Shift to AI - Presented by Cycode
Shift to AI - presented by Cycode - is the podcast for security leaders mastering the AI era.
Hosted by Roland Cloutier, former Global Chief Security Officer of TikTok and ADP, the show brings together the world's leading CISOs and security executives to confront the most disruptive transition in the history of software security: the shift from human-paced development to AI-driven development, and the work of making security itself as agentic as the code it now has to protect.
Co-produced with Cycode, the Agentic Development Security Platform. New episodes every other week. Follow so you do not miss a guest.
Shift to AI - Presented by Cycode
The CVE Tsunami Is Coming - Are You Ready?
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
Hi, everyone. Welcome to Shift to AI, presented by SciCode, the agentic development security platform. I'm your podcast host, Roland Klutier, former global chief security officer at TikTok ADP and EMC, now Dell EMC, and digital business executive helping other companies develop their next generation's cyber defensive operations. So this is a show where I sit down with the world's leading CISOs to talk about the shift to AI, what it means for security, how AI-driven development is changing our programs, capabilities, and mission space, and what it takes to actually build agentic security. And this is our first episode. And uh I've been looking forward to recording this for quite some time because today I am joined by two amazing peers and great practitioners. Ramini Husseini, who is a multiple-time CISO and chief cyber solutions officer at CloudFair most recently. But also I've known him for well over a decade as peers in the industry, fighting bad guys together and sharing tips, tricks, um, and working side by side. And Fonnie De Seri, Chief Trust and Resiliency Officer. And by the way, we're going to get to that title a little later in this podcast at first source. Um, multiple-time CISO and um a little background from my perspective on Fonny. I I say I've known him since he was a kid, since he graduated as postgrad, worked in um uh a few of my organizations, and it it's uh just great to see uh so many wonderful practitioners doing great things. So, guys, welcome. I I appreciate you joining me on my uh first kickoff show.
SPEAKER_00Thanks for having us. Thank you, and appreciate the warm uh warm introductions uh for both of us. Thank you.
SPEAKER_02Uh it's not gonna last long, guys. Um we're gonna jump right into it. So you know, I'm I'm going to Remy, I'm gonna start with you, but this question's gonna be for both of you. So, Fanny, you're getting a break uh on the on this first one. You get to think about it for a second. Guys, walk me through the first 30 minutes of of your morning, what you're looking at before you've had your second coffee. And and you know, and then how about the last 30 minutes of your day? What does that look like to you? So, first 30, last 30. Rami, you start.
SPEAKER_01Yeah, so thanks for having me, Roland. A real pleasure to join you. So, those who know me, uh, I know that actually the first coffee is a cappuccino, and there's no second coffee. So I I I pride myself on following this discipline. So for me, the first 30 minutes are really about signal and not noise. And actually, the distinction between the two has become its own discipline. Uh, the volume of AI and security commentary is exceeding uh you know uh anything that our industry has seen. And for me, it's important like to be very focused on a narrow, uh curated list of primary sources or research practitioners that are basically shipping things, uh, and I prioritize that over a fire hose of uh, in a way, uh noise. Um, so I'm scanning in the first 30 minutes what has changed overnight in capability, and not necessarily focusing on the opinions, but more on the actual change in capability. The last 30 is a bit um the opposite mode, if you will. I take a step back uh from the stream uh to really ask what all what I learned during the day means in the grand scheme of things, what are some of these important shifts that rarely announce themselves like in a single headline, but show up over a pattern, you know, uh across a week, a month. So for me, the evening is about a synthesis and and really um coming up with like the key priorities uh for you know the week ahead.
SPEAKER_02Oh excellent. Fanny, how about you? First 30, last 30.
SPEAKER_00Thank you, sir. Thanks for the opportunity. Um the first 30, you know, I I built my security philosophy in you know, Roland Clutier school. So uh I put a premium on clients and the business, right? So that's where my focus in the morning is, and it's a global organization. So I wake up, I see if I have any client escalations, number one. Number two, if I see is there any leadership uh from is my CEO, my CTO, you know, is that anything from them, right? That's that's my first thing I do as soon as I start my work. Then I pivot to you know, uh high context signals, you know, if I have anything that I should worry about that needs my immediate attention, you know, then and I'm then whatever is the outcome of that based run, and I'll move. And if that's not the case, then I'll move to uh understanding, you know, how are the programs that we are, you know, in in in in flight, you know, how are they doing? Uh, because the global team, you know, half the organization is already midday or you know, or you know, they're evening, so there's a lot accomplished. So I want to see, you know, what that is, and then uh that's how I uh start my morning.
