
A
Welcome to To the Point Cybersecurity Podcast. Each week, join Jonathan Knepher and Rachael Lyon to explore the latest in global cybersecurity news, trending topics and cyber industry initiatives impacting businesses, governments and our way of life. Now, let's get to the point. Hello, everyone. Welcome to this week's episode of To the Point Podcast. I'm Rachael Lyon here with my co-host John Knepher. And of course I have a thunderstorm happening right now that my dogs are very excited about. John, it's one of those days. One of those days.
B
Your place sounds exciting right now.
A
It's very exciting. Three dogs, two cats. Just couldn't ask for more. But I did want to ask you something that's been burning on my mind. Have you heard about this angel AI doc, or how I became an apocalyptomist? That just came out at the end of last month. And it's this fellow. His wife is expecting their first child and he's been thinking a lot about the world ahead and bringing a child into the world of AI dominance, if you will. But it sounds like there's a lot of great interviews there. But like the social media documentary, do you watch and you want to see behind the curtain, or do you just like, I'd rather not know?
B
I mean, that sounds pretty scary to me. I've been worried about similar things and yeah, I don't know if I want to think about it too much more.
A
Yes, sometimes it's nice. Just keep the blinders on. Well, I'm so excited to welcome today's guest. Please welcome Rick Hemsley. He's the UK and Ireland cybersecurity consulting leader at Ernst & Young with over 25 years of consulting and industry experience. Rick continues to work as he always has throughout his career with a broad range of organizations, including governments, to improve their security posture. With Rick's advisement, clients have been able to enhance reporting and operating models. This has also helped clients gain an actionable and accurate picture of their cybersecurity posture and build a priority list of activities to further enhance cyber resilience. Rick joined Ernst & Young in 2022 from a large global consulting organization where he delivered key cybersecurity transformation projects for clients. Prior to this, he worked in leadership roles for many leading cybersecurity organizations. Wow. Welcome, Rick.
C
Hi. Thank you.
A
Thanks for joining us. So we're going to shake it up a little bit today and we're going to bring the end of the conversation to the beginning for this week's chat. So, I'm always curious what the path to cybersecurity has been. You've got 25 years of cybersecurity consulting. What does that path look like in that time?
C
Yeah, I mean, it all started out at university. I did a computing science business degree, undergraduate degree, got super interested in how computers were connecting and talking and communicating and, to date myself, Unix, different flavors of AIX or whatever, Unix and Novell NetWare, and lots of things from the distant past that most of the listeners probably will not remember. Some of that interest was really driven by a book I read early in my time at university. It was one, I think, a number of friends and colleagues in the industry have talked about and referenced: The Cuckoo's Egg by Clifford Stoll. And in my best attempt at geeking out and really loving my topic, it felt like a thriller to me, a spy thriller, a really kind of search for that mysterious hacker. And it just got me excited about how things were connected and how they could do things maybe that they weren't meant to do, or how those things happened. And then since then, it was roles in IT out of university before effectively doing cyber work, but not called cyber at that point in time, maybe just IT, or information assurance, and then through a career, just through identity management, incident response, pen testing, red teaming, strategy, advising organizations. It's been fascinating. It's just never the same day twice. I was asked the other day, was it passion or money that drove me to cybersecurity? And it was definitely passion. Some of the young students, when they come in, we were hosting some school kids at the moment, I call them kids, that's terrible, but you know, school people at the moment, and they're thinking about this as a career and that was their question. And it was definitely passion.
A
Absolutely. Because it's so ever evolving too. Right? You learn something new every day. And I just can't think of other professions where that's the case. So at what point in your career, though, does this AI thought bubble start entering your consciousness and you're like, hold up a second, I'm seeing an intersection here with cyber risk that perhaps we need to start looking at?
