Future of Data Security

Welcome to Future of Data Security, the podcast where industry leaders come together to share their insights, lessons, and strategies on the forefront of data security. Each episode features in-depth interviews with top CISOs and security experts who discuss real-world solutions, innovations, and the latest technologies that are shaping the future of cybersecurity across various industries. Join us to gain actionable advice and stay ahead in the ever-evolving world of data security.

Episodes

12 hours ago

The security landscape has radically shifted from "if you get breached" to "when you get breached" — and Morgan Stanley's approach to data protection reflects this fundamental change in mindset. In this episode of The Future of Data Security, Faith Rotimi-Ajayi, AVP of Operational Risk, discusses how sophisticated attackers are now researching and targeting specific financial institutions rather than relying on opportunistic attacks. 
 
Faith tells Jean why social engineering attacks have evolved to target entire family units, including compromising newborns' Social Security numbers for future fraud, and why third-party risk management demands rigorous new approaches as vendors increasingly implement AI without adequate security governance. She also shares her experience implementing dedicated AI governance committees, using risk-based authentication that adjusts friction based on user behavior analysis, and how the pandemic accelerated zero trust implementation by eliminating location-based security models.
 
Topics discussed:
 
The challenges of maintaining operational resilience against increasingly sophisticated targeted attacks rather than merely opportunistic ones in the financial sector.
The evolution of third-party risk management as attackers now strategically target trusted vendors to gain backdoor access to financial environments.
How AI functions as a "double agent" in security, enhancing defensive capabilities while simultaneously enabling sophisticated deep fakes and voice cloning attacks.
The emergence of shadow AI and strategies to mitigate risks through dedicated AI governance committees and internal alternative applications.
Why regulatory compliance is an innovation driver rather than an obstacle, using frameworks like GDPR, GLBA, and DORA as baselines for robust security programs.
Implementing security-by-design principles and risk-based authentication that adjusts friction based on context rather than applying uniform controls.
Using user behavior analysis (UBA) and indicators of compromise (IOCs) to create security measures that don't interrupt legitimate user activities.
How the pandemic accelerated zero trust implementation by eliminating location-based security models and forcing more sophisticated endpoint security approaches.
The importance of creating business-aligned data security frameworks that prioritize based on risk exposure rather than applying uniform protection.
Why Faith emphasizes continuous monitoring and testing alongside preventative controls to maintain 24/7 visibility across distributed environments.

Tuesday Mar 25, 2025

"If you aren't investing in penetration testing, if you aren't investing in having external auditing and third party reporting like gray and black box type testing, you're leaving your program extremely exploitable because you're just admiring the beauty of your own ideas." This blunt assessment from George Al-Koura, CISO at ruby, encapsulates his refreshingly practical approach to data security. 
 
In this episode of The Future of Data Security, George challenges conventional wisdom by predicting a major shift back to controlled data centers as organizations struggle with securing AI implementations in the cloud. He reflects on why no one has successfully created secure LLMs that can safely communicate with the open web, exposes the growing threat of "force-enabled" AI tools being integrated without proper consent, and explains why technical skills are actually the easiest part of building an effective security team. With threat actors now operating with enterprise-level organization and sophistication, George also shares battle-tested strategies for communicating risk effectively to boards and establishing security programs that can withstand sophisticated attacks.
 
Topics discussed:
 
How skills from signals intelligence directly transfer to cybersecurity leadership, particularly the ability to provide concise risk-based analysis and make decisive decisions under pressure.
The challenge of getting organizations to invest in data security beyond compliance standards, while facing increasingly sophisticated threat actors who operate with enterprise-level organization.
The importance of establishing clear leadership accountability with properly designated roles (RACI), investing in appropriate technology, and implementing rigorous third-party auditing beyond certification standards.
The gradual shift in board attitudes toward cybersecurity as a top-level concern, and how security leaders can effectively articulate business risk to secure necessary resources.
How privacy requirements are increasingly driving security investments, creating a data-centric risk management framework that requires security leaders to articulate both concerns.
The struggle to securely deploy LLMs that can communicate with the open web while protecting sensitive data, paired with the trend of returning to controlled data center environments.
How major platforms are integrating AI capabilities with minimal user consent, creating shadow AI risks and forcing security teams to develop agile assessment processes.
Looking beyond technical skills to prioritize integrity, work ethic, problem-solving ability, and social integration when forming security teams that can handle high-pressure situations.

