
David Spark
Biggest mistake I ever made in security. Go.
Quincy Collins
Not firing a managed security services provider fast enough. We all know how long it takes to onboard providers, whether they're vendors or doing something else for us. But MSSPs are crucial to security operations and lobbing alerts over the fence just does not work.
David Spark
It's time to begin the CISO series podcast, recorded in front of a live audience in Los Angeles.
All right, that I like to hear. Awesome. We are in Los Angeles. We are here at the ISSA LA Summit, our first fourth year doing the show here. We are thrilled to be back again. They invite us back again and again. We are still trying to figure out why, given all the problems, we're thrilled to be here. I want everyone to meet my guest co-host. Sitting in places where usually Mike Johnson or Andy Ellis did it is the deputy CISO for Corning Incorporated, Jeff Stedman. Let's hear it for Jeff.
Jeff Stedman
Hello, audience.
David Spark
Say hello to our audience.
Jeff Stedman
Yes, hello.
David Spark
All right, that's his voice. You're going to hear a lot more of him. By the way, we're available at cisoseries.com, where you can find all of our wonderful programming. But don't go there now. Those of you in the audience, if you're listening, if you're driving, don't go there right now, but you can go eventually. Let me tell you about our wonderful sponsors. We have Adaptive Security, next-generation security awareness. Let's hear it for Adaptive. And DropZone AI, AI SOC analysts that never sleep. You're going to hear more about them later in the day. Now, you and I were chatting, Jeff, just earlier you were given some, when you were, I don't know if you were starting out, if you were well into it, but you were given some really, really good advice of dealing with an incident. What was that?
Jeff Stedman
So it was early on in my career, David. So it was, yes, absolutely early. And I was in a training course, hadn't had the opportunity to handle an incident yet. And the instructor says, you can't outrun a packet. And sitting back, it really, you know, reflecting on that, it's the adrenaline's going to overtake you. You're going to throw your incident response playbook out the window. Don't do those things. If you're working too fast to take notes, you're just working too fast.
David Spark
That is a really good point. In fact, actually, I don't know if you saw it. We shot a video at Black Hat where I asked people, what do they not teach you about dealing with incident response? And you kind of hit the nail on the head. The big thing that we got from a lot of people was they don't teach you about the stress at all. That's something you have to experience on site. All right, I want to introduce our guest and get into the show. To my far left, here he is, the CSO for Sheppard Mullin, none other than Quincy Collins. Let's hear it for Quincy. Say hello to the audience.
Quincy Collins
Hey, everybody. Such a warm welcome. I'm really appreciative to be in front of you all today.
David Spark
How is AI going to solve this problem?
All right, since modern LLM tools came onto the scene, how will the next generation learn cybersecurity when AI takes over entry-level work? So Helen Patton of Cisco asks this very question and she's struggling to find satisfying answers beyond theoretical suggestions such as AI-led coaching. So this reminds me of learning long division in school. We all know how to do it and it helped us learn mathematical concepts. And that's about it. I mean, nobody uses it. I mean, is there a long division of cyber that's still necessary or can we skip straight to the conceptual understanding of cybersecurity? Is there some grunt work that's just a must-do in cybersecurity? So I'm going to ask you first, Jeff, what? Where are we overthinking this transition? It is happening, or is there a real risk if we lose grasp of these foundations?
Jeff Stedman
That's a great question. I think that for me, I'll talk about the long division aspect of this and then the overthinking aspect of it. So the long division component is really looking at that foundational level of work. We'll never really get rid of that. The understanding of confidentiality, integrity and availability and how that applies into the environment to protect that business, that's very important. So the other aspect is the overthinking, certainly not overthinking how AI impacts the business and how your roles are going to be impacted. So you have to plan for those entry level workers to shift, learn how to do the new tools, use the new tools, and use the new skill sets along the way. But it's not just for those entry level workers. It's for everybody on your team.
David Spark
All right, Quincy, I throw it to you, by the way, have you thought about this? Like, if AI is going to take this, how are we going to groom the next crowd? Aren't there some basic concepts? I had to learn this. They should too.
Quincy Collins
So conceptually, I think it's really important to note that cybersecurity starts with information technology. So it's really, at its core, it's an information technology problem. You have to understand information technology if you are to actually secure a system. And in order to investigate, you need to understand how computers work, networking, cloud and whatever it is that you're trying to secure. So looking at how these young folks and other individuals who are transferring into cyber are supposed to learn, they're going to have to do it the old-fashioned way if they really want to have that deep, deep foundation on which they can build. Because I think today there's a little bit of a problem in cybersecurity in that everyone's looking, not everyone, but many folks are looking for a shortcut. And I'm here to tell you...
