A

Foreign welcome to the Corporate Director Podcast where we discuss the experiences and ideas behind what's working in corporate board governance in our digital tech fueled world. Here you'll discover new insights from corporate leaders and governance researchers with compelling stories about corporate governance strategy, board culture, risk management, digital transformation, and more. Hi everybody and welcome back to the Corporate Director Podcast, the voice of modern governance. My name is Dottie Schindlinger, executive director of the Diligent Institute, and I'm joined once again by my amazing co host, Megan Day, strategy leader here at Diligent. Megan, how are you doing today and how are you surviving the heat?

B

Well, I have really good air conditioning, so that helps. Afraid for my Con Ed bill in a couple of weeks, but you, you caught me. I would say this episode a little bit deep in thought. I am coming out of a conversation I just had with my boss about how fast AI is driving the pace of change inside companies right now.

A

Yeah. And what's your take on that, Megan? Because I know it certainly is driving a very brisk pace here at Diligent. We are all in on AI as a company.

B

Well, I saw a survey the other day that really stopped me in my tracks. It was from Adeco where they interviewed about 2000 C suite leaders across 13 countries. Only 10% of the companies surveyed globally are considered future ready when it comes to AI. And I don't know, it just paints a pretty stark picture of where we are with AI readiness and this like, hurry up, we gotta get there vibe happening right now. Yeah.

A

You know, Megan, you're reminding me of some conversations we had last fall with Florin Rotar, who's the Chief AI officer at Avanade. And he had this great line that he used which is, you know, he thinks we have grossly overestimated the impact of AI in the short term and radically underestimated AI's impact in the long term. And I think that's the right way to think about it. And one of the things I know we're excited about trying to do at Diligent is not just providers AI fueled tools to our customers, but also education to wrap around that. And that I think is really important too. We think about our what Directors Think survey that we did and published in January. The number one risk that board members were telling us they were seeing as it relates to AI is whether or not they've got leadership that's ready to handle it. And I think that's a big issue. I think education is part of that. What do you think about that?

B

I definitely Agree. And when you look at the companies that are the so called future ready, it's not just about throwing money at the technology, it's about investing in people. It's about aligning their strategies with talent development, training their leaders, making sure employees aren't left to figure it out on their own. I mean, one of the most surprising stats was that while 60% of companies expect their employees to adapt to AI, a third don't even have a policy in place. It's, it's like handing somebody a, a parachute and saying good luck, like, hope you land, don't break a leg.

A

Yeah, I mean seriously. And so. Ok, so let me just share with our audience, in case you're curious, some of the things that we've been doing because we really started on this fairly early. I mean we began putting together a certification program for board members and senior executives on AI ethics and board oversight. We launched that really at the end of 2023. And so that was just the beginning of 2024. So that was just really kind of getting in on the early stage to provide education to leaders about how to do this. But since then we've gone a lot farther. So now there's actually this robust education and templates library within the Diligent1 platform. And so basically, if you're a Diligent1 platform customer, you have access to it. And if you're a customer and listening to this show and you don't know this, reach out to your customer service rep, talk to your corporate secretary, talk to whomever in your company manages your contract, because you should have access to this. And what's in that library are many things, including templates for things like usage policies, short courses that might take you some somewhere between 10 minutes and a half an hour to go through just to get yourself a little bit better versed on things like the regulatory landscape or just some of the basics of how AI technology works within companies. And there's also quite a lot of expert LED content in there. It's not just stuff that we wrote on our own. We go out what we always do. We put together educational programs, we try to find the brightest minds out there, ask them to help us think about how should we do this and have them on camera, get them on camera talking about the issues and really breaking down the these complex topics in ways that are accessible for leaders, for frontline workers, for everybody. So I think it's really important to take a look at that. You know, we try to make sure everything is then accredited with continuing legal education and CPE credits and just try to help people get, you know, ahead of the curve. So, you know, if you haven't taken a look at it, sorry for the shameless plug, but I'm really proud of it. You know, it's really good work and it feels very important to me. Cause I think so many companies right now are just providing technology and saying, good luck, and that's not enough. That's not enough. We're trying to do more than that.