C
Yeah, we've been kind of thinking and talking about it for so many years that it was something way out on the horizon, when computers could do different things and interact in different ways that could really change the game. And I think maybe about three, three and a half years ago, myself and some colleagues at EY were running workshops for a number of decision leaders across government and with industry, and we were really starting to talk about AI being used as a threat vector and a mechanism to generate malware, to generate phishing emails, crafting those better emails to socially engineer users. So we've been talking about that risk now for a number of years and seeing it enacted and seeing it happen. And then in the last few years, really been thinking about the flip side to that, the use for benefit. And we're seeing those threat actors use it. We're seeing attacks happen at machine speed. Our defenses need to be at machine speed. How can we do that? And then the wider piece of we want to use it in our businesses, we want to gain advantage, competitive advantage in our businesses, and business leaders are pushing on with it. How do we secure that data? How do we keep trust levels? How do we do all that? So, yeah, it's an ever increasing topic and conversation piece. And I think at RSA the last few weeks, the number of mentions of AI were, if you're playing buzzword bingo, you were done within the first two minutes.
A
Yes. It's like what zero trust was a few years ago. Right? I mean, you just couldn't escape it.
B
So, Rick, I wanted to start off the rest of the conversation, you know, starting around the threat landscape and so on. And I was hoping you could start with giving us a background and an overview of NAVI and what that means to security teams.
C
Okay. So we published a report, EY published a report late last year, and we talk about NAVI. So the nonlinear, accelerated, volatile, interconnected nature of various things. And from a cyber perspective, we're seeing that nonlinear triggering sudden tipping points that can catch organizations by surprise. The accelerated pace, just the speed of response needed. The volatility, the frequent changes, the direction organizations are needing to be agile in, and cyber even more on top of that. And the interconnected nature of business today: we're in supply chains, we're interconnected to societies, so those cascade. So we see one constant thing in cyber, and that's change. And threats evolve. We're seeing sudden shifts in exposure, we're seeing that increasing pace. The breakout time that we call out in the report is continuing to fall. The challenge is agility, just that meeting with CISOs, meeting with security teams is what's the next threat? How do I deal with this? And attackers are doing something different. So we constantly need to be agile, constantly needing to be aware of what's happening. And then I mentioned RSA. There was a session at RSA where we were seeing zero-click attacks on AI and the data and the systems connected to it in some of the sessions. And it's fascinating what is capable and it was eye opening to some degree as well, to think of the pace that we're seeing.
B
Yeah, that zero-click in AI is something I noticed on one of my devices. Just sudden outbound requests as my phone's AI is processing emails and it's like, why are you doing this? But coming back to this framework and the AI interaction, how is AI impacting this? And you mentioned that dwell time in the report. The dwell time drop is just astounding to me, how quick it is.
C
Yeah, I think so. We see that movement and the breakout time as well. I'm forgetting the number now, but in CrowdStrike's report they talk about seconds for breakout, and that's use of machines. Humans are not breaking out at that pace as much as we might think. There's some amazing hackers and amazing people and threat actors out there. It's machines, they're using machines to operate at that pace. So I think that that's the big thing that we're seeing. And then when you look beyond that, the report talks about some of the losses and some of the impacts on it, potentially just very, very large.
A
There were some really interesting findings in this report and for all of our listeners out there, we will be sure to link to this report so you can have it in the show notes. But it looks like you guys found that half of all organizations have already been negatively impacted by AI-introduced bones, average losses of 4 million per incident. And then on the flip side of that, you've got 68% of organizations letting employees basically innovate. Right? Build and deploy AI agents with seemingly little to no oversight. Because innovation doesn't wait. We have to move forward. So when you put these two things side by side though, what does that tell you about where most enterprises are today in terms of AI governance within their AI transformation strategies?
C
Yeah, I think it's definitely lagging, or a gap. I think we see that. One of my colleagues had a really interesting chart we put up with some clients recently and it was talking about the pace of innovation as the top line and how fast the business and the organizations wanted to drive forward on AI initiatives. And then below that a lagging line, with a gap between it, to where technology organizations within the companies, within the organizations, were running, and then even below that where the cyber teams were. So that increasing level of gap, when you go with pace and innovation, is material and it's impacting organizations today, and threat actors can exploit that gap. They can be more agile, they can adapt, if we're relying on legacy controls.
B
So Rick, in the software engineering world, we're always looking to shift left, shift left about everything. And I think that's always been true for security as well. How do we get security earlier in the development cycle? Reading through some of your material, it seems like this isn't sufficient. Why is it not sufficient, and what is the right answer here?
