
Stepping Beyond Checkbox Compliance: Building Real Security and Meeting Legal Demands with De'Von Carter
About This Episode
In this episode of To the Point Cybersecurity Podcast, hosts Rachael Lyon and Jonathan Knepher are joined by De’Von Carter, a cybersecurity attorney with deep roots in network engineering, privacy law, and risk management. Currently, he is the Compliance Director at Truist. Together, they unpack why checkbox compliance falls short and how organizations can build security programs that actually reduce risk while meeting legal demands.
The conversation explores the growing shift toward more prescriptive regulations, how to operationalize new requirements across large and small organizations, and why evidence collection, logging, and incident response planning matter long before an audit or breach. De’Von also shares practical guidance on involving legal counsel during incidents, minimizing data collection to reduce privacy risk, and balancing the promise and pitfalls of AI in cybersecurity.
Walk away with clear, actionable insights on aligning legal, technical, and business perspectives to build resilient, defensible security programs in an increasingly complex regulatory landscape.
Welcome, De'Von Carter
Rachael Lyon:
Hi, I'm Rachael Lyon, here with my co-host, Jon Knepher. Jon, hello.
Jonathan Knepher:
Hello, Rachael.
Rachael Lyon:
So I have to tell you, I've been cleaning out my storage closet, and I got my grandmother's piano, and I brought it back to the house. And for anyone trying to relearn the piano after not playing for like 35 years, it's quite, quite an interesting activity. My brain is like exploding, but I feel like it's going to come back any day now.
Jonathan Knepher:
But I don't know, it'll come back as soon as all those fingers learn to work together.
Rachael Lyon:
Yes, yes. The nimbleness. I gotta get back. For sure. I gotta get back. Well, we're gonna have a really fun conversation today. Anytime we can look at security through the legal lens. It really is fun and fascinating, and I'm excited to welcome today's guest, De'von Carter.
Rachael Lyon:
He's a leading cybersecurity expert, specializing in privacy law, risk management, and security solutions with certifications including CISSP, CISM, and CIPP US. He advises a wide range of clients from government agencies to multinational corporations on protecting critical information and ensuring regulatory compliance. No small feat. Welcome, De'von.
De'von Carter:
Thank you for having me. You mentioned piano, and I was just at my son's piano recital last night. Oh, wow. Yep, yep.
Rachael Lyon:
That's wonderful. He have any tips and tricks for getting back in the groove? I would love them. It's been a slog trying to get through the learning handbook by myself.
De'von Carter:
Absolutely. I'll ask him and get back to you.
Rachael Lyon:
Thank you. Thank you for that.
De'von Carter:
I appreciate it. Excellent.
Jonathan Knepher:
Well, De'von, let's jump right into this. Can you give us some background about how working in cybersecurity, compliance, and so on? And of course, being an attorney and on the legal side, how has that shaped the way you approach cybersecurity strategy?
De'von Carter:
Well, a big thing for me, you know, a little bit about my back, my background. I started off as a network engineer. Cisco routers and switches, Arcitel, and the like. Moved over into network security, firewalls, intrusion detection, and intrusion prevention. I did wireless penetration testing, infrastructure architecture, cyber architecture. So I've done a lot over the years, and I say all that not as a brag, but to make you understand how it kind of shapes. I like a holistic view of everything.
Rachael Lyon:
Yes, yes.
De'von Carter:
Right. So it's not just about compliance. It's not just about the architecture. It's not just about the legal side or just the technical. They all have to work together. So when I. When I work on a project or when I'm doing something, it's from that lens to try to be holistic about it.
Rachael Lyon:
Nice. Yeah. It's interesting you say that because we've had another person who was, I think, an ER doctor.
De'von Carter:
Right.
Rachael Lyon:
Not that long ago, but he had always been kind of a hacker in the background or a white hat hacker in the background. But it does. It gives you that a special lens. Right. Into how we need to be thinking about this. Because as we all know. Right people. Privacy by design, security by design, those are really important topics that we continue to talk about.
Rachael Lyon:
But also, how do you actually do that?
De'von Carter:
Right.
[03:55] Compliance Versus Real Security
Rachael Lyon:
Versus on the back end? So I love that you can bring that perspective of both sides to this conversation today. I would love to talk about compliance. Right. Because that's such a hot topic. And as we look at that landscape today, what are you seeing from a legal perspective and clients that you're working with? A lot of times, compliance is compliance being treated as like a checkbox effort, or people actually, you know, like going above and beyond, kind of what that baseline, you know, meeting the standards need means?