David Spark
AI is kind of providing some shortcuts, don't you think?
Quincy Collins
I'm here to say that there are no shortcuts. AI is a tool that we can utilize, but you have to have the wherewithal to understand if the AI is potentially giving you some incorrect information or it's missing valuable contextual information about your organization or whatever it is that you're trying to secure.
David Spark
Jeff, the two of you think of this way of like, you got to learn it even though AI is there. Kind of like we had to learn it even though we had calculators. Is there going to be this potential backlash of, no, I can just do it because I know how to ask the question.
Jeff Stedman
I'm sure there will be, but from an understanding perspective, that means your workforce is going to be a little weaker, right? So that context, as Quincy was referring to, it's key. It's the key to success and understanding what's actually happening.
David Spark
If AI is telling you the right answer, exactly.
Where does the CISO begin?
Your fully exploited strengths provide far more credibility than your marginally improved weaknesses. Jerich Beason, who's the CISO at WM, argues that the myth that a security leader needs to be good at everything, unless it's a very small company, rarely will you need to be a cyber Swiss army knife. Build credibility by making your strengths your signature while hiring for your weaknesses, said Beason. Now, leaders don't need to be experts in everything. Knowing that and being open about that speaks volumes. Even if you don't know it all, always be prepared to ask intelligent questions to any audience. If you can't, your credibility can take a hit. So I'm going to start with you, Quincy. How can you be. I mean, this really seems critical for a CISO or CSO. How can you be omnipotent without being an omni expert?
Quincy Collins
I think the focus for CISOs and CSOs out there is to be able to ask the right questions of the executives that they're working alongside, their security team that's working with them, and the right questions of the business. So you don't necessarily need to be an expert in every single area and every facet of cybersecurity. But I think you do need to tread water in order to be able to make it to shore, if that makes sense. You've got to know about encryption. You've got to know about what it is that your business is doing. You've got to know about cloud, if that's where you are. So it's very contextual what it is that you need to know. But from a foundational aspect, you have to be strong enough to be able to ask the right questions and lead your organization in the right direction with minimal risk or minimizing the risk that is associated with bringing in technology and other associated business processes in your business.
David Spark
Jeff, let me ask you. Have you ever had a situation where you actually did not know the right question? You said, what question should I be asking regularly? All right, okay, good.
Jeff Stedman
And it's important because you know your perspective, you're bringing one lens. It's important to ask your team, your stakeholders, what is it from their perspective that they see, you know, is the challenge or the issue? So to Quincy's point, asking those questions is important. Digging down deeper, whether it's business, your team, understanding your gaps, and making sure you're hiring for those gaps so that you have the right people surrounding you to get to that right answer, making sure you're providing value back to the business.
David Spark
I'm sure the two of you had, maybe for your time, higher technical capabilities, and once you moved into the managerial role, that slid. I mean, did that totally happen for both of you?
Quincy Collins
Unfortunately, yes. My technical capabilities have diminished. They haven't perished, but they have diminished.
David Spark
Right. And I will say, like, I always hear this, I hear it all the time, and there's a little loss for the enjoyment of that. But you realize it seems this is the right sacrifice I have to make. Yes.
Quincy Collins
I think it's kind of twofold. One, from a practicality standpoint, you want to be able to do everything, but at the same time, you shouldn't. As an executive, that's not your role to tighten down the bolts. Right. Your role is to lead the strategy of an organization and figure out the best path forward, even if you don't have all of the information. A lot of CISOs out there are doing their best with what they have. And unfortunately, you can't always hire for or the most technical folks or the most expensive folks or the folks with X amount of experience. So you have to do the best you can with what you have.
David Spark
Similar experience for you, Jeff, in terms of letting sort of that technical expertise slide?
Jeff Stedman
I think I'm still not acknowledging that point yet. I do enjoy getting my hands down into logs and reviewing the work that the team does to the point that they ask me to let them do their job. But it also gives me that opportunity to ask those questions to make sure that we're covering our bases.
David Spark
Who's our sponsor this week?
