Everything is a data security problem now
May 06, 2026
Transcript
Samuel Hill (00:18) Hello everyone. Welcome back to Mind What Matters. My name is Samuel Hill, and I'm joined by my friend and co-host Landen Brown. Landen, there's a lot on my mind today. How are you, bud?
Landen Brown (00:30) I'm doing well — a lot on my mind as well. Certainly a busy week for the Brown family. I feel like I say that every single time we talk, Sam, but things are really well here. On the business and MIND side, we're also just killing it as a team. So nothing but good marks this week for me.
Samuel Hill (00:45) You know, I told my boss this, so I'll say it publicly. MIND has now officially been the best job I've ever had in my entire life — for some time now. There are some high bars in my history and career. MIND is officially at the top of the heap at this point.
Landen Brown (00:54) Wow. That's amazing. That's amazing. We get to share it together.
Samuel Hill (01:06) Yeah. So what's going on in your world, man? What's on your mind today?
Landen Brown (01:14) Man, we had a busy weekend. One thing that me and my family have gotten into pretty heavily over the past month or so is desert racing. We all have dirt bikes — we've been dirt bikers for a long time and we've competed in some races here and there. I'm not willing to break my neck when I have five kids to feed, so I compete at a very much amateur level.
My son, on the other hand — he's three years old, the youngest racer out there — and he took first place this weekend in his Pee Wee Beginners class. Pretty huge accomplishment for him. I get to live through him a little bit in terms of competition and lack of fear. It was certainly a fun weekend for the Brown family.
Samuel Hill (01:44) That's amazing. You sent a video in our team Slack of you on that race. You said you're not willing to risk your neck, but the video did include a noticeable crash on your dirt bike.
Landen Brown (02:08) That's right. And it seems like every single time I crash, it's into a sagebrush — the most amazing, pillow-like landing. If you watch that video, you see all the branches just explode into chaos at the same time. But those aren't on purpose, Samuel.
Samuel Hill (02:30) I know they're not on purpose, Landen. That's why I bring it up. If you did it on purpose, we'd be having a different conversation. Sagebrush probably smells delicious too, so bonus. Hey, so this weekend was busy for us too. Flag football in the spring — my two boys both do flag football at their different age levels. My youngest, who is five and a half, had his very first ever flag football game. Bunch of five-year-olds running around a football field — what an experience.
He made this great play, the first flag pull for our team of the year. He kind of dove in, grabbed the flag, and was just so proud of it. And then a little later in the game, he took a handoff and immediately ran and hid behind me, because I'm the coach on the field. I'm trying not to move because I don't want to be that coach who's blocking for his five-year-old. I kind of stood there, and he ended up ducking out behind me and juked the entire defense for a long touchdown run. Lots and lots of cheers.
Landen Brown (03:27) That is awesome. Proud parents this weekend for sure.
Samuel Hill (03:32) Yeah, also living vicariously through our children. I wish I was that good at football when I was five. I was not. But here we are. Well, Landen, let's dive into what's happening in our world as we mind the headlines.
The first story I want to bring up — there's new research published by the National Association of CIOs along with Deloitte. It was directed at security leaders in the public sector: state and local governments, the people charged with protecting the data of their citizens and residents. And some interesting points came out of this survey. Only 26% of these CISOs say they are confident in their state's data protection. That's down from 48% in 2022, and a new low since the survey began. Shocking numbers. The decline is pretty striking.
Landen Brown (04:40) Yeah, it's really interesting. I can't imagine being in the position of a state CISO. They're probably some of the most tenured people in the industry and get less praise than they deserve. And one of the things I think about is everything moving toward technology — not just AI. We think about water, irrigation, electricity, production and manufacturing. Everything is moving toward an IT focus. That's before AI even enters the picture. You can start to understand why CISOs are becoming less confident that they can protect their information assets within the state. And then you layer on AI and generative AI on top of that. It doesn't shock me that this stat is going down, especially considering the public sector tends to lag behind the private sector in terms of responding to these things.
Samuel Hill (05:29) They certainly do, probably for some good reasons and some frustrating reasons as well. The other stat to pull out here: 63% say they're not very confident that their local government or public universities can protect citizen data. What struck me about that is we did some primary research here at MIND, and that number was almost identical — 65% of our respondents said they were not very confident in their data security, especially for AI. It really goes to show that the predominance of security leaders are struggling to get their hands around how to secure data in the world of AI today.
