
Future of Data Security EP 29 — Age of Learning's Carl Stern on Why Certifications Are Side Effects, Not Final Goals
Carl Stern, VP of Information Security at Age of Learning, explains why forcing controls into place without executive alignment guarantees you'll fight uphill battles every single day, as people begin to see security as a blocker rather than a business enabler. Instead, he starts with identifying crown jewels and acceptable risk levels before selecting any frameworks or tools, ensuring the program fits company culture instead of working against it.
He also asserts that certifications like HITRUST and SOC 2 validate you're already operating securely; the real program is the daily processes people follow because they understand why, not compliance theatre. Carl also argues the cybersecurity industry exists at its current scale because of a systemic failure: companies ship insecure software without liability, pushing security costs downstream. Most breaches exploit preventable defects that should never reach production, not sophisticated zero-days.
Topics discussed:
Building security programs from scratch versus inheriting existing programs and why executive alignment prevents daily uphill battles
Treating certifications as validation of operational security rather than the primary program goal
Pairing administrative controls with technical monitoring to establish baselines before enforcing security policies for unstructured data
Applying three-part investment calculus for lean teams: measurable risk reduction, manual work automation, and crown jewel protection
Calculating true cost of 24/7 internal SOC coverage including shift staffing, turnover, training, and tooling versus managed services
Why attack patterns remain consistent across healthcare, education, gaming, and retail despite different compliance requirements
Explaining how AI lowers the barrier for exploit development and expands zero-day risk beyond traditional high-value enterprise targets
Arguing that the cybersecurity industry exists at current scale because companies ship insecure software without liability, pushing costs downstream
