Classify First, Secure Everything Else - Cory Zaner - Guardians of the Data

Securing the Future - Jason Torres - Guardians of the Data - Episode # 46

What would happen if someone asked your team right now who has access to your most sensitive data and why? For most organizations, that question alone exposes just how far they still have to go. In this episode, Jason Torres draws on over 20 years of experience in healthcare cybersecurity to make the case that data security still comes down to two fundamentals that most organizations haven't cracked, knowing where your data lives, and knowing who is attached to it. Jason breaks down why regulated industries like healthcare face a uniquely relentless challenge where data creation never stops, clinical staff have little patience for security friction, and the stakes of getting it wrong are measured in patient trust and breach costs. He also shares why AI governance committees are the non negotiable first step before any organization touches AI tools.  Takeaways: * Start with the basics, know where your data lives. Before any tooling, framework, or governance program can take hold, organizations need to first identify, locate, and classify their data. It sounds simple, but most companies still can't confidently answer that question, and everything else depends on it. * Access and ownership are two different problems. Knowing who should have access to data is not the same as knowing who does. Closing that gap requires ongoing partnership between security teams and business stakeholders, not just a one time audit. * AI governance must come before AI adoption. Throwing AI tools at the business without establishing governance frameworks, leadership buyin, and usage policies is, in Jason's words, "the Wild Wild West." Forming an AI governance committee to define expectations and outcomes is the essential first step. * The business case for security tools has fundamentally changed. Where organizations once needed dedicated headcount to implement and run new solutions, AI-driven automation is shifting that model, enabling teams to repurpose existing talent rather than request new hires, and to justify investments with clearer, metrics backed ROI. * Diverse backgrounds build stronger security teams. Some of the most effective security professionals didn't come up through traditional IT paths. Bringing in people with backgrounds in finance, communications, or even ministry, as Jason did, creates the range of perspectives and communication styles that make security teams more resilient and well rounded. Quote of the Show: * “Every journey begins with the first step. There's no blueprint for becoming a security leader. It all depends on the time you put in, the knowledge you develop, the action you put forth — and ultimately the relationships you build along the way." - Jason Torres Links: * LinkedIn: https://www.linkedin.com/in/jasontorres/ [https://www.linkedin.com/in/jasontorres/]  Ways to Tune In: * Transistor: https://guardiansofthedata.show/ [https://guardiansofthedata.show/]   * Spotify: https://open.spotify.com/show/5gZXInkb12Qrs2Lyv0hstQ [https://open.spotify.com/show/5gZXInkb12Qrs2Lyv0hstQ]  * Apple Podcasts: https://podcasts.apple.com/us/podcast/guardians-of-the-data/id1826819323 [https://podcasts.apple.com/us/podcast/guardians-of-the-data/id1826819323]  * Amazon Music: https://music.amazon.com/podcasts/0754cdde-f1c4-4f6c-92a2-e263f7840eb8/guardians-of-the-data [https://music.amazon.com/podcasts/0754cdde-f1c4-4f6c-92a2-e263f7840eb8/guardians-of-the-data] * iHeart Radio: https://www.iheart.com/podcast/269-guardians-of-the-data-285972170/ [https://www.iheart.com/podcast/269-guardians-of-the-data-285972170/] * YouTube: https://www.youtube.com/@GuardiansoftheDataPod [https://www.youtube.com/@GuardiansoftheDataPod]

Where Are Your Crown Jewels? - Tony Schimizzi - Guardians of the Data - Episode #45

