The Entropy Podcast
The Entropy Podcast is a cybersecurity, technology, and business podcast hosted by Francis Gorman.
Each episode features in-depth conversations with cybersecurity professionals, technology leaders, and business executives who share real-world insights on cyber risk, digital transformation, emerging technologies, leadership, and the evolving threat landscape.
Designed for CISOs, IT leaders, founders, and professionals navigating today’s digital economy, The Entropy Podcast explores how organizations can adapt, innovate, and build resilience in an era defined by constant change, disruption, and geopolitical uncertainty.
The name Entropy reflects the growing complexity and unpredictability of cybersecurity and technology ecosystems and the strategic thinking required to thrive within them.
Topics include:
- Cybersecurity strategy, risk, and resilience
- Post Quantum readiness
- Emerging technologies and innovation (AI, etc.)
- Business leadership and digital transformation
- Cyber threats, regulation, and geopolitics
- Lessons learned from real-world experience
New episodes deliver practical insight, expert perspectives, and actionable knowledge so you stay informed, strategic, and ahead of the curve.
Buy Our Swag:
We now have some slick new swag you can purchase through our Etsy store.
https://theentropypodcast.etsy.com
Watch and Subscribe
You can also watch full episodes and exclusive content on our YouTube channel:
www.youtube.com/@TheEntropyPodcast
Achievements
The Entropy Podcast delivered strong chart performance throughout 2025, demonstrating consistent international reach and listener engagement.
- Regularly ranked within the Top 20 Technology podcasts in Ireland.
- Achieved a Top 25 placement in the United States Technology charts, holding the position for one week.
- Charted internationally across multiple markets, including Israel, Belgium, and the United Kingdom.
This performance reflects sustained global interest and growing recognition across key podcast markets.
Audio Quality Notice
Some episodes may feature minor variations in audio quality due to remote recording environments and external factors. We continuously strive to deliver the highest possible audio standards and appreciate your understanding.
Disclaimer
The views and opinions expressed in The Entropy Podcast are solely those of the host and guests and are based on personal experience and professional perspectives. They do not constitute factual claims, legal advice, or endorsements, and are not intended to harm or defame any individual or organization. Listeners are encouraged to form their own informed opinions.
Trust, Risk, and Technology with Anne Leslie
In this episode of the Entropy Podcast, host Francis Gorman engages with Anne Leslie, the head of cloud risk EMEA at IBM, to explore the intricate relationship between cybersecurity, digital transformation, and regulatory frameworks. They delve into the implications of the Digital Operational Resilience Act (DORA), discussing common misconceptions organizations have about its requirements. Anne emphasizes that DORA is not merely a documentation exercise but demands a genuine commitment to operational resilience, continuous improvement, and a deep understanding of technology landscapes and business processes.
The conversation shifts to the topic of sovereignty in cloud computing, particularly in the context of European regulations and geopolitical tensions. Anne shares insights on how organizations are grappling with the balance between data sovereignty and operational resilience, highlighting the challenges posed by conflicting regulatory demands. The discussion also touches on the risks associated with cloud services, post quantum readiness and the importance of testing assumptions, along with the need for organizations to remain vigilant and proactive in their risk management strategies. As they conclude, Anne offers valuable advice for women in tech, encouraging them to share their voices and experiences generously, fostering connection and community in the industry.
Takeaways
- DORA demands more than documentation; it requires actual capability.
- Organizations often silo responsibilities, leading to gaps in resilience.
- Continuous improvement is essential; resilience is an ongoing process, not a project with an end date.
- Understanding the purpose of sovereignty is crucial for effective data management.
- Testing assumptions and exercising response plans are vital for risk management.
Sound Bites
- "DORA demands far more than robust documentation."
- "Sovereignty is an incredibly emotive topic."
- "It's the ostrich effect, the head in the sand."
If you're loving the show, check out our swag over on Etsy: https://www.etsy.com/shop/theentropypodcast/?etsrc=sdt
Francis Gorman (00:01.262)
Hi everyone, welcome to the Entropy Podcast. I'm your host, Francis Gorman. Before we dive in, if today's conversation challenges you, sparks a new idea or sharpens how you think about the world, don't keep it to yourself. Subscribe, leave a review and share this episode with someone who enjoys staying curious. Today I'm joined by Anne Leslie, the head of cloud risk EMEA at IBM, who specializes in helping organizations navigate the fast-moving intersection of cybersecurity, digital information and regulatory change.
