By Insight Editor / 23 Oct 2025 / Topics: Mobility, Generative AI, Zero Trust, Cybersecurity
This episode is a holistic review of security best practices — from governance and identity to incident response and AI-specific threats. Insight CISO Jason Rader joins host Jillian Viner to share 20 practical tips for building resilient programs that support innovation without compromising control.
Whether you're a security leader, IT architect, or business exec exploring AI, you'll walk away with clear, actionable insights you can apply today.
Jason explains why governance is the real enabler of innovation, and how treating AI agents like human users helps teams apply Zero Trust principles to emerging workflows. He shares how Insight uses segmentation, telemetry, and layered identity controls to reduce risk — and why frameworks like NIST still apply, even without formal AI standards.
The conversation also covers common missteps, like hoarding data for “future AI use,” and how retention policies reduce residual risk. Jason dives into incident response readiness, sharing how tabletop exercises help teams prepare for threats like prompt injection, model manipulation, and unauthorized agent behavior.
Here’s a preview of the 20 tips covered in the episode:
Audio transcript:
Jason Rader
You know, we just had to redo our AI policy as we've already updated our generative AI policy to just be an AI policy. And there are 200 external AI tools that we've seen people internally use. That's not a bad thing, per se.
Jillian Viner
That doesn't scare you?
Jason
Well, we didn't block those and we're monitoring them. Mm-hmm <affirmative>. You have to click through and basically making sure you understand the policy. Go use those tools. Everybody. We, but don't use data types that we've set in our policy not to use. Yeah. Heck, go out there and have fun and figure this stuff out. And if you need data, we'll synthesize some data for you to use.
Jillian
If you're making technology decisions that impact people, budgets and outcomes, you're in the right place. Welcome to Insight On, the podcast for leaders who need technology to deliver real results. No fluff, no filler, just the insight you need before your next big decision. Hi, I am Jillian Viner, and today we're going trick or treating with Insight's Global CISO, Jason Rader. We're gonna dive into the tricks and treats that security teams and line of business leaders need to be aware of today. All right. Well, October is cybersecurity month, and in the spirit of things we're gonna go trick or treating with you. Uh, you are our Global Chief Information Security Officer, so, you know, I'm sure you have no problem sleeping at night. No concerns with all the things going on with AI and all the new regulations that are happening. There's like a punch list, I imagine, that is on your brain. Yeah, maybe, maybe, maybe. Well, you talked
Jason
About sleepless nights even on October. It's scarier, so it's scary. Anyway, but it's scarier in October.
Jillian
Yeah. We're gonna try to maybe, uh, prevent some security nightmares from happening. Yeah.
Jason
I guess the treat is I'm gonna let other people maybe sleep a little more soundly after we talk.
Jillian
That is a wonderful gift. Yeah. So we got a bunch of different things to talk through because we're gonna basically hit on the things that maybe teams aren't paying enough attention to, or there's maybe some misconceptions or, or just some things have changed a lot.
Jason
There's a lot of change. Yeah. And, and ingesting all of that change is hard. Uh, and, you know, we've been moving so fast that I feel like everybody's in the same place that we are. And, but there's a lot of people who haven't really started the journey yet. And yeah, the mad hookup of waiting is you get the knowledge of the folks that went before you. So hopefully this will help those guys.
Jillian
Yeah. That kind of leads me to one of my first questions for you, because the speed of technology is changing fast means the speed of security is changing fast. Yeah. Does it feel like you're in a more reactive state than you've ever been? Has it changed how you approach meeting with your team and going through the latest security threats and what patches and changes you need to make in your security? Um, strategies?
Jason
It, it kind of feels like that every time I watch or read or do the, you know, my daily kind of intel briefing of what's going on in the world mm-hmm <affirmative>. And I'm like, oh, did we prepare for that kind of thing. But comfortably, when we look back at the, the framework that we put in place and the program that we have in place, we're feeling pretty good about the governance and the controls and those kinds of things that we have in place. But it is, I mean, every day there's some kind of, Hey, are we okay with that? Uh oh, that's a thing. Have we thought about that? And luckily, when you've got like a multi-layered program, instead of relying on just this lock on your front door kind of thing mm-hmm <affirmative>. Uh, it's helpful, but it's still, we've got to continually check and monitor.