B

I would like to correct my metaphor before my analogy. The English major in me can't remember which one is which at this time. I said parachute, but it's not really a parachute. We're giving people, putting them on a rocket ship, giving them a jetpack and saying, good luck, see you in outer space. It is a brave new world. And we're just sort of throwing people out into the great unknown.

A

Yeah. So listen, definitely check it out just to kind of give a couple of specifics. Right. You can get in there. You can find content from governance experts like gec, Risk Advisory, Global Data Innovation, Numerati Partners, a number of others, short video content as well as written content, interactive exercises. There's thought experiments to help you apply what you're learning to potential scenarios. Okay, that's it, Megan. I swear, that's the plug over. I just really wanted to make sure to tell people about it in case they weren't aware.

B

Well, we bring all of this up because we have a great conversation today with friend of the pod, right, Nick Chevilyoff.

A

He's the founding and managing partner at VCSO AI, which is, interestingly, a cybersecurity executive advisory firm that really focuses on the sort of confluence of cyber and AI, which I think is a really perfect topic for us to talk about today. So why don't we give it a listen and come back and talk about it after? Great. Joining us on the corporate director podcast today is Nick Shevilyoff. Nick is founder and managing partner at VCISO AI, a cybersecurity executive advisory firm. Nick is also a board member at Cofence and the Bay Area CISO Council, and he's also the author of Cyber War and Peace. Nick also served as a former global bank cso. Nick, thank you so much for joining us on the show.

C

Great to be here, Dottie. Thanks for having me.

A

Well, you know what? I just ran through a couple of highlights of your career. You've done a lot of interesting things, and I wondered if you could start by giving us a little more context and a little Bit more background about some of the things that you've done in the cybersecurity space.

C

My pleasure, Dottie. 30 years in cybersecurity, the first seven technical in nature, building networks and then ultimately breaking into them with a US Secret clearance, working for US Government agencies. Five years at Deloitte doing strategic management consulting for financial services and technology companies. And then from 2007 to 2021, I was the Chief Security Officer for Silicon Valley bank, the global bank of the innovation economy. And at one point, we banked 80% of the top tier venture capital and private equity intellectual property around the world. We were the only US bank with a joint venture with China, and I served in that capacity for 15 years. For a couple years, I was also Chief Information Officer to adopt public cloud and agile software methodologies safely. I stepped down in 2021 to publish a book, Cyber War and Peace. Building Digital Trust Today with history as our guide, takes lessons from history and behavioral science and translates them how to think about cyber risk. And I started vc, so AI, and we're a boutique cybersecurity consulting firm. We help executives think through cyber strategy and we help cybersecurity product companies build better products, something I did for many years at Silicon Valley bank, early days of Palo Alto Network, Zscaler and CrowdStrike. I was there as a design partner and used those products and now I do that independently within my own company. So glad to be here, Dottie.

A

Well, Nick, I'm delighted to have you back on the show. I know you joined us pretty shortly after you had published Cyber War and Peace, and we had an opportunity to talk about your book, which is, by the way, folks, a really good read, so you should absolutely check it out. It's a really, really good book. But I was eager to have you back on the show because I feel like a lot is changing in the world of cybersecurity, in large part because of generative AI. And so I want to focus a little bit of time today with you on, you know, this idea that there's rapid adoption of AI. It's changed a lot about the business landscape already, and yet it feels like we're still at the very beginning stages of how it's going to change the business landscape. But I think it's also had a pretty profound contribution to the cybersecurity landscape, both in terms of what the threat landscape looks like, but also in terms of our ability to fight would be attackers. So talk to us a little bit about what are some of the things we need to know about how AI is changing the cyber world.

