A
Welcome to Cyber Leaders with me, Ciaran
B
Martin, and me, James Lyne. Now, we're both from SANS, who are kindly backing this podcast. I myself am a massive geek, and basically, since I was zero years old, I've been spending my time hunting criminals on the Internet.
A
I'm less of a techie, as anyone who watched me try to log on to this podcast recording will have realized. I dealt with cyber security policy and operations in the UK government and set up its National Cyber Security Centre. But nowadays, James and I are together trying to unpack the weird, wild, wacky, wired, wireless, Internet-of-things world of tech security and all the complicated things that it involves.
B
And in your defense, Ciaran, opening a link for a podcast is quite technically challenging.
A
It really is, particularly at these unsettled times. You never know who's out there.
B
Its hrefs are extra hard. But anyway, this podcast is a voice for security leaders. We want CISOs, security directors, and frankly, everyone beyond to build up their knowledge of what works, what doesn't, and ultimately secure their organizations more comprehensively and quickly.
A
End of standard intro. Actually, no, that's what it says here. Now let's talk about this standard intro of yours, James. I want to talk about it.
B
The bit where I say my name.
A
Yeah, I'd like to talk about your name. No, of course not.
B
Well, which bit do you want to talk about then?
A
I can't remember. Sometimes I pay close attention, sometimes I pay no attention. Maybe it's that bit where you say something like, are you or have you ever been a member of the Communist Party? Something like that. No, it's the bit where you say you've always been a hacker since you were minus one or whatever. Breaking into computers since you were a baby. Whatever that is.
B
I'm not sure I put it quite like that, Ciaran. The Joe McCarthy quote is arguably a little closer. But what I do say very often is that I'm a massive geek and I've been breaking things and making life tough for the cybercriminals for, well, as long as I can remember.
A
Well, indeed. And that's the bit I want to talk about.
B
Fine, got it. And the spelling of my name, I presume, of course. But what do you want to know?
A
I want to know how you learned. So I'm older than you. Considerably older. Several decades, I think. Before we came on air, as I was struggling with my link, you were asking me about my memories of the Great Depression or the Napoleon, Napoleonic wars or something, I can't remember. But when I was growing up. Yeah, but I think even when you were growing up, I don't really recall many books called Hacking for Toddlers or whatever. So how did you learn to indulge this geekdom of yours and become the deep technical expert we know and love so well?
B
That's a good question. I really fell into it organically. I mean, I got a computer relatively early on.
A
What was it?
B
It was actually a really old Apple Mac. I think it was a Quadra. That may have been my second one.
A
Right.
B
They blur together a little bit. An early version of Mac OS. Absolutely terrible by today's standards. I was there. As you know, the Internet was starting to speed up. It was, you know, predating the browsers we'd recognize today. CompuServe and AOL. And there were various communities running on modems, of course, good old modems. I can still whistle and hum and create a modem pickup tone. And I started participating in these communities and playing with software and learning to program. I remember my first book, as you say, there weren't many hacking books, but my first book was on HTML version 4 and CSS 1.0 and VRML, virtual reality modeling language.
A
I just love the way you're talking about this as if it's ancient Rome, you know, this book on VRML and so on, it was like the Iliad and ancient Greece or something.
B
You know, it kind of feels like that at this point compared to where we are with AI and modern technology. But, yeah, look, the long and short of it, so I don't take up the entire podcast for this background, is I noticed that you could kind of trick applications and code into doing things they shouldn't, and that fascinated me. And then I ended up in a bunch of slightly naughty but definitely not absolutely criminal forums with people figuring out, you know, exploits and vulnerabilities and malware and. Well, one thing led to another.
A
Just pointing out this is an international podcast, but there's no statute of limitations in this country. Now, you're probably wondering why I'm asking you all of this.
B
I am, yeah. What's with the random questions? Isn't it supposed to be about the guests?
A
It is. Well, this is about the guests, because I know I'm being incomprehensible even by my normal standards, but I'm going to bet that at least one of our listeners, one of those listeners who isn't listening under duress because they're in prison or there's some court order that mandates they have to do this as punishment, has had their massive geekdom enhanced by dealing with today's guest. Because not only has he designed some of SANS's most important and successful courses, he's pioneered and run some of the most celebrated SANS experiences. Those capture the flag and other hands-on practical exercises that are continuing to produce the new generation of James Lynes. Now that may be a prospect that will fill you with joy or maybe fill you with horror. But I leave that to you, dear listener.
