
Navigating the Complex Landscape of AI and Cybersecurity: A Conversation with Rob T. Lee

In this weekend edition of Cybersecurity Today, host Jim Love interviews Rob T. Lee, the Chief AI Officer and Chief of Research at the SANS Institute. They...
A
Welcome to Cybersecurity Today, the Weekend Edition. My guest today is Rob T. Lee. He's the Chief AI Officer and Chief of Research at the SANS Institute. Now, Rob has a unique view, being at the intersection of education, deployment and security as it relates to artificial intelligence. And it's something if you follow Cybersecurity Today, you've been hearing the stories. Now, for those of you who might not, let me preface this. I'm neither an AI apologist nor am I an opponent of AI. I think what I am is a realist and a pragmatist. And AI, in my never humble opinion, is unstoppable. It offers too much in the way of potential benefits. But AI also, in my opinion, represents one of the greatest threats to our systems and infrastructure. And I would argue that as an IT person, I think it's fundamentally insecure, not because security is impossible, but because like so many other technological advancements, no matter what we say we always do the security should be built and not bolted on. And then we run away and build something. And in a transformational technology, we do it twice as hard. So we add that level of risk. Now there's a second level of risk, and that's like any other transformational technology. Cloud, SaaS, mobility. These are driven by a business desire for results. And like cloud, SaaS and mobility, when business desire conflicts with security, security takes second place. It's the way it's always been. If you resist, the business will either steamroller over you or they'll subvert the rules and bring it about surreptitiously. Now, there may be some businesses that are so highly regulated that those who manage risk may have the upper hand. And all the best to you. I wish we had that job, but most of us don't. And I don't want to be flip about this. Business leaders are rewarded for business success, not for the risks they avoid. And so I may also be a little cynical.
But business leadership isn't always ready to jump down and fall on their sword when there's a mistake, especially when it involves things like technology and cybersecurity failures. But that cynicism, like my understanding of business, comes from experience. I've been a product executive and a technology executive. I've lived the need to show results. I've been to the meetings where there's been a failure or a crisis, and as one of the characters in my new book says, if you can't spot the scapegoat, you're it. So again, I say this not to be flip but to really point out the difficulty of those who have to manage this risk of AI and those who must try to introduce the dreaded G word, governance. These people need the wisdom of Solomon and the courage of David. So I'm glad to invite Rob in for a conversation on this. Not to provide you with all the answers, but to start a dialogue that might help point us in the right direction. Welcome, Rob.
B
Hi. Thank you. I'm fascinated. Can I find out about your book? It sounds like goat. It's likely you or. I think that's what you said.
A
Yeah. No, the book is about a failed IT guy who encounters an artificial intelligence. So it's. Yeah, there's too much of my own corporate career in there.
B
Yeah.
A
But before we get started, let's talk about SANS and your role there and then we'll get back to the subject.
B
So, been with SANS for a long time, but I like most of the instructors. You're a practitioner. And while I was starting at SANS way back when I was 24 years old, so this is like decades ago now, I was working in the AFOSI at that point. And then I worked offensive operations and malware development and discovery, vulnerability discovery for about five years doing stuff, you know, for various people and then went over to Mandiant, was at Mandiant doing response director over there, helped, you know, wrote the initial entrance report, coupled them that ever came out and then also really helped spearhead the cyber threat intelligence capabilities that they did along the lines at SANS, wrote and developed their initial incident response curriculum. And I used that as a test bed for a lot of capabilities and ideas that became industry known. I came on board full time at SANS about four years ago running their content and curriculum and now I've actually gotten back to my roots, working on our research and focusing on AI and business. Not only AI, from cybersecurity, from business transformation. I've been a part of multiple startups, have consulted hundreds of companies and went to Georgetown and got my MBA there. So I have a massive background in the business side and applying that to technology, I think is even more prescient today than it's ever been because you're dealing with new technologies that are fundamentally fantastic and almost magical to the point where we also need to take a look at how do we secure it.
A
Yeah, and I think that's an important point. You said there's two things in my question, because that was what I thought SANS was about, was you really, it was a lot of practitioners who were doing a lot of the teaching and which is so important.
B
I don't know a single full time academic. That's fantastic. They're all in the field doing stuff, working for other organizations, consulting on their own. And then they come and teach. You know, it's like you want Navy SEALs to be top five people that were in combat. You know, this is kind of the same thing. No, we're not Navy SEALs. That's a bad analogy. That's like another level. But again it's a, you actually want that level of experience other than you feel like this person never, you know, had a single bullet shot at them. And you know, that's that experience. You come in here, here's real world practical advice, technical skills, and then here's what it's going to look like next week for you.
A
Yeah, and I'm always careful not to dump on academics because the although I've had my, my shoes being dumped on, I taught at one of our best universities and I look at people who I know had never done any of this in the real world who are looking at me saying, well, you're not academic enough in the morning. Well, you're not practical enough. But I think there, you know, the research, really good research has real value. Really good practical experience has real value. But we're, we're all after results.
B
And so I think you're being too nice. I mean most, most re. You know, like we dovetail on this pretty, pretty quick. But again it shows even what just happened at Starbucks. Their previous CEO, the company was like 180 billion. Not 80 billion, like 150, whatever it was. And then that CEO came in and the value went down by 40%. And then just by hiring the former CEO, I think it was Chipotle and he turned around on these businesses. His stock valuation went up. But that's someone who's been there in the fight doing it versus I believe the former CEO was more of a theoretical. You need someone looking at both because someone who's in the fight can't look horizon view to do research on what's coming next.
A
I'm always careful to say research not theoretical, like we're not physicists. But getting good data is something that I don't think we do well as an industry. And I respect the people who get good data and help us work with good data. When I was taking my degree, I had two profs who were both business people. One of them ran a franchise and he took us in it. And you know what I learned from him? If you run a franchise, you know the cost of a cup. And if you don't know the cost of a cup, don't run a franchise. Yeah, you're not going to die on $10,000, you're going to die on 0.5 cents. You know, like that's. And he was just eye opening and the same thing in tech. We had one guy was, I don't know what he did, but he took us down to the lab and we were seeing the first computers there in the university lab and we started to play with them. And you know, that was so that magic and I think that's one of the things, I think that maybe we love the practical, but it's the magic of doing things, you know. And as much as my intro was about the tension between security and business, the reality is my friend John Thorpe was a great speaker. One time used to put him say put your hand up. How many of you were from IT? And people would put their hand up, said how many of you from the business and people with their hand up? He said nonsense, you're all from the business. Anyway, back to our topic at hand. What do you think of the intro? Do you, do you. Is that the situation you see or do you see it differently?
