Classify First, Secure Everything Else - Cory Zaner - Guardians of the Data
GOTD - Cory Zaner (real version)
===
Ward Balcerzak: [00:00:00] Welcome to Guardians of the Data. I'm your host, Ward Balcerzak. Each episode will explore the passions, expertise, and real-world experiences of security leaders who are helping shape the future of data security and governance. Guardians of the Data is made possible by support from Sentra. To learn more about our AI-powered data security platform, please visit sentra.io. Let's dive in.
Ward Balcerzak: Welcome back to another episode of Guardians of the Data. My guest today has over 20 years of experience across the energy, manufacturing, and defense industries. He currently serves as a trusted advisor to executive leaders and as a senior enterprise architect for critical infrastructure. Cory Zaner, welcome to the show.
Cory Zaner: Hey, thanks. This is my first time on your show. I'm looking forward to doing it and walking through this process.
Ward Balcerzak: Glad you joined, sir. So, in your professional opinion, what's the biggest data security challenge organizations are facing?
Cory Zaner: I think probably the [00:01:00] biggest is knowing what... They don't know what they don't know. So a lot of data is almost hidden, right? It could be scattered across SaaS, cloud, on-prem. In our environment, we have a heavy ICS or OT environment. I was even talking to one engineer, and they had it in physical notebooks.
So when I think about data, I don't think about just data in the cloud. A lot of companies focus on, "Oh, let's secure your data in SaaS," or, "Let's secure your data in the cloud." And our CTO has the motto of, "Hey, if we lose that one important thing, this is as big a risk as losing 7,000 items or whatnot."
So it's pie in the sky to say, "Hey, we're gonna have 100% coverage on all of our data [00:02:00] everywhere, and have data security."
Ward Balcerzak: Totally agree. And you mentioned SaaS and cloud and on-prem. Once upon a time, back when you and I started our careers, it was relatively easy, right? You had your data center, you had your laptops, and you had, you mentioned it, your physical assets, right? Notebooks and pieces of paper and all that. And now it's crazy, right, with hybrid environments. I think every organization, I don't know that there's gonna be an exception out there, every organization's gonna be a hybrid in some way, shape, or form. So with that, Cory, you're currently an architect. How do folks start solving that, right? How do they start to get their hands around this data real estate problem that every organization's having?
Cory Zaner: That's a good question. I could tell you the direction I gave my team was, hey, [00:03:00] if you have kids, or even if you're in school, right? You don't want a zero, you don't want to not turn in anything. So whenever our children come in, or our high school or middle school students, they come in and they don't even turn in the assignment, they get a zero.
That's not where you start. I think a lot of companies, at least we did too, we said, "Hey, we have these tools, we have these programs, we have these policies, but we know that we're not gonna get 100% coverage." So back to your initial question: first, we should start with data classification, right?
Say, "Hey, what are my tiers of data?" I have a prior DoD background too, and it was either top secret, secret, confidential, and unclassified, right? Not confidential, that's the business. But first you start segregating your data, and [00:04:00] you also want to find your jewels.
Find out what really makes your company tick. Think about KFC, right? They're probably gonna protect their chicken formula faster than they would protect their, I don't know, maybe their email or some other data. So I think once you have that, that's the perfect place to start. So, you know, government, just simple classification, user education.
We could wrap around all the tools that we can, but without the people understanding that, hey, we need to protect our data, that's probably the first thing.
Ward Balcerzak: I like that, data classification. And I'm gonna say I like that for many reasons, but I've actually had two conversations already today, you're now the third, that brought up data classification. And I was sharing a horror story from my own past with one of the individuals. I joined an organization.
My [00:05:00] initial remit was kind of deploying DLP, right? Really the start. They didn't have a good DLP program, so, all right, fine, I'm not gonna call it a DLP program, I'm gonna call it data security, right? Yada, yada, all that stuff. And a couple weeks in, they said, "Hey, congratulations, you also own data classification. Lucky you." I said, "All right. That's fun."
Cory Zaner: Completely different animal, isn't...