Jason
It's, it's really all the aspects of security. Sometimes there were some things that we put up there and you're like, we're cool now. You've gotta make sure that you're checking all of those things. Even, you know, policy and governance and things that you, you never have really had to say, Hey, does our policy cover this? Those are the kinds of things that you really wanna make sure are sorted out so that you can feel comfortable. And again, you know, nobody's in the business of having a security program. People go to market and do business kinds of things. So security enables that business. And we wanna make sure that the compliance requirements we have to do business and those kinds of things are in place. So sometimes the new stuff that's coming up, especially AI, is requiring us to do that. Yeah.
Jillian
You told me earlier that people are actually coming to you with compliance questions, which blows my mind because who gets excited about compliance or actually cares about it, you know, it's like, ooh, another compliance training said no one ever. Uh, sorry
Jason
About that, but
Jillian
Why? But that's changed now and that's fascinating. So people seem to, like, they're taking a little bit more ownership and accountability over security. Like this is a group effort.
Jason
Well, totally. And I think that's a, a great thing. The awareness that we're working on internally is important for us as well. Every day people are making ethical decisions for the company and with the ability of the tech to go way beyond where they've gone before, they can really potentially do some damage if they're, if they're not doing that. So I think that it's awesome when people kind of reach out and ask those questions. But I also think people protecting kind of their line of business based on, Hey, we're in this, we develop code for clients and their requirements are, we have to tell them whether we're using AI to develop. And those are the kinds of things. Making sure that we're compliant there. Uh, making sure that the procedures are in place to do that, and making sure that we can audit those controls. 'cause sometimes just saying you do it isn't okay. You have to prove that you do it. Mm. Those are all the aspects. So I think it's great. And I think, you know, security as an enabler for business is my dream come true. That's the treat.
Jillian
<laugh> <laugh>. That is a treat. Yeah. Yeah. You're kind of famous for saying like, put an end to the security office being the office of no. Yes. It's the office of know-how. Where in your career, or maybe where in like the technology change trajectory, did you come to that conclusion?
Jason
I think, you know, so I was a consultant for 25 years before I became like the stay in one place CISO person. And we're
Jillian
So glad that you did. I, and
Jason
I'm thrilled. It's awesome. Um, but I never thought about it from that perspective before. So it wasn't something that I, the department of no was something I kind of worked through with a client where they, and very many times I had to be the mediator between IT and InfoSec or other parts of the business where those guys just weren't working together. Mm. And I didn't want that to be my legacy, you know? And the, the whole aspect of the way that the CISO works now is a business enabler. If you're not doing it that way, you're doing it wrong, honestly. Do
Jillian
You think a lot of companies are still stuck in that mode? Are they starting to make that transition because AI is forcing them to do that?
Jason
They're realizing it for sure. Yeah. Uh, and I think it's just as they look around and figure out, you know, everybody kind of window shops when they're looking at the way other companies do things they want, nobody says, no, we don't want security to be a partner in the business. Uh, whether or not they can make that manifest is a, is another thing. But I think for all you CISOs out there, you want to be on the side of the business, not on the side of stopping the business.
Jillian
Yeah. The trick definitely is, you know, I'm an employee, I've got this cool new ChatGPT or whatever interesting new tool comes up and I wanna just go play with it 'cause it's gonna make my day easier. And my biggest fear is that if I let IT or the security team know that I'm using it, they're gonna tell me, sorry, put the kibosh on that, it's now blocked. I can't access it.
