David Spark
What I love about cybersecurity. Go.
Kilik Kutler
What I love about cybersecurity is that it forces us to reinvent ourselves every few years. Very few professions demand that level of evolution. The threat landscape changes, technology shifts, business models transform, regulation evolves. And if we are doing the same job the same way, two years later, we are already behind. Cybersecurity doesn't reward comfort. It rewards curiosity.
David Spark
It's time to begin the CISO Series Podcast.
Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series, and my co-host for this episode is one of your favorites. I said this to the other co-hosts. He did not like "one of the favorites." He wanted to be the favorite. But I'm calling you one of the favorites because you are. It is Andy Ellis, the principal over at Duha. Andy, say hello to the audience. So every show, Andy tries to do a different language. I think you've done Hebrew before, haven't you?
Andy Ellis
I've done Hebrew before, but in honor of our guest who speaks Hebrew, I figured I would, you know, revert back and do Hebrew again.
David Spark
That makes sense. All right, well, we'll introduce him in a second. Just hang tight. We're available, by the way, audience, at cisoseries.com. If you do not spend every single day there, at least four hours a day, you're definitely not getting your appropriate daily dosage. Our sponsor for today's episode is Vanta. Spectacular sponsor of the CISO Series. They've been that way for years. Automate compliance, manage risk, and accelerate trust with AI. That is Vanta. We're going to be talking about that a little bit later in the show. But first, Andy, we are just a few weeks away. And any of our listeners who are in Boston on April 30, you and I are doing a live show at Aqueduct Technologies' offices in Canton, Mass. We've done live shows, or one live show, in Boston before. We get to do another one. And you've been at this venue before?
Andy Ellis
I've been at this venue. It's a fantastic venue. I might have to head down early and drop by Gillette Stadium. Cause it's literally like two towns away.
David Spark
So what can you do just hanging out at Gillette Stadium?
Andy Ellis
Well, I can go have lunch. There's a whole shopping mall. There's Patriot Place there. You can go and go to the pro shop and get some things. And I'll have to check to see if anything else is happening on that day. I can usually find somebody to bother.
David Spark
Well, I'm sure people enjoy getting bothered by you. Anyways, it's a fun event. April 30th, you can just go to the events page on cisoseries.com, you can find the registration button. Go ahead and register. What it is is you show up at 5 o'clock. We're doing a live show at 5:30. After the show, which is just 45 minutes long, there's networking, drinks and food from our good friends over at Aqueduct Technologies. So please, please come and join us. All right, let's bring our guest on. Let me just say this has been a long time coming trying to get our guest on, and we also had technical difficulties beforehand. So we have gone through mountains to get this recording with this person and we are thrilled we finally are able to do it. It is the SVP, CISO and IT over at the Expedia Group, none other than Kilik Kutler. Kilik, thank you so much for joining us.
Kilik Kutler
It's a real pleasure. You know, I'm a big fan of your podcast and, you know, I was waiting a few years for the invite, so thanks for reaching out eventually.
David Spark
David, wait a second. I sent the invite a long time ago. We've been working on this for a while.
Andy Ellis
You know, it's one of those roads that's really hard to travel, David. And maybe we should have consulted with somebody in the travel industry.
David Spark
That's what we should have done.
Kilik Kutler
Yeah.
David Spark
Why has this topic suddenly become the center of attention?
Is quantitative risk management, or QRM, an ice cream solution? Something that solves your craving for hard numbers but provides no real value. Now that's the take from a recent post from Dr. Sam Lyles, interim CISO at Blue Cross Blue Shield of Massachusetts, who argued that QRM is, quote, a gigantic self-serving con. Whoa. End quote. Designed to make decision makers comfortable with acceptable ruin rather than actually securing anything. He argued QRM forces CISOs to abandon engineering rigor and become, quote, Wall Street wannabes, because boards are too lazy to learn basic cybersecurity. Yet the CMO and General Counsel never have to dumb down their specialized language. This inevitably leads to incremental fixes that push technical debt down the road. So, Andy, we'll start with this. I know you have some passionate feelings about this. Is QRM really just about pushing paper? And if so, how do we connect security to things the business cares about? And can you actually slap numbers on it?
