
A
From the CISO Series, it's Cyber Security Headlines.
B
This is Rich Stroffolino with the Department of Know. Keith Townsend, host of the CTO Advisor podcast and founder of The Advisor Bench. I gotta ask, what is your priority this week? A lot of things, holiday coming up. Where is your mind at as we enter this week?
A
This week is Thanksgiving, which means that my top priority is AWS re:Invent next week. It is 50,000 of my closest friends. I'm prepping for that.
B
You know, turkey, stuffing and AWS re:Invent. It's everything, you know, we have to look forward to and be grateful for. Howard Holton, CEO at GigaOm. What is your priority this week?
C
So, similar. I'm getting ready for AWS next week, but I also took the whole week off to do in-depth product work and then celebrate Turkey Day with the family.
B
Okay, I gotta ask. AWS re:Invent, like, what is your mission? Is it just info dump? Are you looking to meet with certain... like, what is your mindset going into re:Invent? I've never been. Seems like it would be interesting. But Howard, I'm curious from your perspective.
C
re:Invent is the only conference that I go to that is, like, sensory overload. It is so much bigger than anything else. It's impossible to see it all. I mean, I don't even know that you could visit it all. And last year I had so many meetings back to back that I never left the lobby of one of the two hotels. So I saw none of the content. I watched all the content after the fact. So it's really about, like, meeting people in person. I do 10 podcast recordings that week. It is just an insane level of kind of back to back.
B
So, lobby enthusiasts, you would recommend attending. Keith, is that your experience as well?
A
Just like it, it is so much... very similar in years past. The past couple of years I've gone with the analyst program, and they have it in a completely different hotel. And it's just, they overwhelm you with meetings and scheduling and all of that, that physically it is very possible to make it from the Wynn to the Venetian, which is right across the street. So this year I'm not doing an analyst program. I am bringing the lightboard. Actually, I just checked right before the start of the podcast, I bought a new lightboard and I'm waiting for it to come in. So we've set up a studio in the Venetian. We're going to do some interviews, and then, you know, everybody wants to meet with you, and then it's the conference that I'm actually trying to learn something at. I'm not going to be able to attend any sessions or anything like that. I'll make the show floor, but I'm not going to be able to attend any sessions. I'll be like Howard, watching this stuff on replay.
B
Well, everyone listening to this is going to make up for it, because they are definitely going to be learning something over the course of the Department of Know. Yes, that's right. We have started the show and we are here to help keep your week informed and ready. And we're getting you ready for next week too, with re:Invent. Also, big thanks to our sponsor for today, KnowBe4, the number one trusted human risk management platform. Remember, you can get involved in our live chat, and if you can't join, set a reminder. Join us next Monday at 4pm Eastern on the CISO Series YouTube channel, or email us at feedback@cisoseries.com. Just a quick disclaimer that the opinions expressed are in fact those of our guests, not necessarily those of anyone else, employers or otherwise. We've just got some straight Keith and Howard, and I'm looking forward to it. We've got about 30 minutes, so let's dive in. First up is our Know or No segment. Now, this is pioneering stuff for Know or No: we're going to be doing "which is the bigger deal here." First up we have Azure getting hit by a DDoS using over 500,000 IPs. Microsoft reported its Azure network was hit by a 15.72-terabit-per-second DDoS attack from all of those IPs, and that was launched from the Aisuru botnet. The attack targeted an Australian IP, peaking at 3.64 billion packets per second using good old UDP. Then we had the one that probably impacted you in some way: Cloudflare blaming a database for that big outage, their biggest one since 2019, that saw everything from ChatGPT to probably most of your websites offline for several hours last week. And with ChatGPT down, me now no writing good by my lonesome no more. The company now says it wasn't a cyber attack; it was a database permission change that caused Cloudflare's bot management system to generate an oversized feature file that repeatedly crashed its core proxy. Oops. Howard, I've got to come to you.
Which one here is the bigger deal: architectural problems at Cloudflare, or DDoSes that...