Jason
So I wanna address that because, you know, we just had to redo our AI policy as we've already updated our generative AI policy to just be an AI policy. And in it, you know, we, I was just talking yesterday, there are 200 external AI tools that we've seen people internally use. That's not a bad thing, per se. That
Jillian
Doesn't scare you. Well,
Jason
We didn't block those and we're monitoring them. Mm-hmm <affirmative>. You have to click through and basically making sure you understand the policy. Go use those tools. Everybody, we, but don't use data types that we've said in our policy not to use. Yeah. Heck, go out there and have fun and figure this stuff out. And if you need data, we'll synthesize some data for you to use. Uh, that's the way that I think you partner with the org. Uh, we don't want to say no, but there are obviously some sites that we've deemed or some tools that we've deemed are not acceptable for contractual reasons with our clients and those kinds of things. Mm-hmm <affirmative>. That we block all out, but, uh, no, use it and then come to us. So I think the thing is is any tools game on with the, in the basically public data, but then when you wanna use the confidential data, we have a process where we can vet that. And I think that's the way you've gotta work with your organization.
Jillian
Yeah. I will give kudos to your team too. You've done a really remarkable job of making a lot of those tools available to us and making some safe tools available to us as well.
Jason
And, and that inertia is good. You know, now it's, and I've just had some great con conversations with side parts of the business that really never engaged before, but it's one of those things where now we're collaborating on how we can go out and do stuff, which is, again, security enabling the business is awesome.
Jillian
Yeah. Jason, how do you start your day? There's so much going on in security and ai, like how are you keeping up with it?
Jason
Mountain Dew first <laugh>, but, uh, I've got, you know, so intelligence is one of those things. Situational awareness is a big thing from a security perspective. So just like, you know, the exec executives out there are out there, you know, checking out Forbes and all of the different things that they get their intel from. I've gotta get my intel from various and sundry sources. Uh, some legit, you know, kind of places that you would think some, you know, I've gotta check the dark web and the other, you know, places to make sure that there's those things. Is
Jillian
There a CSO signal chat that y'all are on? <laugh>? No.
Jason
<laugh>. That's funny. Um, it, no, I wanna see the, the stuff that isn't sanctioned and, you know, so that's part of it as well. Um, and then you kind of extrapolate from that and triangulate what's the reality. Mm-hmm <affirmative>. Um, I just kind of wanna make sure that there's not anything out there that I'm not kind of apprised of. We can't protect everything. I just told somebody today, the analogy was, my goal isn't to go through life not getting sick. My goal is to go through life not dying from getting sick. Right. Security's the same way. We, we don't guarantee we're never gonna have a security event, I guarantee. Well, I don't guarantee it, but my quest is to make sure that we don't have a horrendous event because of a security event.
Jillian
Yeah. So that's devastating. Um, you know, we talked about AI a lot. And agentic AI is like, that's the new, if, if we were a year ago, everyone was talking about generative AI and now the hot new kit on the street is agentic AI. The business wants it, they want it now. Security has to put some guard rails behind it. Who blinks first?
Jason
Um, I think what the comforting part from, from our perspective, you know, we adopted early, uh, AI, so we were kind of ahead of the game related to that. And I, I don't wanna say we saw this coming because I still felt like, wow, everybody was caught a little off guard with how quickly the agentic thing took off. I mean, you know, the platforms that we use kind of enabled it and rock and roll. Let's, let's go do some stuff and like, whoa, are we containing this stuff? But I think, um, I never blinked, um, because, but I had to prove that we could secure it because that was the first thing is we're we don't wanna mess up our business from a security perspective. Right. Uh, I had to prove that. And, you know, those are meetings that you've gotta give some specific evidence that you're, you know, and I showed how many agents we actually saw in our environment, which was over a thousand and everybody went over a thousand. How does that happen? Wow. And we're like, a lot of people are testing it. You know, we could see Fred's AI agent, you know, those kinds of things that they were
Jillian
Testing. Yeah. I'm curious, I don't wanna derail you too much, but a thousand agents, are those agents being developed from like IT teams? Are you seeing this from other lines of business or where people are really getting into this technology?
