CyberWire Daily — CISO Perspectives

Episode: Regulation Takeaways with Ethan Cook (October 21, 2025)
Host: Kim Jones (B), N2K Networks
Guest: Ethan Cook (A), N2K’s Lead Analyst and Editor

Episode Overview

This special open episode of CISO Perspectives features a candid discussion between host Kim Jones and lead analyst Ethan Cook, reflecting on key regulatory themes in cybersecurity and analyzing broader policy trends at both federal and state levels. Drawing from recent federal cuts, the challenge of finding a regulatory "middle path," and the evolving relationship between industry, government, and public, they explore the impact of regulation (both too much and too little), data privacy, industry incentives, innovation, and the human realities behind cyber risks. The episode is rich with pragmatic insights for CISOs seeking to understand and adapt to the shifting cyber regulatory and threat landscape.

Key Discussion Points & Insights

1. The Challenge of Regulatory Balance

• Initial Framing: Kim and Ethan reflect on previous discussions with Ben (of the "Caveat" podcast), noting the cautious tone experts often use when critiquing current cybersecurity policy.

  • Notable quote (Ethan Cook, 02:29):
    “Ben on that show always makes jokes at his own expense… I could tell he was holding back on some of the criticisms he was levying rather than being as blunt.”

• Regulatory Cuts and Industry Impact:

  • The recent downsizing of federal cyber bodies, including the Cyber Safety Review Board, is seen as having "dramatic impacts" (02:52) not only in cyber but in adjacent industries, shifting the burden of protection to organizations themselves.

• Regulation: Not a Silver Bullet

  • Kim offers skepticism regarding heavy-handed regulation, emphasizing the pitfalls of both extremes (03:55):

    “I am not a believer that regulation solves everything. I just don't believe you can regulate yourself into a place of total solutioning.”

  • However, Kim also warns against laissez-faire approaches, referencing Churchill:

    “Both extremes are bad... rather than swinging the pendulum back towards the center, it feels like we've gone from one extreme to the other.”

2. Data Privacy, Consumer Mindset, and Industry Incentives

• US Cultural Attitude Toward Data Exposure

  • Ethan observes that many Americans are resigned about their personal data being out there, a mindset that is exploited or reinforced by the business community (05:39):

    “We have this mindset… my information is already out there, so why bother?... I think we often frame that conversation regarding businesses and how businesses handle our data.”

• Shaping Consumer Apathy

  • Kim raises a provocative question: Has business deliberately fostered this resignation for profit? (06:31)

    “I can either devalue the data or convince you that this level of exposure is normal and that the benefits outweigh the potential risk.”

• Education Gap:

  • Ethan points out the technical illiteracy among the public and how this aids exploitation. Even basic concepts like VPNs or encryption are misunderstood (07:37).
  • Kim adds that while the public doesn't need deep technical knowledge, they must grasp the risks:

    “I don't need someone to understand how encryption works... I need them to understand the potential negative implications of not using them.” (09:00)

• Industry Incentive Structure:

  • There’s little incentive for data-centric companies to support robust privacy regulations, given the financial stakes (10:00–11:37).

3. Laissez-Faire Regulation: AI and Privacy Parallels

• AI Regulation as a Mirror for Privacy

  • Ethan discusses the "wild west" nature of AI regulation—federally, there is little, despite recognition from industry leaders that government oversight is needed (11:53–13:16).

    "Because there is no accountability ... it just opens this door." (13:05)

• Comparing US and EU Models:

  • The GDPR is acknowledged as the current “gold standard” for privacy, with plenty of flaws but offering real consumer protections absent in the US.
  • Kim asks whether GDPR-style regulations in Europe have stifled innovation; Ethan notes regulatory attitudes are shifting even in Europe to balance risk and economic growth (14:54–16:43).

4. Big Tech, Data, and Regulation

• Corporate Adaptation to New Regulations
  • Despite claims of restriction, big US tech has thrived under the current regulatory environment (16:43–17:10).
  • The seemingly welcoming stance of firms like Meta and Snapchat towards age verification laws may be driven by opportunities to collect even more personal data (18:00–19:05):

    “That's just more data, more processing... what we get back in return is worth far more than that.” (19:05)

5. Appropriate Role of Federal Regulation in Cybersecurity

• Guidance Over Mandates
  • Ethan argues federal government’s role should be “to provide guidance, instruct and support,” rather than impose rigid mandates that may not fit all organizations’ capabilities or needs (22:10–23:13).
  • Mandates are justified when there is “tangible human cost,” scaled appropriately (23:39).
  • Kim counters that “potential energy” harms—like data harvested now being exploited years later—are real, especially for vulnerable populations (25:57–28:06):

    “The potential energy harm that exists… can be fairly huge to someone who's living on the margins.”

6. Human Impact and State-Federal Friction

• The Forgotten Individual

  • Ethan and Kim lament how actual human impacts—especially on lower-income, rural, or otherwise marginalized individuals—are often overlooked amid the scale of breaches and abstract policy debates (28:06–29:14).

