
Mid season reflection with Kim Jones.
Ethan Cook: Welcome back to "CISO Perspectives." I'm Ethan Cook, lead analyst at N2K and editor of the "CISO Perspectives" podcast. Throughout this series Kim's been venturing in to uncharted territories and tackling some of the most complex emerging issues facing our industry from every angle. Over the past few episodes we've had some incredible guests, leaders who've built, broken, and rebuilt security programs, grappled with emerging technologies, and reshaped what it means to be a strategic leader in cybersecurity. Now we're pulling back the curtain a bit to give you a deeper look in to what we've been building here at "CISO Perspectives." In this episode we're hitting pause to reflect on the insights we've uncovered so far and set the stage for what's next. Today the mic turns to Kim as he becomes a guest. I'll be asking him to look back on the past several episodes and share what stood out and talk about where the conversation goes from here. Let's get in to it. [ Music ]
Kim Jones: Ethan, welcome back.
Ethan Cook: Good to be back.
Kim Jones: I love when we did this not only last season, but I also loved when we did this earlier. It's a great opportunity for us to just have the discussions regarding some of the material that's out there and get a little more probative on some of these pieces and parts. So I think last time because the focus was more policy and law which was heavy in to what your background is I think I was the one being more probative of you. So what I'm going to ask you to do this time since the topics seem to be more I want to say of a technical bent I'm going to ask you to let's flip the script and have you be a little more probative of me. So floor is yours.
Ethan Cook: So as a quick, you know, recap, we've had two major themes going on. We've been talking about privacy and how that's been evolving and the ways we can look at that as well as fraud and identity and the impacts that newer technologies are having on that and the way threat actors are evolving attacks on identity and committing fraud. As a quick recap for you all. So I think for me, you know, I know a good amount about privacy. Not the technical sides of it, but from a policy standpoint. So I think let's start with the identity side because that's something that's a little less grounded for me. And maybe I can pick your brain a little bit. So one of the conversations that we had was about the impacts of AI and how AI is changing the face of identity and how it's going to change the face of identity. And we talked about different recommendations and ways to manage AI and how AI's kind of just proliferating through every business and how it's becoming really difficult to kind of limit its access. How are you seeing that and what is really driving you? And what do you think are the best ways for practitioners to evolve that?
Kim Jones: Well, great questions and I'll start with the last part which is, yeah, what are the best ways. Yeah. That's a good question. I think we're all trying to figure that out right now. But an interesting concept that I've been having lots of conversations about regarding identity and AI, so I like to go broad when we talk about topics like this. So if we understand the basic concept of identity which is for lack of a better term I think we talk about it more -- Richard talks about it phenomenally well about basically how do I determine that you are who you say you are and then associate permissions to do things with that in the environment. Now if we think about this conceptually every time an application, let's get down to applications, does something on your behalf as in, you know, auto loads your password even on a web based application or goes forth and fetches data from a system on your application, that application is acting in limited fashion as you. It is interfacing with another system on your behalf to do certain things within the environment. Now let's apply this, and it's not a perfect analogy -- let's apply this to AI. AI can be boundless in terms of what it does for you. So if I establish an AI agent, and my terminology's flawed, I understand, within my browser, etcetera, to do certain things then I give that AI agent permissions to act as me. That AI agent can do almost boundless things on my behalf. Now let's take it to the next step. If that AI agent is hacked then that AI agent on my behalf can do malicious things within the environment. So are we getting to a point where not just AI is making it easier to commit fraud because of speed or the reality or the seeming reality that ejects in to scams, etcetera, within the environment, but are we getting to the point where the AI agent needs to be addressed as a separate persona if you will? 
So there's Kim Jones, you know, the physical entity that is authorizing apps, and then there's the, you know -- the Kim Jones persona or technical or digital clone that also has potentially boundless ability to do things within certain environments. And that I need to start thinking about this in terms of accountability, in terms of assignment of permissions. Do I need to track that AI entity or the Kim Jones AI entity as a separate different entity from Kim Jones the individual authorizing applications? And I'm hearing a lot of discussions regarding that as people see the potential boundless capability of AI. What is that going to do to that function of identity? Not just for fraud, not just for scam, but this thing now beginning to for lack of a better term anthropomorphize in to a separate entity which is another step of evolution in terms of how we address our -- yeah. How we address technology, our concept of -- I hate to get metaphysical here, but our concept of big air quotes "humanity." What it takes to do that within the environment. And then on the scary side are we a step closer to Skynet? I don't know, but these are the type of conversations as AI has accelerated within the environment. So where's the accountability? Is it me? Do you track that as me? Or do you track that separately? How do you investigate? What do you do? These are interesting questions.