Francis Gorman (00:54.966)
As head of cloud risk, Anne leads risk and resilience strategies across more than 30 markets, working closely with boards and regulators to embed governance frameworks that enable innovation without compromising trust. Anne is also a published author, keynote speaker and contributor to European policy discussions. And it's great to have her here with me today.
Anne Leslie (01:13.902)
Thanks Francis, delighted to be with you.
Francis Gorman (01:23.254)
I'm really glad to have you, Anne. I've been following you on LinkedIn for quite a number of years now.
I like your ad hoc posts on certain subjects around DORA and different things that have caught your fancy on a given day. And I find it really insightful. It's great to have you here with me to discuss some of those topics. On one of those topics, DORA, I think, because I brought it up first, we might just dip in there for a minute. It's become a bit of a buzzword. What's the biggest misconception organizations have about what it actually demands?
Anne Leslie (01:52.668)
There's so many different dimensions to that. I think probably one of the biggest ones that I'm seeing is that you can get away with making it a very robust documentation exercise. Now that's not to say that documentation is not important. It absolutely is. And I think a lot of organizations, both on the technology provider side, as well as on the financial institution side, are realizing that they may not have the requisite level of documentation, but DORA demands far more than that. And I think there's been a bit of a reckoning across the industry in terms of it needs to move beyond theoretical resilience, it's actual capability. What are we able to do? What do we know about your technology landscape? What do we know about our business processes? What do we know about our partners? Do we know what we would do if any part of that breaks?
And I've seen a lot of organizations and it's understandable. I'm not criticizing anybody when I say this, there's no judgment enough. But because of the way the regulation was structured, there was a very strong temptation to divvy it up into sort of siloed pillars. We're going to give that bit to that team and that bit to another team and there'll be checklists and there'll be cadencing and there'll be, you know, project management.
Yes, it did need the diligence of cadence structured project management, but it doesn't have an end date. There was an implementation date and enforcement date, but the spirit of Dora and of operational resilience policy and regulation around the world is that this is an ongoing thing. It's continually evolving and the expectation is continuous improvement. So I think that element of
We can run this as a project. We're going to have documentation produced during and at the end of it. And then we're done. No, no, far from it. So yes, again, there's no misconception what I said around documentation is crucial. Things need to be written down, but then it's how does what's written down relate to reality and how does it translate into behaviors?
Anne Leslie (04:20.416)
And how does it translate into decisions and how does it translate into a demonstration of we know what we all do if and when we get hit with a disruption, irrespective of the severity.
Francis Gorman (04:35.726)
Makes absolute sense. And I think the behaviors one is probably a key one there. As humans, we tend to kind of go, we'll do it next week or the week after. And something gets dropped or the tactical solution becomes the permanent solution. And the resilience aspect may not be as robust as you expect. And if, I suppose, DNS has taught us anything in the last year, resilience is something we really need to consider, especially when it comes to
online-provided services for our institutions. I totally get that. Speaking of online and cloud-based type infrastructures, I wanted to talk to you a little bit about the mood music that's cutting across Europe at the moment. It hasn't quite hit Ireland or the UK fully yet, but France and Italy are very vocal about sovereign cloud and what that means for us in shifting geopolitical landscapes.
Can I get your view? Because I get put in the spot on this the whole time and I've very conflicting emotions that it evokes in terms of, you spend so many years putting stuff in cloud based infrastructures and now there's this tense, well, maybe that infrastructure isn't the best place to have that data. Who's going to the board to tell them to spend another couple of million to move it again? So I'd like to get your perspective on it and see where that leads us in the conversation.
Anne Leslie (06:01.8)
You're spot on. I mean, that whole discussion or debate around sovereignty, it's incredibly emotive. People have almost got a religion on it. Now, I'm like you in the sense that it's not so much that I'm conflicted. It's that I work for an American company. That's just sort of like a thought. I'm also a European. And that requires that I think about the topic in multiple dimensions at the same time.
And try and come at it in terms of, what are the dimensions that are important and for what purpose? So I spend a lot of time with academics who were looking at sovereign cloud in the context of computer law, in the context of data protection. And what I found interesting in those conversations is that they take quite a purist view and they'll say,
that they're very frustrated with what they consider to be a marketing takeover of the topic and that providers are saying, well, we can make sovereign this and we can make sovereign that. And what those academics are saying is fundamentally where the topic of sovereignty originated was around data protection. And if we think of it in terms of the CIA triad, confidentiality, integrity and availability, it was all about confidentiality, making sure that there wasn't unauthorized access to data by whoever. It could be foreign authorities, security agencies, whoever. And that this idea of sovereignty originated around making sure that data remained confidential and under the jurisdiction of whoever actually owns it. Now it's kind of morphed into something else.
