Podcast Summary:
To The Point – Cybersecurity
Episode: Stepping Beyond Checkbox Compliance: Building Real Security and Meeting Legal Demands with De'von Carter
Date: February 3, 2026
Hosts: Rachael Lyon (A) & Jonathan Knepher (B)
Guest: De’von Carter (C) – Cybersecurity Expert & Attorney
Main Theme & Purpose
This episode delves into the evolving cybersecurity landscape, focusing on the tension between "checkbox compliance" and true security. De'von Carter, a seasoned cybersecurity expert and privacy law specialist, shares real-world insights on navigating regulatory demands, building proactive security postures, integrating legal perspectives, and preparing for both current and emerging threats—especially in a world rapidly shaped by AI and complex regulations.
Detailed Discussion Breakdown
1. De’von Carter’s Holistic Approach to Cybersecurity
- Background:
- Carter started as a network engineer, shifted to security (firewalls, penetration testing), then moved to law, blending technical, legal, and business perspectives.
- Quote:
"I like a holistic view of everything ... it's not just about compliance. It's not just about the architecture. It's not just about the legal side or just the technical. They all have to work together." (03:06)
2. Checkbox Compliance vs. Real Security
- Key Insight:
- Many organizations view compliance as a checklist to avoid fines rather than as the foundation for genuine security.
- Better organizations prioritize actual security, which naturally leads to compliance.
- Quote:
"Just because you're compliant with the law doesn't mean you're actually secure." (04:32)
- Risks:
- Budget constraints often lead to minimum, compliance-only efforts, which can leave real vulnerabilities unaddressed.
3. Regulatory Trends and Challenges
- Increasing Prescriptiveness:
- Regulations are becoming less vague, specifying concrete security practices.
- Carter warns against overly prescriptive regulations that limit organizational flexibility.
- Quote:
"Now they're telling you more... you need to do X, Y and Z ... But we have to be careful... companies need the autonomy and the flexibility to choose which solutions best fit them." (05:45)
- Operationalizing New Regulations:
- Large companies must align multiple stakeholders, update policies, and communicate risk.
- Small businesses can act more nimbly, though they may struggle with resources.
- Guidance:
- Always consult legal and compliance teams to capture both the "letter" and the "spirit" of new laws. (07:51)
4. Evidence Collection – Making Compliance Tangible
- Consistency is Key:
- Use modern compliance tools to standardize and automate evidence gathering.
- Uniform evidence allows progress tracking and easier audits.
- Quote:
"Having a uniform process for the specific type of evidence that you require... compliance needs to go through and see what evidence is even available." (10:28)
5. "Wait and See" Approach to Regulation
- On Delaying Compliance:
- Some organizations opt to pay fines rather than comply immediately (e.g., with GDPR).
- Carter strongly advises against “doing nothing”—incremental plans mitigate risks and limit regulatory backlash.
- Quote:
"It's always a good thing to be able to demonstrate, even if you're not fully compliant, that you have a plan... and that you've been executing on that plan consistently over time." (12:26)
6. Privacy, Data Collection, and Third Parties
- Business Understanding:
- Security must be built on understanding the business, necessity of data collection, and minimizing risk exposure.
- Ensure transparency about data practices, and secure third-party agreements.
- Quote:
"When you can minimize the amount of data that you're collecting, it really minimizes your risk from a privacy standpoint." (13:51)
7. Legal and Fiduciary Responsibilities
- Evolving Board Accountability:
- Board members and CISOs are facing growing legal responsibilities for cybersecurity.
- CISOs are increasingly being covered under D&O insurance, and leadership is becoming more conservative in its approach.
- Incident Response Planning:
- Growing rigor in tabletop exercises, response plans, and legal involvement.
- Importance of External Counsel:
- External legal counsel helps preserve privilege during breach investigations.
- Quote:
"When you hire external counsel for the breach, there's automatically a legal implication ... it's much easier for privilege to attach." (16:33)
8. Technical Foundations of Incident Response
- Essential Capabilities:
- Logging/monitoring, backup and recovery (especially for ransomware).
- Quote:
"The easiest way to get over a ransomware attack is... making sure your backups and your disaster recovery processes are sound. ... you can tell the ransomware guys to kick rocks." (22:09–23:32)
9. Insider Threat—Malicious vs. Accidental
- Prevailing Risks:
- Most breaches stem from accidental insider actions, not malicious intent.
- Zero trust is crucial—everyone is a potential threat, so authenticate and authorize every action.
- Quote:
"My mantra is, you know, the buzzword zero trust, right. Treat everybody like they're a risk or they're a threat." (23:47–24:41)
10. AI—Threats and Opportunities in Security
- Same Attacks, New Wrapping:
- AI accelerates old attack vectors but doesn't fundamentally change them.
