
Simplifying Cyber
This show features an interactive discussion, expert hosts, and guests focused on solving cyber security and privacy challenges in innovative and creative ways. Our goal is for our audience to learn and discover real, tangible, usable ideas that don't require a huge budget to accomplish. Shows like “How It’s Made” have become popular because they explain complicated or largely unknown things in easy terms. This show brings the human element to cyber security and privacy.
Who’s That CISO? Allan Alford vs. Himself on Simplifying Cyber
How does a CISO react to a live deepfake? In this eye-opening conversation with Alan Alford, CISO at NTT Global Data Centers, we kick off with a live deepfake demonstration that showcases the capabilities and limitations of this emerging technology.
The demonstration serves as a springboard into a crucial discussion about the genuine threat deepfakes pose to organizations. While video deepfakes capture headlines, Alan reveals why audio deepfakes currently present the more dangerous and immediate risk vector for businesses. From CEO impersonation for fraudulent wire transfers to political misinformation campaigns, these technologies are already being weaponized in ways many security teams haven't prepared for.
Our conversation takes an unexpected turn as Alan challenges one of cybersecurity's most persistent myths: that humans represent the "weakest link" in security. Instead, he champions the workforce as our strongest allies, sharing how simple recognition programs created security champions throughout his organization. His approach connects workplace security to employees' personal lives, dramatically increasing engagement and effectiveness.
Alan offers a masterclass in balancing innovation with security, explaining how his organization approaches AI adoption through mandatory training programs and a top-down commitment from leadership. His race car analogy perfectly captures this balance: good security controls are like high-performance brakes that don't just slow you down—they enable you to take corners faster.
For security leaders feeling overwhelmed by AI, Alan provides practical starting points that any organization can implement today. From experimenting with AI for personal hobbies to creating automated security reports through carefully crafted prompts, these small steps can build confidence and competence before tackling larger initiatives.
Whether you're concerned about deepfake threats, searching for more effective security awareness approaches, or looking to safely implement AI in your organization, this conversation delivers actionable insights from a CISO who's successfully navigating these challenges daily. Listen now to transform how you think about humans, technology, and security in our rapidly evolving digital landscape.
🔗 Connect with Us & Get in Touch
Tune in to Simplifying Cyber wherever you get your podcasts, or watch exclusive video content right here on the channel. Subscribe for hot takes on emerging technologies, tips and tricks for everyone looking to stay secure, and in-depth conversations about complex cybersecurity topics.
No gatekeeping and no BS. We’re here to simplify.
Official Website: www.revealrisk.com
LinkedIn: https://www.linkedin.com/company/reveal-risk
🤘 Stay Secure with Us
If this content helped you understand cybersecurity better, please give it a thumbs up, subscribe to our channel for more expert insights, and hit the notification bell so you don't miss our latest updates.
Reveal Risk delivers cybersecurity results, not just reports.
Oh yeah, welcome to the special edition of the Cyber Ranch. Via Simplifying Cyber. I am Alan Alford. Or am I?
SPEAKER_02:You are not, sir.
SPEAKER_00:Oh boy. What? So uh Alan, this is an interesting way to have a podcast. Have you ever talked to yourself on your own podcast about it?
SPEAKER_02:I have not. I have talked to myself in the bathroom mirrors about it.
SPEAKER_00:Hey, that's something. So you know, Stuart Smalley style. Kind of breaking it down. We've done a lot of very challenging deep fakes. And uh I would say your look, your style, especially the hat, is a bit challenging. We can already see, for those of us of you that are watching on YouTube, we can see some distortion happening here in the uh foreheadle region. And then what we've learned through our experience is bangs and crazy hair and full hair that's maybe covering a good portion of the top of the head is kind of a deterrent to deep fake. So what we what we learned on this one, and you can see my voice is a little bit lagging, there's a little bit of a delay when you think about deepfake. Sometimes if you're doing the audio along with it, it kind of more matches up. That can be timed. But we have very different heads and hairlines. And just to kind of show, when I when I pull my the hat off, the eyes get a little less uh quirky. And uh, you know, so Cody, if you're if you're wearing a hat most times, or if you're George Camide on bare knuckles and brass tacks, it's probably gonna be tough to pull off the deepfake, but just to show a little bit more, Alan, you wear your hat a little bit lower. And as you can see here, that's not a good look for deepfakes.
SPEAKER_03:No, but it is a good look for you.
SPEAKER_00:So we're gonna we're gonna let you uh continue to rock your look. I'll go ahead and uh switch my cameras here and we'll go go ahead with our show and get down to some uh details on we want to cover AI, we want to cover deepfake, kind of the protective side of you know threats in AI, as well as like how do you enable businesses with AI? Lots of good thoughts. But Alan, while I'm flipping over, why don't you go ahead and give the listeners a little bit of an overview that haven't met you yet of kind of where where you've come up through cyber and what you're doing now?
SPEAKER_02:Yeah. So uh Alan Alford here, uh been a CISO more times than is healthy, um, been in the industry far longer than is healthy. Um, but here I am anyway, continuing to do it because it's my passion and my love. Um I'm currently CISO at NTT Global Data Centers, which is the third largest data center company on planet Earth, uh, owned by NTT Data. It's a subsidiary of NTT Data. And we are uh facilitating the AI revolution, both from providing the data center space, but also as a company, NTT Data is doing some amazing stuff with AI as well. Uh so I'm really keen on AI and the intersection of AI and cybersecurity is kind of kind of my passion these days.
