The Risk Apogee

How a Public Sector CISO Prioritizes Risk When Every Dollar Has a Human Cost

The Risk Apogee Season 1 Episode 8

Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.

0:00 | 44:40

Public sector cybersecurity leaders face a resource equation that doesn't exist in the private sector: every security investment is weighed directly against public safety, housing, and essential city services. Austin Davis is the CISO for the City of San Jose, the twelfth largest city in the United States, and a veteran whose career spans military service, law enforcement, and enterprise security.

In this episode of The Risk Apogee Podcast, he and MK Palmore work through why cybersecurity leaders in government operate under fundamentally different budget constraints than those in the private sector. How pension obligations and procurement rules compound the staffing challenge, and why the cybersecurity profession still lacks the kind of universally adopted career pathway that exists for physicians, attorneys, and pilots.

Austin also addresses AI's rapid, often unannounced integration into legacy city systems, the governance gap it creates, and the real defensive potential he sees once the right human-machine boundaries are drawn.

Things You Will Learn:

  1. Why public sector cybersecurity budgets compete against fundamentally different priorities than enterprise budgets, and how that changes every risk conversation.
  2. Why the cybersecurity profession's lack of a universally adopted career pathway is a structural driver of the talent shortage, not just a training gap.
  3. How AI is quietly being added to legacy government systems, creating new security risks that many organizations don't realize they've inherited.

Tools & Frameworks Covered:

  1. Audience-Specific Risk Translation: Austin's practice of reframing cybersecurity risk in terms that match each stakeholder's operational reality: financial impact for finance teams, operational readiness for law enforcement, service continuity for department heads. The principle is that the same risk must be communicated differently depending on who needs to act on it.
  2. Professionalized Career Pathway Model: The argument that cybersecurity should adopt the kind of structured, universally recognized career progression used by medicine, law, and aviation with defined skill gates, hands-on progression, and a clear distinction between foundational certification and practitioner readiness.
  3. Legacy System AI Governance: The emerging requirement to re-review previously approved systems when vendors push AI components into existing products, since the original security review no longer reflects the system's actual risk profile.

#PublicSectorCybersecurity #CyberWorkforce #AIGovernance #RiskLeadership #EnterpriseRisk

🎙️ Thanks for tuning in to The Risk Apogee Podcast!
If you enjoyed this episode, don’t forget to follow/subscribe so you never miss an inspiring conversation.

✨ Connect with Apogee Global RMS for more leadership insights:
LinkedIn: https://www.linkedin.com/in/mkpalmore/
Instagram: https://www.instagram.com/apogee_rms/
X/Twitter: https://x.com/apogee_rms

💼 This episode is brought to you by Apogee Global RMS – experts in risk management solutions. Check out their website to learn more about how they can support your business.

Let’s keep growing and leading boldly. Until next time!



SPEAKER_00

Austin Davis has spent his career leading in environments where security, public trust, and mission execution converge. With a background spanning military service, law enforcement, and public sector cybersecurity leadership, he brings a unique perspective on managing risk in an increasingly complex world. In this conversation, we explore the cybersecurity workforce challenge, leadership development, the realities of securing public institutions, and how organizations can responsibly navigate the rapid rise of AI. This is the risk apogee. Let's get after it.

SPEAKER_03

Welcome to the Risk Apogee, where we cut through the noise to get to the truth about risk, cyber, physical, human. Every organization faces threats. What separates the ones that survive from the ones that don't is the decisions their leaders make under pressure. Each episode, we go inside the arena with the operators and strategists, shaping how organizations defend, adapt, and lead. This is the Risk Apogee.

SPEAKER_01

Austin Davis, welcome to the Risk Apogee. Thank you for having me. I've been looking forward to this conversation. Likewise. We've been acquaintances and uh colleagues for uh quite some time now, and I was very interested in getting you into the studio because I I think that um the perspective of folks like yourself who've done both public service and stents in enterprise and commercial, uh I think carry very unique perspectives on the risk landscape, how you tackle challenges within the risk landscape. And so your current role as the CISO for the city of San Jose. Yes, twelfth largest city in the United States. Yeah. Austin cheats, but uh yeah, yeah, we're still 12th. It it's a big proposition, right? Yeah. Uh and you are in, I think, a relatively unique place in terms of the backdrop that, you know, from which you have to operate from a risk perspective. So talk to us a little bit about the challenges from your perspective. Again, having spent time in enterprise, now back to public service uh for you at this stage, leading at a very senior level, but there got to be some constraints and things that um uh that I don't know, make the job challenging.