Jason
Yes. I mean, you had to have access to the tools. So there were people who were given access to the Copilot Studio in our case, and, uh, the Foundry options. But they were out there just testing the stuff, which I think is great. That's, you know, our organization has a lot of engineers and architects and I love that. And people out there experimenting, you know, citizen development, we're all over that, that bottom up approach. Mm-hmm <affirmative>. Uh, now we're kind of focusing on the top down approach to that because we gotta wrangle all these good ideas and get 'em, and make 'em productized for us to deliver to our clients or for us to ingest ourselves. But it was a lot of people just trying it out now and then, so once I say we have a thousand agents and we're covered, you know, we're watching these, we're looking at the telemetry, the next question that, you know, the execs ask is, oh, well, which ones are the most productive?
Jason
I'm like, I don't have that tool. You know, <laugh>, <laugh>, that tool doesn't show up in my, what identities are using agents. Yeah. Um, but what we could show with DLP is that we could see the tools that are hitting DLP the most, which means people are using PII in the prompt, uh, personally identifiable information mm-hmm <affirmative>. Which, so, and it could be an email address or something like that, but that was good to know. So I could say, based on that, we can see that this one's getting a lot of use. And it helped us kind of figure it out before we had other tools in place to be able to check the effectiveness of that. But that's still a quest. I haven't seen anybody crack the code on how much, what's the ROI on agents or those kinds of things. It's still gonna, but security's the same way. It's hard to get the, the metrics for security. Everybody's a little different. Yeah. How do you wanna measure that?
Jillian
I think it's a win if you haven't had a devastating breach. But
Jason
That is usually it. Are we in the newspaper? Okay, great.
Jillian
Right, right, right. <laugh>. All right. Another trick for you, I know governance is, is big, but you're like the house that gives away carrots and apple slices when you talk governance. Dental floss. Yeah. Yeah. Yeah. How do you, how do you first of all, build governance quickly enough to keep up with all these things and then secondly, actually make sure that people are ingesting it and understanding it and abiding by it?
Jason
You said an interesting word that I think everybody uses, quickly, so developing governance quickly. Mm-hmm. I can write a policy thanks to AI, right? Pretty quickly. Right. <laugh>. Um, but that's not how governance should work. Right? It's more than, you know, back in the old days if you wanted to be a security professional, you find a policy on the internet, you do a find and replace, put your company's name in there, boom. We have a security policy. And you pass every audit that ever comes your way. Um, governance has gotta be part of the culture, and that's a different thing, right? Mm. So we've gotta, we've gotta have governance in order to meet the compliance requirements that we've got as an organization, uh, because the policy has to exist so that we could be held accountable for it, right? Yeah. The, and then we could be audited against it, but we want it to be part of the organization's culture.
Jason
So that's one of those things that is a long game that we're still doing training and awareness to make sure that our current governance is in place. But it's, um, it is a place you have to kind of start. So before all the cool AI and security stuff happens, we've gotta do the policies and the guidelines and the procedures. Um, and I think that's, you know, in this cool age of a bunch of smart people doing a lot, a lot of cool stuff, we've gotta make sure that we can operationalize that stuff. And that's where the governance plays so great, cool thing. How do we make it so that this works, that this stays on, that it can be restored in the event of a disaster? All of that stuff. If somebody asks us a question, do, can we, provenance of this particular code? Those kinds of things, we have to be able to answer those as an organization like ours. And again, that discipline that we have for ourselves, we can pass those tips on to folks that we're helping do the same thing. Where
Jillian
Are they often missing the beat on that?
Jason
I think the, again, a policy that just sits somewhere or is written by IT or InfoSec and nobody really cares or knows where it's at, um, it's not really helping. But I think that governance is one of those things that it's not, it's not what rock stars think about all day long, but it is one of those things that lets you be a rock star.
Jillian
Yeah. Well, you had a cool analogy in a blog you wrote recently about NASA.
Jason
Yeah. And that was a, you know, that was a life or death kind of thing. And that was a lot like ai. 'cause they were boldly going where no man has gone before kind of thing. And they had to
Jillian
Develop it very much feels like this moment <laugh>.