Ethan Cook: And I would think, you know, this -- just you saying that I think there's another angle to that which I know you guys talked a little bit about, but the similar conversations that emerged with cloud and how, you know -- when we -- when cloud first came out I think, and to this day we still kind of see this which is a huge problem with cloud environments is misconfiguration. And I'm sure that's a similar thing that's popping up with AI right now. Everyone's so ready to get in to it that people aren't really taking a step back and making sure that its scope is limited, that it is properly secured not just from a "Oh. Someone's going to hack in to this" but so it doesn't creep out on its own and start doing things without permission.
Kim Jones: Yeah. And I tend to downplay the misconfiguration concern a little bit. Not that it isn't a concern even, but even the best configured systems can go wrong.
Ethan Cook: Yeah.
Kim Jones: Because these best configured systems at the fundamental end are made by human beings. And human beings are flawed. For us to say that a system is perfectly configured therefore it will not be compromised and something won't go wrong is the fallacy of the concept or perception of perfect security. And when I teach at Berkeley and other places I tell people perfect security's an oxymoron. It doesn't exist. You want perfect security? Close up shop. Wipe your systems. Dunk your computers in Lucite and drop them in the Marianas Trench. Fantastic. Perfect security. Can't get anything done, but perfect security. So, you know, I agree from the configuration standpoint it is important. I agree that we're not understanding the potential impacts. It's the classic ready fire aim associated with, you know, new tech that's out there. But even if we take the time to slow down and do it right stuff is still going to go wrong.
Ethan Cook: Yeah. So let's -- you mentioned this earlier and I think it's, you know, we had this conversation. We really dove in to the concepts of scams and frauds as an attack method with Mel. And we talked about how kind of the major themes that have been persisting one of which -- and this is a little different from that AI side, but you know the challenges we're seeing on the identity side. And I think we talked about a variety of scams from cryptocurrency scams kind of being the common one that has emerged over recent years, but we also talked about employment scams. And we talked about, you know, the nomenclature is pig butchering, but it sounds very harsh. I, you know -- I think Mel referred to it as like friendship scams or something along those lines. You know, out of these three kind of major scams that she highlighted and what they're seeing at the BBB one of them that stood out to me was the employment side. And how, you know, companies are being tricked in to hiring people who are not who they say they are and giving them access in to things. How do you manage that? What -- how can we -- you know, especially as we get more digital and people -- remote workers more prevalent, you know, how does that -- how can we get a handle on those things?
Kim Jones: Well, I want to first talk about the other end of that. You talked about companies hiring people who are not who they say they are. My first portion of that is there are mechanisms that exist in place right now in terms of background checks, etcetera, depending upon how much money you wish to spend and how, if you'll excuse the language, proctological you want to get regarding your hiring practices. And heavily regulated organizations do a lot of that. I want to talk about the scam from the other end. It's so funny because -- yeah. Because I regularly am on somebody's list right now that sends me a text and says, "Hey, you know, so and so is hiring," my old company Intuit. I got to attest. Intuit is hiring. And it's like yeah no. So, you know, in terms of fake jobs. And in an economy where people -- in particular when people are struggling or they're looking for opportunities they are providing information regarding themselves. They want to background checks. So they ask you to put in a social security number. Congratulations. You've just given them the keys to your kingdom. And those are the ones that bother me the most or that job scam area. And this gets back in to again concepts of identity. Right now right this second if I need, you know, from an identity concept standpoint identity is one directional or unidirectional. I have to prove that I am who I say I am to gain access to the systems. Where do the systems have to prove that they are who they say they are to me? And the identity paradigm is set up to be unidirectional and has been for a while. So the answer to your question from my perspective, Ethan, gets down to we have to get to a point where we need to start rethinking the identity paradigm. And until we break that identity paradigm it's going to be very hard to get in front of this and still allow this data driven economy to move. So I think fundamentally we've got to break the identity paradigm. We've got to change it. 