C
...just keep getting bigger? Architectural problems, for sure. The reality is we know how to deal with DDoS attacks, and other than mitigation techniques, there's not a whole heck of a lot you can do. As they get bigger and bigger and bigger, they become almost nation-state issues, which is almost impossible for any enterprise to manage. However, configuration issues you cannot plan for. I can absolutely plan that there will always be DDoS attacks, and thus I need mitigation strategies, but what I can't plan for is architectural issues. If I knew about them before, I probably would have solved them already and wouldn't be so surprised by them. But this is exactly the same thing that happens, I don't know, once every other year or twice a year with Amazon, where us-east-1 goes down because, well, they pushed a new configuration and BGP fell over, or they pushed a new config. You know what I mean? We keep facing these, and ultimately we're going to continue to get hit by this. Well, probably forever.
B
Keith, what about for you? Which is the bigger deal for you here, and does this... I don't know, does either of these raise any bigger questions for you?
A
Yeah, you know, I kind of looked at the Microsoft number, 500,000 bots against its, you know, infrastructure in Australia, which is, you know, I think that's context, right? It wasn't against all of Azure. They tried to concentrate it on one set of resources on one continent, which tells you how big Microsoft is. But that's not as interesting as how many times I've read about a Cloudflare outage that has even impacted me, one of the websites I manage or one of the services that I use. And this harkens back to a few years ago. Netflix had a big outage around Christmas time, actually on Christmas Day. It was all about change management. The cloud provider, I think it was AWS at the time, it's been some years so don't quote me, had a change management issue or change. Netflix wasn't in the loop on the change, and they had a several-hour outage on Christmas. So no Hallmark movies for you on Christmas Day. So yes, for me the much bigger deal is when a trusted provider like Cloudflare, who generally does a really good job, goes down. And that's just out of my wheelhouse to manage.
B
And if that happens this year, all the Stranger Things fans will just lose their minds, because they've been waiting for the dribs and drabs from the Duffer Brothers for four years now at this point. All right, next up here: FCC to torch rules from Salt Typhoon. The FCC is set to vote on scrapping former cybersecurity rules imposed after the 2024 Salt Typhoon attacks, which required telcos to implement basic security controls like MFA, role-based access and patching. The FCC under the current administration argues the rules were legally overreaching and ineffective, favoring a collaborative, voluntary approach with industry and federal agencies instead: the government's preference for collaboration in place of what it calls overreach. Keith, for you, is it know a little more about this, or no thanks?
A
So this was no thanks for me, not because I don't care about the issue. It is because until we get to a point where we have an intelligent enough Congress to help us pass laws that don't change from administration to administration, it's noise to me. We need something. We need consistency. And these pseudo-legal organizations like the FCC that, you know, change every four years or less... it's just frustrating.
B
Howard, what about you? Do you need to know a little more about this, or no thanks?
C
So I'm going to say know a little bit more, but for the exact reason that Keith pointed out, the opposite kind of take, right? The reality is, I mean, this is our fault. But additionally, like, the asininity of the response from the FCC should be far bigger news. Like, every American should be upset about this. And everyone that has any communication run through the US for any reason should be upset about this. The fact is, if private business could have solved it, they would have solved it. They chose not to. And not just a little bit. Remember, the Chinese hackers were in here for years, and the FCC themselves said they still are in some networks. This is not a problem that is solved. This is not a problem that's gone away. This is effectively: we let the burglars in. We knew they were in, they're still in. And we sent the police home and said the homeowner who let the burglars in just decided to live with them, and somehow that's okay.
B
And I will even go so far as to say the regulations were basically, it was just like, let us know that you're doing something. It was not even that. It was not onerous. It was mostly a reporting requirement, essentially an audit to say, hey, what controls do you have in place? Maybe MFA might be a good idea, guys, I don't know, just spitballing here. And they have to work.
C
Maybe something from 2008 would be good, like maybe best practices from the aughts, because that's all they were asked to do, right? These are not best practices from 2025. These are best practices from two decades ago that they still hadn't put in place, they still hadn't figured out. Like, guys, this is ridiculous, and this should be bigger news.
A
Yeah, I have this saying. As mad...
C
And as mad as I am about...
A
...this, yeah, I have this saying: TSIH, this stuff is hard. And when you can't get information from people, demonstrably the telco providers and these people who build big networks, they are smarter than me, no doubt. And for the people who are smarter than me, if I can't depend on them to give me the information to let me know when there's an intrusion, what hope is there for me? So we need better. I'm not a big regulation person, but we need better laws here if the private industry is going to solve this for us.
