This podcast episode focuses on the evolving role of Chief Information Security Officers (CISOs) in the contemporary cybersecurity landscape, particularly the integration of artificial intelligence (AI) into security strategies. We discuss why CISOs must adapt their approach as data complexity grows and AI technologies advance rapidly, creating both new challenges and new opportunities for organizations. The conversation highlights the importance of foundational practices such as identity and access management, data governance, and zero trust frameworks. We also explore the need for CISOs to move beyond traditional IT security, acting as risk managers who enable secure business operations rather than merely enforcing restrictions. Throughout, we underscore the value of a proactive, informed approach to managing cybersecurity risk in an era of relentless technological change.
In this episode of the Security by Default podcast, host Joseph Carson speaks with cybersecurity expert Terence Jackson about the evolving landscape of cybersecurity, the challenges faced by CISOs, and the importance of data security and governance. They discuss the impact of AI on security practices, the role of the CISO as a risk manager, and the need for organizations to prioritize foundational security measures in a rapidly changing technological environment.
In this conversation, Terence Jackson and Joseph discuss the evolving landscape of cybersecurity, emphasizing the importance of asset management, the role of AI in business intelligence, and the need for a balance between security and user experience. They explore the future of CISOs in a world increasingly governed by digital intelligence and the necessity of continuous learning and community engagement in the cybersecurity field.
Key Takeaways
- The cybersecurity landscape is constantly evolving, with new challenges emerging.
- AI is transforming both the attack and defense sides of cybersecurity.
- Data security remains a critical concern for organizations.
- CISOs are increasingly seen as risk managers rather than just security officers.
- Governance and compliance are essential for effective data management.
- Organizations must prioritize identity and access management.
- The role of the CISO has become more strategic and board-level.
- Understanding data exposure risks is crucial for compliance.
- Foundational security practices are necessary for effective defense.
- Continuous learning and adaptation are vital in the fast-paced tech world.
- AI will play a crucial role in enhancing business intelligence.
- Effective asset management is foundational for organizational security.
- Zero trust must be balanced with zero friction for user experience.
- Creating a positive security culture is essential for engagement.
- CISOs will increasingly focus on data governance and business risks.
- The proliferation of AI agents presents new security challenges.
- Security should be integrated seamlessly into user workflows.
- Continuous learning is vital in the rapidly changing cybersecurity landscape.
- Community engagement fosters knowledge sharing and support.
- Focusing on the basics is key to effective cybersecurity.
Chapters
- 00:00 Introduction to Cybersecurity Journeys
- 02:17 Challenges in Cybersecurity Today
- 06:43 The Evolving Role of the CISO
- 11:06 Governance, Compliance, and Data Security
- 14:56 Prioritizing Security in a Fast-Paced World
- 19:39 The Role of AI in Business Intelligence
- 20:02 Importance of Asset Management
- 21:52 Zero Trust and Zero Friction Security
- 23:38 Creating a Positive Security Culture
- 24:27 The Future of CISOs and Digital Intelligence
- 29:32 Continuous Learning and Community Engagement
Additional Resources:
Connect with Terence: https://www.linkedin.com/in/terencejackson/
https://www.terencedjackson.com/
The episode presents a dialogue between two seasoned cybersecurity professionals on the evolving role of Chief Information Security Officers (CISOs) in today’s digital landscape. It opens with an introduction to Terence, a cybersecurity veteran with more than two decades of experience, who recalls his early fascination with technology, beginning with his first computer, a Commodore 64, and his academic path through information systems. From there the conversation turns to the pressing challenges CISOs face today, particularly the rapid advances in artificial intelligence (AI). The discussion covers identity and access management, data security, and the ongoing struggle of organizations to maintain a robust security posture against threats such as ransomware. Terence explains how the current AI transformation has intensified existing security challenges and made a forward-looking security strategy a necessity. The dialogue then turns to integrating AI into cybersecurity, with the speakers treating AI as both a defensive tool and a potential adversarial threat, and exploring how to deploy it responsibly with ethical considerations and governance frameworks in place. The conversation closes with a reflection on the fundamentals of effective cybersecurity, advocating a return to the basics as the way to fortify organizations against emerging threats.