Jason
Yeah, it does. For real. Yeah. And I, you know, I used a, a quote that talked about, you know, governance was put in place because loss of life, there was a lot on the line, more reputationally, there were a lot of things on the line, and that they started with governance. And I was like, that's exactly why we did it this way. And I, I'm really grateful that we did, because it's our governance model is what allowed us, and and security program is what allowed us to go fast. Mm-hmm <affirmative>. And when you can go fast, now you take share. And that's the way we've gotta go.
Jillian
Is there a specific framework that you can build around the agentic AI security?
Jason
There's, there's nothing. So when we talk about frameworks and that, that's the other thing. I, you know, I've been a consultant for my career, most of my career. Mm-hmm <affirmative>. And the reason that I bring a framework forward is because the framework usually has some something behind it. You know, an entity that everybody trusts, you know, that's PCI, the payment card industry, um, NIST, the National Institute of Standards and Technology. When those guys come forward and you say to the people that don't really understand the thing that you do, you say, I'm aligning with a framework, it makes 'em feel more comfortable that, oh, it's covered. Right? And as long as he can say, or she can say that they're aligned with this framework, we feel like we're, we're covering all the bases. Um, there's really not an instantiated de facto AI framework yet. But what I would say is that security frameworks like the NIST Cybersecurity Framework, and those starts with governance, goes to identity, goes to protect, goes to detect, respond, recover.
Jason
That's still in AI. So we can apply anything that we're doing. And I also think from a practical perspective in security, you know, people always, not always, but sometimes people say, Hey, I need a ransomware solution. I'm like, the best solution for ransomware is a good security program. Same with AI. The reason we were able to ingest AI, like I said, is because we had a good security program in place. So I think there will certainly, and NIST has released some stuff, there's some stuff going on inea right now. Um, I'll show you in New Zealand, they're out. But there's nothing that kind of is the, and oh, sorry. ISO has a standard as well. Uh, but there's nothing that's like the thing mm-hmm <affirmative>. And I would say in absence of the thing, still kind of defer back to something that you're comfortable with that your whole program aligns to. Yeah.
Jillian
I can make the connection here too, where we're talking about agentic AI, we're really talking about almost like digital teammates, right? We are creating specific roles that AI is taking on. They're executing tasks. And when we approach it that way, we're often giving the, the same guide rails to the AI as we would to a human being. We
Jason
Do it exactly that way.
Jillian
Yeah. Yeah. And zero trust and identity, I imagine would be part of that process as well, right?
Jason
Totally. And so those aspects of Zero Trust, which we, you know, again, we're not the utopia of Zero Trust, but where the idea of zero trust, I think that's where most people are. Mm-hmm <affirmative>. In the journey. But the fact that we explicitly give access to data, the fact that we make every agent use an identity, those are, and we can monitor all of that telemetry just like it's a normal user, just like you or me going to access some stuff, an agent doing it, we're gonna monitor them the exact same way. And we can see just like risky user behavior, risky agent behavior looks like risky user behavior. And we, we have that telemetry and those alerts coming in. So it's a beautiful thing when you do it that way. Had we not had those elements of Zero Trust in place mm-hmm <affirmative>. We'd be quickly trying to implement those elements. Um, and I, again, having a good foundation is the way that we were able to embrace this quickly, but it's not too late. Uh, but it's just some of those things that are kind of hurdles to get over with changing a paradigm of the way that you do things potentially. Um, that's where you want somebody who's kind of figured it out to kinda help you on the way.
Jillian
Yeah. Is there, when you're looking at like making maybe an identical AI agent, a larger scale agent, you're applying that zero trust, you said you give it an identity, but what does that entail? What does that mean?
Jason
Sure. So like, depending on the platform you develop on, if, you know, we use the Microsoft platform. So it's, it's all kind of built in. So, and that's the way that I wanted it. Um, we use other platforms, but the beautiful thing is when we want those people that created those thousand agents mm-hmm <affirmative>. When they went out and created 'em, it created identities for 'em. So that's how we were able to track. So if you're using the right tools that have those integrated elements, it's gonna go out to Entra, which is Microsoft's identity provider, and it's gonna be request an identity and get it. Um, so that is one of the ways, there are ways to create agents out of band of that. And again, those are things that concern. What's good about that, if you're following Zero Trust, those new identities that are created on the side don't have access to the data that's been explicitly getting access to stuff that's in your Entra.