And I'm not hearing as much talk other than folks like Richard and a few of the people I know who are working on saying, "How do we do this effectively without over burdening the user or demanding more information from them than they're willing to give us?" So it's hard.
Ethan Cook: Yeah. And I think, you know, I still always come back to this thing when it comes down with identity and people abusing identity and the exploitation of the human factor and how for years it is -- we've always had this conversation. And to your point earlier which is you can have the best system, the best security, etcetera, do all these things, but it still manage -- or there's still some human aspect to this. And when you introduce that in to it fallibility happens. Mistakes happen. People are taken advantage of. And this human factor where we target people through social engineering makes it really difficult especially when some of these people are, you know, social engineering has only seemingly gotten better and more prolific year over year. How do we manage that side of identity? And getting people to not get taken advantage of in a way that we haven't already attempted.
Kim Jones: So you asked a very broad question at the front in terms of how do we manage the human side. The first answer is you don't. Let me give you a physical example. Okay? Physical crime. Law enforcement has been around for at least centuries realistically millennia.
Ethan Cook: Yeah.
Kim Jones: Okay? Murder's still a thing. Theft is still a thing. Kidnapping is still a thing. And the list goes on. I believe that there is an expectation of perfection within the techno ecosystem that is not realistic.
Ethan Cook: Yeah.
Kim Jones: I believe that we should be in a situation to say "Look. If we can't stop crime in the physical world how the hell do you expect to make it go away in the technological world?"
Ethan Cook: When the scale and the speed --
Kim Jones: Yeah. That is an unrealistic expectation. And business for in order to drive the data driven economy and cyber practitioners in order to drive our profession in my opinion have set that false expectation to the rest of the world.
Ethan Cook: Yeah.
Kim Jones: Now -- so one. In terms of how do you manage it you don't. That said it doesn't mean it can't get better. If you look across statistics in the U.S. from the peak -- I was looking at this in my Berkeley class and the numbers are going to be off, but the trend line isn't because I don't remember the numbers top of my head. For a while I was looking at, you know, murder rates climbing up to the '80s where it peaked and then took a drastic -- a drastic downturn for about 1980 down to about 2010 within the environment. So we and I believe the FBI measures number per 100,000, etcetera, within the environment. And it wasn't just a change in how they measured, but we were beginning to see different programs come in to play, different incentives, different incarceration guidelines, different things happening which were forcing the rates down. They did peak a little bit I believe during the COVID year, but are beginning to come back down, you know, within that environment as well. So looking at that trend line and trying to make a comparison to say the fact that we can't control it doesn't mean we can't make it better.
Ethan Cook: We can't reduce it to some extent.
Kim Jones: Reduce it. But we have to start with look. Let's be real. I can do everything in my power and say that I'm tough on crime. I can protect the bejesus out of the environment. Something's going to happen. I need to understand that. But what I can do is I can reduce the probability and I can reduce the impact. Or likelihood impact risk. I can reduce the risk within the environment. I genuinely and sincerely believe that we need to focus on are we reducing the risk reasonably within our environments. Now let's take another half step back. The broader question is what aren't we already doing. I just finished a great book by Ezra Klein which was looking at why certain things within this great nation may not necessarily be working the way that we want them to. And frankly isn't picking -- and Ezra Klein is very, very liberal and is actually castigating liberals within the environment. So, you know, for those of you who are like "Oh. He's criticizing." No. He's actually poking at liberals to say "You're the ones who say you want these sorts of things. We're the ones getting in the way of these sorts of things." It's a good read. But he talks about innovation and what we have tended to do with innovation and looking at grants for truly new and innovative technologies. And he uses the example of RNA and I can't -- I think it's mRNA. Basically the annoying technology that created the COVID vaccine. He talks about the original ideas and concepts regarding use of RNA to do things from a vaccination standpoint are 20 to 25 years old. And he gives the history of the woman who came up with this and for the better part of decades could not get grants, funding, any traction at all within the environment. And he even goes further to talk about studies that have shown that as we look at government grants and support for innovation and things of that nature we have tended to support more things that are focused around -- I use the old Bloom County tint control. 