SPEAKER_02Yeah, I I find it so interesting. Both of you have um this concept of understanding your operations. So understanding the context of the globality of the you know organization you're serving and the jurisdictions you're operating in. Totally got that. But I I love this perspective of does our stuff work and and has something changed that's not making it as an effective. And I and I think um, and obviously this is about shifting to AI, so we're gonna talk a lot about AI, but um I I hope we get into this conversation about how does this help us even more around controls, assurance, and verification and uh validity of our operating environments. Um Rami, I want to set the stage a little bit uh because the two reasons the the one of the main reasons I wanted you to on the first show is you both were part of important documents that have been written over uh the last month or so um in this changing time. And you uh Rami co-authored the AI vulnerability storm, building a mythos ready security program. But you did it in the context of being a you know two-decade in-seat defender. So from your perspective, how would you describe the moment we're facing right now as practitioners?
SPEAKER_01Well, I would say that really we're not dealing with a storm anymore. I mean, since that paper was uh actually released, and and by the way, I take this opportunity to really um again thank the Cloud Security Alliance for championing that um you know community-wide perspective on the topic, and more specifically Gaddy Evran, who really herded cats over a weekend to one weekend that paper. Yeah, one weekend.
SPEAKER_02I never done before since I I I've been doing this. There's so many 20 21 CISOs, Remy.
SPEAKER_01Was it uh a lot more, actually. Really? A lot of co-authors, and then obviously an extended ecosystem of reviewers, and and that was really a great moment in our community. So uh to answer your question, I mean, I think from a defender standpoint, I mean, this is no longer a storm, this is climate change. So for for decades, you know, our entire profession was really resting on uh a big assumption that uh if we have uh skilled talent, if we have enough tools and enough caffeine, uh we could basically think faster than whoever was on the other end trying to attack us. So so we sort of hired around this assumption, we organize ourselves around it, and every war room, every tabletop exercise, every escalation pad, every corally pen test, you know, in a way was a monument to this uh idea and to this assumption. And uh we placed human judgment and human action as the rate limiting step in our attack and defense mindset. And unfortunately, uh with the Mythos class models, I mean that assumption has expired. So we are dealing with an environment now where AI is discovering vulnerabilities in bulk, it's basically uh chaining them, it's allowing attacks that can be highly orchestrated, and the change really is also around the tools that are now available to the attackers. Uh you know, we're talking now about the citizen hacker. You don't really need to be an expert in networks, in application, in cybersecurity to actually launch a very um you know substantial attack against network. And that that's really fundamentally what has changed. So for me, um you know, we have a moment where we are gonna face some short-term difficulties because obviously um uh you know there's uh a mismatch in capabilities at the moment. But we have also a moment of transformation. This is an amazing moment where I'm super optimistic, if you will, about the midterm, long-term uh perspective of this because it's gonna force us within cybersecurity to transform, uh, to turn some of these uh tools uh inward and to be able to really ask ourselves honest questions about what matters, about having the right architectures, having the right resilience. So I believe that this is going to really, really be transformative uh in a positive way uh for us. So I feel that this is an exciting moment for our community.
SPEAKER_02I I you know I couldn't agree with you more. And uh, you know, what's interesting, Rami, from from my point of view is I think in when we get over this, I'll call it a hump over the next 18 to 24 months where we burn down the legacy issues that we have to deal with and get to a net new reality or um, you know, temperature, global temperature, if you will, if I use your metaphor a little bit, um, that that will actually be in a really good spot to defend, to see, to understand, to respond, to be resilient, because we can do things that the adversary cannot, because we understand our environment and we will have the tools and technologies and speed across a more dynamic uh view than they have. So I'm I'm I'm like you. I'm uh I get excited when I talk about this. I mean, I it's gonna be a painful couple of years, don't get me wrong. We got a lot, we've got a lot of cleanup to do, a lot of things to implement, a lot of new organizations, and and we'll talk to that in a few minutes. But this is this is really important. And and and Fonnie, I didn't see you shaking your head no when Remy was talking. So, you know, you're a sitting CISO defending a major multinational infrastructure that implicates, you know, access to other comp like you, you know, you you do you have a uh you know a sizable job, um, protecting a lot of different perspectives. Are you seeing signals that tell you that this isn't just a security hype and that this is, you know, this is just um a magnificent change in our our digital capabilities ecosystems and businesses?
