A
Welcome to Cyber Leaders. I'm James Lyon.
B
And I'm Kieran Martin.
A
Welcome, or welcome back, to our show, where the geek, that's me, and the generalist.
B
That's me.
A
Get together to discuss a whole range of wacky, weird, wired, wireless and wonderful topics for the cyber security leadership community.
B
The Geek and the generalist. You reckon we should call it that? Anyway, thanks to SANS, where we both toil, we can bring you the perspectives from across the spectrum of tech security. From someone who's been breaking the law. Sorry, that's a typo. Lawfully breaking.
A
That's important.
B
Confidence application. We can hear. From someone who's been lawfully breaking into all sorts of different Internet weaknesses in order to help organizations defend themselves and give the baddies more bad days. That's James, the uber geek.
A
To the sort of issues around policy, operations and posture that organizations need to defend themselves. From the perspective of someone who used to run cyber defense for the UK. That's Kieran, a geek in his own very special way.
B
Yes, I have a community all of my own. Well, there's a few of us, but anyway, we want to bring to you the perspective of expert guests from all over the world on different aspects of cyber security.
A
Indeed we do. And loyal listeners, we know there are some. And we love you and we love
B
our new listeners too.
A
We do. But loyal listeners may have noticed that we've been trying out a few things of late. We've had special episodes on the Iran war and Mythos, but today it's back to brilliant basics. Though still, I think with the good helping of Mythos and wider AI. I mean, it's unavoidable at the moment, isn't it, Kieran?
B
Yeah, back to basics. You know me, don't like change. I'm still taken with that history teacher who told me that everything after the fall of Constantinople in 1453 is current affairs.
A
But.
B
But anyway, to take it all back to the way it was before, I just want to chat at extraordinary length to a great cybersecurity leader.
A
Well, I can do one of those things for you, Kieran, because we do indeed have a great cyber security leader for you. Someone who I think bridges the old and the new of this podcast. This is a brilliant community builder in cyber security, where, as you know, community really does matter. And a proper expert on operational defense in the age of AI. So today's guest is no less than a former United States Marine. He's also worked at the National Security Agency, Cyber Command, Mandiant and Netflix as well, which I'm sure is fascinating of its own. Probably an impending movie.
B
Well, I reckon there's a large Venn diagram of people who've served in the Marines, NSA, Cyber Command, and a sizable one, but smaller if you add in that great company known by Google, Mandiant. But I reckon it might drop to one if you throw in Netflix.
A
Well, let's ask him because he's now field CISO here at SANS.
B
Now, James, we both live in the English countryside. Field CISO is something to do with what's going on outside your window. Agriculture, you know, does he look after the security of food production?
A
You are being very naughty now, Kieran. That is silly even by your standards.
B
Okay, I'm sorry, boss.
A
You know very well that as field CISO and VP here at SANS, this means he works with all sorts of different companies, helping their defenses. He's also founded his own consultancy and hacker media platform. Great watch, I should say. And he's one of the most passionate and successful community builders I have ever known. Not just a thing I say to be kind, an introduction. It really is remarkable how well connected he is across those who are trying to make cybercriminals miserable. So joining us all the way from Dallas, it is the great Chris Cochran.
B
Hello, Chris. Welcome to the show.
C
How's it going? James. Kieran. So happy to be here. It's an honor to be amongst you great podcasting cybersecurity leaders.
B
Well, thank you so much. Our day is going much better now that you've joined it, so thank you. Now, James has already mentioned your absolutely stellar career, but he omitted one thing and I know I said I'm not comfortable with change, but I'm quite happy to announce the first. I think you are the first published novelist we've ever had on the show. Am I right? The first published cyber novelist.
A
It has to be.