You have modify existing things versus truly innovative groundbreaking ideas.
Ethan Cook: Break the status quo.
Kim Jones: Modify the status quo by half a percent versus go here. And in a later episode where we talk about investment, etcetera, I give a very pointed example of that regarding identity. Stay tuned listeners. It's coming up.
Ethan Cook: Yes. I --
Kim Jones: You know what I'm talking about.
Ethan Cook: I do, and I think there is a -- you kind of point at -- not to dive down on that, but I think there's obviously an incentive to keeping the status quo the same and that is the conversation that people should tune in to.
Kim Jones: And if what we want to do in terms of what we -- aren't we doing now that we could be doing, that we ought to be looking at doing better, is to burn the books. Is to throw away the status quo. It's to truly look at the problem differently and to embrace that level of true innovation out there. I think within the paradigm that we have set we're doing just about everything we can and ought to and should do within the environment. But it's time to break the paradigm, you know, and figure out, you know, is there a better way. And I do think regarding identity going back to what we started in this conversation there are ways to do these things, but they're so different it scares people. And because it scares people we walk away and just reinvent the same wheel with a new label and, you know, shinier stuff. [ Music ]
Ethan Cook: So let's -- you referenced it a little earlier and I think this is a good segue in to the conversation regarding some of the challenges that we're seeing year over year and kind of instead of changing them we're just kind of approaching it from a new way, but it's really the same way with just a new coat of paint on it. And that's how we handle privacy. And I think that's been evolving year over year and I think, you know, from a policy standpoint I have a ton of passion behind this and there's a lot of concerns not just regarding, you know, how algorithms are going after and, you know, getting data, but how AI is going to transform these things and the scale at which it can transform how we process data about people. So the first conversation was with Christie and we talked about the impacts on privacy from a small business perspective and the expectations on small businesses, especially ones that echo across state lines or go across country lines. We talked about the impacts of AI. We talked about how we can manage contracts and how we can manage how much privacy we give out, etcetera. I think one of the things that stood out to me in this conversation was -- and I just referenced it, but the expectations on small businesses who don't have the scale to be able to effectively manage privacy across let's say 50 different state privacy laws because the U.S. has essential privacy law, but it's not really impactful in the same way let's say the GDPR is. When we look at that, how -- how do you interpret that conversation? How do you say to a small business or someone who doesn't have the scale, but they are an internet platform who anyone from -- let's say they're based in Oregon. Someone from Florida can click in and buy their products and have it shipped across state lines, but they've got to give up credit card information, address information, you know, personal name, etcetera, email, all of that. 
How does that small business that does not have the scale to hire 50 different lawyers that are experts manage those things? And how can we begin approaching that in a more effective way?
Kim Jones: Great question. I'm going to answer your question because I think it -- I think it's absolutely relevant. And then I'm going to go broad again as we begin to talk about the concept of privacy. Christie does a great job I think near the end of that particular episode in because we ask that question very directly. And the short version is the short flippant yet accurate version is the best you can. The -- you know, the less short, less flippant, yet equally accurate version is you're going to have to go to third party resources out there, invest a part of your revenue in making sure you're staying ahead of that. Many companies -- for example, let's go to, you know PC iPhone regulations, they outsource their card. You know their card management system and their card holder data environment to a third party who then assumes all of that risk and regulatory overhead, etcetera. You're going to have to do that sooner or later. Now do you have to do that [inaudible 00:24:24] depending on your business when you have two customers in Oregon and everyone else in your backyard? Or you're going to have to do that large, you know, because you're working very small and you have no intention of expanding. The biggest thing for a small business to do is to not ignore it, ask questions. Most -- many of your chambers of commerce out there, the Better Business Bureau as well, may have resources that can point you in the right direction for that. So for a small business the short answer is just don't ignore it. That's the answer there. But let's take a look at the larger question. And there's some interesting paradigms and paradigm shifts happening with privacy. And let's just talk within the U.S. We'll leave the international piece alone because that would take us another hour. So we'll just stay here within the U.S. 
