Brian Vecci, Field Chief Technology Officer of Varonis, and Rizwan Jan, the Chief Information Officer and Vice President at CNA Corporation, take center stage at RSAC 2025 for an in-depth exploration into the evolving landscape of data security. Accompanied by Jackie McGuire, a principal analyst at theCUBE Research, this discussion reveals key insights from leading industry experts.
In this video, Vecci and Jan share their extensive expertise on securing sensitive data amidst growing technological complexities. With insights from McGuire, the discussion addresses crucial topics such as the importance of understanding an enterprise's data landscape, the challenges faced by cybersecurity teams, and the significance of data classification in today's AI-driven world.
One of the salient takeaways from the conversation is the necessity for companies to shift their focus towards visibility and automation in data protection. Vecci notes that organizations often underestimate the vastness and vulnerability of their digital assets, underlining the need for enhanced data governance. Jan further emphasizes the importance of understanding an organization's "crown jewels" and aligning cybersecurity strategies accordingly.
Rizwan Jan, CNA Corporation & Brian Vecci, Varonis
Rizwan Jan
Vice President & CIO, CNA Corporation
Brian Vecci
Field CTO, Varonis
Brian Vecci, field CTO at Varonis, and Rizwan Jan, VP and CIO at CNA Corp., join theCUBE Research’s Jackie McGuire for a conversation on the future of data security. Their insights go beyond buzzwords, breaking down what truly matters in a world shaped by AI and expanding attack surfaces.
Together, they explore how organizations must rethink their approach to sensitive data. From improving visibility to embracing automation, the dialogue touches on critical strategies for navigating modern cybersecurity challenges. The discussion touches on actionabl...
Jackie McGuire
>> Welcome back to RSAC 2025. This is Jackie McGuire. I'm the Practice Lead and Principal Analyst for Security at theCUBE, and we are live. I am joined by guests, Brian Vecci and Riz Jan. Thank you for joining us, guys. You have a very interesting position of Varonis. We were just talking about all of the different, we have a list of 20 things to talk about and I was like, "Come to think of it. We're going to get to maybe half of these and some of them are really juicy." So, welcome. Thank you for being here today.
>> Thank you.
Jackie McGuire
>> So, I guess, first, let's start with intros. So, if you guys wouldn't mind introducing yourself. Riz, we'll start with you.
>> Sure.
Jackie McGuire
>> Tell us what you do and what you're excited about at RSA.
>> I'm Riz Jan, I'm Vice President and CIO at the CNA Corporation. So, we're in the national security field and what I'm most interested about here at RSA is just networking, meeting people, and seeing some of their pain points and makes me feel better because they share mostly the same pain points as I do.
Jackie McGuire
>> Misery loves company. That should have been the title for RSAC '25.
Brian Vecci
>> You're not wrong.
Jackie McGuire
>> Yeah. And Brian, why don't you tell us about what you do at Varonis?
Brian Vecci
>> So, my name is Brian. I'm the field CTO at Varonis. I've been here about 15 years. We're a software, we're a security company. That's what we do. We sell software. So, I'm here to network, listen to pain points, tell stories, and hopefully, sell some software. That's what we do.
Jackie McGuire
>> That would be great.
Brian Vecci
>> To be perfectly candid and honest, that's what we do.
Jackie McGuire
>> So, I met with Matt yesterday to talk about his keynote, which is about getting gamers into security. So, hopefully, when the gamers hear his enthusiastic endorsement, lots of them will buy your software.
Brian Vecci
>> I certainly hope so.
Jackie McGuire
>> All right, so we have a few things here. You guys actually brought up an interesting thing that we used to say when I was at Cribl as well, which is data is the new oil. And so, I think data in and of itself is kind of a currency and a lot of data brokers have been trading in this currency for the last 20 years, but now, we're starting to see that companies now with AI and what makes or breaks your deployment of AI is the data that you have to weaponize it with. So, can you tell us, Brian, a little bit more about what you mean when you think about data as the new oil? And then Riz, afterwards, I would actually also like to understand how you think about data from your perspective because you're in a little bit of a different perspective and you deal with, I think, significantly more sensitive data.
Brian Vecci
>> Yeah. I look at it this way. Nobody breaks into a bank to steal the pens. They're after money. So, data is what a threat actor is after. If you're an insider threat, if you're an outside attacker, we talk about ransomware and cyber attacks. What gets held for ransom? Data.
Jackie McGuire
>> Yeah, yeah.
Brian Vecci
>> So, when we say data is the new oil, what we mean is of all the digital assets that enterprises have, data is what's most important. It's also what they have the most of and they know the least about. It's very difficult to protect something when you don't know what you have and where it is, and I'm sure we'll get into that, but data is what is valuable from a digital perspective. And you said it yourself, you want to take advantage of AI workloads, you want to monetize the data that you have, you need to know what you've got, and need to protect it.