C

Yeah, great question. Very topical. So as part of my practice as I host Chief Security Officer dinners on a regular basis, and I asked this very question of the operational practitioning CISOs, and the common themes that come out from CISOs from large organizations is that generative AI empowered everyone. It made developers be able to develop faster and in parallel with Genai, but it also made the bad guys, the threat actors, be able to scale. So think about it in the past where someone who wasn't necessarily a native English speaker, they would have to do research, they'd craft a targeted spear phishing attack and they target an individual. Now with gen AI, you can have all that crafted for you at scale, and you can target individuals at scale. And so one of the top threats that organizations are seeing today are really well crafted spear phishing attacks at scale. So, so that's one of the things that they're seeing and the other are the deep fakes. It's sort of the imitation of someone's voice or their face or something to build trust for you to authenticate them and then commit some sort of malfeasance. And that is happening on a regular basis. And so you're seeing the increase in targeted spear phishing attacks. And phishing remains the number one cyber threat. And an increase in deep fakes used to trick organizations typically into moving money. We faced business email compromise for many years where someone with the authority to move money outside an organization got an email from someone that pretending to be the CFO or the CEO. Now you're seeing video transmissions, zoom calls requesting those money transfers, and they're really fake. So those are some of the top threats that organizations are seeing today and need to prepare themselves against.

A

I mean, those threats are going to keep me up at night, of course. I mean, they seem so easy now. I mean, there's so much of the technology that has come so far. These things are able to be launched by really anyone. To your point, you know, you don't have to even be a native English speaker in order to launch an attack among a company that speaks English. Right. It's really gotten so easy. But, but I also wanted to ask you about some of the ways that AI is also helping to fight some of these new kinds of threats. Right? Because I think that there are AI fueled tools that can also give you a little bit of an advantage over some of the traditional methods of fighting cyber crime. So maybe you could talk a little bit about some of the pros or some of the less scary aspects of AI when it comes to the cyber landscape, you know.

C

Absolutely. And there's new technologies being invented in this AI era. So we kind of came through the cloud era where everyone was migrating to the cloud and now we're in the AI era where organizations are trying to figure out how can they adopt AI to be more effective in many different ways, one of which is in cybersecurity. And so the very technology that empowers us may also imperil us. And we have to think about the trade offs. And the, the AIs that companies are deploying are typically only as effective as the data they have access to. So you need to have clean labeled data that your AI can source in order to produce some sort of outcome and produce some sort of workflow. And so what's interesting is that the architecture of certain solutions have greater advantages than others. So for example, endpoint detection and remediation, EDR is the next generation antivirus. It's on our endpoints and it has direct access to the activity on that endpoint, making EDRs much more effective in the age of AI. So that's based on the architecture, but there are other architectures, such as cloud native architectures that are application programming interfaces, APIs, connections which are point to point that block access to certain data points depending on your privileges, making it much more difficult to leverage AI solutions in the cloud. So I would say that there's lots of use cases that organizations can leverage AI to be more effective, especially including cybersecurity. You have to analyze the workflows that the AI is producing and the data that it has access to make sure that you have the right controls in place. When I think about cybersecurity, I think about the capability that you have, the configuration of the capability and then the coverage that it has. And so if you use those three sees and you analyze how you're leveraging AI native cybersecurity solutions, then you can start to gauge how effective those solutions are in parallel with adopting it through other workflows within your organization. So those are simple ways to think about it.

A

Nick, I think it's also really helpful to provide some examples, right. I'm thinking about the directors that listen to this show. I think a really helpful example, an illustrative example, could be really useful. So could you give a specific example of one situation where AI successfully detected or prevented a cyber attack that a traditional method might have missed?

C

I think that when you have sims, right, these are large pools of data, what you're seeing is that Once you gather these logs in a centralized location, having an effective AI system access those and respond faster are use cases that you're seeing within organizations. And so here's an example is the legacy Security Operations center where a human sits in front of a screen and looks at lots of different alerts and then takes their mouse and their keyboard and acts and responds to an attack that has been augmented with AI that monitors those alerts. I mentioned EDRs earlier. Your EDR sends off an alert, it used to be that a human would then respond to it. And that could take minutes and hours. And so that's your mean time to detection, your mean time to response. That's typically in the minutes and hours. You're now seeing AI technologies called Managed Detection and Response auto monitor these EDR alerts and auto respond in seconds and not minutes and hours. So these are examples of real technology that's been deployed now for a couple of years that is bringing down the mean time to detection and the mean time to response on attacks in your network.