C
Look, I'm cool with less regulation on small industry. You make less than 50 million in revenue, fine. But when you are hundreds of billions of dollars, we need regulation. It is inexcusable. And combine that with their absolutely critical infrastructure; it is absolutely inexcusable.
B
CCL in our chat here says the only thing I'm worried about with telcos is SIM swapping; don't trust the network anyway. I mean, that's the weird thing: I never thought we'd get the cyberpunk part of, like, oh, you fools, you're still using the legacy telcos? Everyone knows those have all been compromised. You know, like, we're in, like, a Gibson novel now at this point with the trust in these networks. I'm kind of in the same boat there with you, so thanks for that comment. Next up here, a Know or No: Canadian regulators say schools share blame for the PowerSchool hack. Authorities in Ontario and Alberta released their investigative findings on the PowerSchool data leak and faulted the school systems for missteps such as not putting privacy- and security-related provisions in contracts with the education software firm and failing to effectively monitor and oversee PowerSchool's security guardrails, particularly in regard to multi-factor authentication. Man, everyone's just beating on the multi-factor authentication drum here. The onus is being put on organizations to become more proactive in relation to third-party vendor arrangements. Howard, for you, know a little more, or no thanks on this?
C
Know a little more. The truth is that they're not really wrong. The expectation is, if you've entered into an arrangement with a vendor, you are still ultimately the custodian of the data. It is a shared responsibility model, not a not-my-problem model. At the same time, I would go, cool. So a school district, never funded quite enough, never funded even nearly enough, right, pays below market rate. What is the overall... like, for us, it's the Department of Education, right? Like, where are the policies that are put in place that they can build from? Are they expected to go from zero, where they were just expected to know they should do this, they should somehow monitor this third party? And what does that actually look like? Because without some sort of help, they kind of have to start from zero. They're already starting on their back foot. Maybe it's also up to the government, the larger government, to put together a series of standards for them and then say you have to follow these standards: not these kind of broad-stroke things, but actually get specific. This is what a good policy looks like. If you wish to veer from the policy, you need to submit it, or you're responsible, or something. But it can't just be, well, I mean, school, it's on you. No, it's also on the Canadian regulators. You are a regulator. Your job is to regulate. Where was the regulation beforehand?
B
Keith, what about you? Do you need to know a little more about this, or no thanks?
A
Yeah. So I spent time, and this will come up a little bit later on, spent time at Lockheed Martin for a few years, and this is what OMB requirements here in the US are about. Not every agency has the wherewithal to know all of this. They also don't necessarily have the budget to hire someone like a Howard or Keith to help navigate them through this. So yes, it's shared responsibility, but it's a school district. Like, they cannot afford me, quite frankly.
B
We got a suggestion in our chat: the schools need a lobbying group as powerful as the telcos'. Then nothing's to blame on them, and they'll have voluntary cooperation. So it'll all work out in the end.
C
Oh yeah, that's true. That's true.
A
Yeah.
C
All right.
B
And last up in Know or No: SEC drops remaining claims on the 2020 SolarWinds hack. In the aftermath of the breach, the SEC brought charges against the company and its CISO Tim Brown in 2023, alleging fraud and internal control failures. On Thursday, it dismissed its case against both SolarWinds and Brown entirely. This was a major sort of sword of Damocles hanging over CISOs as a profession, this kind of specter of charges like this. And Tim Brown had a heart attack over this. That's the kind of damage that, I mean, literally is embodied within him. Keith, for you, know a little more or no thanks on kind of getting the last of the SolarWinds aftermath out of the way here?
A
One thing you'll never see in my job title is CISO, so, Howard, it's all yours. I have no desire to be anywhere close to having this level of legal responsibility for my organization's security.
B
How about you?
C
Yeah, I mean, there's a reason I'm an analyst now and the CEO of an analyst firm and not a CISO anymore. And it's funny, I was doing a talk for a security company, like, a year ago, and this topic came up, and there was another guy who kind of made the same choice I did, and we just kind of looked at each other and laughed and went, yeah, I won't be a CISO again. Like, it is ridiculous that I get the least amount of attention, the least amount of funding, constantly complaining about all these things, get told to shut up, get told to stop being Chicken Little, and then the SEC might come after me. No, I'm out. I'm out, I'm out. I'm done.
