B (5:42)

I love the texture that you just added to least privilege. Often people forget that as long as you need it part.

A (5:54)

Right.

B (5:55)

And we've seen that, you know, really show up with these credential thefts. And you Know, the ability to go in and replay sessions and things like that. It really is kind of a limiting factor. And you're right, AI changes everything. So how has the advent or just widespread adoption of AI made this more critical for the business? How should people think about AI as making zero trust an even more important paradigm?

A (6:30)

I was in a conversation earlier this week and I heard someone say, zero trust is dead. And I said, you have the absolute wrong perspective because AI accelerates everything. So zero trust is really going to be critical. I mean, AI accelerates everything. It accelerates innovation and it accelerates attacks. And so if you think about it from the fact that it can accelerate attacks, I want a zero trust infrastructure, which means I want micro segmentation so that if something were to happen, I have the network segmented in the right way. That's for my organization and my culture and my risk tolerance, so that there's constant, there's that word again, access, going into each of the different micro segmented areas. That is going to become really, really important because AI scales massively. It's going to take everything that we know and everything that we love and it can help us scale it faster and quicker than we ever have before. And so when you think about attackers using AI for phishing, to scale phishing, to exploit vulnerabilities, to evade detection, I really want zero trust to help give me the guardrails, the continuous verification, the dynamic access, all of that to make sure I have the right guardrails in place for innovation and guardrails in place to make sure I'm secure from attacks. And so AI adoption will help us not create blind spots. And zero trust, I think is going to help us with that too. So I think zero trust is not dead. I think it's a non negotiable.

B (8:16)

I agree with you. Rumors of its death are greatly exaggerated. It just needs to be a de facto standard. And you make such a great case for it. What do you think though? For an organization that say, yes, I want this, what foundational elements do, do you think that they need to have in place before they can realistically go down this path towards zero trust?

A (8:43)

I get the pleasure of being known as mastercard's cybersecurity futurist, which means none of my answers can be wrong. With that said, when I think about the future, the future I think is going to be based on identity and data. We're going to care about the network, we're going to help, you know, do all the health and health and feeding and maintaining and innovation in the network piece. But the main points are going to be identity and data. And I say that because you start with identity. If you have access to my data and it's not and it's anonymized, then you really don't have access to me or information about me. You just have anonymized data and insights. The other piece of that is the data piece. Data is, is the currency of everything. And so if you think about it from that perspective, the foundational elements have to be situated around your identity and your data, which means you've got to verify access, right? And if you can't verify access, then you can't enforce the trust at the end. I think about, if I think with my today hat on, I'm thinking about phishing resistant mfa. If I think about my future hat, you know, we've got to like continuously move past mfa and it will be. And when I say move past mfa, I mean the traditional mfa, it will be layered. We will really be thinking about biometrics. And not just one biometric, not just a finger, a thumbprint or face id. It will be multiple biometrics because our information is out there. I've got enough, enough identity theft protection to last me until I'm 80, so I don't need that anymore. But you know, knowing and thinking about how I protect my identity and how we protect identities within an organization is going to be a foundational element. We've got to make sure we know our assets. The visibility is critical and it's critical before you protect anything. And so, and I say that because pre AI, we were dealing with shadow it, post AI, we're going to be dealing with shadow IT and shadow AI. So you've got to think about your assets and those foundational elements as well. So I don't want to make this sound like, oh, if all you think about is your identity and all you think about is your data, then you can, you can ignore some of the other things, but you cannot, You've got to. If you think about your identity and you think about your data, it pulls you to, to really think through the network, the device, you know, all of those other areas within zero trust that are equally important.

B (11:34)

You said it so well. And you know, things, things are changing with AI and you're right, this, this shadow AI and you know, people just using it because they see results and it's compelling and geez, they have a personal ChatGPT subscription, so why not. And you know, let's just bring it into my work environment and work Culture. Given all of this, what unique challenges have you faced when implementing Zero Trust at scale? Like I think about MasterCard and the scale is unfathomable. How do you, what are some of the biggest things that you've run into?