Jason
So luckily it kind of works itself out. Now we don't want a bunch of rogue stuff and we monitor for that as well, but it's a lot of layers. So the quickest way, again, and I think I was just having this conversation earlier today, is there a way to bypass all of that and do something quicker, better, faster once you figure it out? Sure. But you've gotta figure it out first. And I think the safest way to figure it out is empowering people with like a Copilot Studio or the Azure Foundry, uh, cloud Foundry, being able to do those things. And that's helped us a lot. Um, because otherwise there would've been some stepping stones we would've been able had to go through before we were able to empower our users.
Jillian
Yeah. It always seems to come back to foundation. If you're talking about infrastructure, security, anything, it always comes back to having a good foundation. It
Jason
Really does. And data on that backend as well. Yeah, I mean that's, that's, you know, a lot of people run into that. 'cause if we didn't give explicit access to identities on our data and just said everybody has access to our data, boom, then we've eliminated some of the control that we had for rogue agents or things like that.
Jillian
Yeah. Zero trust seems like such an obvious direction to go. And somebody pay attention to like, what, where are people getting tripped up? Where do they feel like, where do they think that they've got it? And then like, where are you finding a lot of the holes, common missteps?
Jason
You know, Zero Trust is basically, you know, beyond the tenet of assume that you're breached already. The reason they, they say that as a tenet of Zero Trust is because if you're breached, you're trying to make sure what do people have access to? What's the blast radius? Those kinds of things. So always think that way. The way that we deal with it is everybody has an identity. All the data has it. So that you have to have been given explicit access to access to data. And then segmentation is the other kind of aspect of that, where certain accounts have no business on this part of the network or this part of the network. So we've tiered our environment out from a segmentation perspective. Heavy identity focus and monitoring and visibility around that. And then making sure that all the data, certainly the data that's the crown of our organization, uh, is making sure that explicit access is.
Jason
Yeah. Have we been, you know, we're a 35-year-old company. Is there stuff out there that we gotta deal with? Yeah. But one of the ways you could deal with that, which is a hats off to legal, is have a data retention policy. Guess what? Everything that's older than three years, let's get rid of that. That's residual risk to the organization. If we get rid of that, unless we're required to have it, or it's being used every day for business, that's a great way to get rid of a bunch of risks. Now people are holding onto that data 'cause they think AI's gonna do cool
Jillian
Stuff. Say, yeah.
Jason
You've gotta, you know, make that determination. Well,
Jillian
And I just think about our human nature is such to collect and hold onto things. I mean, it always feels so good when you do like that maybe spring cleaning purge, and we just have to get in the mindset that we don't need all these things for so long. Is that ki like, when you get into a client environment, are those kind of the things that you see that you're like, you know, you don't need all this data, you haven't actually locked down the access points.
Jason
Yes.
Jillian
All the things. It's,
Jason
It, it's all the things. I mean, it's, it's, I'd love for you for to be able to say everybody's a unique, you know, unicorn of, it's pretty much 80% of everybody's the same. Mm. Us included. Which again, while we solve our own problems, we're helping, you know, taking that to clients. When we solve problems for clients, we're bringing that back to ourselves because that's important too. Yeah. But I think the, the whole, everybody kind of does the same thing. Everybody's saving a ton of data. I remember asking before the AI thing was readily available and kicking off, people always would say, we have an intention of using AI with this data. I'm like, but it's like, log data from, you know, 10 years ago from your firewall or something. Why do you need this? Um, but hey, we also sell storage as well. So it's one of those things that
Jillian
<laugh>,
Jason
I, I
Jillian
Get it. Get a storage unit for all that data.
Jason
No, I've, at home, I've got a gigantic NAS
Jillian
That's
Jason
Full of stuff that, uh, I'm, I'm just as much of a culprit.