A
I'm not.
C
Like, at some point, nobody cares about cybersecurity, and ultimately, a CEO can allow a product to be produced that kills people, causes cancer, does whatever. I spent a decade in eDiscovery, and they get away with nothing. But the SEC will come after me when they don't listen to me about cybersecurity. No, I'm sorry, I'm done. I'm not doing it.
B
So does this ease the thing that kind of pushed you, that was a motivator, or is this just... they could still do this at any time?
C
No, they dropped the...
A
The...
C
They dropped the claim. They dropped the case. They dropped the charges. They didn't change their posture. They didn't let it actually develop precedent, nothing. So, like, a dropped charge just means they could do this to the next one and the next one and the next one. If the SEC really wants to take action, the next step needs to be: here's actually the rules and requirements. Here's how we're making it somewhat safe to be a CISO. Here's what your responsibilities are. And that allows me to then go into a negotiation for my comp package and go, here's the liability coverage you are going to carry for me. Here's what that means. I get to pick the attorney. Whatever, whatever, whatever. Right. Like, it's ridiculous and actually doesn't help. I know people are going to look at this and think it does help. But precedent is how the law is decided. It's what really gives us the boundary. And they dropped all of it. And that doesn't mean they won't do it again to the next company. And that's really my concern. Unless the SEC files different rules, we're still in this questionable area.
A
And I don't want to spend the next five years of my life fighting the government. Just know I can become an analyst.
B
Well, and Howard, as you are wont to say, right, CISO, their job fundamentally is about identifying risk, contextualizing risk. And you did that for yourself. Right. And I think as a profession that will continue to be an open conversation about the risk that they're exposing themselves to until, to your point, the can stops getting kicked down the road and we actually get some sort of final judgment on whether this can actually happen. Or maybe not. Before we move on to our larger discussion stories, I've got to spend a few moments and thank our sponsor for today, KnowBe4. Cybersecurity isn't just a tech problem, it's a human one. That's why KnowBe4's human risk management platform allows you to measure, quantify and actually reduce human risk across your organization. With AI-powered risk scoring, automated coaching and reporting, HRM helps you surface your highest-risk users and reduce the risk of data breaches and cyber attacks proactively. Ready to move from awareness to action? Request a demo at knowbe4.com/hrm today. That's k-n-o-w-b-e, the number four, dot com. All right, our first deeper discussion here: overconfidence is the new zero day. This comes from a new report from Immersive that shows cybersecurity teams are overconfident but underprepared. What a dynamic duo, if I've ever seen one. Across 1.8 million simulated exercises, participants averaged 22% accuracy and took 29 hours to contain infections. Readiness scores have flatlined since 2023, with many teams practicing outdated scenarios and excluding non-technical roles, which undermines coordination. Confidence often exceeds actual skill, and metrics like training completion mask capability gaps. So Keith, I'm curious from your perspective. The report urges organizations to shift from assumption-based confidence to evidence-backed readiness, continuously testing skills against evolving threats and including AI-enabled attacks.
What are your thoughts on these findings and how do we get better from here?
A
So the findings don't surprise me. I think if you've never really been part of a breach, you've never really been bitten by this, you can be overconfident. And I can tell you from my time at Lockheed Martin, when our two-factor authentication was compromised. Think about that. Lockheed Martin, our two-factor authentication was compromised. These people know more about security than I do. They've forgotten more than I would ever know. And then just a few months later, when I was at PwC, I was helping a Fortune 500 credit card processor recover from a breach. It was 90 of us, 90 Keith-level resources. Whatever you think about Keith, 90 Keith-level resources on the ground for six months working 12-hour shifts, helping this company recover and get ready for their next QSA audit. So I have no level of confidence in my security skill, but that's because I've been bitten before, I've dealt with these issues. So the only way to prepare your staff for this without actually going through it, and I don't recommend it for anyone, is to train, train, train awareness. This is why conferences, like all of the security conferences or anything that's security related, are important: for folks to go out and talk to people who've experienced these issues and gone through them. Get away from vendors. Vendors are not the ones to talk to. It's other end users, other security professionals that have actually experienced breaches, they've experienced malware attacks, they understand the pain, and they thought they were prepared and they learned what prepared really looks like. There is no prepared.
