¶ Intro / Opening
All righty, then. Ladies and gentlemen, welcome back to another episode of Privacy Please. Cameron Ivey, here with Gabe Gumbs, we are back. We are so sorry. It's been a few weeks. Things have been crazy, Gabe. How you doing, man? I know you're back from traveling as well.
I am well. It's been a couple of busy weeks for security, privacy, resiliency. We got a lot to cover and not a lot of time to cover it.
No, there never is enough time, there's never enough time, and I'm good. I'm good, yeah, traveling, um, finally back at home, and had IAPP last week. I was about to say last year. I had it last year also. Yeah, IAPP last week was awesome. We'll dig into that in a few minutes. I know that you were at an event last week as well.
I was out at VeeamON, the Veeam user conference, Veeam being the backup and resiliency company, the leader of backup and resilience software and one of Myoda's technology alliance partners. An awesome, awesome event.
We had some customers there, got a great chance to meet with some more of the Veeam folks, really just, you know, get further into the Veeam community. Really excited to continue to serve them.
Love that, so does that make you guys Veeamers?
Ooh
¶ Welcome Back After a Break
it does now, now that you said it. Yes, yes, yes, it does. Okay, so was.
IAPP. It was good, but wait, wait, wait, wait, wait. Before we dive into that, yeah, because you know we have security folks on here too.
Anything you want to leave anybody with that isn't too familiar with these events, or anything cool that. So resiliency, in particular, has become an absolute necessity in security, right? So this week RSA is going on, right, big deal, huge deal. And you had the biggest, arguably the privacy version of RSA, right, so IAPP, so that was happening.
This week also, the Verizon Data Breach Investigator Report dropped as well. It's been a busy week in the security and privacy space. But, yeah, on the resilience side, well, hell, even at RSA this week you're seeing a growing number of resilience providers. Right, so the Veeams of the world showing up at RSA, because
¶ Security and Resilience Developments
resiliency is a security problem, which shouldn't come as a surprise to anyone who's listened to this show for a while. We talk a lot about confidentiality, integrity and availability. Those are the three things that encompass security and they are the backbone of resiliency. Love that.
Yeah, so okay, IAPP, we got a lot of privacy listeners as well. I don't know if any of you listeners were able to make it. If not, we can kind of give you a little recap. There was a lot that went on, a lot of good stuff.
I don't know where we should start, but let me just, I'll start by saying this: the major theme of this year's conference was the development of AI governance and their frameworks. That was a huge thing. Companies are navigating, of course, the complexities of AI risks and compliance. What's one of the quotes?
I don't know who said this, but "building the plane as they're flying." It was one of the main quotes that I took from that. So the focus was on understanding regulatory requirements, addressing business needs and delivering concrete outcomes, like expanded data protection impact assessments, so DPIAs.
You know what's interesting about that? What's?
that.
As a juxtaposition to that Verizon Data Breach Investigative report. They subtly debunk a bunch of overblown fears around AI and security, around AI and security, because attackers are still very much experimenting with AI. But they highlight that the real risks are a bit more mundane.
It's data leakage, it's poorly controlled access, it's governance gaps, it's the privacy concerns that AI is really driving, not so much the security concerns, yet. That's a good point.
Yeah, is that something that would be obvious? I mean, like, does that seem like it's not very shocking to you?
I think for me it's not super shocking because, as someone who is both an ethical hacker and
¶ IAPP Conference and AI Governance
a user of a lot of AI tools, including, like, AI coding tools, there's a lot that it is very capable of doing. That definitely makes an attacker's job easier for a traditional attacker to be successful. That, if we're being honest, attackers are. They're creatures of habit.
They are like water and they will find, they will find their level and whatever crevice they can get through, and they also prefer to use the least amount of effort to get success.
So retooling or, you know, completely modernizing their own tool stack to include AI isn't really worth the return on effort yet, considering they're still making bank on conventional methods.
So attackers are doing a lot of experimenting, but there's a lot of people out there just banging the drums going, AI is going to make security. Like, AI is turning people into super hackers, and I'm like, I don't know about that. And so the report does suggest the exact same, but points out that the real problems are very much around leakage and governance.
That's the real problem.
Yeah, yeah, that makes sense. Now I wonder if that kind of falls in line with this next point that I'm going to make. So another big thing from the conference, from IAPP, was around technology, right, and you can just hear this in rumblings from groups, from people you're just talking to on the floor.
Of course, anyone listening knows that I work for a company called Transcend, but, honestly, the growing frustration with outdated privacy management tools is still, like, that is one of the biggest things that was being heard on the floor from others, from just rumors going around.