De'von Carter:
Well, I would say it's a bit of both. It really depends on the organization. Right. The better organizations tend to think about or focus on being secure first. And as a result, they are compliant versus somebody trying to be compliant to say that they're secure. One of the things that we, you know, most practitioners understand that just because you're compliant with the law doesn't mean you're actually secure. And a lot of people, you know, unfortunately, they need to check the box just to ensure they're staying out of trouble. But when budgets get crunched, resources are limited.
De'von Carter:
They tend to only focus on what's enough to be compliant and no more. So that can be a struggle. You have to kind of work through that and demonstrate very clearly to the client, like, hey, this is a real problem. It may not be a problem now, but if you continue to kick it down the can, to kick the can down the road, it'll grow on you.
Jonathan Knepher:
How do regulations fit into this? And how quickly are regulations changing that? Folks have to take that into account as they're building these compliance plans?
De'von Carter:
Well, you know, the compliance programs are based off the regulations in a lot of ways. Right. The purpose of the compliance program is to ensure that you are being compliant with the regulation. The thing that I am seeing from regulations now that I kind of think it's good: they're becoming more prescriptive, not so much as high level as they used to be. That used to leave a lot of wiggle room for companies to kind of say they're compliant, but not, you know, just kind of wiggle around it. Well, now they're, they're telling you more about, hey, you need to do X, Y, and Z. And what that does is it makes it more clearly defined for the businesses, for the organizations, and what they need to do. So from a regulatory standpoint, that is a trend that I like.
De'von Carter:
But you know, we also have to be careful there. We don't want them to become too prescriptive. We don't want them to go too far to start talking about using this vendor or that vendor. Now, I don't, I don't think they would ever do that. But there's still a fine line. I think companies need the autonomy and the flexibility to choose which solutions best fit them. And so as long as they give enough direction to kind of get them in the ballpark, then allow the company to do what they feel is in the best interest of the company while still being compliant and secure, I think that's the best way.
Rachael Lyon:
Speaking of regulations, there's so much happening in the world today, particularly when we look at AI and the European and the US Perspectives. And as companies face more regulations coming online, they have to figure out a way to operationalize these and create repeatable processes so that they can be compliant. What are the steps people should be thinking of when something new comes online, and they need to start implementing, implementing it across their business and infrastructure? And there are probably two, two answers here. Right? There's the larger organization. Right. And then there's the small business organization, and probably two very different approaches.
De'von Carter:
Yeah. But I would say the first step is making sure that you consult with your legal team, your compliance team, and make sure you have a clear understanding of what the law is asking for. There's the letter of the law, and then there's the spirit of the law. So you want to make sure that those things are converged. Right. You want to make sure that you're meeting both, because one without the other can cause you problems. Right. I would say from a larger organization, once you have an understanding of what the regulation is asking for, the first steps is to get with all the stakeholders, make sure they understand what's going on, because without the stakeholders having buy in making sure that they understand the risk associated with not being compliant or going against the regulation, then you're not going to get the resources necessarily that may be needed in order to execute on a compliance plan.
De'von Carter:
As far as specific steps, it really kind of depends on the organization. A larger organization, it's going to take a while because they may have to adjust policies. They may have many policies and procedures that are already in place that may go against that regulation. What's going to happen is they're going to have to go through whatever process they do to update their policies. And most people within a corporation, especially large corporations, they're not going to move until the policy says they have to move. So that's a natural or first step they would take. Once you do that, you want to start getting with your technology teams, making sure they understand, or getting with legal compliance and technology to make sure they converge to understand what needs to happen and find appropriate security controls or the appropriate plan to get the security controls in place to move things along. Now, on the smaller business side, they can usually be a lot more nimble, right? They don't have to necessarily use the big box tools, really expensive tools. They can find other options that will help them to bridge the gap.
De'von Carter:
And so I find it can sometimes be a little bit easier for small businesses. Depending on the regulation. Right, depending on regulations.
[10:06] Operationalizing Regulations and Evidence Collection
Jonathan Knepher:
So a lot of these regulations and security compliance certifications require businesses to demonstrate that they're meeting all of these obligations. What's your advice on how to appropriately collect and operationalize the collection of all of that evidence? Because sometimes it feels like it can be overwhelming.
