CISO Series Podcast: "Data Minimization Means We Don’t Tell You What We’re Collecting"
Air Date: April 22, 2025
Hosts: David Spark, Andy Ellis
Guest: Mandy Huth, SVP & CISO, Ultra Clean Technology
Episode Overview
This episode tackles the hot-button issue of data minimization and why organizations are so hesitant to be transparent about what data they're collecting. The hosts and guest explore whether security awareness training is truly effective, discuss the pros and cons of cybersecurity apprenticeships, debate the root causes of security problems, and examine if privacy can be a strategic business differentiator. The conversation is expert, light-hearted, and rich with real-world examples, making it essential listening for practitioners and leaders in cybersecurity.
Key Discussion Points & Insights
1. The Effectiveness – or Futility – of Security Awareness Training
- Study Findings (05:00): Referencing a 2025 IEEE study, David Spark introduces JM Porup's claim: "Security awareness training is at best a waste of time and at worst, actively harmful to security."
- Phishing failure rates improve only marginally despite training.
- Employees prioritize business tasks over security (05:45).
- Technical Controls vs. Training: Porup advocates for technical enforcement (e.g., mandatory 2FA) instead of opt-in models.
- Andy Ellis (06:11):
"Security awareness training is blind compliance. We do a thing because we're told to do it and it actively makes it worse... The problem is that our technologies are fundamentally bad."
- The real fault lies with insecure systems, not user mistakes.
- Role of Communication:
- Mandy Huth (08:13):
"Employees are incentivized to only do their jobs. Security is an add-on, a bolt-on... If something bad happens and your business goes out of business, everybody loses. So why isn't security part of every single person's job?"
- Minimalist Approach:
- Andy Ellis (09:09):
"It was a cron job that emailed people a link that said come here to click the button to say you got trained... because I know this is a waste of your time, so I'm gonna minimize the waste of time."
- Five people a year actually read the material and gave thoughtful feedback (09:54).
- Conclusion: Security efforts should focus on better system design and meaningful technical controls, rather than repetitious training.
2. Developing the Next Generation: Cybersecurity Apprenticeships & Remote Work
- Talent Pipeline Challenges (12:00):
Traditional hiring is slow; developing internal pipelines takes intention and effort.
- Mandy Huth (12:11):
"Why don't we have a pipeline and spend that six to nine months training someone the way that we need them... it also takes intentionality that you have to have good teachers."
- Beyond Apprenticeships:
- Andy Ellis (13:30):
"The first thing you should do is commit to developing every member of your staff... Once you’ve committed to doing that, now it’s easier for you to take people in."
- Real growth requires continuous investment in both upskilling existing staff and onboarding diverse backgrounds.
- Remote Work Limitation (15:00):
- David Spark notes loss of “adjacency osmosis” in remote work—junior employees miss informal mentoring.
- Andy Ellis (15:36):
"Most places don't know how to teach people other than through adjacency osmosis. Fix that if you want to be a remote work establishment."
3. What's Worse? Game: APT vs. Gaps in Incident Response (18:08)
Dilemma:
- APT group in your network for a year
- Discovering major gaps in your incident response during a real attack
Both Andy and Mandy agree: the APT is worse.
- Andy Ellis (20:02):
"One is I have been owned for a year and the second is I need to improve my processes. I'm going to take improve my processes over being owned for a year."
- Mandy Huth (20:47):
"Incident commander is in charge. And if they've practiced and even if there are things missing..."
- Key Insight: It's expected to find response plan gaps and adapt on the fly; undetected attackers mean more risk and less historical forensic coverage.
4. Root Causes of Security Issues: Software Bugs vs. Configuration Mistakes (26:00)
Ross Haleliuk's assertion: "There are only two sources of security issues: software bugs and configuration mistakes."
- Andy’s Extension (26:02):
"The only source of security issues comes from a gap between expectation and implementation. The customer expects something and you have implemented something different."
- Not So Simple:
- Social engineering, human error, and operational mistakes go beyond bugs/config errors.
- Mandy Huth (27:03):
"How do you stop the misdelivery of information from like a data exposure? Oops, I accidentally sent this to 50 people... I think they're missing the human piece of it."
- Practical Approach: Start with hardened defaults (“secure by default”) and loosen as needed, flipping the typical security paradigm to be business-enabling, not restrictive (28:32).
5. Privacy as Strategic Advantage – Or Not? (29:37)
- Consumer Emphasis vs. Business Reality:
- 75% of Americans support data minimization laws.
- Boards rarely see privacy as a differentiator—only 6% think so.
- Apple as Example:
- Mandy Huth (30:44):
"I have always felt that Apple will go to bat to protect my privacy... what companies in my mind need to really work towards... they don't communicate and act that way."
- Convenience > Privacy:
- Andy Ellis (32:59):
"People say they care about privacy, but then they make choices that make it very obvious that they will trade away their privacy for just about everything."
- The public’s actions (e.g., using TikTok alternatives) contradict their stated privacy concerns.
- Complex Web of Data Sharing:
- David Spark (33:47):
"It was like a privacy explosion. And I think the problem is it's so damn confusing that no one can really understand how their privacy is being abused."
- Vendor Pet Peeve:
- Andy Ellis (35:10):
"If you're listening to this podcast and you work for a vendor, your company should never call my cell phone ever. Unless I have a contractual relationship."
- Bottom Line: Until privacy is an actionable, visible business value, convenience and unclear data flows will continue to erode it.
Notable Quotes & Memorable Moments
- On Inefficacy of Security Awareness:
"Security awareness training is blind compliance... and it actively makes it worse." — Andy Ellis [06:11]
- Security Should Be Everyone's Job:
"Why isn’t security part of every single person's job?" — Mandy Huth [08:13]
- On Apprenticeships vs. Internal Development:
"The first thing you should do is commit to developing every member of your staff..." — Andy Ellis [13:30]
- On Real Risks of APTs:
"If you've been in there a year, my logs probably only go back nine months." — Mandy Huth [19:54]
- On Human Error and Security:
"How do you stop the misdelivery of information... you can't code for that." — Mandy Huth [27:03]
- Privacy Paradox:
"People say they care about privacy, but then they make choices that make it very obvious that they will trade away their privacy for just about everything." — Andy Ellis [32:59]
Timestamps for Key Segments
- Security Awareness Training Debate: 04:45 – 11:20
- Cybersecurity Hiring & Apprenticeships: 12:00 – 16:14
- What's Worse? (Game): 17:44 – 24:45
- Causes of Security Issues: 26:00 – 29:31
- Privacy as Business Value: 29:37 – 36:24
Final Thoughts
The episode underscores that the real improvements in security come not from perfunctory training or siloed technical fixes, but from investing in technical controls, robust pipelines for talent, and making privacy and security accessible and meaningful for everyone. Until organizations align incentives, simplify expectations, and communicate clear value to both users and boards, they’ll struggle to bridge persistent gaps.
For past episodes, show notes, and participation options, visit cisoseries.com.