C
So I think I agree. I've also been advocating that shift left. I think we all have for so long, and I think it's the pace of innovation and what we're doing and the risk of cybersecurity, cyber resilience, becoming the blocker to the innovation and blocker to the ability for the organization to function. We're seeing that move at a pace, wanting to move at a pace, and cyber not being able to be that business partner and helping them achieve their goals safely. So I think it's a kind of flip in mindset of being an enabler, not a blocker. Building trust together, managing risk and establishing some of those guardrails around it. So clear points around human factors, data, the various aspects we talk about in the report. I won't bore everyone by reading out titles from a report, but it's have those guardrails, establish a framework that enables the business, and you can work in partnership with the business to achieve the outcomes.
A
And as we all know, blocking just makes people find other creative pathways to 100% get done what they need to do. Not that I have ever done that in my career. Just so we're clear. But it is interesting as we see the development of adversarial attacks, meaning targeting AI systems through new vectors such as data poisoning, prompt injection and model theft. It looks like you guys have reported that AI generated phishing is up 67%, phishing attacks 442%, and just all of these problems overlapping. Do they all have a common solution, or are there overlapping solutions that we need to then look at on how to address this but also move at machine speed, hopefully, to do that?
C
Yeah. Anyone who walked the floors in RSA and saw the many silver bullets to solve all problems will hopefully be as skeptical as I am of that these days. I don't think there's a single magic silver bullet or solution to these things. I think that human factors piece we talk about, culture and awareness, are a topic that I don't think ever should go away. Well trained, informed, skeptical users of systems will provide much more resilience than any tooling alone. Curbing errors and helping people detect social engineering campaigns. But those better phishing emails, those phishing attacks, all of those have improved. So looking for some of those traditional things, they just aren't there anymore. But it doesn't mean we don't need tooling. And I would strongly argue that the brilliant basics, the having a clear view of identity, who is in your environment, and that identity isn't now just humans, it's robots, it's AI, it's all of these things. What are those entities trying to access? Why are they trying to access it? Is that a valid reason? So that leads to insider threat programs. And those insider threat programs aren't just insider threat as in a human, it's an insider of any variety.
B
Can you talk a little bit too about the threats that might come in via large language models, where CISOs and so on might not have a lot of control, and especially things like AI supply chain attacks?
C
Yeah, definitely. And we talk about that obviously in the report. We're seeing that CISOs that we're working with, that you are working with, are mitigating those AI supply chains by working to have transparency, visibility, minimum security standards across those third party providers and the AI components. Where they can't achieve that, that's when they have to start raising the flag and saying, look, there's our data. There are potentially the crown jewels going into these systems. We need to do that. So strengthening the asset management, rigorous third party risk control. Again, the basics, the cryptographic verification. Are we using the right models, our data models and the data we are sharing into things? Are we being respectful of the GDPR and all the privacy requirements that we have? And look for those hidden dependencies and vulnerabilities, just as we would in software engineering around the whole supply chain of components. Are we introducing more vulnerabilities through any of that external AI software and code?
A
The big conversation on AI too, which I find a little fascinating. So everyone's moving towards automation, agentic AI, and helping us out. But I guess what is your perspective in terms of how much human judgment needs to remain in the loop? And I say this, you know, kind of flagging things like sometimes these agents just lie to your face and then you call them on it and they say, my bad, you know, so we kind of have to manage through that. So what is your perspective there?
C
Yeah, definitely. I mean, I think, as I said, I sat in a number of those sessions at RSA looking at different agentics and everything. I think it's not an easy question, definitely, but one that we have to address. And I forget the presenter, but the topic was something along the lines of your agents are my minions. I call out the presenter, who was very good at both the content and the showmanship on the presentation, you know, but those insiders, those agents becoming insiders, being attacked, being turned to achieve outcomes for threat actors, is terrifying and something that we really have to think about. And without humans in the loop, without some judgment remaining in the loop, I think we're missing ourselves. But then to your point, the machine speed, there are some things we're just going to have to accept have to be done at machine speed and get comfortable with it. And it's that balance we're in at the moment. And I personally don't have a silver bullet magic answer for it. It's judgment, and it is judgment from the CISO. The risk, thinking about the data use cases, getting back to the basics. What are we protecting? How critical is it? What's the priorities? What would the impact be? How do we continue to operate and be resilient?
B
But given that, what kinds of things can enterprises do to detect these threats? Right. You've already mentioned you kind of have to send these models certain amounts of private data in order for them to do what they need to do, and prompt injection and all sorts of other things are open risk vectors, right?
