The Entropy Podcast

Smarter Cyber Strategy with Leonard McAuliffe

Francis Gorman Season 2 Episode 18

This episode focuses on what real cyber strategy looks like versus the outdated “framework + gap analysis” approach. Leonard McAuliffe (PwC) explains that most organizations confuse activity with strategy by focusing on compliance, maturity scores, and annual plans instead of aligning cybersecurity to actual business risk.

The conversation reframes cyber strategy as a business-aligned, risk-driven, continuously evolving discipline. It emphasizes understanding stakeholder priorities, mapping real threats to controls, and treating strategy as a living system that adapts to AI, geopolitics, and changing attack surfaces.

Takeaways:

1. Most “Cyber Strategies” Aren’t Strategies

  •  They’re annual roadmaps or compliance exercises 
  •  Built around frameworks (NIST, ISO) instead of business risk 
  •  Improve maturity—but don’t necessarily reduce real risk 

2. Strategy Must Start With the Business

  •  Engage CEO, CFO, CIO, CRO—not just security teams 
  •  Understand risk appetite and critical processes 
  •  Align to IT, digital, and AI strategies 

3. Focus on Risk → Threats → Controls (Not Maturity Scores)

  •  Define key cyber risks (e.g., business disruption) 
  •  Map threat scenarios (e.g., ransomware via phishing) 
  •  Link to controls and measure effectiveness 

4. Strategy is a Living System

  •  Must evolve with: 
    •  AI 
    •  Threat intelligence 
    •  Regulatory changes 
    •  Business shifts 

5. Prioritization = Risk + Cost Trade-Off

  •  You can’t do everything 
  •  Decisions must be explicit: 
    •  What risk are we accepting? 
    •  What exposure remains? 

6. Regulation Shouldn’t Drive Strategy

  •  Constantly reacting to new regs derails focus 
  •  Instead: 
    •  Build a strong master control framework 
    •  Map regulations onto it 

Soundbites: 

  •  “Most cyber strategies look good on paper but don’t manage real risk.” 
  •  “You’re improving maturity, not reducing risk.” 
  •  “Cyber can’t operate in a bubble; it has to enable the business.” 
  •  “If you don’t fund it, you’re accepting the risk. It’s that simple.” 
  •  “Boards don’t care about maturity levels; they care about real threats.” 

Francis Gorman (00:04.27)
Hi everyone. Welcome to the Entropy podcast. I'm your host, Francis Gorman. Before we dive in, if today's conversation challenges you, sparks a new idea or sharpens how you think about the world, don't keep it to yourself. Subscribe, leave a review and share this episode with someone who enjoys staying curious. 

Francis Gorman (00:32.824)
Today I'm joined by Leonard McAuliffe, a partner at PwC, where he leads the Cybersecurity, Privacy and Forensics practice in Ireland. He has spent years building and scaling a full-spectrum cybersecurity capability, from developing cyber strategies to assisting organizations in implementing those strategies and initiatives across the roadmaps defined. Len also helps run the cyber services for clients in the form of the cyber managed services PwC provide, working with both national and international organizations across all sectors on some of their most complex cyber challenges. His work spans everything from advising boards and acting as a trusted CISO partner to designing security architectures, managing large-scale cyber programs and leading responses when things go wrong. In short, he operates at the intersection of strategy, operations and real-world cyber risk, helping organizations not just defend against threats, but build resilience and take advantage of the opportunities that come with an increasingly digital world. Len, it's lovely to have you here with me today.

Len (01:28.146)
Thanks for having me, Francis. Pleasure to be here.

Francis Gorman (01:31.63)
It's great to have you, Len. And I think today I kind of want to dive into a subject I haven't really touched on the show as our primary conversation, and that is cyber strategy. I think cyber strategy is a really important aspect of a lot of cyber programs that doesn't get a lot of spotlight sometimes. So Len, when you walk into an organization that says, we need a cyber strategy, what do they usually actually have, and what are they missing in that scenario?