What if someone asked you right now where your most sensitive data lives? Most organizations would struggle to give a confident answer. In this episode, Tony Schimizzi draws on years of consulting experience to make a point that cuts to the core of modern data security: this is no longer just a cybersecurity problem. It has become a large-scale business operations and governance challenge. Tony breaks down why data sprawl across SaaS products, cloud apps, and collaboration tools has made it nearly impossible for most companies to know where their data is, let alone where the crown jewels are and how well they are protected. Takeaways: ~ Do the Fundamentals First: Asset management, visibility, access control, data classification. These have not changed, and they will not. Most breaches happen because the basics were not in place. ~ Security Is a Double Negative: IT can point to uptime as value. Security cannot point to revenue. Understanding that dynamic and learning to communicate in KPIs and measurable outcomes is how security teams earn their seat at the table. ~ Say Yes, And: The most effective security professionals are not the ones saying no. They find the compensating control that lets the business move forward safely. Never no, but. Always yes, and. ~ Build a Risk Council: Instead of having security engineers fight business decisions above their pay grade, bring the right leaders together: CISO, IT, HR, marketing, legal. Let them hash it out. Decisions made there carry weight decisions made at the engineer level never will. ~ If It Matters, It Should Be Measurable: KPIs taken to the board quarterly, along with examples of incidents that did not escalate because controls were in place, are how security teams demonstrate value without a direct revenue line. ~ Understand How the Business Makes Money: Before you can evaluate risk, you need to know what the business actually runs on. If your initiative would slow down the revenue engine, you need to know that going in. ~ Take Risks When You Are Young: Professionally and personally, the window to experiment, grind, and separate yourself is in your 20s. It is easier to course correct early than to try to change direction later. Quote of the Show: "Companies no longer fully understand or control identity, access, and the data movement across their environments." Tony Schimizzi Links: ~ LinkedIn:https://www.linkedin.com/in/anthony-schimizzi-cissp-ccsp-cism-issap-045b7a82/ Ways to Tune In: ~ Transistor: https://guardiansofthedata.show/   ~ Spotify: https://open.spotify.com/show/5gZXInkb12Qrs2Lyv0hstQ  ~ Apple Podcasts: https://podcasts.apple.com/us/podcast/guardians-of-the-data/id1826819323  ~ Amazon Music: https://music.amazon.com/podcasts/0754cdde-f1c4-4f6c-92a2-e263f7840eb8/guardians-of-the-data ~ iHeart Radio: https://www.iheart.com/podcast/269-guardians-of-the-data-285972170/ ~ YouTube: https://www.youtube.com/@GuardiansoftheDataPod

Classify First, Secure Everything Else - Cory Zaner - Guardians of the Data

What's your biggest data security blind spot? Today's guest, Cory Zaner, Senior Enterprise Architect for critical infrastructure and trusted advisor to executive leaders, joins Ward to discuss why organizations continue to struggle with data security fundamentals, and what it actually takes to fix them. With over 20 years of experience across energy, manufacturing, and defense industries, Cory draws on his military background, time at Raytheon, and hands-on work in OT/ICS environments to break down the data security challenges most organizations are still getting wrong. Takeaways: * Start with Data Classification, Not Tools: Before reaching for the latest shiny object, organizations need to define their data tiers. Cory recommends aligning to an established framework like NIST, then mapping your tiers to a simple color-coded system,red, yellow, green, so users can actually act on it. * Keep It Simple: Over-complicated classification schemes with 10–20 tags and sub-tags are a recipe for failure. If your users need a secret decoder ring to understand how to classify data, the program has already failed. * The Data Owner Classifies the Data: Not IT. Not the tool. The person who knows what the data is worth is the one who should be tagging it. Technology can assist, but it can't make that judgment call for you. * Align to a Framework, Then Scope It: Whether it's NIST, ISO, or another standard, anchoring your program to an established framework takes the argument off the security team's plate. You're not asking people to trust your ideas; you're pointing to an industry consensus. * Start with Unstructured Data First: Cory recommends beginning with your M365 or G Suite environment, where user-generated content lives, before tackling structured data like SQL databases. That's where the real user behavior risk is. * Build the Right Committee: Data classification can't live in a security silo. Legal, privacy, and HR are essential early partners. Build a governance committee with real ownership, not just initial enthusiasm that fades after the first few meetings. Quote of the Show: "Garbage in, garbage out. AI can make things prettier, but we cannot change the mindset of people with technology.” - Cory Zaner Links: * LinkedIn: https://www.linkedin.com/in/cory-zaner/ [https://www.linkedin.com/in/cory-zaner/] Ways to Tune In: * Transistor: https://guardiansofthedata.show/ [https://guardiansofthedata.show/]   * Spotify: https://open.spotify.com/show/5gZXInkb12Qrs2Lyv0hstQ [https://open.spotify.com/show/5gZXInkb12Qrs2Lyv0hstQ]  * Apple Podcasts: https://podcasts.apple.com/us/podcast/guardians-of-the-data/id1826819323 [https://podcasts.apple.com/us/podcast/guardians-of-the-data/id1826819323]  * Amazon Music: https://music.amazon.com/podcasts/0754cdde-f1c4-4f6c-92a2-e263f7840eb8/guardians-of-the-data [https://music.amazon.com/podcasts/0754cdde-f1c4-4f6c-92a2-e263f7840eb8/guardians-of-the-data] * iHeart Radio: https://www.iheart.com/podcast/269-guardians-of-the-data-285972170/ [https://www.iheart.com/podcast/269-guardians-of-the-data-285972170/] * YouTube: https://www.youtube.com/@GuardiansoftheDataPod [https://www.youtube.com/@GuardiansoftheDataPod]

