
Privacy Please
Tune into "Privacy Please," where hosts Cam and Gabe engage with privacy and security professionals around the planet. They bring expert insights to the table and break down complicated tech stuff everyone can understand.
S6, E240 - From IAPP Insights to Security Challenges: What Really Matters
Cameron and Gabe return after a brief hiatus to explore major developments in security, privacy, and resilience. They dive into insights from the IAPP conference and VeeamOn, examining how AI governance and outdated privacy tools are reshaping the industry landscape.
• AI governance frameworks dominated IAPP discussions with companies "building the plane as they're flying"
• Verizon's Data Breach Report debunks overblown AI security fears, showing real risks are data leakage and poor access controls
• Growing frustration with outdated privacy management tools is driving demand for better solutions
• Security posture isn't about using recognized brands but about architecture without dangerous gaps
• Sam Altman's virtual appearance at IAPP disappointed attendees expecting an in-person keynote
Stay tuned for our bonus episode covering even more developments from this busy week in privacy and security!
Speaker 1:All righty, then. Ladies and gentlemen, welcome back to another episode of Privacy Please. Cameron Ivey here with Gabe Gumbs. We are back. We are so sorry. It's been a few weeks. Things have been crazy, Gabe. How you doing, man? I know you're back from traveling as well.
Speaker 2:I am well. It's been a couple of busy weeks for security, privacy, resiliency. We got a lot to cover and not a lot of time to cover it.
Speaker 1:No, there never is enough time, there's never enough time, and I'm good. I'm good, yeah, traveling, um, finally back at home, and had IAPP last week. I was about to say last year. I had it last year also. Yeah, IAPP last week was awesome. We'll dig into that in a few minutes. I know that you were at an event last week as well.
Speaker 2:I was out at VeeamOn, the Veeam user conference, Veeam being the backup and resiliency company, the leader of backup and resilience software and one of Myota's technology alliance partners. An awesome, awesome event. We had some customers there, got a great chance to meet with some more of the Veeam folks, really just, you know, get further into the Veeam community. Really excited to continue to serve them.
Speaker 1:Love that, so does that make you guys Veeamers?
Speaker 2:Ooh it does now, now that you said it yes, yes, yes, it does. Okay, so was.
Speaker 1:IAPP. It was good, but wait, wait, wait, wait, wait. Before we dive into that, yeah, because you know we have security folks on here too.
Speaker 2:Anything you want to leave anybody with that isn't too familiar with these events or anything cool that. So resiliency, in particular, has become an absolute necessity in security, right? So this week RSA is going on right, big deal, huge deal. And you had the biggest arguably the privacy version of RSA, right so IAPP, so that was happening. This week also, the Verizon Data Breach Investigator Report dropped as well. It's been a busy week in the security and privacy space. But, yeah, on the resilience side, well, hell, even at RSA this week you're seeing a growing number of resilience providers. Right so, the Veeams of the world showing up at RSA, because resiliency is a security problem, which shouldn't come to a surprise to anyone who's listened to this show for a while. We talk a lot about confidentiality, integrity and availability. Those are the three things that encompass security and they are the backbone of resiliency. Love that.
Speaker 1:Yeah, so okay, IAPP. We got a lot of privacy listeners as well. I don't know if any of you listeners were able to make it. If not, we can kind of give you a little recap. There was a lot that went on, a lot of good stuff. I don't know where we should start, but let me just, I'll start by saying this: the major theme of this year's conference was the development of AI governance and their frameworks. That was a huge thing. Companies are navigating, of course, the complexities of AI risks and compliance. What's one of the quotes? I don't know who said this, but "building the plane as they're flying." It was one of the main quotes that I took from that. So the focus was on understanding regulatory requirements, addressing business needs and delivering concrete outcomes, like expanded data protection impact assessments, so DPIAs.
Speaker 2:You know what's interesting about that?
Speaker 1:What's that?
Speaker 2:As a juxtaposition to that, Verizon Data Breach Investigative report. They subtly debunk a bunch of overblown fears around AI and security, around AI and security, because attackers are still very much experimenting with AI. But they highlight that the real risks are a bit more mundane. It's data leakage, it's poorly controlled access, it's governance gaps, it's the privacy concerns that AI is really driving, not so much the security concerns, yet. That's a good point.
Speaker 1:Yeah, is that something that would be obvious? I mean, like, does that seem like it's not very shocking to you?
Speaker 2:I think for me it's not super shocking because, as someone who is both an ethical hacker and a user of a lot of AI tools, including, like AI coding tools, there's a lot that it is very capable of doing. That definitely makes an attacker's job easier for a traditional attacker to be successful. That, if we're being honest, attackers are. They're creatures of habit. They are like water and they will find they will find their level and whatever crevice they can get through, and they also prefer to use the least amount of effort to get success.
Speaker 2:So retooling or, you know, completely modernizing their own tool stack to include AI isn't really worth the return on effort yet, considering they're still making bank on conventional methods. So attackers are doing a lot of experimenting, but there's a lot of people out there just banging the drums going AI is going to make security Like AI is turning people into super hackers and I'm like I don't know about that. And so the report does suggest the exact same, but points out that the real problems are very much around leakage and governance. That's the real problem.
