Windows 11 College Deal Announcer

Study and play come together on a Windows 11 PC and for a limited time, college students get the best of both worlds. Get the Unreal College Deal everything you need to study and play with select Windows 11 PCs. Eligible students get a year of Microsoft 365 Premium and a year of Xbox Game Pass ultimate with a custom color Xbox wireless controller. Learn more@windows.com studentoffer while supplies last ends June 30th terms at aka mscollegepc

Red Bull Summer All Day Play Announcer

ready to soundtrack your summer with Red Bull Summer All Day Play? You choose a playlist that fits your summer vibe the best. Are you a festival fanatic, a deep end dj, a road dog, or a trail mixer? Just add a song to your chosen playlist and put your summer on track. Red Bull Summer All Day Play Red Bull gives you wings. Visit red bull.com brightsummerahead to learn more. See you this summer.

Dimple Alawalia

Foreign.

Mia Sorrenti

Technology stretches the definition of progress to new horizons. But with the advance of AI and other technologies, the very idea of progress doesn't seem to accommodate the levels of growth we continue to see. Every new discovery is the beginning of a new beginning. AI will soon be surpassed as the latest innovation by either quantum computing, hyper automation or a new endeavor which has yet to be discovered. Hello and welcome to the age to come, brought to you by Intelligence Squared in partnership with IBM. I'm producer Mia Sorrenti. Throughout this year long programme we will explore together how new technologies will reshape human experiences over the arc of a lifetime. And you're about to hear the second of those live conversations recorded live in London where journalist Kamal Ahmed explores how cybersecurity is becoming central to economic growth, national security and public trust. Kamal was joined by guest John Sopel, former BBC North America Editor and co host of the Newsagents podcast Dimple Alawalia, Global offering leader for IBM Cyber Defend within IBM Consulting, and Matt Rowe, Chief Security Officer at Lloyds Banking Group. Together they explore the current state of cybersecurity, how prepared we are and what we might face in the future. Kamal begins with the 3am test, a scenario posed by IBM's Gavin Kenny that explores how people can make risky decisions under pressure, even when they are trying to do the right thing. Let's join Marl, John, Dimple and Matt now for more.

Kamal Ahmed

Gavin Kenny, Security expert colleague of yours Dimple from IBM. He he made a very interesting point to me whilst I was interviewing him about cybersecurity and he said have you ever considered Kamal the 3am test and how many people fail the 3am test and Dimple, this was a 3am test that he set for me and I must admit I have borderline, almost failed it. But I want to ask you as a cybersecurity expert, if you've ever found yourself trapped in this moment. And the 3am test is this. And this gets to the idea of security not always being about malevolent actors, but just being about trying to do your best.

Matt Rowe

Sure.

Kamal Ahmed

So 3:00 o' clock in the morning, you suddenly get this urgent requirement that you need to deliver some work for that morning and you are sent a data set about a crisis situation that you cannot open. And however much you try to open it on your computer, this is completely legitimate. It's come from person, you know, it's not a phishing, it's not a phishing thing. And then suddenly your computer offers you all sorts of methods for opening that data set and you're scrolling through, you're thinking, I've got to get this thing open. This thing really, really matters to my business, to my clients, to my partners. Has there been a moment, Dimple, where you've almost pressed the wrong button or even maybe it's the right button and you thought, I'm just going to get that thing across because I need to open this data set?

Dimple Alawalia

Yeah, you know what? I believe it. I think that's why so many organizations tend to do, I'll call it an efficacy test because everybody gets inundated with all sorts of education and so let's put it to test. And we do find that right. My 3:00am okay, it won't be work related in the sense that we're far too clever, but life, no, but, no, no, no, no. I wish that was the case, but I think life test. So I'm a doting aunt of many and holiday season I found myself a couple years ago and that particular holiday season I found myself in a bit of a panic because I had not done my responsible duties of being that doting aunt and ordering all the gifts. So there must be somebody or some algorithm, something like I was in this frenzy of just ordering stuff and making sure it gets delivered in different parts of the world. And in between all my confirmation of emails that yep, order accepted, order processing, order shipped, I received a note that says there was a order declined or that the courier couldn't deliver it. And if I wanted to check on the status of it, just click now. I will admit all my cyber training and experience and being that practitioner at heart was not what I was thinking at that 3:00am moment. And it may have been 2:33, you know, I think it's pretty darn close and of Gavin of picking that time frame and I did find myself almost clicking on that link to see which poor child, a niece, nephew of mine, was not going to be getting a gift from their aunt. So, yeah, I think it's a human thing.

Kamal Ahmed

Yeah. Matt, as an expert in this field, can you sense that colleagues, others, you can see when someone is trying to do the right thing with no malicious intent and they're at a moment of a degree of pressure, maybe tired, and it's a crisis situation and it's a completely genuine request that there can be a tendency to fail the 3am test. And has it ever almost got to you?