C
I don't know, I've watched a few episodes. I'm not quite sure if I know the entire Rolodex of the folks that have been on here. But yeah, I wrote a graphic novel. I have three daughters. They're 17, 11 and 6. My 11-year-old, she's into anime and cartoons and all these things. And I thought, wow, wouldn't it be cool to take her likeness and create a graphic novel hero around her? So I did. Called Scotty Threat Hunter and it's volume one of three. I'll eventually get to volume two one of these days. But she's a real girl that goes into this cyber world and is a threat hunter tracking down all the baddies around the globe, taking down ransomware, taking down AI-generated bots, all kinds of different things.
B
That's amazing. And it's probably the first time we're going to put a link to a graphic novel in the show Notes. And the plot seems to be about turning innocent users into zombie bots. So maybe that's a segue into Mythos, but maybe we'll come back to that later.
C
Yeah, I mean, sounds about right. But, yeah, it seems like it was ahead of its time and all of a sudden it seems to be coming more and more reality every day.
A
We've been struggling with the answer of how we should advise security leaders in the next five years. I think we've got the answer, Kieran. We just need to get Chris to sit down and write a future prediction. The Nostradamus of cyber security in graphic novel form.
B
Right, well, we need volumes two and three. Don't do what my namesake, George R., does and leave us hanging for the last two books.
A
Her cousin George.
B
Get on with it.
C
My daughter asked me every other month. She's like, is it almost done? I'm like, I haven't started it, baby.
A
Well, look, Chris, now we've got that extraordinary first out of the way, let's start by talking about your novel career and no, I don't mean your novel writing one. I mean your unique story. See what I did there? Quite happy with that.
B
Lovely.
A
Very good. We always ask people about their path into the industry, and yours is a really fascinating and compelling story. So tell us about it. How did you end up in cybersecurity?
C
Yeah, I'd always been interested in technology ever since I was a kid. Sort of the classic, hey, I want to break this thing apart and see how it works. But I really wouldn't get my start until I joined the United States Marine Corps. I happened to be lucky enough to get a job in intelligence focused on technical intelligence. So I was able to utilize that desire and that passion I had for technology for the work that I was doing. And, you know, obviously being focused on intelligence, it felt like I need to be able to do more. Right. I don't want to necessarily stay in the government forever, even though there are people that do that, and I might even go back to the government one day. But I wanted to get out there in the world in industry. So in order to do that, I actually created my own company standing up threat intelligence capabilities for organizations. And so I did that for a little while, went to Mandiant doing incident response security operations, and then long story short, ended up at Netflix. That's where I really started to lead in the threat intelligence space. And then going into more incident command education for other folks around that time. That's when I started a podcast with a good friend, Ron Eddings. And then we ended up building out to Hacker Valley Media, which I no longer lead. I passed the reins over to Ron, so it's in really good hands and he's done some incredible things since then. And, yeah, I would say, on the AI side, you know, my first entry into AI was my senior year in college. My thesis was on digitizing the human brain. And yes, yeah, I read that paper maybe six months ago, and I actually got quite a few things right about how language is going to play a part in artificial intelligence. And we won't talk about all the stuff I got wrong because that's not important. The important part is I got some things right.
And so ever since, I would say, even right before GPT3 came out, I was dealing with some generative stuff in the smaller cyber communities, just playing around and trying to figure out, how do we leverage this? And then all of a sudden, GPT3 kind of opened up the floodgates for just about everybody. And that's when I just went headfirst. I was like, hey, how do we wrap our brains around this AI thing? And that's what I've just been doing ever since.
A
So I have two observations and a question. The first is very on brand for the cybersecurity community to talk about the areas we were right in our predictions and ignore the others. Love that. Secondly, Kieran, I'm starting to suspect, given his early work there on the digital brain, we might be talking to a clone of Chris, but he's doing a good job on the podcast. So suggest we continue and see if we can find the real Chris later.
B
Yeah, you're the attacker. You have to detect it. He's convinced me.
