A
Welcome to Cyber Leaders with me, Kieran Martin,
B
and me, James Lyne. Now, we're both from SANS, who are kindly.
A
Stop, stop, stop, stop, stop, stop. James, we're both from SANS. I mean, come on. Right, I think that needs a little bit of an update. And what do you do there? Are you the network administrator? What's your role at SANS?
B
Well, you know, part time, I suppose that's technically true, but, yes, I am the CEO, so I suppose technically, no one can stop me from doing the podcast.
A
Ladies and gentlemen, loyal listeners, those of you listening under some form of compulsion. It has been announced recently that James Lyne, formerly with a complicated title at SANS that I can't even remember, is now the chief executive officer of SANS. James, congratulations, madman. Good luck.
B
Thank you very much, Kieran. An absolute privilege. And of course, we shall carry on doing this podcast. It does align rather closely to the SANS mission of making life difficult for cybercriminals and helping security leaders.
A
I'm glad you added the second bit of that mission statement. I was beginning to wonder if you'd stop at "it aligns with the core SANS mission of making life difficult", but, well, you've answered the question all our listeners will want to know, which is that we're carrying on with this podcast. But what will it mean? Is it going to be an address at the beginning? "People of SANS, I bring you cyber." How will this change you, James?
B
Well, I think we should certainly start with the address. People of the cyber community, practitioners worldwide in all forms. Something like that could be ideal, but people seem to like the recipe. Kieran, I think we should largely carry on. I don't intend to suddenly stop being a massive geek.
A
Well, absolutely. I don't think anything will change at all, boss. Right, anyway, so who are you, then? So you're the CEO of SANS, and you normally say something at this point, don't you?
B
I do. So I suppose to get us back on track. More pertinent, I remain a techie, a massive geek of huge proportions.
A
They can never take that away from you.
B
Exactly.
C
It never will.
B
My cold, dead hands. And I have spent my career chasing cyber criminals around the Internet.
A
And I'm now chasing James around SANS. But I'm not a techie. I dealt with cyber security policy and operations in government and set up the UK National Cyber Security Centre. But together, we are now trying to unpack the weird, wacky, wired and wireless world of tech security and all the complicated things that it brings.
B
That's right, Kieran. This podcast is a voice for security leaders. We want CISOs, security directors, and frankly everyone beyond in the cyber security community to build up their knowledge of what works, what doesn't, and ultimately secure their organizations more comprehensively and quickly.
A
Well, it is a good time today, James, with this new and elevated job of yours, this pivotal role in the cybersecurity community, to ask some fundamental questions. And I'm going to start with why are we here? Why are we here, James?
B
So, Kieran, are you okay? Is it getting a bit much for you? You're doing a very good job. Don't worry, you're fine.
A
Thank you, boss. No, no, but it's just to come back to your thing about the SANS mission. You know, making life difficult, pause, for bad people. So I think we need to return to our roots, you know, new boss, we risk straying from the true path.
B
What are you intending for today? Explore how we got here. You're not trying to turn this into one of those history podcasts that you keep trying to bore me with, Kieran, are you again? Are you? Okay?
A
I might weave in a bit of late medieval history, but for now, no. I think our core mission on this podcast, you know, we've had a great time. We've been geeking out on quantum, all sorts of things. I've had my geopolitical fixes over cyber war. But we are a podcast for cyber leaders, born out of the SANS Cyber Leaders network and formerly the CISO network. And it's been a while since we've had any actual chief information security officers on the show, hasn't it?
B
That is very true. I see where you're going now. As I say in every episode, we're a podcast for cyber leaders to help you build knowledge and get better at it.
A
Well, whatever. Yeah, yeah, you said all that already.
B
Yeah, you know the, the line.
A
Yes, but I have a remedy in mind. So we have a CISO today. And not just any CISO. An international CISO of the year. Where are you at the moment, James?
B
I'm actually in France. I'm in the Three Valleys.
A
Are you planning to rule SANS from France? That's very sort of Plantagenet of you. There you go. Got my medieval history reference in.
B
Oh, so slick.
A
I know, it was beautiful, wasn't it? But back to our roots. We are bringing in a CISO of international standing, an award winning CISO. Someone who can bring a properly international perspective.
B
Oh, you can't stop there. I mean, that doesn't do justice. You must have more to say.
A
Of course I'll say more.
B
But you should do the rest in French, I think.