Matt Rowe

Obviously never. And it's the same. So I've had a few moments where I've got very close and then caught myself because we are all human. And I guess the broader point I'd make here, our work leading security programs, is to design out the need for the humans do the correct or the right thing to know exactly what to do at all times. And if they make a mistake because they're tired or stressed or whatever, that can be catastrophic. We have to design that out. Any security model that is dependent on the human always knowing the right thing and doing the right thing is ultimately going to fail. So that's the big picture. We have to get to a place in the design of our security controls where it's not dependent on the human at 3am avoiding clicking that link, which kind of seems similar to the thing that we're actually trying to do.

Kamal Ahmed

John, you and I are journalists, often at the absolute edge of sort of deadlines, timings, dealing with lots of incoming information and demands then to create outputs from those incoming, that incoming product to us. And you have to be on air in 20 seconds, they're counting you down in your ear. Something asks you a question that you think, I need to see this before I Go on. 15 seconds to go, John, counting you down. 15, 14. Has there been. That's a sort of 3:00am moment that you and I possibly live through much More often than 3am how long do

John Sopel

you want me to spend answering? Look, I was, you know, as you said in the introduction, I was the BBC's North America editor. And so London was always five hours ahead of Washington, which is where I lived. And so there would often be 3 o' clock in the morning calls because it was 8 o' clock in the morning, London, and you'd get some mad call from the, the duty editor on the desk saying, this has happened, we want you to be on the next flight out and we've booked you on a flight at 6:30 in the morning from Reagan National Airport or whatever. And there was one time when I got a call, I was woken up in the middle of the night. I wrote a note which I thought was to the foreign editor saying, can you tell he's a total and he doesn't know what the he's doing. And I sent it to him directly because I was half asleep, I hadn't thought of what I was doing and had a bit of explaining to do why I'd sent this email in some place. And that is the sort of thing where we almost make that mistake. And yesterday and today I was in Paris at a conference that I was sort of slightly involved in. There was this whole session on cyber and the CEO and chairman of this company, which is a globally significant company, and they had a reception at the Rodin Museum last night and it was very plush and champagne a go go. And they had hired two magicians. And the magician said, give me your phone to the chief executive. And the chief executive hands over his phone and they're mucking around with his phone. And I'm thinking, if your head of security could see what you have just done,

Dimple Alawalia

I'm envisioning this.

John Sopel

And on stage that afternoon, this guy had been talking about the critical importance of cybersecurity and dealing with the threats and don't doing stupid. And here he was handing his phone to two magicians who were, yeah, I mean nothing malicious happened, but people who know better do dumb stuff.

Kamal Ahmed

So that's about Matt, to your point, taking the human actually out of the loop, putting them in it in any sense, which I think is really important. A couple of points in the research that the brilliant IBM and Intelligence Square put together for me for this, which I must admit I found quite shocking. When AI became consumer, the whole debate on AI changed. Of course, AI is many different things and has been with us for many decades. But when it became a consumer product under ChatGPT, the whole basis of the conversation changed because suddenly everybody could have an engagement point with artificial intelligence and it became very real. So that's been where the conversation is. But in IBM's annual cost of data breach report, it does seem to the points you've all made that there are so many moments when you can skip over security because particularly agentic AI systems can seem to have a quick fix. You think, oh well, I could just fix that little productivity thing. But you haven't layered on the security implications of what you're trying to do. The average cost of a data breach is $4.44 million to a business. And in America, which I would have imagined would be different, the actual cost is far, far higher. Presumably that's around size as well as number of companies within it. 10.22 million the average cost in dollars. And health care. The health care sector, which both officially and for our own well being, is one that lots of us in this room will be engaged in, is the one which remains the one that suffers under the most expense when it comes to breaches. The healthcare industry is the one where clearly some of those things they put in to make their services to all of us better are also increasing their risk. Potential security breaches remain uncontained for an average of 279 days, just operating away before the company can get in control of the breach that is happening. Half are malicious or criminal. And 65% of organizations that have been the victim of a data breach say they have yet to recover long after the breach has actually happened. And also there is no formal governance for what's called shadow AI. So that's us using these new consumer AI products for our work and introducing them into our workflows because we of course use them on our smartphones and lots of them are very, very good. But that shadow AI breach problem is growing and that in itself can cost up to a million dollars for each breach that happens. So it's quite a gloomy picture. And just off the back of that, the first poll question we want to ask in today's cybersecurity landscape, who currently holds the strategic advantage? Attackers, I.e. those attempting to breach or defenders? Dimple and Matt, basically you are our defenders. Who's winning in the battle? Dimple, how is the balance looking given those really grim numbers that on our. Maybe on the side of the fence of enterprise, that is the businesses themselves, like the human errors that we make at 3 o' clock in the morning.

Mia Sorrenti

Sure.

Kamal Ahmed

Are enterprises thinking carefully enough about what's the security implication of this new piece of productive kit that we can possibly use? Are the attackers or the defenders winning the war?

Dimple Alawalia

You said strategic, so I would say tactically the attackers, strategically the defenders. Look, attacks get publicized. Lots of people feel the impact, all kinds of stuff. It's a little drama that people get to experience. Defenders, we like not to be in the news because that means we're doing a good job for the attackers. They have to get it right once. But the Defenders are using also AI to level the playing field a bit. And so with automated defenses and all those type of things, I think long term, the defenders have the strategic advantage because it enables us to look at really being able to secure organizations and manage cyber risk better without losing speed.