Andy Ellis
So I love Sam's comments. I think he went a little overboard on some of the things he said, because I've been in boardrooms as a director, and yeah, the CMO and General Counsel do actually also dumb down what they're talking about. But QRM, I'm in complete agreement. I think there's a lot of folks who really don't understand what good quantitative risk analysis is, which is really just being able to look at multiple different risks in a quick comparative fashion and say, hey, like, it's not just my gut, but there's some data here. The challenge is all the data is made up, even the things we're like, oh, the average cost of a breach, but that's not your breach. This is like semi-actuarial data you're using in weird ways. I've done lots of rants about this. Anybody who wants to grab a copy of the free ebook on howtocso.com about risk, I talk about QRM there. The biggest challenge is, I think it really is people who believe that if you just throw enough hard numbers at things, decisions will make themselves. And that's really the hidden problem of QRM. It's not the process of analysis. It's this belief that at the very end you do not have to make decisions subjectively, that the algorithm will make choices for you, which is completely flawed and doesn't match how any businesses operate.
David Spark
All right, Kilik, we actually had this conversation just yesterday in a recording that we did. And actually the argument wasn't that it was BS, which is what Sam believes, but that it was actually a gold standard that was difficult if not impossible to achieve. What are your thoughts?
Kilik Kutler
So I'm more or less aligned with Andy here. I come from a deeply technical background, and in today's world, especially with AI, cloud and identity-centric risk, a CISO must understand technology at the same level as the CTO or product leaders. That's not negotiable. But here is where I feel QRM becomes powerful. It's not about replacing technical depth, it's about aligning that depth to enterprise priorities. QRM forces a critical conversation that many organizations avoid. Let me give you an example. What is our risk appetite? How much risk are we willing to accept to pursue a specific business objective? Because at the end of the day, every growth decision carries risk. And if leadership hasn't explicitly defined acceptable risk tolerance, security ends up operating in a vacuum, setting guardrails based on its interpretation of what is secure. And it makes our job to be perceived as a technology and business partner even harder. And here is the even deeper issue. Security has always struggled because it speaks in vulnerabilities, not in impact. The CMO talks revenue, legal talks liability, finance talks capital efficiency, and if we refuse to translate into those dimensions, we just isolate ourselves. So quantitative risk management, when done properly, helps create a shared language. It allows the board and executive team to say we are comfortable with this level of exposure, we are not comfortable with that one, this initiative is worth the risk, that one isn't. And once that alignment exists, security can design controls proportionally. Without that clarity, security defaults to maximum caution, and that can create friction, and in reality that will hurt the business. So I don't see QRM as paper pushing. I see it as a good tool to connect engineering discipline to business intent.
David Spark
All right, Andy, do you want to have a final word on that?
Andy Ellis
I think I agree with the second half of where Kilik went, which is without the right conversations, security is trying to make risk choices that don't match the business. I've never seen QRM force that right conversation, but that conversation has to happen. I've found that talking about unacceptable losses, which QRM can help you get to that language, but it's a very different set of language, is often really where the business wants to be.
David Spark
What's the starting point for a ciso?
There's no such thing as a good market in security anymore, only markets where you have a meaningful advantage. So argued Ross Haleliuk of Venture in Security on LinkedIn. The moment one person has an idea, there are 10 companies trying to do the same. We have seen VCs do this. What matters isn't picking the right category. It's whether you have deep intuition, lived experience, unique insight or distribution advantages. Now this echoes VC Chris Sacca's question for startups. Quote, what's your unfair advantage? End quote. Not what's your differentiator? So as a CISO evaluating vendors, which I'm assuming you do, Kilik, how do you spot which startups actually have an unfair advantage versus those who could be ignored by the market? Like, what are the telltale signs?