B
Wow, such a great question. I think security in general is running into a very fascinating schism between business interest, where we're headed in terms of the application of a new technology and how is security being asked to wrestle with these things. So being exposed to a lot of different parts of the organization. I was at AI4 recently and I ended up creating and I think they called them round tables. What it was is 40 people who are non cybersecurity people. I said I'm going to lead this roundtable on concerns and risks surrounding AI inside your organization. How do you potentially think about it you as business leads at various parts of the organization. What was interesting about this I was all expecting. I had kind of a beat questions I want to ask folks to get conversations started because we're all sitting in this massive circle about 40 of us and we had folks from financial, International Monetary Fund, usa, Audi, you name it. There are business military was in there. Everyone. It wasn't that they're worried about getting hacked through AI or adversary techniques and prompt injection and all the cool and various terms that people are using. The one thing that they said is the business trust. The one thing top like 90% is shadow AI. And that got me thinking and it was like I'm trying to tie a couple knots together here. And I took a lot of notes during that, a lot of them. And I said I think people are having a hard time in cybersecurity because there are three balls that you need to somehow juggle simultaneously. And going back to some of the beats that you said I'll start with the last one is the hardest one that you mentioned earlier is governance. You need to somehow have a policy in a framework that is applicable inside your organization. Second one is you and your security teams with what you're doing here on the media side but also your technical skills in finance and HR in product and sales.
And every part of the organization is being asked to start utilizing this technology. We don't know how exactly go do some experimentations and how to utilize security team is no different. Become a more advanced superhuman powered doc analyst, sensor response, often some operator, you name it on their teams. Like you're supposed to use this magical interface and be able to accelerate your capabilities. We have govern utilize oh by the way, security team is also asked to help figure out everyone is using these magical technical capabilities here. How do we make sure that those things are safe for the organization? We need you to protect those. And by the way we're going to build our own internal AI capabilities that are going to serve our customers too. So we have three things that are just suddenly dropped in the organization. Customer facing stuff, you know who your clients are, you know what you're doing. Your business, services, product. You have your company and your people that are starting to use these tools for their own workloads. Protect that, make sure nothing bad's going to happen there. So you have the protect side and suddenly security has faced a problem it's never had before. You need to simultaneously have answers for what is our governance. By the way you need to use it figure that out. And oh the by the way you need to protect everyone else while you're doing all the these other things. And it's created a little bit of a meltdown in our industry because of that issue. And I come back to what that meltdown is. But I just want to positively. Do you see this? I mean my affine kilter are these two.
A
One of the things that I would have suggested is we should kill the word governance.
B
Oh yeah.
A
Talk about how gets done and or how things get done and who's responsible because we've lost it in a pretty word and I think we tend to do this in IT. We blame marketing for having their chair. We have our own terms and people go governance. What's that?
B
It's the reality of how we know you're using GRC. You're in a presentation. Well, GRC, GRC, GRC. And I'm like, it's like people using agentic, you know, or generative AI. They're putting these. I was like. I'm like, okay, I hate the word agent. Agentic, the same thing. But it's. It's no longer governance. They just like, well, the GRC. And that caught. You're exactly right. It's like that word. Those words tend to cause me to like, okay, are we. Are we going to have the. I'll just say like the. The drinking game. Everyone said to. Every time someone says a. Cybersecurity personnel GRC. Okay, everyone. What to do right now.
A
Tequila. Yeah. But I think that's part of the problem. So let's talk about governance. Let's break that down while we're talking about it. What is it that governance means that we should be talking about?
B
In very simple terms, being able to align the business to its business needs. Be able to let the business be innovative, let the business flourish. It's kind of like, okay, take away the business. It's kind of like letting your kids be kids so they could learn, so they could develop grit that they've. Every now and then they'll fall down and have to have that pain that hits. But you don't want to just be all like, hey, you're riding a bike with no helmet. You still need, like basic things and raffers around the business, your kids, anything else. You want them to flourish. You want them to learn. You want them to be the best they could possibly be. Security's job in governance is to create that bicycle helmet that creates and reduces and implements safety and risk reduction. Security done properly with proper governance is going to enable the business in the perfect world. So when you think about governance, instead of thinking about restrictions, it needs to be considered enablement safely.
A
I think your bike example is a great one. There are rules of the road, there are things you do, things you don't do. You don't go whipping through an intersection without looking. You make sure you wear a helmet. If we want our kids to be safe, we teach them the rules so that they can play. I think it's a great example, and I think that's what we've lost in governance is the sense of the practicality of these are the things we need to do.
B
You know what's the same thing? The police officers. Police officers basically should allow you to leave your home and to walk safely down the street with your kids to do things that it's like enable nail. In other cases we end up saying the police is meant to contain, constrict to limit. But if done right it is not thinking that way is the police officers like to be in an area. It's like I'm creating the ability for this neighborhood to be the best neighborhood it can be. And neighbors feel safe could know if anything ever happens. That's what security teams kind of sometimes lose. There's this we're in charge of things we can now restrict. We can not think of ourselves as enabling folks safely. It is more of a we're policing things. And that's where I think a lot of security teams depends on how their mentorship, how leaders this is. So why so much the leadership and the CISO is critical decision hiring to understand that is that's why they're now a C level position and not just like three, three rungs down. Is a CISO needs return to you like CTO enables the technology CISOs enables the business in a safe manner.
A
And I think that again a good analogy. You call balls and strikes. You call. I mean if you, if you get pulled over by a cop, they tell you you're doing 120 and this Canadian in a, in a 100 zone or you know, whatever that tends to do in miles.
B
Per hour. They're out of control.
A
Yeah. Had an American friend. 100. That's your speed limit.
B
Exactly.
A
No, but, but the, the, the if you just call it as you see it. This is, this is, you know, you're doing 120 and 100 zone or you know, whatever, you're exceeding the limit. That's it. Now what the business does about that, I, I think in many cases people may get frustrated. But we're just telling. This is, we're calling it like we see it. I think that's really a good analogy. You don't have to be a judge and I think, you know, you don't have to be moral about it. We're not, we're not trying to make people better people. We're trying to make them into people who understand that there are ways in which we have to operate as a business. Good, good idea. But so where does that fit with AI? Why is, why is AI governed such a problem?