Kamal Ahmed

Defenders strategically. Matt, is that your sense from Lloyds bank side of the fence that you obviously will be under? You know, all enterprises are under constant attack?

Matt Rowe

Possibly, yeah. I do agree. And going back to your first data point, why is that true? Because it's actually really hard to do a good job of security. You know, it's expensive, it requires expertise, things that are not available to every enterprise. Nobody builds a company or deploys a new service or a new product, wanting it to be insecure and hoping it gets hacked. Nobody does that. So the reason that we have the conditions where firms are getting breached is because it's really, really hard and it's asymmetrical. You know, the attackers will just keep trying, will keep trying, will keep trying. They've got fantastic incentives because if they are successful, they get paid or they achieve their sort of broader objectives. And yet the moment we're in now, I do think, is giving strategically giving defenders an advantage because some of the capabilities that are becoming available to us, they're actually really well disposed to helping us solve these hard problems. Cybersecurity is a big data problem. AI and machine learning is really well disposed to solving big data problems. And on the defender side, we've got home field advantage. We know our environment. We can use AI to really illuminate any security flaws and close them and harden it if we, if we do a good job of that dimple.

Kamal Ahmed

I thought it was interesting tactically, in a sense, the attackers. Because there is this sense that fear is part of the attacker's game. So every time there's publicity, people think it's everywhere. Marks and Spencer, British Library, Cooperative Society. You hear a lot of noise and it makes people fearful. And in a way, in an asymmetric battle. And you've sort of almost made the link with. With different types of almost warfare. In an asymmetric battle, the attackers always have that fear as part of their advantage. That's a really interesting point, I think.

Dimple Alawalia

Yeah. I mean, you started us off by asking our 3:00am moment. Right. Like it's the same thing is it's a little bit of instilling that fear and then the urgency that we all feel when we think that something needs to happen. Right. And sometimes you don't make those right decisions. But, yeah, Absolutely.

Kamal Ahmed

John, is it surprised you've got the actual figure set? 84% of the people in the room think the attackers are in the lead. Maybe Matt and Dimple, maybe then they've heard you. They may want to change their vote, but who knows? I don't think we can test it at the end, but anyway, we could do that. But John, does that surprise you in terms of the public mood around the technological revolution we're in agentic AI particularly, which is. Which learns and then offers solutions or actually goes away and does new work that you haven't actually directly asked it to do, learns from what it is that you've tasked it with.

John Sopel

I wouldn't put it as negative or positive. I think we're fearful. And I think that you read about, you know, Jaguar Land Rover and what happened there, that they needed a government bailout loan, such was the devastating effect on the company. And you think, wow, everything's insecure. Or you hear that there's been a massive data breach and people have got hold of your personal records. And then there was the nursery where they were going to put up online, you know, the pictures of small kids and their addresses and stuff like that. And I think that that understandably, it feels incredibly personal. And so I understand that people are unbelievably fearful about the consequences of that. And you kind of likened it to warfare. When we hear there has been a terrorist attack in London or in our community, we are scared. What we fail to recognize is how often MI5 and MI6 are actually thwarting an operation. That doesn't make us feel less scared. We only notice when things go wrong. And I think government is acutely aware of that as well. And I think government has all sorts of, you know, is it a state actor? Is it a non state actor? What is the motivation of this? And you raised a really interesting question about all of this is, you know, it's almost like warfare. Well, what happens if you take down some piece of critical infrastructure and you identify that as being a state actor, a Russia, a China, a North Korea, Iran, where, you know, you have, there is high capability and maybe a willingness to do this. When is it war? Because there is a point presumably where if you shut down the water supply or you shut down the electricity grid, it is.

Kamal Ahmed

John, as soon as you delve into this subject, I always find you are so astonished by the importance of the debate. It seems surprising in our world, the media world, that it's not, it's not sort of front and center of a lot of the coverage of the media in terms of what is important and what will be looked back on in 20 years time as one of the most important issues of the era we're living in now. John, as a political expert, we are in a situation when we have a very noisy possible horse race between the challenges to Keir Starmer and what might happen there. And will we have the same Prime Minister in six months time or in a year's time? Whatever, whatever, whatever. You asked yourself the question, which I thought was a very smart way of pushing it, which was how many newsagent episodes of the past three months, six months have been about AI, intelligence and security risk and how many have been about the horse race of politics?

John Sopel

I'm almost ashamed to give the answer to this room because the fact of the matter is that daily. Oh my God, is Starmer done for now? Is wage treating really going to go for it? You know, that breathless sort of political analysis and what's driving it and you know, what's motivating the different political forces or the latest thing that Donald Trump has posted about annihilating a civilization in a night, you know, destroying Iran, that does really well for us. And you do an episode which is, is AI going to do X, Y or Z and we get the data back the next day doesn't do so well now it should do because AI is changing the way we're going to live. AI for 18 year olds or 21 year olds coming out of school or university is going to change the availability of jobs in nearly every area of our lives. AI is upending it and I think there is an asymmetry between what is froth and what really matters. This is like a, I feel I'm coming a confession box admitting the shortcomings of my trade, but I think it's absolutely true and I'm glad that we're having this conversation tonight because I think that the, the implications are massive and the implications for public policy, for governance, for democracy. And it's not just about companies bottom lines. Although if you're M and S and you're the cooperative society, you've seen the costs. Yeah, you've seen the costs which are massive. And I read some statistic that, you know, SMEs, if they don't have insurance against a hack or a Cyber attack, then 60% of them go under. That's part of the supply chain. They may not be the size of jlr Jaguar Land Rover, but if they were supplying parts to Jaguar Land Rover and they go under because they didn't have, you know, they're not alloyds where they can't spend the same amount of money on cybersecurity. And these are real world influences and things that are happening now.

