Podcast Transcript

Introduction:
You're listening to the RSA Conference podcast, where the world talks security.


Kacy Zurkus:
Hello listeners, and thank you so much for tuning in. We have a great podcast lined up for you today. Privacy is top of mind at RSA Conference 2022, and we'll be discussing privacy with our guests, Bernard Brantley and Francesca Ginexi, two of the three members of the RSA Conference Program Committee for the privacy track. Here at RSAC, we post podcasts twice a month, and I encourage you to subscribe, rate, and review us on your preferred podcast app so you can be notified when new tracks are posted. And now it's my pleasure to ask Bernard and Francesca to introduce themselves before we dive into today's topic. Francesca, why don't we start with you?


Francesca Ginexi:
Sure. Hi everyone. I'm Francesca Ginexi. I'm an attorney and public policy manager. I'm currently working at Meta, formally known as Facebook. I deal with the privacy legislation on my day to day work. I was part of the RSAC Scholar cohort in 2019, and I am super excited to be back as a member of the program committee.


Bernard Brantley:
Hey everybody. This is Bernard Brantley. I am the Chief Information Security Officer at Corelight. We like to call ourselves providers of some of the best network evidence. This is my first time at RSA on the Program Committee, so I'm really excited to be here and be a part of that. In my daily role, I handle, as you can imagine, all things across security compliance and risk management, including privacy. So this topic really hit home, and happy to share with you exactly kind of what we went through in the process of selection.


Kacy Zurkus:
Awesome. Well, we are super excited to have you both here with us and so grateful for the amazing work that you've done to help bring this program together. Francesca and Bernard, one trend that Brita and I saw come through... And listeners, if you don't know, Brita and I are the content team for RSA Conference. And we read through all of the submissions that come in. So we did read every single one of them before they went off to the different track program committees. And we definitely saw, in the RSA Conference 2022 call for speakers, a heightened focus on privacy. And I think it's really telling that we will see sessions across multiple tracks, from DevSecOps and software integrity, to machine learning and artificial intelligence and identity; all of those, and law as well, that have a focus on privacy policies and regulations, building privacy and... It really is at the cross section of all things security this year. So I'd love it if each of you could tell me about some of the trends that you saw coming through in the privacy submissions this year. Bernard, why don't we start with you?


Bernard Brantley:
Thanks. At the highest level, I really identified three key trends in this years' content. So the first of which being innovation in the privacy domain itself. Secondly, emerging tech and some of the innovative tech and the considerations that must be accounted for with respect to privacy. And then lastly, the formal application of privacy and privacy initiatives with respect to the operational capabilities in the company or in the industry.


Francesca Ginexi:
From my perspective, I found really interesting to see that there's a lot of interest in emerging technology. And I think this is really great. So people are asking themselves tough questions and they're asking, "How does blockchain impact privacy? What are some of the challenges and opportunities offered by 5G in the privacy space?" Or things like, "How do we make sure that privacy and security get embedded in autonomous vehicles?" So I really appreciated the trend of the forward-looking and sort of big-picture thinking that I saw coming through.


Kacy Zurkus:
So listen, there's one thing that you might not realize, is that before our program committee members even review submissions, they need to share are their blue sky ideas. So they sit and talk about, in a perfect world, what would they want to see on a privacy track at RSA Conference. Francesca and Bernard, I would love it if you could share what you were hoping to see come through as privacy topics before you had the chance to read anything. Francesca, why don't we start with you?


Francesca Ginexi:
Kacy, exactly. We [inaudible 00:04:42] and we sort of had a wishlist of things we were hoping to see. We started by asking ourselves, "What would be interesting to see for a diverse crowd?" We know that people who will take part in the privacy track are lawyers, but they're also privacy program managers. They're also in engineers and so forth. So a very diverse crowd. So we were asking ourselves, "What would be interesting for such a diverse crowd?" And at the same time, "What would be topical? What would make RSAC 2022 special? What is something that is applicable to 2022 and makes it unique?" So we definitely thought a lot about the challenges brought by the pandemic and upcoming return to the office, like remote and hybrid workforce, from a privacy perspective. But we were also thinking of this... Particularly me, given my background about global regulation... And we definitely thought it'd be interesting to see what people are thinking outside of Europe and North America. We really wanted to make sure that the session had a fully global footprint.