Len (02:00.072)
Yeah, a lot of times you'll see organizations, they'll have annual plans, you know, with their list of initiatives in their roadmap for a year. A lot of times that's driven because budget cycles are a year. So they're not very forward looking. And the other thing is that, you know, you'll see that they'll have, you know, a framework like NIST or ISO that they'll be working off. And all they're looking for is, they'll do an assessment against this, see the gaps and look at remediating those gaps. But they're not really taking into consideration then the business risk, aligning it with the business and IT and other areas like AI and digital now as well. And we find that, you know, they're working in a bit of a bubble a lot of the time, as cyber, and they're doing their own projects. But although they are improving maturity levels, they're not really dealing with maybe the risks and the threats and areas they need to be dealing with. And the other thing is that they're not taking into consideration, say, a business or an IT strategy that they could be enabling. I'll give you an example. It could be that the digital team want a more seamless online experience for their customers. That's where information security or cybersecurity can enable by putting in a good customer identity and access management system that makes it seamless for a customer to go in. So these are the things that need to change, not just doing these gap analyses against a generic framework and just plugging the holes of that. That really was an old way of doing things, but not the way strategy should be built nowadays.

Francis Gorman (03:47.288)
So that's interesting, and it kind of leads me into my next question around, you know, what's the difference between a cybersecurity strategy that just kind of looks good on paper and one that the business and IT can buy into, but that also allows you to manage cyber risk against the kind of prevailing attack surface that we are seeing in today's world?

Len (04:05.712)
Yeah, like when we started off, when you look at a cyber strategy, you know, you need the business and IT and end users to buy into it. So, you know, you really need to understand the business and consult with key stakeholders. And a lot of times the CISO is like, what do you need to talk to them for? We know it all already. We know what the cyber risks are. But when we do a voice of the stakeholders, when we talk to, like we said, the CEO, the CFO, the CIO, the chief data officer, the CTO, or the chief risk officer, or chief compliance officer, you will get very different viewpoints on what they want from a cyber strategy and what they want from the cyber function. And I think then when you take the risk appetite and start to really understand the risk appetite of the business and look at their critical processes and assets, right, looking across the whole business, and then making sure that they're resilient to cyber attacks. That should be your focus. And so we do an awful lot of work on understanding the business and then also looking at the threat profile: who would attack this business, and what types of threat scenarios are attacking their sector or their particular type of business, so that you can focus on the important things and the most likely risks. It's just so important to not just manage the IT risks and the threats, but also enable the business, like I mentioned earlier.

So that programs like the IT program or the digital or the AI program, you're allowing it, you're not seen as a blocker, but you're enabling them. An example might be, you know, people rolling out Copilot or rolling out agentic AI. How can we do this in a secure manner and get those initiatives finished and done before the business is coming and looking for agentic AI to transform their business? So that's the important thing about getting a strategy that really works and not one that just looks good on paper.

Francis Gorman (06:04.466)
That's interesting, and I suppose taking those various different viewpoints can formulate considerations that may not be there within the security function itself, because it's an outward look coming back in rather than an inward look going back out, which is, you know, we're always less critical of ourselves sometimes when we're in that singular position looking out at the world. But when that viewpoint comes back in on top of us, it may change some of those perceptions of our reality. So if I was to start off from scratch today and I was sitting down with you and we're going to build out this strategy, what are the key structures I need to put in place to get it right up front?