SPEAKER_00Absolutely, 100%, right? You know, um it's it's not a pivot, it's a shift. And these are not changes of rules of the game, the sport has changed. Right. And uh the way it has changed is, you know, I you know I love acronyms, so the forest, you know, I look at the forest formula for this, right? The scope, the speed, the scale, and the sophistication. All four have changed completely. The scope at which things a bad actor says to come at you is completely changed. They can scale in minutes. The speed at which they come at you, you know, is you know, you don't even have days, you know. You sometimes you don't even have hours, right? You have to defend yourself in minutes. And the sophistication, right? The one good thing with sophistication is now everybody has those techniques available. The nation state used to have these things, and then now, you know, to take Rami's words, the citizen, you know, hackers have it now, so do we, right? So the same capabilities are available to us. And the advantage that we have is uh what is our motor is the domain knowledge that we bring in, right? And then you know we understand our infrastructure really well, we understand what is important for us, right? You know, there is you know, somebody said this wonderfully, you can't patch your way out of this, you know, because the old playbook case out of the window. You can't do that, right? So you have to have a very different way of doing it. I know we will discuss more, but yeah, those are those are my thoughts on on um the latest uh shift.
SPEAKER_02I actually want to jump into that. I I I'm gonna you just bring up a really good point with that answer. So, Remy, I'm gonna throw one out from the left field because here's here's my belief. My belief is we're gonna get to a zero defect capability, meaning when we release when we release uh infrastructure as code, business as code, digital partnerships as code, products as code, everything's gonna be code. We we're going to have the capability to literally come out with zero defect and keep up on the vulnerability and the and the commitment across the changing external environment, map that to CTI, map that to our general infrastructure, and have some really crazy stuff that we're only starting to begin to scratch the surface on how we can look at it.
SPEAKER_00That is the only caveat where if you have to move, if you don't move to you know the next versions of it, you know. I know some businesses because certain applications bring you certain revenues, they don't want to get out of it, right? You know, and and legacy tech, you know, that could be one component, but again, you have other methods of protecting those, like we have been doing now. So we have to continue to do that. But yeah, rest everything, you're spot on.
unknownYeah.
SPEAKER_02Yeah. And so, Rami, what what do you think? Since this is a massive change, and you and you know, I I love the way that you framed it at the beginning. What do you think are the steps to get us towards this zero defect capability? Like, what do organizations really have to be thinking about over the next couple years to get to that point?
SPEAKER_01Yeah, I mean, I love what Fanny just highlighted. I mean, we he's talking about you know, cyber and technology debt, and I think this is going to be incredibly relevant. I feel that architecture is going to become the ultimate control. And the reason I mean I mentioned this is uh, you know, we are past, you know, patch in uh in a way as the primary measure that you are and the primary control uh for defense. Uh containment and speed is going to be incredibly important. So um if we think about how will we measure and assess success, because once we start thinking about how success is measured, we can work our way backward and figure out well, what does it mean in terms of investment and portfolio allocation and so on. I would say that you know, we will be focusing on some key metrics like you know the defender lag, you know, the time to contain against an adversary, time to exploit, you know. So so this is like an important metric considering like where we are at the moment. Uh we will be thinking about like the blast radius index, you know, how accessible are our crown jewels? And and this is going to be incredibly uh powerful. Uh, you know, Fanny mentioned that we do have indeed like domain expertise, we have that home field advantage, as I call it. So being able to understand the crown jewels, the most critical applications, and figuring out well, what are uh the different hops and steps to actually get access to them and what could go wrong, and and be able to qualify and quantify that blast radius index is gonna be incredibly important. The the other metric that's becoming even more uh powerful is uh to what extent our security and technology operations are autonomous. So it's the coverage ratio of uh the type of uh workflows, uh whether they're tactical or actually quite uh strategic, that how many of these agents we're using uh in our uh day-to-day processes, uh, to what extent our detection and response is able to run uh without the human as the rate limiter, if you will. Uh self-discovery is also gonna be incredibly important, like how much do we discover on our own versus you know, versus you know what we discover from um external sources, whether it's an adversary or an advisory. And and then the other you know key metric that is today incredibly important, but it's gonna become even more important, um, I think in this era is like the mean time to recover. And and that's basically has been like the the honest measure of resilience for for quite a while. But this is gonna be quite important because the we need to manage some expectations that now uh it's all about containment. It's not about eliminating like the probability of an incident, it's really about making sure that we don't have catastrophic losses and that we're able to recover quite quickly and not impact operations. So if we define these as the key success metrics or the ones that we we assess ourselves on, then working backwards. I mean, we need to be thinking about defense in depth, uh, to what extent we have the right uh uh containment strategies, um, and you know, to what extent we're able to really segment our infrastructure and limit like uh propagation. Uh and that means a whole series of controls that were incredibly important, like you know, two, three months, six months, two years ago, are still going to be incredibly important uh, you know, in the future. Uh, being able to deploy zero trust in a unified way across the entire state, understanding your attack surface and being able to shrink it. So, so these are the kind of things that we need to be thinking about it. I mean, I I would I would just re-re you know, emphasize the importance of architecture. It's going to be the ultimate control in this era.
