Christy Westfall
You're listening to the CyberWire Network, powered by N2K.
Kim Jones
This exclusive N2K Pro subscriber-only episode of CISO Perspectives has been unlocked for all CyberWire listeners through the generous support of Meter, building full-stack zero trust networks from the ground up. Trusted by security and network leaders everywhere, Meter delivers fast, secure-by-design and scalable connectivity without the frustration, friction, complexity and cost of managing an endless proliferation of vendors and tools. Meter gives your enterprise a complete networking stack, secure wired, wireless and cellular in one integrated solution built for performance, resilience and scale. Go to meter.com/cisop today to learn more and book your demo. That's M-E-T-E-R.com/cisop.
Which of the following situations is a violation of privacy? 1. A national retailer utilizes purchases you make with them to send you advertisements about products you might enjoy or need. 2. A reputable search engine utilizes data about you from previous searches and other products to better tailor its content to your needs. Or 3. A government entity utilizes data in the public domain to hone in on potential criminals. If you answered anything but "it depends" on this quiz, you haven't been following the nuances of the privacy debate. Let's get a little deeper into each of these examples for just a moment. In 2012, Target came under media scrutiny for utilizing data analytics to predict which of its shoppers might be pregnant. The retailer then began sending coupons to those shoppers for things like baby clothes, strollers, et cetera. The story made news when one Minnesota father noticed that his teenage daughter was receiving these materials. The irate father marched into a local Target demanding to see a manager, and accused the retailer of attempting to encourage his daughter to get pregnant, only to find out from his daughter that she was indeed already pregnant. Target's analytics had identified her pregnancy before her own father knew.
In 2024, Amazon celebrated its 30th birthday. One of the features this massive online retailer is known for is utilizing knowledge of your shopping habits to send you advertisements about products and services which you might enjoy. Amazon continues pushing the envelope around this concept and has taken out a patent on what it's describing as anticipatory shipping, utilizing the data it already has about you. The mega retailer intends to just start sending you items which it believes you want before you purchase them, arguing that the success rate of its algorithms is such that the number of returns would not exceed the benefits reaped by this level of customer service. About a decade ago, people started noticing that their search engines, in particular Google, were displaying different sets of results for the same question. Upon further exploration, people discovered, or rather realized, that most search engines utilize data from your location and your browser history to better customize answers for you. Providing such customization makes it easier to retrieve more meaningful results for the consumer with shortened search time. It also makes it easier to tailor advertisements to the consumer that he or she might be interested in. The downside, of course, is that it may also be masking important yet contradictory information that is relevant to the individual search, thus reinforcing research bias. Note: you can turn off customization, as Google refers to it, but it's difficult to find out how on their support site. In June 2013, Edward Snowden exposed the NSA's domestic cellular collection program. The general public was outraged that the government would utilize cellular metadata such as location information to spy on its citizens. However, these same citizens exhibited no qualms about carrying a device that regularly broadcasts location; it was the use of that location data by other governmental entities and agencies.
The examples above are illustrative of the complexity around privacy. Gone are the days we could simply state that X data is private. Indeed, we are moving more to an environment of situational privacy, where the data itself isn't as much of an issue as how the data is used. Consumers freely and openly volunteer exabytes of data daily for seemingly innocuous transactions. Yet they are regularly shocked and angered as this data is combined with other seemingly innocuous and freely given pieces of data to provide predictive intelligence to marketers, corporations, and yes, government entities. Remembering that privacy itself is impossible without appropriate security controls, the situational nature of data mining and appropriate data usage makes the protection equation daunting. Do we wrap a cocoon of Pentagon-level protection around the data lake even though 99% of the data within it is considered publicly available? Do we inject ourselves into the data analytics process and become part of the arbitration question regarding whether we should use the data in a certain fashion? Can we monitor and limit or restrict data combinations, similar to the way in which systems can monitor for separation-of-duties access control issues? Let's take it a step further, remembering that corporate data analytics seeks to, among other things, improve the sales cycle and make marketing campaigns more efficient. Imagine the implications if the bad guys choose to take such an approach. Consider: your systems are penetrated and your data is stolen, but none of the data is regulated by current privacy law or regulation. Six months later, the bad guys run data analytics against the acquired data and determine the best targets for fraud or scam. You protected the data within your borders reasonably and can show a tiered approach to your controls, and those controls were appropriate for your environment. You even prevented the breach from reaching the most sensitive data stores.
