Dave Buettner (9:59)

What's your 2am Security worry? Is it do I have the right controls in place? Maybe? Are my vendors Secure or the one that really keeps you up at night. How do I get out from under these old tools and manual processes? That's where Vanta comes in. Vanta automates the manual work so you can stop sweating over spreadsheets, chasing audit evidence and filling out endless questionnaires. Their trust management platform continuously monitors your systems, centralizes your data and simplifies your security at scale. And it fits right into your workflows. Using AI to streamline evidence collection, flag risks, and keep your program audit ready all the time. With Vanta, you get everything you need to move faster, scale confidently and finally get back to sleep. Get started@vanta.com cyber that's V A N T A dot com cyber and now a word from our sponsor, ThreatLocker, the powerful zero trust enterprise solution that stops ransomware in its tracks. Allowlisting is a deny by default software that makes application control simple and fast. Ring Fencing is an application containment strategy, ensuring apps can only access the files, registry keys, network resources and other applications they truly need to function. Shut out cybercriminals with world class endpoint protection from Threat Locker.

Maria Varmazes (11:42)

Dave Buettner recently sat down with Manoj Nair, who is the Chief Innovation Officer at Snyk, to explore the future of AI security and the emerging risks that are shaping this rapidly evolving landscape. Here's their conversation.

Dave Buettner (11:55)

So today we're talking about AI security and your outlook on that. I would love to start with some high level stuff here if we could. Can you give us your perspective on sort of the state of things when it comes to AI and security? Where do you suppose we find ourselves at this moment?

Manoj Nair (12:15)

I think we're at the very early innings of really understanding the security risks for AI. I think like every wave in technology we are about probably in the first few innings of adopting the technology, but security is usually following the actual technology innovation. And so people are starting to understand the risks, but kind of early in understanding what do you do about the risks and the risks are also, you know, just emerging as we speak.

Dave Buettner (12:50)

Well, we've seen transitions over the years. You know, you think about folks moving to the cloud and things like that. Does this one strike you as being different?

Manoj Nair (13:00)

I think both the speed of the technology transformation and the understanding of security, both are, both are different in that they are moving at what I call the AI speed. I think the good news is there is a bigger understanding when I talk to a lot of very large companies and CISOs and enterprises. I think, for example, just contrasting with the cloud era that took a few years Several years after cloud became mainstream, I think for the security professionals to truly understand that the risks are different and they need to own it and do something different. I don't see that with AI. I see a leaning in of the security teams wanting to know what to do different, wanting to be close to the business, enable the business understand the risks, understand that they cannot be just saying no. And so there's a lot like that for me is pretty marked differentiation between these two technology waves.

Dave Buettner (14:01)

Well, let's dig into some of the risks. I mean, what are some of the things that are top of mind for you in terms of the things that have your attention and your concern?

Manoj Nair (14:12)

Let me break it down maybe into a couple of the key use cases that we see. From where I sit and where the company sits, one of the in our personal lives, AI adoption is chat, video, voice, all of these use cases, all of us are using it every day, our kids are using it. So it's all kinds of fun that we can talk about. On the work front, code has become like the chat like use case, right? So there is, you know, it used to be just copilot three years ago. There are tons of companies here, some that are breaking every record. Companies like Cursor and windsurf, anthropic and OpenAI themselves have introduced coding assistance and agentic AI IDEs and agentic orchestrators. So there's three generations of code related innovation that has already emerged in the AI space. And so ground zero of the risks is the magic of LLMs that we all like is they're, oh, look at this, they thought of this unique thing and it's just them using all the training data that they have and manifesting results in different ways that we think is magic. On the code side we call it hallucinations. And hallucinations are really bad for security. And so one of the biggest things that three years ago was education and today I don't find the CISO is not aware that it is improving, but that security risk is actually profound in that it's much higher than human produced code. Will it get better? It will, but there's also a human psychology element there where especially the junior developer tends to think that anything that the machine produces is accurate. So that is a huge set of capable risks emerging from that, whether it's SQL injections getting into the code and no one is catching it until late, or package risks, malicious packages. We saw some recent attacks over the last few even weeks where people are creating malware and open source packages and these LLMs are hallucinating packages that don't exist in a predictable way. So they go post malware. It's called typo squatting. So all these terms are emerging, these risks are emerging, whether it's code or the packages or the supply chain. So there's a new set of, I would say, coding and supply chain risks emerging with just the first use case. Right. And I'll pause there because then there's that next set of things that people are doing with LLMs.

