Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
All righty, then.
Ladies and gentlemen, welcome back to another episode of
Privacy Please.
Cameron Ivey, here with Gabe Gumbs, we are back.
We are so sorry.
It's been a few weeks.
Things have been crazy, Gabe.
How you doing, man?
I know you're back from traveling as well.
Speaker 2 (00:15):
I am well.
It's been a couple of busy weeks for security, privacy,
resiliency.
We got a lot to cover and not a lot of time to cover it.
Speaker 1 (00:27):
No, there never is
enough time there's never enough
time and I'm good.
I'm good, yeah, traveling, um, finally back at home and had IAPP
last week.
I was about to say last year I had it last year also yeah, IAPP
last week was awesome.
We'll dig into that in a few minutes.
(00:48):
I know that you were at an event last week as well.
Speaker 2 (00:51):
I was out at VeeamOn
the Veeam user conference, Veeam
being the backup and resiliency company, the leader of backup
and resilience software and one of Myoda's technology alliance
partners.
An awesome, awesome event.
We had some customers there,got a great chance to meet with
(01:15):
some more of the Veeam folks, really just you know, get
further into the Veeam community. Really excited to continue to
serve them.
Speaker 1 (01:24):
Love that, so does
that make you guys Veeamers?
Speaker 2 (01:27):
Ooh it does now, now
that you said it yes, yes, yes,
it does.
Okay, so was.
Speaker 1 (01:32):
IAPP.
It was good, but wait, wait, wait, wait, wait. Before we dive
into that yeah, because you know we have security folks on here
too.
Speaker 2 (01:45):
Anything you want to
leave anybody with that isn't
too familiar with these events or anything cool that.
So resiliency, in particular, has become an absolute necessity
in security, right?
So this week RSA is going on right, big deal, huge deal.
And you had the biggest arguably the privacy version of
RSA, right so IAPP, so that was happening.
This week also, the Verizon Data Breach Investigator Report
(02:08):
dropped as well.
It's been a busy week in the security and privacy space.
But, yeah, on the resilience side, well, hell, even at RSA
this week you're seeing a growing number of resilience
providers.
Right so, the Veeams of the world showing up at RSA, because
resiliency is a security problem, which shouldn't come to
(02:28):
a surprise to anyone who's listened to this show for a
while.
We talk a lot about confidentiality, integrity and
availability.
Those are the three things that encompass security and they are
the backbone of resiliency.
Love that.
Speaker 1 (02:40):
Yeah, so okay, IAPP,
we got a lot of privacy
listeners as well.
I don't know if any of you listeners were able to make it.
If not, we can kind of give you a little recap.
There was a lot that went on, a lot of good stuff.
I don't know where we should start, but let me just I'll
start by saying this the major theme of this year's conference
(03:01):
was the development of AI governance and their frameworks.
That was a huge thing.
Companies are navigating, of course, the complexities of AI
risks and compliance.
What's one of the quotes?
I don't know who said this, but building the plane as they're
flying.
It was one of the main quotes that I took from that.
So the focus was on understanding regulatory
requirements, addressing business needs and delivering
(03:22):
concrete outcomes, like expanded data protection impact
assessments, so DPIAs.
Speaker 2 (03:29):
You know what's
interesting about that?
What's?
Speaker 1 (03:31):
that.
Speaker 2 (03:31):
As a juxtaposition to
that Verizon Data Breach
Investigative report.
They subtly debunk a bunch of overblown fears around AI and
security Around AI and security, because attackers are still
very much experimenting with AI.
But they highlight that the real risks are a bit more
mundane.
It's data leakage, it's poorly controlled access, it's
governance gaps, it's the privacy concerns that AI is
(03:55):
really driving, not so much the security concerns, yet that's a
good point.
Speaker 1 (03:59):
Yeah, is that
something that would be obvious?
I mean, like, does that seem like it's not very shocking to
you?
Speaker 2 (04:07):
I think for me it's
not super shocking because, as
someone who is both an ethical hacker and a user of a lot of AI
tools, including, like AI coding tools, there's a lot that
it is very capable of doing.
That definitely makes an attacker's job easier for a
(04:27):
traditional attacker to be successful.
That, if we're being honest, attackers are.
They're creatures of habit.
They are like water and they will find they will find their
level and whatever crevice they can get through, and they also
prefer to use the least amount of effort to get success.
So retooling or, you know, completely modernizing their own
(04:50):
tool stack to include AI isn't really worth the return on
effort yet, considering they're still making bank on
conventional methods.
So attackers are doing a lot of experimenting, but there's a
lot of people out there just banging the drums going AI is
going to make security Like AI is turning people into super
hackers and I'm like I don't know about that.
(05:10):
And so the report does suggest the exact same, but points out
that the real problems are very much around leakage and
governance.
That's the real problem.
Speaker 1 (05:21):
Yeah, yeah, that
makes sense.
Now I wonder if that kind of falls in line with this next
point that I'm going to make.
So another big thing from the conference from IAPP was around
technology right, and you can just hear this in rumblings from
groups, from people you're just talking to on the floor.
Of course, anyone listening knows that I work for a company
(05:41):
called Transcend, but, honestly, the growing frustration with
outdated privacy management tools is still like that is one
of the biggest things that was being heard on the floor from
others, from just rumors going around.