Landen Brown (06:14) Yeah, and it highlights more and more every day that data security isn't a siloed function anymore. It's not just a Postgres database or a SQL database. It's an ever-present, ever-pressing threat to the organization that impacts everything. And probably more accurately: everything else impacts it. This "not very confident" statistic matches what we're hearing from the peers we're talking to, as well as what we're seeing in the public sector.
Samuel Hill (06:48) Yeah, and then budgets are getting cut this year. A couple of years ago they were flat — not increasing, but not decreasing. Now budgets are going down. I wonder if that's because they're projecting cost savings and efficiencies from AI while still not feeling very confident in their ability to secure data.
Landen Brown (07:02) Yeah, it's hard to tell. I'm not going to pretend to be an expert on why the budgets are being cut. But you can certainly say it has an effect. It reminds me of the conversation we had with Linn Friedman about AI regulation — there's an interesting dichotomy between cutting the budget and the forbidding of state-by-state AI regulation at the same time. Those two things are loosely correlated, and the challenge states are facing now is: we can't regulate AI and our budgets are being cut. It seems like a pretty obvious answer that confidence in data security programs is going to decline.
Samuel Hill (07:55) Yeah, in general. I think it goes to show that state and local security leaders have their own unique challenges within their vertical. Most organizations have their own unique challenges. They're not unique in that theirs might be higher than others' perhaps, but at the end of the day, most security leaders are struggling mightily around data security and keeping sensitive information safe from those who would be attacking it.
And moving on — also speaking of sensitive information being attacked — Medtronic, the large medical device manufacturer, confirmed through their 8-K filing that Shiny Hunters has ransomed them and threatened a data leak involving millions of very sensitive records. Do you know anything about this attack, Landen?
Landen Brown (08:49) Yeah, it seems unfortunately very similar to the majority of breaches we're seeing. A lot of SSO credential theft — it starts with phishing, maybe some vishing. Impacted by MFA fatigue or token theft. But it always ends the same way: a bulk export of data. This is a topic you and I are very keen on tracking, which is the accidental, negligent or malicious exfiltration of sensitive data.
What this really highlights is there are elements of identity and access compromise, elements of SaaS and cloud data exposure, but also just poor segmentation inside their corporate IT environment. It's a perfect segue from the CISO statistics — everything is impacting data security, and we can't just have a data security team anymore. We're starting to see data security incorporated into the broader security team as a member and stakeholder in a more structured and predictable way. Usually these teams have been siloed off. "You guys handle data security, we'll do real security — EDR, identity, threat investigation." Now we're starting to see how many things impact data security. That steward needs to be in the room at all times.
Samuel Hill (10:24) It's hard. Medtronic is a very large company — billions of dollars in revenue. Large companies inevitably have siloed functions to manage scale. But the reason we have security in the first place is because there is sensitive data we must protect: intellectual property, patient records, customer records, things that would be very damaging if they got out.
I think we're seeing this trend line toward getting back to basics: we have sensitive information that is fundamental to how our business operates, and we have to keep that safe. The tools we've built — our SIEM, our SOAR — are in service of that. They exist to keep data safe. What do you make of all that, Landen?
Landen Brown (11:28) Yeah, I think we're entering uncharted territory. We're encouraging shadow IT and shadow AI to break down barriers and democratize security internally — while at the same time trying to protect against it. And then we have situations like this where the foundations of security are still being challenged. Even organizations with billions in revenue can't put together a program or hire enough people to manage it at scale.
It makes you wonder on two fronts. One: what is the answer in an AI future? Are we going to have more extensible, modular ways to handle enterprise defense end to end? And two: as an average American citizen — with the number of SSNs, email addresses and physical addresses that get leaked — there has got to be a better way to sign up for a brokerage account or apply for a home loan. Too much data is freely accessible to the world at this point. I think AI and the acceleration of data loss in this industry may actually usher in a new way of verifying human identity as well.
Samuel Hill (12:56) Yeah. Half the time I go to a doctor's office — I took my kid to the orthodontist recently — and I think: why do you need this information? What about this treatment plan requires this particular piece of data? I think as citizens and consumers, we should be asking those hard questions: "I'm not giving you my social security number. You don't need that." Partly because I don't trust that the piece of paper you want me to write it on is going to stay safe, or that you're not going to enter it into a system broadly accessible to the open internet. Asking those hard questions is a good thing. And yeah, maybe there is some structural change needed around how we identify people and use their information to provide service.
So okay, let's move on. I've been looking forward to this part. We're going to call this segment: Speak Your Mind.
