
The impact of data privacy on cyber.
[ Music ]
Kim Jones: Pop quiz today. Which of the following situations is a violation of privacy? One, a national retailer utilizes purchases you make with them to send you advertisements about products you might enjoy or need. Two, a reputable search engine utilizes data about you from previous searches and other products to better tailor its content to your needs. Or three, a government entity utilizes data in the public domain to hone in on potential criminals. If you answered anything but "it depends" on this quiz, you haven't been following the nuances of the privacy debate. Let's get a little deeper into each of these examples for just a moment. In 2012, Target came under media scrutiny for utilizing data analytics to predict which of its shoppers might be pregnant. The retailer then began sending coupons to those shoppers for things like baby clothes, strollers, et cetera. The story made news when one Minnesota father noticed that his teenage daughter was receiving these materials. The irate father marched into a local Target, demanding to see a manager, and accused the retailer of attempting to encourage his daughter to get pregnant, only to find out from his daughter that she was indeed already pregnant. Target's analytics had identified her pregnancy before her own father knew. In 2024, Amazon celebrated its 30th birthday. One of the features this massive online retailer is known for is utilizing knowledge of your shopping habits to send you advertisements about products and services which you might enjoy. Amazon continues pushing the envelope around this concept and has taken a patent out on what it's describing as anticipatory shipping. Utilizing the data it already has about you, the mega-retailer intends to just start sending you items which it believes you want before you purchase them, arguing that the success rate of its algorithms is such that the number returned would not exceed the benefits reaped by this level of customer service.
About a decade ago, people started noticing that their search engines, in particular Google, were displaying different sets of results for the same question. Upon further exploration, people discovered, or rather realized, that most search engines utilize data from your location and your browser history to better customize answers for you. Providing such customization makes it easier to retrieve more meaningful results for the consumer, which shortens search time. It also makes it easier to tailor advertisements to the consumer, that he or she might be interested in. The downside, of course, is that it may also be masking important yet contradictory information that is relevant to the individual search, thus reinforcing research bias. Note you can turn off customization, as Google refers to it, but it's difficult to find out how on their support site. In June 2013, Edward Snowden exposed the NSA's domestic cellular collection program. The general public was outraged that the government would utilize cellular metadata, such as location information, to spy on its citizens. However, these same citizens exhibited no qualms about carrying a device that regularly broadcasts location, or the use of that locational data by other governmental entities and agencies. The examples above are illustrative of the complexity around privacy. Gone are the days we can simply state that X data is private. Indeed, we are moving more toward an environment of situational privacy, where the data itself isn't as much of an issue as how the data is used. Consumers freely and openly volunteer exabytes of data daily for seemingly innocuous transactions, yet they are regularly shocked and angered as this data is combined with other seemingly innocuous and freely given pieces of data to provide predictive intelligence to marketers, corporations, and yes, to government entities.
Remembering that privacy itself is impossible without appropriate security controls, the situational nature of data mining and appropriate data usage makes the protection equation daunting. Do we wrap a cocoon of Pentagon-level protection around the data lake, even though 99% of the data within it is considered publicly available? Do we inject ourselves into the data analytics process and become part of the arbitration question regarding should we use the data in a certain fashion? Can we monitor and limit or restrict data combinations, similar to the way in which systems can monitor for segregation of duties access control issues? Let's take it a step further. Remembering that corporate data analytics seeks to, among other things, improve the sales cycle and make marketing campaigns more efficient, imagine the implications if the bad guys choose to take such an approach. Consider, your systems are penetrated, your data is stolen, but none of the data is regulated by current privacy law or regulation. Six months later, the bad guys run data analytics against the acquired data and determine the best targets for fraud or scam. You protected the data in your borders reasonably and can show a tiered approach to your controls, and those controls were appropriate for your environment. You even prevented the breach from reaching the most sensitive data stores. Yet data stolen from you was used to target your customers in the same manner that your marketing and sales team targets prospects. Imagine the liability issues that will circulate through the courts. As your organizations recognize the value of the data they hold, it is important that we, as security professionals, remind people of the larger risk in privacy landscapes out there. We cannot rely solely on the legal and regulatory framework to guide us, as the potential brand risks go beyond what the hodgepodge of privacy regulations currently addresses.
