A
You're listening to the Cyberwire Network powered by N2K.
B
This exclusive N2K Pro subscriber-only episode of CISO Perspectives has been unlocked for all Cyberwire listeners through the generous support of Meter, building full-stack zero-trust networks from the ground up. Trusted by security and network leaders everywhere, Meter delivers fast, secure-by-design and scalable connectivity without the frustration, friction, complexity and cost of managing an endless proliferation of vendors and tools. Meter gives your enterprise a complete networking stack, secure wired, wireless and cellular in one integrated solution built for performance, resilience and scale. Go to meter.com/CISOP today to learn more and book your demo. That's M-E-T-E-R dot com slash CISOP.

Welcome back to CISO Perspectives. I'm Kim Jones, and I'm thrilled that you're here for this season's journey. On today's episode, I sit down with N2K's lead analyst and editor, Ethan Cook. This episode is a little different. Ethan and I are taking a step back to reflect on the conversations we've had so far around regulation and where the landscape is headed next. Ethan will also be joining me from time to time throughout this season, after we cover new topics, to share his analysis and keep us grounded in the bigger picture. So let's dive in.

So we spent the first episode talking about the regulatory landscape and interactions with the federal government. So, particularly given your background, and shameless plug for your podcast as well, thank you, I'm curious as to your thoughts regarding some of the things that Ben talked about and that we discussed. Talk to me.
A
Yeah, so one, thank you for the shout-out for Caveat, which, for the listeners who aren't aware, is a more politically focused show, almost exclusively politics, but not the drama of politics, rather what's going on and the impacts that's going to have on people. And Ben on that show always makes jokes at his own expense, saying how the people are coming with pitchforks for him with some of his takes on items, especially related to the current administration. And I could tell he was holding back on some of the criticisms he was levying rather than being as blunt about the actions that were happening. It was more "this is going to be very impactful" rather than "I personally think this is a bad decision" or something along those lines. So I think that was some of the holdout. I really enjoyed, throughout the conversation, the framing of the DOGE cuts and the impacts that's having, especially on, like Kim, you brought it up, the cutting of the Cyber Review Board. Yeah, and even taking that one example in a vacuum, that will have dramatic impacts on the industry. And then we can take a step back and expand that, not just within cyber, but to other branch industries, and it will have very similar impacts regarding who owns the burden of managing and protecting themselves.
B
Yeah, it's getting really interesting in that regard. I am not a believer that regulation solves everything. I just don't believe you can regulate yourself into a place of total solutioning. So I do believe that there is such a thing as too much regulation out there.
A
Absolutely.
B
But the counterpoint to that is there's also such a thing as too little. I genuinely and sincerely do not believe, and I'm with Churchill, you know, democracy is the worst form of government there is, with the exception, of course, of all the others. So I do believe that there is such a thing as too little, because within this democratic republic we have tried as much free-market capitalism and free-market environment and laissez-faire attitude as we can, and we've left large segments in the dust for doing that. And we've created large amounts of risk in the environment by doing that. So rather than swinging the pendulum back towards the center, it feels like we've gone from one extreme to the other extreme, not realizing that both extremes are bad. And I just wonder sometimes at our inability to actually walk the middle path, or our objection to it. And one of the areas I really want to dig into, going back to DOGE as well, Ethan, is not just the loss of the CSRB, but the exposure, or the breaking down, of the firewalls regarding Social Security data within the environment. Talk to me.
A
So I think we're talking about privacy. And this is going to be a conversation that comes up throughout the remaining episodes of this season. But when we think about privacy, we have this mindset, and I think it's not intrinsic to the U.S., but the U.S. has, I think, a worse symptom of it, so to speak, of "my information is already out there, so why bother?" You know, and it's frustrating, and I'm sure it's frustrating for you, whether it be health care data, whether it be Social Security data, et cetera. And I think we often frame that conversation regarding businesses and how businesses handle our data, or, you know, this private entity does not handle my data well. Oh well, it is what it is. Maybe I can sue and get some recourse from the government.