We have two phenomenal sponsors and I'm going to tell you about both of them. But first we'll just talk about Adaptive Security. So they're actually OpenAI's first cybersecurity investment. So AI-powered social engineering threats like deepfake voice calls, gen AI phishing and vishing attacks are all evolving fast. We know this. Adaptive helps security leaders get ahead with an AI-native platform that simulates realistic gen AI attacks and delivers expert-vetted security awareness training all in one unified solution. And now with Adaptive's new AI content creator, security teams can instantly transform breaking threat intel or updated policy docs into interactive multilingual training. No instructional design is needed. That means faster compliance, better engagement, and less risk. Trusted by Fortune 500 and backed by Andreessen Horowitz and the OpenAI Startup Fund, Adaptive is helping security teams prepare for the next generation of cyber threats. And you can actually learn more by going to adaptivesecurity.com. It is spelled exactly the way it sounds. Adaptivesecurity.com. And when you go there, let them know that you heard about them from the CISO series.
It's time to play What's Worse.
All right. We have been doing this game since the very beginning of the CISO series and I have a very creative scenario here. And it comes from Erkan Sertalu of sahibinden.com and here we go. It's got a Marvel theme to it. You'll like this. Now I'm going to make you answer first, by the way, Jeff. And you will agree or disagree, Quincy. All right. And you have to give a good argument for which one is worse.
Quincy Collins
You're going to turn us into enemies here.
David Spark
Yeah, here we go. You can agree or disagree whichever way you want to go. All right. During the Age of Ultron era, Captain America was presented with a disturbing cyber intelligence report from the Avengers. The team had detected two separate threats, each alarming in its own way. So I'm going to describe each threat. You're going to tell me, essentially, which one is worse. So, the first report warned that Ultron had developed a swarm of nanobots capable of bypassing any physical security mechanism without triggering alarms. These nanobots could physically access the Avengers' backbone switch or any other system and manipulate hardware components undetected. Pretty darn bad. Yes.
Jeff Stedman
Yeah, it's no good.
David Spark
Yeah, no good. All right. Second one's pretty bad, too. Second report warned that Ultron had managed to break message encryption keys based on 128-bit TLS cipher suites. He achieved this by leveraging a multidimensional quantum algorithm combined with brute force attacks, provided he captured enough data packets. Now, the captain does not know which report is more possible. So really, the question I have with you is, which threat should he prioritize? Which one is worse? So is it the physical nanobots, or is it the fact that the encryption keys have been completely bypassed?
Jeff Stedman
I just want to say both of these are terrible, but I'm going to go with the nanobots. The nanobots themselves, actually.
David Spark
Can I change that now? You want to go to encryption?
Jeff Stedman
Yeah, I want to go to. The encryption is worse, because, you know.
David Spark
But wait, you started with the nanobots.
Jeff Stedman
I know.
David Spark
You lasted, like, by the way, I don't think we've had anyone last that short on a decision before. All right, so you have switched from nanobots to encryption. So you think encryption is worse. Why?
Jeff Stedman
The encryption is worse because if the nanobots get in and I'm using encrypted traffic, then I'm not really worried about the nanobots.
David Spark
Right?
Jeff Stedman
So if they're coming across my switch and they want to look at it, great. Have a field day. As soon as you can break that encryption. They just need access to the data and enough data, and then you're done.
David Spark
All right, good point. But I got to point out that there's a lot of damage that can be done without accessing data. Yes, Quincy, yes. Okay, so which is worse?
Quincy Collins
So they're both very bad.
David Spark
Yes, I got to say, there's no. There's no doubt on that. You have agreement on that?
Quincy Collins
I'll just add that if the nanobots had access to the switch, they can then likely penetrate the network. So it's actually a confidentiality, integrity and availability risk compared to the confidentiality risk of breaking the encryption. So I would go with. The nanobots are far, far worse.
David Spark
Yes. I want you to know that Erkan, who sent this in, he considered the physical breach worse because he feels like, well, you could just upgrade to stronger encryption, 256-bit keys, if you wanted to.
Jeff Stedman
Well, maybe, but if I'm operating in the cloud, what are you going to go get on my switch? I'm not going to have a switch.
David Spark
Good point. I want to know from the audience how many people think the nanobots is the worst scenario. By applause. How many people. Okay, who raises their hands for a podcast? All right, a lot of people. So a lot of people are agreeing with you, Quincy. All right, by applause. How many people think that the encryption is far, far worse? By applause. You switched so quickly. I did. I did, yeah. I think the audience was on your side at the beginning. Did you. Did you. Did someone dissuade you from the audience? Did you get, like, an evil stare?
Jeff Stedman
The sun got in my eyes. Cause we're near the beach, David.
David Spark
There's barely any setup. There's a lot of cloudy.
Jeff Stedman
Cloudy.
David Spark
What is Dave's mom talking about?