SPEAKER_02

Sure. I mean, there's there's no CISOLs that's gonna sit here in front of you and say they've got too much money and they've got too large of a team, right? Right. I think what the difference is when you're with a private company, is this need, is this cybersecurity need greater than the need for product development or in the healthcare space? Is this cybersecurity need greater than the need for more physicians? Or is it is it uh greater than the need for the hospital procuring this medical device that will save 10,000 lives? Is it more important than that? When you're with a city, it's you're directly competing with public safety, you're directly competing with transportation organizations like the airport. And so the the problem gets even more complex when it's when you're talking about allocation of funds, allocation of resources, right? It's not so simple. And then you have the city initiatives like uh right now with the city of San Jose, homelessness is a very big issue, right? So if I invest $500,000 in cybersecurity, what impact is that having on the city's major initiatives like homelessness?

SPEAKER_01

What's taken away from? Yeah. Yeah, exactly. So what you just described is uh what I might consider to be a risk methodology or framework, right? It is the analysis of the various risk. Most folks use a register of some kind where you stack rank them, um, and you begin to have those conversations around what can we afford to do and what can we afford not to do. Right. Is that any different from the commercial or enterprise side of the house to the public sector, or do you take a very similar approach in terms of the potential outcomes or potential impact?

SPEAKER_02

Sure. Slightly different. I mean, it's it's it's similar in ways, but slightly different for the city because now you're talking about public safety, and public safety is paramount.

SPEAKER_01

So does the public safety aspect, is that sort of the top-tier rule, everything?

SPEAKER_02

Absolutely. Absolutely. When you're talking about the private sector, again, depending on the industry that you're in, some things are, let's let's face it, to make things a little bit easier and more efficient uh for either the user community or the cybersecurity organization, right? Whether it's to comply with a regulatory requirement, whether it's to increase security without adversely impacting the organization's ability to conduct operations. But when you're talking about a city, a lot of the decisions that are made are gonna directly impact public safety. Right. And yes, nothing else takes more priority. Innovation, efficiency, no. Yeah, it's all public safety.

SPEAKER_01

I'm surprised you didn't use the term revenue when you were thinking about uh your time in commercial or enterprise space.

SPEAKER_02

I don't think revenue was necessarily a big driver, at least where I was, okay, from a cyber uh cybersecurity perspective. Now, impact on revenue in terms of uh potential fines, potential recovery costs, that sort of thing. Right. Maybe from that standpoint, but as far as revenue generation, not so much.

SPEAKER_01

So I I my experience has been, um, and this will likely resonate with you, is that explaining the potential risk to the enterprise, regardless of where you are, can be a challenging, can be a challenging position to be in. Sure. Um, how do you convey to other stakeholders the importance of what it is that you're doing day to day and and but still maintaining that balance on understanding they have an agenda as well from their vantage point?

SPEAKER_02

You have to meet people where they are. And I think this is where my military experience helped me. If I'm trying to talk to somebody in the maintenance shop about a an aircraft issue, and they don't really they they don't fly on the aircraft, they don't understand how the aircraft works, they just know how to kind of fix it. Yeah. If I talk to them using a bunch of aviation terms, I'm gonna lose them. Right? They're they're they're gonna wanna try to understand, they're gonna want to help, but I'm speaking a language that they don't understand. So when I'm talking, it doesn't matter who it is in the city, actually. When I'm talking about cybersecurity issues, I try to break them down in terms that are gonna resonate with whoever I'm speaking to. If I'm talking to somebody in um, somebody in finance, not only am I gonna use layman terms, but I'm also gonna talk for that particular audience about the financial impact of what we're doing, whether it's gonna reduce cost or if we don't do something, it's gonna increase cost. If I'm speaking to somebody, uh, I just had a conversation the other day with somebody with uh the San Jose Police Department and talked about in that particular conversation impact on their ability to operate, right? Those sorts of things are gonna resonate more than hey, Russia has this range of IP addresses that they're attacking the city with, and we need you to do X, Y, and Z. They're gonna look at me kind of like, and that means what to me, right? Right. But if I can translate it into you are not gonna have 20 vehicles ready to go that day because they're gonna be down because of this particular issue, that resonates with them. And then the conversation shifts to how do I help them? How do I help get this done? Right. When I'm dealing with certain departments, is Austin, I want to do the right thing. But where do I have the resources to do what you need me to do? Right. Right. In those particular conversations, you have to come from the standpoint of how I can help you and we can help each other get this thing done. So I think the longer you've been a CISO, I think you kind of learn these things that you can't talk to everybody the same way. But what is common is you have to meet people where they are.

SPEAKER_01

So, um, first of all, thank you for your service. Uh appreciate that. It's always a pleasure to come across and and work with fellow veterans in the cybersecurity space. I've often said I think we bring a unique perspective to the cybersecurity realm and its challenges. Uh, what about your career service um do you think helps you navigate both the enterprise space and public sector space?