B
Where do I begin? Because it could be like a 20 minute like Rob on a soapbox thing. So I'll cut this into pieces. AI comes in and I'll just let me start from my own vulnerable concept here. So I've been working in this field for, let's say before AI entered, 23 years. And when I started, there was no books. I was assigned to the first information operations, information warfare is what called it back then unit. And they basically hired, you know, what they thought was, you know, maybe they still do, you know, 30 extremely talented individuals to say, hey, go defend 9th Air Force, Air Force bases from hackers. This is like a year after DEFCON started. You have to go back in this early stages. There's really no SANS, there's no training, there's nothing else. So I'm thinking everyone else in this room is like 10 year expert. They know all this stuff. No one knew that we're staring at this new technology. Windows 95 was a year old. No one knew what they were doing. And we're all trying to figure this stuff out. The reason I mentioned this is that the learning curve that I was on at that point, it's not that we knew what the target was. All I have to do is get from here to here. We didn't even know what to do. We didn't know how to go to couch potato. We didn't even know we were going to be training to run a marathon. The marathon didn't exist at that point. The 10k did not exist. We just knew, hey, we needed to move off of the couch and we had to figure this stuff out. Not just us, but multiple different groups around the planet. I kind of look at this as a very similar analogy, is that anyone who would get up on stage and say, here's how to secure AI, they are guessing as much as I was guessing. And I was trying not to let anyone else in the room know. So fast forward today, two years ago, AI comes out and I'm looking at this like, oh, technology is just like another piece of technology. All I have to do is stare at it, figure it out, tinker with it.
I'm like, okay, I get it. It's just like this. But different. This is as different as Gandalf sitting in the court of any random king that's out there. He's the wizard comes in. I know magic. I've been doing magic for 25 years. I have mastered magic and again for me, I have mastered digital forensics. I have all these skills I look back on, I'm like, wow, I can speak with authority on these things. Suddenly someone da Vinci comes in the room, says, I have science. Gandalf looks at that and says, oh, that's very similar to magic. It does things that people who are affected by it don't quite understand. Very similarly, there looks. There's a. Hey, that kind of looks like magic. And science does cool things. But Gandalf looks at it and says, okay, I'm going to go attempt science because I'm really smart and I'm really good at magic. And there's no adoption. There's no true understanding. You have to go back to the beginning and say, how do I read again in kindergarten? So how do I potentially move my skills forward? From a personal aspect? People turn to me immediately, say, Rob, how do we secure AI? And it took me a while to get back to this vulnerable position because I was really trying to maintain my authority and expertise on this stuff. And I'd come back and say, I am learning right now. And I thought everyone else was more. Very similar to what happened 25 years ago. I. I just thought more people had this and I would. About a year in, I realized no one really understood what was going on. So I had a theory, and I tested a theory first at OWASP SnowFROC in Denver. I have this presentation today, and I'm still giving it. And I have people in the audience feel like I'm piercing their head directly, like a Vulcan mind meld, because I asked them a question. Go through how significant this technology is.
We have experts who are able to talk about the effects of this, who are able to talk about the legal ramifications of this, that are able to be in the room with leaders to be able to speak intelligently about this, because your role in this is so significant. People's lives depend on you getting this right. Your business existence depends on getting this right. Next slide. How many of you? And I said, first. I don't get to that slide first. I want everyone to close your eyes and just sit in the moment. Do not peek. You gotta ask a question based on that question. Just like I was vulnerable to you and I raised my hand on this, too. It's like I'm learning, I'm struggling. I do not know the answers in AI, but I. Then I turned it on them. And the question I asked was, how many of you are faking it with your current knowledge about AI and ML technologies? 80% of the 300 people in the room, 80% of the hands went up. I'm like. In the back of my mind, I was like, okay, this is more telling than anything else I could have said. I said, now open your eyes and look around. And you could feel the pin drop in the room. And they're like, oh, good Lord. That's the issue with AI is the businesses are turning to security teams and they're saying, hey, we've hired you, you're a very expensive person, you should know technology. Well, they're not even admitting their, they have not mastered this technology yet. But the business is asking them, what do we do? And this is where I call it a crisis. And again, it feels like I'm pointing fingers. A crisis of competency. And you can put quotes around that, where we have a security team that doesn't really understand technology. So their initial gut reaction to solve this issue is to say, what YouTube videos, what training, what is the frameworks, what is the applicable thing? There's gotta be some documentation. They come to SANS, say, SANS, train us. And we're struggling with this too.
It's like, what are the things we need to do to potentially help people secure their organizations? Everyone's kind of looking at each other like it was 1996. Again, there are no books, there is no training. We are asking you to get off the couch. But the business is asking, going back to the governance and everything else. We need to innovate to remain competitive. We need to make sure we're here. You need to learn AI, by the way, security teams, you need to figure out governance, you need to figure out how to use it, and you need to how to figure out simultaneously how to protect everyone. And they're asking Gandalf, who's used to be seen as the magician of the court for 25 years, to look at science and speak intelligently about it without having done the homework yet, to go through those learning cycles as to what does this stuff mean. And there are no books that have figured all this stuff out. So this is, this is the issue, this is the thing that I wake up that truth, the power of type.
A
B. I think, I think it's fair. I would have flipped the analogy because I think, I think we went from science to magic because back in the early days when we were all trying to figure this out, you could go back. This is a binary instrument. It's a yes or a no. It's a one or a zero somewhere back in there, whether you're talking in hex, whether you talk, whatever, I can come back to something and I can replicate it for the first time in a technology. I have a technology that I cannot understand. People talk about quantum. The best quantum physicists say. If you say you understand quantum physics, you're not a quantum physicist.
B
Right?
A
And I feel the same way about AI. If you say you understand what's happening there. You don't understand it. First of all, an AI will never give you the same answer twice.
B
Yeah. And businesses executives are don't know the difference between science and magic. To them, it just looks similar. This new tech stack, this is what we've always done. Cloud, you see all these iterations. Gandalf, what do we do? And Gandalf is used to be able to answer those questions. Now it's Gandalf. And this is again, what's really interesting here is Sansa set me up. Chief Aio. It's like, Rob, you have all the answers, everything. The reason I'm here, I'll just be quite honest, is because I'm expressing vulnerability of my own lack of knowledge and I'm encouraging. Everyone out there is like, you need to be like, what I'm doing, and I have a mantra now that I said in order to be healthy today is you need to get proper sleep, you need to eat a proper diet. If you don't sleep, it doesn't matter what you eat. It doesn't, you get nothing out of that. You have to sleep, eat well, exercise every day you do your workout, pushups, whatever you do, walk for 30 minutes, you have to do AI for 30 minutes. It is going back to the basics. And this is what I do now. Within 30 days, it looks like, wow, you have started to master this. You've gotten in shape. We could see, like, you know, there's a massive change in you. And that's true because anyone who's not doing the work feels further and further behind, even on this stuff. And I'm looking at it from just how do you use it? Let me look at how to protect it. What are the things I could do? But I chip away at it on a daily basis and I'm expressing of like, okay, I'm, I'm now nascent, I'm now the newbie. And I have to remember, even though I've been doing this for a long time, I have to put myself back like, I'm 20 years old again. Have to learn and start the bra math, then use the calculator. Then you're building up your skills. 30 days into this process, you walk out saying, wow, you actually know stuff. You're the expert, Rob. You know, you're put on these podcasts, you're, you know, super smart on this stuff. 