SPEAKER_01:That's awesome, man. Great to hear. So kind of talk about you know the broader scale. I saw we know we kicked it off here and out of the gate, we saw Aaron with the deep fake. But I mean, now that we saw this on this podcast, what are some broader ways that deepfakes can be used? I mean, uh, what do you what are you seeing out there?
SPEAKER_02:So I I've seen some crazy stuff. So so the video, obviously, as we saw, you know, he's a little, I deliberately blurred my camera a little to match a little better, and I had to do that. My image was a lot sharper than than the deepfake was. Um, but that's not to say there aren't deep fakes that aren't sharper. There's a lot of different deepfake technologies out there. Uh the audio deepfaking, I think, is far more compelling right now than the video when it comes to cyber attacks. We are seeing um both individual people and companies targeted. Uh, you know, the old the old types of fraud that we used to have with, you know, the fake uh SMS from the CEO or the fake uh voicemail or the fake, you know, or the fake uh email or whatever is now being supplanted by fake voicemail, which sounds just like him, or fake uh actual video interaction or audio phone call, live call. Like there are all kinds of ways that um you can you can mimic both audio and video and as a result infiltrate an organization. Um, you know, there's stories of, you know, hey grandma, I'm trapped in Mexico and need you to wire me $2,000.
SPEAKER_03:Yeah.
SPEAKER_02:Uh on up to uh this is the CEO. I need you to change the account for this million dollar account and transfer the funds to this other bank today instead because they, you know, whatever the story might be. There's a lot of fraud, there's a lot of fakery, there's a lot of people falling for what seems to be and appears to be the real deal, and it's in fact not both audio and video. More and more of this is coming out politically and socially. We're seeing faked videos, um, you know, of the sort that get, you know, Facebook becomes this hotbed of false information on all sides, right? Like every left, right, middle, up, down, whatever, end up spamming this stuff that some of which is not fact-checked or validated in any way. Well, now they're doing it with videos too. And it's like, oh, but look, I saw the video. I know for a fact the president said blah, blah, blah. No, that wasn't him.
SPEAKER_01:It's right here, it's right here.
SPEAKER_02:Like, hold on. That was not him. That was not him at all. So, so these kinds of things are happening as well. There's just a lot of cultural, societal, financial, personal impact, and and there's a cybersecurity bent to protecting from all of those things.
SPEAKER_01:Yeah. Well, and we do a lot of awareness type two things. And I think even just the fact that to your point it can be done is even still unknown. Because you know, there are times I'll be in the car or bad Wi-Fi at the hotel, and there's face glitching and stuff. So, but I think even knowing that this exists is a big thing, because to your point, I could probably get past, even if Aaron's not as sharp or as clear as you, unless I know this is the thing that could that could that could happen, right? I still would probably fall off, like that's a little glitchy, but you know, things happen in signal and video and so forth.
SPEAKER_00:Well, and humorous update, just because we were we try to record a live show and not do any post-production. Uh, apparently in Riverside, which is the uh platform that we use, we get a little message that you can turn off the camera while you're recording, but you can't switch. So you guys are stuck with deepfake Alan for the remainder of this episode.
SPEAKER_01:This is a very special episode.
SPEAKER_02:All right. It's disturbing. Every time I look at that square on my screen, I'm like, oh, that's weird. That's so weird. It looks like me.
SPEAKER_00:This is great, man. This is great. So welcome to the show, Jackson. Deepfake extraordinaire. We're gonna actually just turn off the oh, let's see what happens. It's stuck on. Alan cannot be fake Alan cannot be destroyed.
SPEAKER_02:Oh, man. Curse you, fake Alan. Curse you. That's fine. That's for that.
SPEAKER_00:As a as a hack, we're gonna turn on my deep fake model to deep fake myself and see if I can become myself with my own model. This is getting like inception level details. Oh, yeah.
SPEAKER_02:Oh, this is Aaron faking Aaron.
SPEAKER_00:Oh, wow.
SPEAKER_02:But look at the difference though, Aaron and Alan. Like we gotta go. It's so crazy. That's wild. That really did look like me. I mean, I could see somebody, especially with the cowboy hat on, like just putting out some video, and everyone's like, but I saw it, Alan said it.
SPEAKER_00:Well, in real time, you know, a lot of these deep fake threat actors that you know, this started in a lot of the romance scams and getting people to jump on WhatsApp video or try to, you know, convince somebody that they're having a relationship and then live interactions, and then the money is coming. So it's unfortunately, it's kind of as you were alluding to, Alan, it's it's transitioned to all sorts of social engineering, include including financial crime with corporations and information loss and things like that. So I'm actually personally, uh, I think the video deepfake is compelling, and there are examples of it being used in a number of attacks. But to be honest, like I'm more nervous about audio deepfake because you pick up a phone and you sound like the CEO and it's verbatim, and you you even uh you know put a local area code as you're trying to get a number to look you know legitimate to somebody's calling from an office phone. It just gets really tough for employees.
SPEAKER_02:But but I want to go back to what you just said. You're telling me my aunt is not, in fact, dating Brad Pitt.