A

That is a great example. Yeah, thank you for that. I wanted to also just have you. Look, this is something you spend all day, every day thinking about, right? The cyber landscape and what's changing, what's evolving. So speaking to board members, what are some of the things that you see as the biggest opportunities and challenges in the cyber threat landscape right now? What are some of the things that board members should be paying attention to?

C

Well, do we have someone on the board that understands this technology? Do we understand what is being shared with us in terms of the risks and the rewards? And do we have a plan like, are we adopting this and are we learning from adoption? Because there are features in these technologies that are going to give you more accurate forecasting, more effective predictive analytics. And once you have these new insights, how do you ingest them? How do you think about them? How do you incorporate them into your decision making process? So I think those are points for boards to think about is having someone who understands the technology on the board having good discourse on how they're going to measure the effectiveness of the adoption of the technology, how they're going to receive reporting, and how are we actually going to improve our effectiveness and have greater insights and make better, better informed decisions. I think that's a healthy dialogue and also a healthy way to adopt a very rapidly changing space. Right. It seems like the space is changing at a rate faster than any other technology that we've experienced. And something I mentioned in the book years ago, Dottie, and I'll repeat today is that the rate of change that we are experiencing today is likely the slowest rate of change that we'll ever experience again. It's just compounding that makes me want.

A

To retire right now.

C

This is so much fun. We're just getting started.

A

We're just getting warmed up. Well, listen, I know that some organizations, hopefully fewer these days, but some organizations have some concerns about over reliance on automation for security. They want to make sure there's a human in the system and keep the human being at the center of the system. What are some of the key limitations or risks for companies that are incorporating AI and machine learning into cybersecurity programs?

C

I think you want to understand what processes that you want traceability and explainability for. Right. And why. Why do you want traceability and explainability? And then you probably want to establish thresholds for when intervention is required. So that which may be automated should be automated, but then controls should be put into place to measure deviations from means that we decide to be critical. So if there is a process that needs to execute and it needs to be done in an automated fashion, we want to establish controls that monitor deviations from the mean of that process and establish a measurements program so that which, you know, you should think about measurements in terms of managing effectiveness. So I can't manage something I don't measure, and I would argue I can't measure something I don't know how to manage. So determining what should be measured, why it should be measured, and how it should be measured in order to have reporting to the board to understand are we adopting new technology effectively and safely, and where we need traceability and accountability, we have it right. And having that critical discourse internally, I think those are all healthy discussions at the board level.

A

I want to pick up on that last thread there, Nick, because the idea of having the CISO do better reporting to the board, it's something I know you and I have talked about before and how incredibly important that is. And I know certainly it's important in large part because you've got a lot board members who don't come from a technical background. But it's also important from the perspective of the CISO being able to report things in ways that mean something to the board. Meaning how does this tie to what the company does for a living? Right. So really making sure that it's tied into business strategy when they're talking about the cybersecurity program. So do you have any kind of specific recommendations you would make either to board members or to CISOs about how they can do a better job on, you know, asking the right questions and reporting on these really critical issues.

C

At the board level, I'll tie this into more modern software delivery methodologies. So I mentioned for a couple of years I was also cio and as a cio, an agile software delivery methodology is just a more modern iterative way of producing software. And I thought about the world as the planned business projects that I was delivering on the planned technology in support of those business projects. The third type of work is planned change in the organization. And the fourth type of work was unplanned work, also known as anti planned work. The more unplanned work I had, the more it erodes my ability to deliver on planned work. And security should be protecting to enable planned work outcomes. And so boards can ask themselves is how well are we delivering on planned work? How much of it is unplanned or anti planned work? Where can we use new technologies to reduce our uncertainty on delivering on planned work? How do we make people more effective? How can we create automation loops and have humans overseeing the loop and intervene as needed with the appropriate abilities and privileges? So those are more broad strategic discussions that can have that tie into really credible methodologies. And Agile has been around now for 20 plus years. A lot of more modern software delivery organizations have adopted it. Agile lets you build software in a more iterative fashion and you can tie in. There's a lot of new tools in AI that help you deliver on software faster. In fact, this is one of the most intriguing elements today is that you've got AI solutions that you can, you can verbally share what you want to build. They'll build the policy. You can convert the policy into code, you can take the policy as code and put it into a new AI software development platform platform. It will create the software for you and then you can have a separate AI to QA it. And so there's different ways to, you know, take these new technologies and daisy chain them together to be more effective. I like to take two different phones. I have one running one AI and one running another and I give them each a role to play. I have one being a product designer, one being a software developer and I give them the roles and I tell them the problem that they're trying to solve and I put the two phones away and I let them problem solve overnight and then they come back with a solution the next day. That's one way of doing it. But there's lots of different others new ways of working today leveraging these new technologies.