Len (06:44.624)
Yeah, I think, like we always, and I always like to first start off, it's going to be the CISO and their team just to get their very high-level views. It's not saying that that's going to drive the whole strategy, which is important, but you do have to kind of get the feel: what do they think? Then, like I mentioned, we call it the voice of the stakeholders or key stakeholders, key people at C level and maybe a layer down below as well. It could be, for example, the chief risk officer, and how are we managing cyber risk or how they would like to see it managed, et cetera. It could be the CFO saying, we only have X amount of budget, so I don't care what they want, that's all they're getting. And then you'll have a CEO who says, well, I just need this business to be resilient, and our critical processes, they're the things I worry about cyber risks affecting. So we take all of that information from the voice of the stakeholders, right? And what we're doing is we're getting inputs, data inputs, all the time before we go near looking at strategic priorities. We then look at the threat profile and the modelling, as we mapped out, where we're looking at the risks, the key risks, the threat scenarios that go with those risks. And then also looking at, okay, what control frameworks they have and controls they have in place to kind of get an idea of what their threat profile is at the moment. And then there's the big lump of work, which is you do a current state assessment. Now, this is the old way, where you look at an industry framework like NIST with all its security controls, which is excellent, or ISO. And you do your gap analysis, but that's not the be-all and end-all. You do look at those gaps as well. And then you look at other internal and external factors of influence that may drive the strategic priorities for cyber. And then we take all of these inputs and we do a SWOT analysis. And that then helps us derive the insights that inform the strategic priorities. Once you have those strategic priorities done, you can start building out the rest then underneath.

Francis Gorman (08:48.204)
And those strategic priorities, Len, that you're talking about, internal and external factors are obviously key there. So when you think about internal and external factors, what are the key kinds of areas that drive those strategic priorities at the far end of the strategy?

Len (09:03.376)
Yeah, I remember first when one of our financial regulators was reviewing cybersecurity in a lot of our FS clients. One finding that was always coming up is that the cyber strategy doesn't seem to be aligned with your business strategy. So when we're talking about internal factors of influence, I'm talking about ensuring that your cyber strategy is in line with your business strategy. Also taking into consideration your IT strategy and how you are going to enable IT and their different initiatives and their roadmap. You'll find a lot of times now a chief data officer is going to have a data strategy that you need to look at around data security, data risk. You'll have a digital strategy, which a lot of times will incorporate AI as well. This is another internal influencing factor that you have to take into consideration. And then you have to look at all the past kind of cyber risks and incidents and how they reported that, to build that good, what I would say, internal-focused set of factors that you need to take into consideration. On the external side then, it's very important that you look at competitor analysis: what are others doing in your sector? And we look at current and emerging technologies. It could be AI, it could be quantum, and how is that going to affect that strategy in the next one to two to three years? We look at the general global cyber threat landscape as well, which is an external factor. Regulatory and the EU guidelines always play a big factor as well. And then also, finally, geopolitics you have to take into consideration. And that kind of sums up a lot of the external factors. So taking those internal ones, taking those external ones, and then putting them together, doing your kind of SWOT analysis, you then filter out what are the key strategic priorities that will drive the strategy for the next one to two to three years.

Francis Gorman (11:08.473)
And I suppose you talked about that SWOT analysis. So for anyone who doesn't know, it's strengths, weaknesses, opportunities and threats. And they're kind of like your key table that you can cross-reference and kind of go, we're strong here, we're weak here, opportunity to do something good here, et cetera. But you touched on something interesting there, and it touched on AI and you touched on geopolitics and the impacts they may have on your strategy. I feel like cyber strategy life cycles need to shorten down. You know, your business strategy could be five years. Your technology strategy could map to a similar length of time, but the world is changing dramatically with AI and with geopolitics. Like, we don't know what's going on week from week. So how do you keep your cyber strategy, I suppose, relevant but yet aligned to the overarching cause of the company?

Len (11:51.505)
Yeah, it's very important because, you know, a cyber strategy, us trying to predict one year, two years, three years, is so difficult. So it's an evolving strategy and a living document, we always call it. And what do you need to do? So for example, if you're looking at your cyber risk profile, which is huge in this, right? There could be new cyber threats that come out within three months, six months of your strategy that weren't even there or even thought of. And you would hope that we would be predicting some of them, but as you know, the way AI burst onto the scene, for your strategy, you might never have taken that into consideration. So you constantly have to take your threat intelligence feeds, and we'd say you're looking at them really monthly and quarterly with your threat intelligence teams, and can they say, okay, do we need to change something here? Do we need to invest in something new? And you're looking at, there could be a new reg that comes out and the timelines are, you know, tighter than you thought, within one to two to three years. And you need to look at, you know, emerging tech that's coming out. Again, if you were doing a strategy two to three years ago, you know, would you have thought the impact of AI was going to be so high, you know, especially if you're going back three years? Probably not, but now it's one of the biggest risks that we have. And then you have to be aware of changes to your business and your IT strategies as well. So they may have changed their approach, or some new business opportunity is coming out and they want to go online or want to launch a new product. And you have to be aware of all of these things and be willing to, at least, we always do an annual review of a strategy to see if it's in line. But look at those other factors like the threat profiles, changes to the business, changes to reg, emerging technologies, constantly, to be updating the strategy as well and monitoring and making sure it's fit for purpose at the end of each year, or does it need updating?

