Fighting AI Risk with AI - Kevin Feck - Guardians of the Data - Ep #42

GOTD - Kevin Feck
===

Speaker: [00:00:00] Welcome to Guardians of the Data. I'm your host, Ward Balcerzak. Each episode will explore the passions, expertise, and real-world experiences of security leaders who are helping the future of data security and governance. Guardians of the Data is made possible by support from Sentra. To learn more about our AI-powered data security platform, please visit sentra.io.

Let's dive in.

Ward Balcerzak: Welcome back to another episode of Guardians of the Data. My guest today has worked in cybersecurity for over 20 years across industries like automotive, financial services, software, and manufacturing. He's the founding director of the Ohio River Valley Cloud Security Alliance. Currently a director of data protection and security architect at a financial services organization. Kevin Feck, welcome to the show.

Kevin Feck: Hey, thanks for having me, Ward. I appreciate it. It's great to be here.

Ward Balcerzak: Glad we were finally able to get this going.

Kevin Feck: Couple, couple, uh, speed bumps, little challenges. Yeah.

Ward Balcerzak: Yeah. We, we got there though. So, Kevin, in your [00:01:00] professional opinion, what's the biggest challenge organizations are facing with data security?

Kevin Feck: So I've got multiple answers for that. I, I think the biggest one, the biggest one that's in everybody's face today is AI. And I hate to be, I hate to be that boy that cries wolf or join onto that AI panic train. But I do think, I do think, I've always been a data security guy. I've always been, my first question, I've been a security architect for, geez, I don't even know.

Formerly for probably 16 years. I've been doing information security for 25, 26, I guess now. Um, and I've always been, I've always focused on the data more than I focused on the technology because in my mind it was always the technology is there to support and secure the data. Right? And, and people get lost in that, especially in IT space.

We. We're all, uh, we're all geeks and nerds or whatever you want to call it these days. I don't know which one of those, but, which, which one of those is pejorative? I don't know. But, uh, we all like technology and we all get, uh, we all [00:02:00] get consumed by the newest flashy object. Um. But it, for me, it's always been about the data.

Tell me what that data is and I'll tell you how much I have to care about it from a security perspective. And I think so I've always been that way and I think AI and Copilot and any of these LLM models where I can put my own data in it, or I can have that data go and find answers for me across networks that may not be secured, has extrapolated that risk exponentially.

And I'm not trying to be that cry boy that cried wolf, but what used to take me weeks or months or, or forever to go out and spelunk data resources, I mean, go search file shares, which one can you get into? Which one can you not? Let's go find sensitive data. Same thing with SharePoint and sites like that, right? Before AI came along, it was all manual spelunking and you probably set off some alerts and alarms somewhere, and Copilot now can go find that for you in a matter of seconds.

So it, it has really exacerbated the issue with properly securing data according to its value, [00:03:00] according to the risk and according to regulatory repercussions.

Ward Balcerzak: Totally, totally agree with you and, and, and, yeah, like when I, when I started out on this podcast, I was like, man, I hope we don't talk a lot about AI.

Kevin Feck: I know.

Ward Balcerzak: The thing, like, I mean, you as, you know, right, being in the industry like myself, you can't go into LinkedIn. You can't go onto the internet, you can't go to a conference without seeing or hearing AI.

And was actually just at one earlier this week, I was at the Innovate Conference down in Marco Islands. You know, first and foremost for the listeners, if, if you're not involved to innovate, you definitely should go. No, I don't get paid by them. But man, was it amazing? I share

Kevin Feck: The location. The location by itself is enough, right? Yeah.

Ward Balcerzak: yeah, yeah. Beautiful Florida this time of year. Absolutely, absolutely. But, um, everybody, all the leaders I talked to an AI concern

Kevin Feck: Yep.

Ward Balcerzak: Of it was either understanding [00:04:00] what kind of AI's in place, right? Shadow AI and all that. Obviously a big issue, but, but shadow services is, is not new at all. The other one was, what the heck does my AI have access to? Which also,

Kevin Feck: Yeah.

Ward Balcerzak: Problem, but what you just said, sir. Absolutely.

Kevin Feck: Yeah, absolutely. It, it extrapolates all those issues that we've known about in the past, but kind, not, not really ignored, but, you know, they, maybe they weren't high enough risk to raise up like they were, like they are now. But now it's just something you can't ignore. You just can't. It's in your face. And if you, and if you don't secure that data, it's gonna be exposed.

Ward Balcerzak: Exactly. So I mean, it's a big problem. We all know it. Um, it's been around for a long time. how are you it's being solved today? Like what, what are, what are you trying to drive to actually try to solve this issue?

Kevin Feck: Well, um, one of the, the big initiative, big, big initiatives that I am working on is securing [00:05:00] my M 365 data, right. Um. Obviously we're, well not obviously, but we're a Copilot shop. Copilot is great. It has changed the way I work. It has, it has made creating security documents or security of literature so much easier and quicker.

And, you know, I don't have to worry about all the, all of the, uh, grammar and everything else I used to have to worry about in the past, it does that for me. I just have to read the content, you know, I, being able to put my basic needs in a prompt and have it scour my resources, have it scour my repos and create documents for me, has made me better at my job and way more efficient.