B
Why choose, Ciaran? Why not joy and horror simultaneously? But yeah, you're right. And yes, this is where it all comes together. I see your plan now. If you've ever been to Cyber Threat, that's our brilliant threat conference we run every year in London for hands-on geekery of the highest order, or at all sorts of different events, frankly, you will have felt and lived the buzz of some of the greatest cyber security experiences on earth, or at least the legal ones, per our introduction. And we're going to be discussing this further with our incredible guest today. And of course much more of the podcast goes to standard recipe and length, because today we're joined by a true great. The man who not only develops, designs and runs all these incredible exercises that let budding hackers, reverse engineers, malware analysts and more practice hands-on, but also teaches three of SANS's most important courses, all on cloud security, on which he is a deep expert, a world-renowned practitioner, but somehow in between that, he finds time as well to be the chief security officer for a data center company, a board member, an advisor to some nonprofits, and a highly skilled recreational auto mechanic. Perhaps reflecting some of his earlier pre-cyber career at Land Rover. Starting to make me feel quite incompetent here, Ciaran. He's been lauded by leaders all over the world and he's won as well as written a lot of cyber competitions. And to be clear, the ones he won are not the ones he wrote. He is the director of Research and Development of the SANS Institute, the legendary Simon Vernon.
A
Welcome Simon. Thank you for coming onto the show.
C
Thank you for having me. Much appreciated.
A
We are delighted to have you. Now, in that record-length introduction, for which we apologize, hopefully some of it was at least deservedly flattering. When James wasn't inciting young people to cybercrime, he was talking about the way in which you develop all sorts of talent. But I want to talk about how you developed your own skills. So we ask everybody this question. So you've been with SANS for about eight years. There's a whole community of fans of yours out there. They've been through your capture the flag exercises and/or they've been on your cloud security courses, but they may not know a great deal about your earlier career. Maybe, like me, not much is known about it because, according to James, I was born before records began. But in your case, how did you get into this whole business and how did you end up where you are now?
C
Well, I'm not that much younger than you, so quite a long story.
A
Go for it.
C
But I will keep it relatively brief.
A
That'll be a first in this podcast, but go ahead.
C
I also had rather a mischievous edge to me, especially in my younger years. My first ever computer, I think, was in the late 1980s. It had a rubberized keyboard and a tape player attached to it as part of the learning process. On that, I spent an entire day writing this huge amount of code. I can't even remember what language it was in. And then when I executed it, a man ran up a pyramid and then down the other side, and then the program finished and that was it. And to me, that seemed like a colossal waste of time and energy. But it did teach me a lot of things. That meant I could then explore and work out what these, you know, newfangled devices could do. I also had an exceptional teacher at my first high school who was a chap called Mr. Ferber, who I never got the opportunity to thank. But he incited me to push the boundaries of really what was possible at that time. He got me into things like BBC computers, he got me into electronics, and that really carried forwards everything that I did from that point onwards. So from about the age of 12, 13, if we had anything electronic in the house, it came to bits. By the time I was 14, most of it went back together, right.
B
Sometimes functionally, much to the annoyance of
C
my parents, who were very patient.
B
Did it ever have new features, Simon?
C
Well, I mean, new features. Spare parts.
A
Yeah.
C
And that then continued. Now, I did get myself into a little bit of trouble when I got to my second high school, where I had an ongoing battle of the wits with my deputy head teacher, who was also the IT operations manager, about who was running the school network.
A
Ah.
C
And he won, but he kind of cheated because they asked me to not come back to school for a little while to give him the opportunity to bring things back into reality.
A
If you'd been American, this would have been a Hollywood high school movie classic. It would be the all time list. We've missed a trick here.
C
It was good fun. And I have recently been invited back to the school to actually help them solve a problem. They had some students who were playing poker during the lunch break with the parents' credit cards. Okay, we'll help unlock a few things, Darren.
A
Well, this is the sequel to the
C
movie, so yeah, I was kind of kept away from computers for a little while.
A
Yeah, can imagine.
C
And I was basically told that I wasn't allowed to sit around the house all day because that was dangerous. And so I had to be out of the house and I got myself a job working in a garage. And before I knew it, I was taking electronics apart in cars, which were just going through this transition from having very basic electronics to having onboard ECUs. And then it just went from there, really. About five years later, I discovered that computers hadn't changed in any way. I still fully understood exactly what they were doing. And it was an off-chance chap who turned up in the garage who had a computer that didn't work. I fixed it for him as well as several other things. And he paid me more money than I'd earned in the entire week in the garage.
D
Wow.
C
And I realized that actually I could probably do this, earn a little bit more money and be warm in the process.
A
Right.
C
And that was it. But I still have all of my mechanics tools. I've got a 35 year old Land Rover, which, I mean, if anybody owns a Land Rover, you'll know if you want to use it, you have to fix it first.
