What if the key to stronger data security isn’t technology… but curiosity?

In this episode, Christian Ghigliotty, Head of Enterprise Security Engineering, joins us to unpack what it really takes to build a security-first culture in today’s AI-driven world. From champion programs to collaboration councils, Christian shares how curiosity, communication, and connection are redefining how modern teams protect data. He also opens up about his unconventional career path and why he believes writing and relationship-building are two of the most underrated skills in tech. Whether you’re leading enterprise security or just getting started in data protection, this conversation will leave you thinking differently about how trust, empathy, and engagement fuel resilience.

Takeaways:

• Identify and Empower Champions: Find individuals passionate about data security within your organization and empower them to act as liaisons or "champions" to bridge gaps between teams.
• Create a Council or Working Group: Bring together your champions or stakeholders regularly, not just for updates but for active participation, problem-solving, and sharing ownership of outcomes.
• Leverage Awareness Opportunities: Use events like Cybersecurity Awareness Month to elevate champions, share success stories, and recruit new advocates.
• Apply Your Unique Skills: Leverage your background and strengths (e.g., communication, writing, teaching) to add value in security roles, even if you come from a non-technical background.
• Gamify Security Initiatives: Consider using gamification (leaderboards, rewards, or friendly competition) to incentivize good security practices and increase engagement.
• Document and Share Successes: Regularly communicate wins and lessons learned to maintain momentum and encourage broader participation.
• Don’t Wait for the “Right” Time: Security awareness and improvement should be ongoing, not just tied to special months or events.

Quote of the Show:

• “Cybersecurity doesn't always have to wait till October. Of course, we love to highlight cybersecurity awareness month, but every month we're working together on these things.” - Christian Ghigliotty

Links:

• LinkedIn: https://www.linkedin.com/in/ghigliottyc/

Ways to Tune In:

• Transistor: https://guardiansofthedata.show/  
• Spotify: https://open.spotify.com/show/5gZXInkb12Qrs2Lyv0hstQ 
• Apple Podcasts: https://podcasts.apple.com/us/podcast/guardians-of-the-data/id1826819323 
• Amazon Music: https://music.amazon.com/podcasts/0754cdde-f1c4-4f6c-92a2-e263f7840eb8/guardians-of-the-data
• iHeart Radio: https://www.iheart.com/podcast/269-guardians-of-the-data-285972170/
• YouTube: https://www.youtube.com/@GuardiansoftheDataPod 

What happens when AI adoption moves faster than your security strategy?

Today, Ward sits down with Adrian Guevara, Chief Information Security Officer at TELUS Digital Solutions, to unpack one of the biggest challenges facing organizations today: how to secure your business in an AI-driven world. Adrian brings over two decades of IT and cybersecurity experience and a refreshingly candid take on what it really takes to lead through massive change. Adrian shares insights on the impact of AI on businesses, the importance of understanding and tinkering with technology, and the crucial role of building trust and relationships within an organization. He emphasizes the need for a culture of continuous feedback and collaboration, especially in rapidly growing and technologically evolving environments. The episode also delves into Adrian's fascinating career journey from an IT director who was voluntold to be a security officer to his current role as a CISO, highlighting key strategies for navigating the ever-changing landscape of data security.

Takeaways:

• Ask “Can We Do It Better?”: Regularly question existing processes and tools. Encourage feedback from your team to drive continuous improvement.
• Create a Path of Least Resistance: Make secure, approved tools and processes as easy to use as possible to reduce the temptation for employees to circumvent security.
• Build a Culture of Trust and Approachability: Be visible, approachable, and responsive. Building trust makes it easier to implement change and get buy-in.
• Leverage Feedback for Better Security: Involve your team in decision-making, listen to their feedback, and let them help shape security policies and tool choices.
• Invest in Tools that Support Security: Provide employees with tools like password managers to make secure practices easier to follow.
• Build Relationships: Strong professional relationships help you navigate change, get buy-in, and create a more fulfilling work environment.
• Be Transparent and Communicate the “Why”: When implementing new policies or changes, explain the reasoning and how it benefits the team and organization.

