CyberWire Daily - The impact of data privacy on cyber. [CISO Perspectives]
Episode Date: October 28, 2025
Privacy is one of the most universally valued rights. Yet, despite its importance, data breaches exposing millions of people's sensitive information have become routine. Many have come to assume that their personal data has already been, or inevitably will be, compromised. Despite this reality, prioritizing privacy is more important than ever. In this episode of CISO Perspectives, host Kim Jones sits down with Kristy Westphal, the Global Security Director of Spirent Communications, to explore data privacy's impacts on cybersecurity efforts. Together, Kristy and Kim discuss why privacy cannot be an afterthought but rather must be something actively addressed through proactive security efforts, shifting security culture mindsets, and staying ahead of rapidly changing technologies. This episode of N2K Pro's CISO Perspectives podcast is brought to you by our sponsor, Meter. Meter provides a full-stack, enterprise-grade networking solution—wired, wireless, and cellular—designed, deployed, and managed end-to-end. From hardware to software, ISP to security, Meter delivers seamless, secure, and scalable connectivity for modern business environments. Want more CISO Perspectives? Check out a companion blog post by our very own Ethan Cook, where he breaks down key insights, shares behind-the-scenes context, and highlights research that complements this episode.
Transcript
You're listening to the Cyberwire Network, powered by N2K.
This exclusive N2K Pro subscriber-only episode of CISO Perspectives has been unlocked for all Cyberwire listeners through the generous support of Meter, building full-stack zero-trust networks from the ground up.
Trusted by security and network leaders everywhere, Meter delivers fast, secure-by-design,
and scalable connectivity without the frustration, friction, complexity, and cost of managing an endless proliferation of vendors and tools.
Meter gives your enterprise a complete networking stack, secure wired, wireless, and cellular in one integrated solution built for performance, resilience, and scale.
Go to meter.com slash CISOP today to learn more and book your demo.
That's M-E-T-E-R dot com slash C-I-S-O-P.
Pop quiz today. Which of the following situations is a violation of privacy?
One, a national retailer utilizes purchases you make with them
to send you advertisements about products you might enjoy or need.
Two, a reputable search engine utilizes data about you from previous searches and other products
to better tailor its content to your needs.
Or three, a government entity utilizes data in the public domain to hone in on potential criminals.
If you answered anything but "it depends" on this quiz, you haven't been following the nuances of the
privacy debate.
Let's get a little deeper into each of these examples for just a moment.
In 2012, Target came under media scrutiny for utilizing data analytics to predict which
of its shoppers might be pregnant. The retailer then began sending coupons to those shoppers
for things like baby clothes, strollers, etc. The story made news when one Minnesota father
noticed that his teenage daughter was receiving these materials.
The irate father marched into a local Target, demanding to see a manager, and accused the
retailer of attempting to encourage his daughter to get pregnant, only to find out from his
daughter that she was indeed already pregnant. Target's analytics had identified her pregnancy
before her own father knew. In 2024, Amazon celebrated its 30th birthday. One of the features this
massive online retailer is known for is utilizing knowledge of your shopping habits to send you
advertisements about products and services which you might enjoy. Amazon continues pushing the envelope
around this concept and has taken a patent out on what it's describing as anticipatory shipping.
Utilizing the data it already has about you, the mega retailer intends to just start sending
you items which it believes you want before you purchase them, arguing that
the success rate of its algorithms is such that the number of returns would not exceed the benefits
reaped by this level of customer service.
About a decade ago, people started noticing that their search engines, in particular Google,
were displaying different sets of results for the same question.
Upon further exploration, people discovered, or rather realized,
that most search engines utilize data from your location and your browser history to better
customize answers for you.
Providing such customization makes it easier to retrieve more meaningful results for the consumer
and shorten search time.
It also makes it easier to tailor advertisements to the consumer that he or she might be
interested in.
The downside, of course, is that it may also be masking important, if contradictory, information
that is relevant to the individual search, thus reinforcing research bias.
Note, you can turn off customization, as Google refers to it, but it's difficult to find out how on their support site.
In June 2013, Edward Snowden exposed the NSA's domestic cellular collection program.
The general public was outraged that the government would utilize cellular metadata, such as location information, to spy on its citizens.
However, these same citizens exhibited no qualms about carrying a device that regularly broadcasts location
or the use of that locational data by other governmental entities and agencies.
The examples above are illustrative of the complexity around privacy.
Gone are the days when we could simply state that X data is private.
