Future of Data Security

• EP 16 — KPMG’s Orson Lucas on Why One-Time Security Investments Tend to Fail

  The world of data security has fundamentally changed, yet many organizations still approach it as a one-time project rather than an ongoing journey. In this episode of The Future of Data Security, Orson Lucas, Principal at KPMG, draws on his 20+ years of experience to challenge the "one-and-done" approach that dooms many security initiatives. After witnessing the evolution from obscure privacy regulations to strategic business differentiators, Orson walks Jean through why even the most sophisticated organizations struggle with fundamental data governance and how the rise of AI assistants is creating unprecedented new risks.   Orson discusses why privacy is fundamentally a data governance problem, how to balance comprehensive security with practical investment limits, and why the most effective security strategies build on existing technology ecosystems rather than creating parallel systems. He also shares candid insights about how AI assistants like Microsoft Copilot are changing the risk equation by inheriting user permissions to access sensitive data that humans would never realistically browse through.   Topics discussed:   The critical shift from viewing data security as a one-time project to an ongoing journey requiring continuous investment, as threat landscapes constantly evolve even when controls remain static. Why fundamental data discovery (what you have, where it is, how it flows) remains the most challenging yet essential foundation for effective security, with organizations often attempting to "boil the ocean" rather than taking a risk-based approach. The evolution of enterprise security governance structures, with privacy teams increasingly functioning as second-line policy setters while security teams handle operational implementation. How "hanging access" creates major security vulnerabilities when departed employees leave behind orphaned permissions with no clear ownership, especially in unstructured data environments. The emerging risk paradigm where AI assistants inherit user permissions but access far more data than humans realistically would, turning theoretical access risks into actual exposure. Practical strategies for managing shadow AI by creating internal, managed alternatives that provide similar functionality with proper security guardrails rather than simply blocking innovation. Why effective security strategies often build upon existing technology investments rather than creating parallel systems, using tools like DLP for broader data discovery purposes. The limitations of viewing data residency as merely a compliance checkbox, with more sophisticated organizations focusing on broader supply chain integrity and provenance issues. How balanced security partnerships require understanding stakeholder priorities across legal, privacy, security, data governance and marketing teams to achieve organizational alignment. Approaches for managing third-party risk as vendors increasingly integrate AI features without proper opt-in controls or transparency about data usage for model training.

  --------  

  37:04
• EP 15 — Morgan Stanley's Faith Rotimi-Ajayi on AI as Security's "Double Agent"

  The security landscape has radically shifted from "if you get breached" to "when you get breached" — and Morgan Stanley's approach to data protection reflects this fundamental change in mindset. In this episode of The Future of Data Security, Faith Rotimi-Ajayi, AVP of Operational Risk, discusses how sophisticated attackers are now researching and targeting specific financial institutions rather than relying on opportunistic attacks.    Faith tells Jean why social engineering attacks have evolved to target entire family units, including compromising newborns' Social Security numbers for future fraud, and why third-party risk management demands rigorous new approaches as vendors increasingly implement AI without adequate security governance. She also shares her experience implementing dedicated AI governance committees, using risk-based authentication that adjusts friction based on user behavior analysis, and how the pandemic accelerated zero trust implementation by eliminating location-based security models.   Topics discussed:   The challenges of maintaining operational resilience against increasingly sophisticated targeted attacks rather than merely opportunistic ones in the financial sector. The evolution of third-party risk management as attackers now strategically target trusted vendors to gain backdoor access to financial environments. How AI functions as a "double agent" in security, enhancing defensive capabilities while simultaneously enabling sophisticated deep fakes and voice cloning attacks. The emergence of shadow AI and strategies to mitigate risks through dedicated AI governance committees and internal alternative applications. Why regulatory compliance is an innovation driver rather than an obstacle, using frameworks like GDPR, GLBA, and DORA as baselines for robust security programs. Implementing security-by-design principles and risk-based authentication that adjusts friction based on context rather than applying uniform controls. Using user behavior analysis (UBA) and indications of compromise (IOCs) to create security measures that don't interrupt legitimate user activities. How the pandemic accelerated zero trust implementation by eliminating location-based security models and forcing more sophisticated endpoint security approaches. The importance of creating business-aligned data security frameworks that prioritize based on risk exposure rather than applying uniform protection. Why Faith emphasizes continuous monitoring and testing alongside preventative controls to maintain 24/7 visibility across distributed environments.