Quote of the Show:

• “ You gotta love what you're doing because there's gonna be hard times and there's gonna be times you have to learn things on your own. Without that love, it just makes it much harder to do.” - Adrian Guevara

Links:

• LinkedIn: https://www.linkedin.com/in/adrian-guevara17/ 
• Website: https://www.telusdigital.com/ 

Ways to Tune In:

• Transistor: https://guardiansofthedata.show/  
• Spotify: https://open.spotify.com/show/5gZXInkb12Qrs2Lyv0hstQ 
• Apple Podcasts: https://podcasts.apple.com/us/podcast/guardians-of-the-data/id1826819323 
• Amazon Music: https://music.amazon.com/podcasts/0754cdde-f1c4-4f6c-92a2-e263f7840eb8/guardians-of-the-data
• iHeart Radio: https://www.iheart.com/podcast/269-guardians-of-the-data-285972170/
• YouTube: https://www.youtube.com/@GuardiansoftheDataPod 

Are we so obsessed with new AI tools that we’ve forgotten the basics of security?

Kraig Faulkner, Field CTO at Infolock, joins the show to discuss the pressing challenges and solutions around data security, particularly focusing on AI and access control. Kraig elaborates on the importance of understanding business data, securing AI access, and the necessary steps organizations need to take to prevent data exfiltration. He shares his professional journey and thoughts on the future trends in data security, including a potential shift back to on-prem solutions and the integration of AI into larger security portfolios. The episode highlights key strategies for implementing and securing AI within organizations, making it a must-listen for security leaders.

Takeaways:

• Start Small, Don’t Boil the Ocean: Begin with a manageable subset of data or a pilot group rather than trying to secure everything at once.
• Audit Access Regularly: Conduct regular audits to determine who has access to what data, why they have access, and whether that access is still appropriate.
• Implement Role-Based Access Controls (RBAC): Use RBAC to ensure only the right people have access to sensitive data, and review these controls periodically.
• Control AI and Tool Access: Roll out generative AI and other new tools methodically. Test with small, trusted groups before wider deployment, and avoid unsanctioned tools.
• Validate AI Outputs: Always verify the accuracy and appropriateness of AI-generated outputs before acting on them or sharing them.
• Involve HR in Identity Management: Ensure HR processes are integrated with IT to manage onboarding, offboarding, and changes in access as roles evolve.
• Prepare for Ongoing Change: Recognize that securing data and managing access is an ongoing process. Regularly revisit policies, tools, and practices as technology and business needs evolve.

Quote of the Show:

• “We have gotten so fascinated with what's new, what's hot, what's moving the needle, right? And we forget about some of the basics.” - Kraig Faulkner

Links:

• LinkedIn: https://www.linkedin.com/in/kraigfaulkner/ 
• Website: https://www.infolock.com/ 

Ways to Tune In:

• Transistor: https://guardiansofthedata.show/  
• Spotify: https://open.spotify.com/show/5gZXInkb12Qrs2Lyv0hstQ 
• Apple Podcasts: https://podcasts.apple.com/us/podcast/guardians-of-the-data/id1826819323 
• Amazon Music: https://music.amazon.com/podcasts/0754cdde-f1c4-4f6c-92a2-e263f7840eb8/guardians-of-the-data
• iHeart Radio: https://www.iheart.com/podcast/269-guardians-of-the-data-285972170/
• YouTube: https://www.youtube.com/@GuardiansoftheDataPod 

What happens when your organization doesn’t know what it needs to protect?

Today Ward welcomes Hans Vargas, Enterprise Data Protection Lead at Marathon Petroleum Corporation, who brings over two decades of experience in cybersecurity. Hans shares insights on the importance of understanding what data needs to be protected, and the challenges organizations face in this area, especially with the adoption of cloud services. He discusses the significance of communicating the value of data protection to business leaders and data owners, and offers practical advice on data discovery, retention, and governance. Hans emphasizes the necessity of including data security considerations in the early stages of application development and innovation. He also shares his personal journey from Peru to a successful career in the U.S., highlighting the importance of mentorship, continuous learning, and proactive problem-solving in cybersecurity. This episode provides valuable strategies for integrating data security into organizational processes and fostering collaboration between cybersecurity professionals and business stakeholders.

Takeaways:

• Know What You Need to Protect: Start with data discovery and identify what data you have, where it is, and what is sensitive. You can't protect what you don't know exists.
• Engage Data Owners Directly: Build relationships with data owners, not just stakeholders. Have open conversations to understand what is truly sensitive and important to the business.
• Communicate the Value of Data Protection: Clearly explain to business units why data protection matters, using relatable analogies if needed (e.g., moving houses, hoarding).
• Establish and Strengthen Data Governance: Ensure your organization has clear data governance policies covering the entire data lifecycle from creation to disposition.
• Collaborate Across Teams: Work closely with data governance, legal, and business units. Data security is a two-way street; share discoveries and insights to improve overall protection.
• Don’t Rely Solely on Tools: Deploying a tool is not enough. Make sure processes and responsibilities are in place before or alongside technology adoption.
• Consider the Full CIA Triad: Don’t focus only on confidentiality. Ensure data integrity and availability are also prioritized to keep the business running smoothly.

