
David Spark
Biggest mistake I ever made in security. Go.
Leslie Nielsen
Oh, man, if I could only think of more than one. But I had a brilliant jerk working for me a few companies back. And the biggest mistake I made was letting him hang around, be toxic to the other people. And then sadly, when I left the company, he became somebody else's problem and they had to get rid of him.
David Spark
It's time to begin the CISO Series podcast, recorded in front of a live audience in New York City.
Thank you everybody, and welcome to the CISO Series podcast. My name is David Spark. I am the host of this show, but joining me as a co-host is the man who is sitting to my immediate left. And that is Matt Southworth, who is the CISO over at Priceline. Let's hear it for Matt.
Matt Southworth
Hi, David.
David Spark
Thanks. All right, that's Matt's voice. You'll hear a lot more of it later. I want to mention our sponsor today. It is Mimecast. Email and collaboration secured by AI. Block advanced human threats that legacy security misses and reduce human risk across your organization. We are in a beautiful theater here at Mimecast Elevate, which is a conference that Mimecast is putting on mostly for their customers. And I also want to introduce who our guest is. I'm going to bring this person in early, the person sitting to our far left over here, the CISO over at Mimecast, Leslie Nielsen. Let's hear it for Leslie.
Matt Southworth
Woo hoo.
David Spark
Say hello so people know the sound of your voice, Leslie.
Leslie Nielsen
Hello, people. I'm Leslie Nielsen. Glad to be here.
David Spark
All right, I have an opening question before we jump right into the show and it is the following. I'm assuming you have seen Sora, this new video creation app. Yes. You've seen it, Matt.
Matt Southworth
I have seen it.
David Spark
You have seen it. Here's my question. You are in security. Everyone in this room is in security at some level. I had some friends who were playing with it, showing us all these videos they made, laughing their heads off, and I could only look at it in horror of, oh my God, what is this going to bring? So my question to you two is, is it conceivable a security professional can actually enjoy the Sora app? Or is it impossible because we see what it's going to do? And for those people not aware, Sora is this new AI video generation tool that allows you to create unbelievably realistic videos of yourself doing different things, and of other people you know as well. So what do you think? Is it possible for a security professional to enjoy it, or no? We see too much horror in it.
Matt Southworth
You've got to wake up every morning as an optimist, David.
David Spark
Okay. And so you hold it. Do you enjoy it or can you enjoy it?
Matt Southworth
I can try to enjoy it. No, it terrifies me.
David Spark
It's terrifying. It's completely terrifying.
Matt Southworth
Yeah. You've got to try to pry out what's positive about this. Right. How do you make an impression on someone?
David Spark
My friends were laughing, but it's like a zombie attack. We see it's coming. Like we can't avoid it.
Leslie Nielsen
You gotta enjoy it. And what you gotta do is you gotta lean into it. We had a great bearded baby talking about application security on an internal video for our Cybersecurity Awareness Month. These things are good. Use it and show people and then talk about the fear. Because the reality is deep fakes are there and they're only going to get worse or literally better, but worse. Good point. Good point. Well, eventually you're going to see yourself and wonder if that's you. That's when it's really bad.
David Spark
What works, what's not working.
People who automated a bad process ended up with a bad automated process rather than an improvement. Sometimes they ended up in a worse place. The tool faithfully and beautifully executes the underlying brokenness. Now that's Anton Chuvakin from the Google Cloud Security podcast, encapsulating what many organizations learned the hard way. If you buy that fancy SOAR or SIEM, you'll automate your corporate dysfunction at machine speed. Chuvakin argues that process is gravity, always pulling technology back into old, broken workflows. So my question. I'm going to start with you, Matt. Is there a way to assess whether your processes are ready for a new tool? And we want tools to fix processes, but as Chuvakin argues, they'll amplify your mistakes. Does the prospect of AI agents, and I'm throwing this in also, offer the possibility to escape this process gravity? What do you think?
Matt Southworth
I think I've seen this 100,000 times where something's broken and you hope a tool will fix it for you. And that's not it.
David Spark
Right.
Matt Southworth
The processes are an expression of the organization's priorities. And if it's a broken process, that's because it hasn't been prioritized. You can throw an LLM at it. It could make it better. It could be like adding an intern to it, but it's not going to change the organization's priorities. Right. You're still expressing that the organization isn't investing here yet.
Leslie Nielsen
Yeah, I'm totally with you on that, Matt. And the bottom line is you just got to take a step back on processes. What's your as-is, what's your to-be? And the challenge with that is you got to figure out that miracle in the middle. And candidly, that's what we're supposed to be.
David Spark
Right.
Leslie Nielsen
But people are starting to think AI is going to be that miracle. You can't fix what's broken if it's just so horribly broken that it can't be automated, outsourced, redone, relooked at, even evaluated. Look at a maturity model, look at the best way to do it, but get it documented, figure out what it is, and you're going to find processes that you're dependent on that you may not even know you have in your company.