All right, my mom is not a cybersecurity expert. She's an elderly woman who is very kind to her son, and when her son comes up with a really stupid idea for a game, she plays along. So here's how this works. I asked my mom to describe different terms in cybersecurity. I will tell you, these are all different variations of wrong. Okay. You know what these terms mean. You definitely know what these terms mean. You have to try to determine from her just hearing these words, not knowing anything about cybersecurity. Try to figure out what the heck she's talking about. All right, I'm going to play each clip. Just jump in when you know, when you. If you guys can't figure it out, we throw this to the audience. All right, here we go. Here's the first one. "Stand up straight to stop someone from breaking in."
Quincy Collins
Firewall.
David Spark
I'm going to tell you that. That first line, stand up straight is critical.
Quincy Collins
It's tough.
David Spark
You're gonna.
Jeff Stedman
Yeah, I got nothing.
David Spark
Oh, God. All right, hold it. Some of. I could yell it really loud. What do you think?
Jeff Stedman
Security posture.
David Spark
Security posture.
Jeff Stedman
Yes, sir.
David Spark
Very good. Very, very good. Excellent. All right, one for the audience, zero for the two of you. Yes. Audience is kicking ass. All right, here we go. "Someone cheating and looking into your data." There's a semblance of correctness here. There's a little bit here. Come on, jump in. I'm gonna give you a. I'm gonna buzz you out.
Jeff Stedman
Buzz this out. Buzz this out.
David Spark
Buzz you out. That's a tough one.
Quincy Collins
This is the hardest test that I've taken.
Jeff Stedman
Oh, no.
David Spark
All right. And we're going to the audience. The audience is gonna crush you. All right, anyone know this one? I'll play it again. Someone cheating and looking into your data.
Jeff Stedman
Attacker.
David Spark
Not lateral movement. Not pen testing. SSL stress. No. Hacker. No, not hacker. This one may be too tough. This is spyware. All right, that is. Here we go. "Someone cheating and looking into your data." You see, they're spying into your data.
Jeff Stedman
It's kind of right.
David Spark
She's kind of got it right. Yeah. Here we go. Here we go. So one for the audience, zero for everybody. Here we go. It's hard to believe, but some people will be good when they get into your information. I think you can get this one. Wanna take a guess on this?
Jeff Stedman
Ethical hackers.
David Spark
So close. So close. Extremely close. Quincy, you can take this very close.
Quincy Collins
A black hat, white hat.
David Spark
White hat is correct. Good job. Very, very good.
Jeff Stedman
All right, that was a combo win. We should each get a point.
Quincy Collins
David.
Jeff Stedman
No, no, no. Everybody gets a point.
David Spark
No, he said black hat. He was completely off. He was completely off.
Quincy Collins
I was like, what?
David Spark
In terms of brainstorming. In terms of brainstorming, we would consider that a win because good ideas come from bad ideas. But since you're playing a game and you're not brainstorming, Quincy loses. You win. There we go.
Quincy Collins
There we go.
David Spark
So one for the audience, one for Jeff. Quincy's got zero. You can redeem yourself, and it could be a three way tie here. Quite. Quincy, last one.
Quincy Collins
All righty.
David Spark
Here we go. Okay. Just want to stress, everyone in this room knows it. My mother does not. An online streaming service. That is so unusual, few people know about it. Okay. It's so not right. But again, if you had heard it for the first time, this is probably how you describe it, and you didn't work in cybersecurity. I'll play one more time for you. An online streaming service that is so unusual, few people know about it.
Quincy Collins
Wow. Yeah. Nothing, Nothing. Nothing intelligent to say. So I'll just. Wait, wait. I'll just come with. The first thing that I think she might have thought about was security certificate, maybe.
David Spark
Oh, God, no. I don't know. No. By the way, your intelligence is what's hurting you here. Yeah, this is. You don't. Yeah. You don't give me the buzz. Yeah, well, all right. We're taking this to the audience. I'm gonna play it again. For you. An online streaming service that is so unusual, few people know about it. Anyone want to take a stab at that one? What do you got? No, not Zero day. No, no. It's a security term. Oh, security term. Anyone want to guess this? Come on. You're going to hate yourself when you hear the answer.
Jeff Stedman
I love your mom, though.
David Spark
Yeah, we all love my mom. Anyways, it's a virtual private network. There we go. Wow. Wow. Your mom crushed it. My mom won. Is who won?
Is this really the right strategy?