Quote of the Show:

• “If you don't know what you need to protect, that's a problem.” - Hans Vargas

Links:

• LinkedIn: https://www.linkedin.com/in/hansvargas/ 
• Website: https://www.marathonpetroleum.com/ 

Ways to Tune In:

• Transistor: https://guardiansofthedata.show/  
• Spotify: https://open.spotify.com/show/5gZXInkb12Qrs2Lyv0hstQ 
• Apple Podcasts: https://podcasts.apple.com/us/podcast/guardians-of-the-data/id1826819323 
• Amazon Music: https://music.amazon.com/podcasts/0754cdde-f1c4-4f6c-92a2-e263f7840eb8/guardians-of-the-data
• iHeart Radio: https://www.iheart.com/podcast/269-guardians-of-the-data-285972170/
• YouTube: https://www.youtube.com/@GuardiansoftheDataPod 

What’s harder than stopping a breach? Convincing leadership your data security program is worth the investment.

Zach Luze, Data Security Advisory Practice Director at TBD Cyber joins Ward today to focus on the challenges organizations face in demonstrating the value of data security. Zach explains how the inability to show value can impact budgets and resources, emphasizing that many data security programs struggle with meaningful key performance indicators (KPIs). He suggests a blended approach to data discovery and provides insights into building metrics that highlight the value of security programs. Zach also shares his career journey from an IT auditor to his current role, highlighting his work in assessing, designing, and building data security programs. The conversation touches on various aspects of data security, including data discovery, cloud transformation, insider threats, and the burgeoning role of AI in improving data detection and response. The episode concludes with Zach's predictions on AI's growing influence in data security through 2026 and advice for those looking to break into the field.

Takeaways:

• Focus on Meaningful Metrics: Prioritize data security metrics that reflect real impact, not just what’s easiest to measure.
• Align People, Process, and Technology: Engage stakeholders across teams and ensure your data security approach integrates people, processes, and technology from the start.
• Eliminate Stale Data for Savings: Regularly identify and remove outdated or unused data to reduce risk and demonstrate cost savings.
• Adopt an Agile Discovery Mindset: Stay flexible and ready to adjust your data discovery strategy as new information and challenges arise.
• Look Beyond the Obvious: Investigate areas where sensitive data might be hiding, even if you don’t expect to find it there.
• Demonstrate Value Clearly: Communicate the benefits and results of your data security efforts to build support and momentum.

Quote of the Show:

• “Metrics are great. Stories are just as good to back those up and through your insider threat program, that’s where you get the case notes to develop those stories.” - Zach Luze

Links:

• LinkedIn: https://www.linkedin.com/in/zachluze/ 
• Website: https://www.tbdcyber.com/ 

Ways to Tune In:

• Transistor: https://guardiansofthedata.show/  
• Spotify: https://open.spotify.com/show/5gZXInkb12Qrs2Lyv0hstQ 
• Apple Podcasts: https://podcasts.apple.com/us/podcast/guardians-of-the-data/id1826819323 
• Amazon Music: https://music.amazon.com/podcasts/0754cdde-f1c4-4f6c-92a2-e263f7840eb8/guardians-of-the-data
• iHeart Radio: https://www.iheart.com/podcast/269-guardians-of-the-data-285972170/
• YouTube: https://www.youtube.com/@GuardiansoftheDataPod 

Think hackers are your biggest data threat? Think again.

Daley Varghese, a seasoned privacy expert, joins Ward Balcerzak to reveal why data sprawl and AI misuse may be even more dangerous, and what companies can do to get ahead. Daley emphasizes the importance of governance strategies, data mapping, and the need for cross-functional collaboration among privacy, security, and data governance teams. The episode also highlights the pressing need for education and clear communication within organizations to mitigate risks and build trust with consumers. Daley shares insights on how to start privacy initiatives, manage assessment fatigue, and the role of education and relationships in overcoming these challenges. Additionally, Daley provides advice for professionals looking to enter the privacy field and discusses the evolving landscape of privacy regulations.