Dave Buettner (16:59)

Well, before. Yeah. So before we get to the next step, let me ask you this. I mean, have we hit the point yet where it's worth it, where it's not just aspirational to hope that these LLMs are going to actually return on their investment when it. From a coder's point of view.

Manoj Nair (17:22)

I think the productivity is there. I do see some occasional research that says because of so many other things that they now have to deal with. If you think about a typical engineer these days, there's research that we have done, others have done. This is you don't spend more than, let's say, somewhere between 10 to 30% of your time coding. So if you truly look at the full software development life cycle, you got to understand that AI has got to impact all of that. And we are seeing innovative companies who are trying to impact that entire software development life cycle, all the way from design to code to test. And until that happens, and that happens with proper guardrails, it is hard to find that full productivity impact that's promised. But today there is that euphoric moment where some of the busy work can go away. Or if you're not a regular developer, you're now able to code again. Or this term citizen developer emerges. But I talked about my two roles. I love that my marketing team, that some of them have never looked at code before, able to use some of these, wipe coding apps and create technology. That doesn't mean I'm going to just deploy that in production without a lot of checking and security guardrails. So the pain moves somewhere else. And to truly get the full productivity benefit, which I'm a believer that we will get, you do need to have the proper expansion of both the technology guardrails, like AI that can secure AI might be a simple way of thinking about it, but also AI that can test AI, AI that can do PR checks for AI. So new innovation needs to figure out what is the new new sets of pain points it's creating and then find solutions for that too. That's happening. It's happening real time.

Dave Buettner (19:19)

Well, given these realities, what's your advice then for the folks who are charged with protecting their organizations? What are your words of wisdom?

Manoj Nair (19:28)

My first question I ask any CISO is do you know what the devs are doing in terms of building gen AI apps and LLM apps and MCP servers into their code? And the answer is, you know the answer. And so start with visibility. Like everything else, you know, where's the shadow AI happening in your organization? I've been on calls where CTO and the CISO are both on the call large organization. And you ask the question, how many models do you have in production? One goes, we don't do, we don't deploy AI right now. You can imagine this is security professional. And then the other build site team goes, thousands. And so this is the dichotomy that's there. So start with visibility and once you start with visibility, then just follow traditional security principles. You're not going to say no because the pressure is from the C levels in the board. Can you work with your technology counterparts to figure out what's the proper governance model? Do you need to use every one of the 2 million models in hugging face? Does the dev team really need that access or could you find a few secure ones? Then of course as a security professional, you're going to find what tools allow me to know how do you approve and disapprove some of these models. And so this back and forth like collaboration is key, visibility is key. Finding tooling that can move at the pace of AI is key. So find who are the providers who are being very innovative because you're not going to see it from most of your. If you're a security professional thinking that my traditional endpoint or traditional network company is adding some AI features and that's going to help me here. The problem is AI is really code and it's being built and it's being downloaded. We call these terms inferencing, using GPUs to run these models. All that is very dynamic. It's going between, you know, acting and inferencing and using data fairly quickly. So what are the dynamic set of capabilities? I need as a security professional to allow the team to be very innovative while sensing and reacting and putting governance in place and putting visibility in place, but also figuring out how do I really know how the model is behaving after deployment and bringing all of that data back to continuously update the policy. So something like that one is just educate yourself. We are holding the first industry event In San Francisco October 22nd, 23rd it's called the aisecuritysummit.com it's free. It's us partnering with an organization called AI Engineer. They're the ones who held the largest AI engineering conference in June. 3000 plus AI engineers and all the leading AI companies were there. So this is an industry event founded by Snyk, an AI engineer. We got CEOs of 10, 15 companies there and there's a practitioner track and there's a leader track. I mean finding events like this to really educate yourself on what is the state of art of agentic gen AI development and then what is the best practice ways to start educating and training your team to have these AI security engineers who can be paired with AI engineers to really be able to go drive the security of gen apps. That would be my recommendation.