Francis Gorman (13:58.576)
They're really key insights, Len. I suppose, like you say, you build a strong foundation, but then it's a living artifact on top of it that needs to be reflective of the world that surrounds us and all of the various complexities that we're seeing on a day-to-day basis emerging within that world. And that kind of leads me to my next question. So you do all the work, you do your analysis, you do your internal and external checks and balances and alignment with your various different strategy types across the organization. Then how do you decide what not to prioritize? Because you've got a whole list of roadmap items that you want to execute on, but you've only got so much capacity within your cyber function, within your change function. You know, you have that real question: I want to do it all. But the CRO says you've got five million quid. So how do you balance that?

Len (14:41.916)
Yeah, the usual one. Well, I suppose just taking into consideration the process there. So we've taken all these inputs, we've filtered them all down, and we have our strategic priorities. And underneath the strategic priorities, then you say, OK, what are our strategic objectives? And how do you make them SMART objectives: specific, measurable, achievable, et cetera? And then once you're happy with them, then come the initiatives underneath. So here's our SMART objectives underneath that strategic initiative or priority goal. So you have your SMART objectives. And then the last piece is your strategic initiatives. How do I actually implement these objectives? And that's where the strategic initiatives are all going to be mapped out. But there can be many. And you may not have the budget to implement all of these initiatives, and more often than not you don't. And what's very important is that you take a kind of a risk and cost-benefit approach. Constantly, every year, CISOs go, well, we can't do that project, and you're kind of, well, is it because of the number that was there and it just got cut, or was it down the list? A lot more thought has to go into what goes out.

And when you ask the business, and CISOs aren't typically very good at doing this, well, okay, we'll accept that it's only X amount of budget. What they need to do is say, well, if we don't do this, right, this is the risk exposure that we have in our organization. And then it's back to the CRO or back to the COO. Are you willing to accept that risk exposure? If so, fine, that's your risk appetite. That's okay. But you do have your job as a CISO, your job in cyber, is to say, well, okay, we only have X. I would take a risk-based approach. What's gonna manage your major risks or major threats? Let's focus on those projects. But if there's ones that you're kind of worried about, I would be explaining that if you don't do this, this is your risk exposure. And maybe I'd have to push for more budget or say, okay, we'll deprioritize this one.

Len (16:59.724)
And because we were using it as a business enabler for X, these are decisions that you have to make. So a risk and cost-benefit approach to each one of the initiatives before you cut is what I would say.

Francis Gorman (17:12.089)
You know, that's a really interesting take. And it often gets lost. You know, it's OK to say, I told you, but you accepted. But it's not OK to say, I accepted, but I never told you. And that's interesting. There's a key differentiator there in terms of the exposure and risk to an organization that may not be properly articulated if you kind of hold that back without painting the picture. And I suppose that brings me on to a question. We talked about maturity a little bit earlier on. We touched on maturity levels. Are organizations still reporting cybersecurity maturity levels to boards, and does this really reflect, I suppose, the cyber risk of an organization for the business, or is it kind of thematic, based on frameworks?