Takeaways:

• Engage Governance Early: Start conversations with privacy, legal, security, and data governance professionals as early as possible in any project involving sensitive data.
• Keep Assessments Simple and Understandable: Design privacy and security assessments in clear, layman’s terms so business users can complete them without excessive handholding.
• Educate Continuously: Go beyond mandatory training. Join team meetings, host town halls, and make privacy and security topics relevant and accessible to all employees.
• Mitigate, Don’t Just Identify Risks: Once risks are identified, take concrete steps to address them. Add them to your roadmap and allocate resources to resolve them over time.
• Leverage Privacy and Security Champions: Train and empower champions within business units to advocate for privacy and security, spreading knowledge and best practices.
• Trust, But Verify: Always verify the output of AI and data-driven tools, especially when using external or generative AI systems.
• Stay Informed on Regulations: Partner with legal and policy teams, use industry tools, and pursue certifications to keep up with evolving privacy and security regulations.

Quote of the Show:

• “No company is perfect; every company is struggling with this. It's okay to have these risks identified. What is not okay is once you know that these risks are identified, don't do nothing.” - Daley Varghese

Links:

• LinkedIn: https://www.linkedin.com/in/daley-varghese/ 

Ways to Tune In:

• Transistor: https://guardiansofthedata.show/  
• Spotify: https://open.spotify.com/show/5gZXInkb12Qrs2Lyv0hstQ 
• Apple Podcasts: https://podcasts.apple.com/us/podcast/guardians-of-the-data/id1826819323 
• Amazon Music: https://music.amazon.com/podcasts/0754cdde-f1c4-4f6c-92a2-e263f7840eb8/guardians-of-the-data
• iHeart Radio: https://www.iheart.com/podcast/269-guardians-of-the-data-285972170/
• YouTube: https://www.youtube.com/@GuardiansoftheDataPod 

How does the accidental insider pose a threat to your company’s security?

Today, Ward dives deep into data security challenges with Rick Scot, the global CISO at Elevate Textiles. With almost 20 years of cybersecurity experience, Rick emphasizes the critical importance of addressing insider threats, especially those posed by well-meaning employees unaware of their risky actions. He shares real-world experiences, the evolution of cyber awareness training, the necessity of building strong internal relationships, and insights into his multifaceted career journey. The episode is packed with expert advice for cybersecurity professionals on fostering a culture of security within an organization and tips for young professionals to find a mentor.

Takeaways:

• Prioritize People in Data Security: Recognize that most data breaches are caused by insiders who make mistakes. Focus on educating and supporting employees to reduce accidental risks.
• Stay Vigilant Against Social Engineering: Be aware of sophisticated phishing and social engineering tactics, especially those leveraging personal information from social media and deepfakes. Always verify requests for sensitive information, even if they appear to come from trusted sources.
• Make Security Training Personal and Relevant: Move beyond generic, checkbox-style training. Tailor security awareness programs to real-life scenarios and make them relatable to employees’ daily experiences.
• Know Your Data and Its Value: Understand what data your organization holds, where it resides, and why it’s valuable. This knowledge is crucial for protecting sensitive information and responding to incidents.
• Build Relationships Across the Organization: Foster open communication and trust between security teams and other departments. Building relationships makes it easier for employees to ask questions and report suspicious activity.
• Balance Security and Trust: Implement necessary controls without creating a culture of distrust. Explain the “why” behind security measures to avoid alienating employees.
• Network and Seek Mentorship: Build a professional network inside and outside your organization. Seek mentors, and be open to mentoring others to grow your knowledge and resilience in the field.

Quote of the Show:

• “ I always feel like if I have the institutional knowledge, then I can better protect the company if I understand the business.” - Rick Scot

Links:

• LinkedIn: https://www.linkedin.com/in/ricksscot/ 
• Website: https://www.elevatetextiles.com/ 

Ways to Tune In:

• Transistor: https://guardiansofthedata.show/  
• Spotify: https://open.spotify.com/show/5gZXInkb12Qrs2Lyv0hstQ 
• Apple Podcasts: https://podcasts.apple.com/us/podcast/guardians-of-the-data/id1826819323 
• Amazon Music: https://music.amazon.com/podcasts/0754cdde-f1c4-4f6c-92a2-e263f7840eb8/guardians-of-the-data
• iHeart Radio: https://www.iheart.com/podcast/269-guardians-of-the-data-285972170/
• YouTube: https://www.youtube.com/@GuardiansoftheDataPod 

What’s the meaning behind the data your team is collecting?

Derek Fisher, Director of the Cybersecurity Defense and Information Assurance Program at Temple University, joins Ward to hash out the ‘why’ behind data security. Derek emphasizes the importance of understanding the integrity and proper usage of data, especially in scenarios like healthcare and financial services. The conversation also explores the differences in data security practices across various industries such as healthcare, financial services, and higher education. Derek shares insights on teaching the next generation of cybersecurity professionals and the relevance of the NIST NICE framework in aligning education and job roles. The episode offers practical advice for aspiring and current cybersecurity professionals on staying curious, demonstrating skills, and the importance of understanding the broader ecosystem of data security.

