities through AI-powered agents at the edge.
    - Specific examples of Microsoft Copilot attempting wholesale access to contact lists and email histories, and tactical approaches to implementing granular controls.
    - Implementing UEBA at scale, including transitioning from basic logging to behavior analytics capable of detecting subtle "living off the land" attacks that manipulate normal business functions.
    - How reframing "security vulnerabilities" as "security defects" fundamentally changed developer engagement.
    - Technical insights into how attackers are using GenAI to transform sophisticated exploits across programming languages, and defensive approaches to match this velocity.
    - Managing bimodal security architecture and balancing edge-based detection with centralized analysis, including specific identity management challenges in the context of AI tool adoption.
    - A detailed framework for embedding security professionals within development teams while maintaining the balance between velocity and control.
    - Technical requirements for near real-time zero-day detection and the evolution toward AI-assisted rule generation.

  30. 11

    EP 10 — Idaho National Lab's Robert Roser on Securing America's Nuclear Research Infrastructure

    Drawing on his unique background in high-energy physics experimentation, Robert Roser, CISO & Director of Cyber Security at Idaho National Laboratory, offers valuable insights into the parallels between managing complex scientific detectors and securing critical national research infrastructure. He explores the evolving landscape of scientific computing security, from the open science environment of Fermilab to the classified research world of nuclear energy.

    Rob's practical experience implementing zero-trust architecture, managing international collaborations, and navigating federal compliance requirements provides a comprehensive view of modern cybersecurity challenges in sensitive research environments. His candid discussion of AI's impact on both security threats and solutions, particularly in the context of high-performance computing and shadow AI risks, also offers valuable perspective on the future of data protection in scientific research.

    Topics discussed:

    - The transition from particle physics to cybersecurity leadership, highlighting transferable skills in managing complex systems and critical operations.
    - The evolution of scientific computing security from open science environments to classified research protection at national laboratories.
    - Implementation of zero-trust architecture for managing diverse international collaborations while protecting sensitive nuclear research data.
    - The challenges of securing high-performance computing infrastructure while maintaining accessibility for legitimate research needs.
    - Balancing federal compliance requirements with risk-based security approaches in government-funded research environments.
    - The impact of AI on both security threats and defensive capabilities, including advanced phishing and automated security operations.
    - Management of shadow AI risks and unauthorized cloud service usage in sensitive research environments.
    - Future trends in data protection and infrastructure security, focusing on automation and advanced threat detection.
    - Strategies for securing remote access while supporting global scientific collaboration and research initiatives.
    - Career advice for aspiring cybersecurity professionals, emphasizing the importance of diverse experiences and continuous learning.

  31. 10

    EP 9 — County of Santa Clara's Chris Pahl on Building Trust in Public Sector Privacy

    On this episode of The Future of Data Security Show, Chris Pahl, CPO of the County Executive Office of the County of Santa Clara, draws on his diverse background in both the private and public sectors to tell Jean how organizations can transform privacy from a compliance burden into a strategic asset.

    Chris's "U R IT" framework emphasizes the crucial role of employees in data protection, and his practical approach to managing AI risks and surveillance technologies offers a blueprint for modern privacy leadership. He demonstrates how to build privacy programs from the ground up, foster cross-departmental collaboration, and navigate the evolving landscape of data governance in an AI-driven world, all while maintaining a human-centric approach that puts trust and transparency first.

    Topics discussed:
    Building trust in public sector privacy while balancing transparency with data protection requirements.
    Transforming privacy from a cost center into a strategic partner that enhances the organizational mission.
    Managing the emerging risks of generative AI while enabling innovation and efficiency for employees.
    Implementing effective employee surveillance through transparency and clear communication.
    The evolution of the Chief Privacy Officer role toward holistic data governance and technical expertise.
    Strategies for measuring privacy program success through integration and cultural adoption.
    The importance of proactive relationship building and avoiding the "department of no" mentality.
    Developing privacy programs incrementally while building cross-functional partnerships.

  32. 9

    EP 8 — Marsh McLennan’s Orrie Dinstein on Navigating Global Data Privacy Challenges

    In this episode of The Future of Data Security Show, Jean speaks with Orrie Dinstein, Global Chief Privacy Officer at Marsh McLennan. Orrie shares his extensive experience in data privacy, highlighting the shift from compliance-focused programs to a more integrated approach that encompasses information governance.

