Future of Data Security

Arvind Raman — Board-level Cybersecurity Executive | CISO roles at Blackberry & Mitel, rebuilt cybersecurity from a compliance function into a business differentiator. His approach reveals why organizations focusing solely on tools miss the fundamental issue: without clear data ownership and accountability, no technology stack solves visibility and control problems. He identifies the critical blind spot that too many enterprises overlook in their rush to adopt AI and cloud services without proper governance frameworks, particularly around well-meaning employees who create insider risks through improper data usage rather than malicious intent.   The convergence of cyber risk and resilience is reshaping CISO responsibilities beyond traditional security boundaries. Arvind explains why quantum readiness requires faster encryption agility than most organizations anticipate, and how machine-speed governance will need to operate in real time, embedded directly into tech stacks and business objectives by 2030.  Topics discussed:   How cybersecurity evolved from compliance checkboxes to business enablement and resilience strategies that boards actually care about. The critical blind spots in enterprise data security, including unclear data ownership, accountability gaps, and insider risks. How shadow AI creates different risks than shadow IT, requiring governance committees and internal alternatives, not prohibition. Strategies for balancing security with innovation speed by baking security into development pipelines and business objectives. Why AI functions as both threat vector and defensive tool, particularly in detection, response, and autonomous SOC capabilities. The importance of data governance frameworks that define what data can enter AI models, with proper versioning, testing, and monitoring. How quantum computing readiness requires encryption agility much faster than organizations anticipate. The emerging convergence of cyber risk and resilience, eliminating silos between IT security and business continuity. Why optimal CISO reporting structures depend on organizational maturity and industry. The rise of Chief Data Officers and their partnerships with CISOs for managing data sprawl, ownership, and holistic risk governance.

AI coding assistants are generating pull requests with 3x more commits than human developers, creating a code review bottleneck that manual processes can't handle. Karen Cohen, VP of Product Management of Apiiro, warns how AI-generated code introduces different risk patterns, particularly around privilege management, that are harder to detect than traditional syntax errors. Her research shows the shift from surface-level bugs to deeper architectural vulnerabilities that slip through code reviews, making automation not just helpful but essential for security teams.   Karen’s framework for contextual risk assessment evaluates whether vulnerabilities are actually exploitable by checking if they're deployed, internet-exposed, and tied to sensitive data, moving beyond generic vulnerability scores to application-specific threat modeling. She argues developers overwhelmingly want to ship quality code, but security becomes another checkbox when leadership doesn't prioritize it alongside feature delivery.  Topics discussed: AI coding assistants generating 3x more commits per pull request, overwhelming manual code review processes and security gates. Shift from syntax-based vulnerabilities to privilege management risks in AI-generated code that are harder to identify during reviews. Implementing top-down and bottom-up security strategies to secure executive buy-in while building grassroots developer credibility and engagement. Contextual risk assessment framework evaluating deployment status, internet exposure, and secret validity to prioritize app-specific vulnerabilities beyond CVSS scores. Transitioning from siloed AppSec scanners to unified application risk graphs that connect vulnerabilities, APIs, PII, and AI agents. Developer overwhelm driving security deprioritization when leadership doesn't communicate how vulnerabilities impact real end users and business outcomes. Future of code security involving agentic systems that continuously scan using architecture context and real-time threat intelligence feeds. Balancing career growth by choosing scary positions with psychological safety and gaining experience as both independent contributor and team player.

Nic Chavez, CISO of Data & AI at IBM and former DataStax leader, dives into the challenges of enterprise AI. He discusses how Project Catalyst democratized AI development, showing anyone can innovate with coding assistants. Nic highlights that over 99% of AI projects stall due to data security risks, especially accidental leaks into free LLMs. He argues for creating appealing internal tools over banning external ones. Also, he predicts AGI could emerge by 2029, emphasizing the need for robust security talent development.