Takeaways:

• Question Every Data Collection: Before collecting any data, ask yourself if you truly need it. If the answer is no, don’t collect it. This reduces your responsibility to protect unnecessary information and minimizes risk.
• Show Your Work and Stand Out: Document and share your work, especially if you’re entering a new field like cybersecurity. Demonstrating your process and achievements helps you differentiate yourself from others.
• Data Minimization for Security: Avoid collecting data just because you might need it in the future. Every piece of data you store increases your attack surface. Only collect what is essential to reduce potential vulnerabilities.
• Use the NIST NICE Framework for Career Growth: Leverage frameworks like NIST NICE to understand the skills and knowledge required for specific roles. This can help you target your learning and career development more effectively.
• Stay Curious and Threat Model: Maintain a curious mindset and always think like an attacker. Regularly ask, “What can go wrong?” and “What will we do about it?” Practicing basic threat modeling is a critical skill for navigating today’s security landscape.
• Risk-Based Approach to Data Decryption: When deciding whether to decrypt data, use a risk-based approach. Work with legal and HR teams to set clear guidelines and avoid decrypting sensitive categories like healthcare unless necessary.

Quote of the Show:

• “ For me, teaching this next generation of cyber individuals or technologists, it's about showing them sort of the entire picture.” - Derek Fisher

Links:

• LinkedIn: https://www.linkedin.com/in/derek-fisher-sec-arch/ 
• Website: https://www.securelybuilt.com/ 
• Substack: https://substack.com/@securelybuilt

Ways to Tune In:

• Transistor: https://guardiansofthedata.show/  
• Spotify: https://open.spotify.com/show/5gZXInkb12Qrs2Lyv0hstQ 
• Apple Podcasts: https://podcasts.apple.com/us/podcast/guardians-of-the-data/id1826819323 
• Amazon Music: https://music.amazon.com/podcasts/0754cdde-f1c4-4f6c-92a2-e263f7840eb8/guardians-of-the-data
• iHeart Radio: https://www.iheart.com/podcast/269-guardians-of-the-data-285972170/
• YouTube: https://www.youtube.com/@GuardiansoftheDataPod 

Human risk is the most unpredictable factor in cybersecurity and insider risk.

Lisa Gunning, a counterintelligence and insider risk expert with over 18 years of experience in both the public and private sectors, joins Ward today to dive into human risk. Lisa shares her unique perspective on the human element in cybersecurity, the evolving landscape of insider threats, and the critical importance of building a strong security culture within organizations. The conversation covers the intersection of AI, human behavior, and data protection, offering practical advice for organizations of all sizes. She provides actionable recommendations and stories around her experiences that any listener can benefit from.

Takeaways:

• Recognize the Human Element: Understand that human behavior is often the biggest risk in data security. Both intentional and accidental actions by insiders can create vulnerabilities.
• Foster Security Culture: Build a culture where security is everyone’s responsibility. Encourage open conversations about risks and make security policies clear and rational.
• Partner Across Departments: Collaborate with stakeholders like HR, compliance, IT, and business leaders to address insider risk from multiple angles.
• Iterate Policies: Keep security and data policies up to date. Make them flexible enough to adapt to new technologies and edge cases, rather than relying on rigid, outdated rules.
• Monitor for Insider Threats: Identify high-risk individuals and roles, not just executives or IT admins, but anyone with access to sensitive data or mission-critical processes.
• Leverage Counterintelligence Tactics: Use counterintelligence strategies to understand what assets are valuable to adversaries and how your organization might be targeted.
• Be Transparent About AI Tools: Set clear guidelines for the use of AI note-takers and other digital assistants, especially in confidential meetings.

Quote of the Show:

• “Human behavior is the biggest risk. We are an unpredictable, ever-evolving group, and as a very wise colleague of mine once said, humans are gonna human.” - Lisa Gunning

Links:

• LinkedIn: https://www.linkedin.com/in/lisa-gunning/ 
• Website: https://www.vaillancegroup.com/ 
• Substack: https://lotstounpackthere.substack.com/  

Ways to Tune In:

• Transistor: https://guardiansofthedata.show/  
• Spotify: https://open.spotify.com/show/5gZXInkb12Qrs2Lyv0hstQ 
• Apple Podcasts: https://podcasts.apple.com/us/podcast/guardians-of-the-data/id1826819323 
• Amazon Music: https://music.amazon.com/podcasts/0754cdde-f1c4-4f6c-92a2-e263f7840eb8/guardians-of-the-data
• iHeart Radio: https://www.iheart.com/podcast/269-guardians-of-the-data-285972170/
• YouTube: https://www.youtube.com/@GuardiansoftheDataPod 

What’s the balance between data governance and data stewardship?