C
Yeah, yeah, I think, I mean, you know, I mentioned that title: your agents are my minions. They are a potential insider risk. So treat your data flows, treat all of that as you would with an insider risk program. Don't separate them into their machine. They're an entity operating with your data. Think about them as a potential insider.
A
Coming back to, I guess, per incident cost. Right. It's quite significant. And these things can grow over time, as we know. So how can these things, these are real time attacks that require real time action. How confident can enterprise security teams be that they can act in real time and get ahead of these AI driven threats?
C
I think the only way we can do that is by adopting and using AI ourselves.
A
AI to solve for AI?
C
Yes, AI to solve for AI. Yeah, we're seeing that with clients TNT out we've been implementing, and again I wouldn't labor on specific vendors, but we made some announcements at RSA ourselves as EY where we're working with particular technology organizations around having agentic agents in the SOC and using it to help support the defenders and being able to manage those risks. This is where the organizations we work with are shouting at me for not mentioning their names, but I'll be good, no adverts to do so.
B
How do we enable the decision makers and the CISOs to get a seat at the table to assure that they're there from the beginning on all of these security decisions?
C
Yeah, I think the best CISOs we work with today, I think, are getting the seat at the table and I think they've earned that right to have the seat at the table. How do I think they're getting there? I think they're getting there because they're talking the language of the business. They're talking in terms of the risk, the understanding of it, and they're using what's happening in the world with governments, with regulators, with shareholders, really placing much more emphasis on, and I'm not going to say cybersecurity, but cyber resilience. We've seen organizations, large, large organizations, massively disrupted by cyber incidents. So that impact on the bottom line, and taking the conversation in the language the executives and boards can understand, is how CISOs earn that seat at the table. And as I say, many of the best CISOs that EY work with today are doing exactly that. For those that maybe aren't today, I would say look at the business outcomes, translate, act as the translator between tech teams and executives. And I'm not saying that executives don't have to build their education and understand more of the technology side of it, but by talking their language, seek first to understand and then kind of take people on the journey with you. So then educate the execs along the way, bring them with you. I was involved in an activity with the UK government. It published the Cyber Governance Code of Practice and it poses 20, 27 questions, 20 something questions to boards. And the point of that is for them to be able to understand the posture of their organizations on cyber. So I'd say to CISOs, look to things like that and say, could you answer those questions in business language that would be understood by the board?
A
Flipping this a little bit and how we look at it, Rick, and I know there's been a lot of discussion relative to things like AI regulations enacted by certain regions and the impact of innovation first versus security first and those things. So what could be the consequences for those organizations that are saying, you know what, we kind of want to take a little bit of a wait and see approach, you know, kind of see how this thing might play out and get a better sense of things before we dive into the deep end. You know, is that a play here, or are they just really left behind in the dust and that's not a leapfrog opportunity by waiting?
C
No, I think it's, you know, it's a valid question organizations have to ask themselves. I think for me, more and more we see organizations caring about that trust. The trust of their own people, the trust of their clients, the trust of society. And trust is the key word, I think, there. So I think if you wait and see, you are endangering that trust. And I think the guardrails that we propose provide a flexible, business friendly enablement approach that probably would work well for most organizations to gain the advantages without endangering the trust, not risking reputations or, at the horrible end of the spectrum, the fines, the legislative consequences. And I think being proactive in thinking about the risk. In some ways we have a greenfield in front of us. How many times in IT have we had a greenfield in front of us where we can build security in from the start? We've all inherited stuff. I started in the 80s, 90s, I've been doing this a while, and we had the legacy, we had COBOL, we had code, we had lots of mad things that we inherited. No one had thought about the security round about those. This is a chance where we're making a fundamental shift in what we're doing with this technology. It's a great opportunity to think about how do we create those guardrails and build security in from the outset.
B
So if you were to distill down to just a couple of action items for our listeners on what they need to be doing right now, what would you be telling them?
C
All right, think about those guardrails. The report will be linked. There are five of them. Think about them. Use that to help you secure your AI rollout across the enterprise, generate more value for the business, for the organization and the cybersecurity function. This is a thing that can really support and drive value for that. The CISO should be helping the business promote the function of what cyber is bringing. It's helping deliver trust, it's keeping the organization more resilient. And by doing it right, it'll help the organization keep pace in that NAVI world.