Um, so our first, or my company's first, first goal this year with a limited AI footprint. And I, I say that knowing all about shadow, shadow AI, right? But with a limited authorized AI footprint is securing that M 365 data. Um. And, you know, we are a data classification [00:06:00] shop. Um, we are a DLP shop that actively blocks certain data types, but the tools that we currently have today are limited in functionality.

They just, you know, they're regex based, they're pattern based. Um, they're, they're, uh, recognition based of certain, specific, very specific documents. And there's only so much you can do with that. Right. So, I mean, I don't have to tell you 'cause I know you're in the same space, but, you know, I have low hanging fruit, um, policies in place where I will block certain data types going outbound, but I have to turn, I have to tune that so much to get my false positive rate low, that I know that I've got false negatives.

I know I've got good data getting out because somebody left the hyphen out of a social security number or left the, left the keyword off, right? So for me, it's, it's moving beyond those basic tool, basic tool sets that I have today. And honestly, you know, I'm, I'm, I'm trying to fix my AI problem with AI. I mean, you, you [00:07:00] just can't make it up, right?

So I, I'm saying, hey, you know, what tools and technologies out there can help me get beyond regex to identify all my sensitive information across my, across my SharePoint, OneDrive, and team sites, right? Granular data classification, contextual data classification, and then I can correlate that sensitive data with the permissions on that data, right?

And I can lock that down. And then when somebody spins up a Copilot chat or a, um, one of the agents, you know, one of the Copilot agents, and it can scour basically any of my, my M 365 instance, I know that I've got my sensitive data locked down to authorized users. So that's the number one. The number one goal for me in 2026 and probably early 2027, is securing my M 365.

And it's simply because we're a Copilot shop and, you know, up until recently, I think that, uh, our security team was seen as a roadblock for opening up the floodgates on AI because we knew, right? Because we knew that that data wasn't as [00:08:00] secure as we needed it to be. And we have to, we have to be seen as a business enabler 'cause they're gonna find a way anyways.

So getting that, getting that, getting that M 365, um, those data repositories up to speed so we can enable a business to do their, their AI usages is a huge, huge win for us in the company.

Ward Balcerzak: I, I really love something, I really love a lot of what you said there, Kevin, but, but something I, I wanna call out for the listeners is your goal is scoped,

Kevin Feck: Yeah, I can't do.

Ward Balcerzak: of, a lot of folks I talk to, they're like, oh yeah, we have an AI problem and we're gonna look to conquer the world, right? We're gonna look to understand all of our data repos and all of our data and all these things, and. A lot of these conversations I end up having. I say, why? Right? That's my first question. Why are you looking to do that, right? What, what are you really trying to drive? And obviously the why is well, we're scared, right? We're

Kevin Feck: Sure.

Ward Balcerzak: all these things and un unfortunately, the logical conclusion, [00:09:00] you know, because you are scoped, is you're not going to be able to do that ocean on day one,

Kevin Feck: Nope.

Ward Balcerzak: You're not gonna be able to do all the things, at least not well. Be able to stand behind it and say, look, we are secure. So I love that you said, hey, you know, we are using, for, for you, it's M 365, for someone else, another listener, maybe your AWS, whatever it is, right? Figure out what, what is your use case?

What are you trying to do, and go after that. absolutely

Kevin Feck: I think if you try to boil the ocean, it's kinda like multitasking. People wanna believe that they, they're good at multitasking, but really you're giving partial effort to everything you're doing. And it's kind of like the old school data protection mentality, right? Some companies, a lot of companies thought, well, I'm just, I'm not gonna do data classification.

I'm gonna protect all my data the same, which means you're really not protecting any of your data well. So

Ward Balcerzak: Yes.

Kevin Feck: you've got to, you've gotta contain your scope and go after what's most important as a priority, and then work from there

Ward Balcerzak: good [00:10:00] point. And they're still out there, right? I think now. At least what I'm seeing and hearing people again are, are saying, ho holy cow, we need data classification. Which the way is amazing. I've, I've tried to push those initiatives for years and, and have had

Kevin Feck: with pushback too.

Ward Balcerzak: of,

Kevin Feck: With a lot of pushback.

Ward Balcerzak: right.

Kevin Feck: There's no pushback now. Yep.

Ward Balcerzak: be impactful. Right. I mean, you name it. Um,

Kevin Feck: Yep.

Ward Balcerzak: And, and I think a lot, curious your thoughts on this, Kevin, 'cause you, you've been around for a while too for, with data security. feel like data classification efforts for years have failed prior to ai

Kevin Feck: Yep.

Ward Balcerzak: due to the manual nature

Kevin Feck: Mm-hmm.

Ward Balcerzak: Data classification.

Kevin Feck: And the cultural change, a hundred percent.

Ward Balcerzak: about that statement? Do you agree?

Kevin Feck: I agree. I've, I've seen companies that said we will not do data classification. Those companies are now doing data classification because there's no way to protect all data the same and do it well. I mean, um, and it, [00:11:00] it is a, there's always been, there's always been players on the market who would automate that for you, at least to some degree, right?