This is a really fun creative discussion. Should your next strategic hire be an artist instead of another analyst? Now that's a question raised by Anneliese Lewis and Laura Melissa Williams of Manifesto, who argue that businesses have sidelined the artist's mind in favor of data obsession and engineering solutions. Their case for strategic artists includes roles like director of strategic imagination and narrative systems architect, arguing that artists thrive in volatile spaces. Now there's a precedent for creative minds in security. After 9/11, the CIA reached out to screenwriters like Lawrence Wright to help imagine terrorist scenarios. So I'm going to start with you, Jeff. Do you actually see value and maybe you've already done this in bringing artistic thinking into cybersecurity strategy? And have you chosen that over a qualified traditional candidate and define that the way you want, or does it sound like a nice to have but not top of the list?
Jeff Stedman
For me, I think it's a nice to have not at the top of the list, but I'm going to qualify that a little bit with. It's important to bring in differing perspectives. Right. So when you have somebody that maybe is not that traditional candidate, creative or otherwise, they're going to provide that angle or lens that you may not think about into your processes and hopefully update those to make them a little more modern. I think it's more important that we consider hiring for what I call the three A's, which is attitude, aptitude, and appetite. So if you have those three great qualities in any teammate, then they're going to bring value back to the business. But I think the real winner here is if you have somebody that's working in your business that wants to get into cybersecurity, they're bringing that business value to the team.
David Spark
That, by the way, I couldn't agree with that one more. All right, same question to you regarding bringing in the creative minds. Is it a nice to have or. This is kind of. We can move this to the top of the list.
Quincy Collins
I'm a fan of the whole person concept. I wouldn't set aside one quality for another. I look at the entire person whenever it is that I'm hiring for a security operations job or auditor job. You know, a lot of people want to look at, hey, you know, how many certifications do they have, where did they go to school? Or what was their experience? But you know, you got to kind of package all of those things and then ask yourself, is this the right culture fit? How is this person going to fit in the team? And then how does their mind work right? Give them some situational problems and not necessarily looking for the right answer, but understanding their thought process because that, that could be indicative of how they're going to attempt to solve problems.
David Spark
So I'm interested in how you do that. We've heard a lot from our, from our audience. They've taken our what's worse scenarios and asked them to for, like, for job interviews with candidates. Have you done that like either through a job interview or just sort of challenging the team in general, like what would you do in this scenario? Or another classic case is when a big hack happens, you sort of study it from your angle. Like, had this happened to us, how would we handle it? Like, have you sort of done challenges like that?
Quincy Collins
So the way we internalize and kind of work through problems that we've seen out in the real world is we don't necessarily game plan, say, hey, what would you have done? We just kind of look at, hey, does this problem potentially exist in our environment and what does that remediation strategy look like? So a few years ago we had a situation where there were lots of remote management tools out in the real world that were being exploited. Large companies, small companies, medium-sized companies were actually being exploited via remote management tools. So you know, we decided, hey, we're going to look at our firewall, block it from an application perspective, look at the endpoint, and then create alarms in our SIEM. So you know, are you able to detect it, are you able to prevent it? And then what are you able to do moving forward? And then we actually update that list every six months or so or when something interesting happens. So we don't necessarily game and say, hey, what would you do? We kind of look at, hey, what's the threat? What's the risk to our environment? And then use our auditors to make sure and audit that process, make sure that it's buttoned up nicely.
Jeff Stedman
So it's really like if the assessing that incident in the public that happened to somebody else to see if that risk applies to you and how you need to go address that risk in your environment. So it really boils down to assessing your environment to know if that risk applies and then taking the appropriate action.
Quincy Collins
Oh, absolutely. We love to learn from others so that we don't have issues internally or at least try to prevent them.
David Spark
Who's our sponsor this week?
Picture this. Your SOC gets a suspicious login alert at 3 in the morning. It sits in the queue for six hours because your night shift is overwhelmed. By morning, if it's real, the attacker has moved laterally through your network. Here's what changes everything. DropZone AI doesn't just enrich alerts, it actually investigates them like your best analyst would. It pulls logs, checks user behavior patterns, correlates with threat intel and builds a complete evidence chain all in under 10 minutes autonomously. No playbooks to maintain, no code to write. It learns your environment and gets smarter with every investigation. Now, while other tools generate more alerts, DropZone eliminates the backlog. Your analysts get detailed investigation reports, not just enriched data. Stop letting real threats hide in your alert queue. Visit their site. It's DropZone AI spelled just the way it sounds. DropZone AI to see autonomous investigation in action. That's DropZone AI. And when you go there, let them know you heard about them from the CISO series.