A
Right? You have no idea what you just offered. That was a mistake. Just please hang on after we stop recording. Now look, we've so much to get through and we could spend the whole podcast talking about your double career in cyber and tech and computing and in mechanics. But I'm going to go straight to where we are now. And James, I'm sure, will ask you some very insightful questions, because he's smarter than me, about the role of practical learning in cyber and so on. But let's dive straight in. You and I worked together last December. We were in London at Cyber Threat and I was essentially a glorified compère, saying the next excellent speaker is so and so, and they were all excellent. But whilst I was doing that, you were running an incredibly complicated competition for 400 people. They were all loving it. They were baffled, frustrated and joyous in equal measure. So I'm trying to research all of this and I encounter the phrases Jupiter Rockets, Telnet International, Control Shift Delivery and Operation Meltdown, which sort of reminds me of the name of my brother's record collection of bad heavy metal bands in the 1980s or something like that. Now, there'll be people here listening who'll say, I know exactly what all this stuff is. But there are others who might think, well, you know, that was also my brother's 80s record collection. So what are these things and why are they called what they are?
C
So these are our CTF ranges that we've been building over the last eight years. So go back 10 years. I got invited onto a SANS training experiment for eight weeks where I lived in a hotel and was taught by James.
B
Sorry about that.
C
And as part of that process we also did a lot of things like hacking environments, we built systems to attack and defend, we played NetWars extensively. And one of the things that I took away from that was that training is brilliant. Training sets the standards and gives you the opportunity to find out things you didn't previously know. Whereas the hands-on practical experience is absolutely critical to that learning process, because you have to have somewhere to practice, and if you go and do a SANS course you will come out with a vast amount of new knowledge. But you've spent an entire week trying to listen to everything that's coming out from the instructor and you don't necessarily get a massive amount of time to practice.
A
Right?
C
And it's the practice that makes things real, because the course content gives you a foundational knowledge that tells you that this kind of vulnerability can be exploited in this way. And as James used to tell me, you know, well, it can be exploited in that way, but actually you can also do it in these ways as well. I have a distinct recollection of myself on the Dunning-Kruger curve being sort of happy and ignorant at the top and then spending three or four days with James before realising that actually I was in the Valley of Despair, which is where I've spent most of my
B
time in my career since. At least it's wet and warm down there.
A
Well, James will have much more interesting and insightful follow-up questions, but I just, given the story, what did you put on James's evaluation form at the end of the course? We must know.
C
I can't remember. I think my brain had actually melted by that point.
A
That was Operation Meltdown, literally Operation Meltdown.
B
If I recall it said something like make it stop.
C
Something about hot butter through chicken I believe.
B
Ah yes, I actually remember that, even though it was many, many years ago. I was talking about a blind return oriented programming exploit which I had misclassified in a hands-on exercise as medium difficulty, much to the amusement of the class. And I demonstrated how one would achieve it and used the phrase "like a hot chicken through butter", which of course is quite close to what one should say, but a lot more smashy and messy, and maybe actually a beautiful metaphor for that particular exploit technique. But anyway, look, with Ciaran's weird naming obsessions out of the way, tell us a bit more about the practical hands-on things you do. So you run these capture the flags and let people train their brains with hands-on skills and work in teams together. You've developed an applied skills analysis platform. Cool acronym, ASAP. Like that. And I know firsthand you're really passionate about this stuff and enabling the cyber security community to better itself. So how did you get into it? Why are you so passionate about it? And what's it all about?
C
There's a lot of big questions. Stay with us, we'll be right back.
D
Hi everyone, James Lyne here, the CEO of the SANS Institute. A quick thought for you. Cybercriminals have networks, dark web forums where they share what works, what doesn't, and where they're constantly sharpening their playbooks against us, so why shouldn't we do the same? That's exactly what the SANS Cyber Leaders Network is about. It's a place where CISOs and security leaders share what's actually working inside their organizations and what isn't, while getting access to world-class experts sharing insights into the latest threats and trends. You'll find me in there surfing around, sharing what works. So come join us at go.sans.org, that's Charlie Lima November, and if you're enjoying the show, one teeny tiny small favor, hit subscribe. That's genuinely all we'll ever ask of you. And in return we'll keep fighting to bring you the guests and conversations that
B
you want to hear. Appreciate it all.
D
Now let's get on with the show.
C
Why do I build CTFs? Well, again, I have a very distinct learning pattern. If I do something, I remember it. Other people are really great at reading stuff. There's a vast amount of people who can just watch a video and then repeat something from that. I'm a doer, that's it. That's as simple as it comes down to. And I believe a lot of people need that hands-on, practical experience in order to make a lot of the theory that they're learning, a lot of the academic side of it, real. So James actually recruited me into SANS and asked me to basically turn some of the original CTF environments into cloud-based platforms. And then over the last seven years we've just run with that and gone beyond where we, I think any of us, really imagined what we'd actually be able to do with a CTF. With the ASAP platform, we've kind of twisted it and we've actually turned it into an analysis platform that allows us to measure abilities and skills within individuals and within teams. So we can actually identify gaps within a SOC team, for example, or an incident response team, by challenging them in a CTF environment to solve a whole series of problems, in order to be able to then focus their energy on, you know, this is where your gaps are. This is where your, you know, additional training may be required. And this is what we'd recommend you do from there. And I think that being able to play in a safe space is absolutely vital, especially in this current climate. I received an email a couple of weeks ago from somebody anonymous who invited me to try and break into a system as part of a CTF challenge. And when I looked into it, it looked terrifyingly real. And I suspect it probably was. It was actually somebody trying to incite me to break into something that they wanted access to, which is horrifying.