A
We'll work on it in the background whilst he's answering my next question. Chris, I want to ask you about your work on community building. It's a real passion for you. I know, and it's one I share. You've heard me say, bet on people and talk about how the cyber criminals have their community, so we must have ours. You've spoken so much about it and you've done so much to build it. So tell us about what the cyber security community is, its strengths and weaknesses, and what it means to you.
C
I would say the cyber security community has a life unto its own. I would say very early on, I felt like there were pockets of folks kind of gathered together and being from the government also, you know, working with classified material, it wasn't like I could contribute in any measurable way. And so largely I was on the outskirts. I felt like, wow, I want to be a part of this community, but it doesn't seem like there's a way for me to really connect. And then I really didn't get that opportunity to connect with the community until I started speaking. I started speaking, then I started doing the podcast.
A
You got on the circuit, didn't you, Chris?
C
Oh, yeah, yeah, I did. I, I went pretty, pretty hardcore into the speaking circuit to the point where I was always trying to look for opportunities to improve my ability to speak, to include going to LA, to a comedy club and doing five minutes of standup, which, if you ever do that, anything else is going to be super easy from a public speaking standpoint.
A
Kieran, we've got to find that. We've got to, we have.
B
Stay with us. We'll be right back.
D
Hi, everyone, James Lyon here, the CEO of the SANS Institute. A quick thought for you. Cybercriminals have networks, dark web forums where they share what works, what doesn't, and where they're constantly sharpening their playbooks against us. So why shouldn't we do the same? That's exactly what the SANS Cyber Leaders Network is about. It's a place where CISOs and security leaders share what's actually working inside their organizations and what isn't, while getting access to world class experts sharing insights into latest threats and trends. You'll find me in there surfing around, sharing what works. So come join us at go.sans.org/cln, that's Charlie Lima November. And if you're enjoying the show, one teeny, tiny, small favour: hit subscribe. That's genuinely all we'll ever ask of you. And in return, we'll keep fighting to bring you the guests and conversations that
A
you want to hear. Appreciate it all. Now let's get on with the show.
B
And we will, we must.
C
But yeah, I would say the best thing that I realized once I started sort of building my own little community is that there are a lot of folks out there looking for a community. And so I've always been of the mind, hey, the more the merrier. We need as many people from as many aspects of life as possible. Because if you think about it, cybersecurity is all about problem solving. That's all we do. And so to have different Ways of thinking and being able to share that tradecraft, being able to share those best practices, is honestly how we're going to get through any obstacle, how we're going to get through any storm to include this artificial intelligence autonomous attack storm that I think is brewing. So I would say that I've done everything from created communities for people getting into cybersecurity. I've created and been a part of some really great CISO communities. But I would say that having a community is one of the most important things that we can do as human beings, but especially cybersecurity practitioners.
B
Well, let me pick up on something really important you said there, Chris. So you talked very passionately about this community that you're such an inspiring part of, but you then mentioned communities facing challenges, and you highlighted the big one, the one we're all talking about. We can't really come back to the community without touching on the pressures of the new AI models setting the cybersecurity world ablaze. Mythos preview, the OpenAI delay of their own model, the anticipated vulnerability storm, as you called it. So let's get into that. James, what do you think?
A
Yes, indeed, Chris. First, you know the big question, right? Cut through all the debate and hype for us, would you? We got a whole range of views from this is the apocalypse and rise of the Terminators to frankly, nothing has changed. And this is asinine marketing all the way from the end of the world to great opportunity. So what, so far as you are concerned, as an expert, can these models do that we actually need to take stock of?
C
So I think that Mythos is a step in the right direction from a couple of angles. Its ability to do static analysis on applications and find vulnerabilities very quickly, I think is fantastic. Right? There are folks that are already out there using it. They're trying to find the flaws and the vulnerabilities before the bad folks do. The other thing I think this really starts to highlight is the power of models and the controlled release and the control of access to that particular model. But here's the problem that I'm seeing. The problem I'm seeing is that are we going to, in perpetuity, prevent the development of models and the release of models publicly in order to support national defense or cybersecurity? Because here's what I mean. Sure, Mythos was focused on cybersecurity finding vulnerabilities, but the problem is, as these models continue to improve, they're going to improve across the board. So what is to say that a year from now, the regular models that everyone has access to today turn into exactly what we're afraid Mythos can do in the hands of an adversary. So I'd be really curious to see how this starts to unfold from a control perspective and an access perspective.