Jillian
Uh, talk to me about incident response readiness. Mm-hmm <affirmative>. Over incident response theater. You mentioned tabletop earlier. Yeah, I think it was maybe before we actually started recording, but I know it's a practice that we're actually pretty good about here. And it's something that, that I think we hear a lot about. That's maybe not a great practice for a lot of organizations.
Jason
Well, yeah. Um, so you don't want to figure out your incident response during an incident is my number one thing. <laugh>, unfortunately, a lot of people do. Um, but yeah, the tabletop exercises is so, it, it's fun. Usually for me, <laugh>, I mean, I'm a nerd, but it's, uh, that premise of just basically getting a bunch of folks around the table and going through, okay, this happened. Who responds to it? Who would see this if it happened? You know, and just working through those things. We just did it specifically with injecting, you know, prompt injection into an AI model that was public facing on our website. What would happen? Who would see, how would we do this? Who would we have to communicate to? What are the legal requirements? What would it affect? What would we shut down? How would we push the AI kill switch? Um, and that, those are great exercises to go through because, you know, you could have something in a policy that nobody read or follows.
Jason
Right? Um, but again, it's the real, we have the operations people, we, you know, I'm there. We've got a whole bunch of people from multiple sites. It wasn't just the IT folks and InfoSec doing it, it was the people who were the operations folks. We had legal there. And I think that's a great exercise. Legal had some great input, you know, operations had some great input. We figured out some places that, not specifically related to that attack, but just as we were going through how things are passed off or escalated mm-hmm <affirmative>. We were like, Hey, we probably should tighten that up and, and do some very specific things. You know, at first, if there's people can't get to something, it's an outage, it's not a security event, then when does it become a security event? You know, when do we determine that? When do we have to contact legal? When are they brought in? Uh, so those are things that everybody could, should sort out. You shouldn't figure that out while it's going on.
Jillian
That would be a terrible, terrible trick. I'm glad that you mentioned the prompt injection into generative AI. I feel like that's something we haven't talked about in a while, but more to the point it's, you know, AI is getting integrated in so many different processes from content generation to code generation. Tell me, what's the latest on how businesses are treating generative AI across business units, particularly with code? Like, are you giving different advice to clients these days from like a security perspective?
Jason
Yeah. I mean, we, we develop a lot of code in our organization for clients, for ourselves mm-hmm <affirmative>. Um, and you know, again, as we solve our own problems, we take those to clients, but clients that developed code, I think are, are realizing there are certain models that are kind of more, you know, it's, it's kind of like you sell something that's, I, I can't think of a great example now, but, you know, so the Yugo got a lot of heat from, uh, being a not a great car. So if you're trying to sell a Cadillac and a Yugo, people are like, oh, that Yugo's not that great. Well, what if it's faster? What is, what's your use case for it? It's the same case from an AI perspective. You something that generates really good code. So there's, there's the whole aspect of the usability of it.
Jason
How, how quickly can it generate code for my people that we can deliver. But then there's also, from the client's perspective, if you're using Grok or DeepSeek or GPT-5, you know, there's, there's a perception potentially. And I think from a transparency perspective, you should be prepared to say all of the different models that are used to generate your code, which is why it's good to standardize on an enterprise platform that you can do those things with. But I think what clients, so just clients are becoming more discerning related to your process. They'll maybe evaluate you based on what you can tell them on your methodology for, for doing this kind of stuff. But I do think, you know, there's a risk back to the prompt injection, back to the jailbreak aspects. If we're relying on code that's generated by these to actually call models themselves, then there's a question of which models are they gonna call? How tricky can that it, has the model been designed to design code that lets people lets their application phone home to a nation state or something along those lines? Those are things
Jillian
Back doors and code. Yeah. You have to think about.
Jason
Yeah. Uh, and if we've got a bunch of people that are really good at designing or vibe, coding stuff, and then they're not good at checking to see if the back doors are there. Mm-hmm <affirmative>. Uh, we're in trouble. So it's, I think there's a lot of things about developing code that we used to think, oh, it's developers. They're following a software development life cycle that's done. Who's the cheapest? Uh, now it's a, there's, there's more to that that the client, that the customers, the, the consumers of this have to think about. Um, so everybody's gotta become a little more aware. And if you're not, you could run into a problem. Yeah.