B
My only hope is, as more millennials get into the workforce, that any sense of overconfidence will be completely shattered in them as they get into these higher-echelon positions. That's my only hope here. Howard, how are we getting into this overconfidence mindset here? Like, are you surprised by this?
C
I mean, welcome to 2025, like...
B
I mean, same story, new year, right?
C
I mean, yeah, without a doubt. Like, okay, cool. We spent a bunch of money in 2020 on cybersecurity. We spent less the year after that, less the year after that, less the year after that, and less the year after that. Like, while budgets are still increasing, they're not increasing at anywhere near the same pace, and we're still, on average, at less than 10% of IT's budget going to cyber. Right. So of course this is a problem. But also, how many companies just don't have MFA everywhere? If it's more than one failure... remember, if you have an exception to security, you don't have security. That one user that doesn't have MFA because it's a problem for them and they're on the exclusion list. Yes, I'm looking at the CEO's executive assistant. Not mine, but every organization: if there's going to be an exception, it's guaranteed to be that exception. Yeah, okay, cool. That's also a hugely targeted account. That's a hugely valuable account to go after. And who are you going to go after? Well, I'm going to go after the people that have been there the longest. I'm going to go after people that are in strategic positions of power. Sure, easy one to go after. So the one you shouldn't exclude is likely the one most excluded. So when we start to run these scenarios and the advice is, oh, include the business, cool. But they won't show up.
B
Why?
C
Because the organization doesn't actually take cybersecurity seriously. It's all the responsibility on the CISO, none of the actual authority to make any changes, because everything is overruled for budget. Well, okay then. Then you get what you get. Like, it's the risk that you have accepted. So just accept the risk and stop complaining. Like, we tried to tell you. You didn't listen. You know... stop hitting yourself. I don't know what to tell you.
A
Yeah, I have to... that... Howard, you remind me of a painful exchange with a three-letter-agency director. Oh, like the... we enabled multi-factor authentication on removable media. And this is to, you know, this person's credit, which is not helpful. It was 2010, and they went to the White House and they put their thumb drive into a White House machine. Now just think about that. They put their thumb drive into a White House machine, and they were very, very, very upset that they had to remember what their password was so they could access the thumb drive. Now, today, that would be, what, you took a removable media device and put it into a machine at the White House? That's crazy in itself. But, you know, that's where... so, you know, as you think about exceptions, I'm not going to say if we made an exception or not, but, you know, this is where exceptions come from. Security is hard.
B
We had Kevin Farrell in our chat here: there will be more memes, I guarantee it. Kevin, if you have any more MFA exception memes or anything related to this, please send them our way: feedback@cisoseries.com. Anyone in our audience, I want all your memes. We will share them. And hi, Amish Runway. Glad you could join us. Better late than never. It means a lot. All right, our next story here: AI is too risky to insure, say insurers. Gulp. Major insurers such as AIG, Great American and W. R. Berkley are asking US regulators for permission to exclude AI-related liabilities from corporate policies, which one underwriter described as too much of a black box. One executive from the insurance company Aon was quoted as saying, insurers can handle a $400 million loss to one company. What they can't handle is an agentic AI mishap that triggers 10,000 losses at once. You know, Howard, this article cites examples of the types of events that are spooking insurers here. So let's run down a couple of them: Google's AI Overviews falsely accusing a solar company of legal troubles, resulting in a $110 million lawsuit; back in March, Air Canada being forced to honor a discount that was invented by its chatbot; a $25 million deepfake that happened to a London-based design firm last year. If insurers don't want to insure, where does that leave organizations who are now, I'm going to say, deep in the morass of AI at this point? Howard, how should we read this?
A
Sure.
C
Let's talk about Air Canada for just a second. Okay, so I'm a customer. I have a loss in the family. I ask their customer service, which turns out is an AI bot, what the bereavement policy is. It tells me the bereavement policy. I'm at least smart enough to screenshot it. I do the needful. They deny and say that's not a real policy. Cool. Escalate. Nope. I sue you in court. You should have just settled. At any point, you should have gone, oh, crap, this is a problem for us. We made the mistake, and you should have just settled. Instead, they didn't. They went to court, and the Canadian court said, what are you, stupid? Your customer did what they were supposed to do. You doubled down. You tripled down. Now you're here, quadrupling down, of course. Also, it was like $800 Canadian was the original amount. It's not even money.