Surprising research just in.
When we zoom out and look at the last 100 years of business history, it becomes painfully clear that cybersecurity risk is important but rarely truly existential. And that's what Ross Haleliuk of Venture in Security said. And he noted this on LinkedIn, that market risk, execution failures and strategy mishaps close doors a lot more often than cybersecurity issues. And in fact security researcher Adrian Sanabria has taken this further, maintaining a spreadsheet tracking companies that actually went out of business due to cyberattacks. And the list is remarkably short. 17 over the last 10 years. So this challenges cybersecurity's sense of self-importance. We often act like we're the only ones keeping the barbarians at the gates. So I'm going to start with you, Quincy. How do you balance the still very real threats of cyber attacks with the industry's tendency towards dramatic overstatement? We've heard of FUD, so. And does acknowledging this diminish cybersecurity's importance? What do you think?
Quincy Collins
You know, my first question is, you know, who is shooting out all the FUD, right? I think if we look at the marketing behind a lot of the new security tools that are out there, many of them are unproven.
David Spark
Right.
Quincy Collins
So especially the new things that are bleeding edge. So we have to just be careful not to purchase expensive paperweights, but to, you know, really kind of be right behind that bleeding edge just to keep pace with the attacks that are out there. The most important part for me regarding information security and keeping a tight grip on my network is training my team, making sure that they're available, making sure that they stay on the team. There are a lot of things associated with keeping pace with the current landscape of information security that's going beyond fear, uncertainty, and doubt. You've got to stay behind the A ball and keep your foundation with regard to information security and just keeping your head in the game.
David Spark
All right, now, do you feel maybe your own team feels this way or you feel this way, but the business may not acknowledge cybersecurity as being that important. Like, it's gonna crush the business. Like, where do you stay? It's important, but we're not gonna wreck you or like, how does it play? But I'm sure you kind of have these discussions. Yes, like, what's like, this could wreck us, this couldn't.
Quincy Collins
So every business unit is important. The role for information security and myself is to mitigate risk for the business. So with that in mind, there are other factors at hand when you're thinking about cost, when you're thinking about allocation of resources, and when you're thinking about security controls. So information security is important, but there are other, more important, many times factors which may play into your decisions. Now, I think it's also important to note that there's a risk appetite associated with the decisions that you make. And it's our role to make sure that everyone involved and the decision makers that are involved are aware of the risks and sign off on those risks associated with whatever it is that you're doing. I think it's just vitally important that you have the business lens in front of you rather than just a purely information security lens, because that's kind of self serving.
David Spark
And by the way, that's very much staying within the theme of the CISO series. Jeff, what can you add to this?
Jeff Stedman
Well, first thing, I want to go back and challenge the numbers on the 17.
David Spark
So just so you know, you can look this up. Adrian Sanabria. It's an open. I mean, I think. I don't know if you can edit it directly, but you can contact him and he updates it. He's always looking for.
Jeff Stedman
Well, let me explain why I want to challenge it.
Quincy Collins
Right.
Jeff Stedman
So it's not just those 17. That impact to those 17 has a ripple effect into a supply chain that causes an impact there. And I would hazard a guess that there are more than 17 that were impacted because of a single cybersecurity event.
David Spark
I'm not arguing this is literally doors closed because of a cybersecurity incident. No question that companies get impacted.
Jeff Stedman
Right, right, right, right.
David Spark
Yeah.
Jeff Stedman
And so I completely agree with Quincy that you need to communicate candidly to the business about risk. That's more important. And there are times that the business is going to look over and say, all right, we'll accept this particular risk, and you need to understand that risk and where you should be allocating your funding to then secure the environment.
David Spark
It's time for this week's security tip. This week's AI infused security operations tip is sponsored by Anvilogic.
A truly mature SOC doesn't exist solely to react to threat alerts. It must also actively hunt threats down. This is a shift from reactive to proactive. And this is exactly where AI shines. Since it's capable of analyzing enormous volumes of telemetry such as logs and endpoints, network data and cloud events, AI is best suited to uncover weak or hidden links that no analyst could ever find manually, at least in a timely fashion. AI pieces together relationships across systems, correlating indicators that appear harmless on their own, but which form a pattern when they are seen together. A series of low level authentication anomalies might go unnoticed by busy humans, but when they are spotted and connected, that's where they could reveal lateral movement in progress. AI fueled hunting transforms seemingly random noise into investigative leads. Human expertise still guides the process. They're not redundant. Humans are best at deciding which anomalies to pursue and which to dismiss. Your SOC can build hunt libraries which are informed by AI insights and which continuously learn from successes and false positives, allowing you to keep your eyes on the horizon as well as the ground right in front of you.