Indeed, we are moving more to an environment of situational privacy,
where the data itself isn't as much of an issue as how the data is used.
Consumers freely and openly volunteer exabytes of data daily for seemingly innocuous transactions.
Yet they are regularly shocked and angered as this data is combined with other seemingly innocuous
and freely given pieces of data to provide predictive intelligence to marketers, corporations,
and yes, the government entities.
Remembering that privacy itself is impossible without appropriate security controls,
the situational nature of data mining and appropriate data usage makes the protection equation daunting.
Do we wrap a cocoon of Pentagon-level protection around the data lake, even though 99% of the data within it is considered publicly available?
Do we inject ourselves into the data analytics process and become part of the arbitration question regarding should we use the data in a
certain fashion? Can we monitor and limit or restrict data combinations similar to the way in
which systems can monitor for separation of duties access control issues? Let's take it a step
further. Remembering that corporate data analytics seeks to, among other things, improve the
sales cycle and make marketing campaigns more efficient, imagine the implications if the bad guys
choose to take such an approach.
Consider, your systems are penetrated and your data is stolen, but none of the data is regulated
by current privacy law or regulation.
Six months later, the bad guys run data analytics against the acquired data and determine
the best targets for fraud or scam.
You protected the data and your borders reasonably and can show a tiered approach to your
controls, and those controls were appropriate for your environment, you even prevented
the breach from reaching the most sensitive data stores.
Yet data stolen from you was used to target your customers in the same manner
that your marketing and sales team targets prospects.
Imagine the liability issues that will circulate through the courts.
As your organizations recognize the value of the data they hold,
it is important that we as security professionals remind people of the larger risk in privacy
landscapes out there. We cannot rely solely on the legal and regulatory framework to guide us,
as the potential brand risks go beyond what the hodgepodge of privacy regulations currently addresses.
As we continue to enable our businesses, we must ensure that the aforementioned questions,
and dozens more, are acknowledged and addressed by our business leaders.
My two cents.
Welcome back to CISO Perspectives.
I'm Kim Jones, and I'm thrilled that you're here for this season's journey.
Throughout this season, we will be exploring some of the most pressing problems facing our
industry, and discussing with experts how we can better address them.
Today, we explore how data privacy is impacting cyber efforts.
Kristy Westphal is one of the finest security operators that I know.
Her knowledge of the technology combined with her understanding of the regulatory landscape,
make her a force to be reckoned with in the world of cyber.
I had a chance to sit down with Kristy to discuss one of her passion areas,
privacy, and its impact on security organizations.
Kristy, thank you for making the time and welcome.
Thank you.
It is a pleasure to be here.
Always like chatting with you.
Likewise, likewise.
A quick note that the opinions expressed by Kristy in this segment are personal
and should not be interpreted as representing the opinions of any organization
that Kristy has worked for, past or present.
So you and I have known each other for longer than either
of us cares to admit, but my audience might not.
So how about spending some time telling them who Kristy Westphal is?
So Kristy Westphal, a global security director at Spirent Communications right now.
I got into security, as many of us do these days, in a weird way.
I was actually a finance major out of college, then stumbled into IT, and then stumbled again
into security, and that was so long ago I don't count anymore. And then I've just been doing a
variety of roles. I've done pretty much everything from being an engineer to an analyst to
an IT admin and everything in between, written policies. And then finally at one point,
I said, you know what, we need good security leaders. And so I decided that was going to be my focus.
and I have been doing that ever since.
So it's always a privilege to lead a team,
and I try my best to be a good leader every day.
And you succeed, and I have personal experience with that as well.
And you've sat the big chair more than once, if I remember correctly?
I have.
I realized it's been about 20 years since I've been in the chair.
I was one of the early CSOs,
and so it's changed quite a bit since then.
But it's been a fun road.
Well, fun, you know, define your terms.
But I think we all say that.
We just keep coming back to play.
Yeah, that's true.
I am dedicated.
So those changes are part of the reason that I want to talk with you because somewhere
within your storied history, you went and got a master's, if I remember correctly, in legal studies.
I did.
It's funny.
So about 10 years ago, I decided I needed to go back and study some legal stuff.
So got a master's in legal studies at ASU, Arizona State.
And the reason I went into that was, honestly, I had been reading so many contracts as a part of my role in security.
I wanted to make sure that I wasn't missing anything.
So that was my goal.
I ended up hating contracts.
It was the worst class I took.