Ultimately, the episode calls on CISOs to embrace continuous learning and adaptation, recognizing that cybersecurity is inextricably linked to societal safety and organizational resilience.
Takeaways:
- The ongoing transformation in AI has exacerbated long-standing issues related to identity and access management.
- CISOs are increasingly being viewed as enterprise risk managers rather than merely IT security officials.
- The evolution of digital agents necessitates robust governance to mitigate associated risks effectively.
- Data security remains a paramount concern, particularly in light of AI’s impact on access to sensitive information.
- A focus on foundational cybersecurity principles is essential for developing effective defense strategies.
- The integration of security within organizational workflows must balance robust protections with user experience to avoid friction.
Transcript
Joseph:It’s awesome to be here with you again for another exciting, fun conversation with amazing and awesome people who really do everything they can to make the world a safer place online. I’ve known this person for many, many years.
I always enjoy meeting him at different conferences around the world, mostly in the US. So that’s where we typically get to meet up. So, Terence, welcome to the podcast, and it’s so awesome to have you on.
If you want to give the audience a little bit of background about yourself, how you got into the industry and what you get up to these days.
Terence:Sure. Thank you, Joe. I appreciate the invite and happy to join you. So, yeah, man, I’ve been in, you know, cybersecurity and IT for 26, 27 years or so.
You’ll appreciate this. My first computer was a Commodore 64, so I’m dating myself right now. But you know, at an early age, man, I just had that inkling.
The tinkerer in me, taking my toys apart, putting them back together, and that just kind of led me into, you know, IT. Fun fact. I was actually an information systems major in the school of business when I was in college.
So I had the option to go into computer science or business. I saw the math on the comp sci side and I was like, this business degree looks like it may suit me a little bit better.
But, you know, I’ve worked in a number of industries, public and private sector. You know, I’ve been a CISO at a couple of, you know, different places. I’ve been a privacy officer for a small stint. Don’t want to go back to doing that.
And, you know, now I’m currently at Microsoft as a customer security officer, essentially sitting on the advisory side of things, you know, partnering with our customers’ CISOs and CTOs to really help them with their strategy, their programs, really helping them, you know, maximize their cybersecurity investments and also helping them skate to where the puck is going and not where it’s at.
Joseph:Absolutely. I mean, we’re doing very similar activities in that regard, because my advisory CISO responsibilities are exactly that.
And I really enjoy it because I get to go and talk to different CISOs and really listen to what their challenges are, what problems, what technologies they look at to solve those, being able to share experiences and insights and learn from that, and also share some of the best practices and, to your point, help them get to where they need to be rather than just firefighting constantly. And I think that’s the challenge: if you’re firefighting, you’re not being as efficient or effective as you really want to be.
So I really want to kind of get your perspective on what some of the top challenges are that CISOs do face. What are the common stories that you hear and the pains that they have? What do you hear from the field?
Terence:Well, as of late, you know, this is an old but new problem. What’s old is new and what’s new is old.
You know, unless you’ve been under a rock, you know, this whole AI transformation that the world is undergoing right now has exposed some old things. And when I say old things, we’re still talking about identity and access management and data security, largely.
AI in this current iteration is still, you know, a web app of sorts.
You know, it’s a fancy web app, but it has landed in organizations that didn’t have strong governance capabilities around, you know, identities and data. It sort of accelerated the need to double down on identity and access management and data security.
So I would say, next to ransomware, data security is top of mind, probably in every conversation I have, from inventorying your data to classifying your data. This is, you know, 25 plus years and we’re still talking about DLP technology and strategies.
And it was one of those things where, especially, large organizations did, you know, about 35, 40% of it. And it was like, eh.
But now with AI and the ability for these tools to reason over large amounts of data in a small amount of time, it hasn’t given access to end users that they didn’t already have. But what it’s done is highlight the access that they have to things that they didn’t know they had access to. And that gets interesting really quick.
So you start thinking about HR data or maybe IP. So, you know, the data security, privacy, all that, and then, you know, kind of double clicking on that, the potential. We’re talking about shadow IT now?
Shadow AI because it’s a term that I’ve been.
Joseph:People are curious recently.
Terence:Shadow AI, you know. Yeah.