SPEAKER_00:Hey, you know what? I I don't want to cast any shade on your aunt. I'm not saying there's not a chance, but you know, let it let her have let her live her life. No, don't man. Awesome. Well, let's kind of transition to Alan. You've you've had a you know illustrious career, as you mentioned. You've uh been on the CISO side a couple times, you've done hang hung your own own shingle from a consulting standpoint, and now you're back in a bigger and better CISO role. So I'm curious, like, as you've made that journey kind of on all sides of the table, um, what has been your perception of the importance of the human element or the the workforce in cybersecurity and kind of balancing that tech with the people in process?
SPEAKER_02:Yeah. So at a at a high level, right off the bat, I'll say this, and you you alluded to it, but I've been a vendor as well, right? Um, and I think it's super important for folks to recognize that the vendor CISO relationship is a human relationship, right? Like one of the biggest problems we have in this cybersecurity industry, and David Spark's got a whole podcast just about this, but yeah, you know, the the the whole the whole idea that the there's hostility between the CISOs and the vendors, and and the reality is without one another, neither one of us can thrive, right? Like, like if I don't have the tools to deploy, I'm I'm I'm incapable. And if they don't have a CISO to sell to, they're incapable. And um, you know, it's it's it's a human relationship, right? Cybersecurity is ultimately about humans. It's about protecting humans, it's about furthering human goals and agendas and interests uh and protecting us from the bad humans. I mean, at the end of the day, we talk about technology all the time, but it's really human, 360 degrees around. It really is. The ecosystem, the vendors, the industry, the players, the team who has to stay up late and and work the incident. I mean, this is all a very, very, very human experience. And it's vital that we keep that in mind and remember that as we run around talking about all the technologies we talk about all the time.
SPEAKER_01:Yeah, yeah. Totally agree. So, I mean, totally you said humans, humans, humans. I mean, I think that's spot on. Why do you think from what we've seen right now? We talked a lot of CISOs and there's challenges. Some of some is exec buy-in, but what do you think the challenges of like the you know, the underinvesting and workforce-facing efforts?
SPEAKER_02:So it's it's a thing, it's a real thing. We we treat October, you know, coming up, right? Cybersecurity Awareness Month every year. We we treat it like uh, you know, I've seen companies that do nothing more than slap up a few posters in the break room, right? Yeah. Um the human component in cybersecurity training and awareness, you know, it's it's called awareness for a reason. Machines, you know, and uh until such a time as Skynet occurs, even AI is not self-aware. Awareness is a human trait. We call it security awareness, and awareness is 100% a human trait. 100%. So we have to do more, we have to think more, we have to be more. We have to educate the humans on all the cybersecurity things uh in a way that's engaging, informative, that hits them where they live and treats them like human beings. One of the most successful things I've ever seen, and in fact, we we do this at NTT, is very often cybersecurity awareness training ties into not just you in the workplace protecting the company, but also, oh, by the way, at home, this is exactly the kind of thing you're gonna run into too. This problem we're talking about at work also exists in this format in your personal life. Be on the lookout for it, look out for it. You know, when holidays come around, the holiday gift card scams and these kinds of things, you know, it's important to alert employees and and rope them in and and and show them where these things matter in their daily human lives outside of the workplace. If you can't engage them at that level, you're you're gonna lose their interest at some point. And and at the end of the day, the workforce is absolutely our strongest set of allies. I I loathe when CISOs say that the human beings in the workforce are the weakest link.
SPEAKER_00:Yeah, that's not true that they're not. Or they don't matter, you'll never fix their behaviors. So, like, let's just try to automate our way out of it. Like, I will be person number one signing up for that bus if it is legitimate and it's leaving the station, but we've yet to see it yet. Like the technology is outpacing, you know, the the threat technology is outpacing the the detection technology. So until we get to that world, I don't know if we ever will. We need to be also be investing in the human and processes and all bringing it all together.
SPEAKER_02:Yeah, we need our allies. We need our allies, and guess what? There's a whole office building filled with them wherever you work. Um those are allies. Those those are your allies in cybersecurity. If you can rope them in, get them engaged, get them interested, educate them enough on what the threats are, and give them some really basic stuff to deal with those threats. Sometimes security awareness is nothing more than contact us at this number, at this email. You know, anytime anything's weird, just reach out, right? Yeah, if you can just get that message across and have a central receiving email, phone, help desk, hotline, whatever it might be, that alone is miles beyond not doing anything. And and from there, once you get the workforce used to that, you can start to educate them more on even self-awareness and self-solutioning and you know, things like the anti-phishing training, click the report button in your email and these kinds of things, right? But but just start with if you have nothing to start, just start with here's a central contact information, here's what phishy looks like. If you see phishy, reach out to that central contact information. I mean, just that. If you can just get that across the fence and do it in a way that's engaging and fun, the boring annual blah, blah, blah, blah, blah, blah, blah training that people try to fast forward through isn't the way.
SPEAKER_03:Yeah.
SPEAKER_02:Micro learnings, you know, quick, fast, easy stuff, fun, engaging stuff, goofy jokes, cartoons. I've seen so many vendors do different uh takes and approaches that are all doing one thing, and that is appealing to the human.