And that's where you've matured my own approach to this when I'm talking to either policymakers or regulators or clients, which is when you're thinking about sovereignty, I don't want to get into the definition of it so much. Not that definitions aren't important. They are, but they're important in a certain context. For the work that I do, I try and get people to articulate what outcome are they expecting from sovereignty, not so much what their definition of it is.
Anne Leslie (08:27.532)
When you're concerned about sovereignty, for what purpose, for what outcome, what are you trying to achieve? And it's more useful in my experience because it gets people to start putting words onto what often are not very well articulated fears. So it's a fear in some cases of, we don't want people snooping on our data. Again, the confidentiality thing. For others, it'll be that.
And it'll be something to do with, well, we're afraid we're too dependent. We're afraid that we're too vested in one or many foreign-headquartered technology providers. And if something shifted in the geopolitical landscape, we'd find ourselves caught between a rock and a hard place. So when we start getting into a better articulation of what people are worried about, then we can start thinking about, well,
those start looking a bit more like requirements and you can start translating requirements into technical mitigations. And then you start making the trade-off of what sits where. And this is where one of, it's one of the topics that I think warrants a bit more work, both in academia and at the policy-making level, which is, I mentioned the CIA triad of confidentiality, integrity and availability.
And there seems to be a kind of an implicit assumption that they're equally important.
But I'll give you the example of financial institutions that I work with. They're being told that they have to be more resilient under Dora. And they're getting a strong nudge from, say, the European Central Bank saying, we're not telling you you can't work with foreign providers, but we are telling you that you need to have a look at your risk exposure. You need to have a fresh take on where might you be?
Anne Leslie (10:32.92)
too concentrated. Where might you have unmanaged dependencies? And what mitigations are you going to put in place so that you're not a danger to yourself, you're not a danger to your customers and you're no risk to financial stability? So that's kind of a blend of resilience under Dora and then also more of a push towards sovereignty. But if you go all in on confidentiality and you follow through, for example, you mentioned Italy, for example, France is also very big on sovereignty. You could
get a really, really solid technical response to sovereignty defined as confidentiality. But then how good are you on resilience options in terms of recovery? And it's that trade-off. What I think a lot of organizations are really struggling with is that they're being told by certain authorities like data protection authorities or national cybersecurity agencies that they need to major on that dimension of confidentiality of data.
And then a different authority for banking, it'll be the prudential supervisor saying, yeah, but you need to be resilient. And the two are in tension. And it's very difficult for them to know where to place one against the other. What trade-offs?
and what's not. What are you allowed to compromise on? That determination of where to place the cursor and what the risk appetite can be, is it still the sort of the internal jurisdiction of a firm to determine that for itself or is it implicit in the regulation? And that's a lot of tension that I see going on in relation to resilience and sovereignty.
That's causing a lot of friction. It's causing a slowdown of decision making, because the answer is not easy and the answer is not clear. But I don't see the topic of sovereignty going away anytime soon. What we need to get to is a place of operational practicality and certain pragmatism, which is
Anne Leslie (12:53.966)
As a European, I think it would be very disingenuous of me to say that allowing Europe to develop its industry and European champions, et cetera, would be a bad thing for Europe. Of course it wouldn't be. But I would be dismayed if the landscape that we're in turns into one of total opposition where it's,
countries pitted against each other and the nationality of technology providers being a determining criterion. It just sort of feels that we might be losing sight of where we're going and what we're doing any of it for.
Francis Gorman (13:36.05)
I think someone said to me lately, chaos is the new normal. And it fits right into this bucket for me, you know, as an architect with a remit around cyber and, you know, resilience. And I look at this problem myself. I have a number of conflicting issues. So I'm looking at post-quantum readiness. Who's doing post-quantum readiness really well? The US cloud providers, you know, clear roadmaps, clear distinctions, clear demarcation points, you know, it's.
Anne Leslie (13:59.342)
do this. Yeah.