Kamal Ahmed

Matt, can I bring you in? So John raised a very interesting point around significant nationally important infrastructure. And the banking system obviously is one of those sectors. How do you approach it with that knowledge and how much is a partnership with others? It shouldn't. And maybe it can't be all down to just what Lloyds bank does. There has to be a process, a system, your partners in the financial services, the government, the regulators, and then maybe just to push a little bit. Again, what John has raised, you are, I think, the biggest SME bank for the uk. It's quite an interesting point that John makes that one of their resilience issues when you are supporting them on their growth, et cetera, et cetera could well be cybersecurity. But just on that first point, national resilience and how we should approach that.

Matt Rowe

Yeah, so I'll say something on each on that point. Yeah, that's the mission. So the way that we think about it, protecting Lodz Banking Group is protecting UK economy, which is protecting UK society. There's a straight line all the way through. So that is like a higher order thing. That's why we take this stuff really seriously and we need to do a brilliant job of it every day. So that absolutely is how we think about this work and it connects to what John was saying. This is a really big deal. It's a really big deal. And it's, it's the thing that, you know, successes, people, people don't notice to your wider point. And, and absolutely we need the whole ecosystem to be secure. And that is where it gets more complicated because of different economic models, different resource profiles, the availability of expertise. So we're thinking really hard, working with government, the National Cyber Security center, the national center for Resilience, to work out how do you raise standards right across the board and how do you empower organizations to raise standards based on their business model? Because not everybody can and not everybody should do it like a large enterprise. And I just connect it to the thing we were talking about before. We're in a really interesting moment where it's extremely volatile. The world is extremely volatile with the pace of change, geopolitics, technology development. And at the same time we have suddenly been been given these, these tools that actually can democratize really effective security if, if we do a good job of it. So we, we see that we have a role in that for sure.

Kamal Ahmed

Dimple just as an expert, 20 plus years in cybersecurity. When you see a Jaguar Land Rover, British Library, Marks and Spencer. What lessons do IBM's partners take from that around cyber resilience and preparedness or there's a cost of doing business and these things happen and we just need to kind of keep playing on. Because I find sometimes when you're talking about cybersecurity, it's one of those slight at the board level. Slight, not Cinderella would be too pejorative and negative. But it's not the big sexy shiny thing. What you're not doing is, you know, you're defending so you haven't got. It's not the big new product, the big new brand campaign, the big new thing for the bottom line. It's cybersecurity. It's the stuff that has to happen every day. Relentlessly Just wondered what your response is when you see the headlines.

Dimple Alawalia

Cyber was definitely seen as, as a cost of doing business in the past. Perhaps it's the optimist in me, but I do see a shift in that more senior leaders are starting to recognize it as a business enabler. You know, I kind of use the, the analogy. IBM has been doing a lot of stuff with Ferrari recently, so cars are on my mind. Seat belts were introduced, you know, in the early days. It allowed people to go faster. And I kind of equate that to, to cyber in that businesses as they're venturing into new growth areas, whether that's products, services, whether it's new geographies, expansion, mergers, acquisitions, whatever, they've started to recognize one, that they can do that with a little bit more peace of mind and security, if security is built in, I think from all of these incidents. We were just talking a minute ago about how attackers have been able to instill fear by publicized. I'd like to say that there's always a takeaway lesson that's learned and hopefully others take note of that when these things happen. Because all of these incidents have taught us about the importance of resiliency. That means anticipate that there will be some sort of a flaw and that flaw will get exploited and prepare a plan for it. Practice it, practice it, and practice it and practice it. So you build a muscle memory, right, and then figure out how you're going to manage one of the most important things that organizations have to deal with, which is how do you maintain the trust of your stakeholders. When we hear about the JLRs, we hear about the MNSS and all those. It's a little bit of how do you take those moments and apply them for learning, for improvement, for growth. Then the other thing part of it, I would say is none of us work alone as organizations. It's a little bit of that conversation also that needs to happen between partners to make sure that your partners are taking security just as seriously as your organization is attempting to do. Right. So making sure that there's clarity around who your, who your businesses are dependent on as partners and how you, how you manage those relationships, particularly from a security standpoint.