Yet data stolen from you was used to target your customers in the same manner that your marketing and sales team targets prospects. Imagine the liability issues that will circulate through the courts as organizations recognize the value of the data they hold. It is important that we as security professionals remind people of the larger risk and privacy landscapes out there. We cannot rely solely on the legal and regulatory framework to guide us, as the potential brand risks go beyond what the hodgepodge of privacy regulations currently addresses. As we continue to enable our businesses, we must ensure that the aforementioned questions, and dozens more, are acknowledged and addressed by our business leaders. My two cents. Welcome back to CISO Perspectives. I'm Kim Jones, and I'm thrilled that you are here for this season's journey. Throughout this season we will be exploring some of the most pressing problems facing our industry and discussing with experts how we can better address them. Today we explore how data privacy is impacting cyber efforts. Christy Westfall is one of the finest security operators that I know. Her knowledge of the technology combined with her understanding of the regulatory landscape make her a force to be reckoned with in the world of cyber. I had a chance to sit down with Christy to discuss one of her passion areas, privacy and its impact on security organizations. Christy, thank you for making the time, and welcome.
Christy Westfall
Thank you. It is a pleasure to be here. Always like chatting with you.
Kim Jones
Likewise. Likewise. So a quick note that the opinions expressed by Christy in this segment are personal and should not be interpreted as representing the opinions of any organization that Christy has worked for, past or present. So you and I have known each other for longer than either of us care to admit, but my audience might not. So how about spending some time telling them who Christy Westfall is?
Christy Westfall
So, Christy Westfall, a Global Security Director at Spirent Communications right now. I got into security as many of us do these days, in a weird way. I was actually a finance major out of college, then stumbled into IT and then stumbled again into security. And that was so long ago I don't count anymore. And then I've just been doing a variety of roles. I've done pretty much everything from being an engineer to an analyst to being an IT admin and everything in between, written policies. And then finally at one point I said, you know what? We need good security leaders. And so I decided that was going to be my focus, and I have been doing that ever since. So it's always a privilege to lead a team. And I try my best to be a good leader every day.
Kim Jones
And you succeed. And I have personal experience with that as well. And you've sat the big chair more than once, if I remember correctly.
Christy Westfall
I have. I realize it's been about 20 years since I've been in the chair. I was one of the early CISOs, and so it's changed quite a bit since then, but it's been a fun road.
Kim Jones
Well, fun. You know, define your terms, but I think we all say that we just keep coming back to play.
Christy Westfall
Yeah, that's. That's true. I am dedicated.
Kim Jones
So those changes are part of the reason that I wanted to talk with you, because somewhere within your. Your storied history, you went and got a master's, if I remember correctly, in legal studies.
Christy Westfall
I did. It's funny. So about 10 years ago, I decided I needed to go back and study some legal stuff, so I got a master's in legal studies at ASU, Arizona State. And the reason I went into that was, honestly, I've been reading so many contracts as a part of my role in security. I wanted to make sure that I wasn't missing anything. So that was my goal. I ended up hating contracts. It was the worst class I took. But then I got an opportunity to do an independent study, and so I was like, all right, well, what am I going to study? And I thought, you know, privacy and security intersect all the time in weird ways. And one of the most interesting ways that they do intersect is through the use of encryption. And, boy, once I started peeling back the layers of that, that became a really interesting topic, and that became my independent study paper.
Kim Jones
As someone who actually read your dissertation, we're going to spend a lot.
Christy Westfall
You survived. I'm really impressed.
Kim Jones
No, no, no. Not only did I survive, I volunteered and asked you for it. So I really want to spend a lot of time talking about that intersect between privacy and security. And I want to go back and get to very basic brass tacks, walk through some of the things that you saw when you were writing the dissertation, some of the things you see now within the environment, and then maybe deep dive into that privacy and encryption intersect that you saw and wrote about some years ago. So I'm going to take it back to basics, and let's start with the basic question. How would you define the term privacy?
Christy Westfall
It's protecting data that you don't want others to know. And I think that's the key, because that can be different for everyone. Right. So therein lies the challenge.