Tuesday Mar 11, 2025

In this insightful episode of The Future of Data Security, Jean Le Bouthillier speaks with Daniel Maynard, VP of Privacy and Data Risk Management & CPO at Early Warning, who shares his journey from law to privacy and offers a practical framework for assessing AI implementation risks — distinguishing between controllable technical risks and more complex model provenance concerns. 
 
Daniel tells Jean about the critical challenges facing financial institutions, including data quality issues, AI ethics considerations, and the paradox of balancing fraud prevention with privacy protection. Daniel provides actionable governance strategies for managing shadow AI, addresses emerging threats from AI-powered fraud, and offers valuable insights on the evolving regulatory landscape. His balanced approach emphasizes documented risk assessment processes while acknowledging varying organizational risk tolerances.
 
Topics discussed:
 
The importance of data quality as a foundation for all other security and privacy initiatives in financial services.
Emerging challenges with AI ethics and trust, particularly regarding data provenance and transparency in model development.
Practical governance frameworks for implementing AI tools while documenting risk-based decision processes with executive buy-in.
Model provenance risks and IP concerns when using AI tools to create potentially valuable intellectual property.
Shadow AI challenges and strategies for managing employee use of AI tools while maintaining appropriate security controls.
File access risks with AI assistants that can search through user-accessible content more thoroughly than humans typically would.
The paradoxical relationship between stronger fraud protections and potential negative privacy impacts from increased data collection.
Predictions about federal AI regulation in the United States versus the more restrictive approach seen in Europe.
Career advice for privacy professionals, including gaining cross-functional experience and maintaining a positive, problem-solving mindset.

Tuesday Mar 04, 2025

Within just four hours of implementing controls at one healthcare organization, Patrick Carter, Sr. Practice Director at Cyderes, and his team caught an employee secretly selling sensitive patient data. Patrick doesn't just tell Jean his war stories, however — he provides a practical framework for quantifying security risks using the FAIR model and sounds the alarm on shadow AI becoming the single biggest threat to data security. From discovering that 10% of AI-generated code contains vulnerabilities to developing detection tools for unauthorized AI usage, Patrick offers a masterclass in navigating both the dangers and opportunities of AI for security leaders.
 
Topics discussed:
 
Building a specialized data protection practice from the ground up, with insights into how Patrick scaled his team to 40 consultants while maintaining excellence in service delivery.
The dual challenge organizations face with data security: understanding complex compliance requirements and gaining visibility into what sensitive data exists in their environments, where it's stored, and how it moves.
Shadow AI emerging as the most significant threat to data security in 2025, with statistics showing 60% of employees using free AI platforms and approximately 10% of prompts containing sensitive data.
Using the FAIR risk model to translate complex security concepts into quantifiable financial impacts that help CISOs make data-driven investment decisions.
A real-world case study where implementing data tagging and DLP controls uncovered an internal data theft operation at a healthcare organization within just four hours of deployment.
The strategic integration of AI into service delivery, including developing an AI agent that functions as a Level 1 data analyst for managed DLP services.
The critical importance of follow-through in professional growth, and how it’s the single most important trait for success in the cybersecurity field.

Tuesday Feb 25, 2025

The cybersecurity landscape is entering an AI arms race, and Kevin Kirkwood, CISO at Exabeam, is on the frontlines building defenses that can match the speed of machine-powered threats. As Exabeam's "Customer Zero," Kevin shares candid insights from transitioning through three platform generations in three years, reflecting on how each migration exposed previously undetected attack patterns in Microsoft environments. 
 
His experience leading the rapid adoption of 700+ UEBA rules simultaneously (against recommended practice) offers valuable lessons for security leaders pushing the boundaries of detection capabilities. Kevin envisions a future where AI-assisted systems can propose new detection rules for zero-days within minutes, while grappling with immediate challenges — like the day Microsoft Edge suddenly claimed his company had authorized Copilot without CISO approval — highlighting the complex reality of managing AI tool permissions in enterprise environments.
 