Omar Khawaja, CISO at Databricks and expert in enterprise security and AI risk, shares insights on overcoming organizational inertia in security. He introduces the T-junction methodology, which forces explicit decision-making and turns employees into security champions. Omar reveals a comprehensive approach to AI risks, cataloging 62 specific threats across various subsystems. He emphasizes practical AI use cases that enhance efficiency while warning against the pitfalls of shiny-object syndrome in technology.

Sendbird had AI agents take backend actions on behalf of customers while processing sensitive support data across multiple LLM providers. This required building contractual frameworks that prevent customer data from training generic models while maintaining the feedback loops needed for enterprise-grade AI performance.   CISO Yashvier Kosaraju walks Jean through their approach to securing agentic AI platforms that serve enterprise customers. Instead of treating AI security as a compliance checkbox, they've built verification pipelines that let customers see exactly what decisions the AI is making and adjust configurations in real-time.   But the biggest operational win isn't replacing security analysts: it's eliminating query languages entirely. Natural language processing now lets incident responders ask direct questions like "show me when Yash logged into his laptop over the last 90 days" instead of learning vendor-specific syntax. This cuts incident response time while making it easier to onboard new team members and switch between security tools without retraining.    Topics discussed:   Reframing zero trust as explicit and continuously verified trust rather than eliminating trust entirely from security architectures. Building contractual frameworks with LLM providers to prevent customer data from training generic models in enterprise AI deployments. Implementing verification pipelines and feedback loops that allow customers to review AI decisions and adjust agentic configurations. Using natural language processing to eliminate vendor-specific query languages during incident response and security investigations. Managing security culture across multicultural organizations through physical presence and collaborative problem-solving approaches rather than enforcement. Addressing shadow AI adoption by understanding underlying problems employees solve instead of punishing policy violations. Implementing shared responsibility models for AI data security across LLM providers, platform vendors, and enterprise customers. Prioritizing internal employee authentication and enterprise security basics in startup scaling patterns from zero to hundred employees.

What happens when you scale a crypto company across 160+ countries while maintaining the same security standards as Wells Fargo? At MoonPay, it meant rethinking how traditional banking security translates to high-velocity fintech environments. Doug Innocenti, CISO, breaks down how his team achieved PCI, SOC 2 Type 2, and regulatory licenses like BitLicense and MiCA without slowing product development. The secret is the ability to test multiple security tools in parallel and pivot quickly when something isn't working.   But velocity alone isn't enough, he cautions Jean. Doug's approach to AI in security reveals a critical insight: although AI-powered tools can dramatically reduce SOC response times and automate incident analysis, the "gut instinct gap" remains. His team uses AI to enable faster decisions, not replace human judgment — especially when patterns don't match what the algorithms expect to see.    Topics discussed:   Maintaining bank-level security posture while enabling startup velocity through security-first architecture and platform design principles. Scaling compliance across 160+ countries using pre-built infrastructure that accommodates PCI, SOC 2, BitLicense, and MiCA requirements. Implementing parallel security tool testing to accelerate vendor evaluation and avoid bureaucratic delays in enterprise environments. Adopting next-generation DLP solutions like DoControl that use AI-powered business intelligence for dynamic data boundary creation. Balancing insider threat monitoring with external threat defense through compensated controls and rapid reaction capabilities. Managing AI adoption risks while embracing acceleration benefits through defensive technology investment and vendor selection criteria. Using AI-enhanced SOC and SIEM operations to reduce incident response times while preserving human judgment for pattern recognition. Building transparent security culture where all employees become security professionals rather than maintaining background security operations.