B
Yeah, I'm going to interrupt for half a second here just to dovetail on that. I'm wondering if that mindset has been deliberately instantiated with malice aforethought on behalf of business. I mean, I often speak to this: there are two things that you can do if you want to create an environment where I'm providing data to the omnivorous data engine. I can either convince you that I have built Fort Knox on steroids and that nothing is ever going to happen, or I can devalue the data, or convince you that this level of exposure is normal and that the benefits outweigh the potential risk. So I'm wondering, I mean, I'm agreeing with everything you said, but I'm wondering if we did that deliberately and we've allowed that to happen. What do you think?
A
I think it's multifaceted. I think on behalf of the consumer, it's born out of ignorance. And I'm not going to blame ignorance on the consumer. Obviously, everyone is... I do support the idea that it's your job to inform yourself, that it's someone's responsibility to inform you. But I do think the system is currently set up in a way, and technology is evolving in a way, that makes it incredibly hard for someone, especially someone who does not have the background, to stay up to date on what it means to be secure from a privacy standpoint. You know, if you go around and you ask people what encryption is, most people could not tell you. You go around and you ask, how does a VPN protect your data? Most people could not tell you. And I think these basic security and privacy concepts that we know like the back of our hand are not commonplace. And so when you talk about securing data, people simply just don't know. They don't understand the implications of this.
B
And it's that last point you just made that I think is the more important point. You know, I use the example when I teach at university: if you're not a finance guy or gal, do you understand mark-to-market accounting? If you're not mechanically inclined, do you understand how to change the timing belt on a '67 Chevy within the environment? And many people, for that last example, don't. But you do know how to drive the car.
A
Yes.
B
And you do know how to make the car get you from point A to point B. And you understand what the risks are of driving the car in certain ways within the environment and doing things within the environment that are potentially dangerous. So I don't need someone to understand how encryption works or how a VPN works, but I need them to understand the potential negative implications of not using them, in terms of the impacts, just the way you understand what it means to drive your car at 150 miles an hour in a 25-mile-an-hour zone in the middle of a raging thunderstorm. Every person listening to this can understand the trade-offs and potential consequences there without ever having done that. We have not set up our security education ecosystem enough to make sure of that. I don't need you to understand encryption. I need you to understand that trade-off.
A
Exactly. And I think that's what I mean by understanding encryption: the value that it brings to you. People go, oh, it protects me somehow, but I really don't know, not how it protects me, but what it even protects me from. I don't understand these things. And again, I think part of it is technology evolves so quickly it's hard to keep up if you're not in the space. And I think the other part of it is there is an active incentive not to, because the data industry is massive. It is one of the largest industries in the US. There is a ton of money that comes in and out of this. We have had multiple scandals or incidents that have occurred from companies mishandling data, whether it be, let's say, a health care group who loses a ton of health care records because they were being sloppy, because it was just not convenient for them to bother, or other cases like political scandals where massive data scraping has happened on social media sites to harvest this. And so I think part of it is there's so much money behind this industry that getting people informed is not really in the interest of a business. And while I'm never going to sit here and say, oh, we shouldn't make money, I think we can all agree that there are certain ethical lines that should be drawn regarding protecting people from businesses that are malicious, or that are putting information in places that are not secure, or opening them up to potential fraud cases. And I think that also inhibits the US from a regulatory perspective, from a lobbying perspective. It's not in the interest of businesses to want a privacy law that is going to actively impact their bottom line.
B
So what is, in your mind, the impact of, and I hate to use the term because it may sound pejorative, but I believe it reflects the environment, a laissez-faire regulatory environment around privacy data?
A
Yeah, so I think, I'm going to use the bingo card, Kim. I'm going to pull it out: the dreaded AI word. I think AI is a really good example that people can look at, slightly different from privacy, but I think the one-to-one is very self-evident, where we look at AI and we say right now it is the Wild West, especially at the federal level. There is nothing, and the current administration has no interest in regulating. Now, on the state level there is regulation. Whether that remains in the future... there have been some efforts to remove some of this stuff, but particularly with the...
B
President's plan saying, for those states that overly regulate, with "overly" not being well defined, you're going to lose incentives at the federal level regarding AI.