You'd spend a lot of time in tuning because they were regex based, but you could get that done. When we rolled out data classification at my current gig, half the, half, half the difficulty was changing the, changing the culture, getting people to understand that data, why it's important, right?

Getting the, getting them to correlate sensitive business data to their own sensitive data. Right. Would you leave your, would you leave your health records on the street? Then you should probably be a little bit more careful with somebody else's health records. Right. Just getting them to understand the impact and the sensitivity of that data and handle it properly has been, and it still is, the biggest challenge, right?

We are a data classification shop. Like I said, we've got DLP in place for blocking certain data elements if you don't have a need to send it. And we still struggle with that. We still have vendors come up [00:12:00] to us, not vendors, I'm sorry. We still have individual users come up to us and say, you know, I don't, I, I always change my classification to this.

And I'm like, well, that's,

Oh

that's, you know, and getting, and getting, getting people to understand that, you know, personal data is, is what they own, right? You shouldn't be changing company information to personal unless it, you actually physically own it, right? Just it, it, the cultural change is, is huge. And if you go to companies where people, you know, you've got people who've been working in administrative, administrative roles or, or office roles for, for many, many years and they, they were here before we had all these PII and privacy standards and all of that stuff. Right?

And keeping up with that stuff is not part of their daily job. So you've got a lot of education. We do training, we do training videos, we do security awareness videos, we do quick cards. It is a very large effort to get people to understand because, and I know where you're going with this.

I don't care how good your tool is. A tool [00:13:00] will never ever be 100%. If you don't educate those users and have those users actively helping you, your tool will be defeated.

Ward Balcerzak: You gave me the perfect pivot on that, sir. So something you had said, which I also agree with, by the way, I, I probably wouldn't have agreed with you, uh, a couple years ago, but, uh, fighting AI with AI was, was what you had said, right? Uh, you know, kind of, kind of

Kevin Feck: yeah.

Ward Balcerzak: these new, uh, AI solutions with like AI enabled, uh, tooling or, or whatever, right?

I don't, I don't,

Kevin Feck: Yeah.

Ward Balcerzak: have to be tooling.

Kevin Feck: My robot beats your robot.

Ward Balcerzak: Yeah. Yeah. I mean that's, it's, that's interesting, right? Because, um, you know, these tools are coming in, um, you know, certainly vendors are also innovating. You know, you, you said before you've gotten more efficient by use of copilots. So

Kevin Feck: Absolutely.

Ward Balcerzak: I'll raise my

Kevin Feck: Yep.

Ward Balcerzak: I didn't think I would, I thought I was gonna be the, uh, the naysayer forever. But, uh, you know, I'm, I'm definitely leaning in now. Um, so fighting AI with AI. [00:14:00]

Kevin Feck: Sure.

Ward Balcerzak: There's still an AI piece to that, right? Which obviously is from a security perspective, a little bit concerning. Um, those organizations that are starting to look at NI AI enabled technologies, which is just about everything at this point,

Kevin Feck: Sure.

Ward Balcerzak: what do you think they should be looking at, right?

To make sure that even though it is a defense technology with ai, then it's still not gonna be a point of a data security issue.

Kevin Feck: Right. Some of that comes down, comes down to your vendor assessments, right. Um, I do a lot of vendor assessments with my gi with my job too, and, you know, it. It. I'm always concerned, whe, when a new vendor comes in front of me that has been in business one or two years, how mature are they? Right? H heck, it takes you what?

It takes a year or two to actually get a SOC 2 Type 2, right? So if they're a year old business, how mature is their security program if they've got their lead for IT also doing the security? Has that guy ever been [00:15:00] 100% dedicated to security? Back to the multitasking again too. If you're, if you're in charge of the chickens and the chicken and the, and the coyote, right? Which one are you gonna preference?

So I always look at the maturity of my vendors a lot. Obviously a lot of the big names have more money to throw around. Um, the attraction for a lot of the more immature vendors is the price. They just want to get established. So they'll sell your, sell your company a tool that does similar to what a big vendor does for one quarter of the price. But then in the background, they have no security program. They have no SOC 2 Type 2. They have no guy who's ever really just been a hundred percent into security before.

So I think you have to do you, you have to lean also hard into your vendor management. You have to make sure you can have an adequate level, level of trust with every vendor that you have that's handling sensitive information for you, right? Because are they cloud first? If they're cloud first, then they're in one way or another, they're pulling your data into their environment. Well, if you've got a SOC 2 Type 2 and they're scanning your [00:16:00] environment for sensitive data and they're, they got one year in the one year of security experience and they really don't know what they're doing, what they're doing, then you're exposing your data, right?

So. I think that's my, I guess that's a short answer.

Ward Balcerzak: Yeah. And, and we, we can actually expand that,

Kevin Feck: Sure.

Ward Balcerzak: are specifically talking about security, but uh, third party risk,

Kevin Feck: Yep.

Ward Balcerzak: Again, we see this all the time. We see, hey, here's a compromise. But it wasn't us directly. It was,

Kevin Feck: Yep.

Ward Balcerzak: either one, one or two factors away due to a third party risk.