B
Can I just, at the risk of slightly putting you on the spot, but it's such a big question and you've got a long and very distinguished career in government. What do you think should happen in terms of the way the state, the U.S. republic, the other countries, what should we be doing thinking about in terms of that almost most potentially existential question.
C
Yeah. So there's quite a few things that we should be doing. I'm actually a signatory on the UN red lines for AI development, which is there are certain things that AI shouldn't do, just in general. Right. But then also I'm a part of another organization called the American Society for AI and right now what we're doing, we're calling it an AI constitution, but at some point I think the name is going to probably change. But this is all about how do governments around the world coordinate and orchestrate together to make sure that we have control over the AI that we're developing. So the part that I'm leading is the non-proliferation part of it. And so that's about, hey, how do you ensure that we aren't bringing something to the world that isn't going to be catastrophic for a number of reasons, whether it's for nuclear, biological, whether it's the Skynet, whether, you know, this thing just changes the world. From a psychological operations standpoint, I would say that we need to really start to think about how do we measure capability, how do we ensure that the people that need to know this capability exists and then also how do you control that capability, I think is going to be ever more increasing as we continue to go down this AI race with all these great frontier labs.
A
Well, and Chris, I guess building on that, what do you think this means for defenders in kind of practical terms now and over the next few years? What should they have their sights on, do you think?
C
So this is something I've been talking ad nauseam about all around the world. Basically. I see this. Right, right. The stuff that Anthropic talked about the end of last year with the autonomous attacks, it was met very similar to the glasswing Mythos stuff, very mixed bag. Some people felt like this was the end of the world, some folks felt like this was just automation just a little bit faster. But this is what I saw. I saw the tip of the iceberg. I feel like it is not a stretch of the imagination that within three months, six months, nine months, a year, maybe two years, we're going to have tens of thousands, if not hundreds of thousands of autonomous agents looking for targets of opportunity for the adversary. And so, from my perspective, I think that we need to do a couple things in order to prepare ourselves for that inevitability. I don't think there are a lot of folks that are really looking at it right now and for good cause. Everyone is doing their work. Cybersecurity practitioners are already fighting fire to fire, right? They don't necessarily have the time to always pop their head up and look around and see what's going on. I just happen to be in a position where I'm talking to a lot of these folks. I'm reading the tea leaves. And so this is what I'm seeing. So from my perspective, we have to do a couple of things. Number one, we have to get our houses in order. From a cybersecurity perspective, there are way too many foundational things that we've never really gotten to or a lot of folks haven't gotten to. Things like workforce identity. We never really quite nailed that, Chris.
A
I call it the pile of shame. The things we know we should do.
C
It is, I mean, it is. We tend to sweep it under the rug and hope that it never comes to pass where we have to deal with it. But I think we're having to get to a point where we do have to deal with it, right? Because then we brought non-human identity to the picture and that got more complicated. And then we were like, hey, this isn't complicated enough. Let's bring agents into our organization. And now we have to figure out agentic identity. A lot of folks don't really have a good incident response program. Right? We need to get some of these things completely shored up because the bigger the holes are in our system and our programs, the harder it's going to be for us to keep up with these autonomous attacks when they start to happen. But then also, how do we start to leverage AI ourselves for the protection of our organizations or the people that we love? And so, believe it or not, I speak to people, I've probably spoken to hundreds of people over the last several months, and I would say about 50% of them are AI skeptics. They don't want to touch it, they don't want to use it. They say, you know, it's a fad. Or it's wrong or it's bad for the planet. And this is what I say each and every time. I say, you can no longer afford to be an AI skeptic. Worst case, you can be cautiously optimistic. But because the adversaries are leveraging AI, you have to then fight fire with fire. And so we can't just stand idly by and think that with our manual hands we'll be able to keep up with machines. So I'd say that this is a lot of the things that I see for the cyber security practitioner in the coming months, years.