But then I got an opportunity to do an independent study.
And so I was like, all right, well, what am I going to study?
And I thought, you know, privacy and security intersect all the time in weird ways.
And one of the most interesting ways that they do intersect is through the use of encryption.
And boy, once I started peeling back the layers of that, that became a really interesting topic.
and that became my independent study paper.
As someone who actually read your dissertation, we're going to spend a lot.
You survived.
I'm really impressed.
No, no, no.
Not only did I survive, I volunteered and asked you for it.
I really want to spend a lot of time talking about that intersect between privacy and security.
And I want to go back and get to very basic brass tacks, walk it through some of the things
that you saw when you were writing the dissertation, some of the things you see now within the
environment, and then maybe deep dive into that privacy and encryption intersect that you
saw, that you wrote about some years ago. So I'm going to take it back to basics. And let's start
with the basic question. How would you define the term privacy? It's protecting data that you don't
want others to know. And I think that's the key, because that can be different for everyone,
right? So therein lies the challenge. That would be an understatement. Yeah. So if I look at it
from protecting data, as you said, that you don't want others to know, how has that evolved,
changed within, let's just talk about the decade or so since you actually first deep dove into
this topic. Talk to me. Well, so that's the really fascinating part. So up until my paper was
published in 2016, there was a lot of activity. We had the Wassenaar Agreement, which was in the
90s, and that essentially started the whole protection of exporting encryption. There was the Clinton
administration, wanting to centralize management of encryption keys.
So there was just...
Clipper chip.
Yes, the Clipper chip.
Absolutely.
There was just all kinds of crazy things going on at that time.
And so then I went and I looked back over the last decade.
I said, well, what's changed?
I haven't necessarily kept my thumb on it.
And when I did some research, I'm like, wow, not much has changed.
We were trying to pass a federal privacy law back then.
Still haven't done that.
We've actually kind of made it more difficult to protect privacy by enacting things like the CLOUD Act of 2018.
Talk to me about that for those who may not be as familiar with the CLOUD Act as you and I are.
Well, and I just recently educated myself on this as well.
So in 2018, the Clarifying Lawful Overseas Use of Data Act was passed.
And this made it easier when there were agreements between
different countries that we could basically request access to encrypted data stored abroad, right, at the base level.
So if we engaged in this type of agreement with other countries, which we have with Australia and the U.K., basically they can request us to compel any sort of data that resides in their country to be handed over to them.
And lots of problems with that, and we're already seeing it manifest, the U.K. has asked Apple to put a backdoor in their operating system.
Yep.
And, gee, that's not a problem. If you could see my face, you'd know how puzzled I am that this is going on.
It's still, that is still being acted out in the courts now.
Apple seems to maybe have a foot up, but we still don't know how that's going to work out.
The interesting thing is about that case is that we went into, I believe, a five-year agreement with Apple, and it was silently renewed in 2024.
And so it's still going to be around for a while, and they can still demand this access unless we take any action to amend the regulation.
So it's interesting. Australia hasn't really seemingly acted on this yet, but the UK is all about surveillance,
and so they're going to see what they can do.
Keep this at an enterprise level first before we go down to individuals.
And I love where you started talking about the encryption
and some of the legislation that exists around that.
You know, the average user believes that encryption is a panacea.
And many of our regulatory frameworks, at least here in the U.S.,
give you an alibi or a bye when encryption comes into play.
You know, you have all sorts of requirements that exist here, you know, if your data is lost or stolen or compromised, except, of course, if it's encrypted, then you're okay.
HIPAA comes to mind, if I remember correctly, my memory may not be, I will yield to you if I'm incorrect here.
And a lot of the state breach notification laws tend to impose heavier requirements and burdens on organizations.
Unless, of course, the data that was stolen is encrypted, then, of course, you know, let us know,
okay. But when you think about things like the CLOUD Act and some of the other things going
on, I guess my question is, are we all living under that false sense of security? Because in
reality, there are enough loopholes, and we haven't even begun to talk about quantum,
there are enough loopholes, et cetera, that exist when dealing with encryption. I would welcome
your opinion on this. So there's been a couple of cases where we've seen that, yes, the data was
encrypted, but the government went after it anyway. Probably the most clear one that came about,
this was in 2016, the San Bernardino terrorist. One of the... Yes, I use that one in class, please.
They were trying to get Apple at that time to turn over the data on one of the shooter's phones.