And, you know, again, just about any tool today, um, is getting some sort of AI in, or at least

Kevin Feck: Different levels of AI, right? Different levels, right? Sometimes they say it's AI and it's really machine learning, right? Sometimes it's actually a full blown LLM. Is it their LLM or are they using Anthropic's LLM? Do they have a, do they have a do not train, do not retain agreement with Anthropic or are they exposing my data?

There's a lot there. You actually have to have [00:17:00] a very solid AI governance program at your company. If you're going down the AI path, you have to have people in place who understand actually what AI is, right? You've gotta have your lawyers, you've gotta have your procurement personnel who un understand contract.

You have to have your security people and your technologist who actually understand what that, what they mean when they say AI, AI, because I don't care what kind of. If you've got the old fashioned machine learning, that does an if and then statement. As soon as AI became the buzzword, you changed it to, now I'm an AI shop, even if you've got the old technology. So you better understand that from a technical perspective or get people who do.

Ward Balcerzak: What's actually funny is, is you're right, right, like the, the term AI. Been around for a very long time. It's been around in the vendor space for a very long time. But you are right. You, you, you lift up the hood

Kevin Feck: what's under there.

Ward Balcerzak: and for many years it was machine learning that they were calling ai and it's sure you can call it a flavor of AI in a way, but it's really not, at least not up to today's [00:18:00] standards.

So very,

Kevin Feck: Yeah.

Ward Balcerzak: point. You

Kevin Feck: If I could expound on that a little bit more, right? So you've got a, you've got vendors' AI, you've got vendor, you've got vendors' AI that they wanna run in their compute, and then you've got vendors' AI that you can run in your compute. So you've got more control, right? But just because you have control of that AI doesn't necessarily mean you should put your regulated or highly sensitive data in that AI, right?

You, I mean, we go back to privacy standards. I'm a huge privacy guy. Um, you know, the reason that you collected and process that data, can you justify that reason by putting it to that, to that AI? A lot of times contractually and legally they can, but you need to make darn sure, right? Because that's another usage of that data.

And if you put that data, you put that regulated like take GDPR for example, or some other really stringent PII regulation, you put that data in your locally governed LLM and all and you. And in that locally governed LLM where you're doing a lot of analytics on it, you've got a lot more people with access to that data [00:19:00] than would it would have been just in production processing.

If you've got a breach that's that's, that's could be pretty destructive to your company and your reputation.

Ward Balcerzak: Yeah. Yeah. And it's, it's interesting, you know, there, there's a new role coming into corporate America, a new role that, you know, we, we didn't really see a whole lot. Um, I've actually, you know, by the time this episode airs, uh, another episode will air. Uh, there's now kind of the head of responsible AI

Kevin Feck: Yep.

Ward Balcerzak: out

Kevin Feck: Yep.

Ward Balcerzak: of AI and, and whatnot.

Um, because they are becoming those experts, right on what it is. They are working very closely with security, procurement, whatever, legal, certainly, to get their arms around like, the heck is this thing? How do we use it? How should we use it?

Kevin Feck: Yeah, absolutely. I think every company's, every company. Who's going down the AI journey, for lack of better words, right, is looking at that AI officer. And what's funny is, is like, you know, how can anybody be super experienced with AI when it's really been [00:20:00] only a big thing for a couple years, right? Or not even that long.

So your, your expert may only have a year of experience under his belt, right? So, at least the company's allocating resources to take it seriously no matter how long AI's been out, or no matter how many years that person has experience.

Ward Balcerzak: Well, and it kind of goes back to, and they're not even really jokes these days. It is reality. But like all, all those memes and stuff you see about like job postings.

Like, Hey, you need to have five years in this technology. And that technology's only been around for a year. Like, we're gonna start seeing that with

Kevin Feck: absolutely.

Ward Balcerzak: need to have 10 years, like, hold on, wait a minute.

Kevin Feck: Yeah.

Ward Balcerzak: commodity, you know, AI, real AI has not been around for 10 years. What the heck,

Kevin Feck: Yeah,

Ward Balcerzak: we're we're gonna see that.

Kevin Feck: that's exactly correct.

Ward Balcerzak: the nature of the beast

Kevin Feck: And it evolves almost on a daily basis, so,

Ward Balcerzak: right. Yeah. So keeping up with it is completely crazy. Um, full-time

Kevin Feck: yep.

Ward Balcerzak: just like, uh, just like us in security. So, so Kevin, I wanna go back to the idea [00:21:00] of not boiling the ocean. And I'm not looking for, for specifics on what you're doing, but, you know, hey, you said, hey, we're starting with this thing, right? We're gonna get our hands around it. That's kinda your 2026, 2027 initiative. When, when it comes to expanding that scope, um, how are you looking at that?

Right? How are you determining, okay, cool. Mission, either mostly or complete here. I'm gonna go to this

Kevin Feck: Yep.

Ward Balcerzak: what's driving you, how are you planning for that?

Kevin Feck: Uh, it's based on what I'm responding to, which is not the best answer, right? I wish I could just tackle all things, and I wish I could consult my crystal ball first and, and, and tackle the most important things that are gonna be a priority next year. But like I obviously we're, like I said, we're a Copilot shop, so we're going after Copilot data.