Ward Balcerzak: Different animal, but then I started digging into the past, and the mess I inherited was they had tried to do this for two years prior to me joining. Tried and failed, tried and failed, tried and failed. And I said, "Well, what the heck? What's going on?" They had tools. They had some conversations. So since you said data classification, best place to start, what are your thoughts on how to actually be successful with that? 'Cause there's a lot of companies that say, "Yes, I need to classify my data. I agree. Let's do it." But they don't know how to actually be successful.
Cory Zaner: Yeah, first you want to align with a [00:06:00] program. Like we align with NIST, right? And NIST has a really good outline. It says, "Hey, this type of data is confidential. This type of data is restricted." And come up with those three or four tags, restricted, where someone can look at it and say, "Hey, oh yeah, well, I don't want this public," right?
"I don't want this to be everywhere because it's my employees' salary information," right? So, "Oh, let me tag it with that." And so first, make it color-coded. People love colors, right? Red, stop. Yellow, caution. Green, good, right? The stoplight approach, I think that's...
And also there's a lot of... I don't wanna dive into tools, but we certainly can a little bit. But think about user education, user prompts. That's probably the hardest thing, and the mindset to say, "Hey, you're responsible for classifying your data, not the [00:07:00] IT guy, not the person that implemented the system."
It's the owner that's meant to classify their own data, because they know what it's worth. And hey, worst case, you put a higher tag on it than it's supposed to be, right? But that's probably the first play to the user, because, I mean, data security is all about the user tagging it appropriately.
Ward Balcerzak: Yeah. I like that. And I really like what you said too, education. I think that's incredibly important, 'cause I've always said to folks as they're kind of building out their data classification, if your user has to get out a secret decoder ring to understand how to classify the data, you've probably failed. You've probably made it one of two things. You made it too complex...
Cory Zaner: Yep.
Ward Balcerzak: ...or you're relying on, maybe AI these days, right? You're assuming that AI is gonna fix your complexity problem when it comes to data classification, [00:08:00] which I suppose, right, with new technologies, that could be the way to do it. I mean, I've had that conversation earlier. Well, it's Tuesday today, so yesterday, earlier this week, I had that conversation where they're like, "I see this as an AI problem." Okay. Maybe. Maybe we can use AI to help. Let's see. Let's discover that.
Cory Zaner: So I just went to the local HasMug conference here in Houston, and I got a shirt. It had a picture of a person holding poop, coming through the AI, coming through the wringer. I'll see if I can find it.
Coming through the wringer, and at the end, it was the same person, but they were holding this poop-shaped rainbow. So meaning garbage in, garbage out. AI can make things prettier, right? So yeah. So definitely, we could solve problems with technology, but I don't [00:09:00] think we could change the mindset of people with technology.
So that's why my boss always hits me with people, process, and I think that's with ISACA and NIST and everyone else, you always want to focus on your people and your process first, and that's whenever you line up your technology.
But going back to aligning with a program, I think that's the key part. Pick a framework, right? Whether it's ISO or homemade, NIST. That way, whenever you go to the users, they're not arguing with your ideas. Let them argue with the NISTs of the world or the ISACAs or these frameworks. Use that and then scope that according to your company.
I think that's the best place to really start. That way you always have a framework of reference.
Ward Balcerzak: I like that. And I think we could probably take that advice across most things in security, right? [00:10:00] We could make it up ourselves, but why? There are super great frameworks that people have already created. A lot of mind share and energy went into that. Start there, because I'm sure you've dealt with this, Cory. That resonates with executives. "Hey, we're gonna do this thing, and we're aligning it to an industry standard like NIST." And then it's like, "Oh, okay. It's not just Cory's idea. Cool, go do it."
Cory Zaner: Yeah. Exactly, because really, shifting over to this new role really had me focus on the what and the why, because a lot of companies are going to MSPs as well. They're not focused on the how anymore, right? They're focused on the what and the why.
And I think when you take that approach, especially with data security, and let people know that, hey, if this data got out... I like to ask people whenever I'm working their data or their project, "If this got out on the news, if you saw this on the eleven [00:11:00] o'clock news, what would be your reaction?"
If they're like, "I wouldn't care," well then green light it, go, right? No problem. If they're like, "Oh no," I said, "Maybe that's a red. Stop what you're doing." So I think the color codes... I really like what you said about overcomplicating, because I think some of the data classification schemes we've seen are like 10, 20 tags, and it's like, oh, subtag to the subtag to the tag to the tag, and it's like, dude, just keep it simple. Red, yellow, green. Press on.