But again, with the introduction of AI into security and the fact that the attackers are always ahead of the curve when it comes to adopting new technology, you know, we have got to get people hands on in safe spaces and being able to defeat the attackers, defend systems and, you know, we give them the opportunity to come across some technologies that they've probably never seen.
B
I love that, Simon. I think it's so important, and two things I draw out of that that I'd underline personally. The first, this practicing as a team and understanding the gaps. It's really easy to look at individuals and their own skill profiles and forget to look at them in macro from a cyber capability perspective. And I know a lot of security leaders are now thinking more holistically about that capability and how they want to build it over the coming years, which I think is really important. And then there's the other part of it. Do you want to practice when it's in production and the cyber criminals are doing it to you, or do you want to practice in theory with patience and calmness and learning outcomes before that happens? And it's just such a critical thing to give yourself and your team the time to learn, to fail, to grow. And that's what these types of activities are really about. Sorry, Ciaran, I'm in the way of your question.
A
No, let me jump in there, because when Simon said very powerfully and genuinely something I'll remember, that you personally learned something by doing it wrong rather than, say, reading about it, I jolted back in my chair because I had two reactions. One was reconsideration of life choices, given that I spend most of my time teaching in an ancient university. And number two, I'm guessing that this is one of the reasons, because you do a lot of these exercises, a lot of this practical hands-on learning in the community, you do a lot of it for free and you organize it where people don't have to pay. That's a very good thing. And I'm guessing you're trying to get people involved who wouldn't normally have the chance to show their potential. So a lot of organizations try to do stuff in the community. You know, they try to be good corporate citizens, but actually it's quite hard to have an impact. It does feel like you've managed to build a community of people who have been through these processes, have stayed in the industry, have stayed in some form of the community. So can you tell us a bit about the community aspect of this? How did you get started? How does it work? What are your hopes for it in the future?
C
This was a bit of a crash course during the early days of COVID, actually. It was discussions with SANS, with James, that we really needed to keep the community together and to keep people communicating. Now traditionally cybersecurity people aren't necessarily brilliant at doing this. So we wanted to create an environment where people could come, they could share information, they could chat about games or challenges. We could bring the people together to be able to talk. And this is where we created Boot Up CTFs. So Boot Up CTFs are the community-based CTF environments that we've now expanded upon. In fact, we ran about 110 of those events last year. They're all community based. We run them for very specific demographics, regions in the world. I've just run one, for example, for the historically black colleges and universities in the U.S. I'm running
A
Wow.
C
Women in Cybersecurity. Next week we've got an AWS one coming up very shortly. So these are all tailored towards that particular demographic, but they're also really accessible and really simple. They are Jeopardy style environments. There's no progress that you have to follow. You can just jump in and jump out whenever you want. We normally run them for about 48 hours to take into consideration different time zones. And we have built a really robust community around this. And there's tons of information that's being published, sometimes slightly annoyingly because people document the challenges which, you know, creates issues for us.
A
But yeah, I can see that.
C
Otherwise the feedback for them is generally very good.
A
Amazing.
B
Well, Simon, I could talk about CTF challenges for a long time, but we're going to resist that temptation. We're going to move on to other geeky stuff. Could get really geeky. Kieran, you can mute if you want to or go make a cup of tea.
A
Yeah, I'll go and do Wordle. It'll take me about half an hour.
B
Oh, I'll see if you can get it in one. Now look, Simon. So Jupiter Rockets, the ranges are of course, as you said, in a public cloud, and building these massive hackable environments where huge numbers of teams can come together and practice exploitation and defense and investigative practices is quite an interesting architecture and technical challenge. Not something that would have been very easy to do prior to the advent of many of the cloud technologies we have today. It's kind of something we take for granted in a lot of enterprise infrastructure. And if you look at your work or your courses, they're going to learn a lot about how to do cloud more securely. But it is funny, isn't it, that we kind of take it for granted and yet there are still so many misconfigurations and kind of odd issues going on in the cloud. It really, by now, shouldn't be a particularly sexy attack opportunity for cybercriminals, and yet it is. So cast your mind back to just over a decade or so, when Ciaran was in very, very late middle age and the cloud was new. I mean, at least the cloud we recognize today. Just like for so many, the AI we're talking about now is a bigger change than cloud was then, I would argue. But still a lot of fretting, a lot of worry that the cloud would be like so much other technology, cheaper, better performing, but not very secure. Some of it turns out more expensive. Tell us a bit more about your work getting on top of cloud security and what you think are some of the biggest lessons in how people have evolved their cloud design and infrastructure over the past few years.
