C (2:55)

Yeah, I mean, it all started out at university. I did a computing science business degree, undergraduate degree, got super interested in how computers were connecting and talking and communicating and date myself, Unix, different flavors of AIX or whatever, Unix and Novell netware, and lots of things from the distant past that most of the listeners probably will not remember. Some of that interest was really driven by a book I read early in my time at university. It was one, I think a number of friends and colleagues in the industry have talked about and referenced. But Cuckoo's Egg by Clifford Stahl. And in my best attempt at geeking out and really loving my topic, that it felt like a thriller to me, a spy thriller, a really kind of search for that mysterious hacker. And it just got me excited about how things were connected and how they could do things maybe that they weren't meant to do or how those things happened. And then since then, it was rolls into it out of university before effectively doing cyber work, but not called cyber at that point in time, maybe just. Or information assurance, and then through a career, just through identity management, instant response, pen testing, red teaming, strategy advising organizations. It's been fascinating. It's just never the same day twice. I was asked the other day, was it passion or money that drove me to cybersecurity. And it was definitely passion. Some of the young students, when they come in, we were hosting some school. Some school kids at the moment, I call them kids. That's terrible. But you know, school people at the moment, and they're thinking about this as a career and that was their question. And it was definitely passion.

A (5:08)

Absolutely. Because it's so. It's ever evolving too. Right. You learn something new every day. And I just can't think of other professions where that's the case. So at what point in your career, though, does this AI thought bubble start entering your consciousness and you're like, hold up a second, I'm seeing an intersection here with cyber risk that perhaps we need to start looking at.

C (5:32)

Yeah, we've been kind of thinking and talking about it for so many years that it was something way out in the horizon when computers could do different things and interact in different ways that could really changed the game. And I think maybe about three, three and a half years ago, myself and some colleagues at EY were running workshops for a number of decision leaders across government and with industry, and we were really starting to talk about AI being used as a threat vector and a mechanism to generate malware, to generate phishing emails, crafting those better emails to socially engineered users. So we've been talking about that risk now for a number of years and seeing it enacted and seeing it happen. And then in the last few years, really been thinking about the flip side to that, the use for benefit. And we're seeing those threat actors use it. We're seeing attacks happen at machine speed. Our defenses need to be at machine speed. How can we do that? And then the wider piece of we want to use it in our businesses, we want to gain advantage, competitive advantage in our businesses, and business leaders are pushing on with it. How do we secure that data? How do we keep trust levels? How do we do all that? So, yeah, it's an ever increasing topic and conversation piece. And I think RSA the last few weeks, the number of mentions of AI were, if you're playing buzzword bingo, you were done within the first two minutes.

A (7:10)

Yes. It's like what zero trust was a few years ago. Right? I mean, you just couldn't escape it.

B (7:17)

So, Rick, I wanted to start off the rest of the conversation, you know, starting around the threat landscape and so on. And I was hoping you could start with giving us a background and an overview of NAVI and what that means to security teams.

C (7:36)

Okay. So we published a report, EY published a report late last year, and we talk about navi. So the nonlinear, accelerated, volatile, interconnected nature of various things. And from a cyber perspective, we're seeing that nonlinear triggering sudden tipping points that can catch organizations by surprise. The accelerated pace, just the speed of response needed, the volatility, the frequent changes, the direct organizations are needing to be agile and cyber even more on top of that, and the interconnected nature of business, today, we're in supply chains. We're interconnected to societies. So those cascades of that. So we see one constant thing in cyber, and that's change. And threats evolve. We're seeing sudden shifts in exposure, we're seeing that increasing pace. The breakout time that we call out in the report is continuing to fall. The challenges and agility, just that meeting with CISOs, meeting with security teams is what's the next threat? How do I deal with this? And attackers are doing something different. So constantly need to be agile, constantly needing to be aware of what's happening. And then I mentioned rsa. There was a session at RSA where we were seeing zero click attacks on AI and the data and the systems connected to it in some of the sessions. And it's fascinating what is capable and it was eye opening to some degree as well. To think of the pace that we're seeing.

B (9:24)

That yeah, that zero click in AI is something I noticed on one of my devices. Just sudden outbound requests as my phone's AI processing emails and it's like, why are you doing this? But coming back to this framework and the AI interaction, how is AI impacting this? And you mentioned that dwell time in the report. The dwell time drop is just astounding to me how quick it is.