- Attackers leverage AI for efficiency; security teams must respond in kind.
- Quote:
"They're the same attacks with different gift wrapping… AI has helped bad guys a lot... But it's still the same type of attack." (25:59)
- Warning Against Overreliance:
- Carter cautions against security teams losing core reasoning and technical skills due to AI dependence.
- Memorable Moment:
"AI is very, very good. We have to be careful societally to not allow AI to make us dumb." (29:04)
11. Global Regulatory Complexity
- Navigating Jurisdictions:
- Many organizations aim to comply with the strictest applicable law to simplify the effort, but this brings cost and risk.
- Some smaller companies consider "geofencing" out entire jurisdictions with unfavorable laws.
- Quote:
"It was a business decision... should we just geofence this state and just, like, not allow people from that state to gain access to our website?... If you've been in business for 10 years and you're not making any money from that state and it's going to cost you a few hundred grand, maybe I can do without them." (32:35–35:36)
- Need for Federal Law:
- Federal baseline regulation is seen as necessary to reduce the patchwork, but states want autonomy over stricter/enhanced laws.
- Timeline for federal action remains unclear; Carter skeptical about near-term changes. (37:55–39:36)
- Quote:
"There's a middle ground. I just don't think we know what it is yet. Maybe at the federal level, put some key baseline requirements in, and then still maybe allow the states to ... do things up to a certain point." (36:02)
- Public Value of Personal Data:
- Carter laments our tendency to undervalue personal data; regaining control is likely impossible.
- EU is stricter but risks overburdening small businesses.
12. Personal Journey and The Case for Cybersecurity Education in Law
- Carter’s Background:
- Inspired by legal dramas, he blended tech acumen and legal ambition after a serendipitous encounter with an attorney.
- Cybersecurity for Lawyers:
- Advocates for baseline cybersecurity and privacy education for all law students.
- Quote:
"There should be some level of introduction to cybersecurity, at least the terms and concepts… Everybody should take a data privacy course." (43:13–44:36)
Notable Quotes & Memorable Moments
- "Just because you're compliant with the law doesn't mean you're actually secure." – De'von Carter (04:32)
- "When you can minimize the amount of data that you're collecting, it really minimizes your risk from a privacy standpoint." – De'von Carter (13:51)
- "AI is very, very good. We have to be careful societally to not allow AI to make us dumb." – De'von Carter (29:04)
- "[Incident Response:] Even a bad plan is better than no plan. ... Having something documented to know who to call, that goes a long way." – De'von Carter (16:33)
- "The easiest way to get over a ransomware attack is... making sure your backups and your disaster recovery processes are sound." (22:09–23:32)
- "It's always a good thing to demonstrate you've been executing on a plan... Even small bites, over time you get through that whole elephant." (12:26)
Key Timestamps for Important Segments
- De’von Carter’s holistic approach: 02:32–03:24
- Checkbox compliance vs. real security: 04:32–05:34
- Regulatory trends: 05:45–07:09
- Operationalizing new regulations: 07:51–10:06
- Evidence collection: 10:28–11:56
- Delaying compliance (“wait and see”): 11:56–13:29
- Privacy/data collection/third parties: 13:51–15:45
- Legal/fiduciary responsibilities: 15:48–19:41
- Role of external counsel in incidents: 16:33–20:25
- Logging, monitoring, backup necessity: 22:09–23:32
- Insider threat—accidental/malicious: 23:47–25:41
- AI and threat evolution: 25:59–29:40
- Skills and overreliance on AI: 29:04–31:44
- Handling global regulatory landscape: 32:35–37:55
- Need for federal regulation: 36:01–39:39
- Valuing personal data and EU complexity: 40:01–41:10
- Carter’s personal legal and tech journey: 41:40–43:13
- Cyber law education recommendations: 43:13–44:36
Episode Takeaways
- Regulatory compliance is a foundation, not a finish line. True security requires proactive, thoughtful adaptation—not just checking boxes.
- Regulations are getting more specific; organizations must balance clarity with autonomy.
- Business understanding is vital for effective security, privacy, and risk mitigation.
- Incident response, evidence gathering, and legal counsel—especially external—are essential for modern risk management.
- Most security failures are accidental; fostering a zero-trust environment is critical.
- AI is a double-edged sword. Leverage it for defense, but don’t lose core technical and reasoning skills.
- Global regulatory patchwork is growing in complexity; future federal baselines may help, but challenges remain.
- Cybersecurity and privacy education should be core elements of both IT and law curriculums.
For further details and access to the episode, visit: Forcepoint To The Point Cybersecurity Podcast
