CyberWire Daily: “A midseason takeaway.” [CISO Perspectives]
Date: November 25, 2025
Host: Ethan Cook (N2K Networks)
Guest: Kim Jones
Focus: Reflections on privacy, identity, fraud, and AI across the first half of the current CISO Perspectives season.
Episode Overview
This midseason special “unlocks” an N2K Pro episode for all listeners, with host Ethan Cook interviewing series regular Kim Jones. The episode takes a reflective turn, recapping major insights from prior discussions about the evolving risks and challenges around privacy, identity, and fraud, with a central focus on how AI is reshaping these domains. Kim turns from interviewer to guest, sharing candid commentary and practical perspectives for CISOs on grappling with rapid tech change.
Key Discussion Points & Insights
1. The Two Overarching Themes: Privacy & Identity (03:03)
- Privacy: How evolving norms and regulatory frameworks impact organizations, especially small businesses.
- Identity & Fraud: Challenges in confirming and maintaining identity as technological capabilities expand, especially with AI.
- AI’s Impact: Concern over how AI “proliferates through every business” and its role in transforming both privacy risks and identity fraud.
“AI is kind of just proliferating through every business and...it's becoming really difficult to kind of limit its access.” – Ethan Cook (03:03)
2. AI, Identity, and The Concept of Digital Personas (04:10–08:58)
Kim explores how AI agents may represent users in increasingly autonomous ways, raising new accountability questions:
- Digital Clones: AI agents empowered to act on behalf of individuals may themselves become separate identity entities, complicating permission and risk management.
- Fraud Risks: If an AI agent is compromised, it could potentially commit fraud at scale, blurring lines of responsibility.
- Anthropomorphizing Technology: The concept of “Kim Jones” the individual vs. “the Kim Jones AI entity.”
“Are we getting to a point where...the AI agent needs to be addressed as a separate Persona?” – Kim Jones (06:30)
- Accountability: Who is responsible when an AI agent acts—user or machine?
“Do you track that as me, or do you track that separately? How do you investigate?” – Ethan Cook (08:13)
3. The Fallacy of Perfect Security and Human Fallibility (08:58–10:10)
- Configuration Isn’t a Panacea: Even the best-configured systems remain vulnerable, because the people who build, operate, and use them make mistakes.
“Perfect security is an oxymoron. It doesn't exist. You want perfect security? ...Dunk your computers in the Marianas Trench.” – Kim Jones (09:17)
4. Fraud and Social Engineering: The Human Factor (10:10–17:27)
Discussion delves into recent fraud trends and why traditional defenses still fall short:
- Emerging Scams: Crypto, employment, “friendship”/pig butchering scams.
- Identity Verification is One-Way: Current systems require users to prove identity but rarely require organizations to credential themselves to individuals.
- Need to “Break the Identity Paradigm”: The unidirectional model is outdated.
“Identity is one directional or unidirectional. I have to prove that I am who I say I am...Where do these systems have to prove that they are who they say they are?” – Kim Jones (12:50)
- Human Nature: Social engineering thrives; complete prevention is unrealistic.
“If we can't stop crime in the physical world, how the hell do you expect to make it go away in the technological world...?” – Kim Jones (15:16)
- Aim for Risk Reduction, Not Zero Risk: “We can't reduce it to zero, but we can reduce probability and impact.”
5. Innovation, Regulation, and Status Quo (17:27–20:45)
- Stagnation in Solutions: Systems tend to focus on incremental improvements rather than disruptive innovation.
- Innovation Barriers: Institutional inertia and risk aversion (drawing on Ezra Klein’s analysis) mean breakthroughs in areas like identity are rare.
“It's time to break the paradox and figure out is there a better way. And I do think regarding identity...there are ways to do these things, but they're so different, it scares people.” – Kim Jones (20:45)
6. Privacy: Regulatory & Generational Complexity (24:11–32:09)
- Small Business Dilemmas: Hard to comply with patchwork privacy regs; many must rely on third-party solutions.
“The short, flippant...version is: the best you can. The less short...version is you're going to have to go to third party resources.” – Kim Jones (26:30)
- Generational Shifts: Younger generations may trade privacy for convenience (“I’ll give up any of my data to get a 5% discount at Starbucks.”)
- AI’s Role in Privacy Erosion: The ability to generate insights from “innocuous” data is a seismic change.
“The ability...to take that innocuous data, contextualize it...and then extract meaningful intelligence out of it is absolutely scary.” – Kim Jones (31:20)
7. Employees, AI, and Data Leakage (32:09–35:38)
- Unintentional Risk: Employees input confidential company info into AI tools, accelerating work but risking leakage.
- Misconceptions Persist: Many view AI tools as personal assistants or “neutral” helpers, ignoring back-end risks.
- Historical Precedent: Early incidents (e.g., IBM banning Siri) show such issues are not new, just amplified.
8. IoT Devices and Unmanaged Data Collection (37:05–44:28)
- “Unseen World” of Privacy: IoT sensors (notably cars) collect massive, granular contextual data.
- Corporate Remediation Measures: Since it is rarely feasible to fully “secure the device” itself, control the network it talks on: harden that network and segment IoT devices away from corporate systems.
“What I can control is the network they communicate on.” – Kim Jones (38:54)
- Educational Gaps: End-users and sometimes even organizations underestimate how much data is retained by IoT, including vehicles.
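To make the network-side control concrete, here is an added example (not material from the episode or from N2K) of what “what I can control is the network they communicate on” looks like as a policy: a default-deny rule set for an IoT segment, applied to constructed flow records to surface devices talking where they should not. The segment addresses, the gateway address, and the flow-log format are assumptions made for the example.

```python
"""Added example: default-deny IoT segmentation policy checked against flow logs.

Not from the episode. The addressing, gateway and log format are assumptions
made for the example; adapt them to the real VLAN plan.
"""
import ipaddress
from dataclasses import dataclass

# Assumed VLAN addressing (constructed for this example).
SEGMENTS = {
    "iot": ipaddress.ip_network("10.20.0.0/24"),   # cameras, sensors, printers
    "corp": ipaddress.ip_network("10.10.0.0/24"),  # user workstations, file servers
    "mgmt": ipaddress.ip_network("10.0.0.0/24"),   # admin jump hosts
}
IOT_GATEWAY = ipaddress.ip_address("10.20.0.1")   # firewall leg inside the IoT VLAN


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def segment_of(addr: str) -> str:
    """Name the segment an address belongs to; anything outside is 'internet'."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "internet"


def iot_policy(flow: Flow) -> str:
    """Return 'allow', 'deny' or 'n/a' (flow does not touch the IoT segment).

    The device is treated as untrusted, so its segment is default-deny: only
    DNS/NTP to the local gateway, HTTPS out to the internet, and SSH/HTTPS in
    from management are permitted. IoT-to-corp and IoT-to-IoT are denied.
    """
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    dst_ip = ipaddress.ip_address(flow.dst)
    if src_seg == "iot":
        if dst_ip == IOT_GATEWAY and flow.proto == "udp" and flow.dport in (53, 123):
            return "allow"
        if dst_seg == "internet" and flow.proto == "tcp" and flow.dport == 443:
            return "allow"
        return "deny"   # lateral movement into corp/mgmt and IoT-to-IoT land here
    if dst_seg == "iot":
        if src_seg == "mgmt" and flow.proto == "tcp" and flow.dport in (22, 443):
            return "allow"
        return "deny"   # corp users and the internet never initiate to devices
    return "n/a"


def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record: '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))


def audit(lines) -> list:
    """Return the (line, verdict) pairs the policy denies; these are the findings."""
    return [(line, "deny") for line in lines if iot_policy(parse_flow(line)) == "deny"]


# Constructed sample flow log (not captured from a real network).
SAMPLE_LOG = [
    "10.20.0.15 10.20.0.1 udp 53",       # camera resolving its vendor cloud: allowed
    "10.20.0.15 203.0.113.10 tcp 443",   # camera to vendor cloud: allowed
    "10.20.0.15 10.10.0.5 tcp 445",      # camera probing a corp file server: denied
    "10.20.0.22 10.20.0.15 tcp 80",      # printer talking to the camera: denied
    "10.10.0.40 10.20.0.15 tcp 80",      # workstation opening the camera web UI: denied
    "10.0.0.9 10.20.0.15 tcp 22",        # admin jump host to the camera: allowed
]

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_LOG):
        print(f"{verdict.upper()}: {line}")
```

Run against real flow records (NetFlow, VPC flow logs, firewall logs), the same function answers the question the episode raises: not whether the device is secure, but whether the network lets it reach anything it does not need. The denied entries are the segmentation gaps to close.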
9. Closing Reflections: Where Do We Go From Here? (44:28–end)
- Both privacy and identity are transforming rapidly—but the “gaps” are large and getting larger.
- Meaningful risk reduction will require disrupting existing models and expanding education for both organizations and individuals.
“As we sit back...this illustrates a great point about the not just the evolving nature of these two subjects, privacy and identity...but the gaps that we are still contending with...” – Ethan Cook (44:28)
Notable Quotes & Moments
- AI as Identity Entity:
“That AI agent on my behalf can do malicious things within the environment… do I need to track that AI entity...as a separate, different entity from Kim Jones, the individual authorizing applications?” – Kim Jones (06:05)
- On Perfect Security:
“Perfect security is an oxymoron. It doesn't exist...You want perfect security? Close up shop...drop [your computers] in the Marianas Trench.” – Kim Jones (09:17)
- The One-sided Nature of Identity Verification:
“Identity is...unidirectional. I have to prove that I am who I say I am...Where do these systems have to prove that they are who they say they are?” – Kim Jones (12:50)
- Human Imperfection in Security:
“You asked a very broad question...how do we manage the human side. The first answer is: you don't.” – Kim Jones (14:58)
- AI and Employee Data Leakage:
“It’s not the proliferation problem… we assume that...this thing is not just somebody else’s compute power in somebody else’s data center.” – Kim Jones (32:58)
- IoT and Personal Privacy:
“Your car is harvesting your data… it’s way more widespread.” – Kim Jones (43:02)
Timestamps of Important Segments
| Time | Topic |
|-------|---------------------------------------------|
| 03:03 | Introducing privacy & identity as major season themes; AI’s impact highlighted |
| 04:10 | Deep dive: AI and shifting identity boundaries (digital personas, accountability) |
| 08:58 | Why “perfect security” cannot exist; human error as a constant |
| 10:10 | Fraud & scams: how identity is under attack; employment scam example |
| 12:50 | Unidirectional identity; call to break the paradigm |
| 14:58 | The futility of absolute security; focus on risk reduction |
| 17:30 | Why innovation stalls: regulatory & institutional inertia |
| 24:11 | Managing privacy as a small business; regulatory burden |
| 30:10 | Generational paradigms of privacy value; evolving data exploitation capabilities |
| 32:09 | The risk of leaking confidential data into AI tools (employee side) |
| 37:05 | IoT/“unseen world” case: cars as data centers; parallels to broader IoT risks |
| 38:57 | Practical advice: IoT network segmentation as primary control |
| 41:00+ | Education needed for personal IoT/data disposal (cases: printers, cars) |
| 44:28 | Concluding reflections: gaps and collective responsibilities moving forward |
Summary Takeaway
This episode pivots from technical “how-tos” to strategic “what-ifs,” pressing CISOs and security professionals to rethink their assumptions about identity, privacy, and organizational boundaries in the age of ubiquitous AI and IoT. Kim Jones pushes for breaking existing paradigms, both in how we secure identities and in how we educate users, arguing that true innovation is overdue. The ongoing challenge is not to eliminate risk, but to recognize its shape as it changes, and to be willing to redesign inherited systems instead of merely patching them.
