Future of Data Security

Qohash
35 episodes

  • Future of Data Security

    EP 31 — Arbor Memorial's Teij Janki on why adding AI before fixing process amplifies weaknesses

    2026/03/10 | 23 mins.
    Teij Janki, CISO & Director of IT Governance Risk & Compliance at Arbor Memorial, has spent 30 years moving through the full stack of security, and his view is that the sequencing most teams follow is backwards. His principle is that technology does not solve processes, it amplifies them. That means deploying a tool before fixing the underlying process weakness just scales the problem. The implication for AI adoption is direct and worth hearing spelled out.
    On the budget side, Teij makes a case that privacy legislation is a more reliable governance lever than cybersecurity risk alone because privacy laws carry consequences that executive teams will actually act on. He also walks through the gating sequence his team built for AI tool adoption: sensitive data gets slowed down and scrutinized, lower-sensitivity use cases move through faster, and staff have a service catalog to work from rather than a blanket ban.
    Topics discussed:
    Applying a people-process-technology sequence to security programs before introducing AI or automation tooling

    Using privacy legislation as an executive governance lever when cybersecurity risk alone fails to drive budget decisions

    Building a gating sequence for AI tool adoption that separates sensitive from low-sensitivity data use cases

    Replacing blanket AI bans with a structured service catalog that lets staff self-select and move tools through approval

    Identifying process weaknesses before deploying technology to avoid amplifying existing security vulnerabilities at scale

    Progressing security from a technical cost center to a strategic business enabler using the CMMI maturity model

    Applying martial arts principles of discipline, clear expectations, and target-setting to cybersecurity team leadership

    Evaluating where generative AI delivers in security operations versus where magical thinking still outpaces real-world performance
  • Future of Data Security

    EP 30 — Postman's Sam Chehab on Three Unteachable Traits He Hires For

    2026/02/24 | 27 mins.
    At Postman's scale of 40 million developers generating billions of API requests, Sam Chehab, Head of Security & IT, centers on three enforcement domains: authenticated and encrypted data paths, zero-trust inter-service communication, and runtime instrumentation. His vendor evaluation is just as precise, cutting past feature lists to one demand: show me the architecture diagram and walk through exactly how your solution addresses my threat models.
    Sam identifies why generative AI creates fundamentally new risk: the combination of private data access, untrusted content processing, and external communication capability. This trifecta explains why browser-based AI is nearly impossible to contain; it touches local machines, queries the open web, and executes actions on your behalf. Sam also covers how he screens for three traits he can't train: initiative to self-direct research, attitude to absorb constant setbacks, and aptitude to process how rapidly this field moves.
    Topics discussed:
    Implementing data path integrity, zero-trust inter-service authentication, and runtime instrumentation with immutable logs

    Evaluating cybersecurity vendors by demanding architecture diagrams and specific threat model solutions rather than feature lists

    Managing freemium platform security with anomaly detection, rate limiting, and abuse prevention across 40 million developers

    Identifying AI security's dangerous trifecta: private data access, untrusted content processing, and external communication capabilities 

    Building MCP generators that enable least-privilege API servers by allowing developers to select only required methods before deployment

    Using AI agents to generate security tests during development, shifting validation from security teams to automated testing

    Applying security hygiene fundamentals before adopting specialized vendor solutions

    Hiring security teams based on three unteachable traits: initiative, attitude, and aptitude
  • Future of Data Security

    EP 29 — Age of Learning's Carl Stern on Why Certifications Are Side Effects, Not Final Goals

    2026/02/10 | 29 mins.
    Carl Stern, VP of Information Security at Age of Learning, explains why forcing controls into place without executive alignment guarantees you'll fight uphill battles every single day, as people begin to see security as a blocker rather than a business enabler. Instead, he starts with identifying crown jewels and acceptable risk levels before selecting any frameworks or tools, ensuring the program fits company culture instead of working against it. 
    He also asserts that certifications like HITRUST and SOC 2 validate you're already operating securely; the real program is the daily processes people follow because they understand why, not compliance theatre. Carl also argues the cybersecurity industry exists at its current scale because of a systemic failure: companies ship insecure software without liability, pushing security costs downstream. Most breaches exploit preventable defects that should never reach production, not sophisticated zero-days. 
    Topics discussed:
    Building security programs from scratch versus inheriting existing programs and why executive alignment prevents daily uphill battles

    Treating certifications as validation of operational security rather than the primary program goal

    Pairing administrative controls with technical monitoring to establish baselines before enforcement for unstructured data security policies

    Applying three-part investment calculus for lean teams: measurable risk reduction, manual work automation, and crown jewel protection

    Calculating true cost of 24/7 internal SOC coverage including shift staffing, turnover, training, and tooling versus managed services