C
It's funny how you compare actually cloud with AI, because they're very similar to a degree in the way that they've been adopted by organizations, enterprises across the world. Cloud has been around for a long time now, and you mentioned, you know, people still making the same mistakes as they were in the beginning. And it's true, unfortunately, because the cloud has grown into this enormous, the most complex LEGO set possible, that we are still getting some major implementation errors. And it all really comes down to education reinforcing good practical experiences and good training. So, you know, I teach an engineering class, we teach an architecture class, and the same challenges that organizations were facing 10 years ago they are still facing today. It's just that the technology's moved on somewhat. You also mentioned things like the, you know, the cloud being this cheaper option potentially. And it turns out that's not always
B
the case, rarely even.
C
And so we're now in a situation where organizations are moving back to on prem services and effectively just running an entire hybrid model which again increases that complexity and then we throw AI into the mix.
B
By the way, Simon, I gotta tell you before you go to AI, I do have this acronym because, you know, we love an unnecessary acronym in cyber security. But I've been using it and I think you'll love it. RINFOL. Run it now, figure out later. That's very good.
C
Yes. Otherwise known as. It's working. Don't touch it. Back away from the machine.
B
Many a banking mainframe I've seen.
A
I'll just go and check if rinfol.com is available. Just back in a sec.
B
I'd be careful with that one. It might be something you don't expect. Make sure you have SafeSearch turned on.
A
I don't know how to do that.
B
Anyway, Simon, you're going to tell us about AI.
C
Yeah. So AI's really, again, sort of changed the dynamics of what cybersecurity is doing. We've all of a sudden got this tool that, you know, there's a lot of talk that it potentially has the ability to replace the human element or human interaction, and I don't think it does. We've had a lot of talk from evangelists online that it's going to solve a lot of the problems. I think it's going to solve some problems, but it's going to create, and it has been creating, whole new problems in itself. And again, it's how organizations adopt this. Now with the cloud, there was a lot of hesitation. Organizations were not running full speed ahead, blind, into running infrastructure in the cloud. They were actually quite reserved about it because it was contained to the engineering teams, and it required you to understand software-defined networking, whereas the network engineers actually had appliances to play with and poke and prod. AI is very different because AI is touched by everybody. So every person in the organization is going to use AI whether the organization wants it or not. And I literally had a conversation yesterday with a small team of people and they have concerns about how AI is being used. They've got potential data leaks that have already happened. This thing's not going slowly. The adoption for it is vast, and the policies that organizations put in place just cannot keep up. So this presents us a whole new series of challenges. And of course, from my perspective, this is brilliant because it means I can now write a lot more code and be a lot more productive, because that's really what AI is. It's a productivity tool. But also we can introduce that into the CTF environments and we can experiment with this. And in fact, we did at our last Cyber Threat event, where we actually had a phone system where you could dial up an AI bot and you had to convince it to give you some credentials.
B
That was awesome.
A
That was awesome. Before you and James geek out even further on air AI, as I both expect and even hope that you will, can I just ask you a little bit about where you think AI is? I was really interested that you mostly concurred with James's framing of the cloud and AI experiences in terms of adoption, in terms of the narrative and so forth. But now you're saying, look, everybody is using it, it is different in some key ways. And I just wanted to ask. Here's a nice easy one. You know, what is AI? And what I mean by that is, when you're talking about organizational adoption, you know, there are all sorts of predictions in the past few years, there are all sorts of predictions of where it's going. But with any technological revolution, there have been bits where expectations have been overshot. There have been bits where things have been much slower in terms of development, and there have been things that have been predicted that haven't happened at all. And we're getting all sorts of predictions about robotics, about interaction with the physical world, about the takeover of various professions and so forth. So where should organizations really be looking in terms of which bits of AI matter most for their effectiveness and for their security?
C
So from an effectiveness perspective, it really should be treated as a productivity tool. It is there to expand or speed up processes that humans are interacting with already. The whole "let AI go off and do its own thing" is terrifying from my perspective.
A
Okay?
