CyberWire Daily – The Impact of Data Privacy on Cyber [CISO Perspectives]

Date: October 28, 2025
Host: Kim Jones (N2K Networks)
Guest: Christy Westfall (Global Security Director, Spirent Communications)

Episode Overview

This episode explores the complex and evolving relationship between data privacy and cybersecurity, focusing on how privacy concerns and regulations directly impact security leaders and practitioners. Host Kim Jones sits down with Christy Westfall, a seasoned security executive and legal studies expert, to unpack definitions of privacy, legislative changes, privacy-enabling technologies such as encryption, and the operational realities for CISOs (Chief Information Security Officers) in the modern world. The discussion is rich with personal anecdotes, legal insight, and strategic advice for organizations of all sizes.

Key Discussion Points and Insights

1. The Nuanced Nature of Privacy

Timestamp: 00:11–08:51

• Kim Jones opens with illustrative privacy dilemmas, emphasizing that the correct answer to “what is a privacy violation?” is usually “it depends.”
• Real-world cases discussed, such as Target’s analytics identifying a teenager’s pregnancy and Amazon’s anticipatory shipping patents, illustrate how “situational privacy” is replacing clear-cut definitions of private data.
• Quote:

  "Gone are the days we could simply state that X data is private. Indeed, we are moving more to an environment of situational privacy where the data itself isn't as much of an issue as how the data is used." (Kim Jones, 07:20)

• Privacy expectations are often at odds with how consumers freely share data, fueling confusion and outrage when data is analyzed or misused by third parties.

2. The Interplay of Privacy and Security

Timestamp: 09:20–13:39

• Christy Westfall defines privacy as:

  "Protecting data that you don't want others to know...That can be different for everyone. Right. So therein lies the challenge." (Christy Westfall, 13:25)

• Kim Jones reflects on the subjective, ever-changing landscape, acknowledging the ongoing struggle to balance privacy needs and technological advancements.

3. The Evolving Regulatory Landscape

Timestamp: 14:02–16:54

• Survey of key laws and policy events since the 1990s:
  • Wassenaar Arrangement, U.S. Clipper Chip debate, post-Snowden regulatory discussions.
  • The federal privacy law remains elusive.
  • Cloud Act (2018): Makes it easier for international authorities to access data, even encrypted, stored abroad in certain cases.
• Quote:

  "They [the UK] can request us to compel any sort of data that resides in their country to be handed over to them. And that... is still being acted out in the courts. Now Apple seems to maybe have a foot up, but we still don't know how that's going to work out." (Christy Westfall, 15:28)

4. Encryption—Security Panacea or Mirage?

Timestamp: 16:54–19:35

• Encryption is often treated as a "get out of jail free" card under many state and federal breach notification laws.
• In practice, however, there are significant exceptions and loopholes.
• Case Study: The 2016 San Bernardino terrorist iPhone case—Apple refused to unlock the phone, but the FBI accessed the data anyway using a third-party tool.
• Quote:

  "You can encrypt your data, but there are other ways around trying to find that key." (Christy Westfall, 18:31)

• Encryption isn't infallible; attackers and investigators often succeed via indirect means (social engineering, digital forensics, etc.).

5. CISO Realities: Navigating the Privacy Minefield

Timestamp: 19:53–23:45

• Christy’s advice for new CISOs:
  1. “Become friends with your legal counsel…Part of their job…is to try and keep up with this stuff.”
  2. “Keep up with [the law/regulations] yourself, too.”
  3. Know your contracts—some stipulate you may only cooperate with customers, not law enforcement, in investigations.
• Quote:

  "I have seen this come across where there's data privacy requirements that say you will cooperate in an investigation, but you will only cooperate with us. You won't cooperate directly with law enforcement." (Christy Westfall, 21:58)

6. Legal and Compliance Evolution

Timestamp: 25:07–26:50

• Past gaps in legal understanding (safe harbor, EU data regulations) are closing as legal departments gain expertise, especially as more organizations operate globally and must comply with GDPR, China’s PIPL, and other international laws.

