Capella University Sponsor (12:10)

Imagine what's possible when learning doesn't get in the way of life at Capella University. Our game changing flexpath learning format lets you set your own deadline so you can learn at a time and pace that works for you. It's an education you can tailor to your schedule. That means you don't have to put your life on hold to pursue your professional goals. Instead, enjoy learning your way and earn your degree without missing a beat. A different future is closer than you think with Capella University. Learn more at capella. Edu.

KnowBe4 Sponsor (12:43)

And now a word from our sponsor, knowbefore it's all connected and we're not talking conspiracy theories when it comes to infosec tools, effective integrations can make or break your security stack. The same should be true for security awareness training. KnowBeFor, provider of the world's largest library of security awareness training, provides a way to integrate your existing security stack tools to help you strengthen your organization's security culture. KnowBeForS security coach uses standard APIs to quickly and easily integrate with your existing security products from vendors like Microsoft, CrowdStrike and Cisco. 35. Vendor integrations and counting Security Coach analyzes your security stack alerts to identify events related to any risky security behavior from your users. Use this information to set up real time coaching campaigns targeting risky users based on those events from your network, endpoint identity, or web security vendors. Then coach your users at the moment the risky behavior occurs, with contextual security tips delivered via Microsoft Teams, Slack or email. Learn more@knowbefor.com SecurityCoach that's knowbe4.com SecurityCoach and we thank knowbe4 for sponsoring our show.

Dave Bittner (14:16)

Do you know the status of your compliance controls right now? Like right now, we know that real time visibility is critical for security, but when it comes to our GRC programs, we rely on point in time checks. But get this more than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the Vanta brings automation to evidence collection across 30 frameworks like SoC2 and ISO 27001. They also centralize key workflows like policies, access reviews and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com cyber that's vanta.com cyber for $1,000 off. Danny Allen is Chief Technology Officer at Snyk. I recently caught up with him to talk about how a balanced approach between AI and human oversight can strengthen cybersecurity.

Danny Allen (15:39)

AI is clearly a focus for most organizations right now. From CEO to CIO on down, organizations are asking, how can I effectively use AI that is not an exclusion for the development organization which we regularly meet with. And so what we wanted to do is understand how organizations were thinking about AI and how they were rolling it out within the organization. And so this led to a survey by Snyk of 400 organizations with 1,000 or more employees.

Dave Bittner (16:11)

Well, let's go through some of the findings together here. What are some of the things that caught your eye?

Danny Allen (16:16)

Well, the thing that probably stood out the most to me is that the C suite so CEOs, CIOs, etc. CISOs were five times more likely to rate AI coding tools because we were specifically honing in on development and AI coding tools as not risky at all. Not risky at all as compared to the application security folks who were saying they were risky and the numbers there, I think 5% of the application security team were saying, hey, these are not risky. Where for the C suite, 25% of them said not risky at all. So there's clearly a disconnect between executives and the application security team. It's probably the most significant standout from the report for myself.

Dave Bittner (17:02)

No, that's an interesting disconnect there. What do you make of that? What do you suspect might be driving it?

Danny Allen (17:09)

I suspect that application security folks are very in tune with security issues and tend to be more paranoid. They have a lengthy history of dealing with security and when it comes to AI, of course security is the top concern. And so they just look at it as a new type of infrastructure. We need to be concerned about security. Executives, on the other hand, are not looking at it from a negative perspective of I need to be paranoid about this. Executives instead are looking at it and saying, how can we be productive in using this. And so they are looking at it more optimistically than the security team who are looking at it and say, what are the risks associated with this?

Dave Bittner (17:48)

Now one of the things that caught my eye was this finding that organizations may not be making the proper preparations when it comes to AI coding security. Can you explain that for us?