SPEAKER_02Yeah, yeah, I I couldn't agree more. Um, you you know, I'm gonna go to uh a question that I don't think Fonny's expecting, but I I want to talk about because he's like smack dab in the middle of it. But you mentioned resiliency three times in in your in your last answer, Rami. So Fonny, you've got a new title. I mean, you know, I mean, like a lot of a lot of our peers have gone to Chief Trust Officer, Chief Security Officer, Chief Information Security. Like, there's like 15, you know, different titles, and um titles don't mean everything. However, sometimes there's a pivot in our industry, and I think we're coming up to one here. Um, and I know you and I have talked about this in this past, as a converged security expert, you know, running multiple different types of security risk and privacy enforcement programs across multiple disciplines. Um, there's there's a massive focus now on this concept of resiliency and what it was five years ago, three years ago, has entirely changed. And so you now you're the chief trust and resiliency officer. Um, talk to me about why your business made that change and what you think that and other like changes are going to mean for us and our peers in our career field.
SPEAKER_00So um I I joined as a CISO, right? And uh this is my new gigs, by the way. So day three, I was having a conversation with my boss. And we were talking about industry trends, and then you know, I was sharing my thoughts around hey, why I think the CISO role will transform uh into a trust and resiliency role, because the I in the CISO uh is around information and data protection, right? The mandate today for a CISO is much, much beyond that. In the agentic era, you know, your companies are not selling products and services, they're selling decisions and outcomes. What was a probably a product quality issue at one time is now become the security problem. Because the agents, when they make autonomous decisions, and they make decisions at a speed and scale, we're you know never seen in. Our lives. So when a let's say you know you're doing claims processing, and and and let's say your error rate is three percent and you have five thousand associates or five thousand adjudications uh every day, you know, you're talking up 150 you know error rate. Now imagine the model has drifted 100% from its baseline. The outcomes are gonna be 100% wrong. Or if somebody maliciously came in and you know and skewed the model to you know one way or the other, then you have you know a set of people that belong to a particular you know, you know, demography or or or race or whatever the case may be, now you have a class action suit against you. And we have a playbook. If the data is lost, what we're gonna do and you know how we're gonna build the trust back, and we have the playbook, and when data is lost, you're seen as a victim. This changes completely. Now you have done such damage to the individuals and to the business and to yourself.
SPEAKER_02So it's still accountability um at a quality level, just a different type of quality, and someone needs to chair over that resiliency, those new resiliency capabilities in next generation digital business.
SPEAKER_00And the consequences are very different. For this, we don't have a playbook yet. And now you're you're disrupting your business. You probably lose that business completely.