We all understand that the paradigm for data privacy within the U.S. is markedly different than say Europe and a lot of other -- a lot of other countries in terms of data ownership and what organizations can do. You know, way back in the day I give you my data. You could do whatever the hell you want with it. That paradigm is shifting here in the U.S., but it still hasn't shifted fully because of the potential impacts on this data driven economy that we have created here within the environment. But I will also state that given this data driven economy we have also seen shifts in expectations of privacy that are decidedly generational within the environment. Now my son, shout out to my son Scott -- my son went to the honors college, you know, here at the university. And the honors college has an undergraduate thesis that they have to give and defend in order to graduate. And he did his on the shifting paradigms of privacy. And when I read his dissertation and went to his defense I'll never forget the comment that was made by one of his students or one of his classmates rather who talked about their willingness to surrender data of any sort. And I'm quoting, you know, "I will give up any of my data to get a 5% discount at my local Starbucks." Okay. And, you know, that's a 22 year old 10 years ago. That's a markedly different attitude regarding privacy within the environment. That feeling that the stuff that I'm being asked to give up is not as valuable as the service or the return that I will get for it. We do that with -- and again not picking on Google. We do that with Google all the time. Google freely admits that its spider crawls anything you put within its systems, within its Gmail, within its documentation, to figure out how to better market and advertise to you. Yet we use Google regularly because it's free. You know, what we give up for that we believe is not as valuable as the services that we get. 
The dangers of AI combined with cloud computing, etcetera, is that relation. And again I don't know if I say it here, but I know I've said it in the past regarding data versus information versus intelligence. So we take the raw data. We put it in to context to create information. And then using processing speed as well as machine learning we can extract intelligence about you as an individual in many cases beyond what you really intended to give up. This goes back to, you know, the first Target breach in terms of someone just looking at surfing patterns for a 15/16 year old online determined that the young lady was pregnant before she had told her parents that she was pregnant. Now what we have is with AI and machine learning and the speed of processing the ability for us to take that innocuous data, contextualize it to create information, and then extract meaningful intelligence out of it is absolutely scary. And that's the big change that I think has got people worried from a privacy standpoint. That's the scary part that's going to have a massive impact upon our perception of privacy and our actual privacy in my opinion. So there's my doom and gloom speech.
Ethan Cook: So I -- I want to actually pivot a little bit because you mentioned how the data that we give up, right -- I saw a great report a couple weeks ago not about the data that you and I give up, right, but the data that company employees are entering in to AI systems to help speed up their work flow. Data that which is confidential, sensitive, etcetera, and they're viewing it as, "Oh. I'm speeding up my job." Right? This is data that I already had access to that I was working with. So like from a legal stretch of it they individually are fine. I guess this gets back to that previous conversation regarding different personas and what we can manage, but because AI is I guess so proliferated people haven't really gotten their handles on it. Companies certainly haven't. People are entering data in to databases, Excel sheets, etcetera, in to AI models.
Kim Jones: It's not the proliferation problem, Ethan. I know where you're going. It's not the proliferation problem. AI is getting as close to -- you know, I'm going to share my geek creds. As close to Majel Barrett's voice on "Star Trek: Next Generation" and being that computer. And to that point of we assume that this thing is not just somebody else's compute power in somebody else's data center.
Ethan Cook: Yeah.
Kim Jones: We assume that this is just this thing that I can use and that, you know, we don't even think about what's in the back end. We're all having visions of "Star Trek." That's what's happening. You know, the technology and our expectations of the technology are interfering with the reality. A war story for you that, you know, I'm going to go and show my old that probably predates you because you're just a whippersnapper.
Ethan Cook: Yeah.
Kim Jones: So okay. Do you remember when Siri first came out and IBM restricting the use of Siri?
Ethan Cook: Yes.
Kim Jones: You remember that?
Ethan Cook: Yes.
Kim Jones: That's the -- this is a similar case. And for those who don't remember that, you know, there were folks at IBM when Siri came out that were asking Siri questions to help speed up their work flow and solve problems not recognizing that that translates to what's happening is that question is going in to servers --
Ethan Cook: Database somewhere and being processed and analyzed.
Kim Jones: So that they can process and answer it. So since we were competing with Apple you're giving away competitive data. So when IBM finally realized that they said no Siri use in the office. This is just the advanced placement version of that problem.