SPEAKER_01:Yeah. Well, question too, thinking about like, is there a naming, is there a name issue with the word awareness? Does it not sound like offensive enough or or defensive enough? Or is it like because to me, I I live and breathe it. So do you and Aaron. We know this really well. But to the to the lay non-cyber person, is it like, oh, that's awareness? That's nice to know, but like, I'll need to be aware. I mean, do we have a naming problem? You see, here like human risk management, security training, but what do you think about there's there's a lot of new uh names for the category in the industry?
SPEAKER_02:Human risk management is one of my favorite ones for sure. And I've got, you know, I've got friends that that own a startup in that space and are and are doing exactly that. But I don't think awareness is a bad term. I think I think awareness gets a bad rap, not so much from cybersecurity, but from you know, we're back to Facebook and the social culture, you know, raising awareness. There's all these people out there that all they're doing is raising awareness and nothing actually changes, right? And I think that's where awareness gets a bad rap. You know, I'm I'm here raising awareness for whatever my social cause of the week is.
SPEAKER_03:Yeah.
SPEAKER_02:You know, pat myself on the back. I posted a video telling people it existed. Ooh, did anything change? Did anyone invest? Did anyone, you know, that's not the same thing. Just awareness is never enough.
unknown:Yeah.
SPEAKER_02:But I think in cybersecurity, it's a great first step.
SPEAKER_00:Yeah. And Alan, I was excited about HRM and human risk management. We've had a couple experts on the show that define that category as more of like the analytics and reporting to segment your workforce and better action. So, you know, that may be a subset, but like based upon your words and Cody, you're kind of concerned of like awareness is only the knowing. We need the doing. So maybe something like cyber human enablement or cyber risk and human enablement. There's something about the action that I think we're missing.
SPEAKER_01:It's two two uh two words. It's like there's the educate part and there's the empower part. I need to educate you on what is what is out there and what to look out for. Yes. But then I need to empower you, Alan, to your point about like, here's okay, what looks bad. This is bad. Got it, there it is. Okay. Now that I saw said bad thing, what do I do with that knowledge now? That's the empowerment of a, you know, is it a report button? Is it tell your colleague type thing? But I think that's another part too. That that kind of brings it full circle of beyond just the education.
SPEAKER_02:Right. That's it. That's it. And and human beings, you know, it's it's I'm a very positive person. I am. And I always believe humans have uh community interest at heart and not just self-interest. I believe that humans want to do the right thing. I believe that humans want to earn what they have for the most part. I mean, obviously there's exceptions all throughout society, but for the most part, I believe humans are in the game for the right reasons. And so they're hungry. They want a thing that they can do, they want to be able to do the thing and fix the thing and solve the problem and address the need. And if you give them that, you know, it's the old if you build it, they will come.
SPEAKER_00:So speaking of building it and they they coming, um, Alan, do you have some examples of like some of the favorite things you've done across the companies you've managed from a cyber standpoint? When it comes to October, forget about October. Like, you know, it shouldn't be once a month where we kind of come into action. We've been doing a lot of stuff with deep fake and physical and virtual scavenger hunts and really trying to, you know, be fresh and not commodity and not out of the box. The out of the box stuff is good for a purpose. But yeah, curious on your thoughts of like where have you pushed the needle in this space?
SPEAKER_02:Yeah, I I've seen some really fun stuff with cybersecurity escape rooms, virtual escape rooms. I've seen, you know, that as a more recent kind of thing. I've seen that one fun. But I'll tell you personally, from my own past, one of the best things I ever did. And this is gonna sound so goofy and so stupid, but it was so successful. We made a plaque, and the plaque was nothing more than the piece of wood with the clear plastic in front that you could slide an eight and a half by eleven into, and voila, you had a plaque. It was just a blank piece of wood with an acrylic face and slide a piece of paper in there, a standard sized sheet of paper.
SPEAKER_03:Yeah.
SPEAKER_02:And on that standard size sheet of paper, it literally just had a big smiley face and it said, My cybersecurity team loves me. And it was signed by me and had the date. And anytime anybody went out of their way proactively to anything in the interest of cybersecurity, they got issued one of these plaques. Nice. And it became a thing people wanted. The whole company was like, Oh, how did you get that? I want one of those. That's so cool. And da da da and it was just this goofy plaque with a smile on their face. And all of a sudden, people are asking me, What can I do to earn one of these? How do I help? And I started creating champions in every single department of the company over nothing more than these goofy plaques. It works, and it was a very human thing, you know? I like to be loved and I like to be able to show off that I'm loved. And look at this silly thing that makes everyone laugh when they walk by my desk. I get that little validation. Yeah, that was it. And it worked, it absolutely worked.
SPEAKER_00:Awesome. Well, let's let's expand beyond you know, deepfake and cyber threat and how we're working with our employees to you know get them more engaged in cyber. Let's expand the conversation to artificial intelligence. And obviously, for as much as the bad guys and the cyber criminals are using AI through deepfake and automating attacks and you know, human heuristics and languages and all of that, just making it much easier to be bad. Let's talk about being good in the world and kind of your stance on AI and some of the things that you're doing to really enable your workforce to get, you know, take advantage in safe ways the new technology.
SPEAKER_02:So at NTT Data, we have something really cool that I think most companies don't have. We have a chief AI officer who is rather high ranked in the company. And by rather high ranked, I mean it is our CEO, has actually taken on the dual hat of chief AI officer. He is pushing this agenda through the entire organization, 100% all the way from the top, right? Amazing, amazing. Um, I can't name which tools. Obviously, we never talk vendors and specific tools, but we've got a couple of different things we're doing in terms of the tooling. And and I I say more than a couple because, you know, in terms of LLMs, there's a couple, but also Agentic is all kinds of cool stuff going on all over the place.