SPEAKER_02I mean, just think about three years ago, we were worried about massive attacks for coordinated inauthentic behavior. We were worried about misinformation, disinformation through the use of AI spread across different mediums and social media and media, and you know, um, and and now we're talking about bias and product that delivers negative impact income to a committed quality product you're delivering to market from information to drugs. It is it's mind-blowing um where we have to think of think about that. Resilience is just one of those. Um, but it is the trust of of what we're delivering. Great, great point. Remy, I wanna, you know, I want to pick up on kind of the last conversation you had because you talked about doing things um at machine speed that that you know we we have to adapt to and we have to have capabilities. But if vulnerability discovery and code is becoming machine speed, if we're doing machine speed remediation, testing and revalidation, um just what are some of the assumptions of security programs themselves? I and and I love your answer because I'm cheating a little bit because you and I had this discussion in London a couple of weeks ago, that a lot changes. But for peers that aren't there yet, that are just getting their arms around governance and enabling their business to do some of this work, like what are some of those things that are just they're gonna become outdated immediately and they need to be thinking about it?
SPEAKER_01Uh governance actually is uh for me like one of those key considerations. I mean, in a in an era where uh everything is moving at like machine speed, I mean, the biggest mistake we could be making is really um not uh not rethinking budget cycles, not thinking about uh the cost of actually traditional governance in in an environment. Uh, because you know, if approval speed is uh is an issue, uh you know, to select an actual security control to deploy it, uh it's gonna become a challenge because we're dealing really with evolutions uh in the environment uh from uh both like a defender and an attacker perspective that really warrant a rethink of governance. So I would I would say like governance in itself is is a big issue. We have to be thinking about uh AI-powered governance and be clear on the type of decisions that could be completely automated and the ones that will require uh you know, humans on the loop, uh, you know, not necessarily in the loop, but on the loop uh to be able to um validate uh the execution. So so I think we we we need to to again uh adopt you know this uh approach of containing as opposed to you know patching, you know, and that and that's like a philosophical shift. And and you know, the analogy that I like to use, um it's been one that's been used in the past, but I think it's becoming even more relevant now. I mean, think about it like you know, we're building like a watertight compartment into a submarine, right? Like we assume and we engineer the environment uh so that you know uh exploit could happen, but they would be contained. Uh but we're able to reduce the blast radius, we're able to have fast recovery and and not deal with any catastrophic uh challenges. So this is exactly why we need to be taking a step back and and not necessarily getting rid of the existing playbook. I think the fundamentals didn't change that much, they are becoming even more valuable. Defense in depth is a core principle uh for us as defenders, and we need to understand to what extent defense in depth is actually deployed in our environment, to what extent we have the right segmentation, to what extent we have the right egress filtering, to what extent we have efficient resistant MFA, to what extent we've been very disciplined and rigorous with our identity and access management, and and to what extent we've been really rootless in shrinking our attack surface. So all of these things actually are part of the playbooks, the core playbooks, and they haven't really uh, you know, as principles changed that much. What has changed is how can we make sure that we adapt these uh principles to uh machine speed. And this is where the transformation of key processes, starting with governance, is gonna be incredibly important.
SPEAKER_02Funny, I want to switch a question just a little bit, but it in the same context, when we talk about everything as code, right? The business is code, how we integrate, you know, into our supply chain is code and our infrastructure is everything's code. What from your perspective does um defense mean now? Like what do we have to change in defense in defense in depth now that everything is code? How does it change priorities within our program?
SPEAKER_00So I I think I'll pick on what Rami said, right? The defense in depth, that principle never goes away. That wrapper has to be around the agentic security that you do. So you have the faith around the guardrails for AI agents, right? Um, in terms of you know their execution, you know, uh irrespective of what the agent does. The guardrails alone are not enough. You know, we are not at that maturity level yet because the frontier models are changing every single day. So, you know, are your guardrails pretty effective? Um, you know, that's a changing answer every single day. So having this defense in depth wrapper on top of this would is the way, and then the governance architecture is something that you have to follow 100% because this is going the governance is gonna take the center stage of this because that's how you're not only defending your systems and your applications, but that's how you're also gonna defend your business.
SPEAKER_02Yeah, I I uh I you know I I take that statement with the knowledge that we have to apply it, Fonnie, to this concept of um context, intent, and explainability, right? Like right now, we it it's a it's a zero-one. It's doing what it's supposed to do, it's not doing what it's supposed to do. I mean, I mean, there's some stuff in bot defense and some other areas that is context, you know, rich in in how we do automated defense. But the reality is from quality to defense, we have to understand the intent of the agentic, the intent of the original request from the time that it started to the time that it delivers the outcome, right? This outcome-based assurance. I would say outcome-based quantification, right?