Joseph:What data is going in, what are they putting in there, who has access to it, and what algorithms are running against the data and maybe uncovering things that you didn’t want uncovered in the first place?
Terence:Exactly. And we’re still a curious people.
When the news is talking about things like DeepSeek, everybody’s like, let me go download it, let me see what’s going on. That was an interesting week, by the way. But yes, a lot of firewall rules went in place. Like, no, we can’t do that.
But that’s just the current state of the world, man. You know, people are curious and data has not been properly, you know... even things that we shouldn’t hold on to.
We started talking about data retention.
Now people are going, it’s like, why do we have 20 year old, like, you know, financial data that we didn’t need to keep beyond the regulatory requirements? So data, man, it’s all a data problem.
Joseph:It’s interesting because recently I did an interview and a discussion with IT Brew and they were talking about the Chief Data Officer. In some places they’ve got the digital officer.
And really, that person is looking at, you know, one, what are we required to do from a data regulatory perspective? And also, how can we maximize the monetization of the data that we have as well?
And then you look at, you know, even one of the things I’ve seen in the past year, we talk about how attackers are using AI to compromise, you know, the thing I find most amusing is on two specific areas.
One is improving the efficiency of phishing campaigns and social engineering, but also accelerating the understanding of what data they’ve stolen, so they can actually analyze it.
They can analyze it sometimes in minutes now and really understand what the value of that data is, what credentials, what credit card information or financial information or IP is in there. And they can do it really fast. Where it used to take them months to analyze what they stole, now they can do it in seconds.
And that really changes the speed of things for an attacker.
Terence:Absolutely. And wait, too, you know, we’ve been talking about, you know, steal now, decrypt later.
Wait till quantum really becomes an attacker tool. And now they can pair quantum decryption, yeah,
with, you know, these large language models to reason over the data that they’ve, you know, already taken.
So it’s a bold new world that we’re living in when it comes to the velocity and the speed of the attacks, as you mentioned, which makes it that much more important for, you know, CISOs to actually bring AI into their security stack. Because you’re going to have to combat AI with AI. That’s the only feasible path forward.
Joseph:Absolutely. I had a fun episode last year with Mikko and we kind of talked about the battle of algorithms.
It really comes down to who has the best AI algorithm and agents. And also who has the most, let’s say, you know, accurate and clean data, because that’s what makes a difference.
You know, you can run as many algorithms as you want, but if the quality of your data is poor, you’ll have hallucinations.
Terence:Yep, yep.
Joseph:And that’s the worst thing you can have: one, you know, the algorithm is telling you fake, dense information itself, and trying to make you believe it. Absolutely. The accuracy and the computational power, those two.
And I’ve seen the acceleration of, you know, let’s say, AI being used, more accelerated on the defense side of things and in security technology, which is great, but yeah, it’s only a matter of time before the attackers have to switch to it and use it for their advantage as well, and then we’ll have the battle of algorithms. It’s going to be, you know, sit back and watch the algorithms fight and see who can win and come to the answer the fastest.
Terence:Yeah, that’s definitely going to be, you know, as we move into this agentic, you know, development of AI, and you know, thinking about a security analyst having a fleet of agents that are acting on his or her behalf against the attacker’s agents that are acting. And you’re right, that’s going to come down to the quality of the data, kind of who wins that.
And this is where being able to reason over data that’s pertinent to your organization, but making sure you have good intel feeds. But that’s also a new attack vector too, poisoning models. So it’s a lot.
Joseph:Absolutely. That’s one of the things I’ve seen, the data poisoning side.
If they can get into the machine learning and training of the large language models, that’s also a massive impact, because then you could make, you know, incorrect decisions based on the learning and corruption of that. One of the things I wanted to ask you is about how the CISO role has evolved.
We’ve seen CISOs reporting into various different parts of the organization, responsible for various different things. I always like the kind of area where, you know, CISOs are no longer responsible just for IT problems today.
It’s almost like, you know, they’re becoming responsible for societal challenges and society itself. Yes. How have you seen the role evolve over the years and where do you see it going?
Terence:Yeah, I definitely see it’s emerged, I would say, from the shadows.
You know, generally, CISOs were often seen as the IT, you know, the security guys, but also, you know, don’t go talk to them because they’re going to tell you no for everything you ask. Right.