Kim Jones
That would be an understatement. Yeah. So if I look at it from protecting data, as you said, that you don't want others to know, how has that evolved or changed? Let's just talk about the decade or so since you first deep dove into this topic. Talk to me.
Christy Westfall
Well, so that's the really fascinating part. So up till my paper was published in 2016, there was a lot of activity, right. We had the Wassenaar agreement, which was in the 90s, and that essentially started the whole protection of exporting encryption. There was the Clinton administration wanting to centralize management of encryption keys.
Kim Jones
So there was just the Clipper chip.
Christy Westfall
Yes, the Clipper chip, absolutely. There was just all kinds of crazy things going on at that time. And so then I went and I looked back over the last decade, and I said, well, what's changed? I haven't necessarily kept my thumb on it. And when I did some research, I'm like, wow, not much has changed. We were trying to pass a federal privacy law back then. Still haven't done that. We've actually kind of made it more difficult to protect privacy by enacting things like the CLOUD Act of 2018.
Kim Jones
Talk to me about that for those who may not be as familiar with the CLOUD Act as you and I are.
Christy Westfall
Well, and I just recently educated myself on this as well. So in 2018, the Clarifying Lawful Overseas Use of Data Act was passed. And this made it easier, when there were agreements between different countries, that we could basically request access to encrypted data stored abroad. Right. At a base level. So if we engaged in this type of agreement with other countries, which we have with Australia and the UK, basically, they can request us to compel any sort of data that resides in their country to be handed over to them. And there are lots of problems with that, and we're already seeing it manifest. The UK has asked Apple to put a backdoor in their operating system and, gee, that's not a problem. If you could see my face, you'd know how puzzled I am that this is going on. That is still being acted out in the courts. Now Apple seems to maybe have a foot up, but we still don't know how that's going to work out. The interesting thing about that case is that we went into, I believe, a five-year agreement with Apple, and it was silently renewed in 2024. And so it's still going to be around for a while, and they can still demand this access unless we take any action to amend the regulation. So it's interesting. Australia hasn't really seemingly acted on this yet, but the UK is all about surveillance, and so they're going to see what they can do.
Kim Jones
Keep this at an enterprise level first before we go down to individuals. And I love where you started talking about the encryption and some of the legislation that exists around that. You know, the average user believes that encryption is a panacea, and many of our regulatory frameworks, at least here in the U.S., you know, give you an alibi or a bye when encryption comes into play. You have all sorts of requirements that exist here. If your data is lost or stolen or compromised, except of course if it's encrypted, then you're okay. HIPAA comes to mind, if I remember correctly; my memory may not be. I will yield to you if I'm incorrect here. And a lot of the state breach notification laws tend to impose heavier requirements and burdens on organizations, unless of course the data that was stolen is encrypted. Then of course, you know, you're okay. But when you think about things like the CLOUD Act and some of the other things going on, I guess my question is, are we all living under that false sense of security? Because in reality there are enough loopholes, and we haven't even begun to talk about quantum. There are enough loopholes, et cetera, that exist when dealing with encryption. I would welcome your opinion on this.
Christy Westfall
So there have been a couple of cases where we've seen that, yes, the data was encrypted, but the government went after it anyway. Probably the clearest one that came about, this was in 2016, the San Bernardino terrorist. One of the.
Kim Jones
Yes, I used that one in class. Please.
Christy Westfall
They were trying to get Apple at that time to turn over the data on one of the shooters' phones, and Apple said, nope, not doing it. And what did the FBI do? They went off and found a tool to do it on their own. So you can encrypt your data, but there are other ways around it, trying to find that key. And I'll give a recent example. And this has nothing to do with legal cases. In fact, in one of my classes in the last couple of weeks, I gave my students a computer image to do forensics on, and it's got a hidden partition in it that's encrypted. And I said, what is this? That was one of my basic questions. And can you see what's on it? Well, one of my students literally didn't have the key, but spent the time doing research on what he could find on the rest of the drive that wasn't encrypted and figured out the password and was able to decrypt it.
Kim Jones
Wow.
Christy Westfall
Nobody's done that before. So not only was I impressed, but I was also terrified at how good he is at this. But anyway, so you can see there's. You don't have to go legally; there are fine lines to be able to get that password.