It's something that's been talked about even in the past few years, but that's one of the big, like, demands that people are looking for: a better, innovative product that can grow with them, and privacy leaders are looking for scalable solutions that can integrate with their broader data governance, that offers, like, automation and reduces manual work.
I feel like that we've heard this years and years and years, as like this isn't anything new, but it seems like leadership is really trying to move themselves from those outdated tools, tools, and this is a very touchy subject too, Gabe, because I know being in a leadership role.
It's one of those things where it's like, it's hard for someone to say that I need to move on from a tool that you have, not only because it almost says, well, I failed at picking this tool, I need to put in another tool and you need to give me money for it. It's hard to do that on the privacy side because
¶ Technology Frustrations in Privacy Management
the funding is lower and usually you're coming off of either security funding or you definitely have lower funding than the security team, depending on how your company is structured. So I mean that's a big challenge too.
Isn't it weird, though, that we just said that confidentiality, integrity and availability are the pillars of security, the C being the first thing, confidentiality, and yet somehow security doesn't have a privacy budget of their own, so the only tool in their bag is essentially encryption for confidentiality, then, and, I guess, maybe, by extension, identity, and so
everything starts looking like a nail. It just doesn't add up that the security budget doesn't include privacy dollars. How else does one keep things confidential? That's a good question.
I mean that's the other challenge. There's so many, you hear complaints about smaller companies and smaller privacy teams that don't have the backing or support like some of the major companies that care about privacy. But it's a little bit different in terms of being able to afford those types of tools that can be innovative at the same time.
I don't know, that's a challenge, but it's nice to know that people are looking for a better, innovative tool rather than just sticking with something that's known, kind of like OneTrust. I'm just going to name bomb. Like OneTrust.
Everybody knows who OneTrust is, but they've been around a long time and there are better innovative tools out there that can kind of fit your needs a little bit better, that are more customizable, more integratable, things that you don't necessarily need to have engineering experience to operate this tool to be efficient in your privacy, um, in your privacy game.
So you're spot on.
I've said it before about security posture, but you can't, as we've talked about literally since the first episode of this show over five years ago, you can't separate privacy and security, right? Like, you can't have privacy without security and, arguably, you can't have security without privacy, considering that confidentiality is a core part of security, and security and
privacy posture isn't about logos, it's about architecture. It's not about the fact that you bought the most known logo, and I've heard it before, literally quote, "we use the best in class tools." Awesome, but attackers don't care about your brand stack and humans making mistakes don't care about your brand stack, they care about the gaps in between. That architecture.
And the gap between perception and reality is not just academic, it's operational, it's strategic.
That's a good point, man, we could see. This is why I wish we had some more time.
Well, we do. I think we're going to have to spend the next couple of episodes, like, really diving into this because it feels. It feels like the narrative needs a bit more informing out there.
Well, yeah, because the other, the other problem is that privacy people are always just kind of seen as compliance gatekeepers, and that's not what they are, that's not what they want to be, and I think that's another shift that's happening and, you know, I think it's just, it's just going to take time because it is getting bigger and better and it's just going
to take time to be taken more seriously, and I think it's, it's on the right path. Now I will say one, one downside from the IAPP that everybody was like, uh, kind of disappointed about was Sam Altman from OpenAI. He was like the big piece to talk, um, and he ended up showing virtually at the big talk at the end. So everybody was like, what?
I felt kind of bad for people that waited around for him. Cheated, yeah. Yeah, it almost like. Do you think that it was recorded? Like, was that actually him live?
How am I supposed to hit him in the face with a pie?
if he's only virtual.
It's a lot of questions, Aya.
A lot of questions. I mean, I get it, everybody's busy. I'm sure he's busy, but it's just interesting that he was the. He was the big keynote speaker, um, and he showed up virtually.
So I know I'm being honest with you, if I'm the head of OpenAI, I don't really want to get in front of a bunch of privacy people and answer questions. Holy shit, that's fair.
That's
¶ Security Without Privacy Budget
fair, I'd be afraid, yeah. And, and just, I'll close this out with saying, like, it was so awesome to see so many cool people and some really nice people that I ran into that listened to our podcast, Gabe.
It's just really neat to run into people in person and it's cool to hear that what we're doing is still something that's important to others, that they tune in and they actually say, you know, they have good feedback, and so we appreciate it.
Maybe we hit them with a bonus episode this week. We may want to hit them with a bonus episode this week to catch them up on, because there's been a lot happening this week, so let's do that. Yeah, let's do that, OK.
Well, we'll end it here on this one and we'll get that little bonus one out as well. But thank you, guys, and we'll see you in the next one.
