Imperva’s Terry Ray on the Impact of Generative AI on Data Protection

In this episode of The Future of Data Security podcast, Jean speaks with Terry Ray, SVP of Data Security GTM & Field CTO at Imperva, who shares his extensive experience in the field of data security. He discusses the evolving landscape of cybersecurity, particularly the challenges posed by generative AI and its implications for data protection.

Terry emphasizes the importance of understanding data usage and implementing robust monitoring practices to mitigate risks. He also highlights the need for clear communication within organizations to enhance security efforts, and shares his insights on how to navigate the complexities of data security in today’s digital environment and ensure your organization stays protected. Here are the top 3 takeaways from the interview.

#1: Close the Gap Between Security Technology and Skills

“They have all these reports they want to get, and yet there’s still gaps, they still have problems. There’s still breaches, there’s still exposures, there’s still all of these things. And so the board and the C suite, they’re all asking, ‘it just happened to company XYZ down the street. What are we doing to make sure we’re not going to be like them?’ Well, we bought all the technology, we’ve deployed it all. 

“But to be fair, the skills haven’t totally caught up with the technology. People can deploy things, but then they’re in the back of their mind, I still believe, and I’m confident of this, they’re not certain they’ve done everything they need to do, even with the technology that they have.

“And that’s why you see the industry rising up and saying, okay, let us tell you what you need to do next. Let us tell you what you need to do more. LinkedIn got this a long time ago. When you go to LinkedIn, it says your profile is 80% done. There’s 20% more things you need to go do. Security technologies have to do the same thing. Tell you what is that other 20% that I haven’t done that’s going to make me better than I am today?”

Actionable Takeaway: Despite having cutting-edge security technologies, many organizations still face breaches due to skill gaps. It’s critical for security solutions to provide actionable insights, much like LinkedIn’s profile completion percentage, to help teams understand what more needs to be done. Closing this skills gap will reduce uncertainty and improve security.

#2: Treat AI as a Privileged User

“At the end of the day, while there are exploits that can happen on AI throughout AI’s maturity, through model selection, through education and learning, and then ultimately into implementation, the reality is, from a day to day perspective, organizations have to treat AI as they would a privileged user on their system. Monitor them. They need to still encrypt the exact same data they would have been encrypting before. And they need to have guardrails on it so they know it’s allowed to access these assets, these resources in the ways it’s supposed to and keep it inside its guardrails and it’ll be fine. 

“But I think it’s this learning curve that’s a hard one, because honestly, take AI out of the equation, most organizations today, even though the technology exists, still actually don’t do a great job at doing data security. They still lose data, they still fail in terms of doing data security. So AI is just another complexity to add on to this stack of things that organizations still haven’t caught up with bad actors on yet.”

Actionable Takeaway: Treat AI as you would a privileged user in your system. Monitor it, and apply the same encryption and guardrails that you apply to sensitive data. While AI presents unique risks, the foundation for securing it lies in existing best practices for data security, which many organizations still struggle to implement.

#3: Balance Regulatory Compliance and Cybersecurity Investment

“Cybersecurity teams know that they are tasked with securing data, but at the same time, they know, for the most part, the only budget they’re going to get from executive staff is regulatory compliance. You’re guaranteed to fail an audit once a year, twice a year, you’re going to be audited. There’s no question, you will be audited. If you’re in a regulated system, you will be audited. You will fail, and there will be fines or there will be consequences. So you will get budget for that. 

“You very likely will not get budget for boiling the ocean on cybersecurity, even though a CISO might want to. The reality is, unfortunately, sometimes either you have a forward-looking executive staff, you have a very persuasive CISO who’s really able to tell the story. Maybe on a good day, you’ve got a peer or even a competitor who just got hacked. And now you can point to that and you didn’t need to get hacked, but they did. And now the pocketbooks open up or you have to get hacked. That’s the unfortunate thing that I took to heart. And it’s the conversation that we’ve had to have year after year after year with customers.

“And I think that that’s one of the catalysts for organizations, vendor organizations now today saying there has to be a way that experts can more convincingly educate executives and boards that you may pass a regulation, that may be great for you. However, it’s really important to be able to put a number and a metric and a threat against all the other things that you haven’t done in front of the executives so that they sign off on it and say, we accept that risk. We understand that all of these assets that we have no controls on have an astronomically high risk, and we accept that we’re not giving you budget for it.”

Actionable Takeaway: Cybersecurity budgets are often limited to regulatory compliance, leaving critical areas underfunded. Executives must be educated about the risks they are accepting by not investing in broader cybersecurity measures. Presenting metrics and potential threats in a compelling way can unlock budgets before a breach forces reactive spending.