SPEAKER_02

Sure. Even when you were asking the question, the the phrase that kind of resonated in my head that I remember over and over and over again throughout my military career was service before self. So in cybersecurity, everybody's aware there's times when six o'clock at night, I want to go home. But something comes across your radar that says, we need to jump on this now. If I don't, it's gonna lead to more work and potentially more devastating consequences just because I was too tired and decided to go home. I think those things are kind of bred into you within the within the military. What you need as my teammate is more important than what I need as an individual. And I think that that absolutely resonates really well, uh, especially in the cybersecurity community, right? It's um it's a lot of long hours, it's uh a lot of difficult situations, and a lot of times you're giving people news that they don't they would rather not receive, right? And I think the other thing is uh a really strong work work ethic. Now, I've had debates with other veterans about whether that that gets formed at home or if that gets formed in the service. Right. For me, it happened to be both.

SPEAKER_01

Well, I I I think that what you're touching on is the idea that if not only if you've had that in your home life, in your upbringing, if you go through a period of military service, it basically compounds those ethics into something akin to like your natural character, it basically becomes part of your modus apparendi. 100% how you operate 100% of the time.

SPEAKER_02

Yep, absolutely, absolutely. And then I think the other thing, just being able to relate to so many so many different types, diverse backgrounds, titles of people, origins of people, I think the military really helps in that regard as well, right? Where one day you could be briefing a four-star general, and the next day you could be, you know, in a room full of newer enlisted members. Uh I'm trying to I'm trying not to be Air Force specific here, but uh some of the newer younger members. We won't hold that against you. Some of the newer younger members that um I can't communicate with a general the same way I'm communicating with them because I I'm gonna lose them. Uh and if I communicate to a general the same way I'm communicating to them, the general's gonna go, okay, are you a leader or are you, you know, what do you what are you wasting time in front of me for? Right. And then I think it also helps you just understand and respect other people's backgrounds, right? Because at the end of the day, you all have to work together and you all have to work together as a cohesive team. And I think that's something else that the military kind of really helped foster in me. And then I would say the last thing is the difference between a leader and a manager. You know, unfortunately in my career I met a lot of managers and um I met some outstanding leaders, but those managers taught me more of what I don't want to be as a leader, and the leaders really helped shape what type of leader I want to be. Do I want to be that kind of person that when something goes wrong, people are afraid to talk to? Or do I want to be the person that they know is gonna listen? And then we both uh collectively try to figure out how to get work our way through the situation, right?

SPEAKER_01

So I I once heard um a really exceptional leader say something to the effect of it's time to worry when people stop coming to you with their problems. Amen. Yeah, yeah. Because it it you leaders are problem solvers at the end of the day. Uh and if people stop coming to you, that means you're probably doing something wrong.

SPEAKER_02

Yeah, General uh General Colin Powell. Remember uh yeah, he made a statement like that. Yeah. Yeah.

SPEAKER_01

Uh let's double down a little bit on this idea of being a uh public sector uh CISO. I think really, really challenging. I I applaud you for taking on it's like it's like taking on a mission. Um I'm sure that you have lots of conversations with your counterparts across many different cities around the country. Absolutely. Thematically, what are what are some of the like uh top one or two things that you tend to hear from everyone, all of your counterparts?

SPEAKER_02

Uh resource. Resourcing is always the top number one issue. Is that a financial issue or a people issue? It's both. Okay. Um it's the so there's there's a couple of different things when you're talking about a city that uh don't necessarily apply to the private sector. And I didn't know this until I came to the city of San Jose. When you hire a uh full-time employee in the private sector, you're paying for salary plus benefits. Right. Life is good. That person is there for X amount of time, and when they leave, all obligations are kind of satisfied.

SPEAKER_01

Right. That FTE resource opens up, you get to reuse it. There you go. Yeah.

SPEAKER_02

With the city, you are um not just paying salary plus benefits, you are also you have to account for pension. Right. Right. And it's that pension that causes the city to say, we need to take a second look before adding additional headcount, right? Uh, because it has long-term cost associated with that. Absolutely. Right. Absolutely. So I think a lot of my counterparts struggle with one, you know, there's there's there's never enough money. Yeah. But with cities, it seems to be, it seems to be more more prevalent, doing more with less. And then from a staffing standpoint, it's because of that whole pension and FDE hit count, it's it it it kind of boils down to, well, do I get a contractor to do it? And if I do get a contractor, there's a lot of rules that apply to ensure fairness. Right. Right? Well, well, why did you select MK and not, you know, not Mary, right? Right. So there's a lot of can't think of a word better than hoops, because it's it's it it's important that fairness is practiced. Yeah, it adds to the complexity of even being able to bring in a simple resource to get done what the team needs to get done. And then, you know, I again from a financial standpoint, it's doable to get budget, it's doable to procure new solutions, it's just a lot more difficult than it is on the private sector because of all the all the the laws and the rules, which are good, but also what you're kind of competing with for those resources. That seems to be universal throughout the United States, whether it's the city of San Francisco or even the um, I believe she was from uh the city of Tulsa, Oklahoma, it was the same thing. Right.