Jackie McGuire
>> Yeah. And Riz, you deal with a lot of highly sensitive oil. So, how do you think about, so I guess one of the things that I've heard quite a bit the last couple days is shadow AI is the new shadow IT and that you can't even protect things that you can't see. And so, a lot of these places, we have people drilling holes of oil that you don't even know they've drilled, and so when someone else comes along and drinks your milkshake, as they say, in No Country for Old Men, you don't even know that you had a milkshake to drink. So, Riz, you have tons of sensitive data. What do you do to make sure that you don't have shadow data and nobody drinks your milkshake?
Brian Vecci
>> Yeah, yeah, we do. We work in a classified environment and then outside of that, we have a lot of sensitive data too, but you got to understand what your crown jewels are. There's a great, great story about UnitedHealthcare that happened last year in 2024 when they got hit by that ransomware attack and they ended up paying $22 million just to get their data back and then two point plus billion for reputational harm and to help their subsidiaries out and crushed 142 million Americans with their healthcare data. So, understand what your data sets are, take the AI out of that first, get your classification, your data classification in order, then you understand what you're protecting. And then from there, yeah, you could do all the fancy stuff with AI and all the next-gen technology that's coming out right now, but understand your data set first.
Jackie McGuire
>> Are you saying that enterprises are sitting on dirty data? Don't all enterprises have their categorization and classification dialed in?
Brian Vecci
>> You would think. You would think because these little things-
Brian Vecci
>> I would think that, who trusts the users actually label and tag data.
Jackie McGuire
>> I didn't invent the term, but I do frequently use the term data swamp, which is what happens when you let a data lake fester for too long. You end up with a data swamp. And so, I guess when you think about this shadow data and crown jewels, how do you go about figuring out what those are and then how do you prioritize how you're protecting that data?
Brian Vecci
>> Well, I'm going to tell you a story that illustrates what happens when you don't. So, I met the AI security, I don't know what her actual title was, the AI security person from one of the big banks and they wanted to test how valuable something like Copilot was, Copilot being ChatGPT for all of your emails and files and everything you've got access to. And so, if you've ever worked for a bank, you've ever been in IT for a bank, the people that get the most love are the traders. They have nine monitors, they've got the latest phones, the latest laptops because if you can make a trader more productive, even 1% more productive, the bank will make more money in theory. So, they gave Copilot for 365 to one of these traders and this trader being a smart person, asked a question that he thought it would help him in his research. What stocks do our employees invest in? Figuring somewhere someone has written a report, I'm going to get a couple of paragraphs summary and that'll help me in my day. Instead of getting a couple of paragraphs summary of a report, he got tables of employee names, socials, account numbers, and their 401k positions. And it's not because Copilot gave him access to some financial system that he wasn't supposed to have access to or he was an insider threat or he had broken into something because just somebody somewhere had saved a spreadsheet, stuck it in the team site, shared that with the distribution list, and inside that distribution list was everyone except external users. So, everybody in the bank had access to this data. To your point, almost every company has a giant data swamp and they have no idea what they have and where it is and it's the unknown unknowns that are going to kill you, especially when you give people the greatest information retrieval tool ever. Now, I see this at banks and manufacturing companies and insurance companies. You got to deal with this all the time.
>> Yeah, deal with it right now. And that's one of the issues too is the business actually puts all the burden on the security staff and the security staff doesn't know the business' data and know what their crown jewels are. So, there's that disconnect. Historically, most cyber people are introverts, so they don't even want to leave their cube. Don't get in their basement. They don't even want to leave. The only reason they'll leave the basement is to get pizza.
Jackie McGuire
>> That's why I make the big bucks because I'm autistic and a people person.
>> Right. Exactly. Exactly. But you got to be able to first understand the data and have those conversations, then you could go from there. But that's the-
Brian Vecci
>> You ask the question, where do folks start? Most security teams don't even know what they don't know, and you can't just say, "Well, the business will tell me," because of course, they won't. It's a lack of visibility, it's a lack of telemetry, and then it's a lack of automation. How big is your team and how stretched thin are they? I'm saying the royal you, all of us that have security teams, nobody has enough time and people to go chase down every alert, to go look at every control, to prove that every control is correct. So, it's visibility and automation. At least that's the way we come at it. Yeah.
Jackie McGuire
>> Yeah.
Brian Vecci
>> 3.8 million jobs in cyber that you can't fill because of talent shortage. So, it's not-
Jackie McGuire
>> It's not a shortage, it's a gap.
Jackie McGuire
>> There you go. Yeah.
Jackie McGuire
>> It's a gap because we need people with experience and we have a whole bunch of people fresh out of boot camps in college, but we have no way to give them the experience...
>> I like experience, yeah....