I'm like, no, I'm just doing the work. I need you to do the work. I need the entire community to do the work. Because if we're all not doing that work. What we're tasked to do is defending people's cybersecurity. Because if what we do matters, we're saving lives. I need people to understand this, like, I am depending on you and you know, Mr. Water, you know, plant cybersecurity team, you have to do this work too. And we all need to do this as a community, realizing we're in the foxhole together, looking at each other, both scared, both trying to figure this out. But you look each other in the eye like you and I are doing right now, saying, oh, there is no one coming to save us. We have to look at each other as like, all right, accountability partner. When I'm going through this on a daily basis, I will show you cool things, you show me cool things and we'll now learn together.
A
What do you mean by that?
B
And again, this is, I don't know. I've landed on certain podcasts like the AI Daily Brief. I listened to this. What is going on across the industry. You learn about the AI action plan from the government, you end up getting exposed. Hey, Claude has a new capability. And I'll go, oh, what is that? I'll go on Claude and play around with it. I start to integrate workflows instead of okay, I'm going to figure it out. I might read about something, let me go see if I could just play with the thing and see what the impact is and maybe even something related to my kids. My kids are 13 year old twins about to turn 14. The school's currently, it's called CheatGPT, which is obvious reasons why, but I'm trying to look at it from how's my kids getting educated? So I can't do cybersecurity principles. I go into how do you use this creativity that enables is enabled through this technology. I was on the panel at the NASDAQ talking to boards, room full of people that are on boards. And I said on the panel, everyone's like, yo, we need your AI expert. That's all that's going to inform the board. And I said it was that person. Like, I totally disagree with that assessment. And everyone's like, whoa, no, this is brand new. It's so hard. We need the new Gandalf. That's going to inform the board. I said, no, every single one of you needs to learn this. And I used my iPhone, I took a picture, I said, I'm going to be talking while I'm doing this. Take a picture AI, change this picture into making it look like K Pop demon hunters, whatever current thing is. And while we're sitting there talking about this, I have the picture on come out. And I said, hey, that looks like a magic trick. But from an executive perspective, you might be doing this and saying, oh, geez, I'm doing the level of graphics designers in my own hand. And I see we have a hiring need for three graphics designers in our marketing department. 
I'm going to ask a dumb question because I'm an executive, I'm just learning the technology. But how many of our current team are using these newer technologies to increase their capabilities for the graphic design? So I don't need to invest. I said, that is why you as an executive need to understand this. Not at a DNA level. How do the models work? Which Hugging Face thing are you? No, you need to be the person that's sitting in the people that came up Netflix streaming saying what we should do, we should stream this. Because there's this thing called the Internet. I guarantee the person came up with that idea and whiteboarded it. Didn't know how TCP/IP worked. They just said they connected the dots saying, hey, I'm doing this thing on the web. Bandwidth is increasing. I'm watching these videos that people are distributing over here. Can we do movies this way?
A
Yeah.
B
And this idea is like same thing with Wi-Fi and Starbucks. None of those people were technologists, but they had a fundamental understanding of the technological shift that was going on to ask new business ideas and to drive innovation. So they start seeing these technologies. I said, if you outsource that, you and your business are at risk. You need to be the person. And sitting in 1998, starting to use email, the browser hitting websites, saying, huh? But if you're being asked to change your business in the middle of the introduction of the Internet and you never used a web browser or email, guess what? There's no way you're going to be able to do business strategy. And if you're leaning on it, AI expert or C Internet expert, hand them the reins of the company at that point and you step down because you are effectively not useful anymore. The board executives need to put in the work too. Start playing with it. Everyone needs to start playing with it. And that's the hard part.
A
I think that's the essence of and it would be the same advice I would give to people is now people say, oh, well, I've got to jump on board with AI. You don't have to jump on board with AI and integrate it with your business or get rid of 4,000 people. You have to start playing with it. I think I would maintain that if executives aren't trying this stuff out, you really are going to miss the understanding of what it's like in the organization. People need to understand the possibilities. That's the phase we're in and I think people miss that. They're rushing to say, I got to get this implemented, I got to save some. That's a really, that's a really dumb strategy.
B
So you want to see my next magic trick?
A
Absolutely.
B
Okay. So where we started governance, we just went down to how important is AI from the business side and we talked about earlier that the business needs are to remain innovative and governance is an enabler. So organizations are starting to realize, wow, this is going to be a needle mover for us. We don't. We could save on costs. We're not going to fire people. I still am. We haven't seen the data. No one's being laid off of it. Some will have switching and replacement. Yes. But organizations are going to say, hey, use the people we have, get them more AI enabled. We don't know what that looks like. That's the other thing executives need to kind of tie the knot on. We don't know what that is. We just need a lot of people playing with things and creating ROI. So they turn to the security team and say, hey, how do we do that? We want to lean forward, but we want to reduce risk. Security team is used to being able to apply a framework to do 80% reduction of risk on whatever that is. But what the security teams need to lean in on and saying, oh, we should probably do things that are 10% reduction of risk. But because Gandalf his feet over here saying, hey, you've been seen as a 25 year expert in this stuff. What should we do? You're trying to apply a framework that is going to completely reduce risk. What's the same issue legal teams run into is like, we are going to be starting to do business in Timbuktu, except we can't read their legal stuff because it's only word of mouth. We don't know what business impacts and issues we're going to have. Liability issues we're going to have over there. So I don't think we should do business in Timbuktu. No, the other thing that security teams, they look at that and they're also looking at this from independently. The only framework they have to apply to reduce AI risk for an organization. And everyone's like, what framework's rom? What is the thing that everyone's using. I say, oh, it's a very simple framework. 