SPEAKER_03:Yep.
SPEAKER_02:Um, but one of the things that we did at NTT that I I I walked in the door and this already existed because I, you know, I worked at NTT before, and then I went and did some things and I came back, right? I I just I can't quit NTT for real, right? Um, and I came back and found out we had uh launched this AI uh academy. And it's like, you know, white belt, yellow belt, this kind of thing. Mandatory for every single employee in the company. Wow. Just like cybersecurity awareness training is mandatory, AI awareness training is mandatory, and not just awareness training, but how-to training. Like these things get very practical and very concrete. And I am personally uh on the ELT at global data centers. I'm sort of the AI champion, if you will. And I'm the one who's been getting people licenses and training folks on what to do and giving examples. And we've got an ELT meeting coming up in just a couple of weeks. And I have deconstructed the entire data center industry and all the nooks and crannies where AI can benefit us and kind of a kind of a talk to sort of get everybody in the room, regardless of their role and function, lit up and going, whoa, I can do that. I go, ooh, let's go explore that deeper. Yeah. And some of my stuff may be fluff uh and it may not come to fruition, but I've come up with something for literally every department in the room to at least get them thinking, like, oh, we could do something like this, you know?
SPEAKER_03:Yeah.
SPEAKER_02:And, you know, when you talk about agentic AI, um, data centers are an incredibly physical environment, right? I always joke about, you know, people talk about cloud and you know, the OSI layers and all this, and I'm like, we're layer zero. We are dirt, concrete, power, water, like we are layers zero, plus internet connectivity, obviously. So we're more than that. But um, you know, a data center is a very physical concept. And and as a result, there's a certain sort of physicality and practicality to everyone's mindset in the data center industry. And so it behooves us to look at AI not just in terms of all these software solutions and cloud and SaaS and all the other cool jazz, but also what is going on in the physical world with AI. Yeah. And oh my goodness, is there some amazing stuff out there now in terms of like, I mean, you name it, robots, cameras, assembly lines, vacuum cleaners, you know, just body cameras, and I mean construction time analysis, and and you can actually look at a construction site and have the entire model that was predetermined and built, you know, because the model exists before the building exists, right? Sure, yeah. And you can actually have somebody with a body cam walk around that construction site and validate to the millimeter that what's being built matches the model. And where it's not matching, immediate flag, let's deal with this. Why are we three millimeters over on this particular strut or you know, whatever the story might be, you can get down to the millimeter millimeter level of accuracy with AI and spot the defects, spot the deltas and and address immediately, right? I mean, just crazy stuff like that. Assembly lines and motherboard manufacturing and security cameras and drones and all of these things. The physicality of AI is something that a lot of us forget about, but but there is so much innovation going on in that space right now.
SPEAKER_01:Yeah. And I think too, with all that drive innovation and to your point, like challenge, figure out how to use it. It's like also while doing that, here's this go fast, but here's some light bubble wrap as you're doing that. So, like, let's go fast, but how you know, how's that challenge gone? I mean, I to your point, as a as a leader in AI and as a CISO of this large in NTT, it's gotta be a challenge, you know, it's like with around AI governance too. So, how's that going?
SPEAKER_02:There's a reason that I chose to be the AI champion. Um, coming from the cybersecurity perspective, it you know, the default knee-jerk reaction, just like we we talked about the knee-jerk, you know, the humans are the weakest link kind of statements that so many of us in the industry make, there's a big backlash against AI in the cybersecurity industry. Sure. And I wanted to be the one to be the forward observer, be the champion, be the one pushing for progress, being the one pushing for change, and and champion this stuff as much as humanly possible, obviously with the same message of let's be careful, folks, right? To your point, light bubble wrap, guardrails, if you will, is good enough, right? Like, like I want you to speed down the highway, but I don't want you going over the cliff, right?
SPEAKER_01:Um I once heard someone say it was like, I don't want to slow you down, I want to give you faster brakes.
SPEAKER_02:So, yeah, and and this is this is the analogy I always use is if you're a professional race car driver in a Formula One race, your brakes are as much for slinging your butt around a corner as they are for slowing you down. Yeah, right? Like brakes, brakes, good high-end brakes go with good high-end engines for a reason, right? They're a tool for the driver. They are, they're a safety measure, but they're also an accelerator at times. Um, they're they're there are a lot of things, but but being the brakes on the train, you know, I always I always tell my team one of my mantras is never be in the business prevention business, right? Like you don't ever want to be the lone individual standing in front of the railroad train rushing at you. Like, yeah, yeah, you can't win being that person. You will always get smeared on the tracks, right?
SPEAKER_00:Well early in my career, I was in audit, and obviously audits about finding the bad things from happening. But yeah, what I realized is like you're finding process gaps and opportunities to change the way that they're doing. But I told people, look, you can pretty much do anything in business that you want as long as you have the right controls. And I think, Alan, that really kind of correlates to your brakes example. Like we're not slowing down here. We are actually um going faster by slinging through the the corner and the turn uh so that you're able to do what you want without kind of crashing into the wall or going completely off course.