  --------  

  27:40
• EP 14 — ruby’s George Al-Koura on Why Your Third-Party Security Audits Aren't Enough

  "If you aren't investing in penetration testing, if you aren't investing in having external auditing and third party reporting like gray and black box type testing, you're leaving your program extremely exploitable because you're just admiring the beauty of your own ideas." This blunt assessment from George Al-Koura, CISO at ruby, encapsulates his refreshingly practical approach to data security.    In this episode of The Future of Data Security, George challenges conventional wisdom by predicting a major shift back to controlled data centers as organizations struggle with securing AI implementations in the cloud. He reflects on why no one has successfully created secure LLMs that can safely communicate with the open web, exposes the growing threat of "force-enabled" AI tools being integrated without proper consent, and explains why technical skills are actually the easiest part of building an effective security team. With threat actors now operating with enterprise-level organization and sophistication," George also shares battle-tested strategies for communicating risk effectively to boards and establishing security programs that can withstand sophisticated attacks.   Topics discussed:   How skills from signals intelligence directly transfer to cybersecurity leadership, particularly the ability to provide concise risk-based analysis and make decisive decisions under pressure. The challenge of getting organizations to invest in data security beyond compliance standards, while facing increasingly sophisticated threat actors who operate with enterprise-level organization. The importance of establishing clear leadership accountability with properly designated roles (RACI), investing in appropriate technology, and implementing rigorous third-party auditing beyond certification standards. The gradual shift in board attitudes toward cybersecurity as a top-level concern, and how security leaders can effectively articulate business risk to secure necessary resources. How privacy requirements are increasingly driving security investments, creating a data-centric risk management framework that requires security leaders to articulate both concerns. The struggle to securely deploy LLMs that can communicate with the open web while protecting sensitive data, paired with the trend of returning to controlled data center environments. How major platforms are integrating AI capabilities with minimal user consent, creating shadow AI risks and forcing security teams to develop agile assessment processes. Looking beyond technical skills to prioritize integrity, work ethic, problem-solving ability, and social integration when forming security teams that can handle high-pressure situations.

  --------  

  44:55
• EP 13 — Early Warning's Daniel Maynard on AI Governance and Data Risk Management

  In this insightful episode of The Future of Data Security, Jean Le Bouthillier speaks with Daniel Maynard, VP of Privacy and Data Risk Management & CPO at Early Warning, shares his journey from law to privacy and offers a practical framework for assessing AI implementation risks — distinguishing between controllable technical risks and more complex model provenance concerns.    Daniel tells Jean about the critical challenges facing financial institutions, including data quality issues, AI ethics considerations, and the paradox of balancing fraud prevention with privacy protection. Daniel provides actionable governance strategies for managing shadow AI, addresses emerging threats from AI-powered fraud, and offers valuable insights on the evolving regulatory landscape. His balanced approach emphasizes documented risk assessment processes while acknowledging varying organizational risk tolerances.   Topics discussed:   The importance of data quality as a foundation for all other security and privacy initiatives in financial services. Emerging challenges with AI ethics and trust, particularly regarding data provenance and transparency in model development. Practical governance frameworks for implementing AI tools while documenting risk-based decision processes with executive buy-in. Model provenance risks and IP concerns when using AI tools to create potentially valuable intellectual property. Shadow AI challenges and strategies for managing employee use of AI tools while maintaining appropriate security controls. File access risks with AI assistants that can search through user-accessible content more thoroughly than humans typically would. The paradoxical relationship between stronger fraud protections and potential negative privacy impacts from increased data collection. Predictions about federal AI regulation in the United States versus the more restrictive approach seen in Europe. Career advice for privacy professionals, including gaining cross-functional experience and maintaining a positive, problem-solving mindset.

  --------  

  25:36
• EP 12 — Cyderes’ Patrick Carter on Data Tagging As the Missing Link in GenAI Security Strategy

  Within just four hours of implementing controls at one healthcare organization, Patrick Carter, Sr. Practice Director at Cyderes, and his team caught an employee secretly selling sensitive patient data. Patrick doesn't just tell Jean his war stories, however — he provides a practical framework for quantifying security risks using the FAIR model and sounds the alarm on shadow AI becoming the single biggest threat to data security. From discovering that 10% of AI-generated code contains vulnerabilities to developing detection tools for unauthorized AI usage, Patrick offers a masterclass in navigating both the dangers and opportunities of AI for security leaders.   Topics discussed:   Building a specialized data protection practice from the ground up, with insights into how Patrick scaled his team to 40 consultants while maintaining excellence in service delivery. The dual challenge organizations face with data security: understanding complex compliance requirements and gaining visibility into what sensitive data exists in their environments, where it's stored, and how it moves. Shadow AI emerging as the most significant threat to data security in 2025, with statistics showing 60% of employees using free AI platforms and approximately 10% of prompts containing sensitive data. Using the FAIR risk model to translate complex security concepts into quantifiable financial impacts that help CISOs make data-driven investment decisions. A real-world case study where implementing data tagging and DLP controls uncovered an internal data theft operation at a healthcare organization within just four hours of deployment. The strategic integration of AI into service delivery, including developing an AI agent that functions as a Level 1 data analyst for managed DLP services. The critical importance of follow-through in professional growth, and how it’s the single most important trait for success in the cybersecurity field.

  --------  

  22:49

More Technology podcasts

Trending Technology podcasts

About Future of Data Security