Maria Varmazes (23:05)

That was Manoj Nair sitting down with Dave Bittner to explore the future of AI security and the emerging risks shaping this rapidly evolving landscape.

Manoj Nair (23:19)

Foreign.

Dave Buettner (23:28)

They know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales's industry leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest roi. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most. Applications, data and identity. That's Thales. T H A L E S learn more@talasgroup.com Cyber.

Maria Varmazes (24:15)

When did making plans get this complicated? It's time to streamline with WhatsApp, the secure messaging app that brings the whole group together. Use polls to settle dinner plans, send event invites and pin messages so no one forgets mom 60th and never miss a meme or milestone. All protected with end to end encryption. It's time for WhatsApp message privately with everyone. Learn more@WhatsApp.com facial recognition is becoming part of everyday life, from unlocking our phones to verifying our identities online. But for millions of people that are living with facial differences, that technology can be more of a barrier than a convenience. There's new reporting from Wired that reveals that some individuals are being locked out of their essential services, like renewing driver's licenses, accessing financial accounts, or even just verifying their identity simply because the systems can't recognize their faces. Experts say that the issue stems from algorithms that weren't trained with enough diversity, leaving people with craniofacial conditions or other differences literally unseen by the technology. And advocates warn that this isn't just some technological glitch. It is a solid reminder that when AI systems fail to include everyone, they can deepen long standing inequities and isolation. They're calling for more inclusive design and human support when automated systems fall short. It's proof that even advanced AI can sometimes miss what's right in front of it.

Manoj Nair (26:04)

Foreign.

Maria Varmazes (26:08)

And that's the Cyberwire Daily brought to you by N2K CyberWire. For links to all of today's stories, check out our daily briefing@thecyberwire.com hey CyberWire listeners. As we near the end of the year, it's the perfect time to reflect on your company's achievements and set new goals to boost your brand across the industry next year. And we would love to help you you achieve those goals. We've got some unique end of year opportunities, complete with special incentives to launch 2026. So tell your marketing team to reach on out. Send us a message to Salesthesyberwire.com or visit our website so we can connect about building a program to meet your goals. We'd love to know what you think of our podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing, changing world of cybersecurity. If you like the show, please hear a reading and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k.com N2K's senior producer is Alice Carruth. Our producer is Liz Stokes. We're mixed by Elliot Peltzman and Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ivan. Peter Kilpie is our publisher and I'm your host Maria Varmazes in this week for Dave Buettner. Thank you for listening. We'll see you tomorrow. Here we have the Limu Imu in.

Dave Buettner (27:47)

Its natural habitat, helping people customize their car insurance and save hundreds with Liberty Mutual. Fascinating.

Manoj Nair (27:56)

It's accompanied by his natural ally, Doug.

Maria Varmazes (27:59)

Uh, Limu is that guy with the binoculars watching us.

Manoj Nair (28:02)

Cut the camera.

Dave Buettner (28:03)

They see us. Only pay for what you need@libertymutual.com Liberty Liberty Liberty Liberty Savings Very underwritten by Liberty Mutual Insurance Co. Affiliates excludes Massachusetts Cyber Innovation Day is the premier event for cyber startups, researchers and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration and funding. The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. discover the startups building the future of cyber. Learn more at CID Datatribe. Com.