C (9:58)

Yeah, I think so. We see that movement and the breakout time as well. I forgetting the number now, but in CrowdStrike's report they talk about seconds. It's for breakout and that use of machine. Humans are not breaking out at that pace as much as we might think. There's some amazing hackers and amazing people and threat actors out there. It's machines, they're using machines to operate at that pace. So I think that that's the big thing that we're seeing. And then when you look beyond that, the report talks about some of the losses and some of the impacts on it, potentially just very, very large.

A (10:48)

There were some really interesting findings in this report and for all of our listeners out there, we will be sure to link to this report so you can have it in the show notes. But it looks like you guys found that half of all organizations have already been negatively impacted by AI. Introduced bones, average losses of 4 million per incident. And then on the flip side of that, you've got 68% of organizations letting employees basically innovate. Right, Build and deploy AI agents with seemingly little to no oversight. Because innovation doesn't wait. We have to move forward. So when you put these two things side by side though, what does that tell you where most enterprises are today in terms of AI governance within their AI transformation strategies?

C (11:36)

Yeah, I think it's definitely lagging or a gap. I think we see that. One of my colleagues had a really interesting chart we put up with some clients recently and it was talking about the pace of innovation as the top line and how fast the business and the organizations they wanted to drive forward on AI initiatives. And then below that lagging line with a gap between it to where technology organizations within the companies, within the organizations was running and then even below that where the cyber teams were and that. So that increasing level of gap, when you go with pace and innovation is material and it's impacting organizations today and threat actors can exploit that gap, they can be more agile, they can adapt. If we're relying on legacy controls.

B (12:38)

So Rick, in the software engineering world, we're always looking to shift left, shift left about everything. And I think that's always been true for security as well. How do we get security earlier in the development cycle? Reading through some of your material, it seems like this isn't sufficient. Why is it not sufficient and. And what is the right answer here?

C (13:04)

So I think I agree. I've also been advocating that shift left. I think we all have for so long and I think it's the pace of innovation and what we're doing and the risk of cyber security, cyber resilience, becoming the blocker to the innovation and blocker to the ability for the organization to function. We're seeing that move at a pace, wanting to move at a pace and cyber not being able to be that business partner and helping them achieve their goals safely. So I think it's a kind of flip in mindset of being an enabler, not a blocker. Building trust together, managing risk and establishing some of those guardrails around it. So clear points around human factors data, the various aspects we talk about it in the report. I won't bore everyone by reading out titles from a report, but it's have those guardrails establish a framework that enables the business and you can work as partnership with the business to achieve the outcomes.

A (14:13)

And as we all know, blocking just makes people find other Creative pathways to 100% get done what they need to do. Not that I have ever done that in my career. Just so we're never never so we're clear. But it is interesting as we see the development of adversarial attacks, meaning targeting AI systems through new vectors such as data poisoning, prompt injection and model theft. It looks like you guys have reported that AI generated phishing is up 67%, phishing attacks 442% and just all of these problems overlapping and do they all have a common solution or are there overlapping solutions that we need to then look at on how to address this but also move at machine speed hopefully to do that?

C (15:04)

Yeah. Anyone who walked the floors in RSA and saw the many silver bullets to solve all problems will hopefully be as skeptical as I am of that these days. I don't think there's not a single magic silver bullet or solution to these things. I think that human factors piece we talk about culture and awareness are a topic that I don't think ever should go away. Well trained, informed, skeptical users of systems will provide much more resilience than any tooling alone. Curbing errors and helping people detect social engineering campaigns. But those better phishing emails, those phishing attacks, all of those have improved. So looking for some of those traditional things just aren't there anymore. But it doesn't mean we don't need tooling. And I would strongly argue that the brilliant basics, the having clear view of identity, who is in your environment and that identity isn't now just humans, it's robots, it's AI, it's all of these things. What are those entities trying to access? Why are they trying to access it? Is that a valid reason? So that leads to insider threat programs. And those insider threat programs aren't just insider threat as in a human human, it's an insider of any variety.

B (16:36)

Can you talk a little bit too about the threats that might come in via large language models where CISOs and so on might not have a lot of control and especially things like AI supply chain attacks.