Ward Balcerzak: Yeah. So the KISS method, right? Keep it simple, stupid. We should definitely employ that in just about everything we do. But I too have seen the overcomplication in tags. You said the subtags. Yes. Been there, seen that a few times.
Where I typically go with that when I see it, I'm kind of like a kid. I've got a five-year-old, right? I do the whole why game. [00:12:00] We have 12 labels. Why? Well, because of this. Why? Right? Over and over, why? And you finally get them to start questioning themselves with, like, because that's best practice. No, in fact, it's not, and let's talk about it. I try to get people to think about where you are going with data classification. Are you doing it because your regulatory compliance says you have to do it? Okay, cool. Great, you're checking a box. Or are you doing it because you're going to feed, I don't know, downstream security controls, DLP, encryption, tokenization, whatever? Oh, yeah, we're gonna do that. Cool. Let's talk about how that's actually done at that...
Cory Zaner: Yeah, that sounds cool, but you put it in front of the user and they're like, "I have no idea what you're talking about."
Ward Balcerzak: Right. And it goes back to the education that you mentioned. I think that's a super important piece. So let's bring that full circle to what we said before. A lot of people now are saying, "I'm just gonna use [00:13:00] AI. I'm gonna use automation to classify." My personal opinion here, I'm curious about yours, my personal opinion is, technology-wise, that sounds great, right? A tool is likely gonna be more accurate than a person nine times out of 10. However, what I think is missing is the education piece, because now the people aren't gonna be data sensitivity aware. They're just gonna do what they're gonna do, everything else be darned, and it's gonna be over-reliance on the tool to actually do the next step. What say you? What are your thoughts?
Cory Zaner: No, I'm with you, because, I mean, a lot of times, even if we think about AI, there's a lot of risks to AI. Prompt injections and poisoning and all that sort of thing. That's at a different level. But whenever we think about AI and we read about the issues, it's typically a person uploaded a document or a person typed in this [00:14:00] data.
AI is not gonna save them from what they typed into AI. So they really have to educate... They have to know that, hey, I don't wanna put my KFC super-secret chicken recipe here into, you know, OpenAI. But they might think that, hey, this is my tenant, it's secure. But yeah, I don't know if I'm answering your question, but...
Ward Balcerzak: I think you are. I think we're saying the same thing, actually. If people don't actually have an idea of what is sensitive and we're just relying on technology to slap a label, or maybe the label's not even visible... I love your idea of color coding. If you don't have a visual indicator to say, "Hey, beware," right? Yellow, caution. Red, stop. Beware, you're about to do this. Or just-in-time prompts that pop up. If you don't have any of that, awareness is likely... They're not gonna know what's going on. They're gonna do whatever they wanna do.
Cory Zaner: And we can definitely rely on [00:15:00] AI and tools, and they are a huge help. I know you work for a strong data security company, and they can help a lot. But they cannot tell us what our secure data is. Where I work, we do a lot of research and development, and no particular AI or data security product can come in and say, "Hey, you should really look at this data, because we understand your business, and we understand that this is what's making you guys a lot of money."
Or the KFC example. Now, they could pattern things like, "Hey, this is Social Security numbers, and PII, and this looks like it might be sensitive. It's got security usernames in it." But they can never point out KFC's super-secret recipe, because to AI, it's just more words.
Ward Balcerzak: Well, you'd hope not. It's not super secret if AI can come in and tell you it.
Cory Zaner: Yeah. [00:16:00] But I do think if you train it, if that user says, "Hey, this is data that I have that our company values," and it says, "Hey, it looks like this," then AI can say, "Hey, now I pick up that pattern, and I could find other data that looks like this." But I don't think it could come in and solve that people problem.
Ward Balcerzak: Agreed. So we talked a lot about data classification, and we started off this episode with you saying the big problem is really you don't know what you don't know, which again, I think we could say about just about all of security. But okay, we got data classification. What's next? Where should people go after they've started to classify their data?