B
That's like 40 cents.
A
Yeah.
C
Far more. Yeah, yeah, right, right. Convert it to Freedom Dollars. That's like no money. That's like a Coke. I mean, sure, Cokes are $18 now, but, you know, like, they deserved every inch of that, every second of that. That was 100% their fault. There's no two ways about it. Right. They didn't know what they were doing. They put themselves in that position. They absolutely deserve all of it. Matter of fact, I think, if that happened in the U.S., that would have been a $3.7 million judgment, but in Canada, they don't do that. Like, at some point, that's not an insurance problem. Should not be an insurance problem. Like, no, go away. I would argue in the same way that CrowdStrike should never have been the CrowdStrike issue. Never should have. No one should have ever been allowed to submit that as a cyber incident. That was an application configuration problem. That had nothing to do... you know, they pushed the update and blue-screened everything. Like, at some point, as much as I don't really care for insurance companies necessarily, right, like, they make money off of the worst part of us, at the same time, they still have to be able to run a business. And absolutely, the lack of understanding by the community, the community of people actually putting this stuff into place, is so great. The pressure to push it fast into production is so great. There's no way; there's no insurance company that should do that. They're already struggling around cybersecurity for exactly the same reason. Right. The number of insurance companies that have pulled cyber policies as a portfolio just gets larger every year, not smaller. Insurance companies aren't adding cyber. They're removing cyber as a policy decision. Right. So yeah, this is totally logical and reasonable, and I hope the insurance regulator sides with the insurance companies in this case.
B
Keith, I mean, what kind of red flag, in terms of, like, hey, we're rolling out AI? Oh, also, insurance companies won't take our money. Like, what is that saying to you?
A
So actually, as I talk to businesses, there's not as much shadow AI as there was shadow cloud. Shadow cloud was all over the place. The marketing group would have a cloud project and the developers spinning up this. The business understands the risk, and they move a lot slower in comparison to other technologies where they could consume them on their own. You know, Google's latest model, Chat... I mean, not ChatGPT, but Gemini Pro 3.0, came out the other day, and my AI agent runs on Gemini Pro 2.5. It wasn't even a remote possibility of me moving my little-used agent that maybe gets one or two inquiries a week, but the inquiries that it does do are representative of my brand. And there is no way I'm trusting a new model with my brand. And I think this is pretty much the sense, right? What Howard is saying is true. I don't think I want insurance companies to cover this yet. I think we want companies to go extremely carefully, as we always want that. Because it's one thing to make an $800 mistake on a ticket. It's one thing to sell, you know, a first-class ticket that should be $25,000 for a dollar. It's another thing to say put glue on pizza. Like, that's another... like, it may or may not be harmful. But there are enough studies to show that, when AI... AI is an expert in language. When AI tells you to do something, even when you're an expert in it, you start to question your own expertise. We need to be careful. It is a great tool, but it's not a great tool.
B
Is this a level of, we need five years of data on this, and then insurance feeds it into their insurance AI and they're able to price this all out? Or is this, I mean, I feel like that about cybersecurity. Like, fundamentally there are variables to that that seem like an impossible market to really build that actuarial table out of. Does that flip around in X amount of years, or is this always going to be, hey, you're building this, this is on you? Howard, does it flip? Your perspective.
C
Yeah, I think it'll flip, but I think the problem right now is very similar to cyber, in that they didn't really have a firm understanding before offering the product for sale. And then it kind of became the parachute that organizations were using to justify not enough proper investment in cybersecurity. Well, I mean, ultimately our policy would cover it, and our policy only costs this dollar amount. So if we spend more than that on cyber, we're throwing money away. Just let the insurer pick it up. Those are legitimate conversations that I've heard inside organizations. The reality is, if we do the same thing with AI, this is going to be chaos fuel, and it's not going to get better. We need organizations to be far more pragmatic and realize there are no training wheels. Guys, this is on you. This would be a good place for the SEC to get back involved and really go after CEOs that are bad custodians of their customers' data. I would like you to think about something for a minute. If I as a CEO set up a Ponzi scheme and I steal $1,000 from every person I talk to, let's say it's a million people, right? I go to jail. I am absolutely imprisoned. But I took from a million people $1,000. It's a billion dollars of impact. What if I stole your Social Security numbers and allowed those to be leaked? What's the damage to you? You only get one Social Security number. It's out there forever. What if I go a step further and I leak all of the security questions that would be used to validate you as a human being? All of them. Right. Which means there's no way to recover, because all of your security questions are also leaked. Thus the security questions, the answers and the private data are all leaked. Shouldn't I go to jail for that? Isn't the damage from that potentially far greater than $1,000 per person? And yet no one's jailed for that. Right. We have a huge problem here. And insuring against it is not the way to fix it.