As we continue to enable our businesses, we must ensure that the aforementioned questions, and dozens more, are acknowledged and addressed by our business leaders. My 2 cents.
[ Music ]
Welcome back to CISO Perspectives. I'm Kim Jones, and I'm thrilled that you are here for this season's journey. Throughout this season we will be exploring some of our most pressing problems facing our industry, and discussing with experts how we can better address them. Today we explore how data privacy is impacting cyber efforts.
[ Music ]
Kristy Westphal is one of the finest security operators that I know. Her knowledge of the technology combined with her understanding of the regulatory landscape make her a force to be reckoned with in the world of cyber. I had a chance to sit down with Kristy to discuss one of her passion areas, privacy and its impact on security organizations. Kristy, thank you for making the time, and welcome.
Kristy Westphal: Thank you, it is a pleasure to be here. Always like chatting with you.
Kim Jones: Oh, likewise. Likewise. So - a quick note that the opinions expressed by Kristy in this segment are personal and should not be interpreted as representing the opinions of any organization that Kristy has worked for, past or present - so, you and I have known each other for longer than either of us care to admit, but my audience might not. So how about spending some time telling them who Kristy Westphal is?
Kristy Westphal: So, Kristy Westphal, global security director at Spirent Communications, right now. I got into security, as many of us do these days, in a weird way. I was actually a finance major out of college, then stumbled into IT, and then stumbled again into security, and that was so long ago I don't count anymore. And then I've just been doing a variety of roles. I've done pretty much everything from being an engineer, to an analyst, to - been an IT admin, and - and everything in between. Written policies, and then finally at one point I said, you know what? We need good security leaders. And so I decided that was going to be my focus, and I have been doing that ever since. So it's always a privilege to lead a team, and I try my best to be a good leader every day.
Kim Jones: And you succeed, and I have personal experience with that as well, and you've sat the big chair more than once, if I remember correctly?
Kristy Westphal: I have. I realize it's been about 20 years since I've been in the chair. I was one of the - one of the early CISOs, and so it's changed quite a bit since then, but it's -
Kim Jones: Yeah.
Kristy Westphal: It's been a fun run.
Kim Jones: Well, fun, you know, define your terms, [laughter], but I think we all say that.
Kristy Westphal: Oh, come on, [laughter].
Kim Jones: But we just keep coming back to play.
Kristy Westphal: Yeah, that's - that's true. I am dedicated, [laughter].
Kim Jones: Yeah. So, those changes are part of the reason that I wanted to talk with you, because somewhere within your storied history, you went and got a master's, if I remember correctly, in legal studies.
Kristy Westphal: I did. I -
Kim Jones: Mm hmm.
Kristy Westphal: It's funny, so about 10 years ago, I decided I - I needed to go back and study some legal stuff. So I got a master's in legal studies at ASU, Arizona State, and the reason I went into that was honestly I had - I'd been reading so many contracts as a part of my role in security.
Kim Jones: Yep.
Kristy Westphal: I wanted to make sure that I wasn't missing anything. So that was my goal. I ended up hating contracts. It was - it was the worst class I took.
Kim Jones: [Laughter].
Kristy Westphal: But then I got an opportunity to do an independent study, and so I was like, alright, well what am I going - what am I going to study? And I thought, you know, privacy and security intersect all the time, in weird ways. And one of the most interesting ways that they do intersect is through the use of encryption. And boy, once I started peeling back the layers of that, that became a really interesting topic, and that became my independent study paper.
Kim Jones: As someone who actually read your dissertation, we're going to spend a lot -
Kristy Westphal: You - you survived, I'm really impressed, [laughter].