Matt Rowe

Can I just add one point? And we've talked quite a few times about breached organizations so far tonight. And I do think that we've got to be careful about victim shaming because it is hard to do a good job of this. And at the end of the day, the problem is that the attackers are able to get away with this. If I wander home tonight and I get mugged, this room won't spend the next six months talking about how Matt Rose an idiot for getting mugged. Probably depending on the circumstances, you know, the conversation would more likely be about safety, would be about law enforcement, would be about, you know, lighting the way that actually crime has been allowed to grow in certain categories in certain areas. And I do think we need to flip the conversation a little bit, which goes to the essence of your question, which is like, actually, how do we make the whole ecosystem more safe by design?

Dimple Alawalia

Correct.

Matt Rowe

And that's not about a firm that gets breached, it's about the whole system.

Kamal Ahmed

This is very hard work. And so many chief executives, particularly of global enterprises, even at the table stakes issue of do all their data sets, are they able to speak to each other? All these stats that may have come from different companies during takeover situations, during joint ventures. I remember speaking Stephen Hester many years ago when he was the sort of rescue CEO for RBS, saying to me in an interview that RBS's computer systems, Royal bank of Scotland's computer systems were like a massive plate of sort of slightly moldering spaghetti, just all different. You couldn't unravel them. It was impossible to understand. It didn't even know the information. It didn't know about its business under previous leadership. And of course, the financial crisis revealed how little the banks knew about their actual jobs. And that is still extant. We're nearly 20 years on from the financial crisis. This is not about banking. But for so many organizations, they don't have a clean data stack that can speak across geographies, across different divisions. And that has got to be the start of the hard yards is that cleansing of what is the ability of our data system to speak to each other.

Dimple Alawalia

You mentioned about companies and how certainly large companies with complex environments, many organizations who've been in business for a while, they don't have the advantage of the startup world. They have some advantages comparatively, but nonetheless these are messy environments. So not only do the data sets sometimes don't talk to each other, part of it is also some systems can't and shouldn't be upgraded on a rapid path. Right. We've been talking about, or at least the conversation so far has been more around traditional IT environments. You've got systems, operating systems, applications, databases and all that kind of stuff. I think conversation gets even a little bit more interesting when you think about operational technology. It's things that we don't think much about but until those moments of crisis when the water supply is in there, when a transit system is crippled, things that we all rely on as, as society. So I think certainly there's more attention around it. The resilience part, I think it is a we in cyber like to look at cyber as a team sport and that's why I was mentioning even the importance of knowing what your partners are doing and such. So I think in these cases it's. I'm going to go back to my, my earlier point about devising a plan for those moments and, and just like you would, and exercising those muscles and. And I think we need to do a far better job as defenders to talk about the positive aspects of it. Right. So you made a great point. I love the analogy about, well, I hope you reach home safely. But I think you make a great point. It's that so much of the focus is on, well, what didn't that company do? They put us at risk. I don't know how many letters I get that say, your data has been compromised. So, sorry, we'll provide you a monitoring service. And that's lovely because I will be monitored till, you know, I'm well into my senior years here. But I think we have to also start looking at learning, at applying, at sharing without that risk of, well, is

Kamal Ahmed

that hard to do? Because we're in places of high security, Matt. We're in, you know, a competitive environment. We also have to be very careful about the data we own. So that sharing bit is actually, can be hard work when there are, you know, many, many different themes at play around how you do share and then maybe even externally publicly share. This is what we did.

Dimple Alawalia

Yeah, look, there are lot lots of reasons where people tend to shy away from it, Certainly public perception and trust, which is important for anyone as individuals or organizations to maintain. There's the regulatory aspect. When regulations get defined, it seems logical. It's in the interest of everybody. But like Matt was saying, this is hard stuff. And when you start putting what are the penalties associated with some of these things, people have a tendency not to share. And I think that's a true shame because we only improve if we learn with each other, from each other and then collectively strengthen the defenses. Because as one organization does their bit, the other one also benefits from it, particularly in this interdependent society that we live in.

Kamal Ahmed

John, American politics, uk, European politics. Just in your time in America, was there a more expert engagement? Did you get ever get a sense in these type of issues we're talking about here, not just maybe cyber security, but the broader issues around AI. Obviously America and China are in the lead on the debate, and in America that is a debate run largely by a handful of very large businesses in the political system. Were there any differences or things that we could learn from America or vice versa? I just wondered if you felt there was a difference between how America politically approached some of these issues and the UK and did you feel more comfortable talking about some of these issues? Whether or not you can get on the news agents is a different matter in the UK than maybe you did when you were in America.

John Sopel

Well, the one obvious point to make, and it kind of may seem weird one to make, is nationalism and economic nationalism. I mean, I was out there when the US government was banning Huawei from anything to do with any American government company. And the idea that the British government, when I think it was Theresa May, was the Prime Minister and Huawei was going to be kind of part of the 5G infrastructure and working with BT to install kind of cables and everything else. And the American government was going mad about it. I mean, really furious about it. It's kind of like the NATO debate now, but it was about AI, it was about the technology companies of China and whether they should be able to get any kind of foothold. And the argument was always presented in America that this was about national security. It was never presented in the way, or might it just be a bit of protectionism? I mean, in the same way I remember, I think it was the in Dubai, the port authority was going to buy a port in Baltimore and they were absolutely banned from doing that because we couldn't have an Arab country running a port in America on national Security grounds, that was scotched. And so the big difference there.