Len (17:54.013)
Yeah, this is a really important question. And you know what? Boards are getting more informed, more educated, smarter when it comes to cyber risk, you know? And what I've noticed when you're doing board presentations or going in with a CISO to kind of look at their cyber risks or an update, I've noticed boards are kind of going, okay, we've been doing these maturity levels for the last number of years, you've gone from a two to a three, and here's the investment we made to bring you from a two to a three. But then again, they ask the question, but are we protected now from the real risks? And the maturity levels aren't telling you that. They're telling you that you have implemented or fixed gaps against a generic framework. And it is good. Listen, those frameworks are good. They are mitigating a lot of risks. But I would want it to be more concentrated. What are the specific risks to my organization? And then what are the threat scenarios? So there's a risk. And I'll give you an example. Just say your cyber risk was disruption to your business operations. So you probably have around eight to ten cyber risks. Then you say, what's the threat scenario? We'll just take an example of a ransomware attack that could disrupt. That's the threat scenario. Then what's the threat vector? Well, you could use phishing to deploy that malware. Okay. So now you're looking at, okay, how do I map that now to my control framework, which is typically a NIST control framework, and what are the key controls that will mitigate that threat? And it could be, you know, security awareness. It could be your network controls, your detection controls and all that. So you map them to these exact threat vectors that are most likely for you. And then you feed in the operational metrics to say, these controls are operating well, they're operating as expected, they will mitigate this threat, which reduces this threat scenario, which reduces your risk. That's the way you have to start looking at things now: not just maturity levels, but tying it to risk, tying it to threats, and then mapping it to your controls and seeing if those controls are operating effectively.

Len (20:11.336)
to bring it within your risk appetite. That's the way mature organizations do it, and it's what boards are looking for. Like, they're looking for a dashboard where they can go, well, there's a key risk, there's its trend, why has that gone up or down? They can click into it and say, well, okay, we acquired this new organization, we don't have the same percentage of coverage and that's why our control has kind of gone down, it's increased our risk, I get it. That's the kind of information now that boards are expecting, that you can drill down and show your risks, your threats mapped to your controls as well.

Francis Gorman (20:45.007)
That's really interesting, and I think that resonates a lot with me. If I look at a lot of strategies over the last five years, they were zero trust based. But now we're in an implicit trust world with agentic AI. What does AI want? Access to all the data with a high permission set against everything, to do whatever it needs to do. So you've got two worlds playing against each other: security going zero trust, AI saying, I need implicit trust. And now we've got to figure out how do I map in between all of that to kind of bolster the security aspects, but still allow the business to meet their outcomes. So I think that is, when you paint that picture around the threat from the outside in or from the inside out, or once you're inside an organization, I think that's become more complex, but also really, really important to kind of articulate. We have made these decisions to move in this direction. This has actually moved the risk dial in the opposite direction, and therefore our maturity may say one thing but the reality is something different. So I think that's a watch item for me in the next couple of years as the technology space kind of evolves even more, particularly as it relates to AI. I want to ask you a question about strategy and how much is driven by regulation versus actual real risk. This is something that I have a bugbear with. I kind of go, we have a strategy because regulation says we should do x, y, and z, but it doesn't account for the actual real tangible risks like we just touched on there.

Len (22:15.91)
Yeah, you know, this is a bugbear with me as well, I have to say. You develop a strategy, you've put a lot of work and thought into it. You know, you have your strategic priorities, you have your objectives, you have the initiatives that are going to implement these, and they're there to mitigate those top risks that you've already threat modelled out, right? And then what happens is, you know, a regulator comes in with a few findings and it's like, scrap all that, let's just concentrate on getting these done. What I would always push is that if you're doing it the way I was outlining, you have your cyber risks there. You have all your threat scenarios. And now you've mapped them to your controls framework. That to me is the key bit, right? Your controls framework should map to any regulation that comes out, whether it's DORA, whether it's NIS2, and an awful lot of them are the same. There's a lot of duplication, but you can map them to your master controls framework, so it's just like NIST, and you'd have to add in some ones definitely, all right, and especially in NIS2 around, you know, the OT side, which it doesn't cover well. But once you have that master controls framework, I don't care what regulation's coming in, you're able to report that here's the controls in my framework. Here's the new regulation. Yeah, we can map that to that. We can map that to that. I'm not going to get too excited about this new regulatory framework because, you know what? We have a good controls framework and it's managing the risks. And I would argue with any regulator, we've gone in, we've identified our key cyber risks, we've identified all of the threat scenarios, vectors, and now we have mapped the controls framework to make sure that we're managing that risk properly. I mean, that to me is the ultimate answer. Don't worry about new regs coming all the time. Just make sure that you're, and you will have to update your master control framework, you know, and maybe add in some ones under this too, but not too much. It shouldn't change that much. You shouldn't be worried about every reg coming along.