Landen, sometimes on podcasts you can get the most milquetoast opinions — "I just really want to echo what so-and-so said." Here's my Speak Your Mind: I am done with conference speaking panels. Absolutely done. If I wanted to hear a group of people all say the same thing, I would open whatever echo chamber of choice is available where everyone agrees. I want to hear challenging opinions, diverse perspectives — things I may not agree with but that make me think. As Mark Twain famously said, it's not what you don't know that gets you. It's what you know for sure that just ain't so. I would love to discover the things I think are true that just aren't — so I can go about my life better. I'm done with milquetoast takes from speaking panels where everyone claps each other on the shoulder and no one dares push back on a prevailing narrative.
Landen Brown (15:20) You know, it's hilarious, Sam, because I couldn't agree more. I'm saying that on purpose, by the way, to underscore your point.
My related opinion — and I'm going to make some people upset, so hopefully this doesn't go too viral — is that we've done a real disservice in the cybersecurity industry by elevating vendors to give speaking presentations at an absurd rate. The reason this happens is because they pay for the conference. Conferences wouldn't exist without vendor booth money. The commission you give a vendor for securing their booth space is often a speaking slot. And the challenge is that vendors frequently have no idea what it's like to be a practitioner.
To be fair, Samuel, I've probably been guilty of this at times in my career. But what it's led to is exactly what you're describing: very stale, "let me tell you exactly what you already know" presentations in front of 250 people. And everyone claps not because the points were great, but because someone got up on stage. That props up what we call "thought leaders" and suppresses the actual tinkerers and doers — the people who don't want to be on a stage and aren't going to pay $200,000 for a booth, but who have really, really good insights into how to actually practice data security. I'd like to see fewer vendors pretending to be practitioners and more actual thought leaders who sit in the seat every day bringing up controversial opinions on how they handle cybersecurity.
Samuel Hill (16:50) Yeah. I saw somebody post after RSA — I thought this was really interesting — they said there were too many suit jackets on the floor. "Where's the guy in Doc Martens and a kilt who installed Linux at 12 and has been writing code and breaking things ever since?" You're right. We've elevated the suit jackets over the people who have hands on keyboard — who get the spidey sense about that one alert that hits the system and say, "Hold on, this one's a little weird," and then dig into it. Those people are worth their weight in gold, and we should hear more from them. The problem is most of them aren't always easy to listen to, unfortunately.
Landen Brown (18:07) Right. Yeah, it makes me wonder if there's a new form coming for getting that information out — not on a stage. New blog models, a reverse-blog format where you post an idea and debate the crowd and it builds the content from their insights. How do we elevate the people who are actually doing things right but don't have 20 hours a week to prepare a conference speech? They don't have the time because they're doing their job, and they're doing it well. Anyway, that's my hot take, Samuel.
Samuel Hill (18:42) I love it. And I agree with you for the most part. The vendor community does have our own bent on the narrative we want to get across — which is why we pay to be at the conference. But I will offer one defense of vendors speaking at conferences.
Landen, how many customer environments do you see in a given week? Dozens — whether it's pre-sales engagements or working with existing customers. You see the nuance and complexity that differs organization to organization. And that can be genuinely useful to a practitioner who is heads down in their own specific version of mess. Being able to say, "We've seen this customer solve a similar problem in a similar environment — here's what they did" — that's the one thing a vendor community can provide. We see more breadth, even if we don't understand your depth. I think that's what you're calling out.
Landen Brown (19:56) Yeah, that's a fair point, Sam.
Samuel Hill (19:59) Glad we agree.
Landen Brown (20:01) Ha.
Samuel Hill (20:05) All right, let's dive into What Matters Now.
Landen, I think what matters today is the reality of cybersecurity focused on data. You and I have talked about this a lot, both privately and publicly — the convergence, the breaking down of silo walls between cybersecurity disciplines and tooling. Most disciplines were built around specific tools. We're now starting to see the categories merge around data security as the common focus. The industry will throw out acronyms, as it does. But I think we're both clear on what matters for companies today: what data do you have, who has access to it, and what are they doing with it? Because at the end of the day, cybersecurity is about data.
Landen Brown (21:02) Yeah. If you're making an investment in cybersecurity — time, resources, headcount or product — the thing you should be evaluating most right now is what is building the connective tissue to let you see how everything is impacting your data.