Ethan Cook: Yeah. And I think, you know, I -- there's this -- I guess the logical progression of that problem. Right? Where before that was an isolated business case that as a competitor we don't want to give them, etcetera. But now it's not even competitive. Right? You have companies that do not work in AI at all, have no involvement in AI, and so it's not a competitive thing, but to the point the employee is sitting there saying, "I have to get through all this data." Or "I have to pull meaningful insights from this data and I've got to do it by the end of the day plus 10 other things." But then I think what people don't realize, and I think from a company perspective like, "Oh, my god. This person's so great. They're getting their work done fast." There's this gap that is formed. And maybe it's because of the lack of understanding about what's happening on the back end, lack of understanding how these algorithms work, or they're just willing to accept, "Hey, it's not my responsibility." How do we manage that side of it? Because I think that's a -- that's something that I think at least from what I understand is only getting more prevalent.
Kim Jones: It gets down to several things in that regard where now I'm well leaning over my skis because now we get in to hiring practices, expectations of employees, employee leadership, in addition to the tech. And that's collectively across the board. So leaning over my skis it gets down to if I'm going to provide somebody a tool and telling them not to use it I think is a gesture in stupidity. You know the tool is there. You as a -- we should want to be able to use the tool. How do I use first the tool responsibly within the environment? And I think, you know, big underline and big, you know, caveats here -- I think we're beginning to grapple with that because I think people are saying if AI can do a lot of this entry level basic analytics piece then my expectation of you should be beyond just doing that entry level analytics piece because that which I would pay you to struggle through you can now have somebody do with 80% accuracy within the next -- within 10 minutes. So what else should I expect of you beyond that in order to advance?
Ethan Cook: So I think to hit on the last conversation that we've had during this section and that was our conversation with Mary about use cases and kind of the unseen world of privacy we all know that, you know, you agree to the terms of service when you enter a website or I agree to tracking cookies. You know, these are common things that we kind of just accept now or you know I am ordering something. I'm entering my personal information in. But there's a whole other side of privacy that I don't think it's the attention and, you know, I think Mary brings up a great use case regarding cars, but let's expand that to the broader conversation of IoT devices in general and how they are these finely tuned sensors that can pick up significant amounts of contextual data, correlate that data with other pieces of data that they've already collected, and get insights at a significantly higher level than we would ever expect. Mary talked about cars. And we talked about how they can get access to your phone. Contact information. Locations that you've been driving to. Times that you were driving to them. Etcetera. That is one use case. But I think as an IoT taking a step back and looking at IoT as a general concept how do we as a security professional, as a business leader, get a handle on devices that seem to be just every year there's more of them? And they collect more.
Kim Jones: Inside my environment you're not going to end up hardening IoT. I'm talking corporate. You're not going to be able to harden IoT the way that you want to harden IoT collectively within the environment because you're going to drive cost points up the wazoo. And it's not going to happen. It's going to defeat the purpose. And it's going to, you know -- I'm not necessarily sure the devices we're talking about could handle that. What I can control is the network they communicate on.
Ethan Cook: Yeah.
Kim Jones: And I can monitor and manage and understand that IoTs transmit and receive and I can control the transmission and the reception and where things are going, etcetera. So my first response is within a particular network understand that IoT is not your average technology device within the environment and what you can do within that environment, you know, to IoT and with IoT is something that's slightly different than maybe what you've seen before. Look at it as a separate entity. Talk about the use cases within the environment. Do the threat modeling associated with IoT. And then solve the problem. Big air quotes around solve. Solve the problem at the network layer.
Ethan Cook: So I think that's a great -- one great solution. I think the -- I think the gap where I see is on personal devices. So in privacy for cars they put out a great paper. Highly recommend reading it. But they bring up a great case study where they got access to a car that used to be owned by a military contractor. And a military contractor they were able to -- and that was their personal vehicle. Was able to harvest significant amount of data about that person. Nothing confidential, but certainly stuff that would -- a military contractor would probably not want out in the public such as email addresses, personal home addresses, military location addresses that they had driven to, etcetera. But that's not necessarily always under the purview of a company. That's -- that's something that, hey, that's their personal vehicle. That's their right to manage. But there's this weird gray zone where it's yeah it's their personal vehicle, but it has sensitive information on it that the company would probably not want out. How do you manage that?