SPEAKER_01

You know, just at a different scale.

SPEAKER_02

Yeah. You know, I was sitting on a panel um about uh about a month ago, and this was right before RSA, and it was a uh it was a public sector cybersecurity forum. And I remember somebody in the audience asked the question to the to the panel members, and I remember sitting there looking left and right uh to my other panel members, and it kind of turned into a therapy session, you know, and it was all those common themes.

SPEAKER_01

Yeah.

SPEAKER_02

Getting people, getting solutions, and then also kind of retaining people as well.

SPEAKER_01

What what do you think is the nexus of the of the people challenge? Are there just not enough trained technology professionals on the landscape or entrants into the fields, or is it is it our selection process and like what we're looking for? Yeah, I I I've heard everything, the complaints across the spectrum. We don't advertise correctly for the roles, we don't really know what we're looking for. We're we're putting folks up against an unmeasurable bar that like they can never exceed. So there are some arguments that these people are out there, we just can't seem to sift through the noise and get to the real signal on it. What are your thoughts on that?

SPEAKER_02

I think this is where I get in trouble. Um so uh I think it's a couple of things. Yeah, um, one is uh, and I'm I'm gonna go back to the military here for a minute. Yeah. When you come into a new job, doesn't matter what branch it is, you you you come in at a certain skill level, and then uh somebody lays out in order to advance to the next skill level, here's the set of criteria you need to meet. Very, very clear. Here's the training, here's what you need to be able to demonstrate, and then we'll move you up to the next skill level and the next skill level and the next skill level. That's not done. I don't think that's ever been done for the cybersecurity career field.

SPEAKER_01

If you look at hasn't NICE tried to tackle some of that, and there have been some organizations, I think, that have tried to create career pathing around. I think I I don't mean I I want you to go on with your train of thought, but I I I think adoption is the issue. But go ahead. Okay, I would agree with that.

SPEAKER_02

I also think that look at some of the other skilled professions out there. Look at uh being a physician, look at being an an attorney. Right. There are certain there's certain training everyone is required to go through. Doesn't matter where you live in uh in the country, there's certain things you need to be able to demonstrate as a I'm gonna step out of my element here, but as a trainee physician.

SPEAKER_01

No, but as a as a qualified practitioner, you have to be able to show you can do these particular set of skills, right? Exactly.

SPEAKER_02

So there's there's there's not a doctor shortage, there's there's not an airline pilot shortage, there's not a uh an attorney shortage because there are universally adopted career tracks paths in order to obtain those positions. Cybersecurity to me is no different, it is a disciplined, skill uh-laden career field. Right. And there should be something universally accepted process that says, hey, if you want to be a cybersecurity practitioner, then you need to meet these requirements. But what do we do? We say, um, I think that's the number one question I get. Austin, how do I get into cybersecurity? Right. And my answer is always the same. Um, from a practitioner standpoint, you need to understand how systems work. You need to understand what happens when you send data from this system to this system. You need to be able to understand how that works because cybersecurity is really understanding not only how things work, but how they could be used for in a malicious manner in order to make it work for an adversary. How things can be broken. Exactly. Exactly. I remember in the movie uh training day when um Denzel Watson's character Alonzo, he was talking to one of the younger police officers, and he said, you know, to protect the sheep, you have to be a wolf, right? And that's so true. And that applies to cybersecurity.

SPEAKER_01

Yeah, right? You gotta think like an adversary.

SPEAKER_02

A hundred percent. Yeah, a hundred percent. And so what's the path to that though? Do I do help desk? Do I uh do I go into the military? And and I know they're struggling with this as well. Do I go into the military, get enough years of experience, and then leave, which is which is what's happening today.

SPEAKER_01

Um I tell people I tell people all the time, try public service first. If you want to break into cyber um roles like I'm sure the ones that you have open for the city, the federal government, um, certainly you know the armed services is an option, but I tell folks all the time they really should consider public service because you get not only the academic associated training, but you get the hands-on experience that subsequently will make you desirable to these commercial enterprises, if and when you're ready to make that transition into the commercial space.

SPEAKER_02

Yep. Yeah. And I think uh, you know, the statistics have been there for quite some time. There's more cybersecurity roles than there are people qualified for those roles. And so what that translates to is then you start taking people who aren't necessarily qualified for that role and putting them in a role that requires more skill and it requires more experience. And so it ends up kind of diluting the career field itself. I remember when I first came in before cybersecurity was a a field, you know, someone actually sat down and spent time with me. And and, you know, she said, hey, if you don't, I need you to understand these things. Once you understand these things, then I'll take you on the next step. But until you understand these things, I can't, you know, I can't train you on this stuff here. So it was a step-by-step process to where it finally got to the point where she said, Okay, now you know what you're talking about. You can come on, you can come on my team. Right. That doesn't really exist in organizations where resources are heavily impacted, right? She she had time to do that. And in her, kind of in her defense, she made time for me. Right. But again, there's no formal, widely adopted training process in order to properly train up people to be cybersecurity professionals, cybersecurity practitioners, uh, and and take them on through up to, you know, what we would call in the military, a a master practitioner.