Everyone's heard of it. The framework of no, period. They basically come in there and say, okay, we don't understand Claude or ChatGPT or data rails or Perplexity. Someone may do something bad. We don't know what the risk is. We need to evaluate every tool. They form a committee, they come in there and someone says, I would like to use Claude. How do I do that? No, we don't know. We don't. Give us maybe Q3, we might have an answer for you. Maybe Q4. Months go by and then the personnel asks, hey, what happened to the tool I asked about? Silence. And like, well, we said, no, don't use it. We're still evaluating. And then meanwhile, incoming. How do we evaluate this? And we have no idea what's going on. There are a lot of teams out there that are actually fully capable and have implemented this stuff very well. The exact problem security was trying to avoid was now created by security. Shadow AI is a result of legal and security default no. Everyone's going to use it anyways because they're worried about their own jobs. They're worried about like, hey, I've been told to do this. There's also fascination, curiosity. All these things kind of add together. Guess what? The framework of no has created the exact security issue that everyone's actually worried about in that room. Shadow AI, that's it. They're hiding it. No one knows it. Four weeks ago said, hey, I'm upload the financial spreadsheets and send it over to another financial analyst. Seeing the shared link in there, oops. Accidentally now shares that entire chat in a Google search URL. Oops. They had no idea. But how would you figure that out? And I would, I've asked my parents. I was like, okay, let's assume you're evaluating Grok. How would you have found that? You would just be like, oh, and all of a sudden you're staring at this, okay, do we just ban Grok now? This is again like a knee-jerk reaction.
A
And in reality it's never worked. I still remember the early days when people were talking about mobility things and we'd say, well, we've got to have our data secured. And then you go, wait a minute, they're having a board meeting and they've all got iPads. Anybody looked at the security on those? No. Anybody think that the documents our board has might be, I don't know, confidential? Oh yeah, geez. So the fact is, if you don't get in there and try and cope with it. People are going to hide from you. And the biggest people hide from you are the executives and the management for the most part. But right now the stats say that 40, 50, 60% of people, depending on what research you're looking at, are using AI and not admitting it.
B
Yeah. And then even if the square, like I have all these things, it's like I've tied. I need to write a paper on this because what is the biggest ROI that has led to innovation in the company? Shadow AI. Thank God it exists. Nothing. The companies are implementing as a sunlit project. Not all of them, but most. In that MIT report kind of highlighted 90% of organizations have not figured out ROI. But the report, honestly, I actually did write a Substack article. I said, MIT report masterclass of missing the point. And again, I was like getting a little bit. I was out for a walk and I said, they're missing the point. And I'm like, all of a sudden, I landed on that title. They focused in on the ROI of some of the projects. But what it also stated in there is that the biggest ROI was coming from shadow AI that 90% of the employees are using anyways, even though 40% are supposed to be using official AI capabilities that the company has made improved. Hey, so shadow AI is the actual thing that's driving innovation in the company. Shouldn't we be focusing in on how to encourage that in cybersecurity? Teams need to figure out a way. Okay, we need this. Like you said, the playing around thing, like I'm telling executives to do too. How do we move that from shadow AI into sunlight AI and how do we potentially put enough of a wrapper so the kids are able to walk onto the playground and saying, hey, listen, I cannot fully protect you. I'm going to ask you to put on a helmet and you still may. Bad things may happen to you. We could reduce risk by 10%. Now you pass that back to the executives. All I could do is put a helmet on you. Are we okay with that? And then hand that decision back to the executive saying, this is the best I could do because of my knowledge. No one else knows it. Gandalf science issue. You need to be upfront with this. Being vulnerable, the organization being vulnerable. But the executives need to do their job now. 
Make hard decisions that could risk the entire organization if they're not leaning forward hard enough into this new technological innovation. They reduce competitiveness inside their own space, whatever they're doing. And on the opposite side, if we don't have enough risk reduction. We also risk the business because bad things can happen there too. So you're walking down this tightrope as an executive, more so than anything before, and you don't have six months to think about this. No, you actually are now saying you have two weeks to consider this. DeepSeek came out with a model that's 10x cheaper. Whatever your IT teams comes in, we could save a bunch of costs. Look at all this power consumption costs. We're going to be able to do x, y and z. 10x savings when you're spending a hundred million dollars on it is sizable. And if you're saying, well, we spend six months staring at is DeepSeek the model we should now be using. Whereas Amazon, Microsoft, GitHub, they all implemented the DeepSeek model within five days. Critical business decisions, leaning forward, obviously saying security, we can't have that hold us back because of the cost. You're now the executive. Do your job, make the hard decision. Don't just wrap yourself in legal and security to say no. They just need to come in and say probability. We can't secure it as much as you'd hope. We need you now to make a really difficult decision. Innovate or reduce risk. It can't be both. You need to balance, be smart. You need to lead the team. Just like you know, if you're a military commander in Ukraine and all of a sudden I was never trained to deal with drones flying overhead. It's not like you go to six months of training and do drone combat defensive operations. No, you're dealing with the thing that's in front of you. You need to make decisions within minutes, hours over this new technology, not deal with it with some sort of training class that may or may not exist. 
What business leaders are doing in the US and around the world, you can't take the time to fully understand it. You just need to see what's in front of you, make hard decisions based off intelligence, everyone else feeding you information. You have to be your military commander, you have to make hard decisions, own your job or step down.
A
That's a little bit here because we put, I think what we sort of said is you need to play, you need to learn and you need to get people out there to play. But before they play, make sure they're wearing a helmet, make sure they know the rules of the road. You know, I would say, you know, like if that's why I like to say, take the analogy of play. When I learned to drive, my dad took me to A big parking lot on a Sunday. In those days there was nobody in a parking lot. I could drive around fully. You could start to get the feel of the car. So we're. Because this thing's moving fast. But as a. As a person who's involved actively in education and learning how where are the resources? What are the things they should be looking at to help them learn this?
B
Well, obviously SANS and one of the reasons I'm really glad to be chief of research as a part of my job, but my focus is on AI. So I've pulled these two things together, pulling in the small number of experts that I call them experts, saying they're fully vulnerable, saying hey, we're learning too and pulling together resources of what is currently known. We have enough understanding of how people are using AI in day jobs. So we're starting, you know, there's massive parts of our courses that are now teaching to that same thing on how do we protect it. But again the protect is what we currently know and we have to iterate those protect classes as fast as possible. On the governance side, you know how does EU AI Act and GDPR, DORA all feed into AI implementations. So your understanding of the risk so the business leaders can make these decisions. We have these summits that we do at SANS and Alan Paller massive had to depend on our founder who's no longer with us. He started the first ICS summit that said hey listen, we need to protect critical infrastructure. It's not like that was solved. He said what are we going to do to do this? Let's have a summit, bring in people who are kind of knowledgeable about this. Mike Assante, Tim Conway, eventually Robert M. Lee to be able to have these core discussions like what are you guys doing? What are you doing? What is everyone doing? Have hard talks to have people talk about it. But again iterate and iterate then iterate. It's research, it is coming together, it is community forming. It is let's solve this together. That is the thing that SANS has stood on for over 25 years since I came in. They asked me, he was like Rob, show us what you know and answer his boss. It's not like well, I wrote the book. This appears exactly. I started it wasn't an educational academic. Rob what works? And I would give a talk like okay, can you do that for three hours now? Do you have more material? 