So I think in the current threat landscape, CISOs have really been elevated to the risk manager for the business, which is what the role really is. You know, the CISO can’t determine, you know, to accept or transfer risk personally, but is acting on behalf of the business.
So it’s a boardroom level role now for most, especially Fortune 500 roles. But there’s still a lot of work to do. Not everybody’s there, but I think the conversations are being had.
And now the need, especially with the velocity of attacks, you know, ransomware attacks are still increasing year over year. With AI, I think the CISO kind of got left behind a little bit, because the IT side of the house was like, we need to develop, we need to deploy AI, AI this, AI that. And the CISO was asking the right questions like, hey, what data are we going to allow to go in? What models are we going to use?
Do we have an AI standard to govern the use, the policies? And you know, kind of, the rest of the business is like, I don’t know, isn’t that your job? So it’s been interesting.
Joseph:It’s like we threw security by design out the window for AI, and we did.
And let’s figure it out later, let’s accelerate as quick as we possibly can, and we’ll do the same as what we did with all the other problems that we had in the past: we’ll add security at the end. And it’s one of those things. We have to understand the risks. To your point, that is the role. But I think the important part is the CISO now is not there
to say no; it’s to say, how do we do this without putting the organization at risk?
Terence:Absolutely. And you know, I used to always say the office of the CISO is not the, you know, “no” department. No, but the “know” department.
K-N-O-W. Most CISOs actually want to be helpful. They want to enable you to do your job, but they want to make sure you’re doing it securely to reduce risk across the enterprise.
And sometimes that gets lost in translation because, you know, for example, developers just want to develop and push code as fast as they possibly can. And sometimes we haven’t done ourselves any favors, because sometimes we do introduce some friction.
But I think, as a whole, we’ve gotten better at integrating, you mentioned secure by design, integrating security into the pipelines, into the deployments and catching things early on, so a lot of rework isn’t done.
And same thing with AI, you just have to catch it early and put the controls in place to protect, you know, the business, and, you know, depending on the data.
If you’re thinking about health data or, because it’s a one way street, you know, once data goes into, especially if it’s a hosted LLM, it’s gone.
Joseph:It’s out there, it’s literally out of your control. And that’s one of the things: are you still in control of that data or not?
And that’s the concern, you know, in the AI model itself: is it being anonymized before it actually gets put through the algorithm? So you touched on a point that I was going to ask you about as well.
You know, how do governance and compliance and regulations really help in prioritizing CISOs’ responsibilities?
Are they kind of forcing them to do certain things, or is it, you know, also just part of the responsibility in regards to other things as well?
Terence:Blanket answer? I would say yes. As you know, Europe usually leads in these types of things.
So you think about, you know, the AI Act and really putting guardrails in place for the usage of AI. So for large multinational companies that have people in disparate locations, i.e., you know, the EU, yes, absolutely.
In the US we’re still trying to figure that out. You know, it’s ebbing and flowing, but we’re trying to figure that out.
But again, getting a handle on the data is still, you know, the first thing. You mentioned the Chief Data Officer, and really leaning in and partnering with them to get an understanding of what type of data the organization has and really putting guardrails on what data
these LLMs, these chatbots can actually access and use is like ground zero, because you don’t want to overexpose data that you can’t get back.
And then that gets expensive when you start thinking about some of these fines for exposing personal data. And you know, think about GDPR, you know, the right to, you know, remove this. How does that work with an LLM? You know, how does that work once it’s gone?
Joseph:So that’s what goes back to anonymizing it before it goes in.
Terence:Right.
Joseph:That was the key, same as blockchain. Because if you put personal data on a blockchain, you can’t get it out; it becomes permanent. For me, absolutely.
One of the things I kind of learned when I was talking to a lot of CISOs as well is that they’re trying to prioritize things, and I think you’ve kind of touched on a lot of it. The top of their list is data security posture management. They want to know the data risk that they’ve got.
And then the second one is the access, which kind of falls into whether it’s human identities, non-human identities, resources, you know, and then you go down to the next level, which is the infrastructure security management side of things: where is this all hosted? Is it still traditional on premises?