Cory Zaner: Well, see, I think about data retention, but let's leave that as a whole nother mountain to climb. So specifically around data security, then they need to figure out, [00:17:00] once you have those tiers, what you should and shouldn't do whenever you're in that tier. So let's just go back to the stoplight example.
If I mark something red, restricted, should I be able to email it? Should I be able to download it? Should I be able to share it with Billy? And what you do is, again, you go back to that standard that you initially selected, whether it's NIST or whoever, and you say, "Hey, what does that standard or that policy say about downloading data at this tier?" Right?
And that's whenever you could shape your tools to match your program, and you educate people and say, "Hey, did you know if you're marking this thing red, you're not gonna be able to email it, you're not gonna be able to download it. There's gonna be a tag across the header." Right? And you and I haven't even talked structured versus unstructured data.
Yeah. I mean, right now we're talking user document. So I guess if we back up a little bit more, I would say [00:18:00] start with the unstructured, the M365 stack first, your Outlook, your emails, your Word, or if you're on Gmail. I don't know if many people here are using G Suite. I don't hear that almost anywhere anymore.
Ward Balcerzak: Oh, there's a lot of people out...
Cory Zaner: Okay.
Ward Balcerzak: Yeah, yeah.
Cory Zaner: Yeah, but so whatever your consumer-facing or customer-facing system is, for your users to send emails or do documents, that's where I would start. And I'm pretty sure, I get them backwards sometimes, I'm pretty sure that's unstructured data. And then once you have the data classification, that's whenever you start diving into your structured data, your SQL databases, your file shares, right? Your storage accounts, everything else.
Ward Balcerzak: A million percent behind you on that. That is something that I've advised a lot of companies on when I was in the consulting role. Where do I start? And you got a lot of folks who are like, "Oh, we're gonna secure all of the things." The boil-the-ocean approach, which is, we're gonna do all the things.
Cory Zaner: [00:19:00] Even data retention.
Ward Balcerzak: Yeah, we're gonna do all the things. And I always say, you actually said it very well, let's look at your M365 environment. Let's look at your G Suite environment, 'cause chances are that's where a lot of your user-generated content is going. That's being created from scratch, copied and pasted, transformed, whatever. That's where it's gonna be, because I am of the opinion, may not be a popular opinion, but I am of the opinion, and I've seen this plenty of times in my career, it's not just me saying it out loud, that generally speaking, getting your arms around structured data is easier, structured data repositories. And when I say that, I'm talking about databases. It's easier. It's not easy. Nothing in security is easy.
Cory Zaner: Yep. And why is it easier? In my opinion, because it's IT owned, and it's an IT thing, and the customer never sees it. So you could say, "You know what? [00:20:00] I'm gonna remove the customer from the equation, and I'm gonna make the decision." But in data security, that's not the proper way. The proper way is the data owner classifies it. But yeah, finish your thought. Sorry.
Ward Balcerzak: No, I completely agree with you. I was gonna say, it's IT owned. Usually you've got some sort of DB admin. If it's a homegrown application, you've likely built the database. Now, yes, I will fully say out loud for the audience, "Ward, you're talking crazy. That assumes good governance, good hygiene." Yes, if you got bad governance, if you got bad hygiene, if the person who created it is no longer with the company, yes, you could have an absolute nightmare. But that nightmare is likely still a little bit easier than getting your arms around your unstructured data.
Cory Zaner: That's whenever whatever tool you want, whatever shiny object that you bought or you went to a conference and you saw, that's where it could play nice. And [00:21:00] the user might see a new banner on their app or something, but they don't really care. I mean, they don't care until they try to download or share. But you haven't changed that mindset for the user. And that's why we have selected to go almost last. Not saying that the data's not as important, but saying that the most effective way is to start with the user-facing applications first.
Ward Balcerzak: I like that. All right. So, get data classification, color code it, get the awareness out there. You then went to the next part, which was next steps. What are we actually gonna do about it? If you have highly confidential, what can you do? And when you said that, I was laughing. I might have been laughing on video. I was definitely laughing in my brain, because I remember very clearly a conversation I had at one of the companies I worked for. I was working with the legal team. [00:22:00]
Cory Zaner: Okay.