A
No, je ne peux pas. But anyway, our guest today is one of the outstanding CISOs of our time. Brought up in France, where you are now, James. She studied maths and software engineering in the United States and started her career as an ethical hacker there, doing mostly government related work. The Americans were so impressed by this young techie that the company, Security Innovation, sent her back across the Atlantic. Not just to ethically hack Europe, sorry, ethically hack in Europe, but to establish the company there, a sort of reverse Columbus to bring cyber security to the old world. So they sent her to Amsterdam, where she's still based, not just as a hacker, but as a commercial leader. She's worked for a couple of other small innovators in cybersecurity before taking on the first of two massive international CISO jobs. First she was in charge of cyber protection at Ahold Delhaize, one of the biggest food companies in the world and one of the biggest companies in any sector in Europe. And for the last three or four years she's been CISO at Zalando, sometimes called the Amazon of fashion in Europe. A huge and fast growing online retail giant. She is a brilliant presenter. Many of you will remember late last year she headlined a SANS Cyber Leaders summit for us on countering AI enabled threats. She's spoken so eloquently about the sort of commodity threats we've been facing for years, reducing complexity in security controls, and culture in the cybersecurity profession. She also works with me, full disclosure, as a strategic advisor to an investment company in the US, Paladin Capital. And if all that wasn't enough, every year the Dutch CISO and wider cybersecurity community, friends of ours, they get together and they select, very prestigiously, a CISO of the year. And for 2025 they selected our guest today.
B
That is ideal. This is fantastic. So we've got someone who can geek out with me as a mathematician and a software engineer, but in the process can tell all our listeners about the key issues in global cybersecurity. And there's probably some history and politics stuff in there as well for you, isn't there? Well, excellent. You'd better get around to introducing her then.
A
Well, after a very long wait for our guest, I will both welcome and apologize to her for the length of that preamble. An absolute honor to welcome the CISO of Zalando, my dear friend, the brilliant Florence Mottay.
B
Welcome, Florence.
D
Hi, Kieran. Hi, James. It's great to be here. Thank you very much for having me. And James, massive congratulations on your appointment as CEO, I actually feel very lucky to be your first guest on the podcast, you know, since you stepped into the new role.
B
Oh, that's very kind. The pleasure is entirely ours. I think Kieran and I are feeling a little inadequate after all of that introduction, frankly. So we're very excited to have you here.
A
Very, very excited. And we'll finally let you speak now. Sorry about all that, but, you know, it's not every day James gets made CEO and we get to make jokes about it.
D
Absolutely.
B
We shall ask you many questions now, and I'm sure you've got lots of fantastic wisdom to share. So, Florence, let's dive straight in. I mean, thank you again for coming on the show. It is a real privilege to have you. Kieran has summarized your career at his usual excessive length.
A
I don't think summarized is the right word there, but never mind. Carry on.
B
Yes, kind of a generative AI summary. So it just keeps on going and going. Oh, come on, it wasn't that bad. Well, look, for you, I think in your case, it was actually justified. I mean, there's some fantastic accomplishments in there, and it does make it difficult to know where to start. So we'll do the easy bit that we do for all guests. Tell us about your journey into cybersecurity. How did you get started in what was, you know, back then, a relatively new profession? What drew you into it?
D
Ah, well, as Kieran mentioned, I started by studying mathematics and loved it. I can actually say that math was my first true love. And I lived in France at the time, where you are, James, and got the opportunity to go as an exchange student to a university in Florida. Things went well. I ended up meeting a teacher in software engineering, also named James, actually, who had just got two big grants from Microsoft and HP. He offered to sponsor the rest of my bachelor's degree and my master's degree if I shifted to his department, software engineering. So I jumped in. Too good to pass, right? And I worked for him until I graduated. Towards the end of my master's studies in 2001, security issues were starting to come up, and that same teacher, James, launched a startup focused on doing security research for large US government contractors and agencies. He asked me to join. I was employee number seven and I knew nothing about security. The other six employees did, though, and so I had a lot to learn from them. And over just six months after that, I spent literally my nights learning about security and in particular, learning the art of writing exploits. After a few years doing that, as mentioned by Kieran, security became a topic for commercial companies and I was asked to move to open the European branch of that company. So I went from a techie living in Florida to running a small business living in Amsterdam overnight. And I guess the rest is history, as they say.
B
Don't mention history. You'll get Kieran started and continuing.