David Spark
Well, is there a situation where you're not seeing the brokenness? Maybe you need a tool to expose it, and then you, like, reel back, okay, let's fix this. I mean, I'm assuming you've all had situations where you did implement something and something literally went awry that may have been, like, simmering underneath.
Matt Southworth
We never knew that this person was turning this dial twice a day, every day, to keep the whole business running. Right? Yeah.
David Spark
So it was, like, Lost, about, you know, clicking that button every few minutes. Exactly.
Leslie Nielsen
Yeah. Yeah. And on the technology side, it's, you know, feeding SIEMs and things like that. It's, you know, you say, hey, we need to track this process, and then you turn it on. Then all of a sudden, you know, you're giving Splunk way too much money. If I can say Splunk, all of a sudden, things are going horribly wrong, and you have way too many alerts, et cetera. But, yeah, you can actually, just by looking at them and getting through, get some good metrics on just how bad it is and how much noise it's generating.
David Spark
So, okay, so an argument, sort of. Not against what Anton's saying here, which you're both very much agreeing with, but having that tool to expose it actually helps you see the brokenness, too. There's value to that.
Matt Southworth
Of course, if nothing else, it's a dumb person to have a conversation with, which will make you completely explain what you're trying to accomplish. Right. And again, if you can teach someone how you do your job, that's when you truly understand it. And an LLM is the same way. Right. If you can get it to repeat back to you what you're actually trying to do, then you understand the process.
Leslie Nielsen
Yeah, Yeah, I couldn't agree more on that. And the bottom line, people are afraid of AI and they're afraid of defining what they do for their job because they think AI is going to replace them. So even getting them to define the process to get it down. But take a look at it, use whatever tools you can, throw it up against the wall, tabletop it, do all the exercises that you have to be able to just see what's going on and see if you can break it and see what can be improved.
David Spark
All right, quickly both of you, have you implemented any AI tool or a tool that's been AI enabled that has improved a process, shown a broken process, just like anything, sort of that made a process better or exposed it?
Matt Southworth
Absolutely. Every PR we do, every pull request in our code repo is run by an LLM and it looks for things like secrets and bad code. And it's not perfect, but it expands what the engineers can look at and flag something that might have otherwise passed through.
Leslie Nielsen
Yeah, lots of different things going on. One of the things we're most proud of is just enriching data with AI from the perspective of being able to. The faster you can respond to an alert, the faster you can get at something bad that's happening, the better off you are. And we've been using AI to just enrich alerts, IOCs, et cetera.
David Spark
Is this really the right strategy?
Quote: "Your roadmap won't matter if no one's willing to walk it." That's Will Klosofsky of Appalachia Technologies on the trap that bull-headed tech leaders fall into: being the, quote, "this isn't that hard, why don't you get it?" tech a-hole will result in projects stalling. I think, Leslie, you were referencing the brilliant jerk phenomenon earlier. So you're aware of this. By the way, for those of you who don't listen to the show regularly, my co-host Mike Johnson is very, very anti-brilliant-jerk. It is for him the worst possible thing that could be in an environment: toxic. Exactly what you had described at the very beginning of the show. I go on here and he says, now people don't want to work with a leader like that. To avoid the brilliant jerk phenomenon, start with their success, not your solution. Ask teams what success looks like for them and listen to their real problems. By the way, my other co-host Andy Ellis said one of the fastest ways to sort of get little wins, sometimes big wins, is when you come in as a CISO, start asking people, what is one stupid thing that's still going on that you would love fixed? And you'll be amazed how many simple problems you can solve then. But let me go on and say the end goal is to make security as frictionless as possible so the business can do its job. Sounds good. But there needs to be some middle ground. So I'm going to start with you, Leslie. You want feedback. You know, we want to do this guide, but heck, you need to lead. How do you play the balance?
Leslie Nielsen
So I lean in with experience. I'm 25 plus years in cybersecurity. Long before we called it cyber, we, you know, just called it the people you don't want to deal with, because it made your project take a lot longer. But I approach people with, it's a way, not the way. And it's, I've got 25 years' experience. Everybody in this room has a thousand. Right. If you add them together. So here is a way that I've seen it work. Let other people talk about it, not necessarily the way, and then just come out with a collaborative approach that's actually going to solve the problem altogether.
Matt Southworth
Yeah. I think looking for people who are collaborative, creative and good communicators is important. And it's not only knowing what the organization's successes are, but knowing what individual strengths are. And you might not know your own strengths. You have to be a little quiet and observe when people come alive and where they actually know they can do something well.
Leslie Nielsen
Yeah, that's great. I love it when I come out of a room and people don't realize I was the most senior person in the room. I love it when other people are driving and doing things and people are like, oh, you report to that person over there. Right. It's like, yeah, yeah, I do.
David Spark
You know what's interesting? You say that because when you stop leading and you let others lead, you realize certain things can come out that don't happen when you're leading.