Bernard Brantley:
I think Francesca nailed it. As a first-timer here in this process, I relied heavily on her and Patty to kind of steer the conversation, really, in distilling down what it was that would be valuable to the attendees for the privacy track. They took the lead. But I was also able to really shape my view of what privacy meant for the industry overall, as a security engineer at heart and an executive in practice. There were a couple high-level things that I was hoping to see, that differed maybe slightly from how this shaped out. But I'm happy to say, in rolling through this process with them, some of my previous opinions changed. But I would echo what Francesca brought, with the slight caveat that I was looking mainly at the operational capability tied to privacy as something that I wanted to come through in this track.


Bernard Brantley:
And then I was hyper-focused on the insider threat piece and how that shakes down with the overall addition of monitoring controls, both within the environment and how that changes given our current hybrid context, given the pandemic. But Francesca was right on. The blue sky really shaped what we were thinking, and then once the content was delivered to us, I think that we had everything that we needed to make some great decisions and bring forward some great content.


Kacy Zurkus:
I love that. And I always think it's so interesting too to talk to our program committees about, "This is where we started with the blue sky. This is what we hoped for before even reviewing any of the submissions." But then there is this reality of... You only can read what comes through, right? So you talked a little bit about the trends that you saw come through in the submissions. And I'm curious to know whether those were in line with your expectations, or... Did you come to see... Bernard, you mentioned having compromised a little bit, changed your expectations a little bit. What was new or interesting that you hadn't expected, for some reason, that made its way to your final list of picks?


Bernard Brantley:
What I was not expecting was the privacy context of some of these emerging technologies; specifically, blockchain on autonomous vehicles, right? Prior to this conversation, and prior to this program committee, that's a domain that I am not working in, or not hyper familiar with on a day to day basis. So to see the level of entries and submissions that had that in it was surprising, but it was spot on. We're living in a world where everything is moving towards autonomy. Most of the net new capabilities that companies are bringing to bear have some type of drone attached or some type of blockchain attached to it. And so that was surprising, interesting, and I think spot on for the audiences there to get something new out of it. With respect to what was in line with my expectations, I think that we've got a couple talks here that are spot on in delivering on the actual commitment or use of privacy frameworks and how you operationalize that, specifically NIST.


Francesca Ginexi:
Yeah. And I agree with Bernard. I think he covered a lot of the things that I also saw in terms of what was aligned with our initial wishlist thoughts. I think the interest in the post-pandemic workforce and the consequences of hybrid workforce is pretty much shared with the submissions that we received. And so, we were pleased to see multiple submissions on the topic. What surprised me is, going back to the point that I made about privacy laws and regulation, I was pretty surprised to see that the interest is still around the EU or US law. We saw a lot of submissions around privacy law in US state law, but we didn't really see a lot of submissions around what's happening, for example, in Latin America or Asia Pacific. And so this is a hope that I have for the upcoming years. I'm hoping to see an expanded interest in those areas, given that more and more companies become globally focused.


Kacy Zurkus:
And it's so interesting, this idea that you have all these submissions, you have these topics that you're trying to cover, yet in listening to both of you, you saw a lot of submissions on X, a lot of submissions on Y. So how did you winnow those all down to a list of final picks? Can you walk us through that process?


Francesca Ginexi:
Yeah, I can get started on that. I think it was a combination of individual and group discussion and brainstorming. So we definitely kept in mind our initial thoughts and our initial lists. And we used that as overarching principles, or to underpin our thinking process here. So first, individually, each of us came up with a list of our top eight submissions, and then we met and we compared our ranking. We look at things like diversity of the speakers. We looked at this in terms of industry, but also the roles that these people cover, gender diversity, et cetera. Diversity of the topics, clearly, because we want these topics to be appealing to a very diverse crowd, as I mentioned before. And also the angle in which each of the topics was approached; for example, compliance, technical, legal, and so forth.


Francesca Ginexi:
When we came up with the ranking and we met up to compare our decisions, if our mutual ranking showed two different submissions on the same topic, then we walk them through and compare their abstract. So we definitely gave priority to those that provided a more in depth, a more analytical synopsis. What we did not want was to have two submissions on the same topic. We definitely wanted to make sure that each and every session was unique. And so, we also looked very briefly at reviews from past years, if the speakers had presented in past years, but definitely that was not the main factor in our decision.


Bernard Brantley:
Francesca, you're spot on. I can't say enough how grateful I am for being on this program committee with two privacy professionals. I learned quite a bit from them throughout this process. But it was crazy to see exactly how closely we were aligned in our thinking on the topics that were submitted and what would be beneficial to the group, with very small variance. We were almost directly in line for our first eight submissions our first pass, and then just slightly out of order in ranking as we started to work through alternates. Those were close as well. So it was very easy for us to kind of talk through the content that was being delivered and really focus on, "Hey, what is the differentiator between these two talks on the same topic?" Or, "What is the differentiator between this topic with respect to the other content that's being presented?"