A
Well, look, the whole story is remarkable, but this bit I do find remarkable. You've made it sound all very normal, Florence, but I am guessing, wild guess, I've never asked you this before. Turn of the century or early years of the 21st century, you're hanging out in Florida, you're doing tech stuff for the US government and all of that. I'm guessing there weren't a lot of young French or indeed other European women or even men hanging around those areas doing that sort of work. You've got the whole tech buzz, you've got the sort of dot bomb, you've got the recovery, you've got the beginning of all sorts of trends in the industry and so forth, and you make it all sound very normal. It must have been a bit weird. How did you find it?
D
So when I started, I was young indeed. It was a really long time ago and the security industry was still very small. I think it was at the time, maybe 100 folks or so. And as mentioned, I was on the east coast of the US in Florida. And in our small part of the world, I was certainly the only woman in the field. There were some more in the US but the percentage was still super small. In Europe it was even worse. Right. I mean, the industry was close to nonexistent at the time. And I did not know any women there either doing this work. What I realized though is at the time, most people didn't really know what security was. I think my parents really understood what I did maybe five years ago.
A
I think James has similar stories. But I was going to ask, in terms of, then you come back to Europe and the US is possibly even further ahead then than it is now of Europe in tech. So you come back and you're in a smaller organization. You're doing this profession that nobody understands. How did you find the reverse emigration, if you like, back to Europe into what some Americans frankly still see as a sort of tech void? Is the working culture in security very different? Was it more different back then? What did you make of European cybersecurity and European tech when you got back and settled in Amsterdam relative to the US?
D
Yeah, so when I moved back, I saw the difference. Everybody was still finding their bearings, but certainly in Europe, security was even newer than it was in the US, and so I was working for some commercial companies that were a bit ahead of the game, ING, SAP, companies that were international enough that they were really trying to catch up and to keep up with the American companies. What I saw though is it started leveling up after a few years. But there is still that fundamental difference between US and European companies. I worked for both. Right. And I was always under the impression, and I think it's true, that US companies are a bit bolder. They move faster, they try, they fail. Companies in Europe think a bit more before they engage. And as I am saying this, actually I realize that Zalando may be quite different for a European company because it's a very bold company. If you look at what we've been doing with AI for many, many years, what we did with GenAI starting in 2022, it really takes calculated risks and encourages entrepreneurship throughout the company. I think that's why I really like it. It's a lot of fun.
A
Okay then, well, let me put you on the spot. If you ever do get this narrative saying in the US about US lazy Europeans or so forth, or very backward, how do you feel about it now? Are you optimistic? Are we getting better over here? Are we up to scratch? What's happening in European tech and security right now?
D
Yeah, I think so. I think so. And we also have more regulation, which is a blessing and a curse, right? I mean, in some ways, of course, it makes some things difficult, but in others, it's also very helpful. It helps set a baseline that maybe the US are missing.
A
Fair enough. Right, well, now let's turn to the present and stay in the present and these issues in cybersecurity. So again, I want to ask you, as the defender of a really significant and fast growing European company, about the threat balance. So you did this brilliant presentation for the SANS Cyber Leaders network about bringing AI securely online. We'll touch on that a bit later. Let's not deal with that now. But I wanted to talk about the balance between your defense from, say, older threats, the ransomware stuff that we've been really scared of for years, and all sorts of your corporate neighbors all over the continent and North America have been absolutely pulverized by this. You've got all the nation state spying campaigns that have been going on for ages. You've got all this decrepit infrastructure. So you've got all that to deal with. And then you've got all this new stuff. You've got the disclosures about AI hijacking LLMs. You've got all sorts of scary vendor reports day in, day out about AI related cyber threats. So for you, what's the balance? You can't protect everything, you can't prioritize everything. So how much of the threat picture for you is the new fast moving and scary and exciting stuff versus fixing some of the stuff we've been worrying about for years?
D
Stay with us, we'll be right back.
C
Hi everyone, James Lyne here, the CEO of the SANS Institute. A quick thought for you. Cybercriminals have networks, dark web forums where they share what works, what doesn't, and where they're constantly sharpening their playbooks against us. So why shouldn't we do the same? That's exactly what the SANS Cyber Leaders Network is about. It's a place where CISOs and security leaders share what's actually working inside their organizations and what isn't, while getting access to world class experts sharing insights into the latest threats and trends. You'll find me in there surfing around, sharing what works. So come join us at go.sans.org/cln, that's Charlie Lima November, and if you're enjoying the show, one teeny tiny small favour: hit subscribe. That's genuinely all we'll ever ask of you. And in return we'll keep fighting to bring you the guests and conversations that you want to hear. Appreciate it all. Now let's get on with the show.