Francis Gorman (24:28.143)
a lot of sense, Len. I think one thing that's kind of popped into my mind as we're speaking is, you do all of this work, but then how do you measure and qualify that you're making good investment decisions off the back of it? Like, that in itself is almost a skill set that needs to be sharpened over years by CISOs, because you've got so many different asks, so many different needs, but when you spend money in cyber, you don't necessarily get a return on investment that's visible, but that service protection element is key. And I don't know if that gets articulated enough within businesses.

Len (25:06.118)
Yeah, we spent a lot of time, we built out this managed cyber risk framework. And it's basically what I'm saying to you there: your risks, your threats, and you then map them to your controls framework. Now in the background, you have a security program that's improving these controls. So for example, it could be an identity and access management program to improve and enhance all your privileged user access management. So when you're looking at your controls framework and these identity and access management controls, the investment of that project, for 500,000, improved all of these controls. You map it back: it mitigated this threat, reduced this risk. And then you are getting into kind of risk quantification of the investment that we made here. And we do use FAIR to quantify how well a control is designed and operating effectively. So we quantify that. The metrics feed in to say that control is operating effectively. The investment in the change program, your security program, has shown that the improvement in these controls has reduced this threat and reduced our overall risk. That's your way of showing the investment in the program, which is the initiatives in your roadmap, really, in your strategy, how that's improving your controls, mitigating the threats that we've mapped out and then reducing your overall risk exposure. This is the best way to show, you know, to board level and to C level, that these investments are really improving our cyber risk posture.

Francis Gorman (26:50.607)
That's great advice, and it's measured and, I suppose, pragmatic as well, which is always a key litmus test when it comes to these things. Then I look at, I think we've got a great overview on kind of how you construct a strategy there and kind of the key watch items and the key building blocks that bring it all together. You have a lot of visibility across organizations and across industries due to where you're positioned in the Irish market. What do you see as the biggest cyber risk facing organizations at the moment?

Len (27:20.976)
Yeah, I think what we're seeing, and you know, there's a survey coming out every week on these, you know, including our own PwC ones. But, you know, the dominant cyber risk I've seen is identity compromise. People aren't exploiting vulnerabilities in zero-day attacks. It could be, you know, LinkedIn or wherever is hacked and their database has been sold on the darknet and all your login credentials are there and people don't change them. They reuse the same passwords. So an awful lot of the risk we're seeing is identity and identity compromise. And you'd be amazed at the lack of multifactor authentication to try and mitigate that risk. So we're seeing that people aren't cracking hashes or brute-force cracking passwords. What they're really doing is just taking credentials that were stolen from another website, your username and password, and reusing them against SaaS and applications and software to try and get in, whether it's Outlook or whether it's any cloud application like that, that they can authenticate into straight away. So this identity compromise is kind of lost or stolen or social engineered from a person, their credentials, and then people logging in to SaaS solutions and getting access to data. The other rise we're seeing is AI-enabled social engineering. You know, I saw a brilliant demo the other day of someone using AI. It was a spoof of a person in their organization who joined the actual Zoom call as well and was speaking with their voice, with, you know, obviously the right face for the employee. It's very hard to defend against that, you know, when there's that level of social engineering through impersonation being done with either voice or video. So we're seeing a rise in that, in the AI-enabled social engineering. I think ransomware-driven business disruption never kind of goes away as that threat, you know, and we've seen it in recent attacks that are geopolitically motivated. This is still a go-to for hackers. And third-party supply chain exposure.