A
Exactly. So whether that's still there in the future is TBD, but at the moment it's there. But I think when you look at the AI ecosystem and how we regulate, there's this broad consensus, even among AI developers, that the industry needs regulation. You've had Anthropic, OpenAI, Sam Altman from OpenAI come out and say there needs to be government action on this; there has to be something, because right now there's nothing. And that opens the door for malicious actors, it opens the door for insecure...
B
Systems. It also opens the door for misuse. Have you read recently regarding the Anthropic settlement?
A
Yes, absolutely. And I think right there is the perfect example of what a laissez-faire system gets you. There are people who are misusing AI, there are people who are improperly setting up AI, people who are overly relying on it. I mean, there have been cases and stories coming out where lawyers are citing AI, or citing cases that don't exist. That don't exist, right? Because the AI has hallucinated and said, oh, in this versus this, this happened. And everyone's like, that's not a case. And I think because there is no accountability, because there are no regulations, it just opens this door. And I think privacy is very similar, because the US has such a laissez-faire system when it comes to privacy. You see data getting misused, you see data not being stored properly, you're seeing people using... And right now the big push is to better protect children's online data, to prevent them from being targeted by advertising and by algorithms locking them into social media for five hours on end every day. And compare that system to what Europe has. Now, I don't think the GDPR is perfect. I think you can argue the GDPR is economically restrictive at times. I think there are a lot of holes we can poke in the GDPR, but across the board, from a security perspective, from a privacy perspective, it's like the gold standard at the moment. Sure, it's not perfect. I don't think any system is perfect. I don't think you're ever going to find the perfect system that does not have that. Someone's always going to fall through a crack from a business perspective, and someone's always going to get hurt from an individual perspective, from a misuse case.
B
So here's a potential counterpoint. This is a genuine ask. The genuine ask being: you're right, that is the gold standard. Now let's look at innovation within GDPR-regulated countries. Are we seeing the levels of innovation in those organizations? And is regulation a factor? I mean, maybe. And this is playing devil's advocate.
C
Yeah.
B
You know, maybe the current administration is correct in terms of swinging the pendulum, at least back a bit, or maybe even swinging it as far as it's gone.
A
You know, I think regarding innovation, outside of a privacy perspective, we're bringing it back to AI, right? Because Europe had this very aggressive "let's regulate AI" approach. And if you've noticed, for people who have started tracking that, that shift is changing. There's been a lot of movement in the past nine months in Europe to say, we're going to regulate, but maybe we can scale back some of these things. Maybe we don't need to be as aggressive. Maybe we can extend timelines; let's make deals. And that has been, I think, a pretty big push to say, let's have that economic investment and innovation that the US is currently dominating across the world with, because everyone sees AI as the golden egg. I think with privacy, that can still be said. When you think of some of the largest data brokers, a lot of them are at least housed in the US, or have a huge part in the US, or actively use it. I mean, when you think of, let's say, Google, right, one of the largest data brokers in the world. We don't think of Google as a data broker, but it absolutely is a data broker, and it is in the U.S., right? When you think of Meta, one of the largest data brokers. There aren't a lot of data brokers; there are ones across the world. But when you think of the biggest players, they're all within the US. So...
B
The argument here then says that all of those big players have come up and succeeded under the regulatory umbrella as it existed. So that argument seems to say that under this supposedly restrictive regulatory environment, you have Google, you have Meta, you have Amazon, you have Microsoft, the list goes on.
A
Yeah, I. 100%.
B
What are we complaining about?
A
I think the modern complaints are about maintaining what they have. Personally, that's my take on these things.
B
I look at it as maintaining what they have, or the inability to exploit what they have further than they can.