Kilik Kutler
I guess, yeah, I will say five different things, and maybe it's a lot, but for me it's extremely important. The first one is they need to understand the problem operationally. Not the polished pitch deck version, the messy one, the real-world version. What happens at 2am, where alerts break down, where teams are overloaded. If they speak from lived experience instead of buzzwords, you can feel it immediately. Second, they need to tailor their value proposition to the business. The great ones don't deliver the same pitch to every organization. They understand that a global enterprise, a mid-sized company, a financial services company, a health or a travel and hospitality one have different priorities and competitive realities. If your solution sounds identical in every room, it's not customer-centric, it's product-centric. And that's not what I'm looking for. The third one, they need to reduce friction. Security teams do not need another dashboard. We need leverage. If adoption requires ripping out half of the stack or creating organizational drag, it's not sustainable. Great vendors integrate naturally into workflows and make teams more effective without adding noise. The fourth thing is data gravity, and that's really important, especially today. Do they have a proprietary data source or feedback loop that compounds over time? If their product gets smarter only because OpenAI gets smarter, that's not durable. If it gets smarter because of unique telemetry or customer-specific insight, now we are talking. And finally, it's really important they understand budget cycles, change management, audit implications and long-term support. They are not trying to win a demo, they are building durable partnerships. They think beyond the sale. And here is the uncomfortable truth, Andy and David, at least in my experience: most startups don't lose because they lack innovation. They lose because they underestimate operational reality inside enterprises.
So when I evaluate a vendor, I ask myself, does this team have insight into my challenge that others don't? Can they truly partner with us for the long term? And I also ask something more practical. Am I just another logo for their slide deck? Their first major enterprise deal to showcase in a press release or brag about in front of their board? Or do they genuinely understand that working closely with my team, learning our environment, supporting us through real operational challenges, will create long-term value for both of us?
David Spark
All right, I want to say something to our listeners. We have a transcript of our episodes. You're going to literally copy and paste everything that Kilik just said and you're going to put it up on your wall and you're going to pay attention to it. Andy, what are your thoughts?
Andy Ellis
I mean, I'm 100% with that. I might rephrase a couple of them. I think Kilik's fourth point is really about the network effect, right? Do you have a network effect where the bigger your network of customers grows, the better your product is? And if you don't have that, then you're ripe for disruption, right? But the companies that are like, oh, once we get to 100 customers, the 101st customer is getting a 20% better product and the thousandth customer is getting a 40% better product, like, that is huge, because that's how you build functional monopolies, where the value to price is increasing as your customer base grows. So that's huge. And the first thing is what I like to think of as an unjust advantage, not an unfair advantage. And I like the word "just" because the most dangerous phrase I've ever heard in technology is people who say, why don't you just do X? And there are so many problems where the "just" answer is wrong. And if you understand that and you can build the solution that nobody else is going to think to build because you truly understand the problem, you're deep in the operational realities, you know that the naive solution will not work, that gives you an unfair advantage because you actually are solving the real problem, not just the sort of surface skin problems. So those are sort of the two things I would rephrase, but I think Kilik actually covered everything in there. And his sort of final point, which I think was woven into point three as well, is you actually have to know how to run a good company. A lot of startups are not running good companies.
David Spark
Yeah, we always forget that it is also a business after all.
Andy Ellis
Yeah, yeah.
Kilik Kutler
You know, over time you learn when you are another logo or when you are extremely important. And this is a really important point for founders. You know, working with smart teams in complex, fragmented, real-life companies and organizations will bring them to the point that they are actually ahead of their competition. You know, and this is the value that I'm always trying to work on with the founders and with the leadership of companies. I know that the sales rep wants, at the end of the day, the paycheck. But again, you know, if you understand the value, this is a good partnership.
David Spark
Well, before I go any further, I'm going to tell you about Vanta. And if you are not clued in, and even if you are only partially clued in, listen to this. No, it's not your imagination. Risk and regulation are ramping up and customers now expect proof of security just to do business. We've heard this a lot, especially from enterprises as well. So that's why Vanta is a game changer. Vanta automates your compliance process and brings compliance, risk and customer trust together on one AI-powered platform. So whether you're preparing for a SOC 2 or running an enterprise GRC program, Vanta keeps you secure and keeps your deals moving. Companies like Ramp and Writer spend 82% less time on audits. With Vanta, that's not just faster compliance, it's more time for growth for your business, because you do not want to spend all your time on compliance. You want to get started with this. I'm going to give you a website and it's going to be a very specific one. Vanta.com, you know that, but add the CISO: go to vanta.com/ciso. It is the easiest way to let them know that you heard about them from the CISO Series. Do me a favor. vanta.com/ciso. Go check them out.
It's time to play What's Worse?
Kilik, I believe you are familiar with how this game is played.