B
Yeah, the idea of where value resides. And especially because, like, my flippant response would be, oh well, I'll be the needle in the haystack. But oh, actually, we have giant ingest engines that can immediately weaponize all of this at scale. There's not even the hope of obscurity at this point. So Keith, can you give us the hopeful take on this? Right? Is it companies realize, hey, we're working without a net here, so it's in our best interest?
A
I talked to a Fortune 50, what is the new thing, CAIO, Chief Artificial Intelligence Officer, and I asked him this question. And Howard hinted at it. So what happens when I give someone, let's say it's a banker, a different industry than the Fortune 50 executive I was talking to. Let's say it's a banker, and they've relied on the rules on redlining from the application engine that exists within the organization. There are data scientists behind this that are trained, that understand the problems with the way you analyze data and redline. Then I give them some type of AI assistant that can now crawl all the data sources that they have and all the data sources available in the bank. And now as a banker, I recreate a redlining problem because I'm not trained in data analysis. I just want to make a good decision. And in my world, a good decision is, oh, I don't rent to people in this zip code. Whoa, that's you. It's not as blatant as that, right? It's just, oh, I see a pattern, and the pattern just happens to be that it's people in this zip code. I was trained not to do that, but the AI is telling me something different. I asked the CAIO how he or she handles that situation, and their solution: they don't give their employees that chatbot and that ability to do that level of data analysis. That would be irresponsible, to give that much power to an end user. That's their approach, while I've seen others handle it in a much different way. But this becomes the conversation, right, from a senior leadership perspective. And I like the fact that they've created a position that either reports into the board of directors, compliance, or the CEO to really think about how you handle the organization's data and the derivatives of the organization's data.
C
So to comment on that real quick, I think companies are probably going about this exactly backwards. If I'm a Fortune 50 bank and I feed all of my company's data, all of the data about mortgage approvals from the last hundred years, in, effectively I've given the AI the training to lean into all of the biases that I consciously or unconsciously created within that data set. So saying that I'm not going to give people access to it doesn't actually solve the problem. What we need to do instead is lean into the biases so we can expose them and then be rigorous about doing what we can to remove them. Keeping them as hidden biases is a problem. And I'm not saying that that is what this CAIO was saying, because I don't have the full picture, right? You just summarized an entire, probably three-hour conversation in 30 seconds. But I do see this kind of attitude over and over again. We need to find our biases, uncover our biases, and remove our biases, not create systems that obfuscate them. Because ultimately there's still something that that data is going to be used for, to help make a decision, whether it's automated or not. And so that's kind of my concern as we go through this. Right? How do we find and uncover those biases so we can lean into them and then destroy them? You don't win the war by shying away from where the enemy is at; you lean into it and destroy the enemy.
B
As a Midwestern Catholic, I have to say this goes against my entire doctrine of unparalleled repression at all levels. So Howard, thank you for elucidating that. I need to go talk to a therapist right away. No, this is, like, the fascinating conversation: the opportunities, right, that these technologies have, instead of reifying the things that we had already been doing and are just going to unconsciously systematize, potentially, within these new systems. Howard, I think that's a fantastic approach. And Keith, thank you so much for illuminating that. I love to hear that those conversations are happening and that companies have to think about that kind of stuff with these huge long-term impacts. Just a fantastic conversation. Thank you both for making this just an awesome, awesome Department of Know. And thanks also to everybody that's been in our chat. I see Amish runaway having a good time here. We have CCL talking about: "Had a moment early where GPT told me about AWS config I could not find in their docs, so confidently I felt I should retire. Guess what? When asked for reference, it folded like a paper boat." I have been there too. Claude will confidently lie to you about documentation all day long. Turns out you just need to go to the man files, who knew, with all my Linuxing. Then Kevin Ferrell also in our chat. I know everybody's getting ready for the big holiday weekend coming up here, so everybody, be safe. Have a happy one. I hope we can at least get some knowledge into your week, brief though it may be. Huge thank you to Keith Townsend, the host of the CTO Advisor podcast and the founder of the Advisor Bench, and Howard Holton, the CEO at GigaOM. We'll have links to both of their LinkedIns in the show notes. Some fantastic content there, always, to check out. But Keith, I know you've been working on something, you've been vibing on something. Why don't you let people know what you've been working on?