Kim Jones: No, no, no. Not only did I survive, I volunteered and asked you for it, so, [laughter].
Kristy Westphal: No, no, no, no, yes.
Kim Jones: I - I really want to spend a lot of time talking about that intersect between privacy and security, and I want to go back and get to very basic brass tacks. Walk it through some of the things that you saw when you were writing the dissertation, some of the things you've seen now within the environment, and then maybe deep dive into that privacy and encryption intersect that you saw, that you wrote about so many years ago. So I'm going to take it back to basics, and let's start with the basic question. How would you define the term privacy?
Kristy Westphal: It's protecting data that you don't want others to know. And I think that's the key, because that can be different for everyone, right? So therein lies the challenge.
Kim Jones: That would be an understatement, yeah. So, if I look at it from protecting data, as you said, that you don't want others to know, how has that evolved, changed within, let's just talk about the decade or so since you actually first deep dived - deep dove into this topic. Talk to me.
Kristy Westphal: Well, so that's the - the really fascinating part. So, up until my paper was published in 2016, there was a lot of activity, right? I mean, we had the Wassenaar Agreement, which was in the 90s, and that essentially started the whole protection of exporting encryption. There was the Clinton Administration wanting to centralize management of encryption keys. So there was just -
Kim Jones: Clipper chip.
Kristy Westphal: Yes, the Clipper chip. Absolutely. There was just all kinds of crazy things going on at that time, and so then I went and I looked back in the - over the last decade. I said, well what's changed? I haven't necessarily kept my thumb on it, and when I did some research, I'm like, not much has changed. We were trying to craft a federal privacy law back then, still haven't done that. We've actually kind of made it more difficult to protect privacy by enacting things like the CLOUD Act of 2018. Mm hmm?
Kim Jones: Talk to me about that, for those who may not be as familiar with the CLOUD Act as you and I are.
Kristy Westphal: Well, and I just recently educated myself on this as well. So in 2018, the Clarifying Lawful Overseas Use of Data Act was passed.
Kim Jones: Wow.
Kristy Westphal: And this made it easier when there were agreements between different countries that we could basically request access to encrypted data stored abroad, right? At the -
Kim Jones: Mm hmm.
Kristy Westphal: At the base level. So if we engaged in this type of agreement with other countries, which we have with Australia and the UK, basically they can request us to compel any sort of data that resides in their country to be handed over to them. And that - lots of problem with that, and we're already seeing it manifest. The UK has asked Apple to put a backdoor in their operating system.
Kim Jones: Yep.
Kristy Westphal: And gee, that's not a problem. If you could see my face, you'd know how - how puzzled I am that this is going on. It's still - that is still being acted out in the courts now. Apple seems to maybe have a foot up, but we still don't know how that's going to work out. The interesting thing is, about that case, is that we went into, I - I believe a five-year agreement with Apple, and it was silently renewed in 2024, and so there's still - it was - there's still - it's still going to be around for a while, and they can still demand this access, unless we take any action to amend the regulations.
Kim Jones: Yeah.
Kristy Westphal: So, it's - it's interesting. Australia hasn't really, seemingly, acted on this yet, but the UK is all about surveillance, and so they're going to see what they can do.
Kim Jones: Keep this at an enterprise level first before we go down to individuals, and I - I love where you started talking about the encryption, and some of the legislation that exists around that. You know, the average user believes that encryption is a panacea, and many of our regulatory frameworks, at least here in the U.S., you know, give you an alibi or a bye when encryption comes to play. You know, you have all sorts of requirements that exist here, you know, if your data is lost or stolen or compromised, except, of course, if it's encrypted, then you're okay. HIPAA comes to mind, if I remember correctly, and my memory may not be, you know, I will yield to you if I'm incorrect here. And a lot of the state breach notification laws tend to impose heavier requirements and burdens on organizations, unless, of course, the data that was stolen is encrypted, then of course, you know, let us know, but you're okay. But when you think about things like the CLOUD Act, and some of the other things going on, I - I guess my question is, are we all living under that false sense of security, because in reality there are enough loopholes, and we haven't even begun to talk about quantum. There are enough loopholes, et cetera, that exist when dealing with encryption. I - I would welcome your opinion on this.