You know, all my edge devices and my employees and contractors across the world, and then moving down a layer, you know, application security as well: what apps have I deployed? I think that’s where I’m seeing the different prioritizations that CISOs are looking at.
Is that along the lines of what you’ve seen from the conversations that you’ve had as well?
Terence:Absolutely.
You know, when Apple rolled out Apple Intelligence, that was a CISO, you know, board conversation for some organizations, because the leadership wanted to get an understanding of what on device meant and what access these on device, you know, models sort of had.
And you know, I had conversations with CISOs that sort of blocked that update until they got comfortable with the technology, and you know, there were some hard pivots back to company owned devices. You know, we’ve largely been living in a, you know, post-Covid BYOD type of world.
You know, these chat apps and these LLMs have sort of brought that conversation full circle, because for every employee, basically your edge device is your phone or your tablet. And, you know, what level of management can you put on a personal device when it comes to AI? That’s.
Joseph:That’s the other thing as well. So I’ve always talked about this evolution.
We started with, you know, bring your own device, you know, 10 plus years ago, and then it moved into, you know, bring your own office, because everyone’s working from home. Now it’s their printers, it’s their networks and, you know, whatever Wi-Fi access they’ve configured from home. It’s that bring your own office, and then we’ll move into that,
you know, bring your own identity, where people will just, you know, whatever identity they have tied to them, they’ll actually be bringing that as well.
And the next thing will be bring your own agent, your AI agent, which has already been trained on my personality, and it’s going to continue that way.
And that means that organizations are all in the business of not, let’s say, provisioning, but, let’s say, connecting those users and what they’re bringing to their organization. So it all becomes access controls and access policies and insights. But it’s going to be an interesting viewpoint.
You know, the moment you’ve gone so far, I’ve seen organizations pull back a little bit, saying, I can only control those devices to a certain point and I need to have a little bit more control. It’s almost like, you know, you’ve got that hybrid model.
For certain employees, you might say that’s fine, but your access is limited to these policies.
But for others who might have sensitive access, you might go a bit further and actually say you have to use this, or even that third party contractors must use certain devices as well.
Terence:Absolutely. It’s a bold new world, man. It’s just, you know, the pace of innovation is so fast right now.
You know, what was true yesterday, you know, might not be true today. And it’s just, it’s great to be alive at this time to see the transformation. But also it’s like, man, how do I keep up?
Joseph:I mean, we were talking, you know, about the years, you know, you were talking about your first computer as a Commodore 64. When we think about the pace of acceleration then versus, you know, the pace we have now of technology evolving.
You can go to bed one day and wake up the next and everything’s changed. That’s the pace that we’re living in.
And it’s exciting because, you know, for me, I’m a person that’s always kind of focused on, you know, my education and continuous learning. And for me, I’m always asking, what do I have to learn?
Tomorrow I may have set some type of agenda prioritization, but the next day I might have to change because something else has happened overnight. So how do CISOs deal with this?
You know, what’s the best way for them to prioritize and to plan for the future when we’re in such a fast paced industry today?
Terence:Oh, that’s a great question, man. And this is where one of those old is new. And fundamentals, man, we as an industry sometimes don’t do the fundamentals well.
You know, we get into the basics. You know, the identity and access management, the network segmentation, the data security.
And you know, that’s under the umbrella of zero trust.
You know, I always advise, let’s go back to the basics, because we can’t really master advanced concepts if we haven’t done, you know, the foundational things. You know, a doctor can’t do surgery if he hasn’t been to medical school. I mean, at least he won’t be successful at it.
Joseph:He can make a lot of mistakes along the way.
Terence:But if we’re working from a known good foundation, that makes blocking and tackling, i.e., you know, defense, a little bit better.
When you have at least, you know, an 85, 90% confidence level of inventory across your network, and that’s devices, data, entities, et cetera, versus if you don’t know what’s on your network, how can you put forth strategies to defend it? And that’s where we are. That’s where I will help.
Joseph:Absolutely. Digital intelligence, or, you know, it’s just business intelligence. What is that? What do you have to manage?
And you know, then you’ve got that: what do I have control of? What do I not have control of? Absolutely. The foundation is back to asset management. That’s really good.
It’s like having really good inventory of how the business operates, and then what things you can control directly and what things you cannot control. And I think that’s so vital. I think over the years I’ve done many areas where, you know, asset inventory.