Francis Gorman (14:04.776)
It's transparent to me. I'm looking at, you know, internal infrastructure going, would it be really nice if we put that into an environment that already had some of this stuff in place? And then I'm looking at the wider geopolitical mood music that's kind of going, you don't want to put it there now. Maybe you should put it somewhere else. And I kind of go on the pragmatic lens. And then I bring this back to kind of cryptography and a cryptographic strategy. And if I own maybe the HSM that underpins
Anne Leslie (14:15.534)
Absolutely.
Francis Gorman (14:34.75)
the data and I have the flexibility of a US cloud provider, does that solve my problem? It's kind of created these kind of unique questions in my mind that I'm mulling over and I won't say I have all the answers, but I have a certain direction I'm starting to form and it's not rip everything out and put it somewhere else because I haven't been given, and this is going to sound probably bad, but I haven't been given a good European option to stick it in.
that gives me the level of robustness in terms of availability zones, in terms of native services that kind of self-solve for problems that I have in the immediate future. And that's a problem. Like, Europe does probably need to up its game in this space to get on par before we start having competitive analysis of the solutions. You know, maybe that's a bit disingenuous for me to say, but from an architecture perspective,
I'm always looking at what creates the least amount of toil to the business, gives me the highest value in terms of security and doesn't break the overarching budget that surrounds it. That's a consideration there. And what I have here, I'd like to talk a little bit about cloud risk because I don't know about your perception, but mine is cloud risk was a major red flag for about three or four years.
And last year, you know, we talked about cloud risk, but it seemed to be smothered by AI and, you know, AI was kind of across the board and everywhere. Is there one or two cloud risks that have become less talked about from your perspective, but more dangerous in the last couple of years?
Anne Leslie (16:14.818)
I think what I'm seeing is...
maybe a level of complacency and just an assumption that things because they're managed, you know, it's a well, we bought a managed service, that something's taken care of, you know, it continues to blow my mind how people dismiss the shared responsibility model like it's old news. But then when you actually question people about
How clear are you about who does what and how granular can you get about who does what? And, you know, I was struck, for example, by some of the lessons learned that were published by the UK Financial Conduct Authority after one of the big outages, I think it was in 2024. And what they had said was something as basic as the availability of a call tree between providers and clients.
And they said they were very, very surprised, if not dismayed, at how few organizations were actually able to contact people on both sides of that supplier-client relationship by phone. So I think the risk is operational. The risk is when something breaks, do we know what to do? Do we know who to call? Do we know how to turn around a response quickly?
When everything is fine, everything is fine. It's just, you mentioned cryptography. There's just that very human tendency when things have been in place for a long time in relative terms and nothing's broken, people kind of, you know, implicitly, nothing's going to break. We don't have a problem. And they get lulled into that false sense of security, whereas
Anne Leslie (18:19.898)
I really, really emphasize the need for testing all the time and sort of, you know, sprints and reps and drills. And yeah, it's tiring. It's like going to the gym, but we're talking about sort of lifespan and health span in terms of our personal lives. And there's an equivalent in terms of managing technology and organizations is that you can't get away with managing risk on topics like these anyway, without exercising, without testing.
So I think the element of risk that's maybe being under-indexed is have we tested our assumptions? Have we exercised our ability to respond to the risks we think we have? Are the risks we think we have our biggest risks? And people sort of challenging their thinking and challenging their assumptions. And the ability to do that effectively
is very strongly influenced by organizational culture. Because when something looks good on paper and nothing has broken, you might be taking on a degree of career jeopardy. If it turned out that you went to executives or a message went to the board saying, you know, we might want to think about this. Some organizations, healthy, well functioning, well governed organizations will respond well to that.
because it's best practice. It's what everybody should be doing. Some organizations won't respond well to that. And I do see quite a big divergence between the willingness to entertain that perfection has not yet been attained and other organizations said, no, good enough is good enough and nothing's broken yet. And we're going to continue as if everything's plain sailing. So I think the biggest risk and it's not
It's not specific to cloud, but I think it's showing up in cloud.
Francis Gorman (20:24.778)
It's the ostrich effect, the head in the sand. I think that's a beautiful example, actually, you know, who do I call when things break? It's so simplistic. But I've seen it materialize, you know, that person has left the company or, you know, you're not authorized to talk to that person because your guy has left your company, you know, when you're going, what do I do here? You know, who authorizes me if the guy who's supposed to authorize me no longer works?
Anne Leslie (20:45.742)
Absolutely.
Francis Gorman (20:54.672)
So it's really, really interesting in terms of how that can materialize. I think we've touched on quite a bit there. We've touched on resilience and we touched on cryptography. I might just get your perspective on where you think the post quantum conversation is going at the moment.