B
So, Chris, that's really interesting. And, and I think whether you're one of the remaining AI skeptics or even if you're not, even if you're convinced. When I was listening to your masterclass in conveying advice to people about putting our house in order, and then you started to talk about the workload and you started to talk about the pressure on skeptics and pretty much everyone, I started to think about bringing the two themes together. And I think this is something that James and I really, really want to ask you. So this is a truckload of work. Whether you're enthusiastic about it or skeptical about it, you can see where this is going. How is the community that we, and particularly you care about so much supposed to cope with all of this stuff? You know, give us something to think about in terms of workload, overload, burnout. The challenge of talking to C suite board leaders about all these problems. This is a paradigm shift. But how do they cope with all of this alongside all the other things that they already have to worry about?
C
That's a huge problem and that's a problem that I'm constantly trying to think about. How do I help the community as much as I possibly can? Where can I pitch in and be of service? And I've given a talk several times about burnout and how burnout happens for several different reasons. Right. But I would say one of the big things, especially when you know, you're talking about cyber leaders, they are kind of getting it from all ends, right? They have top down pressure to say, hey, what are we doing about AI? How are we going to secure it? And they're having to figure out what AI is in general. Right. We didn't just come out of the gate and everybody knew about AI and all the aspects for. But then you also have to learn the security aspects of it. Then you're trying to talk your teams into using AI and they are giving you pushback because they say, hey, we don't do that. We do it the old school way. And then you're dealing with your fellow C suite folks and you're dealing with incidents, and then you got cyber insurance that you're dealing with. So it's really a tumultuous reality for a CISO today. And I would say multiple things. Number one, community, that is the most important thing that you could do for yourself as a leader is find the folks that are in your area, in your industry that you can speak to, that you can speak freely. Because being a CISO is a lonely job. So shout out to one of the best CISO communities out there, the Security Tinkerers. Became a Security Tinkerer, I think, in 2019. And then when 2020 happened, everything shut down. And I actually started this thing. Every Friday I was doing a call. It was called NextGen. These were directors, VPs that were looking to get to CISO eventually. And it became so popular, the CISOs from the Security Tinkerer community started to join as well.
So every Friday for maybe a year, I led a call of maybe 30 to 40 CISOs, and we would talk about everything from life to work to, hey, what's going on with this particular threat to, hey, I'm having a hard time at home, yada, yada, yada. And people found that so valuable because if you're just sort of stuck in your own mental echo chamber, it can feel like you're alone. You feel like everything you do is wrong. You feel like everything is just kind of coming at you. And sometimes all you need to do is talk it out. Sometimes you just have to say it out loud to someone else, to another human being. But I would say that the more we can band together as leaders and work with each other, that'll help prevent burnout. That's step one. Step two is really get good at communication. I think that from a communication standpoint, that's something we felt like we learned in grade school, and then all of a sudden we really kind of just left it. And we don't really increase our ability to communicate, but whenever you communicate with someone and you're able to convey, but also tied to emotion, whatever emotion that is. And I'm not saying to manipulate people, but if you want a desired outcome, if you want to really send a point home, you have to understand the power of being able to tell a story. Storytelling is one of the most important things in the world, because if you can tell a story to a board or a CEO or to your team, and it puts in their mind exactly what you're dealing with. And then you can let them know how they can help and how actually this would also help them in return. That's where things start to have this inflection point of positivity. But when you feel like you're in it by yourself, you're going to constantly feel burned out.