De'von Carter:
Oh, it absolutely can. I highly recommend there are a lot of compliance tools out there that kind of simplify things from an evidence gathering standpoint. A lot of them have the regulations built into them, so you can kind of implement those things to really help to organize the evidence collection, to organize the whole process as far as the evidence portion of it. That's what compliance does, a lot compliance kind of works with them to make sure they understand what is the best evidence that would demonstrate compliance. And then we start building processes around so that they can regularly pull that same type of data each time. What you don't want is a different type of evidence every time you do the assessment, because that gets confusing. It's hard to track your improvements or your deficiencies if they grow over time. So having a uniform process for the specific type of evidence that you require and that's going to take time.
De'von Carter:
Right. Because compliance needs to go through and see what evidence is even available. Are we even collecting it? Do we have logging in place? What type of metrics are we collecting or looking at today? Do these metrics have a direct correlation to demonstrating compliance with that regulation? Right. So all that has to be assessed. You know, we have to make a determination of what we need to do once we assess those things.
Rachael Lyon:
Now, what about those that take a wait-and-see approach? De'von, you know, like when GDPR came online, I know there were a lot of organizations, they're like, you know what, we're just going to sit on this for a little bit. And you know, their decision calculus was, well, we'd rather pay the fine because to become compliant would actually cost us more money. You know, are you seeing kind of changing attitudes toward, towards these things, and you know, kind of the bigger, bigger lipped regulatory compliance regulations that come up?
De'von Carter:
Well, what we're seeing is, I mean, those fines are pretty hefty. So it's usually going to be better to go ahead and try to get in front of it as best you can. Right. Even if you can't do it all at once. What I tell clients is like, look, how do you eat an elephant? One bite at a time. Let's just take care of this small piece first. When we get there, we move to the next piece. Because what is always a good thing to be able to demonstrate, even if you're not fully compliant, is that you have a plan to get to compliance and that you've been executing on that plan consistently over time.
De'von Carter:
That tends to help to limit the regulatory blowback should something bad happen. Right. So I would say doing nothing, not really a good option. Right. Even doing something. Small steps, small bites. Over time, eventually, you get through that whole elephant, you start to make real strides.
Jonathan Knepher:
How do you suggest people work on the design of their infrastructure, their networks, and their policies and procedures early so that they, so that they have the right policies and procedures in place, especially around things like data collection, privacy, and third-party data sharing.
De'von Carter:
The big thing is understanding the business. You know, I don't think. And it's getting better now, but early in my career, technologists didn't care what the business were doing. We were just going to make it secure. Right. Well, that's, that's changing. Right. Because businesses are far more complex, far more integrations and all kinds of stuff going on.
De'von Carter:
So I need to fully understand what your business is doing. What, why are they collecting the data? Do you even need to be collecting that type of data? How is that data, you know, applicable to what you're trying to accomplish? Right. That's the first thing is assessing the business, understanding what type of data they actually need in order to deliver services to the client. When you can minimize the amount of data that you're collecting, it really minimizes your risk from a privacy standpoint. Right. One of the other things is, especially on the privacy side, you want to be very mindful that you're doing with the data exactly what you say you're doing with the data. Right. Are you sharing it? If you are sharing it, you have to disclose who you're sharing it to, why you're sharing.
De'von Carter:
Do you have contracts in place with the people that you're sharing with to ensure that they're protecting the data appropriately? There are a lot of cascading effects and issues that can arise when you're doing third-party data shares. Right. You can ask Facebook or Meta and some of these other large platform-based companies that have gotten a lot of trouble and have spent billions of dollars in fines, you know, to remedy that. Right. So that's what I would say from a privacy perspective, understanding the data you're collecting, knowing where the data is going on, what you're doing with the data, trying to limit as much as possible the data that you need to collect for your business, especially if you're not in the data business. Right? Yeah.
Rachael Lyon:
Just dabble. Just dabble.
De'von Carter:
Yes.
Rachael Lyon:
I'm really curious about your perspective on. We've seen a lot of, in terms of legal implications, right. With data breaches and things like that. And we're starting to see more kinds of fiduciary responsibility potentially fall to boards of directors and things like that. Are you having more and more conversations with clients on this front, and kind of how are they trying to keep a handle on any privacy security gaps with legal implications? Are they just doing one incident plan response, response plan activity for a couple years, and leave it and forget it? Or do you see people being more active and trying to stay on top of all these things, kind of? What, what's your purview?