You could teach us tricks and things that you know we would help people like well, here's what I figured out. That's why it's the practitioner coming in and doing this, they're sharing what they know, but that is not the solution they're showing. Here's what I currently know and I did the work to be able to get here and I'm more than happy to bring others along with me because we're all in this together. It's like, hey, did you know? Oh, I never even considered that. And you go, try it yourself. You're like, oh, cool, that's amazing little technique for cooking. This is why SANS is a resource. You go on our website sans.org AI we dropped everything in there. We currently have the AI critical controls, which was a consensus paper of 50 different individuals. We have a partnership with OWASP and OWASP AI Exchange on how to technically implement a lot of those controls. And working together, community forming experts coming together, implementing what our practitioners are finding right now. And it's still early days. It is not like these are all the solutions. It is like, here's what our current knowledge and we're basically three inches into what we're still staring as the ocean.
A
We started a group called Project Synapse. We started having coffee Friday mornings to talk about AI and what was happening. It turned into one of our most popular shows now. And it started as three guys who were just sitting around. We're going to figure this out. And I think there's a lot to be said for that. Having access to some of the material I think is great. You need to start reading again, but you've also got to talk to people and imagine things. I mean, when I wrote my book, I wanted to explore what the world was going to be like living with AI. And there's lots of great fiction out there. You can also start to use your imagination. That's something we don't talk about in business. You know, our imagination, our ability to play and our ability to learn. I think those are really important.
B
I think it sounds like we are really starting to figure this out. Rob, you're speaking from authority on this. I say what I'm speaking from authority on is learning journeys, how you become an expert, how you develop passion and how you admit your own vulnerability. So one of the reasons I consider myself a leader in the field on this stuff now in AI is not because I have all the problems solved. It's because I'm leading everyone to get in shape again. A new form of it. I have to do the work every day. I have to wake myself up and saying, you have to do your AI homework. What is the AI homework? I don't know. I'm going to go online. How do you figure out what to learn? I said, great question. You know what I spend a lot of time doing? I have my entire feed on TikTok is AI people talking about AI things and I'm looking at their, oh, that's interesting. And I pause it leads to a YouTube video and I try to replicate what they're doing and then I'm okay, cool. But my vulnerability is, listen, folks, I don't have all the answers. I cannot go down into every single thing on how to potentially prevent attack A or B. I haven't even done most of those things. I'm looking at it from the aspect of I need to be able to lead the industry. The only way I could do that is by starting to get off the couch and invest the time at micro learning environments to be able to get to the point saying, hey, SANS, we need to invest things over here because I think there's a thing here. But if you're not willing as an organization, as an individual even to do that from an executive board and just submit your own vulnerability, that's what I think is very important for us as a beat, even for you. This is the Thanksgiving discussion that's about to happen. Everyone's going to be talking about what they're doing. Are you using AI? What do you think is a job killer? I don't honestly think it's going to be the politics that's going on in the country around Thanksgiving this year. 
I honestly think and predict people will be talking about AI and is it scary?
A
Please God, be right. Well, I'm being invited in to talk to groups and I find this just, I find this fascinating. There's a small municipality just two hours from me wants me to come in and talk to their business community about the potential of AI and what they can. One of the things, I want to circle back to this because it is an interesting concept and it's something that I think we need to learn and it's difficult. We've had a real concept of leadership that says, I know everything. I'm not going to make any mistake. I'm on top of all this stuff. I've got bright people who work for me. I think I was close to 50 years old before I realized I don't have to know everything now. I don't have to say I know everything. And I think you've talked about his vulnerability. I think it's an important piece to say, wait a minute, I don't know everything about this. So we're going to talk about it. We're going to talk about it in detail. I think that's a new mindset for executives in particular and maybe for CISOs, because everybody says, oh, you've got to be on top of all this. No, I don't. I need. I. This world is moving. We've never seen technology adopted this quickly. I mean, when you take a look at the telephone, how long did the telephone take from. Till it became a business? When you take a look at computers, how long did computers really take before they were implemented in, you know, the web started 1990. Like it was invented in the 80s. Didn't really touch down till the 1990s and took about 10 or 15 years to be put into. We're now, we have compressed this into weeks and months, and we're moving at a speed we've never moved before. If you honestly believe you're going to convince people that you know everything, good luck. You have to.
B
And it meant you're learning. If you are in charge of Ukraine defense and you see drones overhead, you'll turn to your smartest people in the room. What do you know about drones? Now? If they come out, I was like, here's what I know. You know, they're sitting on that ledge. I guarantee the defensive commander is like, okay, seriously, you can tell me. You actually know what's going on here. Have you ever flown a drone? No. Do you understand the mechanics? Have you used this in combat, defense, offense? No, no, no, no, no. Someone find me anyone who's touched a drone in their life. And of course, someone comes in there as a hobbyist saying, I did it. And then all of a sudden that person said, what do you need for this thing? And they start saying, okay, we could do this too. It was some 20 year old who flew a drone flying a camera around a house that became the military commander for a guarantee. I don't. I'm guessing here none of those generals in that room that know how to do combat, they relied on someone who was flying a drone around a home to sell that house. The same thing occurs when you end up taking a look at, you know, Billy Mitchell, the 1st Aero Squadron, way back, you know, flew the plane. He's up there like, okay, cool, we need a lot of these and we're going to form squadrons and we're going to do damage to everything. So they build a lot of planes and everyone's staring at the planes like, okay, do we have all the pilots that have graduated pilot training at this point to fly these things. There is no pilot training, no one knows how to fly these things. The only thing was we had someone slightly smarter by a week maybe getting in that cockpit with you and saying, okay, here's what I know, up, down, left, right, we'll figure it out, right? And then all of a sudden you have 40 people that are week old flying planes in combat, never having done it before with no pilot training. 