Kim Jones
So there was an A and extra credit. There was an A and extra credit. He probably passed. So now let's think about this as a CISO. You know, you're sitting in the chair now. What does this situation mean for you and your peers sitting in the chair? As we think about data privacy, as we think about customer expectation, as we think about entangling regulation in different states as well as different nations. I believe your company is an international company, so you've got multiple nations to deal with as well. So what does this mean for the person who, congratulations, you are now the CSO? Your first time in the chair, and you realize that your previous boss wasn't an idiot in terms of what's going on, because now all these problems are yours. What are these problems as we talk about privacy?
Christy Westfall
Oh, my gosh, you have no idea. So, number one, that's why we're here. Number one, become friends with your legal counsel, whether they're internal or external, because part of their job, sadly, is to try and keep up with this stuff. Number two, you yourself need to keep up with it too, because you're going to probably be put in a situation at some point where you don't want to step on that landmine. Right. So there are ways to keep up with this that don't make you tear your hair out, which is good, but you have to kind of understand how to navigate that. The thing that I would do, if you're new to the chair, and you're just getting used to this in your organization, I would start diving into your contracts, because I have seen this come across where there are data privacy requirements that say you will cooperate in an investigation, but you will only cooperate with us. You won't cooperate directly with law enforcement.
Kim Jones
Wow.
Christy Westfall
Yeah, that's a problem. Specific and bold, and it's pretty interesting. So knowing those requirements and knowing which customers exactly do require that, instead of, you don't want to turn something over in cooperating with law enforcement and then find out you just violated a customer agreement as well. So it's very challenging. And then we haven't even gotten to the state privacy laws that you have to try and navigate and understand. Like if you have a data breach, what are the reporting requirements? How are you going to report those? Are they different? Yes, they are, per state, and which ones require which ones. You can set up your basic framework around the most restrictive ones like CCPA, but you have to be able to respond appropriately to each state when that happens.
Sponsor/Announcer
At Thales, they know cyber security can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales' industry-leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest ROI. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most: applications, data and identity. That's Thales, T-H-A-L-E-S. Learn more at thalesgroup.com/cyber. And now a word from our sponsor, ThreatLocker, the powerful Zero Trust Enterprise solution that stops ransomware in its tracks. Allowlisting is a deny-by-default software that makes application control simple and fast. Ring Fencing is an application containment strategy ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world-class endpoint protection from ThreatLocker.
Kim Jones
Let me ask a couple of questions. You talked about contracts and you talked about cooperating with legal, all of which are great things, obviously. So let's start with legal. Way back when dinosaurs roamed the earth and I had taken my first chair, I sat down and said to my general counsel, well, okay, I understand we have database administrators in the UK and I know we have UK data, so what are we doing about the EU Privacy Directive and Safe Harbor? And my general counsel looked at me and said, what the hell are you talking about? What is that? So I'm curious, are you getting the sense of that? I mean, again, this was decades ago, that lack of knowledge. Has that gap been closed? And is there a level of focus and understanding by our legal brethren regarding the importance of these issues?
Christy Westfall
I think that's really changed. I would agree with you. Back then it was kind of a deer-in-the-headlights response. But I know my current legal counsel is really, she's an expert on this kind of topic. And it's because of the compliance aspect. You have to, for example, GDPR, you can't just ignore that being a global company. China's PIPL, the Personal Information Protection Law, if you do business in China, you have to be compliant with that as well. So you can't just pretend these things don't happen anymore. And again, you need to be prepared for that data breach, because trying to untangle that during the chaos of an incident, or just shortly thereafter, is not a good look.
Kim Jones
Yeah, I feel you. Yeah. So let's talk about, you know, you're a sizable international organization. What do we do about that small shop that all of a sudden finds out that it has customers, or is servicing customers, or gets one or two customers from the UK in its small business and is now subject to GDPR, or is subject to, I'm a small mom and pop, I operate in four states in New England, but all of a sudden I have an online presence and I'm shipping product to California. Now all of a sudden I'm potentially subject to CCPA. The possibility of getting blindsided by regulatory compliance in this heavily connected world, for companies who don't have our resources or our experience, is huge. So how do you prepare for that? How do you understand that? How do you make yourself ready for that if you haven't been there, done that, got the T-shirt, the coffee mug, like you and me?