C (16:51)

Yeah, definitely. And we talk about that obviously in the report. We're seeing that CISOs are, that we're working with, that you are working with, are mitigating those AI supply chains by working to have transparency, visibility, minimum security standards across those third party providers and the AI components where they can't achieve that, that's when they have to start raising the flag and saying, look, there's our data. There are potentially the crown jewels going into these systems. We need to do that. So strengthening the asset management, rigorous third party risk control. Again, the basics, the cryptographic verification, Are we using the right models, our data models and the data we are sharing into things, Are we being respectful of the GDPR and all the privacy requirements that we have and look for those hidden dependencies and vulnerabilities, just as we would in software engineering around the whole supply chain of components, Are we introducing more vulnerabilities through any of that external AI software and code?

A (18:08)

The big conversation on AI too, which I find this a little fascinating. So everyone's moving towards automation, agentic AI and helping us out. But I guess what is your perspective in terms of how much human judgment needs to remain in the loop? And I say this, you know, kind of flagging things like sometimes these agents just lie to your face and then you call them on it and they say, my bad, you know, so we kind of have to manage through that. So what is your perspective there?

C (18:43)

Yeah, definitely. I mean, I think, I think it's, I said, I sat on a number of those sessions at RSA looking at, looking at different agentics and everything's. I think it's not an Easy question, definitely, but one that we have to address. And I forget the presenter, but the topic was something along the lines of your agents are my minions. I call it the presenter who's very good at both the content and the showmanship on the presentation, you know, but those insider, those agents becoming insiders, being attacked, being turned to achieve outcomes for threat actors is terrifying and something that we really have to think about. And without humans in the loop, without some judgment remaining in the loop, I think we're missing ourselves. But then to your point, the machine speed, there are some things we're just going to have to accept, have to be done at machine speed and get comfortable with it. And it's that balance we're in at the moment. And I personally don't have a silver bullet magic answer for it. It's judgment and it is judgment from the ciso. The risk, thinking about the data use cases, getting back to the bas. What are we protecting? How critical is it? What's the priorities? What would the impact be? How do we continue to operate and be resilient?

B (20:28)

But given that, what kinds of things can enterprises do to detect these threats? Right. You've already mentioned you kind of have to send these models certain amounts of private data in order for them to do what they need to do like and prompt injection and all sorts of other other things are open risk vectors, right?

C (20:52)

Yeah, yeah, I think, I mean just, you know, I mentioned that title. Your agents are my minions. They are, they are a potential insider risk. So treat, treat your data flows. Treat, treat all of that as you would with an insider risk program. Think, don't, don't separate them into their machine. They're, they're, they're an entity operating with your data. Think about them as a potential insider

A (21:16)

coming back to, I guess per incident cost. Right. It's quite significant. And these things can grow over time as we know. So how can these things, these are real time attacks that require real time action. How confidently can enterprise security teams be that they can act in real time and get ahead of these AI driven threats?

C (21:47)

I think the only way we can do that is by adopting and using AI ourselves.

A (21:52)

AI to solve for AI?

C (21:54)

Yes, AI to solve for AI. Yeah, we're seeing that with clients TNT out we've been implementing and again I wouldn't help, I would labor on specific vendors, but we made some announcements at RSA ourselves as EY where we're working with particular technology organizations around having agentec agents into SOC and using it to help support the defenders and being able to Manage those risks. This is where the organizations we work with are shouting at me for not mentioning their names, but I'll be good, no adverts to do so.

B (22:41)

How do we enable the decisions makers and the CISOs to get a seat at the table to assure that they're there from the beginning on all of these security decisions?

C (22:54)

Yeah, I think the best CISOs we work with today, I think are getting the seat at the table and I think they've earned that, that right to have the seat at the table. How do I think they're getting there? I think they're getting there because they're talking the language of the business. They're talking in terms that the risk, the understanding of it and they're using what's happening in the world with governments, with regulators, with shareholders, really placing much more emphasis on, and I'm not going to say cybersecurity, but cyber resilience. We've seen organizations, large, large organizations massively disrupted by cyber incidents. So that impact on the bottom line and taking the conversation in the language the executives and boards can understand is how CISOs earn that seat at the table. And as I say, many of the best CISOs that EY work with today are doing exactly that. For those that maybe aren't today. I would say look at the business outcomes, translate, act as the translator between tech teams and executives. And I'm not saying that executives don't have to be build their education and understand more of the technology side of it, but by talking their language, seek first to understand and then kind of take people on the journey with you. So then educate the execs along the way, bring them with you as involved in an activity with the UK government. It published the Cyber Governance code of practice and it poses 20, 27 questions, 20 something questions to boards. And the point of that is for them to be able to understand the posture of their organizations on cyber. So I'd say to CISOs, look to things like that and say, could you answer those questions in business language that would be understood by the board?