Kamal Ahmed

Did you feel that was right, John? Do you think that that was actually true or was this cover for a political argument?

John Sopel

I think it was. Well, I think there was a bit of both. I think there was, you know, there was uncertainty over what China was capable of doing with spyware and all the rest of it, therefore, why take the risk? But I also think it was about championing American companies. And if you look now at the race that's going on, and I think it's really fascinating what's happening and maybe we can talk about this a tiny bit is with Mythos, the anthropic kind of AI model that the owners have declared is so powerful and so terrifying they're not going to release it to the public. And I'm thinking is that good marketing or is this, you know, everyone will want anthropom, you know, mythos when it comes out? Or is this real? And there is now. But what I, you know, further to Matt and Dimple's point, what I understand is happening now, there is now this thing called Project Glasswings going on where certain key banks and insurance companies and vital US Companies are being brought in by Anthropic to look at it. And in your defender attacker paradigm, I think that there is a thought that this could give an. I'm wading way out of my depth here and I'm going to leave it to you to talk about the reality of the technology of this. But actually it is so effective as a tool in identifying, you know, security weaknesses in a company's cybersecurity net setup that it will be an incredibly powerful tool for the defenders in future because

Kamal Ahmed

they say they, they this be the suggestion Anthropic made, the suggestion that, you know, they were finding breach capabilities that were that sort of laid dormant for like 26 years.

John Sopel

Exactly.

Kamal Ahmed

We're just sitting there waiting for this new hyper powered system to be able to sort that out on the defender side. But impor how, you know, Fortune, we talk always to chief executives. How are they supposed to make sense of this point that a handful of companies, and broadly four American chief executives and one UK founder of DeepMind, Demis Hassabis, are making decisions on my ability to keep my company safe and whether they even give it to me. How are boards and C suite executives supposed to make sense of how to do the governance, the structures, when. And we haven't even gotten to quantum yet. As John says, companies like Anthropic and the others are making These types of announcements.

Dimple Alawalia

Yeah, look, I think Anthropic has done a fabulous job of marketing. I will, you know, as having been in marketing in one time of my profession, I have to admire what they've been able to accomplish. It's like capturing the imagination of the world in many cases. The way Anthropic is not the only frontier model that is is available. And I think people have a tendency to think, well, do you have Anthropic? How do I get anthropic? And it kind of focuses the conversation in a different area than it should. I would say, John, to what you just said, I think the future is now in terms of can defenders use it? When I was talking about what an offering leader is, is what's around the corner, it wasn't out of the realm of possibility or science fiction that something like this could happen. And so one of the things that, you know, I had the fortune of working with colleagues, not only within IBM, but our strategic partners, our strategic clients, is anticipating forward and developing what we're looking at as autonomous security. So just like frontier models have identified the ability to identify those decades old vulnerabilities that have existed perhaps in systems that couldn't be updated or weren't updated for various reasons, similarly, we're looking at how do you apply that to automate defenses? Right. So if something is going to move at the speed of AI to attack, the defenders have to do the same. And Matt and I were talking about that a little bit earlier. So what we've been talking to clients since this whole Mythos thing. It's been a fabulous way to have that conversation with different stakeholders at a board level, at a C suite level and really talking about how do you look at data, data that they're using today to monetize because of the value it provides and it's proprietary and it provides intelligence and all that kind of stuff is how do you protect it and how do you protect it at all stages and how do you do it with speed? That's the second part. Because perception for security is when I started my career in security, I used to get a whole lot of eyes rolling in the back of the head like, oh, you're one of them. You're going to tell me thou shall not. And we were kind of like, you

Kamal Ahmed

were seen as a blocker.

Dimple Alawalia

I was a blocker, right. Like, what are you going to tell me that I can't do? And now it's about, yeah, use AI. Let us tell you what the use cases are that you should be doing so intentionally. Where is your data traveling to be more knowledgeable about that? Who has access to it, for what purpose, how are you going to manage it? And then on the defense side of it is how are you going to protect it? Right. So once you know your crown jewels are things that your company absolutely requires to function, how are you going to protect it? And then that's where we've been introducing more autonomous security. That's a rapidly evolving area where within it feels like the last three weeks of my life are probably three years literally. I mean it's been that rapid around adoption and really bringing together better visibility into the organization with thank you, frontier models. But then also how do you assess what the risk associated with it is? How do you protect and protect where it's reflective of the risk that you're willing to take with that type of data? Right. And so automating all these different parts of organizations where we tended to work in silos. So one team is looking at your identities, one team is looking at responding to threats, one team is looking at your cloud footprint and all the workloads and being able to pull that information together. And of course with the appropriate guardrails, being able to automate where things should be and maintaining human in the loop where they can't be. That's really been the conversation with CEOs of late is not to suggest don't look at using for the benefit, but really how do you do it? With my seat belt analogy, I talked

Kamal Ahmed

about shadow AI at the beginning of this, which is that people will be using in their everyday life things that they are told is going to help you clear up your calendar, give these new agentic AI models access to your systems. And it acts like you've got your own ea, you've got your own support staff, you've got your own team and you go into work and you've got this thing working away and you think, I'll just stick it into my work emails and into my work calendar because of course I need to align, you know, my meeting with XYZ and pick up the dry cleaning and I've got to, you know, pick up Anna from whatever in the evening, my kids or whatever it might be. When we talk about shadow AI, how would you say that we should be thinking about it? Because some of us may already be behaving like that. I don't know. But also, how do businesses approach, how does Lloyds bank approach the fact that on here a lot of your teams can have systems constantly encouraging them to Say have your own support staff.