Christy Westfall
That is a great question. And I think it's not only a privacy issue, it's a security issue, honestly, because it's the same problem: how do we ensure that our small businesses that are vital to our economy are protected properly and not stepping on a landmine without knowing it? My recommendation, if you're a small business, you probably don't have a full-time legal counsel, but you've got somebody. Ask them and just start that conversation. This might be an opportunity for a vCISO or a fractional CISO to help advise. Like, what are the best base things you can do to make sure that you're protected on both fronts?
Kim Jones
Fantastic. So let's segue back into contracts. I know this has only ever happened to me, where the sales team all of a sudden has an opportunity to land a whale of a customer and agrees to anything that all of a sudden skirts by the legal review. And all of a sudden now you have requirements for either security or privacy, à la "you can only cooperate with us during an investigation." Well, that's not going to go over pretty well when the Bureau knocks on your door or you have requirements from states to cooperate. And all of a sudden you're in that exact situation that you have described, where in order to do the job and meet the requirements, you're going to be in breach of contract. How do you avoid that? That's question one, but I'm going to give you the follow-on. You and I have both parachuted into environments to do cleanup on aisle five and have run into, we agreed to what? How do you deal with that on the ground? Let's take those both, if you don't mind.
Christy Westfall
Oh, boy. We should have had a magic wand. The first one. Law enforcement's knocking at your door. You can't just. You have to be in concert with your legal counsel. Again, you need to make sure you understand the requirements and that you understand the risks of complying or not complying. Right. And this is a good tabletop exercise for you and your legal counsel, because you need to make sure that everybody's on board. Like, I review all the contracts before they're signed. And so at least I'm aware of new requirements that come in for both security and data privacy. And so I can have those conversations. If I'm coming in and cleaning up later, then I would say read contracts and make sure you know what's in them. Use AI if you have to, and make sure that you understand those requirements and present those risks back to the business. Because if they are trying to claim ignorance right now, that doesn't fly anymore. You can't just say that, oh, I didn't know that was in there.
Kim Jones
It may be a good reason, but it's still no excuse. You're in trouble.
Christy Westfall
Exactly. Exactly. See, you just need to bring those to the surface and come up with a plan of attack.
Kim Jones
Do you recommend standard security contract language?
Christy Westfall
I think it helps the security team.
Sponsor/Announcer
Right.
Christy Westfall
Because at least we know what we're requiring of our third parties. I wish everybody had the same standards, because they're all so different. And even if we all are trying to adhere to the ISO standard, they've modified it some specific weird way that they require for their company that you have to make sure you adhere to if it applies. So I like standard contract clauses, but they never stay standard.
Kim Jones
So, you know, one of the things I used to do is I did draft the standard security contract clause for my company. And the argument was, if they won't sign our language as is, then I have to review the contract, and if they want to modify our language, then I have to approve the modification. And in a lot of cases, that eliminated enough of the surprise factor that was out there. And it encouraged the sales team to say, look, if you can arm-twist people to sign our existing language, this will go a lot faster for you. But if you really, honestly and truly want to agree to what's going on, then I have to actually read the contract and figure out what's going on. And speaking of that, do you do all the contract reads yourself? Yes, always.
Christy Westfall
Yes.
Kim Jones
So I have as well. I guess the question is how do you scale that within a large organization?
Christy Westfall
Yeah, you need to, I think to your point, standard contract language or standard contract clauses. At least we know what we're committing to, and then get the red pen out, right, and just start, you know, working through it. These things take time. It's funny, like people think that these contract reviews will go through like that and the vendor will have their sale by the end of the week, tomorrow, because.
Kim Jones
It's the end of the month and.
Christy Westfall
It never works that way. Right. I've seen some contracts go years with back and forth, and I'm not even joking. And so I think it's important to get right. And so, yes, you need help. I mean, if I was in a larger organization, there's no way I could sustain that. But you just have to have kind of those standards. Here's what I'm looking for, here's what I won't commit to. And then just compare that with whatever.
Kim Jones
Gets thrown at you. That speaks to, or seems like, there's also some education that happens there on your part, in terms of educating the sales force and maybe even educating your primary contacts on legal regarding, here's what I won't agree to, here's why I won't agree to it, so that you knock those out. Are you doing that as well?