Navigating the Data Maze - Brian Cherry - Guardians of the Data - Episode # 43

What data do you have, where does it live, and who has access to it? These three questions sit at the heart of every data security challenge and according to Brian Cherry, most organizations still can't answer them.  In this episode, Brian, a Global Director of Information Security with over 20 years in cybersecurity, joins Ward to dig into the sprawling reality of data security: why data never stays where you think it does, how shadow IT and bad governance quietly create massive exposure, and why AI is raising the stakes on all of it.  Brian also shares how curiosity, mentorship, and asking the right questions shaped his entire career and why those same instincts are the most powerful tools any security professional can have.   Takeaways: * Know your data before you protect it. You can't secure what you can't find. Start by asking four foundational questions: What data needs protection? Where does it live? Have you truly looked everywhere? And who has access and how did they get it? These questions sound simple, but most organizations haven't fully answered any of them. * Act like an investigative journalist when talking to the business. Going into stakeholder conversations without pretending to have all the answers actually gets you further. When people feel like they're teaching you, they open up and that's when you learn where the real data risks are hiding. * Governance isn't sexy, but it's where the real power is. Red team exercises find problems, but governance is what actually prevents them. Policies, controls, and proper data classification programs are what keep businesses from accidentally creating their own worst security incidents. * AI is amplifying your existing data problems, not creating new ones. If sensitive data is scattered in shared directories, staging environments, or forgotten backups, any AI tool with access to it becomes a liability. Getting AI-ready means solving the fundamentals first classification, access control, and visibility. * Find a mentor, and be one. A mentor who pushes you to understand the business side of security, not just the technical side, can completely change your trajectory. And when you've made it, look back. The best investment you can make in the profession is helping someone else ask the next question. Quote of the Show: * "If you don't ask questions, you're never going to know the answer. That's where my career started, and it's still the most powerful tool I have." - Brian Cherry Links: * LinkedIn: https://www.linkedin.com/in/cherrybrian/ [https://www.linkedin.com/in/cherrybrian/]  Ways to Tune In: * Transistor: https://guardiansofthedata.show/ [https://guardiansofthedata.show/]   * Spotify: https://open.spotify.com/show/5gZXInkb12Qrs2Lyv0hstQ [https://open.spotify.com/show/5gZXInkb12Qrs2Lyv0hstQ]  * Apple Podcasts: https://podcasts.apple.com/us/podcast/guardians-of-the-data/id1826819323 [https://podcasts.apple.com/us/podcast/guardians-of-the-data/id1826819323]  * Amazon Music: https://music.amazon.com/podcasts/0754cdde-f1c4-4f6c-92a2-e263f7840eb8/guardians-of-the-data [https://music.amazon.com/podcasts/0754cdde-f1c4-4f6c-92a2-e263f7840eb8/guardians-of-the-data] * iHeart Radio: https://www.iheart.com/podcast/269-guardians-of-the-data-285972170/ [https://www.iheart.com/podcast/269-guardians-of-the-data-285972170/] * YouTube: https://www.youtube.com/@GuardiansoftheDataPod [https://www.youtube.com/@GuardiansoftheDataPod]