SPEAKER_02: Yeah. And you know, people talk about AI and what's the challenge and what are we facing and what do we do? Like it's always in that sort of paranoid security context of, oh my God, what do we do about AI? And my answer is always double down on humanity. If you want to know where the best brakes are, just like we talked about with security awareness, we're right back to that same story with AI. AI has to be trained, it has to be trained by humans. Uh, humans have to deploy it, deploy it ethically, and deploy it with human considerations and factors in mind. Human goals are ultimately what it's there to achieve. Not yet. AI is not there to achieve its own goals. Why do we have it? It's a tool to serve us. Okay, who is us? Us as the humans. Let's think this through from the human perspective. What training is required of us and of the tool? What training is required to drive usage of the tool? What training is required to enhance the tool? What data do we and don't we feed it? All of these are human conversations and human questions. And in some sense, they're really no different than the cybersecurity human conversations we've been having for years and years and years. You know, and this is a big thing for me because I'm actually working on a book now. Um, the fundamental premise of the book is this: AI is not the only technology revolution we have experienced as human beings. Go back in time. We had the internet revolution, we had the cloud revolution, which wasn't as big a deal, but we had the PC revolution, we had the mainframe revolution, just the fact that computers existed at all. We had the telephone and radio and TV, electricity didn't used to exist, cars didn't used to exist. Every one of these things introduced great social change, and every single time, railroads is another good example. Every time one of these events occurs, what you see is, um, two sets of people at the beginning of whatever the revolution might be. 
One set is decrying it, saying it's gonna be the end of all things, and the other one is saying, no, no, no, it's gonna solve all the problems. And the truth is always somewhere in between, right? And one of the big concerns is always jobs, and one of the big concerns is, you know, cultural impact and ethical concerns and all these kinds of things. And what are you talking about when you're talking about ethical concerns and jobs and financial impact? You're talking about humans, you're talking about the humans making it happen, the impact to the humans that it's happening to. This is always a human conversation, and so it's super important to step back and remember that as a species, we've always survived every one of these revolutions. And the overall trend that has, you know, appeared in almost every case is yes, certain jobs are lost. Like go all the way back to the original industrial revolution and the Luddites, right? The Luddites, uh, for those not familiar, these were the folks who were the artisans who handcrafted, um, you know, weaving type stuff. And then the industrial looms got invented, and all of a sudden these guys got displaced. And it was a real big deal. Like, I'm losing my job. Oh, and they revolted and they marched into factories and smashed machines, and the Luddites were these, you know, they got written up long after the fact in history. If you hear the word Luddite, it tends to be perceived as just anti-technology, you know, caveman. And the reality was it was about job displacement. That's why they were so upset. But if you look at what the industrial revolution did in the long term, far more jobs were generated because of it than were lost, uh, due to it in the beginning, right? So there's this labor curve that occurs. And how do you address that labor curve? Well, we've just come full circle in our conversation because again, it's all about training human beings.
SPEAKER_01: Yeah, I was talking to a buddy the other day, and he's probably listening to this podcast, but he owns a coding shop and they do a lot of cool things. And he was like, of my development team, 50% of them don't want to touch it. You know, coders say we're good, the way I'm doing it's great, I don't want to learn. He said, now there's probably 40% who are trying a little bit, you know, and they're doing some good things, and they're probably 2x-ing their output. And he said, but 10% of my developers are going just gangbusters on it, and they're like 10- and 20x-ing their output, doing phenomenal things. And he's like, but to your point, there's some buds who are just stuck, like, I don't want to do this, and some are just pushing ahead, and they're, you know, doing light speed, like sprints and everything and coding and everything. But I think that's an area that's a little easier. The path to AI is a little, you know, more defined. Yeah, but to your point, some are gonna say no, some are gonna be standing still, some do a little bit, and then some are just gonna go absolutely, you know, crazy with it and really show what all it can do.
SPEAKER_02: History pro tip: the Luddites have never won. Not once. Yeah, not once. So be the one who embraces it, be the one who learns it. Because, you know, people worry about job displacement, and it's not really about job displacement, it's about job enablement. If I can hire a team of 10 people, there's two choices. You know, the naysayers and the fear-mongers are saying, well, he's just gonna fire two of them and replace them with AI. And the alternative view is, what is a business there to do? A business is there to take smart risks, do some investment, get some return on that investment. That's what a business is there to do. There's lots of things we talk about all the time in the business world, like acceleration is a great word we love to use in the business world. Well, instead of firing those two people and replacing them with AI, what if you use AI to complement all 10 and now you're producing 20 people's worth of work for the cost of 10 people?
SPEAKER_03:Yeah.
SPEAKER_02: Wait a second, now you're the one who's in the competitive market and your competitors that are firing people are lagging behind. Right. Like, so you know, it's always important to characterize these things and think about the human impact. It's absolutely vital to think about the human impact. But if the humans double down and you double down on the humans, it's going to be a win for everybody in the long run. Absolutely, it will be. Yeah.
SPEAKER_00: So, Alan, let's take your story as an example. You're a CISO that's kind of taking the charge. You're the champion within your organization. You've got support from the top, the CEO kind of taking that secondary role as the chief AI officer. Um, but not every organization is that progressive. No. Um, what would you say? So you've got two roles to play. One, be an advocate, make it safe. And then two, educate around the bad things like we started the show with, with deepfake video, audio, all the different things. For less mature organizations, for leaders that maybe haven't taken the step you have, where do they start? How are you guiding them?