Topics discussed:
The strategic shift from total log collection to intelligent edge filtering, rethinking the "collect everything" approach while maintaining forensic capabilities through AI-powered agents at the edge.
Specific examples of Microsoft Copilot attempting wholesale access to contact lists and email histories, and tactical approaches to implementing granular controls.
Implementing UEBA at scale, including transitioning from basic logging to behavior analytics capable of detecting subtle "living off the land" attacks that manipulate normal business functions.
How reframing "security vulnerabilities" as "security defects" fundamentally changed developer engagement.
Technical insights into how attackers are using GenAI to transform sophisticated exploits across programming languages, and defensive approaches to match this velocity.
Managing bimodal security architecture and balancing edge-based detection with centralized analysis, including specific identity management challenges in the context of AI tool adoption.
A detailed framework for embedding security professionals within development teams while maintaining the balance between velocity and control.
Technical requirements for near real-time zero-day detection and the evolution toward AI-assisted rule generation.

Thursday Jan 23, 2025

Drawing on his unique background in high-energy physics experimentation, Robert Roser, CISO & Director of Cyber Security at Idaho National Laboratory, offers valuable insights into the parallels between managing complex scientific detectors and securing critical national research infrastructure. He explores the evolving landscape of scientific computing security, from the open science environment of Fermilab to the classified research world of nuclear energy. 
 
Rob's practical experience implementing zero-trust architecture, managing international collaborations, and navigating federal compliance requirements provides a comprehensive view of modern cybersecurity challenges in sensitive research environments. His candid discussion of AI's impact on both security threats and solutions, particularly in the context of high-performance computing and shadow AI risks, also offers valuable perspective on the future of data protection in scientific research.  
 
Topics discussed:
 
The transition from particle physics to cybersecurity leadership, highlighting transferable skills in managing complex systems and critical operations.
The evolution of scientific computing security from open science environments to classified research protection at national laboratories.
Implementation of zero-trust architecture for managing diverse international collaborations while protecting sensitive nuclear research data.
The challenges of securing high-performance computing infrastructure while maintaining accessibility for legitimate research needs.
Balancing federal compliance requirements with risk-based security approaches in government-funded research environments.
The impact of AI on both security threats and defensive capabilities, including advanced phishing and automated security operations.
Management of shadow AI risks and unauthorized cloud service usage in sensitive research environments.
Future trends in data protection and infrastructure security, focusing on automation and advanced threat detection.
Strategies for securing remote access while supporting global scientific collaboration and research initiatives.
Career advice for aspiring cybersecurity professionals, emphasizing the importance of diverse experiences and continuous learning.

Thursday Jan 16, 2025

Drawing from his diverse background in both private and public sectors, Chris Pahl, CPO of the County Executive Office of the County of Santa Clara, tells Jean how organizations can transform privacy from a compliance burden into a strategic asset on this episode of The Future of Data Security Show. 
 
Chris’s "U R IT" framework emphasizes the crucial role of employees in data protection, and his practical approach to managing AI risks and surveillance technologies offers a blueprint for modern privacy leadership. He demonstrates how to build privacy programs from the ground up, foster cross-departmental collaboration, and navigate the evolving landscape of data governance in an AI-driven world, all while maintaining a human-centric approach that puts trust and transparency first. 
 
Topics discussed:
Building trust in public sector privacy while balancing transparency with data protection requirements
Transforming privacy from a cost center into a strategic partner that enhances organizational mission
Managing the emerging risks of generative AI while enabling innovation and efficiency for employees
Implementing effective employee surveillance through transparency and clear communication
Evolution of the Chief Privacy Officer role toward holistic data governance and technical expertise
Strategies for measuring privacy program success through integration and cultural adoption
Importance of proactive relationship building and avoiding the "department of no" mentality
Developing privacy programs incrementally while building cross-functional partnerships

Thursday Jan 09, 2025

In this episode of The Future of Data Security Show, Jean speaks with Orrie Dinstein, Global Chief Privacy Officer at Marsh McLennan. Orrie shares his extensive experience in data privacy, highlighting the shift from compliance-focused programs to a more integrated approach that encompasses information governance. 
 
Orrie also sheds light on the misconception of data ownership among executives, the complexities of navigating global privacy laws, and the critical need for collaboration between privacy and security teams. He also offers his strategies for how organizations can effectively manage data protection while fostering innovation. 
 