Ward Balcerzak: Surprise, lawyers, gotta love lawyers. And they said, "Well, Ward, why wouldn't I just mark everything highly confidential and call it a day?" And I said, "You could. I'm not saying you can't, but you're not gonna be able to email it." And I kinda got that weird look. I was like, "Look," I forget the person's name, it doesn't matter, "Look, Sally, you can do that. You can absolutely do that. Nothing wrong with it. But the downstream security controls are gonna prevent you from actually sending that externally, or it's gonna prevent you from sending it externally to anybody but so-and-so. Maybe it's whatever B2B relationship we have going on...
Cory Zaner: Maybe it's the Gmail account, right? Yeah.
Ward Balcerzak: ...there." Right. Yeah. No Gmail. Well, we have some customers on Gmail. Okay, that's cool. Either give me that information so we can build kind of a trusted list, or don't mark everything highly confidential if it's not actually...
Cory Zaner: 'Cause it aligns back with your standard or your policy you've adopted, and you just say, "Hey, [00:23:00] we've adopted this." Now, hopefully when you built your program, you didn't do it in a bubble with you and your security manager; you pulled in legal and you... So whenever you said that, hopefully it wasn't a shock to them, just, "You're what? You're doing what?"
Ward Balcerzak: And actually, going back to what I told you, I inherited data classification. Two years, it failed. That was actually why I started talking to legal and HR and those teams, like, "Hey, I'm Ward. Nice to meet you. I inherited this mess. Why is it a mess?" They're like, "Well, what are you talking about?" I actually had that a few times. "What are you talking about?" I'm like, okay. Here's why it failed. Nobody talked to you. Let's fix that.
Cory Zaner: Hmm, do we need legal and HR involved in a multi-billion, multi-million dollar company whenever we're talking data classification? The signs point to yes.
Ward Balcerzak: My three go-tos for every data classification issue, my three initial [00:24:00] go-tos, obviously it's the entire business, but the three to start with are going to be legal. Gotta have the lawyers, even though you love to hate them. Gotta have the lawyers. Privacy, because a lot of things go back to privacy regulations, and sometimes it's the same team, legal and privacy. And certainly HR, because HR touches a lot of that data, but also they're generally gonna help you, hopefully, if you have a good HR department, with some of those employee trainings, and also the bad side of it, which is what are we gonna do with these people if they violate the policy? What'll be the HR repercussions?
Cory Zaner: Yep. And you're right, and you've also formed a... Now, hopefully you don't meet once, but hopefully you've formed some sort of committee. I think some people might call it a privacy committee or a data committee or whatever you wanna call it. Try to meet with them, so whenever there's a change to classifications or a change of, "Hey, we need to move this data type to restricted," or, "We're gonna push some..." [00:25:00]
So they're educated, so whenever you sit in front of them and say, "Well, you don't wanna mark everything restricted," like you said, because you can't knock your email. They'll say, "Oh, well, yeah, I know. That's because we work with lawyer so-and-so, and we agree." So yeah. I think some people call them steering committees.
Ward Balcerzak: Steering committee. Yeah, I've heard that a few times. You know what's interesting on that is, yes, listeners, if you're not building some sort of governance committee, a steering committee, whatever, please do so. I think one of the hardest parts about building that I've seen, it's like any other new shiny object, any other new thing, you get a lot of interest up front, right? A lot of people are like, "Oh yeah, I want to help. I want to help." But the interest dies out, right? And it's like anything in corporate America, nobody wants a lot of meetings on their calendars. They're like, "Oh, do I really have to attend that thing?" I think what I've seen is you have to drive ownership into each and every one of those [00:26:00] individuals. A sense of ownership, extreme ownership, if you will. Like, "Hey, we will not be successful if you are not in that virtual chair helping out with this committee."
Cory Zaner: Well, because we need, in your example, we need privacy input. There are privacy lawyers out there; that is their sole bread and butter. And you give them a couple compliments, you tell them how important privacy is... Everybody cares about privacy, and HR, oh, HR data is number one, and that's their most critical data. Yeah, you have to lift them up a little bit. I think that's kind of what you're saying, keep them excited. And that's where I think our role as security professionals comes in, to let them know, "Hey, this is the risk, this is the risk of a win-in, and this is the value that you're bringing to those committees." We just cannot be a fly on the wall, especially a good security [00:27:00] professional.