7. Small Business Challenges

Timestamp: 26:50–28:48

• SMEs are increasingly at risk of unintentionally falling under complex privacy laws, e.g., GDPR, CCPA, simply by acquiring a handful of out-of-state or international customers.
• Practical advice: Proactively consult with your legal advisor, consider VCISO (virtual/fractional CISO) services for affordable guidance, and establish baseline practices for privacy and security compliance.

8. Contracts: Pitfalls and Process

Timestamp: 28:48–35:05

• Sales often agree to stringent terms to win big deals, creating security/privacy obligations that may conflict with law enforcement or future compliance.
• Christy stresses reviewing every contract, using standard security clauses, and strong communication between security, legal, and sales teams.
• Standard contract clauses are helpful but rarely "standard" for long—every customer has unique requirements.

9. Threat Modeling and Moving Beyond “Security Culture of No”

Timestamp: 35:13–38:18

• Threat modeling is essential: Don’t just know what your data is and what the gaps are—think about which attackers might target you (direct and opportunistic).
• Cultural challenge: Many in cyber still focus only on exploiting vulnerabilities, ignoring the balance between risk and business objectives.
• Quote:

  "We are still building a security culture of no, and we're getting better...But we need to get out of our own heads." (Christy Westfall, 37:16)

10. The Ongoing Struggle for Privacy Awareness and Protection

Timestamp: 38:22–39:51

• There are no easy answers; consumers can take steps to protect their privacy, but meaningful protection is daunting and often requires tradeoffs (e.g., between digital convenience and privacy).
• The security and privacy community must continue to innovate and advocate for user-friendly solutions and public awareness.

Notable Quotes & Memorable Moments

• Kim Jones (07:20):
  "Gone are the days we could simply state that X data is private. Indeed, we are moving more to an environment of situational privacy where the data itself isn't as much of an issue as how the data is used."

• Christy Westfall (13:25):
  "It's protecting data that you don't want others to know. And I think that's the key, because that can be different for everyone. Right. So therein lies the challenge."

• Christy Westfall (15:28):
  "They [the UK] can request us to compel any sort of data that resides in their country to be handed over to them. And that... is still being acted out in the courts."

• Christy Westfall (18:31):
  "You can encrypt your data, but there are other ways around trying to find that key."

• Christy Westfall (21:58):
  "I have seen this come across where there's data privacy requirements that say you will cooperate in an investigation, but you will only cooperate with us. You won't cooperate directly with law enforcement."

• Christy Westfall (37:16):
  "We are still building a security culture of no, and we're getting better...But we need to get out of our own heads."

Timestamps for Key Segments

| Time | Segment Description | |-------------|-----------------------------------| | 00:11–08:51 | Privacy dilemmas, situational privacy, real-world examples | | 13:25–14:02 | Defining privacy | | 14:02–16:54 | Legal landscape, Cloud Act, encryption law | | 16:54–19:35 | Encryption fallacies, anecdotal cases | | 19:53–23:45 | CISO advice, practical realities | | 25:07–26:50 | Legal knowledge evolution in security| | 26:50–28:48 | Small business regulatory risk/preparedness| | 28:48–35:05 | Contract pitfalls, best practices, team education| | 35:13–38:18 | Threat modeling, culture of 'No,' integrating with business| | 38:22–39:51 | The continuing fight for privacy; awareness and actionable protection|

Final Thoughts

Christy Westfall wraps up with two major themes:

• The importance of integrating threat modeling—thinking like adversaries but in a way that serves broader organizational interests, not just patching holes for the sake of it.
• The urgent need for both consumer and enterprise awareness about the practical (and often messy) realities of protecting privacy in the digital age.

The conversation underscores that privacy and security are deeply interwoven, shaped by legal shifts, cultural attitudes, and business needs. Success requires ongoing education, cross-departmental communication, and pragmatism in the face of emerging threats and complex contracts.

This episode is essential listening for CISOs, privacy officers, legal counsel, and anyone interested in the real-world tensions between advancing technology, regulatory complexity, and the evolving meaning of privacy in the digital age.