And Apple said, nope, not doing it. And what does the FBI do? They went off and found a tool to do it on their own.
So you can encrypt your data, but there are other ways around trying to find that key.
And I'll give a recent example, and this has nothing to do with legal cases.
In fact, in one of my classes, in the last couple of weeks, I gave my students a computer image to do forensics on.
And it's got a hidden partition in it that's encrypted.
And I said, what is this?
That was one of my basic questions, and can you see what's on it?
Well, one of my students literally didn't have the key,
but spent the time doing research on what he could find
on the rest of the drive that wasn't encrypted
and figured out the password and was able to deal it.
And nobody's done that before.
So not only was I impressed, but I was also terrified
at how good he is at this.
But anyway, so you can see there's,
you don't have to legally, there's fine lines, to be able to get that password.
So there was an A and extra credit.
There was an A and extra credit.
He probably passed.
So now let's think about this as a CISO.
You know, you're sitting in the chair now.
What does this situation mean for you?
and your peers sitting the chair as we think about data privacy,
as we think about customer expectation,
as we think about entangling regulation in different states
as well as different nations.
I believe your company is an international company,
so you've got multiple nations to deal with as well.
So what does this mean for the person who, congratulations,
you is now the CISO, your first time in the chair
and you realize that your previous boss wasn't an idiot
in terms of what's going on
because now all these problems are yours.
What are these problems as we talk about privacy?
Oh, my gosh.
You have no idea.
So number one...
That's why we're here.
Number one, become friends with your legal counsel,
whether they're internal or external,
because part of their job, sadly,
is to try and keep up with this stuff.
Number two, you yourself need to keep up with it, too, because you're going to probably be put in a situation at some point where you don't want to step on that landmine, right?
So there are ways to keep up with this that don't make you tear your hair out, which is good, but you have to kind of understand how to navigate that.
But the thing that I would do, if you're new to the chair and you're just getting used to this in your organization, I would start diving in your contracts because I have seen this come across where there's data privacy requirements that say you will cooperate in an investigation, but you will only cooperate with us.
You won't cooperate directly with law enforcement.
Wow.
Yeah.
That's a problem.
That's a problem.
It's really specific and bold, and it's pretty, it's pretty interesting.
So knowing those requirements and knowing, like, which customers exactly do require that instead of, you know, you don't want to turn something over in cooperating with law enforcement and then find out you just violated a customer agreement as well.
So it's very challenging.
And then we haven't even gotten to the state privacy laws that you have to try and navigate and understand, like, if you have a data breach, what are the reporting requirements?
How are you going to report those? Are they different? Yes, they are. Per state. And which ones require which ones?
You can set up your basic framework around the most restricted ones like CCPA, but you have to be able to respond appropriately
to each state when that happens.
Let me ask a couple of questions. You talked about contracts and you talked about cooperating
with legal, all of which are great things, obviously. So let's start with legal. Way back when,
when dinosaurs roamed the earth and I had taken my first chair, I sat down and said to my general
counsel, well, okay, I understand we have database administrators in the UK, and I know we have
UK data, so what are we doing about the EU Privacy Directive and Safe Harbor?
And my general counsel looked at me and says, what the hell are you talking about?
What is that?
So I'm curious, are you getting the sense of that, I mean, again, this was decades ago,
that lack of knowledge, has that gap been closed, and is there a level of focus and understanding
by our legal brethren regarding the importance of these issues?
I think that's really changed.
I would agree with you back then.
It was kind of a deer-in-the-headlights response.
But I know my current legal counsel is really,
she's an expert on this kind of topic.
And it's because the compliance aspect,
you have to, for example, GDPR,
you can't just ignore that being a global company.
Yeah.
China's PIPL, personal information protection law, that if you do business in China, you have to be compliant with that as well.
So you can't just pretend these things don't happen anymore.
And again, you need to be prepared for that data breach because trying to untangle that during the chaos of an incident or just shortly thereafter is not a good look.
Yeah, I feel you.
Yeah. So let's talk about, you know, you're a sizable international organization. What do we do about that small shop that all of a sudden finds out that it has customers, you know, or is servicing customers or gets one or two customers from the UK in a small business and is now subject to GDPR or is subject to, you know, I'm a small mom and pop. I operate in four
states in New England, but all of a sudden I have an online presence and I'm shipping
product to California. Now all of a sudden I'm subject to potentially CCPA. The possibility
of getting blindsided by regulatory compliance in this heavily connected world for companies who
don't have our resources or our experience is huge. So how do you prepare for that? How do you
understand that. How do you make yourself ready for that if you haven't been there, done that,
got the T-shirt, the coffee mug like you and me? That is a great question. And I think it's not only
a privacy issue, it's a security issue, honestly, because it's the same problem. Like, how do we
ensure that our small businesses that are vital to our economy are protected properly? And, you know,
not stepping on a landmine without knowing it.