SPEAKER_01

Right. This is super, super important because it um I've had, like you, this conversation for the past decade, I think. And and some light bulbs have gone off for me, just in how you've couched the subject in terms of making it analogous to other professions, uh, and the fact that there is a well-regulated career path for becoming a doctor, for instance, or an attorney. Cybersecurity is an academically founded profession. There should be a step by step process for someone to become a cybersecurity practitioner. There should be particular gates that assess your capabilities and then move you on to the next stage.

SPEAKER_02

Yeah.

SPEAKER_01

As I say these things out loud and as I listen to you sort of go through what is a totally reasonable approach to this, sounds to me that there would need to be some rather deep. Deep public-private partnership that would enable our industry to really gravitate towards some kind of organization around the profession. No. I'm not sure that's happening. It it's interesting though, that literally the way that you outlined it, I could see the federal government stepping in, creating a clear career path, and then enable institutions and organizations to be able to basically take people through those career paths.

SPEAKER_02

Yeah.

SPEAKER_01

Yeah.

unknown

Yeah.

SPEAKER_02

I know some of your listeners are probably saying, no, there's there's there's uh a bunch of cybersecurity certifications. That's a good foundation. Yeah, it is. But that's that's like so me as a pilot, I'm a uh I'm a private pilot, you know, at at this point. And I get my I get my ground training certification. Yeah. Or I get my student pilot license. To me, that's the equivalent of a certification. I kind of know what I'm doing to not crash the plane, but there's still all this other stuff that I've still got to learn that only way I can learn it is through both hands-on instruction as well as kind of being up in the air and and learning through trial and error.

SPEAKER_01

Yeah. No, I I'm a big proponent of certifications. Um, it's the pathway that I took, it's what the FBI provided to me as someone who was uh selected to go into the cybersecurity lanes. They started giving you these certifications, and that was sort of a gating. But even still, I had lots of options in terms of which courses I wanted to take and where I wanted to provide emphasis. And I know organizations like SANS and others have created sort of tracks depending on your level of interest. If you want to be a digital forensics guy, like there's a pathway for you to be able to do that in the certain courses that you have to take. But still, there is no recognized in industry pathway. And like you, I get lots of questions from young folks about how to break into the field. And and what they end up getting is a little bit of my experience and my opinion on things, but you're right. I can't tell them, hey, go look at the uh the universally accepted framework for uh a cybersecurity education and you know, go take those steps and break into the field. Yeah, and I I think you I think this is an interesting point. I think it's an unless and until we get our hands wrapped around that, I think we'll struggle with this resource issue in terms of being able to identify people, and in all likelihood, we'll still improperly post for these roles and positions, not really knowing exactly what it is that we're looking for.

SPEAKER_02

Yeah, I'm kind of laughing when you're saying that, because I I agree. You know, we say this is an entry-level role, and you need to have five years of uh experience with the CIS experience.

SPEAKER_01

Exactly. Yeah. We say that stuff jokingly, but it still happens. Oh, 100%. It still happens. You know, there's there's still that um sync up that's not happening between the HR folks and the practitioner leaders to explain here's what we need for this role. The HR people go to some kind of taxonomy or or methodology that exists in their data banks, and they just start throwing in certifications and role descriptions and all that kind of stuff. Could not agree more. Yeah. Well, we don't take the time to, you know, let me take a look a fresh look at that and tell you exactly what I need for this role. Yeah. Interesting. So we we talked about resources. What other themes uh across the uh across the realm are folks dealing with? Um I'm trying to be careful with with with how I say this, but Yeah, and you don't have to mention any cities specifically.

SPEAKER_02

It it it revolves around an emerging uh threat, but also emerging innovation is around artificial intelligence.

SPEAKER_01

Yeah.

SPEAKER_02

Um I'm surprised we got this far into the conversation without mentioning AI, but go ahead. You know, I think when you're talking about cities in particular, and you know, I'm not not trying to ring kind of the dinner bell for our adversaries, but because I think everybody's struggling with this, but I think it's a little unique with cities because cities are trying to use artificial intelligence, trying to adopt it, trying to lean into it. Absolutely to increase the efficiency. Why should it take me 10 months to get a uh a building permit when you know with AI it'd only take 10 days, right? But on the flip side of that, you also need additional resources to stay current with defending an environment that is now really embracing artificial intelligence. And I think that's something that I hear from a lot of my counterparts.