A (12:14)

MasterCard, we operate in 210 countries and territories all around the world. We are doing billions and billions of transactions every year. And so when you think about something or security that has to scale, we really, there's a lot of complexity there. We have cloud, we have on prem, we've got third party integrations. That list goes on and on. So it's a very highly multifaceted environment, very complex. But we have I think the biggest challenge which is making sure interoperability happens. Right. Even though we're such a large organization and I think a very, very mature organization, we have to continuously make sure that no matter what lever we pull on this Zero Trust journey, the identity, the device and the network all talk to each other and that interoperability continues to happen and continues to happen with a good experience. Because if you don't let it happen, if you, if you create a bad experience with Zero Trust, you'll have more shadow it and more shadow AI and you'll have, you know, bigger problems. So we've learned to scale and scaling demands automation and it demands strong governance. And if you think about it from that perspective, how much can I automate and how much can I make sure I have the right governance structure around that? Then you're well on your way. I will tell you we cannot run down this journey of Zero Trust and forget about the basics though, because AI is going to really hold a mirror up to your face. My daughter does it every morning. She holds a mirror up and she's like, where'd that bump come from? That's what AI is going to do. It's going to hold a mirror up to your face. You're going to and it's going to tell you and really expose all of the holes in your network. Well, not all, but you know, just for the sake of this argument, your vulnerabilities more than you thought. It will really shine a light on your bad practices and bad habits. Because just like we want Zero Trust to scale, just like we want adoption to scale, well, the threats are scaling as well. The, the bad part and I was having a conversation, like I said earlier this week and we were calling it Dark AI Dark AI scales as well. So you've got to make sure that when you're thinking about those unique challenges of implementing Zero Trust at scale, that you're not deterred, that you start with automation. And if you start with automation, to be honest with you, then you kind of well on your way and can now really step gingerly through the rest of the journey.

B (15:03)

You know, I'm just imagining putting myself in the seat of, I want to do it, I want to implement Zero trust. And I have this lofty goal at the end of feeling like I've got this continuous validation, you know, I've got my identities in check, I know where my data is, I've got AI under control. What do you encourage people to look at as markers of progress? Like, how do I know that today that I'm better than I was yesterday? Because you described it as a journey, which I think is a really, really great way to think about it. How do you know you're making progress on the journey?

A (15:47)

We use a formal maturity model that's based on zero trust pillars of identity, device, network, apps and data. And on that journey, we score ourselves and say whether we're traditional, whether or all the way up to optimal. In certain areas we want to be optimal, certain areas we want to be on the journey to optimal. And, you know, you pull those levers based on your needs. I want to, I want to make sure I, I note that it is a journey, it is not an endpoint, right? There is no time that you should, that you're going to look up and say, I'm done. Because let me tell you a story. I started the Zero Trust Maturity framework project at MasterCard six years ago. I'm the executive sponsor for Zero Trust in our organization. And so probably last year I said, oh my goodness, when am I going to be done talking about Zero Trust? When am I going to be finished with this whole journey? And guess what? We did another assessment this year and my team said, the goalpost has moved. And I said, no, the goalpost hasn't moved. We have evolved. When we started six years ago, we didn't have AI in, you know, users using AI. We were using it in the background for fraud and threat modeling and things like that, but we didn't have it in our infrastructure. Every day, people wanting to, you know, really wanting to dig in and use it and play with it and things like that. So the goalpost hasn't changed. Technology evolves. And so as technology evolves, those pillars may stay the same, but the way you, the way you assess and measure progress, you may have to relook at your milestones to show what was optimal yesterday is not optimal today. I tell my husband, yesterday's price ain't today's price when I want to buy a new pair of shoes. So it's the same thing that, that it's a journey. It is a trust model that is actually maturing and continues to evolve. And so I look at faster response times, I look at real time anomaly detection. Those are things that tell us that we're moving in the right direction. But even those things ebb and flow as things become more accessible to us. So right now we're talking about AI, but what happens in the next few years when we're talking about AI and quantum? Because the power and scale and speed of Quantum married with AI. My goodness, that is going to really, if you don't have, have, if you have not started the Zero Trust journey, if you have not wrapped up the basics, man, you're really going to have a hard fight to fight.

B (18:29)

That's a good way and it's sobering way to put it. And you know, I can remember, and I'm sure you've had conversations like this too, years ago, talking to board members in general and them almost thinking about security itself as a finite project, like, hey, we're going to secure our systems and when, hey, are you guys done with that? Did you do that? Did you already secure it? And obviously everybody that's in security understands that it's continuous, you'll have to do it forever. You've got an active adversary, all of it. And I love you linking Zero Trust with it the same way that it is going to be a continuous journey. It's not like, oh great, we started the project X years ago, X months ago and we're going to be done by December 15th. It doesn't take the form of something like that. And it's good to hear you articulate that. And I'm wondering just on AI, and you talked about it a couple of times already, it's such a potential accelerant for the business, potential accelerant for cyber. And there's so many startups and companies that are coming into the space and offering AI assistance and all these different areas of cyber attackers are using it. They're getting better. How do you see AI help accelerate things like decision making or automation? Inside this context of Zero Trust, are there ways that AI can be used to accelerate that Zero Trust journey?