Kristy Westphal: So there's been a couple of cases where we've seen that yes, the data was encrypted, but the government went after it anyway. Probably the most clear one that came about, this was in 2016. The San Bernardino terrorist, one of the -
Kim Jones: Yes. I use that one in class, please.
Kristy Westphal: They were trying to get Apple, at that time, to turn over the data on the - on one of the shooter's phones. And Apple said nope, not doing it. And what does the FBI do? They went off and found a tool to do it on their own. So you can encrypt your data, but there are other ways around trying to find that key. And I'll - I'll give a recent example.
Kim Jones: Please.
Kristy Westphal: And this has nothing to do with legal cases. In fact, one of my classes, in the last couple of weeks I gave my students a computer image to do forensics on. And it's got a hidden partition in it that's encrypted. And I said, what is this? That was one of my basic questions, and - and can you see what's on it? Well, one of my students literally didn't have the key, but spent the time doing research on what he could find on the rest of the drive that wasn't encrypted, and figured out the password, and was able to decrypt it, [laughter].
Kim Jones: Wow.
Kristy Westphal: And nobody's done that before. So not only was I impressed, but I was also terrified, [laughter], at how good he is at this.
Kim Jones: Yeah, yeah.
Kristy Westphal: But anyway, so you can see, there's - you don't have to legally - there - there's fine lines to be able to - to get that password, so -
Kim Jones: So there was an A, and, [laughter].
Kristy Westphal: Exactly. Extra credit, [laughter].
Kim Jones: [Laughter], that was an A and extra credit. He probably passed.
Kristy Westphal: Yep.
Kim Jones: So, now let's think about this as a CISO. You know, you're - you're sitting in the chair now. What does this situation mean for you and your peers sitting in the chair, as we think about data privacy, as we think about customer expectation, as we think about entangling regulation in different states as well as different nations. I believe your company is an international company, so you've got multiple nations to deal with as well. So what does this mean for the person who, congratulations, you are now the CISO. Your first time in the chair, and you realize that your previous boss wasn't an idiot in terms of what's going on, because now all of these problems are yours. What are these problems, as we talk about privacy?
Kristy Westphal: Oh my gosh. You have no idea. So number one -
Kim Jones: That's why we're here, [laughter].
Kristy Westphal: Number one, become friends with your legal counsel, because - whether they're internal or external, because they - part of their job, sadly, is to try and keep up with this stuff. Number two, you yourself need to keep up with it too, because you're going to probably be put in a situation at some point where you don't want to step on that landmine, right? So there are - there are ways to keep up with this that don't make you tear your hair out, which is good, but you have to kind of understand how to navigate that. The - the thing that I would do, if you're new to the chair, and you're just getting used to this in your organization, I would start diving in your contracts. Because I have seen this come across where there's data privacy requirements that say you will cooperate in an investigation, but you will only cooperate with us. You won't cooperate directly with law enforcement.
Kim Jones: Wow.
Kristy Westphal: Yeah.
Kim Jones: [Laughter], that's a problem.