Kilik Kutler
Indeed, yes.
David Spark
All right, I've got a good one. I like this one. I make Andy answer first. This comes from Dustin Sachs, who has sent us lots of wonderful ones. He's with Cybercog Labs now. And here you go, Andy. It's going to be two different kinds of CEOs. I'm going to ask you which kind of CEO is worse. Is it the CEO who wants zero risk or a CEO who believes cyber insurance will replace security? Which one is worse?
Andy Ellis
That's a really fascinating two things to look at. And I'm trying to figure out what the CEO who wants zero risk means. Cause like, do they want you to tell them there's zero risk, or do they want you to actually try to implement to zero risk?
David Spark
Well, but this is like, and I remember asking this question on camera long before the CISO series, which was, what do you say when the CEO says are we secure?
Andy Ellis
Right? Like, that's the thing. CEOs will always ask you to say you're at zero risk, but they don't actually intend for you to go implement what it would take to get anywhere near there, even though you can't. So I'm trying to figure out, is this the CEO who wants you to tell them there's zero risk, or is this the CEO who basically is like, go spend whatever you need to eliminate risk?
David Spark
Oh, it's definitely not that. It is definitely not the second one. I mean, if it was the second one, there'd be, you know, so let's just.
Andy Ellis
Let's just be honest. There's the CEO who wants you to basically say, look, we got everything covered. And there's the CEO who's like, look, I don't need you. I'm just gonna have insurance. So I'm gonna say that one's worse because I don't have a job under that one.
David Spark
That's a good point.
Andy Ellis
I have a job under the CEO who wants me to tell him that there is zero risk. And presumably he's not saying zero risk with zero budget. Like, I at least have a normal-ish security budget, but probably hard to get incremental budget because he's always saying, but you've covered everything, right? So why do you need more money? Or she, let's be honest, could have a female CEO who's equally blind to crazy risk here. So I think I'm gonna go with the second one simply because.
David Spark
Just because you wouldn't have a job,
Andy Ellis
I wouldn't have a job there.
David Spark
That's a good point.
Andy Ellis
That's probably a worse outcome for the business. If you replace cybersecurity entirely, you are just going to get breached. Good luck getting your insurance paid out the second time. Whereas in the first one, you still have a security program.
David Spark
Well, okay. We're gonna assume that insurance will cover you if you have no protections at all whatsoever. Which they would. Not at all.
Andy Ellis
They wouldn't. But after you pay out the first breach, their insurance premiums are going to go up the following year. Like, those are not static. So I will violate the near rule slightly and just say, you can't keep buying cyber insurance at some point, or you might not even exist as a company. So, rambling.
David Spark
No, but good rationale there. I thought it was interesting. I'm interested. What do you think of this one? Which one is worse? They're both pretty bad.
Kilik Kutler
Yeah. Not bad. It's like double-down bad. Going into Andy's comment, and I know that Andy is always making it difficult on the CISOs, but, you know, let me now make it harder on you. You said, I will not have a job, so I will go with the insurance, with the cyber insurance policy. And I would say, do you even want to work for this type of company, where they think cyber insurance will do that job? Not necessarily. Right. So this is not really the intent here. Right.
Andy Ellis
Certainly not. Like, just to be clear, that is half a joke there. There's no cybersecurity program, so whether I want to work there or not doesn't matter.
David Spark
Yeah, well. Well, it's this. It's this CEO who believes cyber insurance replaces security. So you may not have a security department at all. Yeah.
Andy Ellis
Right. So I think, to apply the near rule to this one, I think we have to say you end up being a CISO without a team and without budget, but you can't quit because you're not allowed to change the situation.
David Spark
Right.
Andy Ellis
So you have a job, but you don't actually have a functional program, because every time you try to spend money, they take it to go buy a cyber insurance premium.
David Spark
But in the first scenario, you're gonna have a CEO who will never be satisfied.
Andy Ellis
No, I actually don't think it's a CEO who will never be satisfied. I think it's a CEO who's gonna require you to lie to them, and they're not gonna give you incremental budget. Cause otherwise, we would all love that. If they're like, oh, every time you say there's a risk, they'll give you money to go deal with the risk. Like, that's not a bad problem.
David Spark
That would be wonderful.