A
You know, Chris, I love that communication point. I think it's so important, and I would highlight to folks as well, that is an opportunity area for AI to specifically assist that isn't about, you know, the technical application of models to vulnerability discovery or otherwise. It is rather good at this, but it also takes some time and practice. It's very easy to generate generic em dash propagated text that frustrates the listener with feeling like you didn't really put any original thought into the communication. So using the tools the right way and doing what Chris said on storytelling I think is immensely powerful. But Chris, if I could narrow this question down a little more for some of our audience. Again, you have lots of wonderful advice. So I've said many times on this podcast, security teams run at 100% capacity or more or they're always busy, there's always something going on and this is just adding to the workload, let alone trying to dissect the latest press release on why a model might be the end of the world or quite helpful. So security leaders are going to have to make time for their folks to work on this. Assuming they do that and they find a way to open up some space, where should folks first spend their time? And I know Chris, it's hard to answer this universally. I mean, looking at, you know, some of our folks developing our new AI classes, such as how to use AI for vulnerability discovery, it does require a lot of the security knowledge of the original problem domain as well as AI orchestration and management skills. So I know you can't truly silver bullet this, but if folks get time from security leaders, how might they deploy it to make themselves feel a bit more connected to the future of AI augmented cybersecurity?
C
I would say, you know, at SANS, we kind of look at AI in three different buckets. One bucket we think about how do we utilize AI. So from that perspective, even if you have to just think about what is one thing that I can start to leverage from AI that could save me the most time, or to make this product that much better, like really just start to find those little use cases where you can really start to lean on artificial intelligence. From a protect position for artificial intelligence, what are some of the failure modes in which you need to understand, especially for your organization? Right. How do I think about what is the worst case scenario for my business? I used to say, when I was doing a lot of threat intel work, I used to say I want you to think about what is that headline that would be in the newspaper that would absolutely gut you. And then how do you prevent that from happening? So you have to start to think about threat modeling and failure modes. And then ultimately I think the most important aspect of it is like governance. And then again governance. You can't do that in a bubble. Right? Artificial intelligence isn't just an IT thing, it isn't just a security thing. AI is becoming an integral part of every aspect of business. And so now you have to start to think about who are the different stakeholders we really need to bring together to start to figure out how do we govern artificial intelligence together. So creating something like an AI governance council from around the organization, I'd say those are the really the high leverage. If you get a little bit of time to start to wrap your mind around some of this stuff, that's where I would put a lot of my dollars.
B
Wow. So this is turning into one of my favorite ever episodes for all sorts of reasons. The community, the technical expertise that bringing the two of them together. But most of all, I think this is a master class on how to convey an awful lot of really useful information in a very short period of time. I'm talking to you from a well known university and students often talk about communication skills. And if James releases the copyright, I think I'm going to get them to listen to this. But therein lies a challenge for you, Chris.
A
That's something we can do, Kieran.
B
Fair enough, thank you. But for the short version of the class, but also for James's benefit. Chris, I'm sorry, but go on.
A
I see where you're going. I suspect you're about to be cheeky.
B
For James's benefit, you have to condense all of this into less than half a minute.
A
Yeah, see, I knew you were going to be cheeky. That's not exactly how I'd put it, Kieran.
B
Of course you wouldn't. That's classic CEO behavior. You'll deliver a sucker punch in velvety language. That's what you people do.
A
Ooh, harsh, maybe fair. Who knows? Anyway, what Kieran actually means, Chris, is that this is a podcast for hard pressed security leaders. And look, we've covered so much about the state of the industry, the AI challenges and what they themselves need to be doing. That is a lot. Now, we don't want to overwhelm people. This podcast is supposed to be a break from CISO burnout, after all, not a contributor to it. The end is nigh panic. So if we had to summarize your thoughts for the community and its leaders into one short sound bit, sound bite, even double word.
B
I see what you did there.
A
Again, this is excellent stuff. Well, I love a data size joke, you know. Absolutely. Just a nibble. Anyway, a bit of advice on the road ahead. What would it be?