A
So let's take a great example which I've been tracking a lot, which is the numerous laws that have been forming at the state level, and attempted at the federal level, regarding privacy and online safety for kids. Yeah, you have KOSA, you have COPPA 2.0, you have a bunch of state laws that have been going through, and people were kind of shocked when you have companies like Meta, Snapchat, Discord, etc. saying, we're totally good with it, like, we're totally good with protecting the kids. And the first thought was, why would you want to do that? Right? Like, that's actively inhibiting your economics, right? Like, you make money off these products from, you know, the monopolization of young people's minds. Why? What is that incentive? And I think a great angle to take on that is saying, in order to validate all this information, that you are a minor or not a minor, you have to submit personally identifiable information. Some states are requiring driver's licenses or other identification cards or things, not just a click on the birth date: I am an 18-year-old, right? That's data. Like, sure, it's data on adults, right? That's more data. If you upload a picture of your driver's license, you have date of birth, you have eye color, weight, hair, or not weight, but hair, right? You have all these things, pictures, all these things that maybe they weren't necessarily wanting but can now get access to. And while there are some stipulations and laws that are saying you can only use this for age verification, and they're...
B
There. But once it's in the data lake... Exactly, it's in the data lake.
A
And to me that's just more data, more processing. Data is being processed faster than ever with AI capabilities and machine learning. And, you know, I would hedge the bet that these companies have enough money to do the economic assessment of whether or not this law is going to cost them on the bottom line. And they've made the bet and said it's not going to cost us, because what we get back in return is worth far more than that.
C
What's your 2 a.m. security worry? Is it, do I have the right controls in place? Maybe, are my vendors secure? Or the one that really keeps you up at night: how do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks and keep your program audit-ready all the time. With Vanta, you get everything you need to move faster, scale confidently and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A dot com slash cyber.

At Thales, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com/cyber.
B
So, question. We've talked a bit about the pendulum in terms of regulation within the environment. What do you see, and it's changed obviously here in the US, what do you see as the role, the appropriate role, for regulation, and we'll stay at the federal level, as it pertains to cyber? What is the role? What should we be focused on in a general sense?
A
You know, I tend to be a big-government guy, but I recognize the flaws in there, right? Like, I don't think it's perfect. I do think there are a lot of cracks that form when you go big government. I would say the role of the federal government should never be to mandate. It should be to provide guidance, instruct and support. I think when you start getting into hard-line mandates of "your system has to be X, Y and Z," you create an overly rigid structure. This just simply does not work in a lot of cases. The US is massive. It's one of the largest countries in the world. You could argue that California could be its own country. Making an entire legal system that every state has to abide by is just not practical. And I think that's where we get into, to your point, the bad side of regulation, where it's: I don't care if you don't have the money to do this, I don't care if you don't have the technical expertise to do this, you're going to do it or we're going to fine you millions of dollars. Okay. But I think that's what you can do.
B
If you don't do it, we're going to fine you millions of dollars. That's beyond guidance, though, isn't it? That becomes a mandate.
A
That's what I mean. That's where I don't... I think that's the problem. And I think, to the point, we could argue that the Biden administration was a little heavy-handed with some of these mentalities, where systems started becoming more mandate-y, more "you are going to do this," less "let's help you do this."
B
Okay?
A
I think support is the best way. I do think where, quote unquote, mandates or requirements should come into play is where there's tangible human cost that gets associated with them, and it has to be scaled to an appropriate level. Right? Like, if you take, let's say, a data breach: you're a hospital, you had a data breach, you are a rural hospital, you don't have the funding of a major city hospital, you don't have the support, you don't have, et cetera. The people who get impacted by you getting breached should be entitled to financial compensation. Right? They've been impacted by this, whether that's because of insurance fraud or medical leaks, whatever happens.
B
Yeah, and I see where you're coming from, and it's not that I disagree. I'm not a big-government guy, believe it or not, but I don't disagree. But the question, when we talk about tangible impact, I think is one of the concerns that we have. I mean, right now we know that because of quantum coming up, there are a lot of bad actors right now who are taking a philosophy of harvest now, break later, because they know they can't break the encryption now. But if this encryption algorithm is not quantum-assured, then when it goes in there, they're going to get it. So right now, right this second, there is no tangible impact, there is no tangible harm. Not a dollar has been lost or stolen. I may be inconvenienced within the environment. So do I sit here and say, well, because there is no harm, I therefore am not going to mandate that you do anything? And because I can't place tangible kinetic harm on you as an individual, we should be more laissez-faire? Because the challenge that we have here is, for the vast majority of us who are not, and have not, lived in even the lower fourth or lower third of the economic spectrum within the environment, and when I say us, I mean the folks probably listening to this podcast, the level of that tangible harm is difficult for us to visualize.