Topics discussed:
 
The shift in data privacy from a compliance-focused approach to a more integrated information governance strategy that encompasses various data types and uses.  
The misconception among executives that they own the data, when in reality, they are custodians responsible for managing it ethically and legally.  
Navigating diverse global privacy laws, which often have different definitions and requirements, making compliance a challenging endeavor for organizations.  
The importance of understanding high-level principles of data protection rather than getting lost in the specific legal nuances of various jurisdictions.  
The critical need for collaboration between Chief Privacy Officers and Chief Information Security Officers to effectively manage data risks and security measures.  
The role of privacy by design in ensuring compliance while allowing organizations to innovate and leverage data effectively for business growth.  
The challenges posed by artificial intelligence and data minimization principles, which can conflict with the need for larger datasets to improve AI models.  
The evolving responsibilities of privacy professionals, who must now focus on data governance and monetization in addition to traditional privacy concerns.  
Fostering a culture of transparency and awareness within organizations to encourage reporting of data breaches and privacy concerns.  
The necessity of continuous dialogue between privacy and technology teams to bridge communication gaps and enhance understanding of each other's objectives and challenges.

Monday Dec 02, 2024

In this episode of The Future of Data Security Show, Jean speaks with Hugo Teufel, VP; Deputy General Counsel for Cyber, Privacy, Records; & Chief Privacy Officer at Lumen Technologies. Hugo shares his expertise on the evolving landscape of data privacy and security, such as the significant impact of AI on data security, emphasizing the need for organizations to understand various AI use cases and implement robust governance frameworks. 
 
Hugo also highlights the importance of employee training in mitigating risks, noting that human error remains a critical vulnerability. Additionally, he explores the complexities of navigating global data privacy regulations and the necessity of aligning privacy strategies with organizational risk appetites. Tune in for valuable insights! 
 
Topics discussed:
The evolution of data privacy and security in the context of an increasingly digital and interconnected global marketplace.  
The significance of understanding AI use cases within organizations to effectively manage data security risks and compliance.  
The role of employee training in preventing data breaches and enhancing overall cybersecurity awareness among staff members.  
The challenges of navigating international data privacy regulations and the importance of a principles-based framework for compliance.  
The impact of cultural differences on data privacy perceptions and practices across various regions and jurisdictions.  
The necessity of aligning privacy strategies with the risk appetite of leadership to maintain credibility and effectiveness.  
The importance of incorporating privacy by design in product development to address privacy implications early in the process.  
The potential risks associated with shadow AI and the need for organizations to maintain visibility over AI usage.  
The implications of the NIST AI Risk Management Framework for organizations looking to adopt AI technologies responsibly.  
The future of data security in an AI-driven era and the ongoing challenges posed by cybercriminals and threat actors. 
 

Friday Nov 15, 2024

In this episode of The Future of Data Security Show, Jean speaks with Sylvia Klasovec Kingsmill, Senior Fellow, Future of Privacy Forum and Founder of Trusteva. They explore the critical distinctions between data privacy and data security, emphasizing their complementary roles in protecting individual rights and safeguarding data. 
Sylvia also addresses the complexities AI introduces to privacy regulations, particularly around consent and data scraping. Additionally, she highlights the importance of adopting a "privacy by design" philosophy, urging organizations to proactively integrate privacy measures into their systems. 
 
Topics discussed:
The distinction between data privacy and data security, highlighting how they are complementary yet fundamentally different disciplines in protecting individual rights and data integrity.
The importance of consent in data privacy, particularly in the context of AI and machine learning, and the challenges posed by data scraping practices.
The evolving regulatory landscape for data privacy, including the complexities faced by organizations trying to comply with various laws across different jurisdictions.
The role of privacy by design as a proactive approach to integrating privacy measures into systems and processes from the outset.
The significance of a risk-based approach to compliance, allowing organizations to prioritize their privacy efforts based on the most significant risks.
The need for harmonization among global privacy regulations, especially as organizations expand their operations across different jurisdictions with varying laws.
The impact of AI on traditional privacy principles, and the necessity for regulators to adopt flexible interpretations to support innovation while ensuring compliance.
The importance of multidisciplinary collaboration among privacy professionals, cybersecurity experts, and legal teams to effectively address complex data challenges.
The growing demand for privacy-enhancing technologies and how organizations can leverage them to ensure ethical and responsible data use.
The future of data privacy as a dynamic field, emphasizing the need for professionals to continuously upskill and adapt to emerging technologies and regulations. 

Copyright 2024 All rights reserved.