SPEAKER_01

Um it's the governance piece that um that I think is missing. Yeah. And the fact, once again, that as an industry, we haven't really adopted a formal governance structure for AI adoption. You know, firms like mine and and others, the big four, we're all kind of coming up with our own uh approach to this. And it's methodical and then and it adheres to some best practices and things, but I I think what's missing is some kind of governing framework to basically walk organizations through that process and tell them what they need. Yeah. I don't want to work myself out of a business opportunity as I think about this out loud, but like that's what's missing. People don't know where people don't know where to go.

SPEAKER_02

Well, and it's the use of AI, even in legacy systems, is propagating at a at a crazy rate right now. I mean, we were we were in one of the departments in the city a couple weeks ago, and it was a solution that had been there for like, I don't know, 15 years. No. They said, oh yeah, well, they just added this new component that encompasses AI. Okay. Um that product had already gone through a security review. That that that product uh had been running a long time. That product had been patched, it it did, you know, the firmware was up to date on it, but nobody kind of thought to say, hey, they're pushing out this new capability.

SPEAKER_01

And oh, by the way, probably to take it back through the process for security validation.

SPEAKER_02

Yeah. So I think that's the other thing. It's kind of putting cybersecurity teams in a position to where they said, well, yeah, well, we reviewed all this stuff and we put the appropriate controls in place in order to properly mitigate risk on these, you know, these different systems. I think it's forcing those teams to go back and say, Well, which of these products have changed so much? Because now they've added some kind of artificial intelligence component that's tied back to an LLM or that now we need to go back and re-review, right? If you try to stop people from innovating, I mean, everybody in the cybersecurity community knows all you're doing is just creating the next generation of hackers, right? People that figure out how to work around your controls. So it's you've got a I just don't want to call it a threat. You have an issue propagating that needs to propagate.

SPEAKER_01

Yeah.

SPEAKER_02

But at the same time, you've got to get your arms around it while it's propagating.

SPEAKER_01

It's more than a line item on anyone's risk reserve register. It needs to be diligently investigated, and you need to figure out a way to to mitigate the potential impact of the enterprise for sure. 100%. Yeah. Let let's um take off your CISO San Jose hat for a second. What's your biggest hope for AI as it relates to cybersecurity? What do you think it's capable of doing for us as practitioners?

SPEAKER_02

I think cybersecurity and AI are capable of automating defense. I think it's capable of by its predictive nature, I mean that that's what artificial intelligence is. It's it's prediction, staving off attacks before they happen. The scary part of it is machines fighting machines. Right. Right? Excuse me, and you completely remove the human elephant uh element from the equation. That's the part that I'm uneasy about, right? Because I grew up in that that generation of uh, you know, war games Terminator and Wargam. War game and all that stuff, right? But I never really thought about well, what would that mean if machines are fighting machines? I think there is so much room for AI to enhance cyber defense, both on the proactive side and the reactive side. And I think we haven't even scratched the surface of what's what's possible. I mean, people talked about uh SOAR 10 years ago when it comes to um incident response, right?

SPEAKER_01

But yeah, this is this is like the realization of SOAR, right? Orchestration without having even to define playbooks and things like that. It's all sort of baked into the algorithm.

SPEAKER_02

Yeah, yeah. Uh people talked about self-healing networks, yeah, you know, 10, 15 years ago. It's we have the technology to do that now, but but what does that mean, right? Where does the human intervention where where should it be required? And where is kind of the human getting in the way, right? Of the technology being able to perform it at its full potential. That's the stuff that I don't know who's asking those questions right now, but uh those are the questions that need to be asked. Whose role is it to ask those questions?

SPEAKER_01

That's a great question. Is it the creators of this capability or is it government or is it a combination of both?

SPEAKER_02

I do think that there is a responsibility in those that are creating the technology that have to ask that question. But I think it gets I think we start getting a little bit into politics when we start deciding, you know, is it a is it a regulatory agency? Is it, you know, that's a great question.

SPEAKER_01

Yeah. Well, I mean, it it I think what we're viewing or seeing is one, the technology is moving so fast. Yeah. I mean, I I I don't know about you, but I have trouble keeping up with it. I'm a heavy user myself of AI from a business standpoint. I think it's I could not do business without it uh at this point. But at the same time, uh I can't keep up with uh with the advancements. There are so many entrepreneurs out here starting new companies based on AI, uh, solving problems in new and different ways that I don't know about you, but I have a little bit of the um the shiny object syndrome from time to time because I see, oh wow, they're building this over here, and I need to go dabble in that and see what it's capable of doing. And then, oh, this thing over here, which now solves this problem. Yeah. I I think it will, I agree with you. I think it has the potential to elevate cybersecurity defense. I really believe that that should be the goal of how it's infused in the cybersecurity spectrum. I I think for the first time um we potentially have a way of combating or at least being on par with adversarial activity. Yep. But I think productization gets in the way of that.

SPEAKER_02

Yep. I couldn't agree with you more.