There's also an equally harmful focus on "we just need to buy more data security solutions." In the case of the Shiny Hunters and Medtronic breach, that wasn't the answer. Yes, they could have put some safeguards in place that might have delayed the attackers. But the reality is all of the surrounding infrastructure was the reason the data was exfiltrated as easily as it was. So if we're making investments and choices about how to mature our data security organization, we should be looking at how all the different functions of the business feed into data security — and ensuring we have a step-by-step ladder of maturity that all benefits data security as a common level.
Samuel Hill (22:03) It also gets data security people out of their chairs and talking to the network security folks, the cloud security teams, the app sec teams — all of whom are either transporting, storing, using or manipulating data. And that's before we add AI systems and tools into the mix.
We've been doing a lot of thinking on this: the end of security by obscurity. It used to be that a sensitive file could be sitting in a SharePoint and no one knew it was there, so it was probably fine. That's just not the case anymore. Copilot is connected to that SharePoint and has broadly exposed that file at a level that's unprecedented. Your SharePoint admin now needs to be concerned about data security because they're connecting Copilot to the entirety of their M365 environment. Everything is funneling down to the fundamentals of data security.
Landen Brown (22:55) And there are adjacent areas we see a lot in customer environments: Azure File Sync turned on, OneDrive File Sync turned on, public links attached to OneDrive — and because it's synced to endpoints, data that lives on a desktop is actually publicly accessible. Now AI is attached and can see it. What they didn't think AI could touch because it was on their local machine is now uploaded and synced into Microsoft Teams or OneDrive. These are infrastructure configuration issues creating interconnected problems.
The other challenge is budget and training. We always default to building a better process, buying a better solution. But for 20 years, we've kind of laughed at the cybersecurity training company. Those organizations might become very lucrative very soon — if they can also teach how to build that connective tissue across the enterprise.
Samuel Hill (24:05) That's an interesting thought. The three things in cybersecurity are people, process and technology. You've identified that processes can be cleaned up. Technology in the right spots is a force multiplier. But it all comes back to data.
I read somewhere — maybe on social — that companies are starting to say: "I'm not going to just buy more AI tokens. I might hire a junior developer to handle the low-level work we all thought AI was going to do, because it's now too expensive to just throw tokens at a problem." And on the other side: having good people, training your people — that's a wonderful way to improve your cybersecurity posture. Great point.
Landen Brown (24:42) Yeah, 100%. I think training is going to be the most overlooked focus of this year. There are areas of tech typically held by people who are less technically passionate — governance, privacy, legal — and hyper-technical teams like DevOps and SREs. These two groups have coexisted with steering committees and shared forums. I don't think that's going to be sufficient anymore.
We really need to focus on how we train people — either to become agentic engineers or just to become better cybersecurity professionals in general. The organizations that actually care about developing their people, that don't just feed them to the wolves and wait to get breached — those are the ones that are going to stay great or get great this year.
Samuel Hill (25:59) May we all work for that organization. And as I said earlier, it's a wonderful thing to be in a place like that. Well, Landen, let's wrap up as we do every single episode. What did you learn today?
Landen Brown (26:05) Samuel, I learned that you and I are never short of hot takes. Even when we disagree, we also agree at the same time. But seriously — almost every time we talk, I'm reminded of how much focus we put into thinking through these problems to better serve our customers. And also that, at the end of the day, the most important things we have are our families. The fact that we start every episode sharing what we're proud of with our kids and then get into the hot takes — it's just really fun. Learning that a good balance of everything, in security as well as in life, is kind of an essential path forward.
Samuel Hill (26:59) Maybe one day we'll start a podcast without sharing kid stories or talking about random things. I don't know. Probably not next episode. I'm not sure. It's probably going to be about our kids again. But I want to echo everything you said. You said it really well.
And I'll say it differently: I think what I learned today is the more things change, the more things stay the same. If you treat your people right and do your best with what you can control, things generally work out. Coaching flag football, watching five-year-olds — I can't make them understand the play any better because they're five. Quite literally, the entire playbook is "hand it to Billy." That's it. Can it get more complicated than that? My wife came to practice on Thursday — she enjoys watching football but she's not a football person by any stretch — and she was watching and she said, "I don't think I can follow more than play one, two or three." And I told her: it can definitely get more complicated. She said she didn't think she could go further than number three.
But I can't really control them once the play starts. So: control what you can, and do right by the people who have been trusted to you.
All that to say — Landen, thanks for chatting again today. And to all of you watching and listening, thank you as well. For Landen Brown, my name is Samuel Hill, and that's all for now.