C
And from a security perspective, it's even more terrifying because, as humans, we're really good at missing things. And the AI tools have been trained by humans. So people have to come to the realization that at the moment, and with the versions and with the types of AI that we're currently running, there are still going to be some fundamental flaws in there, and that we, you know, we shouldn't really be trusting them with things as critical as security. That said, they can speed up a lot of those sort of remedial processes, the data hunting, etc. And I use it, you know, we use it extensively, particularly around things like log investigation and cloud infrastructures. It is good for a lot of those implementations, but we have to double check it, we have to verify everything it's doing. And the conversation I had yesterday with a company was that they have a product development manager who was essentially blueprinting what some infrastructure should look like, and he was then immediately sending that off to the development team in the hope that they were going to build it, without really any consideration of the architecture of what needed to be built, how it was going to be implemented and how it was going to work with everything else. Yeah, it was almost like they'd skipped the step to get the right.
A
And I can't resist asking you this as a follow-up, maybe even taking you back to capture the flags and practical learning and so forth. So you learn by doing, you're designing, you're bringing AI into all these exercises and so forth. So you're looking really, really closely, in a really hands-on way, you're doing everything short of live fire, at what the defenders can do and what the attackers are doing. What, in terms of two things, one, I suppose techniques is interesting. You and that sort of clichéd question about who does AI favor, attackers or defenders? What's your perspective on that?
C
Oh, including.
A
That's a terrible question. That's an acceptable answer.
C
Again, that very much depends on the individual's ethics.
A
Yeah.
C
You know, what their objectives are and how prepared they are to implement some of their objectives.
A
Yeah.
C
Some of the techniques I've seen from the AI perspective and from an attacker's perspective is actually targeting human nature. And I think this has taken a very dark turn.
A
Really interesting. Yeah.
C
We all know what phishing is, we all know what vishing is. Now all of a sudden we've got tools that can handle things like translation.
A
Yeah.
C
We no longer need to rely on poor translation. You know, the attackers can just translate whatever they want into whatever language they want, which means they can write code in one language and have it compile in another language. They can write emails, they can vish. All of a sudden it's opened up a vast area or surface of an attack that previously was, you know, getting better.
B
If you wouldn't mind, Simon, to build on that point or just to interrupt. Yeah, exactly. Well, you know, I hadn't spoken for a while and I do like attention.
A
Fine.
B
It is, Simon. It's the case that a lot of the folks who are building these technical inserts and artifacts and so on aren't exactly notorious for their gregarious social skills. And now with AI, it's not just that they can translate to other languages or have better spelling. Their ability to please people in conversations, to adapt to social preferences. I mean, that's one of the terrifying, you know, features of AI that's led to some elimination of models and the way that people have felt the need to anthropomorphize it and turn it into their friend. Well, think about what that does for our attackers who may be more technical and less human-manipulative and understanding in their nature. So it's even bigger than the translation thing, isn't it?
C
Oh, it is. I mean, it's into mimicry. And as we know from psychological studies over the last 20 years, in things like neuro-linguistic programming, if you can mimic the behavior of an individual you are communicating with, you're more likely to be able to get them to do something. And this is a horrifying aspect of AI because it actually is very good at this. You know, attackers can scope out and identify the traits, the language, the behaviors used within an organization and become a part of that organization in order to then leverage further access. And we've seen this over the past six to 12 months really gaining traction, not just through phishing either, but through voice prompts, et cetera. It's getting a lot more difficult to detect.
B
Yeah, it is. And I'll share a couple of stats from my perspective. You could refute these violently if you like, Simon, or agree. Up to you. And then I've got a couple of questions on the back end of this to try and make it useful to our listeners as they think about cloud and AI today. You know, look, I've seen these wonderful headlines and kind of application of these technologies for defense and offense, and the obvious question is, well, does the world get more secure? We saw the huge plunge in the stock market in cybersecurity companies due to the preview release of, in effect, you know, an LLM for improving code quality and reducing vulnerabilities, which by the way is a fantastic use case for this type of technology that I thoroughly encourage. But the details matter, don't they? Because two things are true. Firstly, having more of this stuff out there, more agents, more AI, is likely to increase the surface area of attack. So even if you reduce the number of vulnerabilities in your code, there's more stuff. There's more surface area, which might take us to a place where frankly, we're just as exposed as ever. But there's also all this research out there, isn't there? There's, you know, kind of Opus 4.6 vulnerability density increased 55% over its predecessor. And, you know, Veracode kind of released a report saying security performance stays flat regardless of model size. And there was another one, I think it was Endor Labs, who'd said that, you know, these models that are producing fewer false positives and improving code security also generate code that's vulnerable 25 to 75% of the time. So I get this real sense that we're admiring the improvements, which are wonderful, and missing this bigger point that it's going to create a ton of other baggage that leaves us in a world where we're just as exposed and frankly, maybe more exposed. Oh, God, I've gone full doomsday scenario. Simon, help me out.
Can you give me some pragmatism here on how you think this is going to play out for organizations over the next couple of years? Go for the middle ground.
C
Unfortunately, I'm not going to give you any pragmatism at all. I'm actually going to reinforce what you just said.