I could talk all day about this topic, but I won't hijack the call on it. I like to, when I have intelligent people in front of me who have a good depth of experience across the industry, I do like to probe on post-quantum readiness because I fear a lot of organizations have not yet looked at the problem. And for me, it took about two years just to understand how big the problem was and how you would go about tackling said problem.
Anne Leslie (21:44.91)
Absolutely. It's a fascinating topic and it's one that I dug into quite deeply last year and spent a lot of time and actually your podcast was one of my resources on this. You have some great episodes with some really great guests. I came at the topic initially feeling a little bit under equipped in terms of going, you know, it's cryptography. It's necessarily complex and it is.
But I realized pretty quickly that I didn't need, I still don't need, and I'd love to understand the actual cryptography itself. I understand enough, but that's not where my skillset comes in. My skillset in terms of managing technology risk and evaluating business risk. It was relatively easy for me to see quickly that not all the right stakeholders are mobilized on this.
And some people who are vaguely aware of it, who should be deeply involved, are choosing not to be. And I've been very curious about trying to understand why. I came into cybersecurity a little under a decade ago. I still have a high degree of humility about the things that I don't know. But I look at people who spent maybe two more decades than me in
IT and technology. I'm kind of looking at them going, you've been around technology longer than me. We're going to make a reasonable assumption to say, you know more than me. And yet you're choosing to ignore this and downplay it and not get involved in it and sit on the sidelines of it and crypto-procrastinate, which is a phrase that I love from Jaime Gomez.
And I have really been trying to understand why, because what I'm seeing in post-quantum readiness is that it's like the canary in the coal mine of governance and risk management that's not functioning. So for any organization that doesn't have this on their risk horizon, the question is not only, well, what are you going to do to be ready? It's what are you seeing that you think that
Anne Leslie (24:07.082)
It's okay not to be focusing on this. What's going on in your organization that's allowing you to feel comfortable that you don't need to carry it. And I've had some real, you know, jaw dropping moments where I've been in conferences or conversations with executives and a COO of
a GSIB, a globally significant and significantly important bank, systemically important bank, said, yeah, PQC, yes, it's the thing, but it's not my thing. And that's maybe one of the biggest issues is that a bit like resilience, it's everybody's problem. But if it's spread up in
robust accountability matrix, where somebody owns the outcome, nothing gets done, or nothing efficient gets done or nothing impactful gets done. It's not to downplay the technical complexity about choosing how you're going to do this from a roadmap and a migration perspective, what algorithms, etc., etc. But just leveraging my skill set and the kind of the perspective I have.
It's much more about managing this from a risk and a business impact.
I learned from debates around sovereignty and resilience that when people are pushing back, I don't argue with them anymore. I don't tell them that they're wrong, but I ask them to explain to me what it is that they're seeing that allows them to feel confident that they're right.
Anne Leslie (26:01.066)
Oftentimes, I won't get a very convincing, compelling answer to that. And those people go away and I can see them kind of going, yeah, maybe, maybe we might want to revisit that. One person was very honest about this and said to me, it's outside the duration of my mandate in the sense that my board currently doesn't care about this. I could bring it to them.
All I'm going to get is grief. I'm going to get no thanks. I could be the guy who plants the tree that I don't get to sit under. Right now, I just don't have the energy. And I, it's a very unfortunate, unsatisfactory state of affairs. But organizations are tough places to be, and particularly large organizations. So I wouldn't be surprised that that is the truth.
that is present in a lot of places, which is the incentives aren't in place to get smart people energized, mobilized to do something where they won't necessarily be the people getting the kudos at the end of it.
Francis Gorman (27:17.56)
You're spot on. So we started a journey about two years ago now. And one of the things when we sat in a room and really baked this out after multitudes of conversations that we identified was key was top-down enduring sponsorship, and enduring being the key word there, because we determined the average lifespan of an executive is somewhere between four to six years.
This is a decade-long problem. Depending on how you start, it's going to get more expensive the later you leave it within that decade. So it's got a compounding effect against you if you let it kind of just rock on, I will do it next year, I will do it next year. And then by the time you go to do it, you've such a learning curve to understand what it is you have to do and the steps you need to take. Like, the problem we probably have in Europe at the moment is it hasn't been
regulated against yet. It's talked about, we've put out roadmaps, we've put out expectations, but a lot of organizations don't actually get rubber on the road until there's regulation that has implications. And I think that's what's probably missing to be the final screw. We see the direction is very clear in the US. The G7 have come out with their document during the week that kind of lays it out as well.