A (20:20)

Yeah, I think AI is going to help detect anomalies faster and automate responses much quicker. And I put that in the context of Zero Trust because when you think about how AI is going to amplify both sides, offense and defense. Adversary is using AI to get in. And I need to use AI to power and bolster up zero trust. My defenses, my anomaly detection, my autonomous responses, if I can. And maybe we'll hit on that a little bit to help make sure that I continuously stay on the zero trust journey. Because AI can be used to bypass traditional controls and mimic trusted behavior. And so I want AI on the other side, on my side to be able to bolster advanced controls. Right. And to ensure and reverify my trusts that I have in intact already. So it now includes AI governance. I think zero trust is going to now really have to double down into AI governance. Monitoring what models do and who they interact with is going to be really, really important. So what, we treat AI as a part of the attack surface, not just a magic bullet, right? If I think about it from an opportunity and a risk perspective, you know, you have to think from the perspective of where were we? I talk a lot about this. Pre AI and post AI. Pre AI, the adversary still had a help desk. If you didn't, if the malware didn't work, here's the 1-800-number to call. And it's a help desk to help you get the malware working so that you can use it to your benefit. So if I think about it from that perspective, from a, from a risk perspective, my goodness, the fact that they are now able to use AI with the level of sophistication that it has, without the level of risk that I have, without the guardrails that I have to abide by, without the regulation, I can't fight that on my own. I have to fight that with AI. And now I turn my head and think about the opportunity. And I tease this a little bit as the mastercard cyber security futurist, the opportunity is vast. So I think the future of AI is really AI Personas working on your behalf. Like, I really believe some years from now, hopefully I will not have retired. Hopefully this will send me into retirement. But the both of us will be sitting on a beach and our AI Persona will be doing all of our work for us because we've programmed it and tuned it to do everything we need it to do. AI can will easily replace a lot of the thinking tasks. And don't think of the AI that we have now, because the AI that we have now is the worst we will ever have. Can you imagine that? AI that now is the worst you will ever have? And I am astounded. Many times when I'm using AI to do certain things. When we use it within MasterCard, when we look at it for fraud protection, when we look at it for fraud prevention, because that's what we're looking. That's what we're using it for now to prevent fraud. I am astounded at what we are able to find and what we're able to do. So if I'm astounded now, think about man, what the future holds so that there's a lot of opportunity there. That means I can work 24 by 7, because I won't be working. It'll be my AI Persona working on my behalf, closing deals, making decisions, analyzing data, all of that on my behalf. A cyclical a 24 by 7. Dr. J. My husband hates the sound of that, but I think it's a great idea.

B (24:23)

I love it. I love it. That's. That's great. And I mean, that's such a great way for somebody to think about it. Don't think about the AI you have right now because it's the worst AI you'll ever have. It's only going to get better from here. How do you get everybody else on the journey with you? Like, the vision you paint is so clear. And what I've noticed about how you describe it is you don't use any technical jargon. You're talking to somebody and you can relate to, you know, a board member. You can relate to anybody in a company as well as somebody that's incredibly technical. This is something I've seen so many times that folks that are very technically proficient, almost like either hide behind jargon or can't translate the jargon into words that matter. How do you bring people along this journey with you without overwhelming with all the technical terms and jargon? And now we're going to put ZTNA here and, you know, here's how we're going to do model integrity over here. And you just kind of lose people. How do you, how would you coach people on that?

A (25:40)

I think it is a skill. Before we talked about my current role, my previous role, I was the Deputy CIO for President Obama. So, you know, making things very plain for people who weren't heavily technical and President Obama was, is actually quite technical. Making sure the message gets across all around to all stakeholders. It is, it is definitely a skill, but I think it's something that we have to take ownership of and we have to do, because cyber security as it grows is not just the company's responsibility, it is every person's responsibility. And they have to understand what, what those connections are. So when I talk about zero trust principles to AI and how that goes together, I tell people, treat AI as if it's an identity. It needs to authenticate, it needs authorization. You need to make sure that it has accountability at every step. You need to make sure that AI and the models have least privilege. And when I sit, when I say it in those terms, people are like, oh yeah, okay, if I treat AI in those models as if they are an entirely new identity and add those things, no more long lived credentials, right? We don't want people to have long lived credentials. So why would you have an AI model with long lived credentials or orphaned agents when we're getting into this agentic cycle? Those are ticking time bombs, right? And so we have to make sure that the decisions that we make, the actions that we're taking with zero trust, that people understand how it applies to AI. And the way I do that is by telling people, you treat AI like you treat any other identity and you will probably be well placed in the journey.