Kim Jones: I go back to what we said in terms of crime. You don't.
Ethan Cook: Okay.
Kim Jones: But there's an education piece here. So let's back up for a second. First there's an education piece. I'm old enough to remember when people realized that corporate printers had hard drives.
Ethan Cook: Yeah.
Kim Jones: And that as part of their technology disposal they have to get rid of the hard drives within their corporate printers. That wasn't always a thing. And it was, "Oh, my god. Think about all of the information that leaks out." Because all I did was throw the printer on the scrap heap.
Ethan Cook: Yeah.
Kim Jones: So we copy paste that information where possible to different devices that we have. You know, I don't know because I've been out of the military for over 20 years now -- I don't know if as part of, you know, the military educating its people on security says "Just remember to -- " You know, if you sell your car do what you can to wipe the devices accordingly within the environment or eliminate your contacts, eliminate the tracking data, etcetera. I don't know if the military and individuals will end up pushing these vendors to understand this within the environment. I don't know if as an individual I have the ability if I sell my smart car to say "I want you to go remove the hard drive in that smart car. Give it to me so I can drill through it or put a nail down in it." And then replace it, you know, at your cost. You know, but it starts with education. And, you know, by the way I echo your comments regarding Mary's paper remembering to, you know, read the paper. It's absolutely phenomenal. But it's first the understanding that things that we do not think about are actually potential vectors for harm and are actually part of the IoT. And I've got to bring up this point because so for any of you who are still struggling with the concept of your car as a member of the internet of things I urge you to go, you know, research that. It's go -- it started Monday. It's happening now within the environment. So just it was relevant. I said yeah. I got to --
Ethan Cook: No. I think it's a perfect example of the kind of like the whole that when we think about privacy everybody's like, "Oh yeah. Company. YouTube's harvesting my data. Social media's harvesting my data, what I look at. Right?"
Kim Jones: Your car is harvesting your data.
Ethan Cook: It's more than just the social media algorithm. It's way more widespread. But --
Kim Jones: But it's got to start with the education piece. It is only -- I mean, you know, the military probably has a better purview in terms of controlling both its borders and what its members can do. But you're going to be hard pressed to tell a military member that all you can buy is a purely manual no software car to drive on an installation assuming you can still find one out there. Even the cheapest cars have computers in them these days. So that's going to be very difficult to do. So all you can do is educate within the environment. Or should we collectively be able to influence the people like car makers the way we influence, you know, people who create corporate printers to say "Okay. Yeah. I understand the hard drive is here. It needs to be here. Can I influence you enough as a cyber industry or as privacy kicks up to say place the hard drive in the car such that it can be easily swapped out as an option should I wish to maintain my privacy?" I love all the bells and whistles, but give me the hard drive so I can do what I do with my computers that I scrap and put a nail gun to it before I throw it away. And that's going to take in my mind probably another four to five years assuming there's enough hue and cry out there.
Ethan Cook: Yeah. I think that's a great point to leave this off on, Kim. And I think as we sit back and we think about the reflection and we think about the past several episodes I think this illustrates a great point about the -- not just the evolving nature of these two subjects, privacy and identity slash fraud, but the gaps that we are still contending with and the gaps that we as a collective need to get a better handle on. So I thank you for sharing your insights. I thank you for taking the time to have this conversation with me and I look forward to our next reflection. [ Music ]
Kim Jones: And that's a wrap for today's episode. Thanks so much for tuning in and for your support as N2K pro subscribers. Your continued support enables us to keep making shows like this one and we couldn't do it without you. If you enjoyed today's conversation and are interested in learning more please visit the "CISO Perspectives" page to read our accompanying blog post which provides you with additional resources and analysis on today's topic. And there's a link to the show notes. This episode was edited by Ethan Cook with content strategy provided by Myon Plot [assumed spelling], produced by Liz Stokes, executive produced by Jennifer Eiben. And mixing, sound design, and original music by Elliott Peltzman. I'm Kim Jones. See you next episode. [ Music ]