SPEAKER_00Very good. You know, like that's that's where we our our calculation has to go because it's not going to be your general CRQ anymore. This has to be an outcome-centric quantification for every risk that you look at. Then that's how you you will make your decision. That's how your agents will make decisions in terms of controls, controls effectiveness, or or you know, you wanted to, you know, not control that particular outcome, right? It's clearly dependent on that.
SPEAKER_02Yeah, I mean, the the changing workforce and what will be your workforce in two years is something we might want to hit at the end. But we've been talking for the like the last three or four questions around this concept, and the answers come back to speed and capabilities and and and um and what that really means. But um, Rami, for you know, you the you know, the CSA released the report. We all read it five times. We knew we know what's coming, and it and that gave us um a great I don't know, framework's probably the wrong word. It gave us an actionable table to build for to support the organizations we have and give us an understanding of the implications that we need to really be thinking about. And it was just it was so well done. Um, but that time between existence of um uh a new issue and business disruption is going to shrink from ours. And I'm not and you talked about this in the attack sense last time, right? This, you know, our time, our time to exploitation now is from exploitation to negative impact event. I'm seeing four minutes. I'm literally seeing in you know, in some major multinationals that have really good teams, you know, in bad things done in under four minutes. So when we're when we're dealing with that, you know, um, but on a larger scale of now this is impacting the business disruption, what's the first organizational change talking about people that leaders, our peers, should make to really prepare for that reality? And I'll go to both of you, but I Rami, I want to start with you because you've put a lot of time into thinking about this as well.
SPEAKER_01Organizational change. I mean, uh, if we're thinking about like uh the talent, we're gonna need more builders within uh the cybersecurity teams. Uh, because obviously, uh, yes, uh the attack um you know protocols have shifted and uh the response protocol have to shift as well. So I I think that we are uh as communities of cybersecurity defenders are going to have to deploy uh also a lot of agents in our environment, uh, but not do that in a blind way. I mean, we have to be thinking about uh uh you know carefully about the scope of these agents, the identity they operate under, and and you know, really having the right level of observability. Uh, I agree with uh Fanny, by the way. I mean, I think uh, you know, it used to be that we were uh focused a lot on identity management and access management. Now I think we're gonna be creating almost like a new acronym, outcome management is gonna be really key as an actual program for understanding how how agents are behaving in our environment. So so builders, you know, that's one uh key ingredient in the makeup organizationally of uh a new uh or a next-gen cybersecurity program. But the second uh one um evolution is really uh making sure that we are doing our uh due diligence in terms of uh explaining like this shift uh to all layers within the organization, to the different executives, to the different uh you know lines of business, to the board. Uh, because they they need to understand that this is a substantial inflection point, and they now need to understand that uh the the technical debt and the cyber debt that they've been carrying on their books, well, I mean the interest rate has just increased massively on that debt. And and as a result, I mean there are going to be some interesting transformation opportunities of the different stacks. And if we don't do this uh road, if you will, show internally and explain that, I mean, I think we will be constrained by um a mismatch and expectation understanding of the problem. So for me, making sure that everyone understands the problem, but also the opportunity behind it, because really this is a transformative moment where we could get a lot better, a lot more agile, a lot more resilient. We could really transform our application, create better user experiences. So really deliver uh on the promise of digital transformation that we've all been talking about. And and the five why this step two is super important, because it's tied to what I mentioned earlier: governance. We need to evolve governance. I mean, decision rights are going to evolve uh as a result of who needs to really be able to get in the loop uh for some key decisions. Uh obviously, we cannot wait for you know weekly, quarterly meetings to make certain decisions. It's gonna be very dynamic and we're gonna need to have some degree of confidence that when we are enabling some autonomous uh remediation activities, uh, that the threshold for that this those decisions are well understood and well accepted and are part of our overall risk acceptance as a business.
SPEAKER_02Yeah, I I think um there's an amazing view that people have a very, very hard time of taking around um that their organization is going to be very different. And they have to start with the what what can I do? What's my responsibility? Like when you think about what our digital ecosystems have become, and you think about a concentric circle, the old bullseye on how we used to protect data, right? Like how however you want to look at it, there's there in the layers of our business from internal to external, remember, to your point here is that we have different levels of visibility, accountability, authority that gets smaller and smaller as we go out. And maybe it is our data, maybe we are having an external processor do something, or maybe, or, or, or, but all the things we can do across all of those effective bus digital business zones within our ecosystem is not always ours to be able to achieve. And so we have to rethink the services we're delivering back to our business. So speaking of services, uh Fonny and readiness, um, let's just pretend you're a CISO work walking into um a new Fortune 500 organization tomorrow. Oh, wait, you are doing that. Um and let's just say so. Remy talked about three metrics he looks at in this total shift to AI. What are three indicators of readiness that you're looking at when you walk into an organization that's going to help you inform about their level of readiness?