Speaker 1:Yeah, yeah, that makes sense. Now I wonder if that kind of falls in line with this next point that I'm going to make. So another big thing from the conference, from IAPP, was around technology, right, and you can just hear this in rumblings from groups, from people you're just talking to on the floor. Of course, anyone listening knows that I work for a company called Transcend, but, honestly, the growing frustration with outdated privacy management tools is still, like, that is one of the biggest things that was being heard on the floor from others, from just rumors going around. It's something that's been talked about even in the past few years, but that's one of the big, like, demands, that people are looking for a better, innovative product that can grow with them, and privacy leaders are looking for scalable solutions that can integrate with their broader data governance, that offers, like, automation and reduces manual work.
Speaker 1:I feel like that we've heard this years and years and years, as like this isn't anything new, but it seems like leadership is really trying to move themselves from those outdated tools. And this is a very touchy subject too, Gabe, because I know being in a leadership role, it's one of those things where it's like it's hard for someone to say that I need to move on from a tool that you have, not only because it almost says, well, I failed at picking this tool, I need to put in another tool and you need to give me money for it. It's hard to do that on the privacy side because the funding is lower and usually you're coming off of either security funding or you definitely have lower funding than the security team, depending on how your company is structured. So I mean that's a big challenge too.
Speaker 2:Isn't it weird, though, that we just said that confidentiality, integrity and availability are the pillars of security, the C being the first thing confidentiality and yet somehow security doesn't have a privacy budget of their own, so the only tool in their bag is essentially encryption for confidentiality, then, and, I guess, maybe, by extension, identity, and so everything starts looking like a nail. It just doesn't add up that the security budget doesn't include privacy dollars. How else does one keep things confidential? That's a good question.
Speaker 1:I mean that's the other challenge. There's so many, you hear complaints about smaller companies and smaller privacy teams that don't have the backing or support like some of the major companies that care about privacy. But it's a little bit different in terms of being able to afford those types of tools that can be innovative at the same time. I don't know, that's a challenge, but it's nice to know that people are looking for a better, innovative tool rather than just sticking with something that's known, kind of like OneTrust. I'm just going to name bomb, like OneTrust. Everybody knows who OneTrust is, but they've been around a long time and there are better innovative tools out there that can kind of fit your needs a little bit better, that are more customizable, more integratable, things that you don't necessarily need to have engineering experience to operate this tool to be efficient in your privacy, um, in your privacy game. So you're spot on.
Speaker 2:I've said it before about security posture, but you can't, as we've talked about literally since the first episode of this show over five years ago, you can't separate privacy and security, right? Like, you can't have privacy without security and, arguably, you can't have security without privacy, considering that confidentiality is a core part of security. And security and privacy posture isn't about logos, it's about architecture. It's not about the fact that you bought the most known logo, and I've heard it before, literally, quote, "we use the best-in-class tools." Awesome, but attackers don't care about your brand stack and humans making mistakes don't care about your brand stack, they care about the gaps in between. That architecture. And the gap between perception and reality is not just academic, it's operational, it's strategic.
Speaker 1:That's a good point, man, we could see. This is why I wish we had some more time.
Speaker 2:Well, we do. I think we're going to have to spend the next couple of episodes like really diving into this because it feels. It feels like the narrative needs a bit more informing out there.
Speaker 1:Well, yeah, because the other, the other problem is that privacy people are always just kind of seen as compliance gatekeepers, and that's not what they are, that's not what they want to be, and I think that's another shift that's happening and, you know, I think it's just, it's just going to take time because it is getting bigger and better and it's just going to take time to be taken more seriously, and I think it's, it's on the right path. Now I will say one, one downside from the IAPP that everybody was like, uh, kind of disappointed about was Sam Altman from OpenAI. He was like the big piece to talk, um, and he ended up showing virtually at the big talk at the end. So everybody was like, what? I felt kind of bad for people that waited around for him. Cheated, yeah.
Speaker 1:Yeah, it almost like. Do you think that it was recorded? Like, was that actually him live.
Speaker 2:How am I supposed to hit him in the face with a pie?
Speaker 1:if he's only virtual.
Speaker 2:It's a lot of questions, Aya.
Speaker 1:A lot of questions. I mean, I get it, everybody's busy. I'm sure he's busy, but it's just interesting that he was the, he was the big keynote speaker, um, and he showed up virtually.
Speaker 2:So I know, I'm being honest with you, if I'm the head of OpenAI, I don't really want to get in front of a bunch of privacy people and answer questions. Holy shit, that's fair.
Speaker 1:That's fair, I'd be afraid yeah, and and just I'll close this out with saying like it was so awesome to see so many cool people and some really nice people that I ran into that listened to our podcast, Gabe. It's just really neat to run into people in person and it's cool to hear that what we're doing is still something that's important to others, that they tune in and they actually say you know they have good feedback and so we appreciate it.
Speaker 2:Maybe we hit them with a bonus episode this week. We may want to hit them with a bonus episode this week to catch him up on, because there's been a lot happening this week, so let's do that, yeah let's do that, ok.
Speaker 1:Well, we'll end it here on this one and we'll get that little bonus one out as well. But thank you, guys, and we'll see you in the next one.