Fighting AI Risk with AI - Kevin Feck - Guardians of the Data - Ep #42

What would happen if your AI searched all your data right now? Today’s guest, Kevin Feck, Director of Data Protection and Security Architect, joins Ward to unpack how AI is reshaping the data security landscape. With over two decades in cybersecurity, Kevin shares why the industry’s long-standing challenges of data classification, access control, and visibility have suddenly become urgent in the age of AI. From the risks of copilots and LLMs to the reality of “AI readiness,” this conversation dives into what organizations are getting wrong and how to fix it. Kevin also breaks down why trying to “boil the ocean” with data security initiatives often fails, how to scope efforts effectively, and why security teams must evolve from perceived roadblocks to true business enablers.   Takeaways: * Classify Your Data Before Connecting AI to It: AI tools like Copilot can instantly surface sensitive data that used to take weeks to find manually. Granular, contextual data classification is the foundation. * Correlate Sensitive Data With Permissions: Knowing where your sensitive data lives isn't enough. Lock it down to authorized users so AI agents can only access what they should. * Fight AI with AI: Regex based DLP tools are no longer sufficient. Invest in AI powered data security that can understand context, not just patterns. * Build an AI Governance Program: Get lawyers, procurement, security, and technical staff aligned on what "AI" actually means in each vendor contract. Not all "AI" is equal. * Treat User Education as a Core Security Control: No tool is 100% effective without trained users. Ongoing security awareness training is essential to make data classification stick culturally. * Prioritize "Better Together" over a single pane of glass fantasy: No one tool covers every environment perfectly. Integrated tooling with shared intelligence is more effective than waiting for a perfect unified solution. * Hire For Passion, Not Just Credentials: In a field evolving daily, someone deeply motivated to do the right thing will outperform a technically skilled person who is just checking boxes. Quote of the Show: “It’s always been about the data. Tell me what that data is and I’ll tell you how much I have to care about it.” - Kevin Feck Links: * LinkedIn: https://www.linkedin.com/in/kevin-feck-756ab91/ [https://www.linkedin.com/in/kevin-feck-756ab91/]  Ways to Tune In: * Transistor: https://guardiansofthedata.show/ [https://guardiansofthedata.show/]   * Spotify: https://open.spotify.com/show/5gZXInkb12Qrs2Lyv0hstQ [https://open.spotify.com/show/5gZXInkb12Qrs2Lyv0hstQ]  * Apple Podcasts: https://podcasts.apple.com/us/podcast/guardians-of-the-data/id1826819323 [https://podcasts.apple.com/us/podcast/guardians-of-the-data/id1826819323]  * Amazon Music: https://music.amazon.com/podcasts/0754cdde-f1c4-4f6c-92a2-e263f7840eb8/guardians-of-the-data [https://music.amazon.com/podcasts/0754cdde-f1c4-4f6c-92a2-e263f7840eb8/guardians-of-the-data] * iHeart Radio: https://www.iheart.com/podcast/269-guardians-of-the-data-285972170/ [https://www.iheart.com/podcast/269-guardians-of-the-data-285972170/] * YouTube: https://www.youtube.com/@GuardiansoftheDataPod [https://www.youtube.com/@GuardiansoftheDataPod]