SPEAKER_00Do they have visibility into their LLMs and their AI pipeline? You know, shadow AI? Do they have a comprehensive view of what's going on? You know, again, we all know what you can't see, you can't protect. So that's that's table stakes for me, right?
SPEAKER_02I I have the tattoo, by the way. You know.
SPEAKER_00Go ahead. So, you know, that's that's number one. And then I'll I'll see if there is any governance structures, you know, with respect to you know, onboarding, um, you know, uh agents or you know, your supply chain partners, you know, is there a view for that? You know, uh what are you doing with respect to managing this? Because when a new shiny tool is in the hands of every citizen in the organization, they do a lot of things. And some good, you know, some could be not that good, right? For for the business. So how are you governing that? You know, do you even have a governance structure? And if somebody tells me that governance structure is with the CISO, then again, you know, that's not a good governance structure. You have to have the right people on that governance structure. You're a chief AI or data officer, your you know, business, you know, whoever is running that particular, you know, uh agents or own that agents, right? You know, probably your CTO, probably your your CPO, and of course the CISO as well. Um, so you have to have that kind of governing structures, right? And three ILC, do they even have the education necessary, not just for the leadership, for the I don't know, normal associates as well.
SPEAKER_02Can the teams do it, right? The teams have the you know the requisite skill, are you know, is there a vibe co? I I oh funny. I like I've had this discussion over the last couple of weeks with with other leaders about you know, we we have to make hiring decisions starting now. Like if if you're not AI native, you you can't work here, right? Like people have to redevelop themselves into AI nativeness.
SPEAKER_00Exactly. And then you have to bring that culture that you know that so the teams have anxiety, just be real about this, right? Yeah, especially the foot soldiers. They're like, okay, what you know, we will be replaced, we everything will be automated, so on and so forth, right? That's not the case. What they have, nobody else will have, is the domain knowledge. They being in-house is more valuable for the organization than completely automating with some tool that's not gonna do anything, right? If you understand your domain, you're the king. And bringing that knowledge to you, and then probably initially, what I would say is attach yourself to the engineering team, and then borrow a couple of engineers, and then go have some fun, ask them about, you know, hey, I want to do this, you know, I want to do that, I want to automate this component, I want to automate that component, right? You know, this workflow, that workflow, and take their help. You know, you play something, then of course you will get the knowledge, and because you have to tell them what to do, and and then as a part of the process, you will also become AI native. And six months down the line, you don't even need them.
SPEAKER_02Yeah, it it there's a lot to there's a lot to do, and I'm eventually I think I'm gonna bring um into the series like an HR specialist to talk about these massive changes and how we're thinking about the people issues. I wish we had the time to, but I want to get to an important question with Randy because we you mentioned like three or four things just in that last response, um, Fonny, that is, you know, costs a lot, right? This is not free. This is not, you know, this isn't just replace this for that. This is, I mean, there's cost of what we do, there's the new, you know, cost of of the tokens we're gonna spend to achieve what the business needs. I mean, there's a lot going on here. So Rami, how do you think, well, I I'm gonna I'm gonna let you both answer this, but um first of all, what security investments become the most valuable in a um let's just call a mythos ready world? And um, and what investments become less important? Give me your your quick take on more valuable, less valuable in investments.