Anne Leslie (28:33.048)
Yeah.
Francis Gorman (28:38.414)
The Quantum-Safe Financial Forum, which I'm a part of, has obviously had a number of different publications with the IFSC SEC and others over the last year, and, you know, all of these different bodies coming together to promote awareness still probably needs to stick, and it's terrible to say, but a stick is sometimes just needed in these situations.
Anne Leslie (28:58.776)
Totally. And I've seen that. So I've seen a shift in some, you know, there are some front runners. I spent a lot of time in financial services and there are some front running organizations across banking and insurance who are kind of taking the lead. And I've asked them, what's different in your organization that you're managing to do that? And it's a combination of a small group of people with a conviction that this is important. They're managing to get executive support.
They're also, the insurer that I have in mind explained to me that they used the language of their business, which is managing risk and putting a Euro figure on business at risk. And they went to their executive team and said, if we don't make strides on this at pace, this is the amount of business that's at risk in our organization.
And I think that's really insightful in the sense that it's bringing a very technical topic that a lot of people shy away from because it's very human to not want to feel inadequate and stupid. But if you're an executive in any organization right now that uses the internet, it doesn't matter whether you're planning on having a quantum strategy. If you're using the internet, you need to be thinking about this. Bringing that topic into
relatable data points that can't be ignored. You know, for an insurer to say, yeah, okay, well, business at risk, we can't ignore that. Those organizations are managing to show that progress is possible. They're managing to demonstrate to the deniers that there is a way forward. One of the people that I interact with quite a lot has said, I've stopped arguing about when Q-day is coming.
And he said, it's the best thing I've done in how I approached this topic in the last year or so. So I stopped having that because it's a fruitless debate. It brings us nowhere. And he actually pointed me to NIS2 and he pointed me back to DORA. And you're right in the sense that another regulatory stick would probably give more impetus, but there's not nothing there.
Anne Leslie (31:26.882)
for anybody who's inclined to say.
Well, maybe we could use DORA or NIS2 to our advantage on this. I'd be relatively confident saying, I think there's enough in those regulations to be able to go to an executive team and say, okay, so maybe it's not specified exactly what we need to do, by when, but it's implicit in there that our encryption can't break in a way that's going to cause disruption.
and our encryption can't break in a way that's going to cause a problem for our customers, ourselves, or financial stability. So if we know the date by which certain algorithms are going to be deprecated, well, if we work back from that, by when do we need to mobilize? And start making it about interconnectivity with an ecosystem, and can we stay connected to our partners? And is there a risk that we'll get shut out?
of ecosystems that we're in if we don't make a move. So it's another form of kind of dependency mapping. It's another form of looking at business processes. Again, it does require exactly what you were pointing to, consistent, genuine support coming from above, which unfortunately isn't present everywhere.
But I think like a lot of things, you know, if you look at models of technology adoption, I think it's going to be very similar like this. are going to be the front runners, the people who are doing it out of conviction because they can see it's inevitable and they'll be better prepared and get more payoff from their investment in it. If they do it early, they'll be the fast followers. And then there's going to be that bulk of organizations that kind of get drawn along just by the effect of the pool.
Anne Leslie (33:19.308)
And then the others. The question, though, that I'm kind of thinking about is, you know, what about the others, though? Are those the weakest link in the chain? And does the whole thing come down like a Jenga tower if everybody's not ready to a degree at the same time?
Francis Gorman (33:37.231)
I think that is an unknown quantity at the moment, because what is the population of the others going to be at such a point that this becomes of relevance? It's interesting you mentioned DORA here, because I've often been asked how do you get executive buy-in, and I say you paint it as a resilience picture. You point back to the DORA specification and keep it abreast of cryptographic analysis. But more importantly, look at the browser forum's sliding timeline in terms of public certificates by 20...
God, I've had Christmas breaks and still I did this, that last 45 days by 2029. Is that correct? Could be wrong. I'll fact check that one. And if I'm wrong, I know someone will be on it, but it's sliding to 49 days in the very near future. And that requires automation. And you can't do that manually anymore. So if you're asleep at the wheel, you're going to get caught with a spreadsheet that has all these search and owners that are expiring. And you're going to have to put up
50 people on it, depending on the size of your organization. By the time you've once heard thunderous, going up, we've to get over there and do that one. You know what I mean? So I think there's things happening that may create knee jerk reactions. And that's why I think we probably need to get a bit stronger in the regulatory space to kind of go explicitly. You need to get ahead of this stuff properly. And that could be done by a small change, Shadora or something, and make it kind of a bit more.