D
Yeah, it's a great question and it's something we deal with every day. You're right. On one side we've got these fast moving, AI driven threats with attackers using LLMs, deepfakes, and this is evolving really fast, constantly, and we're having to move just as fast to keep up. At the same time, some of the most damaging attacks that we see are still not very fancy. Right? It's attackers walking through open doors, exploiting systems that should have been patched years ago, or maybe taking advantage of passwords that haven't been changed since 2012. So the balance, it's not easy because you can't ignore the bleeding edge. And at the same time, if you don't have the basics right, identity, patching, backups and the like, the rest doesn't really matter. So I think maybe one way that we can look at it, and what I'd like to do, is to take a step back beyond the considerations of new and old. What we need to consider is that we really live in a world that relies almost exclusively on interconnected systems, cloud platforms, complex supply chains, and this has really increased both the likelihood and the impact of those security incidents that we see. So for me, the focus is on cyber resilience, whether we think of old or new threats. More than ever, yes, of course it's about stopping some attacks, but it's really about being prepared to respond and bounce back fast.
B
I love that lens, Florence, and I think I'd underline something you've stated there from my own experiences and offer one other interesting example of this. You mentioned the cybercriminals' and other actors' use of AI. It hasn't produced a great deal of novelty. It's produced scale and velocity, some accessibility, and of course that's really useful to attackers. And they can afford to be fairly sloppy with the implementation at machine speed because if it doesn't work, they move on to the next target. Whereas for us as defenders trying to produce resilience, to your point, we then need machine speed retorts to that that aren't going to take down our production systems and cause problems. So it may be less the novelty and more just a velocity problem in achieving future cyber resilience that we have to think about. Does that brief well for you? Does that kind of seem like the problem space we're in from what you've seen in AI?
D
I fully agree. We do have a speed problem and we see it through some of these AI powered attacks. Right. So yes, on one hand you have all these phishing campaigns that are hyper personalized, perfect, tailored to the target. You have those deepfakes that are absolutely damaging for companies and that just look better and better every day. And then malware development, I mean think about it. AI now helps attackers who have absolutely no idea how to write code, but it helps them write, test, improve malware faster, even helping them to embed detection evasion techniques. And so what we see is that speed, and it's also that the field has been democratized, right? You have all these attackers who don't really need that much knowledge in order to conduct attacks.
B
Yeah, I think that's a really good description. And of course we've seen, you know, this surge in AI bypasses and toolkits to make it easy for attackers to use AI tools for these purposes, which was inevitable. I suppose the good thing for us in cyber resilience is it's got faster, but the hoops through which they have to jump to get to the things they want remain choke points that we can use as defenders. And I suppose a little related to that, a relatively recent example, there's obviously the conflict ongoing in Iran and I sure hope by the time this podcast makes it out that, you know, some stability and peace has been achieved there. I can't predict the future, but of course, what is happening right now is there is a lot of retaliation occurring as well. You know, groups like Handala striking out, unintentional pun, at a variety of organizations such as Stryker. And then when you go and look at, you know, what is actually happening there, it is mostly abuse of misconfiguration and tools in the environment. It's living off the land. It wasn't some AI powered super threat or new exploit. They're using, you know, MDM and device management to achieve these nasty effects of wiping over 200,000 devices. So I think even more in support of what you're saying, it's going to go faster, it's democratized, it's more accessible. It doesn't necessarily mean it's more clever or that their playbook is targeting different things. And maybe that's the bit we've got to focus on if we want to have any hope of success in facing these attackers with those tools in their hands. Does that make sense? You know, you're on the ground with this. You might have to correct me.
D
That makes absolute sense. And you're right. And it's something that I talk a lot about with members of the board as well, who constantly ask about AI and all those new types of attacks, but the truth is, take a ransomware attack, it's the same attack, but with an AI twist. Right. It means that the time it takes to find a way in is infinitely smaller. The search for vulnerable systems is quick and exhaustive. Security measures are evaded by the malware, but the vulnerabilities that are leveraged are the same. And the security measures that we can put in place, the mitigations, are also the same. So we just need to be faster, and we don't have the luxury of thinking, oh, yeah, but this one is hard to find, because for AI, it's not.