Lance Fischer, Principal Security Architect at Guidepoint Security, joins the show today and dives into the complexities of data security, highlighting the differences between data governance and data stewardship. He emphasizes the significance of visibility and collaboration among stakeholders in maintaining robust data security frameworks. Lance shares insights from his extensive career, revealing the practical challenges and strategies in improving data security through governance, tool rationalization, and pragmatic approaches. The discussion also touches on the evolving landscape of AI, APIs, and the critical importance of securing sensitive data. This episode provides a comprehensive look into the foundational aspects of data security and offers practical advice for organizations to enhance their data protection efforts.

Takeaways:

• Prioritize Visibility First: Before implementing controls or buying tools, ensure you have a clear understanding of what data you have, where it resides, and how it flows within your organization.
• Clarify Data Governance vs. Data Stewardship: Define clear roles. Governance sets the policies and rules; stewardship ensures those rules are applied consistently. Foster communication and cooperation between these groups.
• Start Small and Scale: Don’t try to solve everything at once. Tackle visibility and controls in manageable pieces. Focus on a subset of data or a specific business unit to build momentum.
• Engage Stakeholders Across the Business: Involve HR, Legal, IT, and business units early to ensure policies are practical and have buy-in. Encourage open dialogue rather than top-down mandates.
• Understand and Plan for Resource Needs: Assess the people, time, and budget required for data security initiatives before launching. Avoid overburdening staff with too many roles; dedicate resources where possible.
• Document Decisions and Processes: Track inputs and outputs from governance meetings and policy changes for audit and continuous improvement.
• Anticipate and Manage Tool Sprawl: Regularly review existing tools for effectiveness and eliminate redundant or unused solutions. Don’t assume swapping tools will solve underlying process or visibility issues.

Quote of the Show:

• “What we're talking about here is not visibility, just from putting in a DLP tool. We're also talking about business: having those conversations between real humans to get a sense for what's going on.” - Lance Fischer

Links:

• LinkedIn: https://www.linkedin.com/in/lance-fischer-a0301219/ 
• Website: https://www.guidepointsecurity.com/ 

Ways to Tune In:

• Transistor: https://guardiansofthedata.show/  
• Spotify: https://open.spotify.com/show/5gZXInkb12Qrs2Lyv0hstQ 
• Apple Podcasts: https://podcasts.apple.com/us/podcast/guardians-of-the-data/id1826819323 
• Amazon Music: https://music.amazon.com/podcasts/0754cdde-f1c4-4f6c-92a2-e263f7840eb8/guardians-of-the-data
• iHeart Radio: https://www.iheart.com/podcast/269-guardians-of-the-data-285972170/
• YouTube: https://www.youtube.com/@GuardiansoftheDataPod 

How can cybersecurity professionals balance both the regulatory requirements and the fundamentals of data protection?

Today, Trevor Dolan, VP Senior Director of Cybersecurity Data Protection and Governance at Fidelity National Financial, shares insights on balancing regulatory compliance with the fundamentals of data protection, designing holistic data protection programs, and the importance of strategic planning. He delves into the five main areas of developing data protection organizations: governance and leadership, risk assessment, policies and procedures, training and awareness, and team and organizational structure. Trevor also offers practical advice for young professionals starting in the field and discusses the significance of building trustworthy relationships with stakeholders. For organizations facing budget and hiring challenges, he suggests prioritizing top-risk areas and leveraging existing resources effectively. The episode concludes with Trevor reflecting on his career journey and sharing his contact information for further connection.

Takeaways:

• Establish Strong Governance and Leadership: Build a solid foundation by defining the scope of your data protection program.
• Conduct a Comprehensive Risk Assessment: Use frameworks like NIST CSF or CIS Controls to assess your current state and maturity. Be honest about gaps and deficiencies; use data to drive consensus and prioritize improvements.
• Develop and Maintain Clear Policies and Procedures: Ensure policies map directly to regulatory, legal, and contractual requirements. Create a hierarchy: policies, procedures, standards, and control implementation patterns.
• Invest in Targeted Training and Awareness: Go beyond generic security training; provide specific modules for privacy, incident management, and data protection. Reinforce training with assessments that encourage critical thinking, not just box-checking.
• Be Flexible and Resourceful with Budget and Staffing: If faced with budget or hiring freezes, focus on top-priority risks and use available tools creatively (“gold, silver, bronze” approach).
• Use Data to Drive Decisions and Build Consensus: Bring objective data to stakeholder discussions to resolve disagreements and focus on solving real problems.
• Continuously Improve and Adapt: Treat your data protection program as a living, evolving effort. Regularly revisit your risk assessments, policies, and training to ensure they remain effective and aligned with business objectives.