I remember one time, it was a massive organization, and they came and said, we need, you know, licenses for 120,000 machines. Like, are you sure? And they’re like, look at our spreadsheet. You know, it’s got 120,000 line items. And I’m like, are you really sure?
Let’s go and do a real time active, like, you know, just scan the network. You know, it’s basically just finding out what IPs are out there, what’s connected, what’s coming back.
And they were, I don’t know, 120,000. That’s it. And we’re going, no, let’s make sure that your spreadsheet is accurate and up to date.
So we went and did the scan: 140,000 machines. And we’re like, okay, there’s, you know, and when you think about that, that’s a 20,000 machine discrepancy. 20,000, yes.
And we’re thinking, okay, that was a large organization; they had a large number of devices that they didn’t even know about.
And it fundamentally came down to, one, that was just finding those systems that were around, and then getting into inventorying them: you know, out of date licenses, out of date software. You know, they hadn’t had a virus scan, sometimes in years.
And what had happened was, after doing an investigation, as people were getting new devices, the old device was not being properly, the unprovisioning didn’t exist.
It meant that all of a sudden, you know, the employee moved that machine a little bit to the left and the new shiny one went in, but that one still existed, so that they could access old applications that were not supported in the new version.
Old data that only worked in certain file formats and versions, or it just worked outside the security mechanisms, so they could actually browse certain sites that, you know, could be accessed from the new machine. So it was really that kind of fundamental. That unprovisioning just didn’t exist. And I went through the energy cost.
Just the power saving actually funded the entire program. Just the power saving of those machines funded the entire unprovisioning program. And actually the licenses that they were to pay the company.
And it was getting into those fundamentals. Asset inventory is so vital. I think sometimes it’s an oversight many times. But you’re absolutely right.
Getting the fundamental basics, and you touched also on zero trust. I will say that when you go down that path of zero trust, I always say that organizations also have to make sure they invest equally in zero friction. It’s getting that balance right, because zero trust is a very security heavy focus.
But you also have to make sure that you have that balance of zero friction, because at the end of the day you want people to enjoy security. It should be a metric that we should all be measured on: how do we get people to enjoy what we do?
Because in many cases, it used to be in the past, as you mentioned, we were the, you know, people that said no. And then they’re always like, don’t ask them because they’ll always say no. And that’s where we got shadow IT.
And you know, today we now have shadow AI, but absolutely we have to be the ones that they want to come to and ask for advice and, as you mentioned, the people of knowledge when it comes to digital kind of services.
Terence:Absolutely. You know, I believe we can absolutely make security fun.
You know, when, when you and I actually work together, you know, this, I was security awareness program, you know, was gamified. You know, people actually look forward, you know, to those episodes coming.
Joseph: But I actually really enjoyed those rather than this very like, you know, like false acting people. It’s like, you know.
Terence: Right, right, right.
Joseph: More enjoyed the cartoon. I enjoyed watching cartoons that brought reality and you know, and the fictional characters. That was fun.
Versus some of the styles that you get which is like, you know, the really bad acting.
Terence: Yep, yep.
Joseph: Bad acting of corporate, corporate security awareness. So there’s, there’s light and day.
Terence: But I think, you know, some of the, you know, we talk about frictionless security. I think some of the best security from an end user experience is security they don’t even know it’s there.
Joseph: Absolutely.
Terence: You know, they just interact with it in their normal flow, but it doesn’t stop them. It just complements what they’re doing. You know, those gentle nudges like hey, you’re sharing this externally. You sure?
Because this is labeled like internal confidential. You know, it’s not obtrusive. It’s just like trust but verify. It’s like, you sure you want to send this?
And things like that versus you know, constant interruptions or making people jump through three or four hoops and all that does that doesn’t make an organization more secure.
It just teaches the employees how to bring in shadow IT to get around the guardrails that you put, you know, those random devices that pop up on your networks. Like what’s that? I don’t know what that is.
You know, they brought in their home computer now because you made it too hard for them to use their company.
Joseph: Issue one and their mobile hotspot connected to the network and it’s filtering everything out, bypassing your firewalls, you know, introducing a public-facing RDP access into them. It’s the last thing you want people to do is find the technology solutions themselves. Because that typically also introduces.
