Cutting through with KSIB

Episode 7 - Kristin and Steve on 3 key AI related topics

KSIB Season 1 Episode 7

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 12:56

Kristin Stubbins and Steve Brown review key topics related to AI and cyber security. 

This episode focuses on 3 key areas: 

  1. The stunning announcement from Anthropic regarding the new Mythos model and the cyber security risk it poses for Australian companies 
  2. Anthropic and OpenAI – how good are they really and what you should be thinking about from an enterprise perspective 
  3. How all Australian companies might participate in the AI revolution without needing to invest a fortune 
Kristin Stubbins

Hello everyone and welcome to episode seven of Cutting Through with KSIB. I'm Kristen Stubbins and I'm joined by Steve Brown. And it wouldn't be a KSIB newsletter or podcast without talking about AI. So with everything that's going on, there's just so much to talk about. And today's episode is going to focus on three key areas. Firstly, the stunning announcement from Anthropic regarding the new Mythos model and what that means for all of us from a cybersecurity perspective. Secondly, Anthropic and OpenAI and their models, how good are they really? And what you should be all thinking about from an enterprise perspective. And then finally, we might explore a little bit about what Australian companies should be thinking about as they participate in the AI revolution without needing to invest an absolute fortune. So let's start off with Mythos, which is really Steve's area. So on the 8th of April, Anthropic announced it had built an AI model capable of autonomously discovering and exploiting previously unknown security vulnerabilities. This model is called Clawed Mythos. You may have read about it, and it has found flaws in every single operating system and every major web browser that it was pointed at. So, Steve, as the expert in this area, why is Anthropics announcement about Mythos a game changer, given we've had so much discussion over the last few years around cybersecurity?

Steve Brown

Yeah, great question. Well, it's a new class of AI model that, like you said, is significantly better at finding vulnerabilities and exploiting them. And that means it's up there with some of the world's best hackers. And the fact that it can do this, um, not because it was deliberately designed that way, but just as a side effect of better reasoning, means that it's really signaling the likely introduction of other AI models with similar capabilities. Um and that means while it still takes humans several weeks to patch a vulnerability, AI can be out there finding and exploiting those vulnerabilities in you know minutes or hours.

Kristin Stubbins

Yeah. So there's a real asymmetry in the way that you know the AI might be used and the way these issues might be fixed in a company using more traditional methods.

Steve Brown

Exactly. That's right. Humans are normally in the loop in in terms of fixing these things. But if AI is there automatically finding them, then at least in the short term, hackers have a strong advantage, which is why Anthropic didn't release this model publicly yet.

Kristin Stubbins

Yeah, I mean, I will ask you, uh, and we didn't we didn't talk about me asking you this, so it's completely ad hoc. Um, what do you think about the rumors that this is all a bit of marketing spin from Anthropic, Steve?

Steve Brown

Well, that might be part of it, but certainly I think we've seen Anthropic just come out with a new Opus 4.7 model um with you know slightly better reasoning capabilities. Um, and this is meant to be significantly better than that. But yeah, behind the scenes, there's also a lot happening around how does Anthropic get the compute capacity they need to actually deliver this model as well.

Kristin Stubbins

Okay, so from an Australian perspective, which I'm always very focused on, you know, what are the practical implications?

Steve Brown

Uh for Australian organizations, I think well, everyone really needs to consider their operational resilience against this AI accelerated attack or, you know, potential attack. And, you know, without a strong focus on vulnerability management and how cybersecurity controls may be automated, there's a strong risk, I feel, of organizations falling victim to mythos-like capabilities when they become publicly available.

Kristin Stubbins

Yeah. And so is there anything that you would particularly recommend? You know, what should Australian businesses be starting to do?

Steve Brown

I think in any kind of cybersecurity sense, the first answer is always visibility of their current environment and a strong understanding of what the threats are out there that they might be vulnerable to or have exposure to. And then specifically in terms of this AI capability, is then just working through what are the defenses that they currently have and how they might bolster those defenses proactively in advance of this AI becoming more common.

Kristin Stubbins

Yeah. And when the AI tooling does become available, you'd be saying you've really got to start to assess, should you be engaging yourself with using those models as a defense?

Steve Brown

Well, absolutely. So if the hackers have got access to it, you need to be hopefully getting access sooner than them.

Kristin Stubbins

You're not making me feel really reassured about this. So are there particular industries that you would think would be more vulnerable than others at the moment?

Steve Brown

Certainly those that are targets for financial crime. So financial services, banks, and super funds, that's where the money is. Secondly, those organizations with legacy systems that may have more vulnerabilities or slower patching cycles. So historically, that's been healthcare, governments, and universities. And then organizations with a large stores of personal information, which are common attack targets for ransom purposes.

Kristin Stubbins

Again, not particularly reassuring. So I I think the key message here is for everyone to be really aware of this and making sure that you are in the planning mode. Because as soon as the models are more widely available, you need to be thinking about your strategies and how you're going to adopt them yourselves as a defense mechanism.