You and I both know that it's a matter of time before they start connecting Copilot to your on-prem file shares. Uh, it's a matter of time before they say, you know what, uh, Copilot's great, but they're a little slow. We wanna, we wanna connect Anthropic to your, to [00:22:00] your whatever, share, to your Snowflake, to this, to that.

So really, I'm going after what I see. I'm trying to pay attention to what the business is doing. Even though it, you know, those priorities seems to change on a, on a regular basis, and I'm trying to respond or be pro as proactive as I can for what I see coming down the pipeline. Obviously, like I, when I talk about AI readiness, which I haven't said on this show yet, but like, you talk about AI readiness, well, you should have had AI readiness a couple years, but a couple years ago, but nobody could do that.

Right? So now I'm, you know, I'm leading AI readiness after, after it's already out of, out of the barn, right? So. Trying to get, I know that that's my priority today. I know other things are coming, like as soon as I get done with my M 365 data, or, or at the same time, but at a slower pace. I want to apply the same technology and the same processes to my on-prem file shares.

You know, I, if, if. I currently have a DSPM for my cloud data lakes. It's a different technology, and this is [00:23:00] probably something you'll wanna talk about as well. It's like, you know, most of us have all these disparate technologies across our environment. You might have, you might have something that does data classification on your on-prem file shares.

Chances are, um, you're, you have a different tool that does your Snowflake instance, and then you might have a different tool that does your M 365 instance. Um, and then you've got file shares too. You've got databases, file shares, M 365 and data lakes, and they're probably all different tools and you've got contracts with those, each of those vendors, and you're looking two or three years down the road when those contracts run out.

Can I consolidate? Can I, and I hate to say this word because I always think these are buzzwords, that single pane of glass, right from a data.

Ward Balcerzak: no, you said

Kevin Feck: I did, I'm sorry,

Ward Balcerzak: it.

Kevin Feck: we have to drink. I didn't bring a bottle, but, uh, but, uh, I mean, it's that, it's that how do I, how do I protect data holistically if I've got different tools that, that are, that are protecting or monitoring data in different environments.

So, you know, and not only do I [00:24:00] have contractual reasons that slow down the consolidation of my tool sets, um, but I've got capability gaps, right? You've got some players on the market who are market leaders in using AI or LLM or intelligence to classify and protect data. And then you've got the other ones, the big, the big dogs on the market, right?

Your, your, your big names who are using older technology. Well, if I, you know, if a year from now I, I'm a firm opinion that a year from now, if you are not using real intelligence in the DSPM or the data security market, you're probably gonna be either be out of business, or you're gonna be that little checkbox that people use when they just need to say, I've got a DLP, I've got a DSM.

It really doesn't do anything. It monitors a bunch of stuff. It doesn't block anything. 'cause I can't trust it. Right. But I've got it. And then everybody else is gonna be like, they're, they're gonna be allocating funds to make sure that they can at least keep up with their competition.

Ward Balcerzak: Well, I think that. [00:25:00] also completely agree with everything you just said. I, I think that piece that you just hit on though, the checkbox. I, I feel like that's been a problem in our industry for, for a long time, right? Like some companies, um, they, they still unfortunately look at security as a cost center,

Kevin Feck: Yeah.

Ward Balcerzak: Instead of a business enabler,

Kevin Feck: Yeah,

Ward Balcerzak: oh yes, we understand we need firewalls. Oh that's a great point actually. Yeah.

And check the box. Right? Unfortunately, which is why. So, like I mentioned earlier, I was at a conference this week. I got to meet and talk to a lot of folks. I had one individual that came up to me and said, Hey Ward, I've got 20.

You were saying before, I've got three solutions that do this thing, right? I've got something for on-prem. I got something for cloud. I got something for this thing. I was like, oh boy. How you liking that?

Kevin Feck: Yeah.

Ward Balcerzak: it. Right. Different rule sets, different capabilities, different gaps. He's like, I'd love to get to one. And long story short, there, you know, through the conversation we, we came to the [00:26:00] realization together like, oh shoot, there there is not one that can do every single thing across the board.

Kevin Feck: at least to that 80% rule, right?

Ward Balcerzak: Exactly. And that, and that's actually where the conversation went. Like, can we do most? And we started talking through, I was like, you know what?

Yeah. Like absolutely. But I, I feel like. And, and we, we've been doing this for years in security, but I think with AI and trying to keep up, I feel like the better together story with with solutions is even more important these days than, than finding something that can check all the boxes, right? Like I, I'm seeing and hearing a lot of companies, if they have a solution that's not great, they can get rid of it, but it's not gonna be assured that they can get something back to replace it.

Kevin Feck: What.

Ward Balcerzak: Or get something that's same or less cost to, to get it. So I feel like we're getting in that industry, we're better together is kind of the name of the game. [00:27:00] Integrations, tightly coupling whatever are, are you seeing the same on your side?

Kevin Feck: I think the better together is a lot better than not ha than than missing coverage, right? I'd rather have five tools doing DSPM and work out a way to share that intelligence across those that tooling than I would, than I would to have gaps. Right. I, so I do, Right. I said, I think, I think better together is exactly the right, the right, the right choice.

And I do think that, I'll go back to what you said earlier about security being set, seen as a cost center, sometimes seen as a necessary evil. Um, I think, and, and, you know, you, you had to have it for regulatory, regulatory reasons or you had to have it for business partners assurance. And now, I mean, it is, it has really brought security.