Matt Rowe

The main response is to like shadow AI is a risk. Let's just ground that it's absolutely a risk and therefore pay attention to it. The main response from, from our perspective is to give people the most brilliant experiences through their work technology. So we've touched on it a little bit but classically the security organization would be the Ministry of no, we'd like rate limit, everything was a problem and put in friction and blocks and frankly just force users off your organization's technology and sort of force them onto that kind of shadow construct. So our job is to enable brilliant safe experiences on work technology so you can have your kind of Billy basic AI running on your own tech. But if you want the real stuff then you'll use your work technology to get the job done. And our approach in LBG is that you can do the stuff that you need to do for your home life through your work technology. And that's a complete inversion of how we used to operate because that's the way to.

Kamal Ahmed

That's very good for Lloyds Bank. I get that. But to John's point, not every business is going to be able to operate at this type of scale that you can operate and with the expertise that you can operate with.

Matt Rowe

Thank you very much. But let me just connect it to what we were just talking about and what I will say on the latest frontier models. They are the most powerful AI models and tools that we've ever had. They are the least powerful they will ever be. Okay, so there is a lot of high five to anthropic for the marketing job. It is fantastic marketing and it's real. And the important thing is not whether you've got access to Mythos, yes or no. It's a data point on a trend line because the ability for models to do this is only going to become more efficient, effective and faster. So why do I say all of that? We've got to meet the moment, we have got to use these capabilities for defender advantage. And the thing that you said is like the purview of a large enterprise. We have to democratize it. We have to ensure that these capabilities can be put into the good guys hands with the appropriate safety guardrails so that we kind of mitigate these set of really structural risks that will otherwise exist. Go back to what John was talking about. And that needs to be a whole of society conversation needs to involve public policy, it needs to involve regulation, it needs to involve the business ecosystem traveling together. And it's a conversation that we're kind of not having because we're distracted by, I don't know, whatever happens this morning. But this is the really big shift we're living through.

Kamal Ahmed

I wonder, John, we've just seen the answers there to the questions. I wonder whether that is actually reflecting in the audience. Do all three. That is, we can't really choose between all three of those. We should be doing them all. John, is there hope that because it's gone consumer, ChatGPT changed the way it was discussed? So I think, and I think that's a gain that suddenly there was something that touched the public in a really major way. Do you have a degree of optimism that obviously we are doing events like this for this very reason, but that we will have that conversation and that people will really start to focus on the opportunities as well as the risks of this subject?

John Sopel

I think it's really interesting the speed with which it's very easy to mock Trump and all the rest of it, but there are bits of what they're doing in America where they have woken up to the power of this stuff and the way that it can upend society without thinking carefully about what the implications of this technology is and what it can do and how it's going to change people's lives. And I think that conversation is taking place in America now. So it's not just kind of the wild west of these five tech bros who are trying to, you know, be. Be the first squillionaire, although there are elements of that undoubtedly taking place in America. So I think the conversation is taking place. You know, is our legislation keeping pace with the technology? Nowhere near. But I think that there is a growing awareness of people in government that are working pretty well on this stuff. I mean, I think in Europe they're much more alive to the dangers. And I think in Europe there is a risk of perhaps being left behind by your, by the limitations of what you're saying AI companies can do and kind of layering it with additional responsibilities, which of course you're not getting in America. And I've, you know, not for the first time in history, Britain is somewhere in between, although potentially closer to America in the way that it's looking at AI. But, you know, I was with the other week, a former head of gchq and he was talking about, you know, the things that he's really alarmed about. Yeah, we can keep the focus narrow on companies and their bottom lines and, you know, interruption to supply lines, you know, but they're really worried about misinformation campaigns on a Massive scale. You know where you have got foreign governments campaigning in your politics, sowing discontent. You know, there's a lot of that stuff that's already out there and if that becomes better organized, you know, governments are thinking, countries are thinking how can we protect our democracy from attacks like this? And so you know, politicians have to be alert to this stuff because it has gone consumer. But at its biggest scale the disruption potential is epic.

Kamal Ahmed

Dimple just before we come to questions Quantum as well is something that everything is a thousand x just give us some sense of again I must admit I immediately feel a nervousness when I think whatever the problems we have now, try a thousand xing those and see what happens. But Dimple Defender first get give us the reassurance around IBM are at the frontier of quantum development. You're already, you know, you have systems in place and you're already piloting and showing how Quantum can change some of these asymmetries that we're looking at at the moment.