B (27:28)

I can't miss the opportunity to ask you this. I mean, I think about the scale of MasterCard. I use a MasterCard all the time. My family does, my parents do, for example. We've been in this dilemma forever of striking the balance between security and, and usability. And especially when you're thinking about a high trust environment like financial services, from employees all the way down to customers. How do you think about that? Because the attackers are so good and you mentioned the help desk example, they're so good at manipulating people and AI will only help to scale that. How do you counsel people? Here's the way to think about integrating security. But you can't take your eye off the ball of what it's going to do to the usability on the other side.

A (28:33)

It is, it's a hard problem because if you make security clunky, then no one's going to, then your operation is not going to be secure because people are, they're just not going to do it. They're, they're not going to abide by the, the governance structure, the, the rules that you put in place. And I think, you know, you think about misconfigurations and you think about shadow AI or shadow it. This happens because a lot of times people want to work around or they don't know the process. So you've got to kind of make it easy. I think within MasterCard we look at it as our responsibility to stop fraud before it happens, our responsibility to make it make security Easy for our customers, for our stakeholders, for those who are working with us, and understandable so that they are on this journey. We're all on this journey together. We're in an arms race. We're all on this journey together. And that even goes to some of the thought leadership sessions that I have. And I talked to seniors, I talk to my kids, I talk to, you know, young school kids and making sure that everyone understands what their responsibility is. And I kind of look at it, at it as a rite of passage. You want this information, you want this device. You want to have the autonomy to do things and not be afraid? Well, you want the autonomy to do things and not be afraid, then you have to have the right cybersecurity principles in you, in your DNA, so that you know, if you get a, a, a smishing message, a text message that has a link, you know, not to click if you see a, a FaceTime, because I think this is the future as well. FaceTime is going to come in and they're going to say, hi, I'm Alyssa from XYZ Bank. We've decided that we're offering our customers $20. $20 and all. That's all I need to help secure your entire banking profile. People like my mom would be like, that's a great idea. $20. I've got $20. It won't be. I need 50,000 Bitcoin. It won't. It will be. I'm a help desk person. Somebody who you can't, who you can't verify. I'm a help desk person. Give me $20 and I'm going to do this thing for you and you're going to say, that's a great idea. Here's my $20. Think about that. I'm in Washington D.C. right now. Think about it. If half the people in Washington D.C. did that, then I could, I would retire, right? If I, if I had a deep fake that did that, I would retire because so many people would fall for that. The bar of entry is getting lower and lower and lower for, for the adversary and people who want to try to break into things. Just like the bar of entry for acceptance and understanding is getting lower and lower and lower too. The bar of entry to be attacked is getting lower and lower and lower too. So as you're thinking about AI lowering the bar of entry, it's lowering the bar of entry in all areas. And we have to make it cons, we have to make security, cyber security consumable in all of those different areas so that all of Your stakeholders understand what's at stakeholders.

B (31:56)

That is a great direction to kind of give folks. How do you make it easier for every single person? How do you make it more intuitive? I just am curious about your experience, but I'm thinking about the first time that Apple introduced in the iPhone Touch ID and it was one of the few examples that I could point to when I was a professor at Columbia teaching computer security. You get into this security usability trade off, like you have to talk about it because it's a real thing. Most of the time it really is a trade off. But that's one of the few examples I could point to where for a lot of the population they could actually increase usability because they can now just put their thumb on this phone and get in and not type their passcode anymore. And they've increased their security because some of them may have not even had a passcode before because they don't want to go through the problem of typing in it. But those examples seem so rare, so uncommon that both increase at the same time. And I'm just curious, do you see us evolving even as an industry and the types of controls that come in that we really will get to a place where people will just naturally be more secure. Like there's usability and people are going to be able to do intuitive things, but behind the scenes we're going to help secure it in a way that's just frictionless to them.