    Orrie also sheds light on the misconception of data ownership among executives, the complexities of navigating global privacy laws, and the critical need for collaboration between privacy and security teams, and offers strategies for how organizations can effectively manage data protection while fostering innovation.

    Topics discussed:
    The shift in data privacy from a compliance-focused approach to a more integrated information governance strategy that encompasses various data types and uses.
    The misconception among executives that they own the data, when in reality they are custodians responsible for managing it ethically and legally.
    Navigating diverse global privacy laws, which often have different definitions and requirements, making compliance a challenging endeavor for organizations.
    The importance of understanding high-level principles of data protection rather than getting lost in the specific legal nuances of various jurisdictions.
    The critical need for collaboration between Chief Privacy Officers and Chief Information Security Officers to effectively manage data risks and security measures.
    The role of privacy by design in ensuring compliance while allowing organizations to innovate and leverage data effectively for business growth.
    The challenges posed by artificial intelligence and data minimization principles, which can conflict with the need for larger datasets to improve AI models.
    The evolving responsibilities of privacy professionals, who must now focus on data governance and monetization in addition to traditional privacy concerns.
    Fostering a culture of transparency and awareness within organizations to encourage reporting of data breaches and privacy concerns.
    The necessity of continuous dialogue between privacy and technology teams to bridge communication gaps and enhance understanding of each other's objectives and challenges.

  33. 8

    EP 7 — Lumen Technologies’ Hugo Teufel on the Role of Employee Training in Data Privacy

    In this episode of The Future of Data Security Show, Jean speaks with Hugo Teufel, VP, Deputy General Counsel for Cyber, Privacy & Records, and Chief Privacy Officer at Lumen Technologies. Hugo shares his expertise on the evolving landscape of data privacy and security, including the significant impact of AI on data security, and emphasizes the need for organizations to understand their various AI use cases and implement robust governance frameworks.

    Hugo also highlights the importance of employee training in mitigating risks, noting that human error remains a critical vulnerability. Additionally, he explores the complexities of navigating global data privacy regulations and the necessity of aligning privacy strategies with organizational risk appetites. Tune in for valuable insights!

    Topics discussed:
    The evolution of data privacy and security in the context of an increasingly digital and interconnected global marketplace.
    The significance of understanding AI use cases within organizations to effectively manage data security risks and compliance.
    The role of employee training in preventing data breaches and enhancing overall cybersecurity awareness among staff members.
    The challenges of navigating international data privacy regulations and the importance of a principles-based framework for compliance.
    The impact of cultural differences on data privacy perceptions and practices across various regions and jurisdictions.
    The necessity of aligning privacy strategies with the risk appetite of leadership to maintain credibility and effectiveness.
    The importance of incorporating privacy by design in product development to address privacy implications early in the process.
    The potential risks associated with shadow AI and the need for organizations to maintain visibility over AI usage.
    The implications of the NIST AI Risk Management Framework for organizations looking to adopt AI technologies responsibly.
    The future of data security in an AI-driven era and the ongoing challenges posed by cybercriminals and threat actors.

  34. 7

    EP 6 — Trusteva’s Sylvia Klasovec Kingsmill on Embracing Privacy by Design in the Digital Age

    In this episode of The Future of Data Security Show, Jean speaks with Sylvia Klasovec Kingsmill, Senior Fellow at the Future of Privacy Forum and Founder of Trusteva. They explore the critical distinctions between data privacy and data security, emphasizing their complementary roles in protecting individual rights and safeguarding data.

    Sylvia also addresses the complexities AI introduces to privacy regulations, particularly around consent and data scraping. Additionally, she highlights the importance of adopting a "privacy by design" philosophy, urging organizations to proactively integrate privacy measures into their systems.