My recommendation, if you're a small business,
you probably don't have a full-time legal counsel,
but you've got somebody, ask them and just start that conversation.
This might be an opportunity for a vCISO
or a fractional CISO to help advise,
like what are the best base things you can do
to make sure that you're protected on both fronts.
Fantastic.
So let's segue back into contracts.
I know this has only ever happened to me,
where, you know, the sales team all of a sudden
has an opportunity to land a whale of a customer
and agrees to anything that all of a sudden
skirts by the legal review.
And all of a sudden now you have requirements
for either security or privacy,
all of the, you can only
cooperate with us during an investigation.
Well, that's not going to go over pretty well when the bureau knocks on your door or you
have requirements from states to cooperate.
And all of a sudden, you're in that exact situation that you have described where in order
to do the job and do the job and meet the requirements, you're going to be in breach of
contract.
How do you avoid that?
That's question one.
But I'm going to give you the follow on.
You and I have both parachuted into environments to do cleanup on aisle five and have run into "we agreed to what?" How do you deal with that on the ground? Let's take those both, if you don't mind.
Oh boy. Um, we should have had a magic wand. The first one, um, law enforcement's knocking at your door. You can't just, you have to be, um, in concert with your legal counsel. Again, you need to make sure you understand the requirements
and that you understand the risk of complying or not complying, right?
And this is a good tabletop exercise for you and your legal counsel
because you need to make sure that everybody's on board.
Like, I review all the contracts before they're signed.
And so at least I'm aware of new requirements that come in for both security and data privacy.
and so I can have those conversations.
If I'm coming in and cleaning up later,
then I would say, you know, read contracts
and make sure you know what's in them.
Use AI if you have to,
and make sure that you understand those requirements
and present those risks back to the business.
Because if they are trying to claim ignorance right now,
that doesn't fly anymore.
You can't just say that.
"Oh, I didn't know that was in there." Um, you need to make sure, there's maybe a good reason, but it's still
no excuse. You're in trouble. Exactly, exactly. See, you need to, you just need to bring those to the
surface and come up with a plan of attack. Do you recommend standard security contract language?
I think it helps the security team, right? Because at least we know what we're requiring of our
third parties. Um, I wish everybody had the same standards, because they're all so
different. And even if we all are trying to adhere to the ISO standard, they've modified
it in some specific, weird way that they require for their company that you have
to make sure you adhere to if it applies. So I like standard contract clauses, but
they never stay standard.
So, you know, one of the things we, I used to do is I did draft standard, the standard security
contract clause for my company, and the argument was, if they won't sign our language as is, then
I have to review the contract, and if they want to modify our language, then I have to approve the
modification. And in a lot of cases that eliminated enough of the surprise factor that was out there,
and it encouraged the sales team to say, look, if you can arm-twist people to sign our existing language,
this will go a lot faster for you.
But if you really honestly and truly want, you know, to agree to what's going on,
then I have to actually read the contract and figure out what's going on.
And speaking of that, do you do all of the contract reads yourself?
Yes.
Okay.
Always?
Yes.
Okay.
So I have as well, I guess the question is, how do you scale that within a large organization?
Yeah.
You need to, I think, to your point, standard contract languages or standard contract clauses,
at least we know what we're committing to, and then get the red pen out, right, and just start,
you know, working through it.
These things take time.
It's funny.
Like, people think that these contract reviews will go through like that, and a vendor will have their sale by the end of, you know, end of the week.
Tomorrow.
This is the end of the month.
And it never works that way, right?
I've seen some contracts go years with back and forth.
And I'm not even joking.
And so I think it's important to get right.
And so, yes, you need help.
I mean, if I was in a larger organization, there's no way I could sustain that.
But you just have to have kind of the standards.
Here's what I'm looking for.
Here's what I won't commit to.
And then just compare that with whatever gets thrown at you.
That speaks to or seems like there's also some education that happens there on your part in terms of educating the sales force and maybe even educating your primary contacts on legal regarding here's what I won't agree to.