Matt Southworth
Right, absolutely. I was complaining to my boss just this week that sometimes I feel like my job is going to a meeting and telling people to do their jobs, and was brainstorming how to empower everyone on my team to do that, even when I'm not in the room.
Leslie Nielsen
Yeah. And we're in a 24-hour world. You have to have your backup. You have to be able to take a little digital dark time and you have to put trust in people and let them get experience too. We need more good cybersecurity people. And people need to collaborate and share. And it's kind of been the, you know, "I could tell you, but I'd have to kill you" mentality within the business for years. But those days are over.
Matt Southworth
Yeah. Speaking of toxic.
David Spark
Right? Yeah. So I was just in Houston at this conference, HOU.SEC.CON, and two CISOs I spoke to did this exercise, and I'm interested to know if you did it, where they would do the "what if I'm not here" scenario. What if I'm not here and this happens, so I'm not a contact for you to reach out to. And it was two things. One was trying to see if they can think about what you think, which wasn't necessarily important, but if they could handle the situation. Have you done these before? Like the no-Matt, no-Leslie scenarios?
Matt Southworth
Yes, we have. So three years ago, maybe when we did an annual tabletop. I was traveling at the time and the team didn't know this, but I was having Internet problems for the first hour of the tabletop. So I let them run it themselves and then I joined later to see, you know, how it was going, how things were progressing. One thing we learned there was one person in the company who could declare an incident and that was me. Oops.
David Spark
Yeah.
Leslie Nielsen
Yeah. Live fire. Tabletop exercises happen all the time, whether you're on a plane or you're out or you're trying to be digital dark. But the other thing I like to do, though, during tabletops is just role reversal. So who's incident commander? Who's incident manager? And just flip it, because it's really hard for technical people that have come up through the ranks to understand the business side and to see it, and make them role play it, make them feel a little bit of that pain. The CEO, the CRO, the CFO, get everybody involved and make sure that people understand what's going on.
David Spark
I want to come back to one last thing and then just wrap this up with this, about the brilliant jerk. So is there a way? And again, all people are different. But have you ever been successful with a brilliant jerk, or can it never work and you just got to get rid of them?
Leslie Nielsen
I have, which is partially what made me keep that one I talked about around. But there are just some people that I am not talented enough to bring around. Right. I'm not perfect with everybody. Not everybody works great together. But yeah, there's good brilliant jerks out there. They just don't realize it. And a lot of time they just haven't had good leaders and they feel like they have to just come on so strong. I'm so right. Everyone should listen to me. Just take a step back, get them involved, get them collaborative. 80, 90% of the time, you should be able to bring them out of it.
Matt Southworth
Yeah. You can do a lot with some feedback given the appropriate time in the appropriate way. Right. But you don't have to speak first. You are where you are because you're smart and talented. You don't have to impress everyone on that every time. Let the most junior person in the room speak first. These are things we've all heard, but just keep repeating it to people who might have a personality that's not gelling yet.
Leslie Nielsen
Yeah, and I'm just going to tag onto that. Absolutely. What Matt said, and define your acronyms. If you sit in a meeting with Finance, you're going to realize that, wow, I don't know anything about finance, and this is probably what I sound like when I'm talking to other people. Tell people, if you leave a room and people don't understand what you're saying, you lost that meeting. That's not a win, that's a loss. And that's a good early indicator of somebody that's going to be a brilliant jerk.
Matt Southworth
Also, can you just stick them on the help desk for an afternoon?
Leslie Nielsen
Really good one.
David Spark
That is a good one. I like it.
Leslie Nielsen
I like it.
David Spark
And by the way, put a camera on them because that's going to be entertaining.
Who's our sponsor this week?
Today's episode is brought to you by Mimecast. Let's hear it for Mimecast. All right. They are trusted by over 42,000 organizations worldwide to secure human risk. Cyber threats are getting smarter every day. And threat actors aren't just targeting your technology, they're targeting your most valuable asset, your people. Now, Mimecast helps you identify and secure risk with a unified, intelligent platform that protects across the spectrum of threats, from email and chat to file sharing. Now, with Mimecast, your team becomes your strongest line of defense. Empower employees to make smarter security decisions, stop threats before they spread, and keep your organization resilient. Do you want to learn more? Well, visit mimecast.com to discover how Mimecast's integrated protection helps you stay one step ahead of cyber threats. Remember, that's mimecast.com, and when you go, let them know you learned about them from the CISO Series.
It's time to play what's Worse.
All right, for those who've heard the show before, you are familiar with this game. We've been playing this game since the beginning of the CISO Series, and here's how it works. It is two horrible scenarios. They're both bad, neither one you like, but it's a risk management exercise and you have to determine which of the two is worse. I always ask the co-host to go first. So Matt, you're going to go first. And here is the scenario. It comes from Neil Saltman of Ahead, and here are the scenarios. What's worse? Having no data governance policies while your company moves full speed ahead with AI projects, with shadow IT everywhere and no real visibility into what's happening, or relying on AI completely to protect your data, with someone who doesn't know what they're doing manning the controls, and the controls have gone rogue, changing at such a rapid pace you can't track all the changes. What is worse, Matt?