Kristy Westphal: I mean, they were getting really specific and bold, and it's - it's pretty - it's pretty interesting. So knowing those requirements and knowing, like, which customers exactly do require that, instead of, you know, you don't want to turn something over in cooperating with the - with law enforcement, and then find out you just violated a customer agreement as well. So it's - it's very challenging, and then we haven't got into the state privacy laws that you have to try and navigate and understand. Like if you have a data breach, what are the reporting requirements? How are you going to report those? Are they different - yes they are - per state, and which ones require which ones? You can set up your basic framework around the most restricted ones, like CCPA, but you have to be able to respond appropriately to each state when that happens. [ Music ]
Kim Jones: Let me ask a couple of questions. You talked about contracts, and you talked about cooperating with legal, all - all of which are great things, obviously. So let's start with legal. Way back when, when dinosaurs roamed the Earth, and I had taken my first chair, I - I sat down and said to my general counsel, well, okay, I understand we have database administrators in the UK, and I know we have UK data, so what are we doing about the E-Privacy Directive and Safe Harbor? And my general counsel looked at me and says, what the hell are you talking about? What is that? So I - I'm curious, are you getting the sense of, that - and then again, this was decades ago. That lack of knowledge, has that gap been closed, and is there a level of focus and understanding by our legal brethren regarding the importance of these issues?
Kristy Westphal: I think that's really changed.
Kim Jones: Good.
Kristy Westphal: I would agree with you, back then it was kind of deer in the headlights response, but I - I know my - my current legal counsel is really - she's an expert on this kind of topic. And it's because the compliance aspect, you have to, for example, GDPR. You - you can't just ignore that, being a global company.
Kim Jones: Yeah.
Kristy Westphal: China's PIPL, Personal Information Protection Law. That, if you do business in China, you have to - you have to be compliant with that as well. So you - you can't just pretend these things don't happen anymore, and again, you need to be prepared for that data breach, because trying to untangle that during the chaos of an incident, or just shortly thereafter, is not a good look.
Kim Jones: Yeah, I feel ya. Yeah, I - yeah, [laughter], so let's talk about, you know, you're a sizable international organization. What do we do about that small shop that all of a sudden finds out that it has customers, you know, or is servicing customers, or gets one or two customers from the UK in a small business, and is now subject to GDPR, or you know, is subject to, you know, I - I'm a small mom and pop. I operate in four states in New England, but all of a sudden I have an online presence and I'm shipping product to California, now all of a sudden I'm subject to potentially CCPA. The possibility of getting blindsided by regulatory compliance in this heavily-connected world, for companies who don't have our resources or our experience, is huge. So how do you prepare for that? How do you understand that? How do you make yourself ready for that if, you know, you haven't been there, done that, got the t-shirt and the coffee mug like you and me?
Kristy Westphal: That is a great question, and I think it's not only a privacy issue, it's a security issue, honestly.
Kim Jones: Mm hmm.
Kristy Westphal: Because it's the same problem. Like, how do we ensure that our small businesses, that are vital to our economy, are protected properly? And you know, not stepping on a landmine without knowing it. My recommendation, if you're a small business, you probably don't have a full-time legal counsel, but you've got somebody. Ask them, and just start that conversation. This might be an opportunity for a V-CISO, or a fractional CIO to help advise, like, what are - what are the best base things you can do to make sure that you're protected on both fronts?
Kim Jones: Fantastic. So let's segue back into contracts. I - I know this has only ever happened to me, where you know, the sales team all of a sudden has an opportunity to land a whale of a customer, and agrees to anything that all of a sudden skirts by the legal review, and all of a sudden now you have requirements for either security or privacy a la the you can only cooperate with us during an investigation. Well, that's not going to go over pretty well when the Bureau knocks on your door, or you have requirements from states to cooperate, and all of a sudden you're in - in that exact situation that you have described, where in order to do the job, and do the job, and meet the requirements, you're going to be in breach of contract. How do you avoid that? That's question one, but I'm going to give you the follow-on. You and I have both parachuted into environments to do cleanup on aisle five, and have run into, we agreed to what? How do you deal with that on the ground? Let's take those both, if you don't mind.
Kristy Westphal: Oh boy.
Kim Jones: [Laughter].
Kristy Westphal: I wish I had a magic wand, the first one. Law enforcement's knocking at your door. You can't just - you have to be in concert with your legal counsel. Again, you need to make sure you understand the requirements and that you understand the risks of complying or not complying, right?
Kim Jones: Mm hmm.