Ward Balcerzak: Completely agree, and I think you hit the nail on the head, good security professional. There's a lot of security professionals out there. There's a lot of security professionals that don't like to do what we're talking about, which is partner and talk to individuals. So Cory, you're an architect. You are working with executive leaders in your company, and I'm sure you know other executives out there. How have you built some of those skills, some of those soft skills that typical security folks don't like doing? Let's be real, they don't like dealing with the public. How have you built some of that up to actually be successful in your role?
Cory Zaner: That's a really good question. I think a lot of my military experience has taught me to communicate well. Like my son, he's active duty Air Force, and he's like, "Well, you know, Dad, what type of things do I want to get out of it? What type of things?" I said, "Soft [00:28:00] skills are number one." I think the Bible's pretty clear too. I don't want to make this a biblical show, but, you know, hey, hear more than you talk. This kind of doesn't apply to us on this show, right? Because we're talking. But try to listen. Like whenever you inherited the data security program, it sounds like you went to them and you listened. You didn't just say, "Hey, data security is so important. Follow Lord Ward around. And we're gonna do data security because I said so." And also try to look at their point of view, right? So I bet you if they say, "Well, data security is important, but I really want to email my data." Well, you can, as long as you classify it correctly. It's not an easy skill. And you're right, I've seen a lot of, we'll call them IT folks, that just find it very hard to communicate. But just listen more, try to talk a little less, and [00:29:00] try to go in open-minded and just put on a different pair of glasses whenever you're talking to the lawyers and the HRs.
With HR, they're employee-front, so maybe they go to a trade show and they try to recruit people, and you say, "Hey, you can't use your iPad." It's like, well, this is how I'm showing new employees how to enroll and stuff. And if the security guy says, "No, well, NIST says you can't do this." And it's just like, well, not everything... There is a way to put too much security in the things that we do. It's just like, we could lock it down, you can't do anything. We could shut down the internet, right? But you...
Ward Balcerzak: Oh, man.
Cory Zaner: ...to do your job.
Ward Balcerzak: I like what you said there, and I'm actually gonna do a call-out. I have not done this yet, but I'm gonna make a call-out to one of the listeners, Andrew Zizzo out there. You're gonna love him. I'm about to say the phrase that you're always calling me on. Be the department of know, [00:30:00] K-N-O-W, and not N-O, right?
Cory Zaner: Funny.
Cory Zaner: I think my b- my boss would also like that too. That's kinda, that's kinda his, his thing as well is, "Hey, we're gonna, we're gonna be the department of no, and know what you're doing, uh, enable people to work securely." And, uh, that's what the, the CISO of AWS said. He, you know, he went on and, and, a-and he's like, "Hey, we need to enable people to work securely."
Ward Balcerzak: Yeah, yeah. If, if you're just simply saying no for the fun of it, and I was there when I first started in security, I had a lot of fun just saying no all the time. Like, why not? I can tell people no, and why? Because I'm security.
But guess what? It wasn't successful, right? They were gonna find or try to find ways around the controls at that point. Corey, you, you've been in the industry for, you know, over 20 years at this point.
Um, you've been in multiple industries. What was your journey? How did you get to where you are today?
Cory Zaner: So I actually, um, actually started working on printers and copiers, uh, out of, out of high school, and [00:31:00] kind of felt like a dead-end job. This was in the early two, 2000s, you know, Y2K, everything else. But, uh, it was right after 9, 9/11, I said, "Hey, I wanna, I wanna join the Air Force," right? So, uh, I joined the Air Force as a network, a network communication cryptography person, right?
So with the basic, basic training, almost a year at tech school learning electronics and, um, networking, OSI model, servers, inf- infrastructure, you know, POTS, Plain Old Telephone Systems. And then, um, you know, throughout my career, the first three years I was in, in, uh, southern Japan working in, in top, top secret environments, really cool, you know, doing SIGINT stuff and really helping the mission.