SPEAKER_01

Were they what's that expression? The self-licking lollipop. Like the cybersecurity industry. Yeah, it's a it's a behemoth.

SPEAKER_02

Yeah.

SPEAKER_01

Uh you all you have to do is attend RSA every year to see the size and scope and and the different vendors, everybody building this, you know, people identify a single problem, they build a tool to combat it, and they basically go to market. Yeah. And that means there are thousands upon thousands of vendors out there creating these tools. And I I think collectively, it again, it's it's kind of self-propagating. It's like, you know, the industry is going to exist as long as there's a problem to be solved and an opportunity to solve it and monetize it. And you get these competing products out there, and it just makes the field uh it makes it a very difficult proposition, I think, for folks in your position because like now you're the stakeholder that's got to figure out, okay, well, which which what which tool is best for us?

SPEAKER_02

Yeah.

SPEAKER_01

Right. And our situation. How can we maximize the limited resources and dollars and things that we have available to us? I just I think it's a massive ongoing challenge.

SPEAKER_02

Yeah. I mean, to your point earlier, though, I I think what we're seeing right now is there's not a lot of um differentiation out there. I think people are putting out a lot of this really similar products with slightly different naming conventions. Yeah. Yeah. But I remember, uh, CrowdStrike's not going to cut me a check, but I remember like when CrowdStrike first uh reached prominence, right? It was doing things way different than McAfee, way different than Symantec, way different than Kapersky and all those A V vendors, right? But who's the CrowdStrike out there right now in this age of AI innovation, right? I I don't know.

SPEAKER_01

Yeah. I mean the field is littered. There's new companies popping up every day. I I have meetings literally multiple times a week with brand new companies because I'm trying to figure out a way to complement these new technologies and services with our service lines, and that um there's no end to it. I I have to block off time to meet new entrepreneurs, new leaders to basically take a look at what they're doing.

SPEAKER_02

And I know you some of your listeners are gonna be calling me, talking about no, I guess how I differentiate, don't call me.

SPEAKER_01

Yeah, uh we're um we're not short on advice. I I'm sure that uh I'm sure that you will get some outreach. So we talked a little bit about the challenges. Is there are there any blue skies? Are there any, I don't know, things that you and your cohorts are are are looking at and saying, you know what, we got a pretty good handle on this. We feel we feel good about X, Y, or Z. Does that exist or is it all worry?

SPEAKER_02

Um, well, I mean you're talking to somebody who's paid to be paranoid, right? Um, I do think there are areas of governance that is that that that are maturing now, the ability to comply with regulatory requirements, the ability to produce what a lot of people don't want to do, but documentation that helps people comply with cybersecurity, that helps people comply with regulatory requirements. I think that is an area that I'm seeing a lot of advancement in. And frankly, like yourself, I'm taking advantage of AI resources to to bolster those areas. Right. Right? Here, here are my themes. Build this thing out for me. Let me see if I, you know, make let me make sure I agree with everything that's said and I can put it out. Right. Whereas before it was like writing a you know, a term paper. Writing a thesis. Yeah, absolutely. You know, and again, I'm I'm probably gonna get myself in trouble, but you know, like I I look at our police officers in the city of San Jose. Everybody was kind of up in arms about the whole um overtime thing. Well, you you were in law enforcement just like I was on the federal level. It takes time to write down everything that went that that transpired during a you know a particular incident or event. Right. But, you know, if I have if I have a camera that records everything and then it it it transcribes everything that it saw, I think that's fantastic, right? Especially you're not taking the human out of the the equation because they have to proofread and make sure that that you agree with everything that was generated, right? So I think just from a documentation and communication standpoint, I think things are getting better from a cybersecurity standpoint. I don't want to get into politics and yeah, you know, the media and all that, but um, I think that's where I see kind of Greenfield right now. Right.

SPEAKER_01

I I will tell you that as this new technology, and I'm referencing AI, continues to take hold. The very first thing I thought about was how I could have been so helpful in much of my law enforcement career, the auditing, the inspections, the uh the drafting of uh information that, you know, I got to be pretty decent at, but it was so time consuming. And it takes you away from the aspects of the job that people naturally assume you're doing the whole time that you're on a shift or whatever you want to call it. Like you're not policing the whole time you're on a shift, as you just noted. You literally are spending a portion of that time writing reports about what you did while you were on that shift. Yeah. Um, just so that you can document things. And yeah, I mean, if there's a possibility that a recording can be auto-transcribed and create a viable, legally binding transcript of exactly what transpired, I think that's a good thing. And I think it'll free up time to do the thing that they're being paid to do. Amen. Hey, I want to um I want to shift gears a little bit, get in the personal side. I think I could talk to you for for hours about challenges across the risk landscape, but I'm always interested in what um what influences people and kind of what made you who you are today. So I want you to think about a book, piece of film, an album, piece of art that has had an outsized influence on how you see the world. Is there anything that fits that description for you?