Data security to the forefront. If you want to use this data and connect it to all these different AIs that you probably don't manage, you better be securing that data. I I 100%, like my, my, my AI [00:28:00] readiness project is 100%. Well, not 100% 'cause I'm a security guy and it's never 100% about the business. Right.

But it is, it's 100% a business enabler, right? And we

Ward Balcerzak: Yeah.

Kevin Feck: know that if we get in the way, people will, you know, either executive management will, will overrule us, right? Or people will find a way to get around you. So a hundred percent a business enabler.

Ward Balcerzak: Yeah. Yeah, absolutely. And um, it's funny that you, you use the term AI readiness. It's actually been that, that's been a trigger phrase for me as of lately, right? Because you, you, you see and hear a lot of people say AI readiness. And what's funny is when I have these conversations with folks, everyone realizes like. It's not really readiness for, for a lot, it's not really readiness. 'cause the cat's outta the

Kevin Feck: Yep. Yep.

Ward Balcerzak: even admitted it yourself. It's more like, oh shoot. Like I, I now need to secure this thing that's already in

Kevin Feck: Exposed.

Ward Balcerzak: I'm

Kevin Feck: Yeah,

Ward Balcerzak: in the marathon to try [00:29:00] to, to catch up with the leader here essentially.

Kevin Feck: Absolutely. It really is. It's playing catch-up, at least for now. Um. I think to some, I hate to say it, but I think to some degree we're always gonna be playing catch-up because there's, I mean, there's, unless you've got a crystal ball, you, you have no idea what's, what's coming next, right. So, and there's always gonna be additional data sources, right.

So, yeah. Hey, it's interesting nonetheless.

Ward Balcerzak: Absolutely. Absolutely. So, so Kevin, uh, an old school data security guy like myself, how excite, I mean, you mentioned it, right? Data security is finally at the forefront again. How excited are you about

Kevin Feck: I'm thrilled. The, you know what, and this is same as you. It's not me patting myself on the back, but maybe to some degree it is. But we've been screaming from the mountaintops about data security, about data protection, and about how it always comes down to the data for our entire careers.

Your firewall's great. Your zero trust is great, but they're all protecting the data and the processing of that data. At the end of the day, that's the most important thing you've got, and there's no way you could [00:30:00] protect it all, all the same, and, and, and achieve the goal that you're trying to, actually trying to achieve.

So I, I'm very excited that, that it's all about data protection now. And back to the, um, and this is, I swear this is not a DSPM commercial, but back to the back to that, that vertical is just amazing. That vertical has blown up. And you know, the convergent, like I said before, the convergence of that, I have no idea where that market will be in a year.

With all these different players, with all their different capabilities. It is. It is very interesting. And you know, I was reading an article this morning. And it was talking about CSPM, right? Your cloud security posture management, and how it was always like at the interface or the machine level, or the blob storage level, and how DSPM is that natural iteration beyond CSPM, right?

Because if I've got a blob storage with public information and it becomes internet accessible, how much do I care? I might care about defacement, but that's probably all I care about. Much different than if that's sensitive information. So it's actually now, it's [00:31:00] actually now zeroing in on the actual target.

So I feel very good about it. I finally feel if like a career from a career wise, I'm in the right space, right?

Ward Balcerzak: Y, yeah. Yeah. I mean, that was, that was me, right? So I started in this about 20 years ago, a little over 20 years ago, and I, I did a lot of consulting around it. You know, ma, mainly government, because, you know, a lot of sensitive, right? Like they gotta secure it. But I remember the last job I was at, I was trying to get a DLP uplift going, and I remember going to my leadership and saying like, we need this.

Here's why we need it. They said, okay, bring out the Gartner MQ, let's talk about it. I said,

Kevin Feck: Oh gosh.

Ward Balcerzak: Exist. There is no Gartner MQ anymore for DLP. And I kind of talked through them like why and how they're doing it now. And, unfortunately the output, at least the initial output of that conversation was, oh, well if Gartner doesn't have an MQ, like we don't need it. And I was like, oh my goodness.

Oh my goodness.

Kevin Feck: Just this Ward guy who stands up.

Ward Balcerzak: both just said.

Kevin Feck: It's just Ward [00:32:00] that says we need it, you know? If they brought in a Gartner consultant and they said you needed it, then maybe they might pay attention. Right. But yeah,

I, I, see. And that's the thing, right? We, we did, and I'm, I'm picking on Gartner a little bit. No, I.

Ward Balcerzak: similar conversations with the others, Forrester and some of the others, and the problem statement, right? Kind of going back to what we were just saying, the problem statement was for many years, organizations really pay attention to data security. Right. They paid attention to the perimeters. Let's make sure we're secure. If perimeter is there, you can't get out. They paid attention to the eds, right? EDR is still hot. They

Kevin Feck: Sure.

Ward Balcerzak: To the NG firewalls, all that identity, right? Identity's getting huge too again. Um, but folks said, look, our data's fine. Behind the walls. Yeah. Might be squishy, but whatever. But boom, AI, copilots, all that hit the market and surveys said

Kevin Feck: All about the data.