Matt Southworth
Oh, great, thanks.
David Spark
This is a tough one.
Matt Southworth
Well, like Leslie, I've been in this game for a minute, and I think my answer would have changed over time. Initially, what's worse? I probably would have thought all the AI processes uncontrolled, whatever. Today, with these gray hairs, not having a data governance program is worse in every scenario.
David Spark
Every. So just AI going loose and changing. That's not worse than no data governance program.
Matt Southworth
I mean, you could have dumb interns, right? It's not that different, except they are a little faster. So without your data governance program, you don't even know whether the rogue AI is doing real damage to the organization or not. So lack of data governance is worse. Final answer.
David Spark
All right, final answer. I'm going to go to you, Leslie. Do you agree or disagree?
Leslie Nielsen
I disagree. Okay, I'm going to go with B. I'm going to go with B is worse just because it's going to cause the proliferation so much faster. You know, not having data governance yet, you can back into it and start teaching people, et cetera, but just having rogue AI everywhere, spitting stuff out, not knowing what's going on and not even be able to track it back down, I just, I don't know. That scares me more.
David Spark
Yeah, that's pretty bad. All right, I'm going to throw this to the audience. All right?
Leslie Nielsen
They're both bad, they're both horrible.
David Spark
But again, the game's called What's Worse? So I'm going to throw it to you. So the two scenarios, essentially: no data governance with the shadow IT going everywhere, or AI is completely running your program and someone who doesn't know what they're doing is manning the controls and the controls have gone rogue. So that's the second scenario. So no data governance, or controls going rogue. Which one's worse? By applause, how many people think no data governance is worse? By applause. Come on. All right. A few people. By applause, how many people think the AI going rogue is worse? Oh, I lose. They went with Leslie.
Leslie Nielsen
The crowd has spoken.
David Spark
They have spoken.
What are these security pros talking about?
All right, this is a fun game.
Matt Southworth
This is the new game.
David Spark
This is not that new. We've played it actually once before, but it's actually, you know what? It's new in that we actually have bumper music for it. So that's what we got for it. So here we go. This is the game. We interviewed a series of cybersecurity professionals. This was actually at RSA this year on a variety of different topics. And we're gonna go play their answers. You have to guess what the question was. So you're gonna hear a series of different answers to a question, but you're not gonna hear the question. You gotta figure it out. If they don't figure it out, I will toss to you the audience and see if you can figure it out. Okay, we got four rounds of it. Here is the very first one. Listen, and I can play it a second time if you need. You can be 100% secure. People know exactly what they have to do. There is a single determine the security.
Leslie Nielsen
Posture of an organization.
David Spark
What do you think the question was?
Matt Southworth
I think the question was, what does your CEO believe? That's completely false.
David Spark
I'm going to give you that. That is what are common misconceptions about cybersecurity. Very, very good. All right, Why'd it go on that? Let me give you that.
Leslie Nielsen
Nailed it.
David Spark
You get the organ win on that. All right, here comes the second one. Multi-factor authentication. Timely documentation of everything that they learn and do. I wish they would just patch their stuff, not click everything they see in their email. Leslie, you want to try this one?
Leslie Nielsen
If I could only get my stupid users to do one thing.
David Spark
That is correct. Very, very good. All right, good job. All right, here we go. Another one. It requires expertise to be a cybersecurity person. It doesn't. Requires different thoughts. Compliance does not equal more secure single.
Matt Southworth
Panes of glass and more single panes of glass. Covered by single panes of glass. Most people do not understand security strategy.
David Spark
What is the question?
Matt Southworth
Feels like something that you'd need to educate a talent acquisition or recruitment team on to get the most diverse candidates.
David Spark
No, that's not it. Not at all. What do you think, Leslie?
Leslie Nielsen
I think it's the misconceptions around security and the things. That was the first.
David Spark
That was the first one. No, no, no, it wasn't that. All right, I'm going to throw this to the audience. Just literally yell it out if you think you know what it is. Anyone think they know? Nobody.
Leslie Nielsen
Take another shot.
David Spark
You want to take another shot at it?
Leslie Nielsen
Cybersecurity professional pet peeves.
David Spark
Exactly correct. Yeah. Good job. Bravo. Excellent. Very, very good. All right, last one. Let's play the last one. Good job. Leslie's gotten two. Matt, you have one audience. You have zero. Audience has had zero. Here we go, last one. It's going to be quicker to do a bunch of things, I would say.
Matt Southworth
Threat detection for information to reference and.
David Spark
Learn about what is going on and what's being detected to help augment some of the mindsets of people and also just basically help streamline all your security practices to be proactive in identifying risk points. What do you think the question was?