The last three years in the Air Force I was working on a, a, a drone program called Preda- Predator. It's when the, the Predator and the UAVs, they're p- they're popular now with what's going on, uh, in Iran. Um, and then I got out. I, I, I got a really good, good, [00:32:00] uh, role with Raytheon. So, um, so you know, I was selected for, uh, for, uh, for that role. We called it cloud security architecture, which, um, I mean, this maybe five to six years ago, I was like, "What's, what's cloud security, right? Why don't you just the security guy?" But really we focused in on kind of like you said, the, you know, the data security, the, the, the, the, the, the business outside the f- the firewall, iden-identity security.
So I ki- I, I built that program. I had a really strong team of, of architects. Um, so we, we built up the, the program again. We started from the what are the myths today, and then we, we worked our way down. And then here recently there's a reorg, and they, they created a new division, enter-enterprise architecture.
Uh, and that's where I've been for the last two, two years. I really like it, the enterprise architecture, and I have a really strong security focus. I'm the only security person on there. Uh, but you know, so I work, I [00:33:00] work hand in, hand in hand with the CISO, CIO, right? To kind of help shape that direction.
But it's given me a, a different view for the business, um, which a lot of security or IT people don't understand the business a lo- at all. So it, it's been a, an, an in- an interesting ride, and I'm curious to see what's next or what's... Yeah, I'm still, I'm, I'm still young, so I still got, you know--
Ward Balcerzak: That's--
Cory Zaner: ...a cou- a, a couple more years.
Ward Balcerzak: Love it. Quite the journey. So, uh, Corey, if, if folks want to connect with you, is LinkedIn the best way to do so, or is there any other good spots?
Cory Zaner: I like LinkedIn. I think, uh, I think a lot of people use it. You know, I've been to a lot, a lot of conferences. I think people really encourage LinkedIn posting, uh, and that's kind-- It's the Facebook for, for professionals. I mean, uh, there's things like Discord. I, I don't really go on Discord. I think it's, it gets busy, y- you know, but you get-- take a l- a long time to catch up.
But yeah, I mean, connect with, with, with me on LinkedIn. Um, al- al- [00:34:00] always a little wary of some of the s- the salespeople that just wanna connect and, you know, two minutes later you have something in your inbox. But they're-- It's, it's a, it's, it's amazing, Ward. I mean, I mean, you kinda worked for a semi startup, and you and I have discussed this, but the rate of change in this space for the past three or four years has been so fast.
And I can't imagine the rate of change in the next couple years with, with AI. So, you know, I, I've taken a different stance of giving the, um, the new startups more opportunities because they, they might solve problems faster than we ever could with some of the, the bigger vendors.
Ward Balcerzak: Oh, yeah. Little, little more agile sometimes, right? Like some, some of those bigger vendors that are kind of behemoths, right? They're slow to move, like an aircraft carrier moving around by a tugboat, whereas, uh, the startup's a little, little more scrappy, a little more agile. Absolutely.
Cory Zaner: Because I mean, as I, I think about Wiz and, you know, we were one of the first customers with, with Wiz and look, and look at it now. I mean, you [00:35:00] worked for a... I, I don't know if you advertise your company you work for, but you know, I mean, you worked for-- They, they started small because we had discussed this with them a few years ago. They're small now. They're growing.
So, um, I think it's, I think it's a, it's an exciting, exciting time and with SaaS and cloud, the risk of onboard and off-board, it's, it's decreasing so much. Like 10 years ago, we used to have to deploy a server and rack stack some things and, you know, get the hardware, get everybody involved, and it took six months to roll something out. Now, with cloud technologies and API, APIs, AI, I mean, you're up and running in a couple of weeks.
Ward Balcerzak: Corey, thank you so much for joining the episode today, sir.
Cory Zaner: I appreciate the opportunity. Thank you.
Ward Balcerzak: And big thank you to the audience. Really hope you enjoyed the episode today and learned something.
Please tell others in your network to follow and listen. This has been another exciting episode of "Guardians of the Data." See you next time.
Speaker 2: That's a wrap on another episode of Guardians of the Data. Thanks for tuning in. For show notes and more, visit Guardians of the Data dot show. [00:36:00] Guardians of the Data is made possible by support from Sentra. To see how we help organizations discover and classify all of their data accurately and automatically, while quickly achieving scale data protection without the fuss, please visit sentra.io.
Catch you next time.