B
Yeah, it's going to be fascinating, isn't it? Because of course, for years we've talked about dwell times in compromises, and they've slowly been reducing, as in a great victory for security leaders. But you look at some of the more recent data and it's, you know, 15, 16 days compared to years ago where it was hundreds of days. But 16 days at machine speed with AI is a very, very long time. I do want to kind of come back up a level in a moment and talk about this in terms of security leaders and governance and how they should think about it. But I do have one more little nerdy opinion piece because I'm interested if you'd agree or disagree with this. There seem to be these two groups forming in AI and cyber security. One is the church of "AI will solve all problems and eliminate all cybersecurity roles". The other is the temple of "it's fancy autocomplete, you guys are idiots". And everyone seems to be dividing into these churches and temples and not much in the middle.
A
History, politics, religion. Now where are we going with this?
B
We got to get it all in. I'm going to go to Aliens.
A
And by the way, when you were talking about Iran and hoping for some sort of stability by the time this podcast comes out, which of those two things were you saying was more uncertain? Because one of them you can control. Now, when this podcast comes out.
B
I wish I could control the other one, but yes, good point, good point.
A
Anyway, where were we?
B
I'm curious, Florence. So, you know, I look at everything that's happening, and I'm not a naysayer, there's some incredible potential for use of this branch of technologies in defense as well as offense. We've seen these things like, you know, releases of previews of code security tools from Anthropic and others causing massive drops in share prices and kind of general panic in cybersecurity. And then, you know, I look at the improvements in quality of code and offset them against the volume of code we're generating and all these agents flying around the place. And it feels, for all the advancements, like we might just be making the surface area bigger and presenting attackers with more opportunities. So I'm really hoping that you're going to prove me a pessimist, but it kind of looks like this might be tilted towards a little more opportunity for the attackers than defenders, at least in the short term. What do you think?
D
So in the short term I agree, but I think we're catching up. And I know that it's something that we're working on extensively internally because we see the volume of code being created and we see that our traditional measures are not going to be able to keep up. So we are starting to experiment with a number of different technologies. Right. Maybe it's an agent running in the IDE that catches all mistakes before code gets pushed. Maybe it's having more embedded guardrails just built in. So infrastructure as code, right, is something that we're also investing a lot in. So I do think we're catching up a little bit, that's true, but I'm not very pessimistic by nature.
B
Anyway, good for you, good for you.
D
I'm also not an eternal optimist, so I don't think it's going to solve everything. I don't think it's going to replace all cyber security leaders, but I think that we'll find ways to mitigate some of these risks. But right now you're right, it's complicated.
B
It's a bit of a free for all, isn't it? And there is a fantastic paper, as an aside for our listeners, called Agents of Chaos, which is a bit of a study. Not a perfect study, like all these things, but it's a bit of a study of what happens if you let a bunch of agents loose in a computer environment for an extended period. And it's great fun and a cool title as well. But Florence, we must, you know, do the geeky bit. We've got to do the other side of it too. So, you know, everything you've just described there I agree with. For security leaders listening, for CISOs, any big pro tips in how to think about these problems at the moment, things you would focus on, be it policy or governance structures, things that you think will help drive, you know, making AI work in an organization better versus worse that they might pay attention to?
D
So it's interesting because I think at the moment it's very dependent on the company you work for, because there are companies that are extremely, well, bold, as we discussed, and companies that are still more conservative when it comes to AI. That said, I think that we all need to prepare and have a framework for organizations that will allow them to explore, whether it's now or later. So there are a few things. I think it's a combination of tools, techniques and governance aspects as well. Let me start with the tooling and the more technical parts. So we have to combine smarter tools, techniques like AI red teaming, advanced detection, strong identity controls. And we have to combine all of these with practical steps like employee training, reducing what we expose online. It's really about, again, recognizing that AI makes the attackers faster and sharper. And so we have to be as adaptive and layered as they are, but in our defense. Now if you think of AI related threats like model poisoning and exploitation, well, with AI, CISOs and the broader security function have never been as close to the business as they are today. And we've actually experienced it firsthand. At Zalando, we have our product and engineering teams that have leveraged GenAI heavily since 2022, as I mentioned earlier. And the idea was really to improve the experience of our customers as well as the lives of our employees. But we were not on the sidelines, we were there. We created our own security framework and so it includes threat modeling, red teaming, and that helps us find vulnerabilities ahead. Now, it's one of the reasons why I think CISOs are partially becoming AI governance officers. It's not the only function that needs to be, then, but it's really important. I think that with AI getting embedded across departments really fast, whether it's HR, marketing, product, it opens the door to new security risks and we have to be a part of it.