• Capacity at the State Level

  • Many states lack the funding or technical talent to fill gaps created by federal cuts, highlighting the need for continued federal support (29:14–30:25).

7. Responsibility of the Cybersecurity Profession

• Cultural Mythmaking
  • Kim asks if the complexity and “magic” of cybersecurity have been exaggerated by the community itself, alienating laypeople and fostering fatalism (31:30–32:13).
  • Ethan admits to industry culpability in mythologizing perfect security, which set the public up for disappointment and resignation when breaches inevitably occur (32:58–33:19):

    “People get sold this tale that [breaches aren’t going to happen]. And then when it does happen, it’s a, well, what do I do?”

  • Kim:

    “No one likes the truth... It's not about never allowing [a breach] to happen. It's about how do we recover quickly, how do we minimize how many people are impacted.” (34:22)

8. Strategic Takeaways for CISOs

• Adapting to a Changing Landscape

  • Key advice from Ethan (35:35):

    “With this changing world, new administration… it’s first really important to understand what is going away. You can’t understand the change if you don’t know what is changing.”

• Asset Inventory Includes External Supports:

  • Kim suggests looking not just at IT assets but also at dependencies on outside resources—companies, government programs, universities—that may be affected by regulatory or funding changes (36:36–37:27).

• Follow the Money:

  • Ethan:

    “Follow the money. Where is the money coming from? What was that money touching?” (37:27)

• Prepare for Delayed Impact:

  • The knock-on effects of today’s policy choices may not manifest until years after those responsible have left office (37:27–38:43):

    “They may be felt in five to eight years, long after this administration is gone. That doesn't mean that turning a blind eye will absolve you of culpability.”

• Realism Over Idealism:

  • Kim underscores the importance of adapting to reality, regardless of personal opinions on regulatory policy (38:43):

    “It's not good, bad, right or wrong. It is. And as you rail against it, you have to figure out how to survive it.”

Notable Quotes & Memorable Moments

• Ethan Cook on US Privacy Mindset:
  05:39 — “My information is already out there, so why bother?... it's frustrating... people simply just don't know. They don't understand the implications of this.”

• Kim Jones on the Limitations of Regulation:
  03:55 — “I am not a believer that regulation solves everything... there is such a thing as too much regulation out there.”

• AI and the Wild West:
  13:05 — "Because there is no accountability, because there are no regulations, it just opens this door."

• On GDPR's Effectiveness and Innovation:
  14:54 — “From a security perspective, from a privacy perspective, [GDPR is] the gold standard at the moment... but across the board, it's not perfect.”

• On the Motivation Behind Support for Youth Online Safety Laws:
  19:05 — “That's just more data, more processing data is being processed faster than ever... they've made the bet that what we get back is worth far more.”

• Kim Jones on the Cyclical Harm of Data Exposure:
  25:57 — “There may not be kinetic harm right now, but the potential energy harm... can be fairly huge to someone who's living on the margins.”

• Ethan Cook on Industry Responsibility:
  33:06 — “People get sold this tale that it's never going to happen... The myth that we can stop all breaches... businesses adopted and people just said, 'Oh, you know, if that breach is never going to happen, I don't need to worry about it.'”

• On Adapting to Regulatory Change:
  38:43 — “It’s not about whether or not you agree with the changes that are happening. They are happening... the impacts… may be felt in five to eight years, long after this administration is gone.”

Key Timestamps for Important Segments

| Timestamp | Segment | |------------|-----------------------------------------------------| | 02:29-03:55| Regulation balance; influence of federal cuts | | 05:39-11:37| US privacy attitudes; industry incentives | | 11:53-16:43| Laissez-faire regulation; AI and privacy | | 18:00-19:50| Big Tech and child online safety law implications | | 22:10-24:19| Role of federal government—guidance vs. mandates | | 25:57-29:14| Human impact and state-level gaps | | 32:06-34:22| Security industry’s role in messaging/fatalism | | 35:35-38:43| CISO strategies for adapting to policy changes |

Takeaways for CISOs and Cybersecurity Leaders

• Stay Informed and Update Assumptions:
  Patch your understanding of external supports and dependencies; regulatory and budgetary environments change, and resources you rely on may vanish.
• Follow the Money:
  Regulatory cuts ripple out—track not just stated policies, but the funding structures and what those reductions ultimately touch.
• Prepare for Delayed Consequences:
  Harms from today’s policy choices may lie dormant for years but will eventually impact real people, often the most vulnerable.
• Be Honest with Your Organizations:
  Move from the false promise of “zero breaches” to a candid focus on resilience, response, and minimizing human harm.
• Advocate for Pragmatic Regulatory Guidance:
  Encourage policies that support, instruct, and enable organizations, rather than rigid, "one size fits all" mandates—except where clear, tangible human harm is at stake.
• Re-frame Security Education:
  Shift from technical rabbit holes to practical, consequence-based education for users and decision-makers.

This episode is a must-listen for leaders seeking to shift from compliance reactiveness to informed proactivity in a world of uncertain, evolving cybersecurity regulation and real human stakes.