Andy Ellis
In the spirit of it being a bad problem, they don't give you money and they refuse to listen to new risk because they insist that you say risk is covered.
David Spark
All right, well, I still have not heard from you, Kilik. Where do you land?
Kilik Kutler
I will take it differently, pivot-wise. First of all, I'm fortunate to have worked for amazing CEOs throughout my career.
David Spark
Yeah. By the way, when I read these, I'm not saying, by the way, that this
Kilik Kutler
is your company, of course, but it's very important for me to mention, and I was fortunate. But I would go with the first one being worst.
David Spark
Oh, okay.
Kilik Kutler
I think the first one is more strategic than the second one. The first one means a CEO that thinks we want no risk in security probably will want no risk anywhere else. And on a strategic level, you have risks everywhere. You have legal risks, you have security risks.
Andy Ellis
It's how you make money.
Kilik Kutler
It's how you make money at the end of the day. So this is strategic. It will not be only around security. It will be across the board. So probably they will not be as successful as maybe they could be. The second one is related to security. At the end of the day, you know, security, I'm a CISO, it's extremely important. But again, this is strategic: no risks whatsoever across the board. And this is cybersecurity, you know, let's go with insurance. Whether it's complementing the cyber program or replacing it, very, very bad. But less strategic than let's have no risks whatsoever.
David Spark
Kilik has a good answer there, Andy.
Andy Ellis
I do actually like that answer. It's a good one. I'll accept that as a good way to disagree with me.
David Spark
I'm glad you accept that.
Andy Ellis
I've had people disagree with me just to disagree, which is, I think, where Kilik started. But he was actually able to parallel construct a way to interpret the scenario that made sense.
David Spark
I think Kilik has a better answer than you do. Although your answer is good because you are out of a job.
There's gotta be a better way to handle this.
Quote, the greatest risk isn't replacement. It's the abdication of our values. End quote. Karen Pfeiffer of Pythian recently argued that in our rush to automate, we're outsourcing not just tasks, but ethical judgments to systems that have no concept of ethics. Given that AI is trained on biased historical data, when it makes a decision, it doesn't just replicate human error, it can scale and harden that bias with terrifying efficiency. Pfeiffer argues the classic human-in-the-loop model can't scale. Instead, she proposes Humanity in the Loop, a three-layer framework embedding human values at every stage. A values layer for strategic governance, a context layer for monitoring inputs and performance, and a judgment layer for high-stakes decisions. This is a very interesting take. It's an interesting take on Isaac Asimov's I, Robot rules of robotics here. So, Kilik, do you agree with this? And if so, how would you actually operationalize this?
Kilik Kutler
So, yeah, I agree with the spirit of what she's saying, but I'd frame it slightly differently, with your permission.
David Spark
Sure.
Kilik Kutler
I think that the real risk isn't that AI replaces us, it's that we stop being intentional about what we encode into it. AI doesn't have values. It reflects incentives, data and guardrails. And so the danger isn't abdication to machines, it's abdication of governance by humans. And she's definitely right that classic human in the loop doesn't scale. You know, you can't put a person behind every AI decision if you are operating at platform scale. That's not oversight, that's practically a bottleneck. Where I strongly agree is that values must be embedded upstream. But operationalizing humanity in the loop requires discipline in three very practical ways. The first one is governance. Before deployment, you need a clear AI risk appetite, defined unacceptable use cases, and executive accountability. If no one owns the model's outcome, you don't have governance, you have experimentation. The second thing is instrumentation and monitoring. The context layer she mentions is really about measurement. It means putting the right telemetry in place, monitoring for bias, tracking model drift, and using explainability metrics to understand how decisions are made. You don't evaluate ethics abstractly, you evaluate outcomes using data. And the third, escalation design. High-stakes decisions must have defined breakpoints where automation pauses and human judgment re-enters. Not randomly, intentionally, especially in areas affecting financial harm, safety or rights. So the key insight is this. In my opinion, you don't scale ethics by adding more humans. You scale ethics by encoding clear principles into system design and continuously validating outcomes against them. AI will absolutely scale bias if left unmanaged, but it can also scale consistency, fairness and access if governed properly. So I don't think the future is human in the loop or humanity in the loop.
