B (14:32)

My role focuses on securing Adobe's products and platforms and we do that with a strong emphasis on AI. By that we mean both how we use AI to improve security and how we secure AI itself. Talking about My background, generally speaking, my career has been shaped by working across industry, community and academia. And that has actually influenced how I think about AI today. One of the biggest lessons for me was security doesn't scale through technology alone, it scales through people. And that's why I was pretty excited to join our conversation.

A (15:07)

Well, when AI first started showing up in your security workflows at Adobe, what did that moment feel like inside the organization? Was there excitement? Was there some skepticism, or a mix of both?

B (15:20)

Definitely a mix of both. At the same time, nothing we build happens, especially around AI, happens in isolation. At the end of the day, regardless if we are a skeptic or not, once we build it, it's a result of trust, it's a result of curiosity and of course, collaboration between the skeptics and the less skeptics. And at the end of the day, it's a matter of a shared belief that great tools only matter if we invest just in as deeply in our people. So I think that was one of the cornerstones here. That's how I look at it.

A (15:58)

Tell us about an early conversation or a turning point that made you realize that AI was going to require a cultural shift, not just a technical one.

B (16:09)

If I think about some of the misconceptions around AI, one of the biggest ones I see is we tend to look at AI as a shortcut when at the end of the day it's more of a force multiplier. So it does deliver great value when it builds on strong fundamentals. And I feel that going back to one of those first conversations, that strong fundamentals piece was what mattered a lot. So when we have clear ownership, high quality data, well defined threat motors and so on, AI tends to help us surface those insights faster and strengthen the security outcomes. But in many cases, while it brings clarity to the area that are already hard to see, it also surfaces some of the pain points even greater. I feel that's a very interesting way in how AI helps us both in surfacing and speeding up stuff, while also surfacing more. Some of the challenges that there are there.

A (17:21)

When you say surfacing some of the challenges, are there any examples that come to mind?

B (17:26)

If the data that we put in there is not healthy, if the number of, for example, the number of alerts we have is not relevant, I think that AI creates that elevates that to an even worse level. Think about the trust in AI. Another misconception there is that AI naturally takes care of itself, and trust in AI actually naturally takes care of itself. While in reality, I feel that teams need education and transparency to use AI when we do not understand how it works. Speaking of those skeptics, in the beginning they avoid it or work around it, which reduces visibility. So that creates a problem of the input data that we have too. So when they do not understand its limits, they rely on it too heavily and stop asking questions. So this is an interesting mix and I would actually like to say it again because that's how important I feel it is. So trust in AI naturally takes care of itself. That's a misconception. In reality, teams need education and transparency to use it well, to use AI well. So when people do not understand how AI works, they avoid it or work around it, which reduces our visibility as a security team. But when they do not understand its limits too, they rely on it too heavily and stop asking questions. So for me, that's a very interesting intersection that we have in the use of and adoption of AI.

A (19:25)

Now, you built a team internally, you call it the Security AI Guild. Where did that idea come from?

B (19:34)

So from the Security AI Guild came from the idea that we need to support our folks, but we didn't want to focus on a very formalized program or we wanted it to be more of a natural adoption. So what we actually did, instead of coming with a very stiff framework, for a lack of a better word, we decided to come up with a set of principles. So as long as people adhere to those principles, we definitely consider them part of the AI guild. So the whole idea behind it is just to keep things effective so we get to understand the positive impact that AI has in security and beyond. Very, very fast. And we only have three of them. Three principles. First, outcomes come first. By that we mean every effort is tied to a real security problem. We want to have impact and we want to have it fast, and we wanted to have it on the problems that we care about. Second, ownership. It's clear in every product and in every initiative or project that we deliver as part of the Security AI Guild, there is always a path to production or handoff. And then third, learning is shared. Both successes and failures are visible to everyone. That enabled us to develop the Security AI Guild as not just another meeting. The way to look at it is the Security AI Guild is a cross team community at Adobe that brings together security engineers, AI engineers as well as product teams to work on real security problems. That's the key point there. The real security problems using AI. It's not a think tank, is not just a recurring meeting. So it's not a think tank. It is not a recurring meeting. It's basically an execution engine, as mentioned, focus on real outcomes.

A (22:00)

I know you've mentioned that it's really been important to build a culture within Adobe. You've said that trustworthy AI is designed socially, not just technically. What does that mean in practice inside such a large enterprise?

B (22:17)

At the end of the day, from a cultural perspective, we need to cut across traditional boundaries and we need to think about AI as a force to do just that. Cut across traditional boundaries. Not a single team, no single team has all the context. Especially from a security perspective, we need to understand risk, which the security team does. Data scientists understand the models, product teams understand the users, and so on and so forth. So coming back to the guild, it actually creates that shared space where those perspectives meet and have the ability to experiment responsibly. And that's also a key word, the responsibility piece of it. Some of the examples. Coming back to the examples, let's look at how we use AI in security. We use AI to scale the vulnerability, discovery and triage. So we do use it to help our security engineers focus on what actually matters. Cutting through noise, surfacing real risk area, and then keeping humans firmly in the decision room. And that's something that we particularly care about. And then from a detection and response perspective, AI helps us connect the dots faster. People do stay accountable for understanding, validating and acting on what the system surfaces. And then how do we secure AI itself? That's a very interesting and challenging aspect at the same time, very, very rewarding. So from threat modeling to guardrails to human in the loop design, some of our most important security work today is security AI itself. So how do we build those guardrails, how do we develop those threat models and who wanting the loop design? So AI earns trust, not just assumptions. I shared three examples. I feel that across all three examples, the pattern is the same. AI accelerates insight, but trust comes from the culture, which is basically built on shared responsibility, transparency, and then humans staying accountable for the outcomes.