A
Can I jump in there, Florence? Sorry to interrupt, I'm very, very rude. But you're saying it's company specific and you're talking a bit about Zalando, and I just, as I heard you speak, I just couldn't help but think back to that wonderful presentation you did in London at the SANS Cyber Leaders Summit at the end of last year. It's probably online. If not, I'll get the new boss to upload it and we'll put it in the show notes. Please, anybody listening, do watch it. But just to bring that out, do you mind giving us as quick a summary as you can, because there's some very cool stuff. All I remember was making sure your new chatbot that was helping people to buy clothes didn't become an accessory to crime, for example. Some really powerful stuff. Can you just summarize it for us? Because it's brilliant.
D
Yes, sure. Thank you. So indeed the idea was that we published an assistant for customers to find the right outfit, no matter the occasion. And so it's really a conversation between the chatbot and our customers. And with our GenAI security framework, what we did was to make sure that indeed the assistant was not going to, for example, provide advice on what self defense tools could be bought on the Zalando platform. Because that's not what we sell. We sell lifestyle. Right? And so it was interesting, in some of the examples I gave, there was a cuticle nipper and a ring, you know, that were listed by the assistant as items that could be used for self defense. And so of course those were all fixed as we went, but this is what we did with our framework. And since then of course we refined it, we have been using it for other GenAI products. But it's where it all started.
A
Yeah, I mean it is just brilliant. And all I remember is coming away thinking well, if anyone here, if anybody listening, wants to go on this leading online retailer's site and ask, what should I wear if I want to get away with murder, you'll be sorely disappointed, thanks to the work of Florence and her team. I also remember thinking what an extraordinary extension of the role of a CISO that involved, which I think you've brought out really well. But I'm going to have to pivot and take us back to other bits of cybersecurity because it's really interesting to me, now that you've had your geeking out session with James, you can have a policy and governance, much less interesting geeking out session with me.
B
Sorry, Florence. Sorry.
A
I know if we'd been recording this five, seven, eight years ago, we'd have been banging on about data breach risk and all of that. We haven't really touched on it yet. So we've talked about, well, who's going to mess around with AI and what consequences of that and what you've done to make sure they can't. We've talked about all the disruptive threats, the geopolitical stuff. So I just wanted to ask you about where sort of data breaches fit in to all of this. In terms of how you think about the defense. I mean, I call it sort of thugs versus thieves narrative, in that we are getting pummeled by all these sorts of cyber thugs and they're causing all sorts of disruption. But a lot of our laws, governance, even culture incentives, you know, what teams are used to dealing with, are about making sure customer data doesn't get stolen. But do we have to worry about that a bit less now? How do you prioritize what to worry about?
D
Yeah, so actually, this topic is one of my little frustrations. Disruption and data breaches are often treated the same, but they're very different in how they impact a business. And so at a company like Zalando, we have to protect both, right? I mean, massive data sets on one side, complex operations on the other. So I don't know if it's about prioritizing one over the other, but it's certainly about building layered defenses that cover both risks.
A
Yeah, I think that's fair. It's probably, you know, as they say in English, a sort of apples and oranges question, if you like. But I just wanted maybe to extend that. You mentioned earlier where I was trying to goad you into saying something controversial about, you know, European versus American culture and all the rest of it. You didn't take the debate, and I'm not trying again, but I'm going to ask, you mentioned something about the regulatory environment, and it's an objective truth that there are far more laws affecting European CISOs than your counterparts in the United States and so forth. And whether that's, you know, GDPR, which in cyber terms is now, you know, old and venerable and established, or the new EU AI Act, however it's being adapted, and all these new directives and so forth, I mean, looking in big picture terms at the fairly heavily regulated world that you operate in, in a huge continental European, EU-based company, do you think these moves have been largely helpful or unhelpful? I mean, if you could sort of control EU policy for a day, what sort of changes or entrenchments would you like to see?
D
How much time do you have?
A
Oh, as much as you want.