A

Well, you just gave us a great list of discussion points at the board level. But just in that last example you were giving, having the two phones sort of teaching each other, I mean, it goes back to something you said earlier, which is now cybercriminals have access to this technology too. So they can just, you know, plain language speak what they want to do to your system and AI can go build that software and go launch an attack. So what would be some things you might recommend as effective cyber defense strategies? Given, you know, the state of AI technology investment and where we're heading? What should boards be thinking about?

C

What should they be doing they should be thinking about? It's a, it's a combination of what's the latest generation technology that we should be exploring that's been created in the last two or three years, that's AI native, that moves at the speed of the AI threat actors, but it's also good old fashioned cyber hygiene. So ransomware is just disk encryption that you don't have the key to, but it's still plaguing organizations and organizations are paying hundreds of millions and billions of dollars in ransomware related costs. And, but you know what gets you out of that trouble is effective backups. Right? If you take what's really important for your organization and you back it up effectively and you keep it in separate environments with separate credentials and you validate it and you do recovery on a regular basis, that'll save you in a ransomware attack. And, and so we're seeing a lot more of these AI fueled ransomware attacks leveraging the attack version vectors we talked about earlier. But good old backups and good hygiene are what's saving a lot of organizations. So I would say think about the latest and greatest and newest technologies and have that as part of the discussion. But also good old fashioned cyber hygiene needs to be front and center. You know, excellence in the basics, right? What are the basics? And have excellence in those basics is key.

A

I love that. Well, Nick, it's been so great to catch back up with you and find out what you're up to these days. And thank you so much for providing so many practical tips for our directors.

C

My pleasure, Dottie, glad to be here. Thank you for having me. Great catching up with you again.

A

We've been joined today by Nick Shevilyoff, who's the founder and managing partner at VCSO AI, a cybersecurity executive advisory firm. Nick, thank you so much for joining us on the show.

C

Thank you, Dottie.

B

Great food for thought. Dottie, I mean, it brings up this question that I feel like we're starting to have again. Do boards need to have an AI expert at the table?

A

Boy, we've wrestled with that one a lot, haven't we, Megan? And you could have put in fill in the blank expert at the table. I know, right? We talked about this so many times, and I don't know if my thinking's evolved on this over time. Here's what I sort of think, right? I always go back to the research that Dr. Peter Weil did at MIT on digitally savvy board members, right? And that research was just so clear. Once you have three digitally savvy board members in the room, everything goes better. Your growth goes off the charts, your risk goes way down, the company explodes. And so I don't know whether it's having a specific expert in fill in the blank topic or whether it's just making sure that the people that you are bringing on your board are digitally savvy. Like, do they have sort of that basic grounding and understanding? Do they have that pedigree and that background, not just of having been any type of CEO or any type of cio, but really kind of thinking in sort of these future ready ways and having that skill set? And I just think it's become critical for every executive now to be digitally savvy. I don't think you can really be a successful executive if you're not these days. That's a bold statement, but I think that might end up being true.

B

Nope, I can.

A

What do you think?

B

I completely agree with you, Dottie. And I think, you know, we have seen this, as you said before, the fill in the blank with the cyber, with hr, with any sort of, I don't want to say niche subject matter, because it's much more than that. It is this idea of a board member being a generalist versus a specialist. It just again comes back to the balance that you need to strike on your board. And increasingly, as executives get more experience with technology, with AI, with cybersecurity, then I think naturally the boardroom will start to fill up with people that have a much stronger grounding in all of these topics.