Not secure. Yep. Yep. [00:33:00] I, I could, I could not agree with that more. It was all castle moat. It was all perimeter. Um. You know, people thought that all of those things were data protection, and that's just not true. You, you know, you have to identify that sensitive data and you have to, you have to correlate it along with permissions.

Otherwise, it is exposed. It may not be, it'll be exposed externally because people will find a way to exfiltrate it, but it's also exposed internally, which is also a problem that people, to some degree, I mean, they, they've, we've always cared about internal exposure, but not nearly as much as we do now with ai.

Ward Balcerzak: Right. It's made it easier,

Kevin Feck: Yeah.

Ward Balcerzak: made the insider risk either, you know, unintentional or malicious, right? It's made it,

Kevin Feck: Yeah,

Ward Balcerzak: uh, that much easier for them to execute whatever they want to execute, whatever they

Kevin Feck: Yeah. And I, I, I think when you go back to that old school mentality too, right? You start thinking about, um, like, internet gateways, right? I'm gonna block all the, I'm gonna block all the AI sites and I [00:34:00] don't have to worry about it. I don't have to worry about somebody exposing my data via AI, which is just not true.

Number one, there's like 500 LLMs on the market today that are actually ranked, so there's probably another couple hundred that aren't ranked, and there's gonna be more tomorrow. So there's no way you're gonna block all those. There's no way you're gonna use an internet gateway that 100% has its categorization correct.

Because no tool can be 100% correct. Um, then you get into things like, can that user install the, the, the thick client for the AI on their machine, right? Because they're gonna exfil it over HTTPS. So you just got exposed that way. So it really does come, you know, it, it all, it's all becoming data centric at this point.

Finally. It always should have been, but it's finally data centric.

Ward Balcerzak: Yeah, it makes me happy my, my, my career path, right?

Kevin Feck: Yeah.

Ward Balcerzak: For, for years it was like, is data security the right thing? Like I feel like it's drying up and now it's like, oh man, yeah, it is.

Kevin Feck: I mean, it wasn't sexy and it wasn't, it wasn't, it didn't get the attention that it got for a very long time.

Ward Balcerzak: [00:35:00] Well, we've said a few times now, you and I have both been in in the industry for a while. Uh, we're both getting a little long in the tooth, I guess, but

Kevin Feck: Yeah.

Ward Balcerzak: curious, been doing data security for, what was your journey? How did you get to be the leader you are today?

Kevin Feck: I, uh, you know, I started off as a, uh, a server guy. Uh, I was working at a, a law firm back in the day. Um, and we brought in our first firewall and we had a vendor hook it up, 'cause I knew nothing about firewalls at that point, on our internet egress, egress and ingress. Um, I got to see all of the attacks that were being run against that law firm on a constant basis.

And I absolutely fell in love with it because it wasn't just building another Windows server today, standing up another database today. There was somebody actively trying to exploit and, you know, defeat our defenses. So that's how I fell in love with security. And from that point forward, I never took another straight A IT job.

It was always security [00:36:00] focused. Um. I think that, I think, um, a lot of people, some of the best people that I see in security, there's, I think there's two different buckets. I see a lot of people in security who are technologists, really strong technologists. Um. And they usually try to do the right thing, but their real core focus is technology.

And then I see another bucket of people that are people who have a drive to do the right thing. They are the protect people. They're those kind of sheep dog people, right? They would've been a fireman or a police officer, but they realize those jobs may not pay enough. So they go the IT security path, right?

So I, I think that, yeah, I, I see those two buckets and I've always been in the, in the latter bucket. I've always been that, that person who tries to do something meaningful and more meaningful than just standing up another operating system, right? How can I protect, how can I protect my company's data? How can I protect my individual's data?

I mean, so much of this, you'll get me going down a rabbit hole here, but so much of the data that [00:37:00] companies process doesn't belong to them. I'm gonna put my privacy hat back on and say, you know, that's not your data. I've worked at companies before where we paid all of our attention to PCI data because, because we had PCI regulations, right?

And we had to be ma, it had to maintain those in order to be able to process credit cards. But we also had banking account information, right? So as you know, like, if I lose your credit card information, the most you're out is probably 50 bucks. More than likely you're not out anything. I lose your bank account information, you may not be able to feed your family for a week or two weeks or longer. So I've always, I've always fallen into that camp where I, I went after data security because I, it, it was a passion of mine because I could feel like I was doing something bigger than just earning a dollar. So, long story short, that's why I went that way.

And then I've gradually worked my way up, I think. Um. I mean, I, I, I had quite a few jobs in technology in the beginning. I got my CISSP, I think, in 2007. [00:38:00] Um, worked for a major auto manufacturer and then worked for a ma, um, a ma, a clinical research organization, which gave me, gave me HIPAA exposure, which I really cared about.

Um, a lot of people related data. You know, my next job was at a clinical research organization that had a lot of individual data. So I, I found it easy to get out of bed in the morning and go protect those, those individuals' data. It wasn't just, and, not to make light of it, because you care about protecting your business information, right?

You care about protecting your company. You've got your friends and FA maybe family that work there. You've got your own paycheck that, that comes from that. Maybe your company treats you very well and you want to protect that, but you can also take it down to the individual level and protecting those individuals.