    Why attack patterns remain consistent across healthcare, education, gaming, and retail despite different compliance requirements

    Explaining how AI lowers the barrier for exploit development and expands zero-day risk beyond traditional high-value enterprise targets

    Arguing that the cybersecurity industry exists at current scale because companies ship insecure software without liability, pushing costs downstream
  • Future of Data Security

    EP 28 — National Bank's Andre Boucher on Managing AI without Shadow IT Friction

    2026/01/27 | 38 mins.
    André Boucher, SVP Technology and Information Security (CTO/CISO) at National Bank of Canada, managed the transition from commanding Canadian Forces Cyber Command to leading security at a systemically important financial institution by recognizing that governance expertise matters more than technical depth at scale. His approach to shadow AI involves enabling experimentation early with secure platforms that business teams actually prefer, reducing the appeal of unauthorized tools. Rather than aggressive detection that drives behavior underground, they created environments where innovation happens within guardrails. This shifts security from adversarial to collaborative, treating 31,000 employees as team participants rather than risks to manage.
    Andre emphasizes that data inventory across structured and unstructured environments remains the hardest unsolved problem, not because organizations lack tools but because they haven't achieved ecosystem maturity around taxonomy and classification. He explains why third-party risk management is reaching crisis levels as major vendors embed AI features without notice or transparency, creating blind spots in supply chains that regulatory frameworks can't yet address. 
    Topics discussed:
    The translation of military governance and strategy frameworks into private sector security at systemically important financial institutions.

    Shadow AI management through platform enablement and secure experimentation rather than detection and prevention tactics.

    Data inventory and classification as the foundational challenge most organizations underestimate despite its criticality for AI governance.

    The board strategy mandate versus grassroots adoption pressure dynamic and how platform teams bridge the gap without creating friction.

    Third-party risk amplification as vendors embed AI features without transparency, notice, or updated contractual language.

    How awareness training reaches its limits when synthetic actors become indistinguishable from humans in video communications.

    AI use cases in security tooling focused on modeling normal behavior and reducing triage burden rather than autonomous response.

    Building high-performing security teams around ethics, mission, and non-linear career experience rather than purely technical credentials.

    Treating employees as security team participants at scale and how that shifts organizational dynamics from adversarial to collaborative.
  • Future of Data Security

    EP 27 — Turntide's Paul Knight on Zero Trust for Unpatchable Production Systems

    2026/01/15 | 25 mins.
    When manufacturers discover their IP and other valuable data points have been encrypted or deleted, the company faces existential risk. Paul Knight, VP Information Technology & CISO at Turntide, explains why OT security operates under fundamentally different constraints than IT: you can't patch legacy systems when regulatory requirements lock down production lines, and manufacturer obsolescence means the only "upgrade" path is a pricey machine replacement. His zero trust implementation focuses on compensating controls around unpatchable assets rather than attempting wholesale modernization. Paul's crown jewel methodology starts with regulatory requirements and threat actor motivations specific to manufacturing.

    Paul also touches on how AI testing delivered 300-400% speed improvements analyzing embedded firmware logs and identifying real-time patterns in test data, eliminating the Monday-morning bottleneck of manual log review. Their NDA automation failed on consistency, revealing the current boundary: AI handles quantitative pattern detection but can't replace judgment-dependent tasks. Paul warns the security industry remains in the "sprinkling stage" where vendors add superficial AI features, while the real shift comes when threat actors weaponize sophisticated models, creating an arms race where defensive operations must match offensive AI processing power.  

    Topics discussed:

    Implementing zero trust architecture around unpatchable legacy OT systems when regulatory requirements prevent upgrades

    Identifying manufacturing crown jewels through threat actor motivation analysis, like production stoppage and CNC instruction sets

    Achieving 300-400% faster embedded firmware testing cycles using AI for real-time log analysis and pattern detection in test data

    Understanding AI consistency failures in legal document automation where 80% accuracy creates liability rather than delivering value

    Applying compensating security controls when manufacturer obsolescence makes the only upgrade path a costly replacement 

    Navigating the current "sprinkling stage" of security AI where vendors add superficial features rather than reimagining defensive operations

    Preparing for AI-driven threat landscape evolution where offensive operations force defensive systems to match sophisticated model processing power

    Building trust frameworks for AI adoption when executives question data exposure risks from systems requiring high-level access

About Future of Data Security

Welcome to Future of Data Security, the podcast where industry leaders come together to share their insights, lessons, and strategies on the forefront of data security. Each episode features in-depth interviews with top CISOs and security experts who discuss real-world solutions, innovations, and the latest technologies that are shaping the future of cybersecurity across various industries. Join us to gain actionable advice and stay ahead in the ever-evolving world of data security.