    Topics discussed:
    The distinction between data privacy and data security, highlighting how they are complementary yet fundamentally different disciplines in protecting individual rights and data integrity.
    The importance of consent in data privacy, particularly in the context of AI and machine learning, and the challenges posed by data scraping practices.
    The evolving regulatory landscape for data privacy, including the complexities faced by organizations trying to comply with various laws across different jurisdictions.
    The role of privacy by design as a proactive approach to integrating privacy measures into systems and processes from the outset.
    The significance of a risk-based approach to compliance, allowing organizations to prioritize their privacy efforts based on the most significant risks.
    The need for harmonization among global privacy regulations, especially as organizations expand their operations across different jurisdictions with varying laws.
    The impact of AI on traditional privacy principles, and the necessity for regulators to adopt flexible interpretations to support innovation while ensuring compliance.
    The importance of multidisciplinary collaboration among privacy professionals, cybersecurity experts, and legal teams to effectively address complex data challenges.
    The growing demand for privacy-enhancing technologies and how organizations can leverage them to ensure ethical and responsible data use.
    The future of data privacy as a dynamic field, emphasizing the need for professionals to continuously upskill and adapt to emerging technologies and regulations.

  35. 6

    EP 5 — The Government of Alberta’s Martin Dinel on Navigating Cloud Adoption in the Public Sector

    In this episode of The Future of Data Security Show, Jean speaks with Martin Dinel, Assistant Deputy Minister & CISO, Cybersecurity Division of the Government of Alberta. Drawing on his extensive experience in cybersecurity and the evolving landscape of data protection, Martin explores the significant impact of AI on enhancing data security measures and emphasizes a risk-based approach to adopting new technologies.

    Martin also delves into the challenges and strategies of cloud adoption in the public sector, highlighting how centralized data management can improve security. Additionally, he addresses the importance of collaboration among government entities to strengthen cybersecurity efforts across Alberta.

    Topics discussed:
    The evolution of the data security landscape in the public sector and how it has changed since the early days of cloud adoption.
    The role of AI in enhancing cybersecurity measures, including user behavior analysis and incident management for quicker response times.
    The importance of a risk-based approach to cybersecurity, balancing security needs with business objectives and organizational goals.
    Strategies for cloud adoption in the public sector, focusing on centralized data management and leveraging vendor expertise to improve security.
    The challenges of increasing attack surfaces when moving data to the cloud and how to mitigate the associated risks effectively.
    The significance of collaboration among government entities to strengthen cybersecurity efforts and share valuable insights and lessons learned.
    The potential risks associated with generative AI tools and the importance of implementing guidelines for safe usage within organizations.
    The impact of legacy systems on current cybersecurity strategies and the need to address vulnerabilities in older applications.
    The necessity for cybersecurity professionals to maintain close communication with senior management to ensure informed decision-making regarding security measures.
    The ongoing talent challenges in the public sector and how engaging projects can attract and retain skilled cybersecurity professionals.

  36. 5

    EP 4 — Fidelity National Financial’s Ward Balcerzak on Navigating Data Security in a Cloud-First World

    In this episode of The Future of Data Security Show, Jean speaks with Ward Balcerzak, AVP and Director of Data Security & Insider Risk at Fidelity National Financial, who shares his expertise on the evolving challenges of data security in today's cloud-first landscape. Ward discusses the critical importance of establishing a comprehensive data inventory and discovery process to effectively manage sensitive information.

    Ward also discusses the implications of generative AI for data protection, highlighting the need for robust governance strategies to mitigate risks. With a focus on collaboration across departments, this episode offers practical guidance for organizations looking to enhance their data security practices in an increasingly complex environment.

    Topics discussed:
    The shift from traditional data security to cloud-first strategies and the challenges that come with managing sensitive data in a decentralized environment.
    The unique data protection challenges faced by organizations in the financial services and real estate sectors, particularly regarding title services and sensitive information.
    The complexities of managing structured versus unstructured data and the importance of understanding data types for effective protection and compliance.
    The role of generative AI in transforming data security practices and the need for organizations to adapt their strategies accordingly.
    The significance of building a comprehensive data inventory and discovery process to identify and protect sensitive information across various platforms.
    The importance of collaboration between departments, such as IT, HR, and legal, to gain a holistic view of data security needs.
    Strategies for implementing effective governance processes around AI usage to ensure sensitive data is not inadvertently exposed or mishandled.
    The challenges of data loss prevention technologies and how they can be used to mitigate risks associated with new AI tools.
    The necessity of having well-defined policies and enforcement mechanisms to support data security efforts and prevent user pushback.