SPEAKER_01Yeah, I'm gonna go back to what I said earlier, which is really the fundamentals and the basics are actually worth uh a lot more now, not less. And uh it might sound counterintuitive, but uh hear me out. I mean, I talked earlier about architecture and architectural containment, you know, deep network segmentation. Egress filtering, you know, efficient resistant, MFA, all that good stuff, you know, is going to be incredible from an effectiveness perspective because these are the controls of last resort, right? To be able to buy us time when patching can't keep up. So they're really high-levered spend, not legacy hygiene. So I'm a I'm a big believer in ensuring that these uh probably uh areas where we've been underspending, because there's been a lot of focus maybe on some uh other type of threats, uh, are really key to have the right like layering of controls, to have the right defense in debt. So uh if I'm if I were to think about like where I would focus uh from an investment uh perspective in terms of new spend, I think there'll be two areas. Agentic identity governance is is really shaping up to be uh uh uh a big pain point, and this is something that we are going to need to address as an ecosystem uh to find a solution to be able to deal with uh agentic identities because they're sort of like in between the human identities and the non-human identities. They're in between, they're a category on their own, and and we need to be thinking carefully about how we can get the right observability and the right control uh over these identities, especially in the context of uh you know agent chaining themselves and inheriting uh different set of privileges as a result. And and the other category is really uh agentic set-ups. We have to, you know, be able to transform our detection and response capabilities uh to move at machine speed. So those are two areas. I mean, a third area is really around um agentic uh runtime and being able to sandbox the agent and really understand uh whenever we have back to the conversation about outcome, a deviation from the expected outcome, a way to essentially nuke it out and essentially initiate another action, that's gonna be incredibly important in a mission critical context where a lot of damage could be made if there is a drift in behavior. What's becoming though less valuable, and this is how the economics work, right? You're gonna create some new investment categories and you need to then shift your investments from other categories. Everything that we built around uh human-based point-in-time cadence, so the Corally Pentest report, the reactive patch cycle, this is definitely not going to be relevant in the current era. So um if we want to address this in an economically viable way, we need to also be thinking about the uh structural reasons why we created cyber debt in our environment. It could be a question of architecture of applications, it could be the different technology stacks that we have in the environment, it could be engaging in MA and not consolidating. All of these uh are incredibly important considerations in an era where we need to take a step back and remove classes of risks uh by addressing the root causes of the challenge. Uh so there is a lot of tactical, there is a lot of strategic, and there is also a reallocation uh focus, but the fundamentals are still core to this uh approach.
SPEAKER_02Yeah, I appreciate that, Remy. And um, I can't believe we've already run through time. I've taken so many notes, I could take so many more. Um I'm I want to end this with um uh a direct to-do, a thought for everyone listening to this. So uh Fonny, I'm gonna start with you and then Remy, you can close it out. Um what's the one thing listeners should do in the next 30 days to shift to AI?
SPEAKER_00I would say have visibility, number one, right? You know, go understand what AI pipelines do you have, what LLMs, you know, what you know uh APIs, third-party, you know, AI agents, what's going on in your environment? Please try to understand that first. And have a mechanism to you know figure that out and authenticate that that information is accurate.
SPEAKER_02All right, Remy, what's the one thing everyone should do in the next 30 days?
SPEAKER_01So uh back to the home field advantage. You have that home field advantage, that domain knowledge. So in the next 30 days, just run a single experiment. Uh be thinking about like the most critical system, you know, the one that if it went dark, you would have some explaining to the board to make. I'm sure you're familiar with those uh type of scenarios, uh, Roland. So then then turn like an agent inward and and and basically orient it toward this system and try to map out like all what could go wrong and how attackers could actually get to that outcome, which is a bad outcome for you, that that system is actually going down. I think just doing that level of experimentation will teach you, teach uh the you know, the community a good understanding. Okay, here are some uh plausible scenarios, right? And what are some of the immediate steps architecturally that could be taken to reduce the likelihood of that scenario materializing? Yeah.
SPEAKER_02Um, so many great tidbits, guys. Uh I you know, this is this is a wrap on episode one of a series I'm so excited to do. And again, I cannot thank you, Fanny Rami, for for uh stepping it up and and doing this first one with me. It sets the tone and tenor for what we're gonna be talking about over the next several episodes, um, and probably has shifted and changed some of the questions for my for my next guests. Um, I will tell you that my one takeaway from this, um I think is gonna be that term outcome management. Our jobs are changing to understand, defend, manage, and ensure resilience around outcome management for our business. And I think each of us needs to define what that is, decide what it is, and then go architect and execute in a way that supports the the mission space of our business. So, again, thank you, everyone. Shift to AI is presented by Psyco, the Agentic Development Security Platform. Follow the show wherever you listen so you never miss one of our great guests. Until next time, I'm Roland Cludier, Global Chief Security Officer and Digital Business Executive. Thanks for listening.