A
Yeah, I took every piece of content that I've ever written publicly and I grounded it in AI, and I'd love for people to check it out. Ask Virtual Keith a question: virtual.thectoadvisor.com. Check it out. I would love feedback.
B
I have personally tried this out, and I will tell you it has deep thoughts about hyperconverged infrastructure, so you need to definitely check it out.
C
Howard? Yeah, buddy. Did you get my feedback on it? I looked at it, like, right the day you posted it on LinkedIn.
A
How long was it? The first version of it? Yeah, yeah, I did get your feedback, and I made changes based on that feedback. So give it another try and let me know.
C
I'll do that.
A
I'll do that.
B
And I encourage all of our audience to do so as well. A huge thank you to our sponsor, KnowBe4, the number one trusted human risk management platform. Remember, join us again next Monday at 4pm Eastern for another edition of the Department of Know. To register for the live show on YouTube, you can either just subscribe to the CISO Series on YouTube or go to our events page at cisoseries.com; we always have everything listed there. You can check out Super Cyber Friday, all of our other fantastic shows, meetups, events, and all of that great stuff. That's just about it for the show. For myself, for our glorious producer Steve Prentice, for Keith and Howard for having a spectacular show, and indeed for the entire CISO Series organization, here's wishing you and yours a super sparkly gobble gobble day.
A
Cybersecurity headlines are available every weekday. Head to cisoseries.com for the full stories behind the headlines.
Date: November 25, 2025
Host: Rich Stroffolino
Guests: Keith Townsend (Host, CTO Advisor Podcast & Advisor Bench), Howard Holton (CEO, GigaOM)
This episode dives into the latest and most debated topics in cybersecurity, including DDoS attacks vs. infrastructure flaws, the FCC’s controversial rollback of telco cyber rules, increasing liability risks in AI and cyber insurance, and the persistent problem of security teams being overconfident and underprepared. The hosts critically examine regulatory effectiveness, collective industry responsibility, and the evolving threat landscape, offering pointed, experience-informed opinions and practical takeaways.
| Timestamp | Speaker | Quote/Highlight |
|-----------|---------|-----------------|
| 01:15 | Howard | "Re Invent is the only conference that I go to that is like sensory overload... I had so many meetings back to back that I never left the lobby..." |
| 04:50 | Howard | "Configuration issues you cannot plan for... If I knew about them before, probably would have solved them already." |
| 08:36 | Howard | "We let the burglars in. We knew they were in, they're still in. And we sent the police home and said the homeowner who let the burglars in just decided to live with them and somehow that's okay." |
| 19:51 | Keith | "The only way to prepare your staff for this without actually going through it... is to train, is to train, train, train awareness." |
| 22:16 | Howard | "If there's going to be an exception, it's guaranteed to be that exception... That's also a hugely targeted account." |
| 27:11 | Howard | "They deserved every inch of that, every second of that. That was 100% their fault." (re: Air Canada and AI chatbot mishap) |
| 36:41 | Howard | "We need to find our biases, uncover our biases and remove our biases, not create systems that obfuscate them. Because...that data is going to be used for...a decision, automated or not." |
Direct, analytical, and openly critical, this episode features industry leaders sharing personal war stories and policy critiques with candor and humor. Both guests advocate for more intelligent regulation, internal accountability, and investment in people and process over false confidence or mere technical controls.
Key takeaway:
Cybersecurity’s advance is being hampered by regulatory vacillation, organizational inertia, and overconfidence without experience or meaningful testing. The coming wave of AI risk forces both the insurance industry and business leaders to reassess exposure in ways the old models can’t keep up with.
For more in-depth cybersecurity stories, visit CISOseries.com.