We talked about secure by design. I always talk about even secure by default. And unfortunately a lot of times the default is not the secure way.
And most people, you know, they choose the defaults. And that’s what we have to get. We have to make sure the default is, is the best way.
Terence: Oh yeah, all you’ve got to do is look at some of these botnets, man. You know, these home edge devices, default passwords.
Joseph: So yeah, 1234 in many cases, or 0000. You know, it’s from an attacker’s perspective, it’s a couple of guesses and they’re in. And that’s what we have to move away from.
You think, what do you see this role going for CISOs? What do you kind of, what’s your insights for the future of the role itself? And, and how do you think it’s going to evolve?
Terence: I think it’s going to get more ingrained on the risk side of businesses because it’s already there now.
But as you know, if we look at the amount of data that organizations are producing, humans are producing, that agents and AI is reasoning over, it’s going to get more into the data governance, the business risks. You said digital intelligence. I like that, Chief Digital Intelligence Officer.
But everything has connectivity now and every business is going to, you know, have some sort of AI systems, agents. I think one of the things that would keep me up at night if I were a sitting CISO as we move into agents is how is that really going to be secured?
Because now you, you have a digital asset that can take actions with certain authorizations just like a human can.
So how are you going to govern that and the proliferation of that across an enterprise and then on the attacker, you know, side of that, you know, they just, you know, ransomware as a service. Now these, these affiliates are just going to sell agents, like, take my fleet of agents, go do bad things.
So the defense capabilities are going to have to almost. We’re going to have to be predictive, I would say, in where we think attacks are going to go based off the specific organization’s assets.
And that’s where, you know, we start looking at things like exposure management and graph APIs and looking at the entity relationships of assets within the organizations to find choke points or potential, you know, catastrophic failure potentials based off of the exploit of a single, you know, entity or asset.
So I think the biggest, the bot agent perspective is going to be interesting on how we put security guardrails around those similar to what we have in place for humans, but as they become more autonomous, that that gets interesting. You know, in my mind, it’s like will the, will the bots try to get around guardrails to do things?
You know, and that comes back to poisoning, you know, if you poison a model that has an agent deployed.
Joseph: So that brings us full circle to the whole Skynet discussion. That’s where that goes.
But the, if the agents decide to go, okay, to take things into our own hands because these humans are stopping us from doing our job.
Terence: Right. Right.
Joseph: You know, it becomes a shadow agent that can have a whole new world result. I completely, I mean for me, I completely agree.
I think I remember doing research many, many years ago where I was looking at the, the difference between human accounts and the non human or machine accounts they refer to as Gartner. At that time, I think it was maybe about almost 10 years ago, it was like five to one.
That’s literally, you know, for every human that you had an account in the Active Directory or your directory services, there was maybe five non human accounts. I’m looking at the Gartner research from last year. They had it up to 40. So now it’s for every one human it’s up to 40.
And that’s just going to accelerate as we have different agents for different things.
And to your point, my concern is that right now, at the moment, a lot of those agents are, let’s say, you know, they’re assistant agents, they help humans make decisions, but the moment they actually turn it off and say, okay, fully autonomous, which then becomes kinetic-based agents is that, you know, will they stick to the algorithm that you’ve set or will they, will they create their own.
Terence: Right, right. It was like, I think I know better. So let me try this. And so that’s, that’s going to be interesting.
I mean, I’m as excited about that as I am like, oh, I, I’ve.
Joseph: Been, you know, at the beginning of this whole kind of, you know, you know, innovation I’ve seen, I was like, because I’ve been watching this for, for quite a few years now and I’ve been, you know, I was pessimistic at the beginning, but I’m hopeful, I’m hopeful that humankind will do the right thing.
Terence: That right.
Joseph: We will have, you know, maybe the emergency. You know, I remember what the CIO of the Estonian government said.
We need that power off button more than ever that we actually, you know, need today. The moment we start having the no power off button, that’s when we have to start getting worried.
Terence: Absolutely, yes. We all need one of those. I need one of those in my basement right now.
Joseph: So, Terence, what, how do you stay up to date? Where are the resources you go to? How do you stay involved, you know, informed? How do you stay educated? Do you have any mentors in the industry?