Kristy Westphal: And this is a good tabletop exercise for you and your legal counsel, because you need to make sure that everybody's on board. Like, I review all the contracts before they're signed.
Kim Jones: Mm hmm.
Kristy Westphal: And so at least I'm aware of new requirements that come in, for both security and data privacy, and so I can - I can have those conversations. If - if I'm coming in and cleaning up later, then I would say, you know, read contracts and make sure you know what's in them. Use AI if you have to, and make sure that you understand those requirements and present those risks back to the business, because if they are trying to claim ignorance right now, that doesn't fly anymore. You can't just say that. Oh, I didn't know that was in there. You need to make sure.
Kim Jones: Ignorance may be a good reason, but it's still no excuse. You're in trouble.
Kristy Westphal: Exactly, exactly. So you need to - you just need to bring those to the surface and come up with a - a plan of attack.
Kim Jones: Do you recommend standard security contract language?
Kristy Westphal: I think it helps the security team, right, because at least we know what we're requiring of our third parties. I wish everybody had the same standards, because they're all so different, [laughter], and even if - even if we all are trying to adhere to the ISO standard, they've modified it some specific weird way that they require for their company, that you have to make sure you adhere to, if it applies. So I like standard contract clauses, but they - they never stay standard.
Kim Jones: So, you know, one of the things we - I used to do is I did draft standard - the standard security contract clause for my company, and the argument was if they won't sign our language as is, then I have to review the contract. And if they want to modify our language, then I - I have to approve the modification. And in a lot of cases that eliminated enough of the surprise factor that was out there, and it encouraged the sales team to say look, if you can arm twist people to sign our existing language, this will go a lot faster for you, but if you really honestly and truly want, you know, to agree to what's going on, then I have to actually read the contract and figure out what's going on. And speaking of that, do you do all of the contract reads yourself?
Kristy Westphal: Yes.
Kim Jones: Okay. Always?
Kristy Westphal: Yes.
Kim Jones: Okay. So I have as well. I guess the question is, how do you scale that within a large organization?
Kristy Westphal: Yeah, you need to, I think, to your point, standard contract languages, or standard contract clauses, at least we know what we're committing to, and then get the red pen out, right, and just start, you know, working through it. These things take time. It's funny. Like, people think that these contract reviews will go through like that, and a vendor will have their - their sale by the end of, you know, end of the week.
Kim Jones: Tomorrow, because it's the end of the month, [laughter].
Kristy Westphal: Good luck. And - and it never works that way, right? I've seen some contracts go years with back and forth. And - I'm not even joking. And so, I think it's important to get right, and so yes, you need help. I mean, if I was in a larger organization, there's no way I could - I could sustain that. But you just have to have kind of that standard. Here's what I'm looking for, here's what I won't commit to, and then just compare that with whatever gets thrown at you.
Kim Jones: That - that speaks to or seems like there's also some education that happens there, on your part, in terms of educating the sales force, and maybe even educating your primary contacts on legal regarding, here's what I won't agree to, here's why I won't agree to it, so that you knock those out. Are you doing that as well?
Kristy Westphal: I do. When I see weird things, like, I'm always trying to make sure we don't have to respond to security incidents within 24 hours, because I think no one can actually, [laughter], sort of do that across the board. So I always scratch it out and put 72 hours, and try to throw that in there, for example. And so my - my legal team that I work with, they're like oh, yeah, I know you're not going to like this. And so they are - any communication up front with the team definitely helps, because you know the lawyers do all the reading too, and read everything you read anyway, just to make sure, and so if - if they know what you don't like or won't agree to, it makes it so much easier for the whole process.
Kim Jones: What are two things we haven't talked about that you would want our audience to know, understand, or hear from you?