D
So you're right, and I mentioned that earlier. Right. The operating environment is quite different in the US and Europe. And so it's not only the EU AI Act, GDPR, NIS2, it's also a mix of national laws that are layered on top.
B
Of course.
A
Yeah.
D
And so it makes everything quite complex. I still think, as mentioned earlier, that these laws and these directives have raised the baseline. They've made privacy and security non-negotiable, which is good. But what gets challenging for us, especially when you operate across Europe, is the lack of consistency. So you're often dealing with slightly different interpretations of the same rules. And so what I'd really like to see from policymakers is more harmonization across borders and more guidance that's actually practical, not just legal theory. And I guess, I mean, if I continue. Right. Yes, we need to keep driving standards, but we need to do it in a way that supports how businesses operate. In some cases it feels like paperwork. Yeah.
B
Well, Florence, I guess I'm going to pivot you across. Kieran has driven you down regulations and paperwork, I love it. And you're right, all that matters, I mean, no doubt. But I do want to ask you the kind of technical parallel, I suppose. Of course, one must. Right, one must. So techniques and capabilities that you think have the biggest potential to transform our ability to deal with all these challenges. And I mean, all these challenges, you know, you were just describing the explosion of regulatory requirements. We talked about the AI velocity issue and accessibility to software cybercriminals. You talked about interesting gen AI security and content control use cases. So, you know, I know in the past you've talked about authentication, passwordless access. What do you think the most important controls and capabilities are to help security leaders with everything we've talked about so far? What's on your hot list or high potential list?
D
So what I see is that some of the biggest breakthroughs are coming from things that reduce fraud, friction, and so sometimes they seem really small. Like, I mean, you mentioned it, right? Passwordless access, or maybe better identity management, maybe infrastructure as code. So really having security embedded in the lives of the users, because that makes it extremely easy and it's not as error prone. So for me, those are really the little nuggets that make these big changes. Now, of course, I'm also excited, as I mentioned earlier, about how automation and AI are starting to help defenders as well, not just attackers, at detecting faster, triaging alerts, et cetera. And I think for those, the key is really going to be to make them practical and usable, not just flashy tech. There's way too much of that at the moment.
B
People do get rather excited about their tools and end up buying a bunch of them and deploying half of them and not necessarily having people with the right skills to turn all the checkboxes on and off or configure them appropriately. It's definitely a problem we have discussed ad nauseam on this podcast before.
A
Before.
B
Well, Florence, I know we are kind of running towards time here, so, Kieran, we've got to prioritize our last questions here. I know we hate to do that, but maybe. I know we must. We must. So I've got something I want to pick up on that I'm really fascinated about. You didn't start your journey on the corporate ladder. I mean, you're an ethical hacker. You like breaking stuff, like me. And then you ran, you know, a P&L for a cyber security innovator. So kind of seeing lots of new technologies and figuring out a bit of the business side of it, too. And now you're this kind of major defender, winning CISO of the Year awards. And, you know, when you got that award, you gave an interview where you said, in the future, the CISO is going to have to wear many hats. I assume not literally. It was more of a metaphor. Though I do like the idea of, you know, multiple stacked hats.
A
You can ask Zalando's chatbot how many hats you can wear.
D
That's right.
A
And which ones. And. Ooh.
B
Exactly. And what the correct number of hats is to get away with a crime,
A
but not how you can harm people with them. They won't answer that.
B
Exactly. No cutting hats. So I think that's a fascinating remark, but the only problem with that interview was that it was quite short. Mind you, everything is quite short compared to our podcast, Kieran, so you didn't get to as much detail as we'd like on that. So on this podcast, we are indeed famously undisciplined about time. So why don't you take as long as you would like to tell us and the cyber leaders listening what you mean by this many hats.
D
So what's interesting is I'm surprised I said that the future CISOs will have to wear many hats because I think we're already there. And for me, it's really about being well rounded business and technological leaders.
B
Florence, as a mathematician, I do have to ask you, do you think this expansion of hats will be polynomial in some nature? Is it an exponential hat increase?
D
I think it's quite exponential.
A
Have you guys switched language?
B
Okay. No, it's. Okay, carry on with your point.
D
But yeah, you have to be comfortable speaking with all functions in a company. Engineering, risk, legal, management. And when you think about it, it's more than just connecting. It's really building those strong relationships internally. And so it's understanding business priorities and tweaking the role that, as a CISO, you need to play for them. So, yes, you end up being partly cyber defender, part strategist, diplomat, governance officer, and still very much a core leader in the business. So, yes, I think it's quite a few hats and I think we're all wearing them already.