Len (29:48.977)
If you're rock solid, but there are third parties accessing your organization, why don't I just compromise one of those that mightn't have the budget and mightn't have the security controls that you have? I'll just piggyback in off them, and they have admin access to your organization because they're supporting some software inside, and that's their way in. We're seeing a lot of that. And then typically cloud control failures, like cloud misconfigurations, cloud sprawl that people didn't know about, and leaving themselves exposed in those areas as well. They're the main kind of cyber risks I see facing organizations at the moment. And it's amplified by geopolitical instability then as well.

Francis Gorman (30:30.083)
And just to add petrol to the fire, the geopolitical stability is driving it all. And we saw that resonate with the attacking cork on Skylar Medical, where the Iranians basically destroyed that.

Len (30:32.68)
Yeah.

Francis Gorman (30:42.785)
organization's core technical capability because they were an American entity in Ireland. Like that geopolitical lens is definitely there. The deep fakes or the vectorization using AI is also an interesting one. You know, I think we may issue all of our senior leaders with a pack of cigarettes because when you're smoking, it breaks the vector, you know, health warning. But you might save the organization a few quid. So, yeah, I don't know how we're going to realistically protect against some of those things. So like

Len (31:07.24)
you

Francis Gorman (31:12.729)
It's definitely, there is a market there for a plug in that, you know, does vector analysis on lighting temperature composite video types, but yet not going to be straightforward. So that can ask me like who's winning right now in the ice base is the attackers or the defenders. It's a complex world out there.

Len (31:19.57)
Yeah.

Len (31:30.632)
It is, and you see that the attackers have an advantage, right? They can move quicker because they have less friction. They don't have to go through the same governance. They don't have to go through the same, you know, design boards, et cetera. Anytime you want to build or implement a new security AI solutions, you know, and attackers only have to be successful once. We need to be successful all the time when we're defending, you know? So I do think because they can move quicker and develop tools quicker.

that they definitely have the upper hand, you know, and, you know, there's a lot of people, there are excellent AI tools out there for defending, you know, whether it's, you know, doing your level one SOC analysts and, you know, but it still has to be fed really good data and good signals and all of that. So I do think attackers are moving quicker, less friction, less governance, and are winning this at the moment. But we

We will catch up and we will get it right, but there's a lot of building blocks that security teams have to put in, whether it's the cleanliness of the data, the signals, et cetera, that's coming in. You know, rubbish in, rubbish out. You know, you could build a great AI solution, but you need to get all of those basics right as well, which a lot of organizations do struggle with that data governance, data cleansing, classification, that side of things.

Francis Gorman (32:58.519)
Yeah, no, it's very true. And I think that the data lifecycle management is kind of one of the most key parts of AI. It seems to get forgotten when we try to rush to get it in. I remember there's a great example from one of the airlines where they query their prompt engine. You know, I'm on a boat and whatever. Where is the exit door? You know, it's row three. It's row five. There is no exit door. And what's happening here? And then they realized actually version one, version two, version three of the same document was.

was in there and LLMs being LLMs, when they indexed, they looked for the first take that met their core criteria and spit back the answers. Like, you know, that data cleansing and data lifecycle is a really key consideration and can really mess up your workflow.

Len (33:43.305)
Especially if you're looking to make decisions to auto defend you. You got to get it right. And now I think, you know, it'll be and it still is in all fairness is that, you know, people are building tools, trialing tools. but there is always, you know, the man in the middle and oversight there as well, because as you say, it does make mistakes, but you can't really make mistakes like that when if it's defending against an attack.

and you just got it wrong, wrong documentation or wrong data that fed it. You know, so I think we've a bit to go on the defense side. But I think the good thing is there's a lot of software solutions and providers building AI into their products already, which are good and mature products. So it's just getting that AI piece right. But then that opens up another

area of risk where third parties are enabling AI and processing your data in a way as well that you have to be wary of. There's a long way to go on this yet.

Francis Gorman (34:51.639)
Yeah, that's one of my other bugbears. I call it the Matryoshka effect, like the little Russian dolls. You know, you've got solution A but it's using solution B, C, D, E, F, G. Where did my data go? You know, who's the engine at the back end that's doing the process and just.