Here's why I won't agree to it so that, you know, are you doing that as well?
I do. When I see weird things, like I'm always trying to make sure we don't have to respond to security incidents within 24 hours because I think no one can actually
do that across the board.
So I always scratch it out and put 72 hours and try to throw that in there, for example.
And so my legal team that I work with, they're like, oh, yeah, I know you're not going to like this.
And so any communication up front with a team definitely helps because you know the lawyers do all the reading too
and read everything you read anyway just to make sure.
And so if they know what you don't like or won't agree to, it makes it so
much easier for the whole process.
What are two things we haven't talked about that you would want our audience to know,
understand, or hear from you?
When I parachute in and I'm trying to clean things up, I forgot.
My other big thing that we don't do enough of, once we know the landscape and all those
types of good things, threat model, right?
You brought it, you reminded me that I hadn't talked about that.
Yes, you can know where all the things are.
You can look at your gaps.
Start threat modeling.
What kind of, you know, you have to have that realization of who might be after you,
even if it's, you know, maybe not a direct attack.
What if it's just some, you know, opportunistic type of attack?
You need to keep those things in mind because if you don't think like that,
then your security program and your data security program are not going to best protect your organization.
Let me dive there for a little bit, but hold your thought.
I want to make sure we talk about the things that you want to talk about.
How do we break the mentality that seems to have arisen a decade behind us that says,
all I need to know is to figure out how the bad guy works and nobody gives a crap about anything else to get into cyber?
Because I've got a lot of folks who will spend a lot of time on this is how the bad guy works, thinks and breathes.
If you don't plug this hole, then you're an idiot, and the organization is stupid,
despite the fact that that hole is driving $10 billion worth of revenue through your environment.
And when you ask that same person, how do I do this without breaking it?
They say, I don't care.
And there's still a lot of that going on in, I'm going to put my old hat on,
in the generation that's behind us.
How do we break that model?
Because what I'm seeing is I'm seeing lots of threat modeling not applied to the business enterprise.
and not truly saying, how do I take this and this and come up with a practical solution that doesn't shut me down?
How do we do that, or am I just old and shaking my cane, telling people to get off my lawn, and it's really not like that?
Well, I think that's part of why we're still struggling to succeed as an industry.
And here's where I get philosophical.
We are still building a security culture of no,
and we're not, we're getting better, I will say that.
I'm seeing a lot more of embedding in the business, talking business risk, but we need to get
out of our own heads.
We can't just be like, oh, my security program, and I'm gesturing and making a very narrow gesture,
I'm just focusing on these things and we need to fix these vulnerabilities and we'd be perfect.
We cannot operate like that.
It doesn't work.
We've seen it again and again.
we've got to be part of the business, right?
And we've got to have a broader impact.
And so I think that threat model isn't just, oh, are my security tools going to work?
Well, maybe, but let's prioritize that with the impact it's going to have on the overall organization.
Here, here.
And I cut you off, so please, give us the rest of it.
So I think the other thing I do want to just throw in there, and it's a problem that
I want to solve. I just don't know how. It's, you know, people want to, okay, if I'm concerned about
privacy, I want to protect my privacy. How do we tell people how to do it? It is not easy. I mean,
you can tell them to stay off social media, but then if I have a Gmail account, Google can access
all my email, right?
So the challenge we have in the space is to keep awareness up and find ways to help if you truly want to protect your privacy,
support organizations and tools and services and industry professionals that help do this.
So I end with a problem, but I think it's a challenge for our industry to continue to work through solving.
Kristy, you and I have known each other again for longer than I've ever cared to admit,
but I will say this repeatedly.
You know, you are and remain one of the brightest, most effective cyber professionals that I know,
and I really appreciate you taking the time to spend some time with me to help educate our audience.
Thank you so much.
Thank you for having me. This was a blast.
And that's a wrap for today's episode.
Thanks so much for tuning in and for your support
as N2K Pro subscribers.
Your continued support
enables us to keep making shows like this one
and we couldn't do it without you.
If you enjoyed today's conversation
and are interested in learning more,
please visit the CISO Perspectives page
to read our accompanying blog post,
which provides you with additional resources
and analysis on today's topic.
There's a link in the show notes.
This episode was edited by Ethan Cook,
with content strategy provided by
Ma'ayan Plaut, produced by Liz Stokes, executive produced by Jennifer Eiben, and mixing,
sound design, and original music by Elliott Peltzman.
I'm Kim Jones. See you next episode.