Bernard Brantley:
So I think we really looked at the overall breadth of coverage we had in the topics and talks that we selected. And then like Francesca said, the completeness of thought, completeness of abstract, and what it was they were bringing to the table. Those were the primary things that helped us decide on, "Hey, these folks are going to provide an awesome experience for those attending RSA and those that are interested in privacy, both to those that are born and bred privacy professionals, as well as new entries to the field. So we looked at things that were also accessible to people who may not have ever been interested in privacy before and just kind of shuffled themselves into the talk because they had a break in the day, or those who have been doing it for a number of years and are looking for a little bit different view on things that they're doing daily.


Kacy Zurkus:
I am just so impressed with your level of analysis, and really, the work, truly, that went into you designing this track. And I want to make sure that that's something that comes across to our listeners, is that this is an all-volunteer group of program committee. And they truly are so passionate about their work that they bring this level of expertise and professionalism and focus to making sure that the program that is delivered at Conference is one that is awesome and everything that Francesca and Bernard just explained. So, much gratitude to both of you, and to Patty as well, for her contributions on this track. The notifications have gone out. So if people's submissions were accepted, they now know that. So maybe you will be the first track that is able to give the listeners a little bit of a sneak peek into which picks you are most looking forward to seeing on the big stage at RSA Conference 2022. Bernard, do you want to start us off?


Bernard Brantley:
We are excited about all of the talks. I know that Francesca's got a couple that overlap with mine, so I'm going to go a bit off of what my favorite is and throw my engineer hat back on and say, "These are the favorites from that perspective." I'm really looking forward to the talk on privacy and IAM and how to bake that in from the beginning, as well as the talk on privacy and automated testing. I think, for the less privacy-focused people in the room and the more engineering or leadership people in the room, they're trying to figure out how to operationalize this. These two talks give a really good framework for implementing this in your workflows or implementing this in your environment in a way that's approachable and allows you to leave the conference with something you can go do.


Francesca Ginexi:
Yeah. From my perspective, I am super excited about the talk about innovation and regulation. So understanding how to build AI and data policies. This is something that I think about every day at work, so it will definitely be really, really inspiring to see how other people are thinking about it and just to see what questions are sparked for the discussion. I'm also super excited to participate in the talk about non-consensual tracking and victim safety, because I think this is a super sensitive and important topic that should be addressed. And I'm really looking forward to that panel.


Kacy Zurkus:
Yeah, me too. That is definitely one of my favorites for sure. Francesca and Bernard, it's always such a pleasure to spend a little bit of time with you. Before we wrap up, do either of you have any parting words for our listeners?


Bernard Brantley:
I just ask that as you go into this RSA Conference, and specifically the privacy track, there's a couple things that you should do. And the first of which is, come with an open mind, right, that privacy has changed over the years; that there are some new topics being delivered; there's some innovative things that are being talked about that don't typically fit the old school thinking of, "This is how privacy applies in my domain." And with that, coming with an open mind, I think that there's a lot to learn here. And as you're going through this conference and going through this talk track, I really hope that you can focus on the human aspect: the people in the room, or out of the room, and the people in your domains, that are going to be affected by these privacy policies or these privacy areas, and what that means for you and how you can help get these things further along.


Bernard Brantley:
Because there's no time, other than now, where privacy is more important to our day-to-day interactions with the technologies that we leverage to do our jobs, as well as the products that we're providing to folks out there and the general populace. And then lastly, take whatever you can and learn and deliver it to those that didn't have a chance to get there.


Bernard Brantley:
So increase awareness around privacy. That's what I've got. Enjoy the conference.


Francesca Ginexi:
Yeah, this is my third RSA Conference. And the most important piece that I've taken with me at these sessions has been really the connections that I've built at the conference and the conversations that were sparked during these sessions. And the brainstorming that happens with practitioners in... Are from your same area, but you probably would've never met if you hadn't attended RSA. So I would definitely recommend, on top of what Bernard just said, to really try and build connections, meet as many people as possible, and really start those conversations and see where they take us.


Kacy Zurkus:
I love it. Thank you both so much, Francesca and Bernard, for joining us today. Listeners, thank you for tuning in. To find products and solutions related to privacy, we invite you to visit rsaconference.com/marketplace. Here, you'll find an entire ecosystem of cybersecurity vendors and service providers who can assist with your specific needs. And please keep the conversation about privacy going on your social channels using the hashtag #RSAC, and be sure to visit rsaconference.com for new content posted year round. Thank you all so much.