Steve Brown

Yeah, and I think just be very concrete. So what are the risks? What are we doing about it? When will it be done? Um, have it front of mind always with clear targets.

Kristin Stubbins

Okay, so maybe moving on to something a bit more upbeat, which is um because we've started with the terrifying aspects of AI and now we're moving on to the exciting aspects. And we at uh Ksib are huge Claude users, very excited about Claude. Maybe, maybe too much sometimes. I think we start to treat Claude as a team member sometimes in terms of our thinking. But we also have OpenAI. Uh, and many companies are like us starting to get excited about the co-work features available. Um, also, some companies are starting to explore how they might let's call it vibe code with Claude. So, what would be your key messages to companies about this and some of the things they might need to consider?

Steve Brown

So, for these capabilities in general, I guess the question is, you know, how can you take advantage of AI capabilities? Um, and then secondly, how to look out or what are the concerns with vibe coding? So, on the first part, I'd say um, you know, you won't know what's possible unless you try it in a considered way. It's sensible to start with what you call augmentation of existing stuff, uh, which I'm sure people will be doing with their chatbots. How can you use AI to help you draft existing material or research stuff, do analysis? Uh, and then organizations might move into uh workflow integration. So, how can you embed those kind of AI-augmented processes in your business day-to-day processes in a repeatable pattern? And then, of course, getting to agentic workflows, can you build AI agents that help automate stuff that is human-based, manual, intensive, um, but repeatable and controlled as well? And you've got to do that obviously with the right framework from the outset as well.

Kristin Stubbins

Yeah, so there is an opportunity for Australian companies to explore all of these business problems using AI. And I guess we're keen to think about how we help companies do this without needing to invest a huge fortune, because most companies simply are not going to have armies of data scientists and technologists that are going to be able to build all of this within their environment. So the way I guess I was thinking about this and our experience with the work we've been doing today is that a business problem, which is really important, we have to start with a business problem or opportunity. But let's just say a business problem that was previously really difficult to tackle could now be resolved through some of these enterprise builds that you were just describing, whether that be through agents or other means. So, one example could be if you're seeking to improve the knowledge transfer throughout the organization, you may want to consider using some AI-based knowledge retrieval systems or some chat features. It could be fairly innocuous and easy to do. Um, you could have a customer uh contact center, you could have clients or customers interacting with an agent in certain circumstances, and the agent could actually be performing some tasks or it could be augmenting the human who's engaging with the clients, as you just talked about. So there's many different models that that are starting to emerge, and it does actually involve much more than just technology, it's it's really business model change. So if you don't have this army of data scientists and technologists to help you build all of this, my key message is you've really got to start by understanding the business problem or opportunity that you're seeking to solve. Then you need to look at what is possible and what is the appropriate technology. They're sort of the starting points. Because it may be, Steve, that it's not AI that is needed. It might be some other technology that's more appropriate and, you know, less expensive. So I'm sort of thinking, you know, if we're advising clients, it's very much start with the business opportunity or problem and then strategically look at the way that you might want to solve that problem. It's just that now we've got this sort of um almost like an army of graduates available to us to do things at warp speed. But, you know, would you agree with that?

Steve Brown

Yeah, I think that's the right approach. I might just touch on the vibe coding question too, because that looks like a very attractive way to make progress. Um, but what you're really building with vibe coding is the Hollywood movie set. So something that's looks great from the outside, built with cardboard and sticky tape, and will probably fall over in the next big wind. Uh, not something that is suitable for enterprise grade or corporate, you know, systems that you're going to use embedded in your workflows and systems. So the other aspect of what you said is how do organizations get the right help to take the right first steps, and hopefully those steps will be successful steps then.

Kristin Stubbins

Yeah. And I guess what we're seeing is there's many different options to actually, once you've decided your strategy and what you're going to build, you know, how you go about that. So you may, for example, have a validated use case and you might say engage specialists to help you build agents or a platform or a system within your environment and then have that ownership transferred to you. But then you're also going to be responsible for the ongoing maintenance and development and all of you know the associated, I guess, risks with that, including having the expertise in-house to be able to manage it. You might, as another option, engage specialists to build and manage this for you as a bespoke managed service holistically, or you could, in many instances, buy an off-the-shelf platform or a managed service that's available to everyone. So I guess the overall message from us is you can do it all really in different ways, even without an army of technologists and data scientists, but you have to look at it strategically, what technology is appropriate, whether you should build versus buy. And then there's a whole lot of other opportunities and risks to consider because there's a whole lot of new risks that come with using um AI and LLMs. So our focus is really on helping you choose what would be the right options and the models dependent on your business need. We can also help you with the build or the buy or any of those options that you explore. So, as usual, lots and lots happening in the world of AI, which we are simultaneously excited and terrified about. We are set up to help you cut through this complexity, and we can mobilize many experts to work with you to help you understand the possible strategy and the risks and the opportunities. As I just said, we can also help you build the solution or build it for you. So reach out to us at kristen at kisb.com.au or steve at kisb.com.au if you'd like to discuss any of this further.