Matt Southworth
Sounds like, what do you want to take away from this conference? Or what do you want to do over the coming year?
David Spark
That is not the correct answer. What do you think?
Leslie Nielsen
What do you think AI is going to do for you in security?
David Spark
Nice. That is correct. That is correct. All right, very good, Leslie.
Leslie Nielsen
But Matt, I like the way you're thinking.
David Spark
It was a good answer. But Leslie wins three to one. Sorry, audience. The goose egg. You blew it.
Could this possibly work?
I love this topic. It's something that was brought up on the cybersecurity subreddit. We're huge fans of the cybersecurity subreddit. So here's my question that was asked on the cybersecurity subreddit: what overlooked security controls are actually getting the job done? So that question came up from a sysadmin on the cybersecurity subreddit who wanted to know which are the smaller, less hyped controls that are most effective. So here are some of the very telling responses: marking emails from external senders topped the list. Outbound firewall rules came up repeatedly. And the simple but often ignored practice of deleting old exceptions. So I'll start with you, Leslie. What are the, quote, "boring" controls that dramatically improve your security posture? And I guess they don't necessarily have to be boring, but why are they so effective?
Leslie Nielsen
So this is non sexy and it's going to be controversial, but friction in getting things done, especially user provisioning and access control, because people that can do stuff really, really quickly tend to end up making mistakes and not following process.
David Spark
I will tell you there are some friction things I actually enjoy. I'll give you a perfect example. I have a CRM-type tool that, if I try to delete more than one entry, it'll make me type in two, three, whatever the number is. I have to physically type that whole thing. That friction I very much enjoy.
Matt Southworth
Prevent stupid mistakes.
David Spark
Yes, very much. Prevent stupid mistakes. That's a good one. What do you think?
Matt Southworth
I racked my brain on this, and I am a total pack rat. But if you have an aggressive retention policy, especially for things like email, 30 days, 90 days, your attack surface just shrinks dramatically. If you can turn that on, it's incredible for helping the organization prevent the loss of data.
David Spark
Well, that's a pretty... Does anyone have a 30- or 90-day email policy? We reference emails.
Matt Southworth
Years? You've seen 90 days? You've seen it.
David Spark
But how does the business operate like that?
Matt Southworth
People have to be disciplined about it. Email is not your file archive.
David Spark
Right.
Matt Southworth
Put the data somewhere that it's referenceable even if you leave the organization. It also gets you out of these one point of failure mentalities.
Leslie Nielsen
And it's not your file transfer protocol.
David Spark
Yeah, yeah, but I couldn't imagine doing like, I don't know how I could stay in business doing that.
Matt Southworth
Right.
David Spark
All right. Any others you got? I mean I thought these were very good, like the marking emails from external senders. But one thing that I've heard is if you use the same color, they start to get glassy eyed. So changing the color is critical.
Matt Southworth
Just educating users, giving them the tools. Maybe you can buy a password manager for your users. It saves so much pain in the long run.
David Spark
And this interesting one, the often ignored practice of deleting old exceptions. People throw those in just in a whim and immediately forget about them.
Leslie Nielsen
Oh, absolutely. And your risk exception process. There are so many people that just don't go back and look at them. Right. It's like, okay, you have this risk, it's accepted for 90 days, and then two years later you have a firewall
Matt Southworth
Rule with a reference to a ticket number from a tracking system that hasn't existed in 10 years.
David Spark
How do you unearth those?
Matt Southworth
Turn them off and see what breaks. Don't do it at the end of the year.
David Spark
Amen. By the way. Have you done that practice? See, let's turn it off and see.
Matt Southworth
The phone rings.
Leslie Nielsen
Yes. Yeah, yeah. I had a previous company, or a few companies ago, we had a whole bunch of orphan systems from mergers and acquisitions, and we started a system eviction notice program, and we called them SENs, a SEN program. SENs, you know, kick them off the network and, you know, shut stuff down. And we shut so many things down and nobody complained. I told the team, you need to push harder. We need to get somebody to complain.
David Spark
What about this AI security challenge?
AI-generated code presents fundamentally different risks than other software, said Boyd Kane of Cube Space. General beliefs about secure code do not apply to AI-written code, such as: software vulnerabilities are caused by mistakes in the code; you can find bugs by analyzing the code; if you fix a bug, it won't come back again. It's like asking the same question twice to ChatGPT and getting two different answers. Do you agree? I'll start with you, Matt, with this assumption that AI-written code, or even vibe coding, needs a different code analysis treatment. And if so, what should we be doing differently when securing AI-generated code?