SPEAKER_02: So I think keep all AI out of the shop but LLMs, to start, so everyone can get a toe dipped in the pool, right? Don't get into the agentic stuff unless there's a specific department with a specific need that knows what they're doing. And it's like, hey, you know, there's lots of cyber solutions, for example, that use agentic AI now where you can definitely see the value and the gain. But you have to be cautious about, you know, it's just like any other cloud story, any other privacy story: whose data, where's it going, what are they doing with it, what do they see, you know, where is my, you know, all those kinds of questions. Nothing changes if you've got a strong vendor assessment program. It's no different than, uh, assessing a SaaS app from that perspective. So you can allow the little agentic stuff here and there departmentally, if you will. But if you really want to get people's interest and get them captured and get them going with it, um, you know, ChatGPT is viewed as this sort of goofy novelty for most people that even do play with it at all. It's this goofy novelty. And one of the things I love to do is, just like I talked about, I'm going to each leader of each department and saying, here's some examples of what it could do for you specifically in the context of your role, your daily job. Here's some cool stuff it can do. And you can Google that. At this point, in fact, you can ChatGPT it. You can jump into an LLM and ask it what it's good for, and it'll give you some great answers, right? Um, so don't be afraid to engage in and explore it. And the other thing I always tell people to do too is whatever your hobbies are at home, jump on the AI and play with it in that context. Use it at home. Just sign up for a free LLM, you know, whatever. Pick one and go. Um, you can see very quickly the strengths and the weaknesses, and where you have to sort of refine your request to it. 
And lo and behold, you're learning prompt engineering before you even realize it, right? Yep. Uh, I'm an unabashed video gamer. I've been a video gamer since, you know, '80 or '81, I think, is when I started. And, uh, I still play RPGs, you know, when I have time as a CISO, which of course is a rare commodity.
SPEAKER_01:You got plenty of trap relief.
SPEAKER_02: You know, I will jump into ChatGPT. I got a personal account at home. I jump into ChatGPT and I signed up for the whatever, the $25 a month plan or whatever it is, and I literally have it designing video game characters for me. Part of the job, the job, uh, used to be spreadsheeting and spreadsheeting and spreadsheeting, and then you jump in the game and actually play the game. Like four hours of work for one hour of gameplay was the old model. And now it's, uh, an hour of ChatGPT and an hour of gameplay as the model. Like when I have time to game, I'm actually getting to game more than plan because I've got ChatGPT doing my work for me. Yeah, I've seen people use it in the kitchen for recipe stuff. I've seen people use it on how to fix cars when they're the kind of, you know, like I've got friends that are hardcore gearheads that buy and restore old cool cars. You can use it for that. Um, you can use it for just about any hobby you have. And it's just like we talked about again, full circle, security awareness training. Hit them where they live, talk about how it might impact them at home, gift cards, games around the holidays, these kinds of things. Show them where ChatGPT can benefit their personal lives, their hobbies, their family stuff, their fun. Teach them how it's a more sophisticated search engine. And of course, again, guardrails: teach them what hallucinations are and show them what prompt engineering is like to overcome those hallucinations. And if you can get everyone playing with it in that context where you capture them where they live, you capture them at that human moment of their lives, they'll come back to work and immediately be the ones brainstorming on how it can better be used at the workplace too.
SPEAKER_01: Yep. I love it, man. The AI innovative-drive CISO, man. This is great.
SPEAKER_00: And Alan, I just want to underscore your point because I think you're talking about starting small, applying it to your home life, translating it to your work life. When you gave some of the work examples, it's like starting with the basics. Did you see the MIT NANDA study that kind of claimed, it was a shocking headline, but it said 95% of enterprise, uh, generative AI pilots fail to deliver meaningful or measurable financial results. But then if you read past the headline and get down into it, it said a lot of the big complex, you mentioned don't jump right into agentic programs, were failing because they were not adapting to business process and workflow and they were moving too fast. But it also said the experimental individual use of AI was, like, through the roof. So I think to me, that's the big lesson. Like, let's not jump to building the third floor, like, let's learn the foundation, let's do some basic stuff, let's stay on gen AI before we're trying to automate our SAP backend with the workflow.
SPEAKER_02: Right. Get your white belt and your yellow belt, if you will.
SPEAKER_00:Yeah.
SPEAKER_02: And then think about your departmental needs and think about a super simple use case where an LLM can help facilitate whatever it is you're doing. We've got folks in my company that are already using it for just really basic stuff. Like, um, what's a good example? Um, I've had 20 emails back and forth with this one guy in this other department, and I've lost track of all the threads and the whatever. Hey, LLM, jump onto my email threads, concatenate all that, gather it, tell me what the latest is. There's another really simple one with some of these tools. I will literally log into an LLM in the morning and say, what are my action items? What are my open things? Based on email and Teams chats both, you know, whatever it might be. Like, what's going on? What do I have that's delayed, or I promised somebody I'd do a thing and haven't followed through, or somebody's asked me a question I haven't answered, and it'll literally just spit all that out and give me my punch list for the morning. Whenever I have free time and no meetings, I'm consulting the LLM to turbocharge my to-do list and what I'm behind on, and, you know, really basic little stuff like that. You know, concatenate this email thread, summarize these 18 documents this one team sent me that I don't have time to read all of. And, you know, there's a million and one little examples like that. Start small, start with those little things and see the value, and then it'll trigger you to start imagining bigger use cases.