It's disciplined governance in the loop, because values don't belong inside the model, they belong inside the institution deploying it.
David Spark
Kilik, that was again phenomenal. Andy, what are you going to add to that?
Andy Ellis
Well, I think I'm being replaced by Kilik instead of an AI at this rate.
David Spark
I believe you are right now.
Andy Ellis
So I read the whole essay here and I am underwhelmed. I'll be very honest. I think there's a lot of flaws in this approach. Like, high level, there are not bad ideas to think about this. But just to put in here two sentences that jumped out at me. One from very early on, where she talks about, you set up an AI ethics and strategic governance board with HR and legal and engineering leaders that will, and I quote, debate and codify the organization's values and ethical red lines before a single line of code is written. And then at the very end of the essay it says, building a robust framework for human oversight is not about putting the brakes on innovation. And I don't think these two sentences can coexist. Like, I don't think you're going to be able to get HR and legal, let alone everybody else, to agree on the red lines about values and ethics, like, at any point within sort of finite time. Like, the heat death of the universe might come first. But here's sort of one of my. I've got several problems with the way a lot of people are approaching AI and historical data. First of all, the world is inherently biased. Let's just start with that. Like, tall people have certain advantages. Physically strong people have certain advantages. Like, there's a lot of bias in the world. That is a natural description of what's happening in the world. And a lot of people assume that that means that's something you can just eliminate, which means you're going to add more bias in. There is no such thing as de-biasing. It is just more biasing. And so anybody who starts from an approach where they're very rigidly focused on that de-biasing, I start to worry, like, what outcomes are you actually aiming for? And that should actually be our conversation. We should not believe that we can build de-biased AI. We should figure out, like, what are your ethical rules? What are you trying to establish?
And I jump back to a thing that was really popular, like, almost half a decade ago. It was called the Moral Machine. And it was this program I think MIT researchers had put together that gave you a set of scenarios. You were an autonomous vehicle, and you could either, like, remain in the road you were on or, like, change lanes. And sometimes you would run into a barrier, sometimes you would run into people. And it would give you a scenario like, there's people in this crosswalk, there's people in that crosswalk. There's people in your car. There's people not in the car. And then at the end, it would tell you how biased you were based on who you chose to kill. Because you could only pick, like, I go this way or go that way. If a car hits people, people die. If a car hits a wall, the car dies. And I had a very simple rule, which is the vehicle should, if there's a choice to not kill humans, not kill humans. Failing that, the vehicle should protect the humans who are in the car over humans who are not in the car. Failing that, it should protect humans who are following the law, not jaywalking, over ones who are not. Like, really sort of simple, like, here's my hierarchy of rules. That wasn't in their model. So they kept telling me things like, oh, you're biased against, like, you would rather kill women than men. Because it gave me five scenarios in which, like, that was the underlying thing, was that all the women were breaking laws or were doing things that put them into this problem. And then I'd take the test again, and it would give me the exact opposite result. And this is where we need to focus on our data analytics when we think about AI: where are there simple metrics that AIs are going to learn from and say, oh, I should filter on race, because that's simple, when the real answer is no, you're filtering on economic status, and there's a bunch of things about racial data tied to economic status.
And if we're not going to have those conversations, then we shouldn't be bothering having these conversations at all.
David Spark
Is AI going to help us or hurt us?
Quote, we keep talking about AI alignment, but we can't even align our teams, end quote. How are we supposed to make sure AI is doing what we want when we can't even manage the people around us? So argued Joshua Copeland of Crescendo. So this is a good tag to our last segment. Product teams optimize for velocity, while security optimizes for control. Marketing wants data exposure. Legal wants data minimization. They're all misaligned because they have varied objectives (I've seen this happen all the time) and therefore are measured differently. Security is rewarded for saying no, engineering for shipping now, and compliance for documenting later. So he warns that training AI models on our own organizations will just make them masters of office politics. I love that. That's great. Must we solve human alignment before letting AI run loose? We were just essentially talking about this; it's a really good tag to this, Andy. Or is it okay for AI to operate in our misaligned departmental models? What do you think?
Andy Ellis
So I love almost everything about this whole lead in.
David Spark
In paragraph.