Danny Allen (18:02)

Yes. So on the development side, what we found is that two of three devs, so 66% of developers were saying they weren't being trained on AI security. And if you think about this logically, a developer can take code and put it in ChatGPT and say, can you make this faster or more efficient? Or convert this to a different language. There's obviously security concerns about that because they just took proprietary code and put it in ChatGPT. And so one of the things that organizations are not thinking about is developers that are trying to be more efficient and they're using AI to be more efficient. But they haven't been trained on the security concerns that come along with the use of this AI. And what you find is that most of the organization, it's the proprietary information that they're trying to optimize because it's their crown jewels and they're saying, how do I do this more effectively? Having security training around that is obviously critical.

Dave Bittner (19:03)

Yeah. What are the take homes here in terms of lessons learned or words of wisdom for folks to take away from this report? What do you hope they get from it?

Danny Allen (19:13)

Well, I really hope that organizations realize that AI first of all is extremely effective and it helps organizations to be so much more productive. So this is in no way meant to say don't use AI. Instead it's to say we should be using AI to make our organizations more productive, to develop more quickly. But we also need to be thinking about the guardrails that come along with that AI. And those guardrails can be at a people level. So for example, training developers on how to use AI more effectively, they can also be at a process level so that they're trained on how to use the AI within their daily workflows. And then also at a security level, there's many ways that we can put in security controls that as organizations are using AI, they're doing it in a way that conforms with the corporate policy.

Dave Bittner (20:05)

Do you have any guidelines for best practices for folks to kind of dial in the balance between effective use of AI but also the necessity for human oversight?

Danny Allen (20:19)

I'm not yet convinced that AI is ready to be completely autonomous. Some human oversight is valuable, I think of self driving cars. I'm not yet ready to get in a self driving car and say drive me across the country, still need to be sitting in the seat with my hands on steering wheel. However, that being said, you want to do it in a way that takes advantage of what the AI is giving you. In other words, if you're in a self driving car, of course you can pay attention to the traffic, but you don't have the stress associated with it. And I think that's the same way when it comes to AI within the organization. You don't want to be slowing down the organization. You don't want the guardrails to be so onerous that it doesn't allow them to achieve the outcome and that they are achieving the benefit of it. But you do need to have those guardrails in place.

Dave Bittner (21:10)

Our thanks to Danny Allen from Snyk for joining us. We'll have a link to Snyk's AI readiness report in the show Notes.

KnowBe4 Sponsor (21:32)

And now a message from our sponsor Zscaler, the leader in cloud security Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year over year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security Zscaler 0Trust AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement Connecting users only to specific apps, not the entire network. Continuously verifying every request based on identity and context Simplifying security management with AI powered automation and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more@Zscaler.com Security.

Dave Bittner (22:54)

And finally, CES. The Consumer Electronics show is all about futuristic gadgets designed to improve lives. But sometimes innovation veers into eyebrow raising territory. Enter the Worst in Show awards, where dystopia experts highlight the most repair challenged, privacy invading and unsustainable tech. Topping the list of face Palms Ultra Human's $2,200 luxury smart ring, which lasts just 500 charges before becoming irreparable bling. Two years of use for that price. A new low, quipped Ifixit CEO Kyle Wiens. Next up, Bosch's AI powered crib promising to rock babies to sleep and track their vitals. The Electronic Frontier foundation dubbed it surveillance for your infant, packing cameras, mics and radar into what should be a privacy safe sanctuary. The least sustainable prize? Soundhound's AI in Car Commerce system encouraging wasteful takeout and distracted driving. And TP Link's router won least secure thanks to vulnerabilities that prioritize government alerts over user safety. Finally, the overall winner. That would be LG's AI refrigerator, flashy, pricey, and doomed to premature obsolescence. And that's the CyberWire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com this episode was produced by Liz Stokes. Our mixer is Trey Hester, with original music and sound design by Elliot Peltzman. Our executive producer is Jennifer Ibin. Our executive editor is Brandon Karp. Simone Petrella is our president, Peter Kilke is our publisher, and I'm Dave Bitner. Thanks for listening. We'll see you back here tomorrow.