A
Absolutely.
B
Yeah. And now the ability to say, okay, let me bring it into the physical space. And again, we're talking federal regulation, so there's no way to do so without being somewhat political, and I apologize about that to our audience. But I think the analogies are potentially relevant right now. We've seen places, here in Arizona, you know, where polling places, et cetera, have been shut down as we've consolidated for cost, et cetera. We'll leave gerrymandering and all that other stuff out of it. We've seen a campaign to eliminate mail-in ballots and voting machines because of a false mantra regarding levels of fraud. And I can say false mantra because Arizona has had mail-in balloting for decades, and we know how to make it work, and it's been working well for decades. So we know how to make this work well. But do people understand that for the single mother who's working two jobs, when election day is not a paid holiday, what you have just done is say, in order for me to actually be heard, I have to forgo a day's wages, and I have to forgo the ability... So it's either not be heard and be marginalized, or money out of my pocket. And there's real tangibility that exists there that most of us don't see. So when my data gets compromised, or you utilize my data to mine information about me so that you can market to me accordingly, and that data is compromised within the environment, there is an argument that says, okay, there may not be kinetic harm right now, but the potential-energy harm that exists, that I may not see for another week or month, et cetera, can be fairly huge to someone who's living on the margins. So saying kinetic harm, I get, but ignoring the potential energy of that harm in the environment that we're dealing with right now, I think, is dangerous.
A
100% agree. I think, to your point, most people in the US live paycheck to paycheck. Yeah. Most people in the US have less than $2,000 in a bank account across all their bank accounts. Right. Most people... you know, interest rates are high, costs are up. It's a tough time at the moment. It is not, I think, a friendly economic situation for someone who is lower class or lower middle class or middle class. And it's really easy to forget the human aspect of this, right? When we're talking about terabytes upon terabytes, billions and billions of dollars, it's really easy to forget the individual cases. And you're never going to have a perfect system that accounts for everyone. It's just, unfortunately, the reality, especially in a country of our size.
B
Yeah. But even accounting for the plurality, I mean, are we truly representing even a plurality of interests out there? The argument says yes, maybe.
A
But at the federal level, I would say no.
B
Yeah.
A
At the state level, I would say it depends on the state. There are certainly states that care more than others, and maybe "care" is not the right word, but are more attentive than others. Because I do think there are great state legislators across the country in every state. But I think part of this, you know, we actually had a great conversation on Caveat, not similar, but regarding CISA and the cuts that have been made there and the impacts that's going to have at the state level. And regardless of whether you agree with the cuts to CISA or not, there is a concern that states just don't have the technical expertise to make up for it, both from a budgetary perspective as well as a talent acquisition perspective: to get people in and get them interested in coming to a rural place that they've never been before, when they've been in a big city and have all the enjoyments of that, and leaving and uprooting themselves to go there. And so while they may want them at the state level, it may just not be feasible at the state level. And I think that's the value of federal support: it accounts for the inherent caps that states are going to have, because states just don't have the funding to do all these things.
B
And it'll be very interesting, because statistically, in terms of support for some of the initiatives of the current administration, seeing, and I'm not a politician and I'm not deep into the data, that there's a large amount of that support in those rural areas that are about to be negatively impacted massively within the environment.
A
Yeah. And I think part of that goes to the previous conversation we were having a couple of minutes ago regarding just a lack of understanding about what this means for the average person, when we talk about deregulation and the impacts of having an unregulated AI network or an unregulated privacy system. And I think part of it is just lack of technical understanding, and not from the uber details of the ins and outs of coding, all the nitty-gritty, but from just the high level, from the overview, and understanding what it means to have a data breach happen to you. What is the impact of it? If this gets exposed, how can that impact you and translate to a case of identity fraud?