Jackie McGuire
>> Without putting things at risk. I do want to make a small correction because I have a wonderful production team who informed me that I misquoted. I drink your milkshake is actually from There Will Be Blood, not from No Country for Old Men, but it's in relation to oil because he's basically talking about drilling into somebody else's oil pocket. So, I want to talk about data misuse because you draw a distinction between data breaches, which is where data is actually extracted and just data misuse in terms of, so can you tell, Brian, what is data misuse and then how does that compare to data breaches?
Brian Vecci
>> Well, as you said, a data breach is when it's right there in the world. It's been breached. Data has been exfiltrated by an unauthorized party. What's interesting is a lot of the new, in security, it's easy to harp on regulations. It's easy to harp on the galaxy of acronyms, whether it's SOX or HIPAA or PCI or GDPR. But what a lot of them are saying these days is the data doesn't have to actually be stolen in order to notify that something went wrong. NYDFS says if data is even accessed by an unauthorized third party, if it happens to be accessed and encrypted, even if it's not stolen, you got to notify someone that their data has been misused, even if it's not lost or stolen. The hard thing for a lot of enterprises these days, and again, it goes back to visibility, what data do they have and who is actually using what and is it authorized or not? In security, it is often easier for things to fail open. It is easier to leave the doors open and not break anything. Rather than be a bull in a china shop, go and lock everything down, and then hope nobody calls you up screaming saying, "Why can't I do my job?"
Jackie McGuire
>> That's how you end up with management interfaces exposed to the internet because it's easier to expose that snowflake database to the internet than to get a pissed off call from somebody in the executive team that they can't access that information.
Brian Vecci
>> Exactly. Exactly.
Jackie McGuire
>> Yeah. Awesome. All right. We're going to have to wrap up pretty soon. I think you guys have a really busy day. So, I want to ask, what's the one thing people aren't talking about at RSA that you wish they were?
>> I think we touched on this last night a little bit, too. The computational compute that's being stolen from everybody. A couple of years ago in my previous organization, we got hit by North Korea and they were mining crypto on our devices and our performance just went down the tubes and that's when we were Varonis up. We had to call Varonis up and they came in and did some good forensics work on our BF. But those are one of the things that no one's really talking about at RSAs; ransomware, all this stuff, but the compute power that's just being lost. It's stunning.
Jackie McGuire
>> Yeah. I actually had a friend who found adult material being hosted on a government website.
Brian Vecci
>> Scandalous.
Jackie McGuire
>> Yeah, because if the government will pay to host the videos, it's a lot cheaper than paying yourself. Yeah.
Brian Vecci
>> My tax dollars going to host pornography.
Jackie McGuire
>> I know. The great CUBE content everybody tunes in for. So, what about you, Brian? What do you think people should be talking about?
Brian Vecci
>> And this is going to be self-serving, but we focus in security. If you think about security as layers of an onion, you have controls at the perimeter and there are the great endpoint providers everywhere. You have controls at the identity layer, you have controls at the physical perimeter, the data center or the virtual perimeter. You've got CASB and those technologies, but it's all in service of protecting data. And going back to the first thing that we talked about, it's companies don't really know what they have and where it is. They don't know what's important, what's not. They don't know. Especially in a world where everything is connected together, you've got data in prem, you've got data in the cloud, you've got data in files and databases and applications that are all connected together by design and everything fails open. Companies really need to focus on what investments are we making to protect their oil, to go back to the metaphor that we started with. That's what's valuable, data's what's valuable. Nobody breaks into your systems to steal configuration files. They're after data. And without the visibility and without the automation, companies really struggled to protect it because that was way too much. You said one thing, I think I gave you five.
>> Configuration files, they want to steal too because they're probably wrong.
Brian Vecci
>> Yeah, probably wrong.
Jackie McGuire
>> Yeah. I was joking with somebody that I found out a vendor was compromised and I was like, "That actually might be good for national security because their tech stack isn't great." So, if the hackers start using it might not be a bad thing. It might slow them down.
Brian Vecci
>> What's funny is we used to have, especially when it came today to the ostrich defense. If I don't know about it, I don't have to fix it. The attackers, the bad guys are going to get there before you do.
Jackie McGuire
>> Yeah. Plausible deniability. Well, thank you so much, Riz, Brian. Really enjoyed having this conversation with you. We'll try to find you at some of the after hours events, so we can continue our less on-the-air appropriate conversations from before the video.
Brian Vecci
>> Everybody be good.
Jackie McGuire
>> Thank you much. Yeah, everybody behave yourselves tonight, but thank you so much for being here.
Brian Vecci
>> Thanks for having us.
Brian Vecci
>> Thank you
Jackie McGuire
>> For theCUBE, I'm Jackie McGuire at RSAC 2025. We are live and we'll be back after a short break with more insights. Thanks everybody.