A (24:45)

What would be your advice to other companies who want to start building this kind of AI security culture? Do you have any words of wisdom based on the experience that you've shared at Adobe?

B (24:58)

I don't have words of wisdom. What I do have is what worked for us and what we learned. I feel that the biggest lesson is to start with people, not platforms. So for organizations starting out, I would say that the first 90, 60, 90 days should focus on shared learning, clear principles similar to the ones I shared earlier, or develop their own principles. And a safe space to experiment. I would stay away from like mandates or hype. So let me, let me rephrase that. For organizations starting out the first 60 to 90 days should focus on shared learning, clear principles and safe spaces for experimentation. And yes, not mandates or hype. That's how I look at it. And no one should do this alone. I would highly rely on partnerships across industry, community, academia. These are essentials because we are at the beginning of this and we are all struggling or experimenting. And this is probably even more important for us. It is probably even more important for us to stay close to the industry, community and academia. Yeah, that's how I feel about it.

A (26:35)

When you look ahead, what gives you confidence that organizations can build these AI systems that are both powerful and trustworthy?

B (26:45)

AI forces us to rethink how trust is built. You can't boil trust on after deployment. It has to be part of how teams learn, collaborate and make decisions. So going back to the cultural ingredients, I would say that we need to focus on shared responsibility. So AI decisions shouldn't sit on one team or one role. Security, product, data science, everyone shares the responsibility and then transparency and explainability. I feel that people trust systems they can reason about, not just systems that perform well. Enablement over enforcement. It's something that I really care about. So we invest heavily in upskilling so teams feel confident using AI responsibly and not being afraid of it. One thing I learned and actually captured in our security AI enablement work is that training alone is not enough. Teams need that shared language and hands on experience as well as clarity. And then another critical cultural ingredient for me is that human interlock by design, AI is assistive, not autonomous. Humans do stay accountable.

A (28:06)

That's Daniel Barbou, Director of EMEA Security at Adobe. When it comes to mobile application security, Goodenough is a risk. A recent Survey shows that 72% of organizations reported at least one mobile application security incident last year and 92% of responders reported threat levels have increased in the past two years. Guard Square delivers the highest level of security for your mobile apps without compromising performance time to market or user experience. Discover how Guard Square provides industry leading security for your Android and iOS apps at www.guardsquare.com. Ever wished you could rebuild your network from scratch to make it more secure, scalable and simple? Meet Meter, the company reimagining enterprise networking from the ground up. Meter builds full stack zero trust networks including hardware, firmware and software, all designed to work seamlessly together. The result? Fast, reliable and secure connectivity without the constant patching, vendor juggling, or hidden costs. From wired and wireless to routing, switching, firewalls, DNS security, and vpn, every layer is integrated and continuously protected in one unified platform. And since it's delivered as one predictable monthly service, you skip the heavy capital costs and endless upgrade cycles. Meter even buys back your old infrastructure to make switching effortless, transform complexity into simplicity, and give your team time to focus on what really matters, helping your business and customers thrive. Learn more and book your demo@meter.com cyberwire that's M E T E-R.com cyberwire. And finally, for decades, if you wanted to track your heart rate, you needed a smartwatch, a medical device, or at least something strapped to your body. Now, researchers at the University of California, Santa Cruz, suggest your WI fi router might quietly do the job. Instead, their prototype System, charmingly named PulseFi, uses ordinary Wi fi signals and a machine learning model to detect the tiny disturbances caused by a beating heart. In tests with 118 participants, the system measured heart rate with near clinical accuracy in as little as five seconds, even if people were sitting, standing, walking, or lounging several meters away. The setup relies on inexpensive hardware, meaning the technology could eventually be deployed cheaply in homes. In other words, your WI fi may soon know your pulse, whether you asked it to or not. And that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwarner@n2k.com N2K's lead producers, Liz Stokes, were mixed by Trey Hester with original music and sound design by Elliot Peltzman. Our contributing host is Maria Vermazes. Our executive producer is Jennifer Ibin. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. If you only attend one cybersecurity conference this year, make it RSAC 2026. It's happening March 23rd through the 26th in San Francisco, bringing together the global security community for four days of expert insights, hands on learning, and real innovation. I'll say this plainly, I never miss this conference. The ideas and conversations stay with me all year. Join thousands of practitioners and leaders tackling today's toughest challenges and shaping what comes next. Register today@rsaconference.com cyberwire26 I'll see you in San Francisco. Most security Conferences Talk about Zero Trust Zero Trust World puts you inside. This is a hands on cybersecurity event designed for practitioners who want real skills, not just theory. You'll take part in live hacking labs where you'll attack real environments, see how modern threats actually work and learn how to stop them before they turn into incidents. But Zero Trust World is more than labs. You'll also experience expert led sessions, practical case studies and technical deep dives focused on real world implementation. Whether your Blue Team, Red team or responsible for securing an entire organization, the content is built to be immediately useful. You'll earn CPE credits, connect with peers across the industry and leave with strategies you can put into action right away. Join us March 4th through the 6th in Orlando, Florida. Register now at ztw.com and take your zero trust strategy from Theory to execution.