B
Have we, my peers and I... are we the architects of this chaos? Because there's an argument to be made that we're the ones who have complained, and I use the term "complained" deliberately, about levels of complexity associated with cybersecurity, et cetera, to the point that we've made it seem like magic. So are we at least in part to blame for this? And if we are, is it a bigger part than we're willing to admit?
A
Yeah, I would say yes. I think that's the hard truth. It is, yes. I don't think it's hard truths here.
B
That's good.
A
I don't think it's solely on cybersecurity professionals. I do think there is more to it than that, but I think there is culpability there, I would say. To what degree? I think the fault lies in part with the myth that we can stop all breaches, and this "I'm going to be the best ever and breaches are never going to happen," and this illusion that was prescribed, and that I think businesses adopted, and people just said, oh, you know, if that breach is never going to happen, I don't need to worry about it. Like the illusion of safety.
B
And when we failed in that, we went straight to the alternative to say, well, if I can't stop everything, then why the hell am I worrying about it?
A
Exactly. And to that point as well, when a breach did happen, the numbers were so astronomically high. Like, when we say a 300-million-person breach, people don't... people are...
B
Like, okay. You can't visualize that.
A
Exactly. And you can't visualize the impacts. So people get sold this tale that it's never going to happen, it's just never going to happen. And then when it does happen, it's, well, what do I do? Like, what am I supposed to do when company X or company Y exposes $10 billion worth of medical records? Like, what? And that is, I think, part of it, and that's both on security professionals and on businesses themselves, because it's not just security professionals saying that; there are businesses who have actively gone out and said that as well. So I think that is a huge degree of culpability. I really enjoy the way you have phrased it, Kim, which is: I can't stop a breach. It's going to happen, but I can make it hard. I can limit the impact, I can limit the scale. That's, I think, the right way to phrase it. And I wish companies would say that more. It doesn't sound good to say, because no one wants to say, what do you mean I could get breached? Right.
B
No one likes the truth.
A
Exactly. I think there's an ignorance, or a plausible deniability, right? But I think it's the reality. And even if it's not the reality we announce to the public all the time, it's a reality that certainly has to be acknowledged at the board level, as well as at the political level, to say, okay, look, healthcare providers are going to get breached, banks are going to get breached. It is going to happen. It's not about never allowing it to happen. It's about how do we recover quickly, how do we minimize how many people are impacted. Because you're right, when these things happen, it is the single mother who's living paycheck to paycheck and can barely afford groceries who is impacted. It's not the guy who's getting $500 million as a yearly bonus who is really going to feel this at all. Exactly.
B
At all. So given this brave new world regarding the outlook from the regulatory standpoint at the federal level, last question to you. What's one thing my peers and I can or should be doing differently, or should be looking at differently, given this environment?
A
Yeah. So, you know, with this changing world, new administration, from a policy perspective, I think it's first really important to understand what is going away. You can't understand the change if you don't know what is changing. It's not enough just to know, okay, cuts are happening. What cuts? What did those cuts impact? What skills and resources? Right. If you can understand the downs, not saying they're necessarily bad, I'm trying to stay as neutral as I can, but if cuts happen, what resources are now going away, and how is that going to impact your business? And maybe it's not an instant material impact. Maybe it's not like, oh, I'm losing funding or I'm losing this. But if a breach happens, normally I would rely on this resource, or I could utilize this resource, that is no longer available. So if a breach happens, what is my option? What is my go-to? And I think that's really important.
B
So reflecting back, we talk about the importance of asset inventory. Part of that asset inventory might be looking at processes, external agencies, et cetera, that you have made assumptions about that will be there or that are contributing within the environment, understanding what those are and then doing at least a, you know, a double click down to see where are they now? If not, where are they going to be at the end of the year? Because the assumptions that you make may no longer be accurate.
A
And it's not just going to be federal resources. It could be companies that got grants that no longer can function and operate in the way they used to.
B
The more support that you're getting from universities. And we know what's happening in that arena.