De'von Carter:
So there are a couple things, right? We talk about chief information security officers, chief security officers, and those people in those types of roles. Initially, I believe it was D&O insurance. They weren't covered under D&O insurance for if there was a breach. So they would have a lot of liability potentially if something bad happens. You're starting to see them starting to get covered under those policies. You're also starting to see CISOs take more conservative approaches in the way that they do security. Right. Because they understand that, hey, you know, I may be in jeopardy here if something bad happens. Excuse me.
[17:14] Incident Response, Legal Counsel, and Accountability
De'von Carter:
So that's, that's the perspective from the leadership. As far as the incident response and preparation, I am seeing an increase in people being vigilant and diligent about their incident response. One of the things that I always tell my clients is that even a bad plan is better than no plan. Right. You know, because, you know, the thing that happens when these companies get breached, they panic, they freeze, they don't think, they're just scared at that point. So having something documented to know who to call, that goes a long way in helping them to kind of get their bearings and start to the protection and discovery and recovery process and things like that. So I'm seeing a lot more around tabletop exercises. I mean, at a, I spoke at a conference, the Raleigh chapter, the Information Systems Security Association conference, a couple months ago, I did a tabletop exercise walkthrough for incident response.
De'von Carter:
From a legal perspective, one of the things that I really, really try to impress upon my clients is legal has to be involved, has to be involved. And, I recommend some, you know, some may get mad at me for this, but I do recommend external counsel for that. And I know that seems self-serving, but I promise you it's not one of the things companies run into when they have a breach, and they only use internal counsel. What ends up happening is a lot of the data collected becomes more easily discoverable should litigation happen, because it's hard to separate what was done for actual legal recommendations versus general business practice recommendations. Business practice stuff is discoverable, right? In order for privilege to attach, it has to be done for legal purposes and things like that. And so when you hire external counsel for the breach, there's automatically a legal implication brought that legal team in for that breach. So it's much easier for privilege to attach.
De'von Carter:
And why that's important is because it helps you to better tell the story or protect the story. Right. From a business standpoint, I can tell a much better story because I can protect what's getting out a little bit better. That makes sense.
Jonathan Knepher:
That makes sense. And so you suggest doing that early in the process of cleanup.
De'von Carter:
I suggest it's one of the first calls after you have designated the person who can say, yes, we are having a cyber incident, because you need to designate that person. You don't want just anybody being able to say, we're having a cyber incident. You want the main person that you have responsible, who has access to all the information, the data, who has the authority and knowledge to say, yes, we are experiencing a cyber incident. We will start our cyber, and our incident response plan will activate it. And at that point, yes, a lawyer should be one of the first people you call.
Jonathan Knepher:
Okay, so that's kind of the first thing. What are the other capabilities and other processes that should be in place as part of this plan to be on the ball when something happens?
De'von Carter:
Well, one of the things that the attorney will do is they will reach out likely to a third-party company that will come in and help with the forensic investigation. And not just the investigation, but hopefully stopping the attack. Because you're going to have your internal teams trying to do everything you can to stop the attack. And then you'll bring in external, your external counsel, bring in an external vendor that will, you know, help further that, that process and things like that. So those are the big things, communications, right? Making sure you have a process for determining what communications need to go out. Because the other thing, if you have a breach, the other part that legal is very important to is notifications. You take a regulation like NYDFS, the New York Department of Financial Services.
De'von Carter:
Right. I believe for the ransomware requirement for notifications, it's like 24 hours for if you make a ransomware payment. Right. So they, these things have to be considered. Right. And so I would say again, legal there is going to be important for the notifications, communications to your clients who are impacted. Right. Gosh, my mind is drawing a blank for a second.
De'von Carter:
You also want to ensure that your. I'm sorry, guys, I just completely lost my train of thought.
Jonathan Knepher:
That happens. What about on the technology side? What other capabilities should companies build into this process?
De'von Carter:
So one of the big things that companies get... Thank you for getting me back on track... Logging and monitoring logs have had a number of companies that have engaged me for different things. And you say, okay, we need somebody to go through your logs because that's going to literally tell us what happened and how it happened. Oh, well, we don't have logs. Okay, well.
Jonathan Knepher:
You need to have those logs.
De'von Carter:
I don't, I don't know what to tell you. So you know, generally we can do some things to try to pull, we can do some other things, but that gets more expensive. That's harder. Right. So, I would say from that, having on the technical side, making sure your logging and monitoring is in place, making sure you understand your capabilities from a backup recovery standpoint, particularly in ransomware. Right? The easiest way to get over a ransomware attack is, first of all, don't have one. But second of all is making sure your backups and your disaster recovery processes are sound. Right.