To learn more about saving costs and optimizing analyst capacity with a hybrid SIEM and data lake, go to anvilogic.com.
It's time for the audience question speed round.
All right, I have here in my hand a series of questions that I've gotten from many of you and we've actually got a good amount of time, so I think hopefully we can get through a lot of these. And this first one is quite interesting. I learned this from Richard Rushing, who's here in the audience right now. He's the CISO over at Motorola Mobility and they have Copilot running in their environment. And he just had Copilot volunteer. He didn't ask for this, volunteered this very information. It said to him, you've been working a lot, you deserve a raise. My question to you is, how dangerous is this? That Copilot volunteered this to him and I'm sure possibly his team as well. How dangerous is that?
Jeff Stedman
I think it's really dangerous if you're not classifying your data accordingly and maintaining those controls where Copilot has unfettered access to information like, okay, so they know.
David Spark
His salary, they know how hard he's working, he knows maybe what his salary may be compared to other CISOs, things like that.
Jeff Stedman
Yeah, that's certainly a challenge. I wonder, did you take more time off?
Quincy Collins
I think this highlights the fact that the risks don't just lie with information security departments or information technology departments. It goes to the business units, it goes to HR, it goes to general counsel, your legal department. So AI technology usage of whatever systems that you're utilizing, it actually encompasses the entire business. So many more people should be in the conversation about technological risk, whether it's AI or otherwise, rather than just information security. So, yes, it is dangerous. AI is watching. Right.
Jeff Stedman
There's a level of education that needs to occur with the entire business to ensure that you're secure.
David Spark
Well, these types of questions could be wake up calls like, oh, maybe it should be. We maybe have to tighten this thing a little bit. All right, here we go. From Matty Keen of Kforce asks, are you seeing fraudulent candidates coming through for jobs? And if so, how are you handling it?
Quincy Collins
Fraudulent candidates? I mean, what's the definition of a fraudulent candidate? Right, so are they in a location that is unexpected? Are they working multiple jobs at the same time during the same hours? There's a movement behind that. Or are they in an adversarial nation that is potentially looking to infiltrate your environment? So there's a lot of different aspects of a fraudulent worker. And you know, you have to have strong HR controls. You have to.
David Spark
So. But are these conversations you're having with HR? Like, okay, so that's good. So you are. So you can see this kind of stuff if it's coming in, you can.
Quincy Collins
Only see what you're aware of. So there's always going to be a residual risk of someone, some candidate or some group slipping through. But I think it's just important for organizations to have a plan for vetting applicants as they come in. And you know, what does that new hire onboarding process look like. Right. There are currently laptop farms that are in different states and people being paid to wiggle the mouse, so to speak, and log in so that individuals from other countries can actually work in US organizations. And it's quite scary actually. And it's just like having a physical security breach actually, and maybe even worse. Right. They could exfil your data and then try to sell it back to you. So you're only as strong as the controls that you have. So you have to do the best that you can and communicate that risk. And hopefully your process is going to pull up a flag at some point during that process.
David Spark
Let's go to the next question for you, Jeff. I like this question from Malka Bondar of Fira Global. How do you define sensitive data?
Jeff Stedman
I actually don't get to define sensitive data. That's really up to the business, right.
David Spark
From that aspect, have you ever had this where they go, all my data is sensitive? I'm sure you've heard that line.
Jeff Stedman
I think everyone in the room has heard that particular.
David Spark
Then you kind of don't. You have to act like a Sherpa or a guide going, all right, what is the concern of this data? What's the concern like, do you have to kind of work them through it?
Jeff Stedman
Yeah, I think it's a consensus of stakeholders too. Right. So if you look at a particular segment of the business, depending upon who you're talking to, everyone thinks that their data is special.
David Spark
Right.
Jeff Stedman
And a portion of that data is certainly special. You really need to tie it back to the business value.
David Spark
All right, quick, how do you define sensitive data?
Quincy Collins
It's defined by the business, it's defined by the system owner, the data owner, and it's your job to make sure that it aligns with the data classification policies that you have and different laws and regulations associated with the data that you're attempting to protect. I think that's the most important part. And then that will flow down to your data loss prevention policies and data tagging, all of that.
David Spark
All right, I like this question from Amy Cheney Citi right here. What security strategies or just pick one, are you abandoning because they do not work anymore? Maybe they worked at one time, but hey, it's not now. What do you think, either one of you?