Matt Southworth
I don't know if the point of generation, if AI generation, is what differentiates how much you need to review and scrutinize the code. I think what you're doing with the code, where it's running, the context, what data it's touching, is much more important. We've been using tab completion in code forever. It's again the dumb intern problem. I'm not sure that the person writing this code is any smarter or less smart than the GenAI tool. Anecdotally, when we look at GenAI-generated code, it's longer. That doesn't mean it's better. It may not be as efficient. There are some known problems with this code, and you might want to tune your reviews, your detections, around that. But fundamentally, if it's critical code that's touching sensitive data, that's where you want to invest the review, whether it's reviewing human code or machine-generated code.
Leslie Nielsen
Eventually AI is going to get to the point where it's saying, oh, we don't even need code, I'll just write bytecode and stick it right in. Or I'm just going to redesign algorithms, or how computers work, et cetera. But we're not there; we're just generating code. And there are good secure software development lifecycle practices that need to be followed, and need to be followed rigorously, especially with the proliferation of more code from AI. Do good architecture and design, do threat models, iterate over those threat models and make the architecture and design stronger. Do static, dynamic, as well as secure content analysis through the process. Do pen testing, red teaming, bug bounty, responsible disclosure. Just do all the things that you're already doing, do them better, and you're going to make it through the AI.
David Spark
So what you just said may have literally answered my next question. But I'm going to throw this out anyways. Is being... Prior to AI-generated code, there was a process to work with developers on being more security conscious, and also thinking about vibe coding, the people who are just literally writing in natural language text to have code spit out for them and creating the app itself. Is there a way to have a... Hey, look, I know the sort of environment of developers is changing. What constitutes a developer is changing. What is the kind of conversation about security you have to have with, like, a vibe coder? Someone who literally has no development experience, because, and I'll just throw this out very quickly, I met a guy in Florida who literally vibe coded his way to an extremely successful app. But he was unbelievably aware. Oh no, this has got holes in it. I've got problems coming up. He felt like, my pants are down by my ankles now. So either one of you jump in.
Matt Southworth
So I think the problem here is the person generating the code can't explain what it's doing. Again, this is a problem whether it's human-generated or machine-generated. You can start with the five whys. Ask, why did you do this? Why did you make this choice? What do you expect to happen here? Then hit them with the QA questions: what are the failure modes? If, instead of what you expect to happen, something unexpected happens, what will occur? Chances are the vibe coder is not going to know. So you educate them then on guardrails and how to protect and sanitize input.
David Spark
By the way, I'm totally talking in the language of developers. I don't think any of that crosses a vibe coder's mind at all.
Matt Southworth
I guess the vibe coders I'm thinking of are technical folks, but not developers. But you're right. This is a whole new world for people who have never even touched a C textbook.
David Spark
Right. I remember having this conversation about producing a live physical event, and I was talking to somebody and they started asking me questions, kind of like what you're doing. And my face just felt like, literally none of that crossed my mind. Not one thing. And I have that same feeling that's happening with people who are vibe coders. Like, there's this whole slew of questions that just never crosses their mind.
Leslie Nielsen
Yeah. So I'll go back to what I was saying in the beginning. Right. It's architecture and design, threat modeling, et cetera. When you're vibe coding, you can't do any of that, because you don't have a design, you don't have things to do threat modeling on, et cetera. You may have to use... This is where I would come in. Use tools that can reverse engineer that, that can pull it out. But then it makes it even more critically important to go through static, dynamic, secure content analysis, do all of that, and then pen test the heck out of it. So beat that stuff up and make sure it's ready for production, because that's the type of stuff that leaks vulnerabilities and zero days into the network.
David Spark
Let me hold, let me throw this out, because what you just described, why couldn't that be put into an AI development system? Like I say, you just vibe coded. Spit it out. Okay, you created the... Now here's the next stage: testing it. It could literally, like a wizard, walk you through the process.
Leslie Nielsen
I would say from a tool perspective, we are getting there. We're enhancing static and dynamic analysis with that. We're actually doing proactive pen testing, like pen testing continuously, which could eventually replace dynamic analysis. It's getting there, you know, using AI. World War II airplanes were just going crazy and everybody's like, how do you shoot down an airplane with another airplane? Right. Use AI to fight the proliferation of AI.
Matt Southworth
Yeah. We do have a threat modeling GPT, for example. Right. And that's helpful if the person reading the results understands what they're looking at. And that's what I wanted to ask you, Leslie: how do you put these controls or processes in place in a way that doesn't brand you as the team of "No," or squash the enthusiasm and creativity of the people who are vibe coding?
Leslie Nielsen
Yeah, it's tough, but you have to follow at least some process, and what you can do is turn it around. Security awareness training and security champions. Like, look, you're ahead of the game and you're generating all this great stuff. Look at these vulnerabilities. Let's just figure out how we can fix this, and then how you can augment and teach others, you know, play on that.
Matt Southworth
Yeah. Appeal to vanity.
Leslie Nielsen
Appeal to vanity.
David Spark
It's time for the audience question speed round.