De'von Carter:
Because if you have immutable backups completely separated and segmented and have not been impacted by the ransomware, you can tell the ransomware guys to kick rocks. We'll just restore and recover, and we'll be okay. Right. And so that goes a long way. So from the technical side, I would say those things would be key.
Rachael Lyon:
How many of the incidents that you're seeing are kind of insider risk-driven? That's kind of like my new favorite topic. It's come back since 2018, but I'm really curious, kind of like what you're seeing on the ground.
De'von Carter:
So that's a loaded question, right? Because it's versus it's malicious insider versus, you know, accidental.
Rachael Lyon:
Right.
De'von Carter:
Accidental, right. And so at some level, most of these things are insider-driven because an insider probably did something they weren't supposed to do, whether maliciously or accidentally, it's caused a breach. So I'm still seeing a lot of stuff accidentally. Right. I'm not seeing a lot of malicious insiders. People did something for the purpose of causing the breach. Does that occur? Yes, particularly in companies where they're doing a lot of research and development, a lot of trade secret-type stuff, those things. Yes, that you may see some things like that, but for the most part, it's still accidental.
De'von Carter:
You know, the thing is that bad guys only got to be right once. That's right. They gotta try to be right all the time. And it's really, really hard to do that. So, you know, my mantra is, you know, the buzzword zero trust. Right. Treat everybody like they're a risk or they're a threat text. Understand what's going on, what they're doing.
De'von Carter:
Make sure you're doing authentication and authorization for everything that they do at all times. There should never be a time where they don't have to authenticate or be authorized to do something within your, within your network. Why are you doing that? Is it a pain? Absolutely, it's a pain. It can be very, very cumbersome. However, you strengthen the security posture, and you take the onus off of your individual employees. Right. Because that's, that's ultimately what you want to do. You know, employees are going to click the link at some point.
De'von Carter:
Okay, well, make sure they don't have the permissions that, when the link is clicked, that gives the bad guys administrative access. Right, Right.
[25:42] The Same Attacks in Different Wrapping
Jonathan Knepher:
So in your experience, right, we've talked about ransomware, we've talked about insider threat. What are the biggest threat vectors or incident types that we need to be kind of prioritizing as we secure our environments?
De'von Carter:
I'll be honest with you, I was just speaking with somebody about this a couple of weeks ago, and somebody put out an article about how AI was impacting threat vectors and so on and so forth. And the thing that struck me as I was reading through this article, they're the same attacks with different gift wrapping. Very true. Right. So what I'm looking at, I'm like, they're just using AI the same the way that we should be using. It's just an efficiency mechanism. They can do it faster; they're more efficient. You know, they might need fewer people to actually perpetrate the hack or the breach.
De'von Carter:
But, but, you know, it's not, it's not a whole lot different that we need to be doing, right? The attack vectors are still the same, still going after the individuals. The individuals are most easily gotten after via emails. Right. AI has helped bad guys a lot. In that language is more clearer. They're easy to, excuse me, hide things a lot better. Instead of seeing misspelled web links, they'll change the font in the web link to a very relatable, very closely related font. So it changes like you're seeing those types of nuance, types of changes, but it's still the same type of attack, right?
Rachael Lyon:
Well, if it works right, why stop?
De'von Carter:
Well, again, you go back, and you look at the OWASP top 10, right? There's still some of the same attack vectors that have been here for the past 10 or 15 years, or however long that report's been coming out, right? So it's because it works.
Jonathan Knepher:
So on the AI topic, right, it's been in the news, there's lots of questions on how AI is going to be properly regulated. What's your take on kind of the whole AI regulation complex compliance issue and how that will affect both us protecting our environments, and to your point of like the adversaries using it to accelerate their poking and prodding and attacking our networks?
De'von Carter:
Well, if they can use it to be more efficient in attacking us, then we should be able to use it to be more efficient in identifying and detecting attacks, right? So that's what I would say from an AI perspective, security, right? We should be utilizing AI more for security, orchestration, and response type things, right? So that we can automate those processes, so that we can see those triggers, we can see those threat vectors that people are coming after, and being able to respond more efficiently. So I would say that's the big thing for AI, but for AI as a whole, one of the things that concerns me, and I was just speaking with someone this morning about this, AI is very, very good. We have to be careful societally to not allow AI to make us dumb.
Jonathan Knepher:
Yes.