Quincy Collins
I think the old strategy of defense in depth is going to remain. It keeps getting repackaged over and over again. Now it's zero trust, but I think confidentiality, integrity and availability defense in depth, those old school information security definitions and frameworks. If that's what you want to call them, are going to continue to be repackaged as we move forward.
David Spark
Forward.
Quincy Collins
We're just going to put different technology, new technology, and new, innovative ways of securing our systems and data and enclaves moving forward. So I'm not abandoning anything because I think it's a lesson that you learn with each thing that you do. You just keep it in your back pocket. You never know when it might be useful. Got to use that 10 millimeter wrench at some point.
Jeff Stedman
Yeah, it's expanding, I think. So everything you said. Yes, ditto.
David Spark
Right.
Jeff Stedman
I think the component is that you're adding on, you're taking a different context to talk about data, specifically to protect the data versus just your perimeter, just a host, and then you're moving into that identity space. I need to protect the identities, whether that's an actual human account or maybe it's an agent for AI and their identity.
David Spark
All right, very last question from Richard Greenberg, who is running the whole show here with the ISSA. We love Richard. Let's hear it for Richard. There he goes. All right, we're closing with this question. I love this question. I mean, the discussion of AI is incessant. It's nonstop. It's painful. I'm interested to know what are actually the AI risks you discuss with the C-suite.
Jeff Stedman
Really, it's across the business, Right. So if you're looking at AI, you have to look at it from the user context, how you help the user, how you defend the environment, how you can sort of support the business to grow, all those aspects. There's not a single technology that I think is coming out today. Your refrigerator will have AI built in to let you know that you're not quite out of milk yet, but it's almost expired to think about it. So really, it's looking at each aspect of that business and how AI can either assist it moving forward or be a detriment if you're not careful with how it's implemented.
Quincy Collins
I agree with Jeff's sentiments. I would just add that security architecture is really important when it comes to any application, whether it's AI or otherwise. Where is that data going? How is it stored? What logging is associated with the tools? Is the data being utilized to train other models? Is it accessible by other entities? Are they sharing that data out with third parties? Are they selling it? There are a lot of questions that you have to ask when implementing AI technologies. But at the same time, you want the implementation and onboarding and procurement of technology to be smooth. You don't want to take too long reviewing things. So you want to make sure that that process is as quick as can be, but also as thorough as necessary to protect your organization.
David Spark
Well, that brings us to the very end of this episode. Let's hear it from our guests on stage. Jeff Stedman, Deputy CISO over at Corning Incorporated. Also Quincy Collins, CSO for Sheppard Mullin. I'm David Spark. I also, let's hear it for our sponsors, Adaptive Security, next generation security awareness. Remember adaptivesecurity.com. And DropZone AI, AI SOC analysts that never sleep. Remember, go to DropZone. And remember, when you go to either one of their sites, let them know you heard about them from the CISO series. I want a huge thanks to the ISSA LA chapter for inviting us again for the fourth time. Thank you so much for bringing us here. We really appreciate it. We love coming here. This is definitely a great crowd. Fantastic. So kudos to all of you for coming. Kudos to our guests, kudos to our sponsors and keep this wonderful cyber community in Los Angeles going. Let's hear it for you. Thank you very much. As always, thank you for listening and contributing to the CISO Series podcast.
That wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a course question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly at David@cisoseries.com. Thank you for listening to the CISO Series podcast.
Host: David Spark
Co-hosts: Jeff Stedman (Deputy CISO, Corning Incorporated), Quincy Collins (CSO, Sheppard Mullin)
This live episode from Los Angeles delivers an engaging roundtable of CISOs and security practitioners. The panel dives into critical discussions around the practical impact of AI on cybersecurity careers, how leaders should balance technical and leadership skills, hiring philosophies, and the realities behind industry hype. With a live audience and interactive games, the conversation covers learning paths in security, leadership myths, creative approaches to problem-solving, dangers and debates around AI, and the ongoing quest to balance business needs with security risk.
This episode was lively and conversational, featuring playful games and practical, hard-earned insights. The atmosphere was welcoming but candid, often poking fun at industry cliches while imparting actionable leadership, hiring, and operational wisdom. The consensus: AI brings new tools and new risks, but foundational understanding and human context remain irreplaceable. CISOs can't (and shouldn’t) do everything, but asking the right questions—and hiring for attitude and adaptability—remains their superpower.
For more episodes or to participate, visit cisoseries.com.