So I went from that to a major credit card processor where, like I said, they had an emphasis on PCI data, but maybe not, maybe not data that was more impactful to the individuals that, that processed it, to my current, to my current business, but I've always found the ability to draw, to draw excitement and [00:39:00] passion about doing the right thing in security, based on individual impact, probably more than anything.

Ward Balcerzak: I love that. I mean, passion is, is so important. And I'll share, um, on the data security side. So I've, I, I've built and, and led teams and programs, data security for years and, and the way I interviewed folks, certainly. Do they know the space? Right? Sure.

have a DLP role with a certain technology, do you know that technology is a piece of it?

Obviously, but I, I remember still to this day, I don't remember the individual's name, but I remember still to this day, the strongest person on paper. I was interviewing him. I was like, oh man, like this is gonna be a layup. And said one thing, actually one phrase that made the absolute yes, right, the shoo-in, to, like, nope, not gonna be on my team. And the phrase was, I, I forget what I asked him, but his response was, well, data security's not rocket science, so blah, blah,

Kevin Feck: Oof.

Ward Balcerzak: Whatever the rest was. [00:40:00] And just the way he said it was like, man, don't actually have passion for this, right.

Because, 'cause you're right, it's not rocket science. But the way you answered the question just showed me, like, yeah, you're smart, you know the technology, but you don't actually have a passion for this, and I don't want you then I don't want the smartest person that's not passionate because I want somebody that's,

Kevin Feck: Yeah.

Ward Balcerzak: Yes, smart, going to do the right things, the passion

Kevin Feck: Drive. Drive.

That's right.

Ward Balcerzak: going, right? Learn more things, pick on things, figure out. So that's, think it's a great answer, right? The passion is

Kevin Feck: I. got you into it.

I used to ask people in interviews, um, and still do, uh, you know, why do you wanna be in security, especially if they weren't in security before? Why do you wanna be in security? And the wrong answer is because it pays well, or because it's a great market to be in. It's not the wrong answer, but it's not the preferred answer for me.

To your point, I'd rather take somebody with average skills, with a really strong desire to do the right thing and [00:41:00] to learn and to grow than somebody with really, really great skills who's just checking in and checking out every day. I'll take the former all day, every day

Ward Balcerzak: Yeah,

Kevin Feck: because we can all learn.

Ward Balcerzak: You know, Mo most folks, uh, work to live, not necessarily live to work, but you should still find some passion in your work for sure.

Kevin Feck: Absolutely. It makes life a lot easier if you do. Right. So, as

Ward Balcerzak: Absolutely.

Kevin Feck: as an older guy, it makes, you know, you don't want to hate your job. You don't want to hate getting out of bed every morning. And if you have, if you have passion for what you do, it makes life a lot easier.

Ward Balcerzak: Absolutely. Well, Kevin, I like to ask this question of a lot of folks. I kind of think I know what your answer might be and I'm gonna ask it anyways. So if you could go back in time,

Kevin Feck: Uh,

Ward Balcerzak: however many years, doesn't matter and, and give yourself a piece of advice. What would that advice be? And, and would you take any different paths to where you are today?

Kevin Feck: Sure. Um, I don't know if I'd take a different path. Maybe I would, um. And this is [00:42:00] not gonna be a technical answer. This is back, this is basically back of what you talk, we talked about earlier, right? We've known all along it was all about data protection and we finally got validated by the AI. I think I would've had a lot more confidence back then that I was right, instead of accepting what I heard from other people that, you know, you know, everything we do is about data security and that's just not true.

Um. So I, I think I would've had more confidence in myself back then and probably pushed harder. Not, not accepted no for an answer and just kept pushing and let the chips fall where they may, because I mean, I think, I think we were, we were validated with the AI explosion, right? But we were right all along and AI just proved it.

Ward Balcerzak: Man, that is an amazing answer. I like that. I have not had that answer yet. But you, but you're, you're right. Like I, I guess I, now that you said it, I'd probably go tell myself that too.

Like, look,

Kevin Feck: Yeah.

Ward Balcerzak: you're, you're right. Just keep beating the drum. Don't worry about it.

Kevin Feck: Yeah. And don't back off. Right. If, if pe, if people don't accept that answer, then find people who do, honestly. [00:43:00] So

Ward Balcerzak: right. Kevin, if folks want to connect with you, what's the best way to do so?

Kevin Feck: LinkedIn is, is still the best place to find me.

Ward Balcerzak: Awesome. Well, Kevin, thank you so much for joining me today. This has been a great episode,

Kevin Feck: It is a pleasure. I, I really enjoyed it.

Ward Balcerzak: and big thank you to the audience. Really hope you enjoyed the episode and learned something today. Please tell others in your network to follow and listen. This has been another exciting episode at Guardians of the Data. See you next time.

Speaker 2: That's a wrap on another episode of Guardians of the Data. Thanks for tuning in. For show notes and more, visit Guardians. The data do show. Guardians of the Data is made possible by support from Sentra. To see how we help organizations discover and classify all of their data accurately and automatically while quickly achieving scale data protection without the fuss, please visit sentra.io.

Catch you next time.