Now of course all this stuff becomes formalized and everything behind the scenes, but you need that person that's a week older than you. Just a week, maybe a month, that is. Okay, here's a couple things that I have done and these are called the AI champions in your organization. Now, my AI champion, everyone has the. Everyone needs a Yoda. So my Yoda is a really good friend of mine, Kate Marshall. She worked with me at SANS, led the AI summit with me. She's about six months to a year, probably more in implementing AI things. Now she's not doing it for cybersecurity, she's just doing normal workflows and everything. But now Kate, ironically enough, is doing a business specifically on working with people on getting them up to AI speed. But everyone, she's my Yoda, I'll go to her and saying, what about this? I need to talk through this. So it's not like I'm completely alone. I just am talking to someone who's jumping in the aircraft maybe a week earlier than me. And anyone who's on TikTok, they are flying through there and they're talking about AI things, I guarantee they just looked at that thing three days before and said, oh, I'm going to do a video about this because then it'll look like I'm an expert in this and it will look like they've been doing this for a year. But if you actually talk to them and say, when did you learn that before you filmed it? Oh, three days ago, four days ago. So how are you speaking with authority? It's like, I'm not, I'm just showing you what I did. I'm like, no, I've only, I've been doing cybersecurity for 25 years and I'm fully willing to say, hey, listen, just because it looks like it, I'm more of an expert than you. I've only been doing it a week. You could easily catch up to me and we could be working on this together. And that's my call to action for everyone in the industry. You're asked to do governance, you're asked to utilize it and you're asked to protect things with it. 
And juggling three balls simultaneously, it's intimidating and you feel like you're being left behind. Go back into vulnerability mode, which is ask yourself, just tell people. It's like, okay, I just started learning. Well, what are you doing? Which learning class I'm not. I just jumped in the plane and started. If I do this, do this. By the way, did you see what I did yesterday? If I pull back on the stick with enough speed, I was actually able to get the plane to do this thing. I will just call it a loop. Who did the loop for the first time? There was no training for that. Who's the first person that did a roll and then said this is a brilliant idea without crashing the plane? It's not like that was part of the schematics that the plane was built with. It's all of a sudden they played with it enough. But then it became a thing that was trained. We need you to do the loops, the rolls. Hey, let's add a bomb to this. Let's add a machine gun to the front of it. And by the way, we need to shoot through the propellers. Someone has to figure this out. Someone has to be that 20 year old drone operator that became the critical node in Ukraine's defense and offense. And we saw what they were able to do just recently.
A
I don't think we want to arm cybersecurity people.
B
Well, I mean now it's just it.
A
If we take this, explore, learn, be vulnerable, stay ahead, find an advisor. How do we deal with our corporate world at the same time? Because we're, we're faced with real things of, you know, people are attacking us, people are doing things. We're back in the war room now, you know, and in our corporate world, what should people be doing or CISOs or cybersecurity people be doing in their day to day that would help them to understand and manage AI?
B
You need to move from a framework of no to sunlight AI. You need to figure out a way to do a 55, 45 percentage split on yes versus no default answer to yes. How can we make it happen? Find those who are leaning forward into playing with AI to become AI champions in every part of the organization. So you could talk to them about how they're using the technologies. Because once you enable them a little bit, it's yes, yes, yes. It's not like blind yes. It's like, okay, let's do an experiment. Monitored one. Can we sit down next to you, ask questions when you're doing, we'll have a different perspective. But it's finding the 20 year olds that are using it. Maybe a 40 year old, it doesn't really matter. Someone who's flying their own personal drone around with a camera attached to it is like, hey, look what I did. And you sit down with them and said, okay, let me see, watch what you're doing and can you show me and can I start doing it? That champion in finance, in product and HR is going to be utilizing in such a different way. You can't centralize it. You have to see how they're using it and then ask them questions like, how do you know you're not exposing things? And like, oh, it's easy. And they're like, oh. Then you write that down, you solve it for your business. But the only way you're going to do this by learning, experimentation, move to a framework of yes, sunlight, AI and enablement and need to find. You're not. You need to find those initial people flying the plane. And it's not only business enablement. By doing this, security teams could watch, monitor and potentially assess. And it's like, okay, they're using it now. If they're using this, how can I protect what they're doing so they're allowed to continue to do this? You have to learn by doing. The only thing you could enable that is potentially by monitoring. It's going to take effort. There's no books. SANS is leading on this space and we show competency. It looks like we have all this. 
We're pulling in like Alan Paller did at the ICS saying how, as a community, do we help here? Myself as a leader, is going back to the basic principles of what happened in 1995, one year after DEFCON. This is so brand new. The ping of death was a thing. And everyone's like, whoa, magic, magic trick. I could kill Windows machines with the ping of death. That wasn't the concern. We were dealing with, you know, like Israeli hackers sitting in California, Solar Sunrise and all the Moonlight Maze and all these other major events that started to occur and no one knew what they were doing and everyone had to come together. Analogy happened in the military back then is they formed a unit, Joint task force, Computer Network Defense. Everyone in there is like, we don't have the book on this. We don't know what we're doing. That unit became Cyber Command four years later. And it's like the gestation of a bunch of people who are smart, who don't know what they're doing. Then they get training, then they teach capability like we did at SANS, like I did at SANS, without really knowing that. What I'm starting to build is a curriculum and an academic capability that is training people to replicate, not just say, hey, here's what I did last night. Isn't that cool? It takes us to come together. So, core question. What do you do? Enable AI in a way that you could deploy your team, maybe assign a security personnel per team to sit with the AI champion to, hey, you're my battle buddy now. I watch what you're doing. I will ask you questions. But if you go back to the typical model of centralization and then deployment, you will fail. You need to sit next to people who are doing experiments, who are playing, and you need the cybersecurity people, probably to watch them replicate what they're doing to get you thinking. But you also need to potentially, you know, we need someone on your team also playing, figure out, how do you do AI with cybersecurity? 
The protect people need to look at how people are using AI and their function to protect them. And it's different in finance than it is in HR, than it is in production. So it's hard, but it takes redeployment of security resources.
A
Yeah. As an example, when I was CIO of the last company, I gave it up to become a podcaster and make all this money. The idea of I would sit down with people and say, if you want to try this out, don't use our customer data. I can get you a data set to play with. And I think maybe that's a really great idea, is if you're out there and engage with people, you can help them explore without risking the company.
B
Yeah.
A
Because I think that's been a big thing. Left to their own devices, I can guarantee you they won't. They won't think about these things.
B
Yeah. It's like someone sitting on the playground and you could watch the group a little bit, but just assign secured personnel per team to watch the playing on the playground and to say, oh, maybe we need to put some sort of padding underneath that thing. AI is going to require a restructuring of your team and security personnel, maybe even hiring folks that will be sitting side by side in every single one of those units. And even in the military, they have a safety officer in every single unit that says, here's what I. It's not like single safety officer in the, you know, Air Force, Army was like, here's our policy universally. They need to see what that unit's doing to potentially implement what the safety protocols are for that specific unit.
A
Okay. And as we wrap up, I'm going to. I'm going to do what, what I think a lot of cybersecurity professionals would do. They're hearing this conversation going, you guys are a little.