Quote of the Show:

• “ Make sure that those expectations are well communicated, but do it in a way that helps them to really incorporate that in their day-to-day so that they feel empowered as far as protecting the organization's data, and they feel part of the mission.” - Trevor Dolan

Links:

• LinkedIn: https://www.linkedin.com/in/trevor-dolan-91a1ab12/ 
• Website: https://www.fnf.com/ 

Ways to Tune In:

• Transistor: https://guardiansofthedata.show/  
• Spotify: https://open.spotify.com/show/5gZXInkb12Qrs2Lyv0hstQ 
• Apple Podcasts: https://podcasts.apple.com/us/podcast/guardians-of-the-data/id1826819323 
• Amazon Music: https://music.amazon.com/podcasts/0754cdde-f1c4-4f6c-92a2-e263f7840eb8/guardians-of-the-data
• iHeart Radio: https://www.iheart.com/podcast/269-guardians-of-the-data-285972170/
• YouTube: https://www.youtube.com/@GuardiansoftheDataPod 

What are the people concerns when it comes to cybersecurity?

Today Ward welcomes seasoned security veteran and CEO of Nexasure, Rick McElroy. Rick, with over 25 years of experience in cybersecurity, shares his insights on the primary challenges organizations face in data security, focusing on the often-overlooked human and cultural elements. He emphasizes the importance of education, awareness, and the need for a balanced investment between technology and people. Rick also delves into the dynamics of cross-generational training and the impact of organizational culture on security programs. Additionally, he shares his personal journey in cybersecurity, discusses the significance of continuous learning and volunteering, and offers advice for individuals looking to enter or advance in the field. The episode highlights the need for a holistic approach to data security that includes both technological solutions and human factors.

Takeaways:

• Prioritize People and Culture in Security: Invest in security awareness and education at all levels of the organization, not just in technology.
• Engage Leadership Early: Start security conversations at the highest levels (C-suite) to ensure buy-in and proper governance. Clarify who is responsible for risk and ensure decision-makers are educated on security issues.
• Balance Technology with Human Factors: Don’t rely solely on technical solutions; consider how changes impact people and workflows. Design security controls and processes with end users in mind to minimize friction and maximize adoption.
• Invest in Prevention and Smart Tooling: Focus on effective, well-managed controls rather than constantly switching tools. Choose vendors and solutions that can scale with your organization and minimize switching costs.
• Tailor Security Training to Your Audience: Use multimodal training approaches (video, experiential, written) to reach different generations and learning styles.
• Support Career Growth and Entry into Cybersecurity: Take advantage of free vendor training and volunteer opportunities to gain experience.

Quote of the Show:

• “What I'm actually interested in is a change in behavior to the positive, even if that's a tiny thing that one user does that's more secure than it was yesterday.” - Rick McElroy

Links:

• LinkedIn: https://www.linkedin.com/in/rickdecrypts/ 
• Website: https://nexasure.ai/ 

Ways to Tune In:

• Transistor: https://guardiansofthedata.show/ 
• Spotify: https://open.spotify.com/show/5gZXInkb12Qrs2Lyv0hstQ 
• Apple Podcasts: https://podcasts.apple.com/us/podcast/guardians-of-the-data/id1826819323 
• Amazon Music: https://music.amazon.com/podcasts/0754cdde-f1c4-4f6c-92a2-e263f7840eb8/guardians-of-the-data
• iHeart Radio: https://www.iheart.com/podcast/269-guardians-of-the-data-285972170/
• YouTube: https://www.youtube.com/@GuardiansoftheDataPod 

How can you protect your data if you don’t know where it is?

The answer is you can’t. Rick DeLoach, Deputy CISO at ADT, joins Ward on this week’s episode to discuss the crucial aspects of data security and governance. Rick shares his two decades of experience in the field, emphasizing the importance of data discovery, classification, and the implementation of structured programs involving process, policy, and technology. The conversation also covers the challenges of integrating AI technologies within organizations and the significance of ongoing business alignment to enhance security practices. Lastly, Rick's journey from finance student to cybersecurity leader offers valuable insights and advice for aspiring professionals in the field.