What’s the things that you go to, to keep learning?
Terence: Oh man, that I, I, that’s a great question. There are a number of podcasts, obviously.
Joseph: This one up there in the must.
Terence: Listen, but, you know, the Cyber Wire is, you know, popular. You know, Dave Bittner’s.
Joseph: Dave Bittner’s awesome.
Terence: Yes, Dave is great.
Joseph: He’s amazing.
Terence: Also the CISO series podcast. You know, I’ve been a long-time listener, you know, David Spark.
Joseph: David Spark is one of.
I always, always enjoy listening to, you know, David Spark and his, his view and way of, you know, he’s a very good entertainer and way of simplifying and explaining things. So awesome, awesome person.
Terence: Yep. You know, the typical, you know, Bleeping Computer, you know, Dark Reading. But, you know, I try to network with my peers, you know, as well.
And, you know, you mentioned, you know, mentors, you know, you know, I have a couple that really have, have impacted my career. You know, Devin Bryan being one, you know, he’s been a couple of different, you know, places in his career, but phenomenal leader.
Also Sean Coughlin, that actually sits on PayPal right now. But, you know, both of those gentlemen kind of took me under their wings, you know, early on and just, just helped me out.
And of course, you know, Joe, you know, I’ll be remiss.
Joseph: It’s bidirectional. I mean, I learned so much from you and vice versa as well.
You know, we always share, you know, ideas and knowledge, and I think that’s what’s important is to have.
That’s what I think is great about this industry is the community side of things, is that when we have, you know, ideas or challenges or struggles, you know, that we have people who we can reach out to and we have confidence to really help us kind of find that, you know, the path forward. And you also have, I mean, you share a lot of knowledge as well through your newsletter.
How can people connect with you or subscribe to the newsletter so they can stay up to date and what you share.
Terence: Sure. Thanks for that. So you can, you know, I have a couple different entryways into that.
You can go to the cyberdeacon.com to sign up for that or Terrence D. Jackson.com either or so kind of different audiences, both, you know, for, for those two outlets.
But, you know, you know, man, I just try to share good news each and every day and share something that people can learn from because we’re all, you know, perpetual learners in this industry. If you start learning, you’re done.
Joseph: Yeah, I mean, it used to be.
It used to be if you didn’t learn something in five years, you’d be already kind of, you know, because that was that cycle, you know, the of, you know, the RFP cycle was maybe three to five years. New software, new hardware, replaced. No, it’s like, you know, it’s containers.
Just like the moment a new container is, you know, things change very, very rapidly. Absolutely. What’s the best way if people do have questions and they want to reach out to, what’s the best way to.
Terence: Connect with you on LinkedIn? I think we can put my LinkedIn, you know, URL in the chat. But yeah, just find me, follow me on LinkedIn.
I do respond; sometimes it gets overwhelming, but I do eventually make it back around to everybody that reaches out.
Joseph: Likewise as well. That’s.
I have this, you know, lots of requests come in and people asking and absolutely, you know, we do our best to go through all the messages and try to respond accordingly. We’ll make sure that we put the links in the show notes as well so people can find them easily. Terence. This has been awesome. I’ve been really kind of.
It’s a privilege to know you and to be able to, to learn from you and to, to see your career growing and it’s always fantastic what you’re doing in the security industry in the communities. Many thanks for the awesome work that you do and making the world a safer place and for the audience. Tune in every two weeks for the podcast.
You’ll, you know, definitely be educated.
You’ll get latest news, trends and some ideas to really help you take your journey and career to the next level and also to help your organization stay safe and reduce the risk as well as also, you know, bringing valuable lessons to your family as well.
Because at the end, security isn’t just an IT and business problem, it’s a society problem that we all have to do and to make sure that, you know, our social sphere is protected as well and staying safe. So, Terence, awesome. Any, any last words of wisdom that you want to share with the audience before we close up?
Terence: The same that I share pretty much everywhere. Focus on the basics.
Joseph: Basics matter. Have good fundamentals in place, a good foundation to kind of get started. Yes, it’s been awesome. Stay safe everyone. Take care. Until the next time.
Thank you and goodbye.