A (25:06)

Flipping this a little bit and how we look at it, Rick, and I know there's been a lot of discussion relative to things like AI regulations enacted by certain regions and impact of innovation first versus security first and those things. So what could be the consequences for those organizations that are saying, you know what, we kind of want to take a little bit of a wait and see approach, you know, kind of see how this thing might play out and get a better sense of things before we dive into the Deep end. You know, is that a play here or do. Are they just really left behind in the dust and that's not a leapfrog opportunity by waiting?

C (25:48)

No, I think it's an organized, you know, it's a valid question organizations have to ask themselves. I think for me, more and more we see organizations caring about that trust. The trust of their own people, the trust of their clients, the trust of society. And trust is the key word I think there. So I think if you wait and see, you are endangering that trust. And I think the guardrails that we propose provide a flexible, business friendly enablement approach that probably would work well for most organizations to gain the advantages without endangering the trust, not risking reputations or the horrible end of the spectrum, the fines, the legislative consequences and I think being proactive in thinking about the risk. In some ways we have a green field in front of us. How many times in it have we had a greenfield in front office where we can build security in from the start we've all inherited stuff. I started in the 80s, 90s, I've been doing this a while and we had the legacy, we had cobol, we had code, we had lots of mad things that we inherited. No one had thought about the security roundabout. Those this is a chance where we're making a fundamental shift in what we're doing with this technology. It's a great opportunity to think about how do we create those guardrails and build security in from the outset.

B (27:36)

So if you were to distill down to just a couple of action items for our listeners on what they need to be doing right now, what would you be telling them?

C (27:47)

All right, think about those guardrails. The report will be linked. There are five of them. Think about them. Use that to help you secure your AI rollout across the enterprise, generate more value for the business, for the organization and the cyber security function. This is thing that can really support and drive value for that. The CISO should be helping the business promote the function of what cyber is bringing. It's helping deliver trust, it's keeping the organization more resilient. And by doing it right, it'll help the organization keep pace in that navi world.

A (28:31)

I have a closing question, Rick.

C (28:34)

It's a little hot.

A (28:35)

Take question. Because we keep mentioning RSA when one of the other topics that also came up quite a bit in addition to AI was quantum quantum computing. And for so long existential threat. Existential threat. Oh, maybe not, right? I think Google was kind of bringing in a timeline a little bit sooner than others had thought. So what is your perspective there?

C (29:00)

Yeah, that was my other, that was my other fun topic of geeking out and going to go to Quantum sessions. I think there's some really level headed sessions this time on Quantum and I think it is a pick which timeline you want to go to. For me today to say it's a Y2K problem again, maybe dates me and maybe is lost in a lot of folk. We set about documenting and having an inventory of where we were using dates, how those dates were critical or et cetera, et cetera and how those systems could be updated or not. I think it's the same at the moment. It's what are we encrypting, how are we encrypting, where are those, how are we doing all of that stuff at the moment? Get clear on what you are protecting with what? There was a session that I attended and it presented the timeline it takes to change a cryptographic algorithm in an organization and we are still using things that were broken 15 years ago. I didn't see one timeline on any of the sessions that said Quantum wasn't going to happen in 15 years. We need to be on top of it and understanding the criticality of where we are today with our data, with our encryption and starting to think about how we would prioritize the action round about that.

A (30:30)

I do remember Y2K very well. I wanted to take a trip and I was a little nervous on December 31st. You know, should I be in the air when the clock changes? I don't know what's going to happen. What a wonderful reference. Well Rick, thank you so much for joining us today. This has been a really fun conversation on such a hot topic. I know is top of mind for all of our listeners. Thank you so much for your insights and again we will absolutely link to the EY report that has all of those wonderful insights and data points that folks can use as they start navigating the AI trans transformation path forward. So thank you and to all of our listeners out there. John,

B (31:22)

smash that subscribe button and you

A (31:25)

get a fresh episode every single Tuesday. So until next time, everybody stay secure. Thanks for joining us on the to the Point Cyber Security Podcast brought to you by forcepoint. For more information and show notes from today's episode, please visit forcepoint.com podcast and don't forget to subscribe and leave a review on Apple Podcasts or your favorite listening platform.