B
Oh, no.
C
So the stock market in a particular type of organization actually took a tumble over the last three months, which was SaaS products. Right. So software as a service, all of a sudden, their really stable consumer base has now been disrupted because anybody can write an app. So we now have a situation where the incumbents who have spent millions in research and development over the last 10 years or so are now being phased out by organizations because they've realized that rather than pay a particular license, they can get a developer in who knows how AI works and then write a custom application for them. And then that brings you back to this surface area of attack statement you made as well, which is, yes, we have now more advanced tools in AI that can identify flaws in code, bad practices, all those kind of things, but we've also got 10 times more people without any experience writing code. So is it going to get any better?
B
What could possibly go wrong?
C
What could possibly go wrong? Yeah, it's a less than ideal situation. And I think again, it's going to take a while for not just the early adopters to get beyond this point. It's going to take a while for the organizations and for the teams who are a little bit slower to pick up new technologies to get into this state, which means that actually we're probably going to be facing a worse scenario in the next year or two than we already are at the moment before we get to an improvement state. Unless there is another huge leap in the technology and an advance in the technology.
B
Yeah, no, that makes sense. Well, look, I've got one more thing for you and I promise I'm going to get out of the way. Kieran, I'm hogging up a lot of time here.
A
I'm learning by not doing so much
B
like people with a lot of AI, frankly. So, Simon, I want to get back to something practical for our listeners here on both cloud and AI. So I give you a hard assignment. Two points on how people need to pay attention to cloud security here in 2026. Two things that you think are particularly important that a security leader goes and checks their technical team are mistakes that are common. And then two things in AI where you do the same and validate it's being used a certain way, or you've got a certain policy, or that you're looking at a certain area of technology you think matters. So for both of them, two specific things that you think are worth paying attention to that people can go check.
C
I'd like to say I've got a million things I'd like to say on that one. I mean, the two that tend to cause the most problems for organizations in the cloud is identity, primarily in the cloud environments, managing users and just doing the basics. I mean, again, I was reading an article written by a pen tester. He was talking about an organization that had spent, you know, $2 million on an EDR, an XDR. They'd got endpoint detection and response. They had a pen test and they were breached within two hours. And they were breached within two hours because they had a hard-coded credential stored in a file, stored in a server somewhere, unsecured buckets, et cetera. All of those traditional weak spots inside a cloud environment implementation. They're the things you want to watch out for. And you don't need a vast array of expensive tools to do that. You just need, you know, eyes on and some skilled professionals. The next challenge to that one then is to expand that out onto management of your on-prem infrastructure as well. And the cloud now is part of on-prem. In fact, your on-prem is going to become your on-premise cloud, and that is where everything is going. So, you know, handling again, identity from those two distinct environments is proving difficult for organizations, especially when they're trying to drag some legacy systems along with them. From an AI perspective. Oh, this is easy. You just got to train your staff. You've got to provide and give them incentives to use the technology appropriately, show them the potential problems and the flaws in the way that the technology is implemented, and provide them with the tools that they need in order to be able to use those resources properly. The next part of that one is manage the actual communications.
I had a very, very odd scenario a couple of where an organization implemented a very strict policy across the entire organization, made all the staff sign a document, basically went through the whole tick-box exercise for ISO 27001, Cyber Essentials, et cetera. And then the CEO was using his own personal ChatGPT account and actually posted information about his clients in that account and created a breach.
A
Wow.
C
Just from that kind of default activity. It was logged in on his computer, on his enterprise, and he was on a personal account on his phone, and that was it.
A
What an incredible answer. We could unpack that for hours, but actually it was so succinct. I suspect some people would just clip that bit out and use it as advice for their organization for quite some time to come. But so let me ask you hopefully a slightly easier question. It's a hard one to ask because I'm trying to bring lots of things together that we've talked about. Love the remark about your on-prem cloud. You're talking about the challenges of AI adoption and all the complicated things we've talked about today and the fast pace of change and so forth. We are talking about an industry where quite a lot of people feel under pressure. Now, anyone who's encountered you, we can't speak to how you're feeling on the inside, but I hang around with you at conferences and you're about to go on stage. You have legendary status in parts of the community, but you wear it all lightly with a famous cap on your head. During the CTFs, you have this huge area of hinterland of interests outside of work. You get so much done, you don't seem to, on the face of it, let it all get to you. But there's plenty of talk about this industry being under pressure. So two questions to finish off with. One is really, how do you manage to do all this with, at least in public, a smile on your face? And is there a more serious problem in our industry that you, by whatever means, have managed to avoid?