A
Exactly. So I think when you, it's not just about understanding, okay, cuts are happening thing, you got to understand. And you know, I love the line, follow the money. Where is the money coming from? What was that money touching? And not just, oh, it was touching this program, but what did that program go to? And I know that's really cumbersome and you got to go through a lot of legalese and it's exhausting, but going through that and understanding that is going to set you up and your business up and your customers up for four years of better protection that they would not have had if you just went, oh, I hope it works. And I think that's a huge part of this brave new world. And I think the other thing that is really important, and the last thing I'll say is it's not about whether or not you agree with this or the changes that are happening. They are happening. And the impacts that they are going to have, to your point with harvesting data, aren't necessarily going to be felt tomorrow. They're not going to be felt in a month. They may be felt in five to eight years, long after this administration is gone. That doesn't mean that turning a blind eye will absolve you of culpability. And that doesn't mean that the impacts won't trickle down eventually to someone who really will be impacted by this.
B
No, I like that and I love what you said regarding right, wrong, or not liking it or liking it, et cetera. It reminds me of what I used to say to my son when he was growing up. It's like, look, son, it's not good, bad, right or wrong. It is. Yep, and as you rail against it, you have to figure out how to survive it.
A
Exactly.
B
To do that you have to understand it. So that makes good sense to me and we will leave it at that. Always good. Ethan, I appreciate you coming on board and I think you gotta plan to do this a couple other times during the season.
A
I'm looking forward to it.
B
And that's a wrap for this episode of CISO Perspectives. I hope today's conversation gave you new insights and practical takeaways to navigate the ever evolving world of cybersecurity. Leadership, strategy and shared knowledge are key to staying ahead and we're glad to have you on this journey with us. To access the full season of the show and get exclusive content, head over to thecyberwire.com pro. As a member of N2K Pro, you'll enjoy ad free podcasts, access to resource filled blog posts, diving deeper into the CISO Perspectives research, and a wealth of additional content designed to keep you informed and at the front of cybersecurity development. Visit TheCyberWire.com PRO to get the full experience and stay ahead in the fast paced world of cybersecurity. We'd absolutely love to hear your thoughts. Your feedback helps us bring you the insights that matter most. If you enjoyed the show, please take a moment to leave a rating and review in your podcast app. This episode was edited by Ethan Cook with content strategy provided by Mayan Plout, produced by Liz Stokes, executive produced by Jennifer Ivan and mixing, sound design and original music by Elliot Peltzman. I'm Kim Jones and thank you for listening.
C
And now a word from our sponsor. The Johns Hopkins University Information Security Institute is seeking qualified applicants for its innovative Master of Science in Security Informatics degree program. Study alongside world class interdisciplinary experts and gain unparalleled educational research and professional experience in information security and assurance. Interested U.S. citizens should consider the Department of Defense's Cyber Service Academy program, which covers tuition, textbooks and a laptop, as well as providing a $34,000 additional annual stipend. Apply for the fall 2026 semester and for this scholarship by February 28th. Learn more at CS JHU.
Episode: Regulation Takeaways with Ethan Cook (October 21, 2025)
Host: Kim Jones (B), N2K Networks
Guest: Ethan Cook (A), N2K’s Lead Analyst and Editor
This special open episode of CISO Perspectives features a candid discussion between host Kim Jones and lead analyst Ethan Cook, reflecting on key regulatory themes in cybersecurity and analyzing broader policy trends at both federal and state levels. Drawing from recent federal cuts, the challenge of finding a regulatory "middle path," and the evolving relationship between industry, government, and public, they explore the impact of regulation (both too much and too little), data privacy, industry incentives, innovation, and the human realities behind cyber risks. The episode is rich with pragmatic insights for CISOs seeking to understand and adapt to the shifting cyber regulatory and threat landscape.
Initial Framing: Kim and Ethan reflect on previous discussions with Ben (of the "Caveat" podcast), noting the cautious tone experts often use when critiquing current cybersecurity policy.
Regulatory Cuts and Industry Impact:
Regulation: Not a Silver Bullet
Kim offers skepticism regarding heavy-handed regulation, emphasizing the pitfalls of both extremes (03:55):
“I am not a believer that regulation solves everything. I just don't believe you can regulate yourself into a place of total solutioning.”