SPEAKER_01: Yeah, you're spot on. I've had this problem that probably no one else has, but I get a lot of emails and sometimes I read them and I forget to respond to them. So to your point, you know, I'll pop open an AI and say, hey, like, what did I forget? And lo and behold, it's like, here's four things, and I was like, ah, because I don't get the time to sit there and just scroll through every email or newsletter I get and go forth. So yeah, to your point, it saves me hours on end.
SPEAKER_02: Another fun one that we do, uh, my senior director of CyberOps and I co-authored a prompt. Um, we went back and forth for days on this prompt, and we now issue a daily report to ourselves from an internet-attached, uh, LLM, and we basically walked it through: I want to see all the latest CVEs that came out in the last 24 hours. I want to see all the latest KEVs that came out in the last 24 hours, cross-reference those to data center, uh, specific, uh, needs and concerns, such as, you know, blah, blah, infrastructure, blah, blah, you know, IT/OT, yada, yada, yada. Um, summarize the headlines from the following six or seven public, uh, cybersecurity news sources, um, you know, et cetera, et cetera. At this point the prompt is like a page and a half. Yeah. And every morning, without fail, we get this lovely little report, and we immediately, you know, share it with the team. And, uh, we've been fine-tuning our prompts and getting it tighter and tighter and better and better. And we've even got it referencing MITRE ATT&CK now and all kinds of cool stuff. And it's just this cool daily report waiting for me. Like, yo, heads up, there's this one CVE that there's now a KEV for. And if you look at MITRE, it's actually this and this attack, you know, kill chain. And, you know, what a great thing to have at your disposal instead of waiting to hear from someone else. You know, you're subscribed to the various lists, you rely on your CISO peers and network, you know. Think about all the ways and means in which the latest cyber threat gets to you, and think about the fact that you can be using an LLM to proactively hunt that stuff and get it in your inbox before anyone else even finds it or sees it.
SPEAKER_00: Look for any deepfake balance out there. So I want to end the show with one question and maybe a two-part answer, given we've had a two-pronged conversation about the threats of AI and deepfakes, and then also enabling it. And, you know, cyber leaders can be on the leading edge of this. So, my question is, and imagine the question's coming from an employee of yours, or in a prior company, and maybe she is similar to your aunt, you know, late 50s, maybe not that tech, yeah, not that up to speed on tech. So the question is, what can she do? We're coming into October. If you had one thing in an elevator to tell her, what can she do to both protect the company, or protect a company, as well as get more adept in AI and integration with the job? What are some simple things that you'd start her with?
SPEAKER_02: So I always love to say something really simple. Um, and it's two sentences, and you're done. The first one is go and explore on that personal level and play with it where you live: your hobbies, your interests, your stuff at home, whatever it is. I mean, people do, you know, churches use LLMs at this point for things and synagogues use LLMs. And, you know, I mean, just anything you care about personally, there's a utility there. But the second sentence is always, and whatever you put into it, understand you could be sharing with the entire internet. That's it. Start with that awareness of what data goes into an LLM. Start there. What do you feed it? Start with that security concern. Then you'll have to address as you progress, you know, things like, well, what if the data it gives back is incorrect, or what if it's been poisoned, or what if it, you know, and you can start to get into pickle files are corrupted, and, you know, uh, all the other things. But really the very first and foremost security concern for Joe Average and Jane Average is think about what you put in there, but use it for creative stuff to solve little problems in your daily life, or to speed up things you do on a daily basis. You know, one of my big cyber mantras is, you know, every good cybersecurity company, every good vendor that's ever come out there, what they're really doing ultimately is, I picture a CISO walking down the same sidewalk every day to work. And there's a crack in the sidewalk. And there's this one gap where the tree roots have made that one slab rise and you have to step over that. And there's a pile of dog poo from the same poodle every morning, and, you know, this kind of thing, right? And all you're doing as a cybersecurity vendor is you're saying, instead of taking that journey down that sidewalk for granted, stop for a moment and look at that little crack. Is that a feature? Look at that big step over that big thing. Is that a product? 
You know, dodging the dog poo, that's probably a feature. Maybe it's a product. But the point is that stuff we've always taken for granted. Stop for a moment and imagine it could be done a different way. What if I quit taking this for granted? What could I do to alter it permanently and change it in some way that makes my life better? And that's the exact same mindset you want to approach with AI. How can I use it to improve this little bit of my life? Just this crack in the sidewalk, even if it's not a great big thing. It may just be a feature, it may just be a crack, not a great big step over.
SPEAKER_01:Be innovative, but be aware. Yeah.
SPEAKER_00: Awesome. Well, thanks again to Alan for coming on the show. Thanks for, uh, your great style. Sorry that I, uh, only 80% pulled it off today, but I had a little fun doing it and, uh, appreciate your willingness to do that and, uh, expose, you know, the art of the possible to others and, you know, the awareness, the behavior change that we need, as well as really pushing into AI in a safe and secure way.
SPEAKER_01:Yeah, Alan, great conversation. It was awesome talking to you. Thank you.
SPEAKER_02:Thanks so much, guys. Uh I always love chatting with you guys.