  37. 4

    EP 3 — Imperva’s Terry Ray on the Impact of Generative AI on Data Protection

    In this episode of The Future of Data Security podcast, Jean speaks with Terry Ray, SVP of Data Security GTM & Field CTO at Imperva, who shares his extensive experience in the field of data security. He discusses the evolving landscape of cybersecurity, particularly the challenges posed by generative AI and its implications for data protection.

    Terry emphasizes the importance of understanding data usage and implementing robust monitoring practices to mitigate risks. He also highlights the need for clear communication within organizations to enhance security efforts, and shares his insights on how to navigate the complexities of data security in today's digital environment and keep your organization protected.

    Topics discussed:
    How the data security landscape has transformed over the past two decades, particularly with the rise of cloud technologies.
    The implications of generative AI for data security and the need for organizations to understand its risks and benefits.
    The various ways individuals can access sensitive data and the importance of monitoring and controlling these access points effectively.
    The necessity for organizations to allocate appropriate budgets for data security measures, especially during audits and regulatory assessments.
    Common gaps in data access reporting, and how organizations can improve their reporting mechanisms to ensure compliance and security.
    The challenges of protecting unstructured data, which remains a significant risk area for many organizations today.
    The need for cybersecurity professionals to effectively communicate risks and metrics to executives and boards to secure necessary funding.
    Best practices for data protection, including understanding data types and implementing comprehensive security measures across all data assets.
    The importance of communication skills for technical professionals, highlighting how effective storytelling can enhance understanding and collaboration.

  38. 3

    EP 2 — University of Kentucky’s Michael Sheron on Navigating Data Management Challenges at Universities

    In this episode of The Future of Data Security podcast, Michael Sheron, Director of Privacy and GRC at the University of Kentucky, shares his journey into data privacy and the challenges faced in managing sensitive information within a large academic institution.

    He emphasizes the importance of establishing solid privacy policies and fostering a culture of cybersecurity awareness among staff. Michael also discusses the unique data management challenges posed by high student turnover and the need for collaboration across departments to ensure effective data stewardship.

    Topics discussed:
    The challenges of managing data due to the influx of over 6,000 new students each year and its implications for data security.
    The process of developing policies and practices to handle sensitive data effectively within a large university setting.
    The importance of working with various university departments to ensure everyone understands their role in data protection.
    The necessity of training staff and students to recognize and respond to potential data security threats.
    The complexities of managing unstructured data and the insider knowledge required to secure it effectively within the university.
    How to measure success in data security and privacy initiatives, including the importance of community engagement and inquiries.
    The need to stay updated on new regulations and laws affecting data privacy and how they impact university operations.
    The importance of ongoing education in the field of data privacy and the value of asking questions.

  39. 2

    EP 1 — HelpScout’s Pilar Garcia on People-Centric Data Privacy and Security

    In the very first episode of The Future of Data Security podcast, our host, Co-Founder and CEO of Qohash, Jean Le Bouthillier, speaks with Pilar Garcia, Director of Privacy and Security at Help Scout. Pilar shares her journey into data privacy and security, emphasizing the significance of a people-centric approach to building robust security teams.

    She discusses the delicate balance between innovation and risk, highlighting the importance of effective communication within organizations. Pilar also touches on the evolving challenges posed by AI in the security landscape, particularly with phishing.

    Topics discussed:
    Transitioning from a background in physics to a career in data privacy and security.
    The importance of empowering teams with the knowledge and tools needed to foster a proactive data privacy and security culture.
    How effective communication within a company is crucial for balancing innovation with the risks associated with data security.
    The future challenges posed by AI, particularly in the context of phishing and other security threats.
    How to build a strong data privacy and security team that can adapt to ever-changing tech landscapes.
    How proper security training is essential, moving beyond just checking a box to truly educating employees on best practices.
    The need to communicate technical risks in a way that business teams can easily understand.
    The pitfalls of implementing security measures that look good on paper but are not effective in practice.
    The value of mentorship, including her personal experiences with mentors who have guided her in the field.



HOSTED BY

Qohash