Myke Lyons brings an unconventional background to cybersecurity leadership, having trained as a chef before discovering his passion for breaking and rebuilding IT systems. As CISO at Cribl, he applies culinary principles like mise en place to security operations while solving the fundamental economics problem facing every security team.   The math is unforgiving, he tells Jean: data volumes grow at 28% annually while security budgets remain flat. Myke's solution involves intelligent data hierarchies that route critical authentication logs to expensive SIEM systems while automatically sending regulatory compliance data to cheaper cold storage, reducing costs by 70-80% through format optimization.   Topics discussed:   The fundamental economics challenge of increasing annual data growth versus flat security budgets and how intelligent data hierarchies solve this by routing critical logs to expensive systems while storing compliance data in cheaper cold storage. Smart data pipeline architecture that eliminates vendor lock-in by enabling simultaneous testing of multiple security technologies on identical datasets while maintaining complete data ownership across any storage platform. Building security culture through partnership rather than punishment, including automated nudges for personal account security and micro-bonus rewards for completing security training. AI agent implementation for automated phishing response that performs tier-two-level analysis, hunts across email environments, and provides cohesive incident summaries with risk ratings for security analysts. The evolution from manual security operations to AI-powered automation, with predictions that full tier one analyst capabilities will be available within months for organizations with comprehensive security telemetry. Data format optimization strategies that reduce log storage costs by 70-80% through UNIX timestamp conversion and elimination of redundant vendor-specific wrapper formats that create unnecessary data bloat. Mise en place principles from professional kitchens applied to security incident response, treating procedures like recipes with clear preparation steps and proper tooling to reduce response time and improve consistency. The importance of establishing data architecture early in security programs to avoid complicated remediation of poor data decisions that become exponentially more expensive to fix over time. LLM integration for security operations including query writing assistance, pipeline creation, sensitive data redaction, and context-aware threat intelligence that reduces analyst toil and improves detection capabilities.

Welcome to a special edition of Future of Data Security, where our host Jean Le Bouthillier answers the top questions our listeners have asked us. In today's episode, Jean addresses why 100% data coverage doesn’t equal 100% protection.    Would you like to have Jean answer one of your questions in a future episode? Email podcast@qohash.com with your question and a short summary of why you're looking for an answer!    

Welcome to a special edition of Future of Data Security, where our host Jean Le Bouthillier answers the top questions our listeners have asked us. In today's episode, Jean addresses how data visibility can turn crisis into calm.  Would you like to have Jean answer one of your questions in a future episode? Email podcast@qohash.com with your question and a short summary of why you're looking for an answer!

Robert Kang, Professorial Lecturer of Cybersecurity & National Security, The George Washington University Law School, has been building enterprise cybersecurity programs since 2009, making him one of the “OG” practitioners when most organizations didn't even have dedicated cyber counsel. His unique perspective comes from protecting both critical infrastructure and social media platforms, highlighting how the same governance, risk management, and compliance framework applies across radically different threat landscapes.    In his conversation with Jean, he shares why organizations face equal risks from implementing AI too quickly or prohibiting it entirely, and how complete AI prohibition drives employees to use personal accounts for business purposes, eliminating organizational oversight entirely. Robert's systematic approach to building relationships with law enforcement agencies before crisis situations emerge provides a practical framework most organizations ignore. From free services like InfraGard to subscription-based programs like the National Cyber Forensics Training Alliance, these partnerships deliver both threat intelligence and confidential channels for sharing information with federal agencies.     Topics discussed:   The fundamental differences between protecting critical infrastructure versus social media platforms while using identical governance, risk management, and compliance frameworks. Why complete AI prohibition creates shadow adoption risks where employees use personal accounts for business purposes, eliminating organizational oversight and control. Building systematic relationships with law enforcement agencies through programs like InfraGard and the National Cyber Forensics Training Alliance before crisis situations emerge. The evolution of enterprise cybersecurity legal programs from non-existent in 2009 to essential business functions requiring dedicated counsel and executive sponsorship. How anticipating technology trends years in advance, rather than reacting to current adoption, positions cybersecurity professionals ahead of emerging threats. Training methodologies for technology lawyers that combine legal knowledge with technical understanding of AI, cybersecurity, and privacy frameworks. Essential certification pathways for legal professionals entering technology risk management including CC, CIPP, and AIGP credentials. Government threat-intelligence-sharing programs ranging from free public services to subscription-based personalized assistance for specific industries. Why law schools must teach both the law of AI and the technology of AI to prepare students for the transformed legal profession.