A (33:41)

I think there will be a balance. It will definitely help. AI is going to help us accelerate decision making. I think when you think about it from a security perspective, we are going to move to be more proactive than reactive because. And this has evolved because one of the things we used to say a lot of times in the White House is it doesn't matter unless it had, you know, unless it happens on the Wall Street Journal or the Washington Post because everything was so reactive. There were many times where we can't be reactive. We can't be reactive. We have to be proactive. And that's just an evolution of where we were with technology and everything at that time was very reactive kind of culture. When I think about now, we enough everyday people have had identity theft instances or have been breached that now everybody recognizes you've got to be proactive. Before it was, oh, this is a business thing. This is the. They're only attacking the big businesses, they're not attacking me. You know, you would hear about those very, very, very small amounts. So which made us reactive when we heard about it. You know on the small amount. But now I think we've heard about it so much and like, I think I started out this earlier saying I've got enough identity theft protection till I'm 80, I don't need any more that I think I shared this, that same sentiment with that that a lot of people share with. Got to be more proactive. And so AI is going to help us do that. AI is going to help us flag anomalies so that we can be more active, we can adjust dynamically. So we're doing that right now in the business, right? We're doing that now from a business perspective. My before I thought things that happen, consumer enablement and engagement happens first. Like mass adoption happens first, of course, mass adoption of AI. We've been using AI and MasterCard for the past, probably two decades for fraud prevention, fraud protection. It wasn't a buzzword until mass adoption, mainstream adoption, right From a everyday people level, I think the benefit of AI in cybersecurity is going to flip. The mass adoption and the way we're using it now will eventually trickle to the consumer level and regular everyday people. The AI having the AI flag and anomalies, having the AI adjust dynamically to malware, to threats, to be able to deter things. We're using AI now within big businesses that will somehow make its way to something that's smaller, that's more consumable for the everyday person to have that embedded with on their devices. Some type of AI that can adjust dynamically, that can, I mean, we, we've got automation right now that can block, you know, and things that can block spam. I'm talking about going further than that. You know, I think, I think there's going to be a balance between the reactive still and the proactive. But I think no matter what, we will still have human in command, we will still have human oversight at some point. We just now have to grapple with. And as we think about AI in the future, at what point do we want the human in command? How much autonomy do you want AI to have? Because AI is a tool, but it's not a free pass. So when I say that, I mean it's a tool. And when it doesn't work, it's not AI's fault. It's going to be whoever designed, whoever implement, you know, whoever didn't do their due diligence. We're going to be pointing to fingers. So it's a tool, not a free pass. So you still have to have the human oversight and the human in command. We just need to figure out where is that human in command evolution going to take place and how quickly will we start turning things over. And that's why I think the zero trust framework is so important, because as you start turning things over and giving it more autonomy, then you have the zero trust framework that says, wait a minute, I've got. I'm doing the right things with identities, I'm doing the right things with devices. And, and AI won't be able to, will only be able to work in the box that you give it, and you will give it that zero trust framework to work within, and you'll be better off for it.

B (38:07)

Love it. And I'm just going to come back full circle and ask you one last question, because I love the visual that you painted. Like, years from now, I want to be on the beach and I want these AI agents operating on my behalf, where you're governing them, you're governing them. But even the fact that you're on the beach has got this kind of relaxed notion that you feel like you're under control of these things. I'm from the Bahamas, so I very much resonate with that analogy.

A (38:38)

People talk about it as if it's something scary. Oh, my goodness, AI is going to take over. It's going to be horrible. And I'm thinking, like, please, if you could do my job, at least half of it, I want you to do that.

B (38:53)

I'll take 20%.

A (38:55)

Right, 20%. I'll take it.

B (39:00)

Last question for you is like, if somebody, if you're talking to another chief security officer, security leader, and they were just starting coming back full circle on their zero trust journey right now, what's the one big thing you tell them to do or avoid based on your experience? How do they get to that beach where they got zero Trust in place? AIs a part of the mix. What can they do?

A (39:32)

Right now, I'll stay with the beach. Visual. Don't boil the ocean. Start with identity and mfa. If you start there, you're. You're at a great point in the journey to look around and say, okay, what else do I need to do? What I would say to avoid is avoid treating it as a tech project. It is actually a cultural shift. You have to embed it in your DNA. You've got to focus on quick wins. You've got to gain and build momentum. So that, I think, is what you tell them to, you know, to do and to avoid.

B (40:10)

I love it. Dr. J, thank you so much for being here. This has been fantastic. You're such a great articulator, especially of these these concepts that other people just make unapproachable. Like I just feel it's so approachable when you talk about them. And again, thanks for being a part of this. And listeners, thank you so much for tuning in. Please keep the conversation going on our RSAC membership platform by visiting onersac.commembership and be sure to check onersac.com for new content posted year round. Dr. J, thanks a lot. This has been awesome.