B
I believe that's called the 30-second takeaway, Chris, so take it away.
C
All right. 30-second takeaway. I would say be intentional, and that might sound like it would add to burnout, but I'll say this. Be intentional around how you implement artificial intelligence. Sit and think about it. Just pause for a moment. Even with your teams, be intentional. Be intentional about how you operate with them. Every moment should have a reason. It should have a why. Really focus on what are the important things I need to do today in order to save my team time, save my team, my organization, heartburn. Be intentional about all these things, even if you have to just sit and think for a moment about, hey, what would be the next step? From my perspective, be intentional and center everything around people and community. I would say. That's all I'd have to say.
B
Absolutely wonderful, brilliant takeaway. And I'm afraid all I have to add to it is the end is nigh. But don't worry, only the end of the episode.
A
I do love that advice though, Kieran. I do think much of the burnout issue, the fatigue comes from over reliance or over avoidance completely so kind of rotating tasks, deliberately using AI for some things and not others to keep our brains working. I really rather like that takeaway. He's quite good at this communication thing, isn't he? Oh, sorry, Chris, you're still here. Thank you so much for joining us today, Chris. I think you've shared a lot of incredibly useful advice for our community and hoping you'll join us again at some point.
C
Oh, absolutely. And you guys are fantastic. Fantastic. This was so enjoyable. We'll definitely have to do it again.
B
Well, you can definitely come back having said that, but that is all we have time for today, so do leave us a rating, a really good one because this was a great episode. Thanks to Chris. Do leave us a rating wherever you got this podcast. According to people who understand modern communications technology, they tell us it helps if you do that, especially if you leave a nice, good, strong rating. And if you have any suggestions or follow ups on our show, you can email us at Cyber Leaders Podcast at
A
san and with that, thank you very much for listening.
B
Thank you for listening.
A
Keep cybering from me, Kieran Martin and me, James Lyon. It's goodbye and remember an AI task a day keeps the bad guys away.
Release Date: June 12, 2026
Host: SANS Institute (James Lyon & Kieran Martin)
Guest: Chris Cochran, Field CISO & VP at SANS, Former US Marine, NSA, Cyber Command, Mandiant, Netflix; Community Builder & Graphic Novelist
This episode dives deep into the crossroads of AI and cybersecurity leadership with Chris Cochran, a renowned community builder and operational defense expert. The conversation blends Chris’s unique journey through government, private sector, and cyber media with pressing issues on the rise of AI, the threat landscape, and the role of cybersecurity communities in facing paradigm shifts. With energy and humor, the hosts guide the audience through technical, strategic, and very human aspects of cyber defense during the era of rapidly developing AI threats.
| Time | Segment |
|-------|---------|
| 03:19 | Introduction of Chris Cochran, guest profile |
| 04:34 | Chris on writing the “Scotty Threat Hunter” graphic novel |
| 05:42 | Chris’s career journey: Marines to Netflix, media, and early AI work |
| 08:15 | Insights on building cybersecurity communities |
| 12:21 | Cutting through AI hype: What should CISOs and defenders really focus on? |
| 14:17 | Global perspectives: AI regulation and international cooperation |
| 15:42 | Practical advice for defenders—what to do in the face of emerging AI threats |
| 17:14 | The “pile of shame” basics: Identity, incident response, and agentic identity |
| 18:11 | Skepticism, adoption curves, and “fighting fire with fire” with AI |
| 19:38 | Burnout: the personal and community challenge for security leaders |
| 21:58 | Leveling up communication and the power of storytelling in leadership |
| 24:37 | If leaders make space for AI work, what should their teams focus on first? |
| 27:55 | Chris’s 30-second, bottom-line advice for the path ahead |
In Chris’s Words, the Core Message:
"Be intentional...center everything around people and community...Every moment should have a reason. It should have a why...even if you have to just sit and think for a moment about, hey, what would be the next step." (27:55)