CISO Tradecraft® #272 - Data Centric Platform Play (with EJ Pappas)
11 snips
Feb 23, 2026 
Ross Young, a cybersecurity pro with banking experience focused on encryption and masking, and EJ Pappas, PKWARE Field CTO skilled in data discovery and protection. They discuss shifting to data-centric security, the blind spots caused by platform sprawl, differences between structured and unstructured data, AI as both accelerator and risk, and why encryption and DLP must work together.
AI Snips
Chapters
Transcript
Episode notes
Protect Data Not Infrastructure
- Data-centric security means protecting information itself by placing protections as close to the data as possible rather than focusing on infrastructure first.
- EJ Pappas explains this reduces motion-related risk and shifts assurance to knowing where data lives and who accesses it.
Data Sprawl Breaks Central Control
- Data sprawl and distributed ownership make "Where is our sensitive data?" difficult to answer because data now lives across endpoints, cloud, SaaS, and many owners.
- EJ contrasts location-first thinking (eg Azure has card data) with value-first thinking (card data exists regardless of platform).
Tell Boards Measurable Data Outcomes
- Report data posture to executives using measurable outcomes like protected data volume, retention limits, and access-behavior metrics, not only platform hardening tasks.
- Use classification to drive protection (encryption, masking, redaction) and report tangible controls and age-of-data rules.