It's something that's been talked about even in the past
few years, but that's one of the big like demands that people
(06:02):
are looking for a better, innovative product that can grow
with them, and privacy leaders are looking for scalable
solutions that can integrate with their broader data
governance that offers like automation and reduces manual
work.
I feel like that we've heard this years and years and years
as like this isn't anything new, but it seems like leadership is
(06:22):
really trying to move themselves from those outdated
tools, tools and this is a very touchy subject too, Gabe,
because I know being in a leadership role.
It's one of those things where it's like it's hard for someone
to say that I need to move on from a tool that you have, not
only because it almost says well, I failed at picking this tool,
(06:45):
I need to put in another tool and you need to give me money
for it.
It's hard to do that on the privacy side because the funding
is lower and usually you're coming off of either security
funding or you definitely have lower funding than the security
team, depending on how your company is structured.
So I mean that's a big challenge too.
Speaker 2 (07:05):
Isn't it weird,
though, that we just said that
confidentiality, integrity and availability are the pillars of
security, the C being the first thing confidentiality and yet
somehow security doesn't have a privacy budget of their own, so
the only tool in their bag is essentially encryption for
(07:27):
confidentiality, then, and, I guess, maybe, by extension,
identity, and so everything starts looking like a nail.
It just doesn't add up that the security budget doesn't include
privacy dollars.
How else does one keep things confidential?
That's a good question.
Speaker 1 (07:44):
I mean that's the
other challenge.
There's so many you hear complaints about smaller
companies and smaller privacy teams that don't have the
backing or support like some of the major companies that care
about privacy.
But it's a little bit different in terms of being able to
(08:09):
afford those types of tools that can be innovative at the same
time.
I don't know, that's a challenge, but it's nice to know
that people are looking for a better, innovative tool rather
than just sticking with something that's known, kind of
like OneTrust.
I'm just going to name bomb. Like OneTrust.
Everybody knows who OneTrust is, but they've been around a long
time and there are better innovative tools out there that
(08:32):
can kind of fit your needs a little bit better, that are more
customizable, more integratable things that you don't
necessarily need to have engineering experience to
operate this tool to be efficient in your privacy um, in
your privacy game.
So you're spot on.
Speaker 2 (08:49):
I've said it before
about security posture, but you
can't as we've talked about literally since the first
episode of this show over five years ago you can't separate
privacy and security, right like you can't have privacy without
security and arguably, you can't have security without privacy,
considering that confidentiality is a core part of security and
security and privacy posture isn't about logos, it's about
architecture.
It's not about the fact that you bought the most known logo
(09:11):
and I've heard it before, literally quote we use the best
in class tools Awesome but attackers don't care about your
brand stack and humans making mistakes don't care about your
brand stack, they care about the gaps in between.
That architecture.
And the gap between perception and reality is not just academic,
it's operational, it's strategic.
Speaker 1 (09:30):
That's a good point,
man, we could see.
This is why I wish we had some more time.
Speaker 2 (09:35):
Well, we do.
I think we're going to have to spend the next couple of
episodes like really diving into this because it feels.
It feels like the narrative needs a bit more informing out
there.
Speaker 1 (09:47):
Well, yeah, because
the other, the other problem is
that privacy people are always just kind of seen as compliance
gatekeepers, and that's not what they are, that's not what they
want to be, and I think that's another shift that's happening
and you know, I think it's just it's just going to take time
because it is getting bigger and better and it's just going to
take time to be taken more seriously, and I think it's it's
on the right path.
Now I will say one one downside from the IAPP that everybody was
(10:09):
like, uh, kind of disappointed about was Sam Altman from
OpenAI.
He was like the big piece to talk, um, and he ended up
showing virtually at the big talk at the end.
So everybody was like what?
I felt kind of bad for people that waited around for him
Cheated yeah.
Yeah, it almost like.
Do you think that it was recorded?
(10:30):
Like, was that actually him live.
Speaker 2 (10:32):
How am I supposed to
hit him in the face with a pie?
Speaker 1 (10:34):
if he's only virtual.
Speaker 2 (10:35):
It's a lot of
questions, Aya.
Speaker 1 (10:37):
A lot of questions.
I mean, I get it, everybody's busy.
I'm sure he's busy, but it's just interesting that he was the.
He was the big keynote speaker, um, and he showed up virtually.
Speaker 2 (10:48):
So I know I'm being
honest with you, if I'm the head
of OpenAI, I don't really want to get in front of a bunch of
privacy people and answer questions.
Holy shit, that's fair.
Speaker 1 (10:55):
That's fair, I'd be
afraid yeah, and and just I'll
close this out with saying like it was so awesome to see so many
cool people and some really nice people that I ran into that
listened to our podcast, Gabe.
It's just really neat to run into people in person and it's
cool to hear that what we're doing is still something that's
important to others, that they tune in and they actually say
(11:17):
you know they have good feedback and so we appreciate it.
Speaker 2 (11:20):
Maybe we hit them
with a bonus episode this week.
We may want to hit them with a bonus episode this week to catch
him up on, because there's been a lot happening this week, so
let's do that, yeah let's do that, ok.
Speaker 1 (11:30):
well, we'll end it
here on this one and we'll get
that little bonus one out as well.
But thank you, guys, and we'll see you in the next one.