So in my hand right here, I have index cards, questions from this audience and some other people who I met just earlier this week. And with the little time we've got left, I'm going to see how many we can get through. They have not heard these questions. They do not know them at all. So let's get some quick answers. I like this one from a Mimecast employee, Katie Callahan, who asks: I know you've got a lot of fears about AI, but I want to know, what's your absolute number one fear of AI, Matt?
Matt Southworth
Well, Katie, my number one fear of AI is uncontrolled development and deployment into production. Easy to say, but what do I mean? I mean, like any other development process, you need to be strong around role-based access control, secrets management, et cetera. That's where I worry that those processes and disciplines that we've built up over years will fall down.
Leslie Nielsen
Social engineering. The ability to just strengthen that from the hacker side, the ability to just really strongly deepfake better emails, better social engineering, and to get it done and get in, because of the Scattered Spiders, et cetera, of the world. That's what's scaring me the most right now.
Matt Southworth
It's a very Mimecast answer.
Leslie Nielsen
Thank you.
David Spark
Have either of you fallen for a deepfake video, thinking it was real?
Leslie Nielsen
I have not. I did fall for an Onion article years ago where Microsoft was going to transfer Office onto Linux.
Matt Southworth
There we go.
David Spark
That is a very nerdy response. All right, from Steven Gonzalez of Zencor. I like this one, and just select one. What is one good policy you have either heard about or have implemented yourself around AI governance?
Matt Southworth
One good policy I've implemented around AI governance is awareness. We don't tell people not to use these tools; we tell them to talk about it. So, to make it simple, a Slack channel for everyone using a tool, where they talk about what's going well and what's not.
Leslie Nielsen
Just having AI governance. I'm sorry, but no, there are companies.
David Spark
Out there that don't turn the on switch button.
Leslie Nielsen
Yeah, yeah, exactly. Just get procurement, get legal, get everybody together, talk through it. Have just a small committee and talk it through. But bring some of the other people in. But yeah, it's just having that. There's so many companies that still aren't doing that.
David Spark
All right, this one comes from Masha Sedova at Mimecast. And by the way, we've talked about this many times on our show, but I want to hear your thoughts. And I'm going to keep this general, because there could be nuances to this, but if an employee keeps failing simulated phishing tests, should they be fired?
Leslie Nielsen
Okay, I got this one. All right, jump in on it. I'm sorry, but yes, you have to go through a process, right? Two strikes, three strikes, et cetera. You have to give them every education opportunity. But if someone is a threat, if someone's constantly letting robbers into your office, they have to go.
Matt Southworth
I think I agree with you, Leslie, but I don't think this is a decision the security team should make, or have to make very much. If you're not able to tell this person's manager and HR the risks that are presented, and they don't see it the same way, then there's a fundamental organizational problem you have to address first.
Leslie Nielsen
So that's a great point. And that's acceptable use policy. Right. If something's in the acceptable use policy and somebody's not living up to it, talk to HR, do the right things, report, open the ticket, whatever you need to do. But you're absolutely right. Follow the process.
David Spark
All right, I'm going to throw a wrinkle in this. And this has come up on the show before. So I have a good friend who works in HR for a big company. They had a situation with a mechanic who could not be trained, just failing phishing tests over and over. So again, he kept failing. Not a knowledge worker, not in front of the computers, not working in finance, not working in accounting. But he did get fired because he kept failing phishing tests. Should that kind of person... Should the rules apply to everyone, or vary? If I'm in accounting and finance, the rules are stricter. If I'm a mechanic, lower. What do you think?
Leslie Nielsen
Well, re-engineer your business process. Why does a mechanic need email?
David Spark
Right.
Leslie Nielsen
I mean, you know, they're just.
David Spark
Well, they need... I mean, look, they need to get information from the company, and then payroll information. Any just basic, you know, community. Re-engineer...
Leslie Nielsen
The business process, where they have more limited access, where they, you know, have a secure portal. I just... Yes, they probably should, because they're potentially bringing harm into the company. It's tough. But also, look at re-engineering business processes. It's one of the last defenses.
Matt Southworth
Matt, totally agree. Why do they have email? I understand the nuances there, but then why are the links in their email live? If they're a mechanic, what device are they looking at these emails on? There's a bunch of places you could put in some simple controls before you bring out the hammer.
David Spark
All right, from Tom Doty, who's the CISO over at Generate Biomedicines, asks: what human actions are you comfortable with AI supplanting?
Leslie Nielsen
Yeah, I mean, start with a low level. I'll talk about our SOC. Right. We're enriching, enhancing data. We're, you know, more quickly opening tickets, looking at indicators of compromise, pulling in all the data that we need, getting it at our fingertips. That's from the security side. On the coding side, I'm fine with AI coding, but again, I'll go back to what I said earlier. You've got to have those processes in place. You've got to do the reviews, I think.
Matt Southworth
Yeah. On the security side, what's the stuff that we're not doing today, either because it's boring or because we don't have the resources to allocate?
David Spark
Right.