Andy Ellis
Like, there's so much quotable there that I kind of want to go back to. I think my favorite was "product teams optimize for velocity while security optimizes for control." And I think there is a place for that. I think we do actually want to have Byzantine AIs. I think the model of saying you have one AI that makes decisions is a bad model. In every decision, you should have a designated AI whose job is to say no, to say, okay, we're looking at doing this. Why shouldn't we? Because that's good human practice, right? The concept of a pre-mortem, which we've talked about on previous shows, where you say, what could go wrong? We want to train our AIs to ask that question. And so maybe actually training AIs on office politics isn't a bad approach. Now, maybe we can make them more idealized, but have a world in which, before we make a decision, there are AIs that are like, here's how to do it the fastest, here's how to do it the safest, here's how to not do it. And then synthesize to get to a better answer. Rather than trying to have humans only get one answer, maybe we could have AIs actually play out the arguments and make better choices by exploring more possible futures than humans are capable of.
David Spark
All right, what is your take, Kilik, on this?
Kilik Kutler
I'm aligned with Andy and less with the quote or the article. I think that we don't have alignment problems because people are dysfunctional. We have alignment tensions because incentives are just different, and to some extent they are supposed to be. Product should push for velocity. Security also needs to push for velocity, but we want to do it a little bit more responsibly. And legal should push for risk minimization with regulatory constraints in mind. So the tension is healthy. It's how organizations avoid blind spots. So the problem isn't misalignment. The problem is undefined prioritization when trade-offs happen. AI doesn't require perfect human harmony. That's unrealistic. If we waited for that, we'd never deploy anything. What I feel AI does require is clarity at the enterprise level about how conflicts get resolved. If growth and privacy conflict, which wins? If cost and resiliency conflict, which wins? If that hierarchy isn't defined, AI will optimize for whichever signal is loudest in the data. And that's when you get weird outcomes. Not because the model is political, but because the organization might be. And we just don't have the right conversations. So no, we don't need to solve human alignment before deploying AI, but we absolutely need to have a clear enterprise-level objective, explicit guardrails and escalation paths for high-risk decisions. AI should not inherit departmental incentives. AI should inherit enterprise priorities. And here is the interesting part. Sometimes AI exposes misalignment faster than a human does. When a model produces a decision that makes everyone uncomfortable, it forces the organization to confront what it actually values. So the real question isn't are we aligned? It's have we decided what matters most when we are not? So again, bottom line, AI doesn't create politics. AI just makes incentives visible at scale.
David Spark
That is a great close to this. Hold it. Wait. Andy, did you want to say something?
Andy Ellis
So I had this realization as Kilik was talking that where AI is going to hurt us is who are ex outside the organization. And when you think about regulators and the ability of people to sort of challenge and bring in an AI weaponizing process from outside an organization where it's not part of your organization, but it's able to affect your organization. Like imagine if you had to deal with every complaint that came in before you could do something and some customer adversary weaponized AI to fill up your inbox with complaints.
Kilik Kutler
Can I add one more component, David?
David Spark
Sure.
Kilik Kutler
So there is one more thing that I hear too often, in my opinion, which I feel needs to be discussed in today's reality: security and product teams must be aligned. Not philosophically, operationally. If security is still acting as a late-stage gate that slows down the business because they're afraid, that's not a product problem, that's a strategy problem on the security side. Modern security cannot afford to be a checkpoint. It has to be embedded from inception. Product needs velocity. That's how the business wins. And security's job isn't to resist that. It's to design controls and guardrails early enough that velocity becomes sustainable. So we are still constantly negotiating. At the end of the process, something upstream is broken. Now, bringing AI into this, AI will not magically fix misalignment. It will amplify whatever incentives and structures already exist. If security operates as a reactive control function, AI will optimize around it. If security operates as a design partner with embedded guardrails, AI will scale that discipline. So we don't need perfect human harmony before AI, but we do need evolved governance. Security must adapt to the speed of the business. Control must be automated, embedded and measurable. And trade-offs must be explicit at the enterprise level. If we continue operating with gates, friction and last-minute objections, the problem isn't AI, it's the security team. It's that our operating model hasn't caught up with reality. AI just makes it much more visible and faster.
David Spark
Thank you again. Two great endings for the show. So thank you. Vermeer. Kilik, that was. I'm going to use a metaphor they probably never use in Israel. You knocked it out of the park.