Anne Leslie (34:44.002)
Yeah, totally.
Anne Leslie (34:58.988)
Yeah, correct.
Francis Gorman (35:02.999)
A bit more robust, but I do think it's something that's probably needed, because you don't want large populations of businesses that can't maintain trust, and without trust, I'd argue you can't be a business. Yeah, no, it's a fascinating topic that we could definitely talk about all day. But I want to talk about the other fascinating topic in the world, which is AI. While I have you here, you know, we're on a roller coaster now. We might as well keep it up. From you, from where you sit.
Anne Leslie (35:12.951)
No, exactly.
Anne Leslie (35:28.001)
Yep.
Francis Gorman (35:31.163)
You're responsible for cloud. AI is now kind of baked into every SaaS solution, whether you want it or not. You know, there's a EULA there that forces you into an agreement. And even if your procurement team hasn't ticked the box, some guy in another department has approved for everyone. And, you know, it's just there. AI is all over the place. What are you seeing in terms of the AI avalanche, I'm going to call it,
across cloud environments, and what struggles is that bringing forward for control, for security, for regulation, for governance, from your perspective?
Anne Leslie (36:10.178)
I'm seeing a real tension between the velocity of change in the market, the availability of models, the progression of technology, and the ability of organizations to adapt the velocity of their governance and their security and their risk management to adapt to that. Internal processes around governance and risk management, et cetera, they're rigid, sometimes for a good reason.
There is a certain rigidity that's inherent in them. And that's not always a bad thing. But when there's so much going on externally and it's being brought in, or even things that are being developed in-house, and the pressure from the business and the pressure from executives to move at pace. I'm hearing, for example, from peers who'd be working in emerging technology risk, and they're wringing their hands and
their head is in their hands in almost despair going, we keep flagging these risks and we keep being told it's fine and it's being written away with a risk letter. And it's all going to be fine until it isn't. So I think organizations are demonstrating a high risk appetite in some cases. It's not necessarily a bad thing.
I don't know that they fully thought through what risks they're exposing themselves to. And I don't think they've necessarily thought through the unintended consequences of it. You know, one of the things that seems to be happening quite a lot is data being ingested from unstructured sources that hasn't gone through a classification mechanism, but it's fine. That'll be fine.
Because there's pressure from the business and this fear of missing out. And there's a, again, I keep using this word tension, there really is this tension of fear of missing out if we don't engage and build capability and be seen to be doing things in terms of modernizing our internal capabilities and our client facing services and embedding AI everywhere. And then the people who are actually on the frontline of doing things, it's a real fear of messing up, right? It's sort of the
Anne Leslie (38:33.582)
dichotomy between FOMO and FOMU. I would love to see, and I am seeing it actually, I would love to see, I am seeing some organizations learn from the mishaps and the about turns and the detours that happened in terms of cloud migration.
The learning is being transferred from that into what they're doing on AI and they're doing it much more sensibly. So they're demanding that there be a very robust reason for taking on AI, right? So previously the business cases for moving to cloud, they were believable in some cases, but they turned out to be pure fiction. And some organizations have learned from that and they're saying, we're using AI, but we're really clear why.
We're really clear what we're building in-house. We're really clear about what we're buying in from the outside. We're choosing our partners carefully and we can tell that story and we're confident in it. And then there are other organizations where it's nowhere near as structured and nowhere near as governed and people are using whatever AI they seem to think they need and bringing it in and shadow AI is a huge problem. So,
I think in terms of buckets of what I'm seeing, some organizations are really clear about why they're using AI, others aren't. And from there, everything can either go in a positive spiral, or it can turn into something that is just increasingly risky with unmeasured consequences. I don't think we know.
yet about where this could go horribly, horribly wrong. I mean, there's the known security threats for cloud. We're seeing, for example, prompt injection attacks and things like that. They're not new, but we've created another avenue for those kind of exploits to happen.