A
Well, excellent answer. I mean, if anything, not long enough. Because James, as new leader of SANS, is adopting the more is more principle rather than the less is more. And I think we've always taken that approach in the podcast. But one final question before we wrap this up. So you've talked about the CISO present and future and the huge number of hats that have to be worn and how that's getting to be an even more striking feature of the role. Let me ask you about the profession generally, the cybersecurity workforce. You've been in it a long time. You came in as a bit of a trailblazer, as we've talked about earlier. So be optimistic or pessimistic about it. Would you recommend it to young people now? What do you think? What's the state of this industry?
D
Well, of course I would recommend it to anyone because I really love this field, right. I've been doing this for 25 years, so for me, it really runs in my DNA. Now. Is it hard? Yes. And I see it around me, right. I see some CISOs who really burn out. I mean, the pace, the pressure, the constant alertness, it wears people down, especially in companies where the function is understaffed.
A
Yeah.
D
And when maybe they have to fight fires all the time. So it's not easy. But is it super interesting? Fascinating. Absolutely. It is excellent.
A
Thank you. Some encouragement. Over to you, James.
B
I love to hear encouragement and I love to hear passion for our industry as well. I'm very aligned to those remarks. But look, Florence, we've covered so much, but I am afraid after Kieran's admonishment of my more is more, we've got to bring things to a close.
A
Sorry. But don't forget,
B
we'll work on your accent, but he'll be available for French rehearsals on future episodes. Melle grousement. So, anyway, look, back to task here. As you know, at the end of each of our episodes, it is important that we give folks something very useful to take away.
A
So we are asking you for, Florence,
B
your 30 second takeaway. Look, ultimately, this podcast is about lessons for cyber security leaders. So, Florence, if you had just 30 seconds with a cyber security leader, what would you advise them? Something to do, not do, pay attention to, completely disregard, a favorite style of hat. It's up to you.
D
Okay, so here's what I would say. Resilience isn't just about stopping attacks. It's about acting fast when they happen. And that speed only comes from trusted connections across the business, engineering, operations, leadership. So my advice is to invest in those relationships regularly so that you can all act quickly when it's needed the most.
A
And actually, I think a wonderful takeaway to finish a wonderful episode where despite the length of our introduction, we managed to cover AI, traditional threats, Europe, America, government, the state of the industry, and a bunch of mathematics stuff that I didn't understand. Thank you so much, Florence. We must leave it there. All that remains for me to say is to thank you, Florence, for joining us. It's been an absolute pleasure.
B
Wonderful.
D
Thank you very much for having me.
A
And to ask you, the listeners, for feedback, you can message us at cyberleaderspodcast@sans.org, you can leave feedback on the site. You can even give us a rating, which is all very nice, but tell us what you'd like to hear. More or less, anything you like.
B
And with that, thank you for listening.
A
Yes, thank you for listening. I'm glad you're not watching because you'd see a big picture where it says, James, Kieran's boss. But anyway, from me, Kieran Martin, and
B
from me, James Lyne, the boss, it's goodbye and keep on cybering. Just.
A
Sam.
Guest: Florence Mottay (CISO, Zalando)
Date: May 1, 2026
Hosts: Kieran Martin and James Lyne (SANS Institute)
This episode of Cyber Leaders explores how Zalando, Europe's online fashion giant, has adopted generative AI without exposing itself to major cybersecurity risks. Florence Mottay, Zalando’s award-winning CISO, shares how her team integrates AI tools securely, how she balances legacy threats with fast-evolving AI-powered risks, and what it takes to build resilient organizations in the face of democratized cybercrime. The episode is rich with insight into the shifting landscape of global cybersecurity, leadership “hats,” and practical strategies for CISOs and tech leaders.
“Resilience isn’t just about stopping attacks. It’s about acting fast when they happen. And that speed only comes from trusted connections across the business, engineering, operations, leadership. So my advice is to invest in those relationships regularly so that you can all act quickly when it’s needed the most.”
— Florence Mottay, CISO Zalando
This episode stands out for blending practical case studies (Zalando’s AI security journey), context on the evolving European threat and regulatory landscape, and candid, actionable advice for security leaders facing the “velocity problem” of AI-powered crime. Florence’s optimism, realism, and breadth embody the many-hatted CISO of today.