De'von Carter:
Okay. And so, you know, I've been trying to talk to people like, hey, your security team, you should have a week where they can't use any tools like rotate them around. They have to go old school. They have to still be able to think logically through a problem, tie the different types of vectors together, discover a compromise, and execute a response plan. Like, you have to continue to exercise those muscles. And what I worry is that we become too heavily dependent on AI, that it's going to cripple us in the future. Right.
Jonathan Knepher:
So, yeah, and I think it's scary, too, just how convincing AI can be even when it's wrong.
De'von Carter:
Right.
Jonathan Knepher:
And I think that comes down to exactly what you're talking about. You've got to keep your skills.
De'von Carter:
Oh, absolutely. You know, I'm a law school professor. I teach data privacy law. And so one of the things that I also, you know, impress upon my students, you can't take shortcuts. You still have to know how to, how to think through these things. You have to still know how to write. Stop asking. Copilot.
De'von Carter:
ChatGPT. You're, you're so great at prompt writing, but you can't write a paragraph. That does not help us. So, I'm sorry, I'm going on a tangent.
Rachael Lyon:
No, no, it's, it's something that, you know, Jon and I have talked about as well. I mean, it's a real fear because let's, I mean, let's be honest, human nature is to default to the easiest option. So it's like you actually kind of have to make yourself to your point.
De'von Carter:
Right?
Rachael Lyon:
Kind of like force yourself to just put that, put down the AI, right? Walk away, go do something else with your hands or whatever the case may be, you know, but how do you, I mean, how do, how do we get people to actually do that, De'von?
De'von Carter:
Well, we have to, you know, companies, they're your employees, they work for you, right? You can put policies in place, you can put, you know, things in place to ensure that they are doing this regularly. I'm not saying you take the tools away from everybody at once. That would be silly. But rotate, separate rotations of duties, right? Swap people around, put them in different responsibilities that will force them to have to think, activate those, those brain muscles again that they haven't been using for a while, because now everything is seen in, you know, Splunk and this SIEM and that SIEM and, you know, everything is tied together automatically. They're losing their focus. They're losing the skills.
Rachael Lyon:
That's a good point. So I'm always also curious to talk about. We talked a little bit about regulations, but, you know, as. As you look at the landscape, how should companies be thinking about kind of maintaining the right security baseline, you know, across states, across countries, across the globe? It seems like it's getting more complicated. Is it? Yeah, I mean, I look at, like, there was that YouTube article. I guess YouTube had a $10 million fine. You know, this is kind of tangentially related to mislabeling videos.
Rachael Lyon:
Right. And, you know, I'm not saying that's just, you know, maybe there was a new regulation that came on board that they overlooked, but it's. There's so much out there. How do you, like, how's the business supposed to move forward and make sure they're doing all the right things?
De'von Carter:
Well, I mean, honestly, you know, selfishly, it's good for me. So from that standpoint, you know, the complexity does certainly help, you know, us practitioners out here in the world working. But, I mean, you're right, it's more cumbersome. It's a lot of work, and you have to have people dedicated to try to work through that stuff on a regular basis. I would say what a lot of companies are doing is they're finding the strictest law and just saying, okay, we're going to adhere to this law and just hope and pray that that makes us good everywhere else. And so I'm not going to say it's necessarily a bad thing, but at the same time, there's a risk there. What if you are introducing, you know, a lot of controls and work that you don't need to do, the administrative overhead then becomes, you know, more than is, you know, whatever business you were going to get. So, you know, I had.
De'von Carter:
So I'll tell a quick story. I had a legal client. They got a notice, somebody coming after them for a violation of a privacy law. Right. Now, they didn't know they were in violation of the privacy law. Right. But what ended up happening was the client was like this particular state that the people were coming after. They weren't making any money in that state.
De'von Carter:
When they looked at the books and their response was, hey, De'von, can we just. Should we just geofence this state and just like, not allow people from that state to gain access to our website? Now, that seems pretty extreme. Pretty extreme. But at the same time, you know, if you look at it from a business standpoint, like, look, if I'm only making a couple of bucks from you and it's gonna cost me $100,000 to defend against this case, I just would rather not have you guys be clients. You're not clients anyway. Right. And so for smaller businesses, that may make sense.