Len (34:56.998)
you

Len (35:07.496)
Just to kick that point, we were doing a workshop and our AI security team and we were discussing, when you have agentic AI and you have an agent that you built and it's great, it can access that piece of data and that piece of data and do that and do something really clever and brilliant. Now you can tie that agent to that agent to that agent. How the complexity of managing

Each agent now has to have an identity, so it has an owner, right? And then the identity and the access management. So now it can access that data, it can access that data, and that data. Now that agent is there keeping control of that, and making sure there's not toxic combinations. If you access that data and that data, the person shouldn't have both. It's really complex. So implementing agentic AI.

is so important and that area of identity and access managing and managing all that, which is just one of the areas you still have to fill in, you know, the DLP risk, you know, you have to fill in the, you know, monitoring and make sure that that's all working as well. But it's very complex and we need to get our heads around it quick, you know, and there are solutions there and our guys are architecting those out and helping organizations, but it took a good while to figure it out how you could do it with tool sets that were there already.

Francis Gorman (36:32.643)
It's also very costly. I think Microsoft came out in the last couple of weeks and said, each agent is an identity, each identity needs a license. They go, so now I'm paying for the AI and I'm paying for the seat for the license. Is that another E5 license I need somewhere for my agent who's doing all this stuff that the human used to do? So it's yeah, it's definitely a complex ecosystem from a security viewpoint, from an organizational viewpoint and now from a cost viewpoint, because the costs are hidden. You know, it's tokenization, it's license requirements, it's

Len (36:39.79)

Francis Gorman (37:01.977)
privileged management. It's the tooling that you already deploy against your interactive users. And these are essentially another layer of interactive user on your estate. It is highly complex, especially as that footprint grows into the hundreds or thousands of agents. Before we finish up, Len, I want to ask you, there's a lot going on in the cybersecurity space at the moment.

Len (37:18.546)
Vaginous virtual work.

Francis Gorman (37:29.921)
Are there any trends that you would take right now or just overhyped? It's vendor land trying to push a new idea and it's just not where it needs to be or we don't need to buy into it from an organization standpoint.

Len (37:44.559)
Yeah, I think we're on the topic. What's overhyped? I think "AI will solve cyber security" is very badly overhyped. AI absolutely matters, but the way it's being sold is a bit ahead of reality. I think AI amplifies it both for attackers and defenders, but it doesn't remove core cyber risk on its own.

So kind of what's getting overplayed is these autonomous SOCs, replacing analysts and defending, you know, magically detecting breaches, you know, without strong identity or logging or governance. And then vendors employing that, you know, that AI compensates for weak fundamentals like your identity and access management, asset management, patching, all of those foundational and basics still have to be there. And AI will help us.

But again, I think the areas around clean signals, good identity hygiene, governance, faster alerts, maybe with the wrong problems. We need to sort out all of those first. And I think there's an awful lot of hype around it that it's going to solve it. And it'll defend against attacks in real time and all that. We've defeated the right architecture and also the right data signals.

good hygiene, cleansing as we taught for it to be able to work effectively. So I think that's probably one of the biggest hype ones at the moment.

Francis Gorman (39:14.223)
Yeah, I was giving a talk in Dublin. There was a few hundred people out of the a while back and I asked a question near the end of it. Has anyone replaced their security team with AI yet? And I was very disappointed. No one put their hand up. So on that note, Len, it was great having you on. I think the conversation was really informative and the listeners get a lot out of it. But thank you for taking the time to speak with me today.

Len (39:23.445)
I can build a pot there to do my job.

Len (39:42.716)
Pleasure. Enjoyed it. Take care, thanks.

Francis Gorman (39:46.746)
Thank you.

Len (39:52.712)
Yeah that seemed to flow nicely didn't it?

Len (40:00.931)
It's a jam.

Len (40:06.655)
Yeah, yeah, yeah, yeah nice content and there are a few nuggets for them

Len (40:19.699)
on June 2.