Christy Westfall
I do when I see weird things. Like, I'm always trying to make sure we don't have to respond to security incidents within 24 hours, because I think no one can actually do that across the board. So I always scratch it out and put 72 hours and try to throw that in there, for example. And so my legal team that I work with, they're like, oh yeah, I know you're not going to like this. And so any communication up front with the team definitely helps, because, you know, the lawyers do all the reading too and read everything you read anyway just to make sure. And so if they know what you don't like or won't agree to, it makes it so much easier for the whole process.
Kim Jones
What are two things we haven't talked about that you would want our audience to know, understand, or hear from you?
Christy Westfall
When I parachute in and I'm trying to clean things up, I forgot my other big thing that we don't do enough of once we know the landscape and all those types of good things. Threat model. Right. You reminded me that I hadn't talked about that. Yes, you can know where all the things are, you can look at your gaps, start threat modeling. You have to have that realization of who might be after you, even if it's, you know, maybe not a direct attack. What if it's just some, you know, opportunistic type of attack? You need to keep those things in mind, because if you don't think like that, then your security program and your data security program are not going to best protect your organization.
Kim Jones
Let me dive there for a little bit. But hold, hold, hold your thought. I want to make sure we talk about the things that you want to talk about. How do we break the mentality that seems to have arisen a decade behind us that says all I need to know is to figure out how the bad guy works?
Christy Westfall
And.
Kim Jones
And nobody gives a crap about anything else to get into cyber, because I've got a lot of folks who will spend a lot of time on this is how the bad guy works, thinks, and breathes. And if you don't plug this hole, then you're an idiot and the organization is stupid, despite the fact that that hole is driving $10 billion worth of revenue through your environment. And when you ask that same person, how do I do this without breaking it? They say, I don't care. And there's still a lot of that going on in, I'm going to put my old hat on, the generation that's behind us. How do we break that model? Because what I'm seeing is lots of threat modeling not applied to the business enterprise and not truly saying, how do I take this and this and come up with a practical solution that doesn't shut me down? How do we do that? Or am I just old and shaking my cane, telling people to get off my lawn, and it's really not like that?
Christy Westfall
Well, I think that's part of why we're still struggling to succeed as an industry. And here's where I get philosophical. We are still building a security culture of no, and we're getting better. I will say that I'm seeing a lot more embedding in the business, talking business risk, but we need to get out of our own heads. We can't just be like, oh, my security program. And I'm gesturing, I'm making a very narrow gesture. I'm just focusing on these things, and we need to fix these vulnerabilities, and we'll be perfect. We cannot operate like that. It doesn't work. We've seen it again and again. We've got to be part of the business, right. And we've got to have a broader impact. And so I think that threat model isn't just, oh, are my security tools going to work? Well, maybe, but let's prioritize that with the impact it's going to have on the overall organization.
Kim Jones
Hear, hear. And I cut you off. So please give us the rest of it.
Christy Westfall
So I think the other thing I do want to just throw in there, and it's a problem that I want to solve, I just don't know how, is, you know, people want to, okay, if I'm concerned about privacy, I want to protect my privacy. How we tell people how to do that is not easy. I mean, you can tell them to stay off social media, but then if I have a Gmail account, Google can access all my email. Right? So the challenge we have in this space is to keep awareness up and find ways to help if you truly want to protect your privacy. Support organizations and tools and services and industry professionals that help do this. So I end with a problem, but I think it's a challenge for our industry to continue working to solve.
Kim Jones
Christy, you and I have known each other, again, for longer than I care to admit, but I will say this repeatedly: you know, you are and remain one of the brightest, most effective cyber professionals that I know. And I really appreciate you taking the time to spend some time with me to help educate our audience. Thank you so much.
Christy Westfall
Thank you for having me. This was a blast.
Kim Jones
And that's a wrap for today's episode. Thanks so much for tuning in and for your support as N2K Pro subscribers. Your continued support enables us to keep making shows like this one, and we couldn't do it without you. If you enjoyed today's conversation and are interested in learning more, please visit the CISO Perspectives page to read our accompanying blog post, which provides you with additional resources and analysis on today's topic. There's a link in the show notes. This episode was edited by Ethan Cook with content strategy provided by Mayon Plout, produced by Liz Stokes, executive produced by Jennifer Ibin and mixing sound design and original music by Elliot Peltzman. I'm Kim Jones. See you next episode.