C
There is a serious problem in the industry with burnout, and it's very easy to fall into that trap, and without noticing as well. The pressures that people who work in cybersecurity are under: you've got to be constantly learning just to stand still. There's often more work than is possible to actually do as a single individual; then, you know, add the training onto there and then incidents on. If you're in that particular part of the industry, it is really difficult and you do just have to take yourself out of it fairly frequently. Do something that's completely, you know, outside of that environment and just keep yourself grounded. I find it exceptionally easy, but that's just because I'm a massive geek. And to be honest, this is as much my hobby as it is my job. And I am very lucky to be in such a position where I basically turn up to work every day excited. In fact, I said to my wife this morning, she was leaving the house, she was like, what are you doing today? I was like, yes, I'm building CTF challenges today.
A
Haven't managed to do that for about
C
three weeks because I've been doing some other things and running some events.
A
So how are you getting on?
C
I was great. Yeah, they were brilliant. I've had a lot of fun today.
A
Excellent.
B
Simon sits in his lab like an evil genius trying to recreate the machinations of cybercriminals and then do them in a way that's secure enough that lots of cyber security professionals can emulate that safely. And it's a fascinating problem to build something very specifically vulnerable and not more broadly vulnerable. It's a really interesting problem, isn't it, Simon?
A
And only you, James, with that mind of yours, could take that wonderful, upbeat, positive answer about I'm so lucky because my hobby is my job, and say, yes, you're an evil genius.
B
Well, I think it's flattery of the highest order, actually. It's highly creative. Evil for good, right, Simon? Evil for good. Another T-shirt. We've got one.
A
That would be a very good T-shirt, actually. Yeah. That's the best idea we've had for a while for these fictional T-shirts that we never actually make, but there we go.
B
But one day we just might. There's a distinct possibility that's probably a slogan of a company somewhere. So apologies if I just inadvertently promoted someone or breached a copyright, but if not, someone should snap that one up, I think.
A
I'm almost worried, and this is my fault. I've got us rambling again. Just me and you. Not Simon. He's been very articulate, and we might run out of time before your favorite bit, James, because I think, you know, having done cloud, AI, capture the flag, community outreach, state of the cybersecurity industry, I think we'll let him off a bit. Except for your favorite bit. Go on. We have to.
B
One must. So look, Simon, it's only fair if we ask people to listen to us, we give them something really pretty practical and useful at the end.
A
So. Absolutely, Simon.
B
So we are asking you for your 30 second takeaway. It's my favorite bit. Simon, this podcast is about lessons for cyber security leaders. So if you've got just 30 seconds with a cyber security leader, what would you advise them here in 2026 to pay attention to, to ignore or frankly to give up their role to an AI and go and get into carpentry or motorsports? I don't know. What would it be?
C
My recommendation would absolutely be invest in your people. They are the ones who are going to make the biggest difference. And actually proving your security capability and not just claiming it is a massive win for anybody who's in cybersecurity leadership. My actual goal is really simple. I basically want to take teams of people into operational readiness by giving them systems to break, defend, recover, et cetera. But you've got to commit those resources to come and play those games so that they can practice without the pressure of somebody leaning over their shoulder asking them, is it working yet? Is it working yet? Is it working yet?
A
And that is as clearly expressed a 30-second takeaway as we've ever had, and a memorable one too. Thank you very much, Simon. It's been an absolute pleasure having you on the show. And unfortunately, that's essentially all we have time for. So all that remains for me to say, apart from thanking Simon and even thanking you, James, is to say you can leave us feedback at the podcast site or you can email us@cyberleaderspodcastanz.org. Tell us what more you'd like to hear, less; tell us anything you like.
B
And so with that, thank you very much for listening today.
A
Thank you for listening. Keep cybering. So for me, Kieran Martin, and me,
B
James Line, it's goodbye. And remember that when exploiting a binary, it's a lot like a hot chicken through butter.
C
Sam.
This episode dives into the persistent challenges and necessary fixes in cloud security, exploring why many organizations are “still getting cloud wrong” even as cloud usage has matured. Renowned cloud security expert Simon Vernon joins the hosts to discuss his journey, the evolution of cloud and AI in cybersecurity, the power of hands-on learning environments like Capture the Flag (CTF), community outreach, and practical lessons for cyber leaders in 2026.
In Cloud Security
For AI Governance
On Team Health
Simon's 30-second Takeaway:
"My recommendation would absolutely be invest in your people. They are the ones who are going to make the biggest difference. And actually proving your security capability and not just claiming it is a massive win for anybody who’s in cybersecurity leadership...you’ve got to commit those resources...so that they can practice without the pressure..." ([41:52])
The episode is engaging, candid, humorous, and approachable, balancing high-level expertise with practical analogies and community spirit. Simon’s humility and enthusiasm shine, and both hosts add levity and sharp insights throughout.
Recommended For:
Cybersecurity leaders, technical managers, educators, and anyone interested in closing the gap between theoretical and practical cyber defense—especially those grappling with the realities of cloud and AI adoption.