A
I have a closing question, Rick.
C
It's a little hot.
A
Take question. Because we keep mentioning RSA, one of the other topics that also came up quite a bit in addition to AI was quantum computing. And for so long, existential threat, existential threat. Oh, maybe not, right? I think Google was kind of bringing in a timeline a little bit sooner than others had thought. So what is your perspective there?
C
Yeah, that was my other fun topic of geeking out and going to quantum sessions. I think there were some really level headed sessions this time on quantum and I think it is a pick which timeline you want to go to. For me today to say it's a Y2K problem again maybe dates me and maybe is lost on a lot of folk. We set about documenting and having an inventory of where we were using dates, how those dates were critical, et cetera, et cetera, and how those systems could be updated or not. I think it's the same at the moment. It's what are we encrypting, how are we encrypting, where are those, how are we doing all of that stuff at the moment? Get clear on what you are protecting with what. There was a session that I attended and it presented the timeline it takes to change a cryptographic algorithm in an organization, and we are still using things that were broken 15 years ago. I didn't see one timeline in any of the sessions that said quantum wasn't going to happen in 15 years. We need to be on top of it and understanding the criticality of where we are today with our data, with our encryption, and starting to think about how we would prioritize the action round about that.
A
I do remember Y2K very well. I wanted to take a trip and I was a little nervous on December 31st. You know, should I be in the air when the clock changes? I don't know what's going to happen. What a wonderful reference. Well Rick, thank you so much for joining us today. This has been a really fun conversation on such a hot topic. I know it is top of mind for all of our listeners. Thank you so much for your insights, and again we will absolutely link to the EY report that has all of those wonderful insights and data points that folks can use as they start navigating the AI transformation path forward. So thank you, and to all of our listeners out there. John,
B
smash that subscribe button and you
A
get a fresh episode every single Tuesday. So until next time, everybody stay secure. Thanks for joining us on the To the Point Cybersecurity Podcast brought to you by Forcepoint. For more information and show notes from today's episode, please visit forcepoint.com/podcast and don't forget to subscribe and leave a review on Apple Podcasts or your favorite listening platform.
To The Point – Cybersecurity (Forcepoint)
Host: Rachael Lyon, co-host Jonathan Knepher
Guest: Rick Hemsley, UK&I Cybersecurity Consulting Leader, EY
Date: April 28, 2026
This episode dissects the complex intersection of artificial intelligence (AI), evolving threats, and cyber resilience. Rachael Lyon and Jonathan Knepher sit down with Rick Hemsley from EY to explore the rapidly changing threat landscape and the mounting challenges organizations face as AI becomes both a tool for defenders and attackers. The conversation weaves together practical frameworks, real-world statistics, governance challenges, and the critical role of trust and human judgment as the AI age accelerates.
| Timestamp | Segment Description |
|-----------|------------------------------------------------------------|
| 02:31 | Rick’s cybersecurity origins and motivation |
| 05:32 | Early awareness of AI risks in cyber threat landscape |
| 07:36 | Introducing NAVI – Nonlinear, Accelerated, Volatile, Interconnected |
| 09:58 | AI’s impact on dwell time and machine-speed attacks |
| 11:36 | Gaps in AI governance and business-driven innovation |
| 13:04 | Shift left limitations—cybersecurity as a partner |
| 14:13 | Surge in AI-driven phishing and the importance of user awareness |
| 16:36 | Supply chain and third-party risks from large AI models |
| 18:08 | Balancing automation and human judgment |
| 20:28 | Treating AI models as insiders and monitoring accordingly |
| 21:54 | Adopting “AI to solve for AI” in defense |
| 22:41 | Recommendations for CISOs to communicate with executives |
| 25:06 | Risks of a “wait and see” approach to AI security |
| 27:36 | Concrete actions for cybersecurity teams |
| 28:31 | Quantum computing as a looming risk |
This episode offers a realistic, deeply insightful roadmap for navigating AI’s risks while building organizational resilience—in Rick’s words, to “help the organization keep pace in that NAVI world.” Good guardrails, human/AI partnership, and proactive governance are essential as we race toward an unpredictable, machine-accelerated future.