De'von Carter:
Right. So I'm not gonna say it's just, oh, that's dumb. That's crazy. No, it's, it's a, it's a business decision. If you've been in business for 10 years and you're not making any money from that state and it's gonna cost you a few hundred grand, maybe I can do without them. Right. And then maybe that will start moving the needle as far as, you know, legislative-wise, when they start seeing their citizens being impacted by, hey, your laws are such that you create too much legal risk for companies to function here. Right.
De'von Carter:
And so maybe you need to adjust a little bit to free things up. Right. So that's my.
[35:36] How Do We Get Good Security, Good Privacy, and Free Business?
Jonathan Knepher:
So how's that overall, though, like both what companies should be doing and what should lawmakers be doing? Right. Because there's, there's a lot of value of having laws more local. But to your point, like, there's this complexity of like all this patchwork and like, just where's the outcome where we get good security, good privacy, but business is still able to do business?
Rachael Lyon:
Yes.
De'von Carter:
Yeah. I mean, I think, you know, the current administration and every administration for years have been trying to kind of figure out that balance. There's a middle ground. I just don't think we know what it is yet. Maybe at the federal level, we put some key baseline requirements in, and then you still maybe allow the states to go or do things up to a certain point. Right. But without any type of overarching privacy regulation or regulatory requirements from the Fed, it's really tough. We're going to continue to have this.
De'von Carter:
What was interesting to me, what was it? I guess back during the summer, the administration tried to put in an AI law that would block all states from being able to form their own AI laws. But it got blocked because the states were like, you know, Congress, and everybody was like, well, wait a minute, we're not, we don't have a law in place. We can't tell the states that. They can't. That doesn't make sense, right? We still have to protect the people at some point. Right? Especially when you start talking about more and more reliance on AI for decision-making. Right. Employment decisions, medical decisions, this decision, that decision, whatever decision.
De'von Carter:
Right. That stuff has real impact on people. And the states who are local and close to the issues for their state should be able to make laws and make decisions that they feel best protect their citizens.
Rachael Lyon:
It's a tough one, though, right?
De'von Carter:
It's very tough. I know that's not an answer, but it's just, it's not gonna be clean. Somebody's gonna be upset. It's probably a good law when everybody's upset. So, you know.
Rachael Lyon:
So how, I mean, from your perspective, though, if we were to say, you know, we really, really, really need a federal law to come online, so at least we have some baseline coordination across states, you know. But how soon would that need to happen? You know, I mean, it's. We're not really there yet. I know it takes a lot to get things through, particularly find consensus on these kinds of themes, you know, but is there kind of... Do you feel like a ticking clock of, man, we really got to figure this out in the next three years or whatever the case may be?
De'von Carter:
Well, I think I would love to see something within the next three years. I don't suppose I'm going to see it within the next three years. So, you know, the current administration, they kind of bounce back and forth between, you know, a lot of regulation and no regulation. They really don't have a middle ground thing from what I'm seeing from them. And so I just don't think there's an appetite for it. So it would help if we had a federal regulation to come online. But then there's a question of preemption. Are you going to block all the states and say that this federal law is going to take the place of that, or are you still going to allow states to have some autonomy, to get stricter and so on and so forth, then you're still in kind of the same situation because the states are almost always really very, you know, bipartisan legislature, things like that.
De'von Carter:
It's always going to be states who want to be more stricter, more strict than others, or stricter than others, or, you know, looser than others. It just really is going to depend on the state. And now you have a situation where you're. You're still in the same place.
Rachael Lyon:
Right, right.
De'von Carter:
Except now you got a federal law to be concerned about, too, right?
Rachael Lyon:
So what are your thoughts? I was just reading it. Before we got on the, on our call today, I was reading some articles, and I guess it was in what, Louisiana, their ethics board was asking for like an exception for elected officials and data privacy laws. And you know, so that kind of adds like the next layer of okay, well then who gets a free pass?
De'von Carter:
Right? Well, I mean, you know, for, I mean, we don't really value our data the way we should. Right. Our personal data, we give it away far too easily. And I'll be honest with you, that genie's long out of that bottle. Like, yes. I don't know that there's anything that's going to happen that's going to allow us to reclaim the power of our data. Because it is everywhere. Right.
De'von Carter:
The EU, I think they obviously have a, they seem to have a better handle on it, just being perfectly honest with you. They seem to have a better handle on it as far as protecting people's data. But some of their stuff, some of their rules are becoming too heavy-handed. I feel bad for small businesses there. Right. One of the things, you know, that you run into is that now you make the big platforms in Europe even stronger and bigger because now the small businesses have to depend on the big platforms to help them to become compliant. Right. So it's just a hodgepodge of mess.