Matt Southworth
Start there. Enrichment is huge. Additional eyes on PRs is huge. Great stuff that you can do pretty easily with a couple of API calls. Pet peeve of mine: when I receive a communication from somebody on my team, or when I'm looking over a review, and it's obviously been written by ChatGPT and doesn't have any of that person's voice in it. Oh, I really don't like that process. And it's a fine line to walk, because I've got people who speak a dozen languages and English is not their first. I want them to clean up what they're trying to say, but I don't want it to read like it was written by a robot with an em dash in every sentence.
Leslie Nielsen
That's nice.
David Spark
Em dash. By the way, that has been a telltale sign of AI writing. Extremely overused.
Leslie Nielsen
The word "delves" almost always guarantees that an email was generated by ChatGPT.
David Spark
All right, very last question, and this is very much in the world of Mimecast here. I'll start with you, Leslie, and you can speak for organizations, because I know you're doing this stuff at Mimecast: how is your security awareness program, or the other programs you're seeing, evolving with deepfakes? It comes from David Peach, who's the CISO of Intersection.
Leslie Nielsen
Ah, evolving with deepfakes. We're using smaller, quicker content, and we're also nudging and putting stuff out when people do fall for phishing, et cetera. I don't know, from an evolution-on-the-deepfake perspective, we are including more things in the security awareness, but it's really shorter, quicker content that's to the point and delivered at the right time.
Matt Southworth
Yeah, I think you need to think about who the target audience is. I think a lot of the deepfakes we've seen are impersonation of an executive. You think about your AP team, you think about your help desk, and you target training to them with the deepfake, with the recording of your CEO saying, hey, help me reset my password. And you target it that way. You make it smaller and more oriented towards their specific role and concerns.
Leslie Nielsen
Yeah, David, could I... One last thing. So I'm just going to tell everybody right now, and I send this out in email. Cybersecurity Awareness 9000: our CEO will never ask you for Amazon gift cards. Never going to happen over WhatsApp.
David Spark
That's right. By the way, I want people to send me Amazon gift cards. I would love that. I would really, really appreciate that. Well, that brings us to the very end of the CISO Series podcast. Let's hear it for my guests. That is Leslie Nielsen, who's the CISO of Mimecast, and also Matt Southworth, who is the CISO over at Priceline. Thank you both for coming. This was a lot of fun. I want to thank also Mimecast and Mimecast Elevate for bringing us out to New York to do this live show. Remember, go to mimecast.com for essentially all your human risk factor needs, if you will. Any last words? Oh, the question I always like to ask: are you hiring over there at Priceline?
Matt Southworth
We are hiring at booking.com in Amsterdam. Beautiful city. Go check it out.
David Spark
Ah, I've been out there, yes. And are you hiring at Mimecast?
Leslie Nielsen
I've got some reqs open. They're on LinkedIn, and I'll make sure they get pushed.
David Spark
Awesome. Well, thank you again, everybody. Thank you for coming out to see us live. I say it all the time, but we really, really appreciate your contributions and for listening to the CISO Series podcast.
That wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines: Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly@Davidisoseries.com. Thank you for listening to the CISO Series podcast.
Hosts: David Spark, Matt Southworth (CISO, Priceline), Leslie Nielsen (CISO, Mimecast)
Date: January 6, 2026
Location: Mimecast Elevate Conference, New York City
This special episode of the CISO Series Podcast, recorded live in New York, explores the consequences and opportunities brought by automation and AI in security. The hosts and live panel (David Spark, Matt Southworth, and Leslie Nielsen) dive into real-life mistakes, scaling dysfunction with automation, the challenges posed by AI-written code, balancing leadership with collaboration, handling "brilliant jerks," overlooked security controls, and evolving security awareness training for deepfakes. Blending peer advice, interactive games, and audience Q&A, the episode offers insights into the human and technical aspects of cybersecurity.
Avoiding “Tech A-hole” Leadership
Can “Brilliant Jerks” Be Saved?
#1 AI Fear
Best AI Governance Policy
Employees Failing Phishing Tests—Fire Them?
Human Tasks OK for AI to Supplant
Security Awareness Training & Deepfakes
On AI & Automation Risks:
"If you buy that fancy SOAR or SIEM, you'll automate your corporate dysfunction at machine speed." — David Spark [03:53, paraphrasing Anton Chuvakin]
On Leading Technical Security Teams:
"It's a way, not the way...Take a collaborative approach to solve the problem altogether." — Leslie Nielsen [10:19]
On Fixing Broken Processes:
"You can throw an LLM at it...but it's not going to change the organization's priorities." — Matt Southworth [05:03]
On Deepfakes & Social Engineering:
"Deep fakes are there and they're only going to get worse or literally better, but worse." — Leslie Nielsen [03:15]
On Overlooked Security Controls:
"Turn them off and see what breaks. Don't do it at the end of the year." — Matt Southworth [26:56]