A

And here's the difference, right? Okay. If you've got someone on your board who has a grounding in some of these topics, look, you're still going to bring experts in the boardroom, right? You're still going to bring in outside consultants to handle specific issues that your company is dealing with. But if you have someone in the boardroom that understands the subject matter, first of all, they're going to have a network of really good experts you can draw from. Right. So they're not just going to call up, you know, the garden variety consulting firms and say, send us your best. They're going to know people, and they're also going to know how to vet the quality of the consultation that you hire. Right. Because sometimes, and I hate to say it, but I don't know if you noticed this, Megan, suddenly last year, do you notice everybody was an AI expert? I mean, and I can tell you this from my own experience, I can't tell you how many speaking gigs I turned down because I was like, guys, I'm not an AI expert. Like, just because I've written a couple of reports on surveys that we've done does not make me an AI expert. Stop positioning me this way. And the truth is, I think people are just so desperate to get information on this hot new topic, they're willing to listen to anybody who sounds vaguely intelligent and interesting. And that's not, that's not a bar high enough for boards. And so I think that's where the difference happens. It's when you've got someone who actually knows how to, how to qualify the level of expertise you're bringing in the boardroom. You know, that requires some experience. It requires you to have a basis of knowledge to be able to make that judgment call.

B

Yeah. And I honestly, I want to backpedal for the second time in this episode and maybe recant what I said. I mean, I actually want to stop calling it a topic or an area of expertise in some way, because what AI is doing is, it is upending business models. It is, it is like the conversation we had 10 years ago around digital transformation in the boardroom. It's that conversation on steroids because it touches every aspect of how a company operates. And in 10 years from now, all companies will be AI companies. And so how do you equip yourself for the right people around the room to have that conversation?

A

Yeah, I mean, it's, it's the best, the best equivalent that I can think of is the Internet.

B

Yeah.

A

You know, there's, there's not literally nothing that you do doesn't involve the Internet. And that wasn't true in, in 1990. And, you know, some of us remember working back then, and it was a different world. It was a different world, but we all came around. It took us some time. It took some longer than others, but it took some time. And those that took too long, they're not around anymore. Those companies are gone. I think it's the same thing. AI is going to very quickly become technological DNA. In fact, I think it is pretty much has at this point. It is there. It's not necessarily in every single system, but I think you'd be hard pressed to find a single piece of code that hasn't been written partially by AI these days. I mean, why would you write code manually anymore? I mean, why? It would take you several times longer and be full of errors. So it's. I don't know, it's interesting. But with that said, I do think talking to people like Nick is so important because there are all these things that can go dreadfully awry. And you do have to think about the implications of all of these changes, all these rapid changes and all the hype and all the excitement, which is really easy to get swept up into. But you still have to have guardrails. Like you have to have guardrails. Things can go so badly wrong so quickly. Anyway, how do our conversations always turn to like doom and gloom? I think it's my fault. Is that my fault? I'm sorry about that, Megan.

B

Despite your your peppy voice, Dottie, you are just full of doom and gloom.

A

All right. Like the Pollyanna for the apocalypse. Well, that wraps up another episode of the Corporate Director Podcast, the Voice of Modern Governance. I'd like to say a few special thank yous, first and foremost to our cyber and AI expert Nick Chevlyoff, podcast producers Kira Ciccarelli, Steve Claydon and Laura Klein, our sponsors for the show, PwC, KPMG, Wilson Sonsini and Meridian Compensation Partners. And most especially, thank you to Diligent. If you like our show, please be sure to give us a rating on your podcast. Player of choice. Five stars only, please. You can also listen to our episodes and see more from the Diligent Institute by going to diligent.com resources thank you so much for listening. You've been listening to the Corporate Director Podcast to ensure that you never miss an episode. Subscribe to the show in your favorite podcast player. If you'd like to learn more about corporate governance and tools to help directors do their job better, visit www.digent.com. thank you so much for listening. Until next.

B

SA.