B
Oh, no, hold on. You're.
A
You're a little airy fairy here, guys. Okay? Now I gotta face the reality. I got threats that are coming at me. I've got prompt injection. I've got all this stuff happening in my real world. You guys have a nice Saturday, Saturday morning chat. What am I supposed to do practically to survive? What would you say to them?
B
Realize that the only way to learn is by joining the community. Attend, and I'll say, we're doing summits at SANS. I have an AI summit that is happening in April, but we have over 50 hours of AI summit material from the past three years. We did our first AI summit six months after ChatGPT was released. Ton of material out there. You could go absorb that. Even using AI to load them into. Because they're just YouTube videos, you could load them all into NotebookLM, ask it questions, experts, basically tapping brain power around the world. Now to ask these questions to you, that is one way is like you have to engage the community, jump and join the AI Exchange. And no one's going to say, hey, you're writing the policy for EU AI Act. But they had to start somewhere too. And you sit around the smart people. Find a Yoda, not just a person that is like, hey, I have it down for cybersecurity, but probably it's even better. Find someone who's your Yoda that's just out there in the field doing cool AI things. Because a trick that they figured out for product may be a trick and technique that you could immediately apply to a cybersecurity process and workflow you're working with. So it's a combination of someone's going to save you. Here's your policy guideline, download template that you do, and here's A, B and C that you do in this regard. One, join the community to start tapping into resources and pulling people in with you that are saying, hey, we're learning this. SANS has a massive amount of resources and things you could digest. We have the critical AI controls, we have the blueprint, which something I came up with. Those three pillars, govern, utilize, protect. Because organizations literally come in, it's like, we need AI security. And I ask our team is like, well, what kind of and there's like, no, I was just told we need AI security, but I find it's no, it's really AI governance is what they're seeking. 
Well, that's a single set of classes that we have that basically will say here's what we currently know about the way people are interpreting DORA as it applies to AI. The classes that we do have, like in security operations, those might be a full day of material integrating AI workflows. What they currently know. We have a brand new class that's out there. Literally the entire class is focused on workflows. So some of this stuff is current knowledge, what we're currently teaching, but we don't have it all. Sorrel then on the protect side. So all three pillars are ways you potentially figure out which pillar you need to sit in to become the expert in. Probably not all three. Be the protect person, be the utilize person, or be the governance person. And then tell the organization, I'm going to learn this better than anyone else, but I'm going to go join those communities, including SANS, that seem to be leading with the more competency. But not the point where you're saying it's blind trust. We need you to join the conversation and realize that it's our responsibility to protect your family, our organizations and our nation.
A
Fabulous. Sir, last words for our audience. Anything you want to leave people with as we go, we let them go for the day.
B
I really want to know what your book title is again and where I could purchase that. I'll give you last words. All right, go back to that. I'm still that sinking in. My mind is always fascinating when someone on the technical side ends up writing a book. So what's your book?
A
Always glad to plug my book. A Tale of Quantum Kisses. It's an exploration of our life and the very near future in terms of AI and how we might coexist with a superior intelligence. A lot of fun. You can get it on Amazon, you can get it on Kindle. The audiobook came out this week. So you can get that everywhere. You can get audiobooks. I've discovered a lot of people don't read anymore. Everybody's listening to audiobooks while they're doing.
B
The dishes wash. Or podcasts, you know, or podcasting with us on this podcast. Well done. Send me an email saying I listened to the entire thing. I'll get two emails.
A
Done. There you go. Well, on this one you probably get. There's a good 10,000 people listen to this.
B
I'm hoping. I mean, you never know. I'm crying. Like, I think it's up to us, you doing this, me talking about this. Now you're going to talk about this. We have 10 people come off this, talk about this, and they're going to become vulnerable and they're going to rationalize and say, oh, I'm going to go into my team and say, hey, guys, I don't know what's going on, but I'm going to start learning this. We all need to be in this together. We're in that foxhole all scared. But if we work together, that's the way we get through this and we're going to be able to protect our families. And you know, I say that this is one technology that is permeating down to that level and that's why it's going to be a Thanksgiving discussion, is that you need to potentially internalize what we're talking about and start leading your own teams and expressing those, hey, you know, I don't have all the solutions. It's more than even than that. It's like I am now in kindergarten again and I'm learning a brand new language and I need to get, you know, very simple cic, run, DJ and.
A
Jump to tell you if that crazy old uncle that attends all of the Thanksgiving dinners is now showing you how he can edit photos on Google instead of talking politics.
B
We've done our Nano Banano, my friend.
A
Yes, Banana Banano. Yep. My guest today has been Robert T. Lee. He's the Chief AI Officer and chief of research at the SANS Institute. Thank you very much, sir. Glad to have had you for this chat.
B
Yeah, thank you. Pleasure to be here and happy to come back and talk about how things are going.
A
Great. And if you've stayed with us this long, bless you. If you want to find out more about AI, I'm going to tell Rob to send me some links and I'll put those with the show notes. I eventually get the show notes up there on technewsday.com, our regular site, so you can find them there. And I'll put some links up there. I'll put a link to the book and if you're really interested to sit down discussions. Every Friday we have Project Synapse and most of the time we broadcast those as a podcast on Hashtag Trending, our sister podcast. And you can hear three of us stumbling through what's happening in Elite and AI.
B
That's exactly what needs to happen. A lot of stumbling. I love it.
A
Thank you very much. I'm your host, Jim Love. Have a great weekend.
Date: September 27, 2025
Host: Jim Love
Guest: Rob T. Lee, Chief AI Officer and Chief of Research, SANS Institute
In this rich and candid conversation, host Jim Love sits down with Rob T. Lee of the SANS Institute to dissect the evolving relationship between artificial intelligence (AI) and cybersecurity. The discussion navigates the unique risks, immense opportunities, and everyday realities leaders and practitioners face as AI becomes embedded in business operations. Both speakers stress the necessity of continuous learning, vulnerability, and community in tackling this seismic technological shift, emphasizing that no single expert holds all the answers in this rapidly developing arena.
For resources mentioned, visit sans.org/ai and explore AI critical controls, summits, and consensus papers.
“If you’re leaning on your ‘AI expert’... just hand them the reins of the company and you step down, because you are effectively not useful any longer.”
– Rob T. Lee ([30:10])
“We all need to be in this together. We're in that foxhole, all scared. But if we work together, that's the way we get through this and we're going to be able to protect our families.”
– Rob T. Lee ([62:46])
Subscribe to ‘Cybersecurity Today’ for weekly updates, and check out Project Synapse for more collaborative AI learning journeys.