Dimple Alawalia

Yeah, look, I'm excited about the value to society that we're going to see from Quantum. Personally I see about the type of complex problems around particularly related to healthcare and solving for ailments that have or sicknesses that have lasted for a while. On the security side there's a lot of debate organizations initially when I started having this conversation in fact I think my first board conversation was in the London about it and their initial times. Like Dimple we have hundred other things that are more existential risk to us right now. This Quantum thing, the risk related to it, it's five years, we'll get to it. I see that's fair. You have to focus on your immediate concerns. But let's put that into perspective a little bit in terms of the post quantum cryptography and Q Day. So when quantum computing is the use cases can be proven at scale and all that kind of stuff. There's the part about what we call call IBM calls quantum safe and being ready for that Q day put aside whether it's three years, five years, two years doesn't really matter the risk at the moment. So you need to be looking at particularly organizations who have data where the data has a longer lifetime. So 10 years or more. There are a lot of things in our life that have value for that data beyond 10 years. Our national identities and your health care. Like a lot of things. Right. And so couple of things that you're looking at is one of the biggest things that we're looking at advising clients is this notion of harvest now decrypt later. So that essentially means that attackers like there's some sense of security where people say yeah, I know my data, I had loss of data, but it was encrypted. I'm good. Well, with this, just like we've seen with frontier models and their ability to identify vulnerabilities at a rapid pace. Well in this world what you're going to find is that all the protections we have with that encrypted data, they tend to be at risk because harvest now, decrypt later, essentially is that attackers who are already getting our data today, when the quantum computing is available, they will have the ability to decrypt it. And so all of that data that has a shelf life of greater than 10 years is at risk. You can debate now we all know that anyone who's been through any sort of a modernization or transformation program, these are, these programs have a long tail because you have to first of all understand all the areas where your encryption is. You have to understand what's the. So basically take inventory of it, right? Otherwise how are you going to protect. If you don't know about it, then you're looking at having a plan of what am I going to put in place. Crypto agility is a term that we're looking at is so whatever algorithm it is, rather than focusing on that being able to protect the data regardless and having a plan for that and getting stakeholder buy in because it's not a security issue by the way, in the sense that security is not security owned alone. It is a business issue that people across the organization have to look at around the importance of the data. How do you look at updating your systems, updating the encryption models that are protecting that data and so on. That's really been the conversation is before you know it, it's going to be that time. And so start working now and chipping away at the problem. So every time you update to a new server or protection systems, make sure that again talking to your partners, look at what their strategy is so that when you invest in something and you upgrade it slowly, you're chipping away and improving your, your security posture, right? So that you're ready for that time frame. So one is look at what you have and two is as you go about your business on an everyday basis, start addressing the problem set there practical

Kamal Ahmed

for just us as individuals to be thinking about quantum now. Or is that not. You're shaking your head, Matt.

Matt Rowe

No, I don't need. As a consumer. You're a consumer is a commodity.

Dimple Alawalia

Because if you think about as a consumer. We've talked about your personal devices and such. Right. The people who have been and this should give reassurance. The people who have been already addressing this are organizations that are responsible for our critical infrastructure, including telecommunications. Right. So we have those, we have financial services organizations who are already addressing it. So, so there are companies that browsers, web browsers. Right. So as consumers, there's a little bit of an expectation, and rightly so, is that the other companies and organizations will do their bit so that when it comes to the citizens, there's less of that. Like this is look at AI and shadow AI, but quantum computing and protecting.

Kamal Ahmed

So my very rude Whatsapps to John about our bosses are safe for the next 10 years. Thanks so much to Intelligence Squared to IBM. Thank you very much for listening such a great debate and being involved in that debate. Thank you John. Thank you Dimple. Thank you Matt. And safe journeys, everyone. Thank you very much.

UPS Store Announcer

This Father's Day, when you ship UPS Air at the UPS Store, your items arrive on time with your money back guaranteed at no extra cost. It's like the father of all shipping services. It shows up to the airport way too early just to play it safe. It's overprotective about all the things that truly matter. And it's always prompt, especially to be with family. Make it your first choice to celebrate your dad. Ship UPS Air with our money back guarantee exclusively at the UPS Store US retail locations. Visit the upsstore.com airshipping for full details. Terms and conditions apply.

Dimple Alawalia

Have no fear.

Red Bull Summer All Day Play Announcer

Chosen Foods is here to defend your

Dimple Alawalia

favorite foods from the forces of seedy

Red Bull Summer All Day Play Announcer

oils and sketchy ingredients. With cooking oils, salad dressings and mayo,

Dimple Alawalia

all powered by the good fats from 100% pure avocado oil and simple, delicious ingredients. Chosen foods Spring just slid into your DMs. Grab that boho, look for that rooftop

Carrington College Announcer

dinner, those sandals that can keep up

Dimple Alawalia

with you, and hang some string lights to give your patio a glow up. Spring's calling Ross.

Carrington College Announcer

Work your magic. Your next chapter in healthcare starts at Carrington College's School of Nursing in Portland. Join us for our open house on Tuesday, January 13th from 4 to 7pm you'll tour our campus, see live demos, meet instructors and learn about our Associate Degree in Nursing program that prepares you to become a registered nurse. Take the first step toward your nursing career. Save your spot now at Carrington Edu Events. For information on program outcomes, visit carrington. Edu Sci.