Anne Leslie (40:52.014)
So when people say, we're feeling completely overwhelmed, we don't know where to start with AI. So start with the basics about what are you trying to do for the business? And then what do we know? Or, you know, start with the OWASP top 10 and things like that. We have industry resources, and without trying to reinvent everything and over engineer things, start with what we have been told for years that we need to be
focusing on and it'll be a really good start. So there are things that are common and lessons that can be transposed and learned and I'm encouraged to see that some organizations are. I'm also very disenchanted by seeing that some organizations seem to have learned nothing from what they did on cloud and are just plowing on ahead with AI and hoping for the best.
Francis Gorman (41:50.191)
I share your perspective on all of this, and I even read during the week, I'm not sure if I remember the source, but about non-human identity risk and it becoming a major red flag for insurers. So basically the premise was insurance companies will not insure non-human identity risk. So agentic AI that has taken actions
that are detached from human accountability was the essence of it. So I think that's going to be a fascinating space when it kind of comes to the fore. And conscious of your time, before we finish up, I just want to ask you, like, you're a phenomenal inspiration for women in tech. Have you got any advice for other women out there who are looking to get into the industry?
From my perspective, you know, you're all over my feed anyway. So maybe I should change gender and go in, because I'm definitely tagging on your algorithm. And I just think what you're doing is amazing. You're putting out these kind of short videos that are information driven. They're useful. Your posts are well thought out. And I just think you're kind of an industry leader now that has a lot of respect from my perspective. And, you know,
It's great to see you forging a path in the industry.
Anne Leslie (43:12.878)
So I think what I'd say on that is I've gone on my own, I hate the term, but I can't think of a better one, I've gone on my own journey, right? In terms of being able to accept compliments like that graciously, because it is a huge compliment. If somebody were to say, you know, you're a role model or you're an inspiration.
I don't feel I'm doing anything particularly heroic, right? In terms of when I think of somebody who's an inspiration, that's sort of where my mind goes. You know, somebody who's doing something absolutely extraordinary. But somebody said to me, it was actually one of my mentees had said to me, you keep things real and you say what you're thinking and...
When I publish content, be it videos or I write a blog, it's often the fruit of me struggling with a question or thinking about something and getting to a point in my thinking where I might have resolved something or I might have come up with another question. And I think what I would say, not just to women, but to pretty much everyone, is that we're all entitled to our voice.
When we share our voice in a generous way, not looking for attention, when we share it in a way which is to say, I'm thinking about this, and maybe you are too. And maybe how I've been thinking about this could help you in how you're thinking about it. And maybe this thing that I've learned could help you. Those kind of voices, I think, are always welcome.
And I see a lot of people self-censoring and I see a lot of people saying, you're so brave putting yourself out there. I wouldn't be able to do it. I wasn't always brave. I was the kid in primary school who used to go and hide in the toilets so I wouldn't get picked for the school play. So it's a learned skill and it's a muscle that you build up. But I think getting comfortable with speaking aloud and allowing myself to have
Anne Leslie (45:29.046)
an opinion on certain things and allowing myself to be visible. It's very liberating. And I would just encourage everyone, particularly women, but in general, everyone, to share. When it's done in a spirit of generosity and it's not attention seeking, you're always going to find an audience.
Not necessarily because you're looking to build up an audience, but you'll always find connection. And I don't think anybody in the world today has too much real connection. I think we could all do with more. So I've met so many people. I've had opportunities come my way. This came about because you and I connected online through content. You just never know. It's like a message in a bottle
out in the universe when you publish something. So much can come downstream. Yes, there are trolls out there. Yes, there are people who might give you a bit of hassle, but on balance, being a little bit visible just opens you up to the potential of meeting a range of people that you would never otherwise come into contact with.
And the benefits of that kind of connection coupled with just the freedom to say, I'm not ashamed of what I think, I'm not ashamed of my voice, I'm not going to make myself small. That would be my main message for people. And if people sort of look at me and go, you know what she's doing, maybe I can too. Okay, well, I did something useful.
Francis Gorman (47:17.891)
Very pure, and I think I'm fully aligned with you. You know, the hardest thing to do is start. You know, there'll always be the trolls, but we'll give a shout out to the trolls. Hi. You know, I've got plenty of those at the moment, but, you know, it's my Friday evening bottle of wine and message reading. So I find it quite a fight. Quite find it quite enjoyable. And it's been a pleasure to have you on. I think the conversation has been...
Anne Leslie (47:28.014)
You
It's a measure of success.
Francis Gorman (47:47.757)
Has been great. I hope that Istra gets something out of it. And thank you very much for coming on the show. Thank you.
Anne Leslie (47:53.976)
Delighted, it was a pleasure.