Takeaways:

• Start with Data Discovery and Classification: You can't protect what you don't know you have. Begin by inventorying and classifying your data assets.
• Establish Strong Governance and Policy Frameworks: Before investing in technology, ensure you have clear, organization-wide policies and processes for data handling and security.
• Align Security with Business Needs: Engage business stakeholders to understand what data is most critical, why it matters, and the impact if it’s lost or exposed.
• Educate and Partner with Business Users: Move from being the “department of no” to a partner that educates and collaborates with business units on secure data practices.
• Be Proactive, Not Reactive: Build and maintain a data inventory to enable rapid response and assessment in the event of a breach or incident.
• Balance Innovation and Security: Embrace new technologies like AI, but ensure their use is governed by clear policies and risk assessments.
• Stay Adaptable: The security landscape changes rapidly—be ready to adjust your approach as new challenges and technologies emerge.

Quote of the Show:

• “You don't know how to protect something if you don't know what it is and where it's at.” - Rick DeLoach

Links:

• LinkedIn: https://www.linkedin.com/in/rdeloach/ 
• Website: https://www.adt.com/ 

Ways to Tune In:

• Transistor: https://guardiansofthedata.show/ 
• Spotify: https://open.spotify.com/show/5gZXInkb12Qrs2Lyv0hstQ 
• Apple Podcasts: https://podcasts.apple.com/podcast/ciso-titans-unencrypted-unfiltered-unpatched/id1826819323 
• Amazon Music: https://music.amazon.com/podcasts/0754cdde-f1c4-4f6c-92a2-e263f7840eb8 
• iHeart Radio: https://feeds.transistor.fm/ciso-titans-unencrypted-unfiltered-unpatched 
• YouTube: https://www.youtube.com/@GuardiansoftheDataPod 

How can simplifying your data governance strategy revolutionize your security posture?

In the inaugural episode of Guardians of the Data, host Ward Balcerzak sits down with Luis Valenzuela, Director of Data Governance and Data Loss Prevention at InComm Payments. Luis, who brings two decades of cybersecurity experience, dives into the often-overlooked fundamentals of data security. Discover why understanding and categorizing your most critical data is paramount, how robust governance can transform your approach, and the strategic role of tools in a well-defined process. Luis also shares his inspiring journey from Colombia to becoming a cybersecurity leader, highlighting the power of hard work, resilience, and cultivating strong relationships and processes.

Takeaways:

• Prioritize Data Governance: Establish clear data governance frameworks that are practical and actionable. Avoid lengthy, complicated documents that no one will read.
• Simplify Data Classifications: Reduce complex data categories into a smaller number of easily understandable types. This helps with better adherence across the organization.
• Combine Tools with Processes: Utilize both technological tools and well-defined processes to manage data security effectively. Tools should complement your strategic planning and governance efforts.
• Training and Awareness: Regularly educate and train employees about data security policies and procedures. Tailor this training to specific departments to make it relevant and practical.
• Document Sensitivity: Label and classify data accurately to ensure that sensitive information is appropriately protected according to its level of sensitivity.
• Foster Trust: Collaborate with different teams and leaders to build trust. This eases the implementation of security measures and reduces the typical friction between security teams and business units.
• Focus on People and Relationships: Invest time in understanding the needs and operations of different departments. Effective data security is as much about relationship management as it is about technical measures.

Quote of the Show:

• “The emphasis is on process. The more I work in cyber, I realize that's what we need to work more on.” - Luis Valenzuela

Links:

• LinkedIn: https://www.linkedin.com/in/luisvalenzuela28323623/ 
• Website: https://www.incomm.com/ 

Ways to Tune In:

• Transistor: https://guardiansofthedata.show/ 
• Spotify: https://open.spotify.com/show/5gZXInkb12Qrs2Lyv0hstQ 
• Apple Podcasts: https://podcasts.apple.com/us/podcast/guardians-of-the-data/id1826819323 
• Amazon Music: https://music.amazon.com/podcasts/0754cdde-f1c4-4f6c-92a2-e263f7840eb8/guardians-of-the-data
• iHeart Radio: https://www.iheart.com/podcast/269-guardians-of-the-data-285972170/
• YouTube: https://www.youtube.com/@GuardiansoftheDataPod 

Welcome to Guardians of the Data! Join host, Ward Balcerzak, each week as he dives deep into the passions, expertise, and experiences of CISOs, Chief Data Officers, and more. Guardians of the Data is sponsored by Sentra - AI-powered data security platform that discovers and classifies all your data accurately and automatically to achieve enterprise-scale data protection without the fuss.