[41:10] De'von Carter's Career Path and Advice
Rachael Lyon:
It really is. So I do want to, I am cognizant of time, and I want to respect everyone's time today. But I love to ask the personal question, as Jon knows. So, you know, starting off as you know, on the engineering side and then making your way to legal, I'm always kind of curious of that catalyst moment when that happened. And then part two question is, as an attorney with that cybersecurity background, is this something that should be mandatory for everyone going through law school?
De'von Carter:
Right.
Rachael Lyon:
That they have these kind of understanding of, you know, how cybersecurity works, the technology. Right. And then how do you place law on top of that?
De'von Carter:
Wow, that is a great question. So the first part of that question, as far as me personally, my background, you know, if you ask me what I wanted to be when I grew up as a little kid, I would say I wanted to be a lawyer and a comedian. Oh yeah. I don't know where the comedian came from, but a lawyer and a comedian, my mom used to keep me watching Matlock, Perry Mason. Perry Mason was long before my time, but they played reruns, and we just would watch when I was a very small child. And so that always struck a chord with me. The problem that I had was my high school grades said more comedian than lawyer. So technology always came easy to me.
De'von Carter:
And so thank God I got into college, which was hit or miss, but I got in, and I went with technology. But honestly, I always wanted to be an attorney. I have many family members who are attorneys. I have an uncle that was a judge. So it's just a family thing, I guess. Maybe it's genetic, I don't know. So that's kind of how I, you know, I went to a cyber security meeting. A gentleman there happened to be an attorney, and he literally talked me into taking the LSATs.
Rachael Lyon:
Really?
De'von Carter:
Wow. Yeah. Talked me into taking the LSATs and told me I could do it. And he was very encouraging, and later found out he was a member of my church. I didn't even know he was a member of my church. So it was just a weird bunch of coincidences that kind of worked out. So I thank God for that. Second part of your question, I have a little experience with this because I actually taught a Security+ course at law school.
De'von Carter:
In a law school. It was the first one ever offered in the law school, and they just wanted to see how it would work. Well, we'll say mixed results because Security+ can get pretty in-depth in some areas, technically. And those. Those kids weren't tech. So I would say there should be some level of introduction to cybersecurity, at least the terms and concepts. Right. In addition to.
De'von Carter:
Everybody should take a data privacy course. Right, right. Because it is so much of an. It's just such an issue, and it's going to continue to be an issue moving forward. So I would say, yes, they should definitely be a part of the curriculum. I believe they should be mandatory. Now, whether that happens or not, obviously, I won't know, but that's my opinion. I think it should.
Rachael Lyon:
I think that's a. I'm feeling like a great opportunity here for you, De'von. Like maybe writing a book or setting some. Setting some standards for how this could move forward in the community. I don't know.
De'von Carter:
I'll think about that. Awesome. You help me write it, and we can do something.
Rachael Lyon:
Absolutely. Well, that's ChatGPT, right? That's all we need.
De'von Carter:
There you go. We're done. Yeah. Woohoo.
Rachael Lyon:
All right, well, thank you, De'von. This has been a wonderful conversation. Thank you so much for sharing your perspective and insights with our listeners today.
De'von Carter:
No, thank you for having me. It's truly an honor. I really appreciate you.
Rachael Lyon:
Wonderful.
De'von Carter:
Thank you.
Rachael Lyon:
And I'm going to give, De'von, you ready? We're going to give drum roll to Jon.
Jonathan Knepher:
Oh, smash that subscribe button.
De'von Carter:
And you.
Rachael Lyon:
Get a fresh episode every single Tuesday. So until next time, everybody stay secure.
About Our Guest

De'Von Carter, Compliance Director, TRUIST
De'Von is a leading cybersecurity expert specializing in privacy law, risk management, and security solutions. With certifications including CISSP, CISM, and CIPP/US, he advises a wide range of clients—from government agencies to multinational corporations—on protecting critical information and ensuring regulatory compliance.
Throughout his career, De'Von has successfully led initiatives such as developing incident response plans, conducting vulnerability assessments, and implementing secure network architectures. His ability to tailor strategies to each client’s unique needs has made him a sought-after consultant and trusted advisor.
As President Emeritus of the ISSA Raleigh Chapter, De'Von helped grow its annual conference into one of the largest cybersecurity events in the Southeast. A recognized speaker and advocate for cybersecurity education, he remains dedicated to helping organizations address