Kristy Westphal: When I parachute in, and I'm trying to clean things up, I forgot. My other big thing that we don't do enough of, once we know the landscape and all those types of good things, threat model, right? You - you brought it - you - you reminded me that I hadn't talked about that. Yes, you can know where all the things are, you can look at your gaps. Start threat modeling. What kind of - you know, you have to have that realization of who might be after you, even if it's, you know, maybe not a direct attack. What if it's just some, you know, opportunistic type of attack? You need to keep those things in mind, because if you don't think like that, then your - your security program and your data security program are not going to best protect your organization.
Kim Jones: Let me - let me dive there for a little bit, but hold - hold - hold your thought.
Kristy Westphal: Sure.
Kim Jones: I know, I want to make sure, you know, we - we talk about the things that you want to talk about. How do we break the mentality that seems to have arisen a decade behind us, that says all I need to know is to figure out how the bad guy works, and nobody gives a crap about anything else, to get into cyber? Because I've got a lot of folks who will spend a lot of time on, this is how the bad guy works, thinks, and breathes, and if you don't plug this hole, then you're an idiot, and the organization is stupid, despite the fact that that hole is driving $10 billion worth of revenue through your environment. Oh, you ask that same person, how do I do this without breaking it? They say, I don't care. And there's still a lot of that going on in, I'm going to - I'm going to put my old hat on, in the generation that's behind us. How do we break that model, because what I'm seeing is I'm seeing lots of threat modeling not applied to the business enterprise, and not truly saying, how do I take this and this and come up with a practical solution that doesn't shut me down? How do we do that, or am I just old and telling - shaking my cane, telling people to get off my lawn, and it's really not like that?
Kristy Westphal: Well, I think that's part of why we're still struggling to succeed as an industry, and here's where I get philosophical. We are still building a security culture of no, and we're not - we're getting better. I will say that. I'm seeing a lot more of embedding in the business, talking business risk, but we need to get out of our own heads. We can't just be like, oh, my security program, and I'm gesturing and making a very narrow gesture, I'm just focusing on these things, and we need to fix these vulnerabilities, and we'll be perfect.
Kim Jones: Yeah.
Kristy Westphal: We cannot operate like that. It doesn't work. We've seen it again and again. We've got to be part of the business, right, and we've got to have a broader impact. And so I think that threat model isn't just, oh, are my security tools going to work? Well, maybe, but let's prioritize that with the impact it's going to have in the overall organization, so -
Kim Jones: Hear, hear. And I cut you off, so please, give us the rest of it.
Kristy Westphal: So, I think, the other thing I do want to just throw in there, and it's - it's a problem that I - I want to solve, I just don't know how. It's, you know, people want to - okay, if I'm concerned about privacy, I want to protect my privacy. How do we tell people how to do it? It is not easy. I mean, you can tell them to stay off social media, but then if I have a Gmail account, Google can access all my email, right?
Kim Jones: Mm hmm.
Kristy Westphal: So, the challenge we have in this space is to keep awareness up, and find ways to help, if you truly want to protect your privacy, support organizations, and tools, and services, and industry professionals that help - help do this. So I end with a problem, but I think it's a challenge for our industry to continue to work towards solving. [ Music ]
Kim Jones: Kristy, you - you and I have known each other, again, for longer than either of us care to admit, but I will say this repeatedly, you know, you are and remain one of the brightest, most effective cyber professionals that I know, and I really appreciate you taking the time to spend some time with me, to help educate our audience. Thank you so much.
Kristy Westphal: Thank you for having me. This was a blast.
Kim Jones: And that's a wrap for today's episode. Thanks so much for tuning in and for your support as N2K Pro subscribers. Your continued support enables us to keep making shows like this one, and we couldn't do it without you. If you enjoyed today's conversation and are interested in learning more, please visit the CISO Perspectives page to read our accompanying blog post, which provides you with additional resources and analysis on today's topic. There's a link in the show notes. This episode was edited by Ethan Cook, with content strategy provided by Ma'ayan Plaut, produced by Liz Stokes, executive produced by Jennifer Eiben, and mixing, sound design, and original music by Elliott Peltzman. I'm Kim Jones. See you next episode. [ Music ]