Sponsor/Announcer
What's your 2 a.m. security worry? Is it "Do I have the right controls in place?" Maybe "Are my vendors secure?" Or the one that really keeps you up at night: "How do I get out from under these old tools and manual processes?" That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence, and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data, and simplifies your security at scale. And it fits right into your workflows, using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently, and finally get back to sleep. Get started at vanta.com/cyber. That's V-A-N-T-A.com/cyber.
Date: October 28, 2025
Host: Kim Jones (N2K Networks)
Guest: Christy Westfall (Global Security Director, Spirent Communications)
This episode explores the complex and evolving relationship between data privacy and cybersecurity, focusing on how privacy concerns and regulations directly impact security leaders and practitioners. Host Kim Jones sits down with Christy Westfall, a seasoned security executive and legal studies expert, to unpack definitions of privacy, legislative changes, privacy-enabling technologies such as encryption, and the operational realities for CISOs (Chief Information Security Officers) in the modern world. The discussion is rich with personal anecdotes, legal insight, and strategic advice for organizations of all sizes.
Timestamp: 00:11–08:51. Privacy dilemmas, situational privacy, real-world examples.
"Gone are the days we could simply state that X data is private. Indeed, we are moving more to an environment of situational privacy where the data itself isn't as much of an issue as how the data is used." (Kim Jones, 07:20)
Timestamp: 09:20–13:39. Defining privacy.
"It's protecting data that you don't want others to know. And I think that's the key, because that can be different for everyone. Right. So therein lies the challenge." (Christy Westfall, 13:25)
Timestamp: 14:02–16:54. Legal landscape, CLOUD Act, encryption law.
"They [the UK] can request us to compel any sort of data that resides in their country to be handed over to them. And that... is still being acted out in the courts. Now Apple seems to maybe have a foot up, but we still don't know how that's going to work out." (Christy Westfall, 15:28)
Timestamp: 16:54–19:35. Encryption fallacies, anecdotal cases.
"You can encrypt your data, but there are other ways around trying to find that key." (Christy Westfall, 18:31)
Timestamp: 19:53–23:45. CISO advice, practical realities.
"I have seen this come across where there's data privacy requirements that say you will cooperate in an investigation, but you will only cooperate with us. You won't cooperate directly with law enforcement." (Christy Westfall, 21:58)
Timestamp: 25:07–26:50. Legal knowledge evolution in security.
Timestamp: 26:50–28:48. Small business regulatory risk and preparedness.
Timestamp: 28:48–35:05. Contract pitfalls, best practices, team education.
Timestamp: 35:13–38:18. Threat modeling, the culture of "no," integrating with the business.
"We are still building a security culture of no, and we're getting better... But we need to get out of our own heads." (Christy Westfall, 37:16)
Timestamp: 38:22–39:51. The continuing fight for privacy; awareness and actionable protection.
| Time | Segment Description |
|-------------|-----------------------------------|
| 00:11–08:51 | Privacy dilemmas, situational privacy, real-world examples |
| 13:25–14:02 | Defining privacy |
| 14:02–16:54 | Legal landscape, CLOUD Act, encryption law |
| 16:54–19:35 | Encryption fallacies, anecdotal cases |
| 19:53–23:45 | CISO advice, practical realities |
| 25:07–26:50 | Legal knowledge evolution in security |
| 26:50–28:48 | Small business regulatory risk and preparedness |
| 28:48–35:05 | Contract pitfalls, best practices, team education |
| 35:13–38:18 | Threat modeling, culture of "no," integrating with the business |
| 38:22–39:51 | The continuing fight for privacy; awareness and actionable protection |
Christy Westfall wraps up with two major themes:
- Security teams are still building a "culture of no." Embedding in the business and talking business risk is improving, but threat modeling has to be prioritized by its impact on the whole organization, not just on whether the security tools work.
- Telling individuals how to actually protect their privacy remains hard (staying off social media does not help when a mail provider can read your email), so the industry's job is to keep awareness up and to support the organizations, tools, services and professionals that make protection practical.
The conversation underscores that privacy and security are deeply interwoven, shaped by legal shifts, cultural attitudes, and business needs. Success requires ongoing education, cross-departmental communication, and pragmatism in the face of emerging threats and complex contracts.
This episode is essential listening for CISOs, privacy officers, legal counsel, and anyone interested in the real-world tensions between advancing technology, regulatory complexity, and the evolving meaning of privacy in the digital age.