Andy Ellis
Well, come on, the Israeli baseball team just had like two wins in the World Baseball Classic.
David Spark
Come on. Did they. How often do Israelis use baseball metaphors?
Kilik Kutler
We don't. No, no, no, we don't. We don't have baseball. Now there are some Americans that are.
Andy Ellis
I mean, yeah, it's mostly an American
David Spark
team playing for Israel, but yes, it's an American pastime. But I threw that metaphor in there.
Kilik Kutler
Yeah.
David Spark
Phenomenal job on today's show. Thank you so, so much. I want to thank our sponsor and that would be Vanta. Remember, automate compliance, manage risk and accelerate trust with AI. Go to their website, vanta.com CISO. It's the easiest way to let them know that you heard about them through the CISO series. Vanta.com CISO. I'm going to ask you a closing question by the way, Kilik. But first, Andy, as always, you did very, very well. But I think Kilik shined over you on this episode.
Andy Ellis
He did. I love having a guest who is amazing and gives our listeners somebody to come listen to besides just listening. Listen to the two of us talk.
David Spark
I know.
Kilik Kutler
Yeah. Listen, David, I prepared.
David Spark
Yeah, we could tell. Thank you. So we love guests who prepare.
Kilik Kutler
You know, I'm a big fan of the show and you know, I knew that I cannot come without preparing in advance. And you know, it's, it's Andy and it's you and I enjoyed it greatly. So really, really highly appreciated.
David Spark
Well, we would love to have you. Let me ask you a quick question. Are you hiring over at the Expedia Group?
Kilik Kutler
Yes.
David Spark
All right. So. And our listeners can, if they're interested, they go to the job board on Expedia Group. If they're interested in a position, they can reach out to you via LinkedIn. We will have a link to your profile on the blog post for this very episode.
Kilik Kutler
Absolutely.
David Spark
Excellent. Well, thank you very much again, Kilik. Thank you again, Andy. And thank you to our audience. As I always say and I always mean, and I'm not going to go into the earnest voice as I was doing before. I'm just going to say it straight up. We greatly appreciate your contributions. And for listening to the CISO Series podcast. That wraps up another episode. If you haven't subscribed to the podcast, please do. We have lots more shows on our website, cisoseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup, and Cybersecurity Headlines: Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you're interested in sponsoring the podcast, contact David Spark directly@Davidisoseries.com. Thank you for listening to the CISO Series podcast.
Date: April 7, 2026
Host(s): David Spark, Andy Ellis
Guest: Kilik Kutler (SVP CISO & IT, Expedia Group)
This episode dives deep into the evolving challenges CISOs face in a fast-changing cybersecurity landscape, focusing on risk management, vendor selection, AI’s impact on security ethics and governance, and the perennial need for alignment between cybersecurity and business priorities. The discussion is packed with practical advice, critical debate, and introspective commentary from seasoned security leaders.
Notable quote:
“Security has always struggled because it speaks in vulnerabilities, not in impact.”
— Kilik Kutler [08:02]
Takeaway:
QRM, when applied thoughtfully, facilitates essential risk appetite conversations, but is no substitute for sound engineering or executive alignment.
Quote:
“If your solution sounds identical in every room, it's not customer centric, it's product centric.”
— Kilik Kutler [11:54]
Quote:
“No risks whatsoever across the board… it's how you make money at the end of the day.”
— Kilik Kutler [23:32]
Notable quote:
“If security operates as a design partner with embedded guardrails, AI will scale that discipline. So… we do need evolved governance. Security must adapt to the speed of the business.”
— Kilik Kutler [39:13]
Kilik Kutler’s debut on the podcast is marked by thoughtful, well-prepared insights—earning high praise from both hosts. He stresses embedding security upstream, treating vendors as partners, and the necessity of evolving governance to keep up with AI and business realities. Listeners are encouraged to revisit his vendor evaluation framework and to reflect on the importance of strategic alignment.
Hiring Note:
Expedia Group is recruiting for security roles. Interested listeners are encouraged to consult the Expedia Group job board or reach out to Kilik via LinkedIn.
Catch the full episode for more lively debate, expert advice, and real-world cybersecurity perspectives.