However, Kim also warns against laissez-faire approaches, referencing Churchill:
“Both extremes are bad... rather than swinging the pendulum back towards the center, it feels like we've gone from one extreme to the other.”
US Cultural Attitude Toward Data Exposure
“We have this mindset… my information is already out there, so why bother?... I think we often frame that conversation regarding businesses and how businesses handle our data.”
Shaping Consumer Apathy
“I can either devalue the data or convince you that this level of exposure is normal and that the benefits outweigh the potential risk.”
Education Gap:
“I don't need someone to understand how encryption works... I need them to understand the potential negative implications of not using them.” (09:00)
Industry Incentive Structure:
AI Regulation as a Mirror for Privacy
"Because there is no accountability ... it just opens this door." (13:05)
Comparing US and EU Models:
“That's just more data, more processing... what we get back in return is worth far more than that.” (19:05)
“The potential energy harm that exists… can be fairly huge to someone who's living on the margins.”
The Forgotten Individual
Capacity at the State Level
“People get sold this tale that [breaches aren’t going to happen]. And then when it does happen, it’s a, well, what do I do?”
“No one likes the truth... It's not about never allowing [a breach] to happen. It's about how do we recover quickly, how do we minimize how many people are impacted.” (34:22)
Adapting to a Changing Landscape
“With this changing world, new administration… it’s first really important to understand what is going away. You can’t understand the change if you don’t know what is changing.”
Asset Inventory Includes External Supports:
Follow the Money:
“Follow the money. Where is the money coming from? What was that money touching?” (37:27)
Prepare for Delayed Impact:
“They may be felt in five to eight years, long after this administration is gone. That doesn't mean that turning a blind eye will absolve you of culpability.”
Realism Over Idealism:
“It's not good, bad, right or wrong. It is. And as you rail against it, you have to figure out how to survive it.”
Ethan Cook on US Privacy Mindset:
05:39 — “My information is already out there, so why bother?... it's frustrating... people simply just don't know. They don't understand the implications of this.”
Kim Jones on the Limitations of Regulation:
03:55 — “I am not a believer that regulation solves everything... there is such a thing as too much regulation out there.”
AI and the Wild West:
13:05 — "Because there is no accountability, because there are no regulations, it just opens this door."
On GDPR's Effectiveness and Innovation:
14:54 — “From a security perspective, from a privacy perspective, [GDPR is] the gold standard at the moment... but across the board, it's not perfect.”
On the Motivation Behind Support for Youth Online Safety Laws:
19:05 — “That's just more data, more processing data is being processed faster than ever... they've made the bet that what we get back is worth far more.”
Kim Jones on the Cyclical Harm of Data Exposure:
25:57 — “There may not be kinetic harm right now, but the potential energy harm... can be fairly huge to someone who's living on the margins.”
Ethan Cook on Industry Responsibility:
33:06 — “People get sold this tale that it's never going to happen... The myth that we can stop all breaches... businesses adopted and people just said, 'Oh, you know, if that breach is never going to happen, I don't need to worry about it.'”
On Adapting to Regulatory Change:
38:43 — “It’s not about whether or not you agree with the changes that are happening. They are happening... the impacts… may be felt in five to eight years, long after this administration is gone.”
| Timestamp   | Segment                                              |
|-------------|------------------------------------------------------|
| 02:29-03:55 | Regulation balance; influence of federal cuts        |
| 05:39-11:37 | US privacy attitudes; industry incentives            |
| 11:53-16:43 | Laissez-faire regulation; AI and privacy             |
| 18:00-19:50 | Big Tech and child online safety law implications    |
| 22:10-24:19 | Role of federal government: guidance vs. mandates    |
| 25:57-29:14 | Human impact and state-level gaps                    |
| 32:06-34:22 | Security industry's role in messaging/fatalism       |
| 35:35-38:43 | CISO strategies for adapting to policy changes       |
This episode is a must-listen for leaders seeking to shift from compliance reactiveness to informed proactivity in a world of uncertain, evolving cybersecurity regulation and real human stakes.