SPEAKER_02

That's a great question. I I think more than any form of media, it was really, really my my father.

SPEAKER_01

Okay.

SPEAKER_02

You know, my my dad was uh what some people would call a a a throwback. He, you know, he he got up every morning, he went to work, you know, he didn't cut corners, he came home, made sure his family was taken care of, and rinse and repeat. He didn't accept less of himself, and he expected the best from us as as his children. He loved us very much, but I think love back then was a little bit of a different connotation than it is now. Love wasn't being your friend, love was setting you up for success later on in life. So when something gets difficult, because he loved us, he made us push through. Right. When something was scary or intimidating to us, he made us stand up to it. I think those things combined with you need to be a respectful person. You need to treat everybody with respect until they show that they don't uh deserve that level of respect. Right. You need to treat people with with kindness. Those things have really, I think, shaped the type of person that I am as a uh as a husband, as a father, as a friend, as a as a cybersecurity executive, as a as a leader, right? I um try to be respectful of everybody that I interact with. And you know, it's kind of funny. I get I get comments from time to time of you're such a respectful person. That was the norm. Yeah. You know, where should be table stakes, right? Yeah, you know, and and and how I grew up, but it's it's um uh you you kind of look at society today and kind of say, well, how did we move away from respect and kindness being a foundation, right? But it's also it's also how I approach not just work, but everything in my life. And when when something's difficult, I think that's when I get keyed into uh okay, it's it it's a challenge, uh, and it's my opportunity to push through.

SPEAKER_01

Yeah, right.

SPEAKER_02

Where you know, I've kind of seen, you know, nowadays, wow, I guess I'm the old guy now in the room going back in my day. But you you you know, you you kind of see these kids and they're put in a situation and they they shrink, they fold. I can't handle that, you know.

SPEAKER_01

There's an absence of resilience. That's that's the way I describe it.

SPEAKER_02

Yeah. And then, you know, it's the same thing with accountability. If something didn't go well that I was responsible for, I've I played a role in it not going the way I wanted it to go or it not going well. And I, you know, kind of started to see a little bit of an absence of that in kind of you know modern day. But again, these were things that were foundational, you know, in how I in how I grew up and kind of shaping me uh into who I am just just as a man, you know, and I know that I don't want to get into the whole toxic masculinity and all that, but I guess I'm a proud, toxic masculine man. Because the way I was raised was here's the definition of some things that not what a man is, but here's things that a man typically does. Yeah. He takes care of those around him, he takes care of his kids, he teaches, he nurtures, he supports. All these things are, you know, really fundamental aspects of who I am.

SPEAKER_01

Well, sounds like you had a great dad and um and family and obviously made a uh a huge impact on who you are. Last question for you. What's something that you're surprisingly good at or deeply interested in that has absolutely nothing to do with technology?

SPEAKER_02

Um I'm a I'm a pretty humble guy, uh, MK. I'll tell you what, I never thought uh when I was a kid that I would love riding or racing motorcycle so much.

SPEAKER_01

I know. I I'm glad you mentioned that because I was gonna I was gonna I was gonna check you on that.

SPEAKER_02

Yeah, yeah. That's that's um, you know, uh people that know me well, uh I say I'm gonna go see my therapist this weekend. And uh that's usually a track day weekend and and I tell people, you know, in in in certain roles that you take in life, your mind naturally doesn't shut off. Yeah. Because you're always thinking about this person or this thing or something that needs to be helped or overcome. But when you're on the track, only thing you have time to think about is the next turn, right? Or it pulls you into the moment. Absolutely, absolutely, and it allows you to requires your full attention. Yeah, yeah. It's a mini vacation, you know. And you know, I know some people think like, well, why is going 120 miles an hour uh around the track? How is that a vacation? But it really is a mental break. All you're thinking about is negotiating the next next turn, the next obstacle, right? Can I increase my speed and and and still safely, you know, get around the track? All those sorts of things. And it's um both physically and mentally draining, but it's that good draining. It's that it's that good tire, right, right? Before all the other stuff comes back, you know, that you have to worry about uh, you know, as a as a human being in the world.

SPEAKER_01

So well, Austin, thanks for what you do for the city of San Jose. Um being a San Jose resident, I get the benefit of uh knowing that you're at the helm from a cybersecurity standpoint. It's very much appreciated. And uh keep being a good human. I appreciate it. All right, hey, thanks for being on the Risk Apogee. Thank you. All right so much. Thanks, Austin.

SPEAKER_03

Thanks for being here on the Risk Apogee. Every episode, we dig into what it actually takes to lead through risk. And that's the same work we do every day at Apogee Global RMS cybersecurity, physical security, organizational resilience, talent strategy, one integrated approach built around your people, not just your platforms. Are you ready to move from reactive to resilient? Visit apogeeglobalrms.io and sign up for a risk free consultation with our team of advisors.