Jillian
I mean, these models are changing daily, it feels like. Yeah. It's so hard to keep up with. So your advice really to clients is like, if no matter who you're working with, whatever vendor, get some transparency behind what models are using, how it's being used, where it's being used. Have that documentation
Jason
1000%. And if you ask that question and they can't answer it, it's something to think about.
Jillian
Go to the next house. Yeah. Close
Jason
The door,
Jillian
<laugh>, go to the next house. No treat
Jason
Here.
Jillian
<laugh>. All right. Let's get to another really juicy No, this is another dental block. Dental floss house. Yeah, sorry. Um, compliance, we've talked about this in a couple other episodes about, you know, organizations understanding how to meet compliance. They will bring in a security expert to help them check all those boxes. Isn't that good enough?
Jason
Well, it is good enough. It depends on what you're trying to do, right? Uh, I'm a certified auditor. Uh, and the bad thing about that is, uh, with kind of the mischievous nature that you have as a security person, that means I know exactly how to pass an audit. Um, everybody who's ever passed an audit, or how about this, everybody who's ever been breached probably passed their audit. Hmm. Um, that those things don't equate to security.
Jillian
It's like living in a gated community. It's just a far it's deterrence. Maybe it's an illusion. <laugh>. Yes.
Jason
And, and that's the thing. Uh, and I do think people can get hung up in the, well, we're compliant. Mm-hmm <affirmative>. Secure. We're not spending another dollar on security in the organization. And, and we talked about earlier, before we got started that, oh, we're not in the newspaper, so we must be doing good. That's a ticking time bomb, in my opinion. So the compliance isn't something that I relish, but it is, I think my opinion when I came to Insight as the CISO was, you know, audit said, Hey, we wanna run an audit. And I'm like, great. And they're like, what? And I'm like, it's okay. Tell me, tell me what we're doing. We're partners in this. Tell me where the gaps are. We'll fill the gaps. And they were like, what a fresh approach. <laugh>. Um, and I think that's, you know, you become compliant to the control, the framework, the controls framework that you use.
Jason
You get audited, they tell you where your gaps are. You go fix those and you become compliant to that. You know, that level. And there's a maturity level sometimes. Um, it's, it's the way that it's, it's a checkup. Right. But it doesn't mean, you know, I've gone to the dentist and had no cavities and I went back the next time and I had three cavities. What happened? Um, and then they, you know, tell me to brush more and floss more and fix those cavities. And then I'm not done with cavities for the rest of my life. They, I've gotta still maintain that.
Jillian
I see. You're, you're still the dental floss house?
Jason
I am. Yeah. I'm, I'm giving people cavities with my treats. <laugh>,
Jillian
Let's do a speed round. Okay. Okay, let's do this. All right. You're gonna give us five power moves for the C-Suite to bolster their security. Okay. Starting with, we talked about agentic AI earlier. So what is the thing that leaders can do starting Monday to improve their agent identities?
Jason
So I think they need to verify that their agents are getting identities 'cause it's possible that they aren't. And then making sure, what I had to do was go through every console that we used to check users and make sure we could, could differentiate between the agents and the users. And I showed that to all of the execs to make sure that they understood where we were with that. And some of the, you know, some platforms are catching up as well because one of the consoles said coming soon. So they hadn't really sorted the agent thing out as of yet, but they knew that they were going to. So the tab that said agents said coming soon, that's okay. Uh, we were covered on four other things, four other tools that we used. But it was, you know, it's good to know that the platforms are gonna be picking that up probably by the time now it's probably in there, but I feel super good about where we are right now. But we can't, we can't rest. I mean, that's the, again, I'm not gonna be sleeping soundly for a little while.
Jillian
<laugh>, so you're not allowed then we can't ask you what keeps you up at night. Yeah.
Jason
So, Mountain Dew it is.
Jillian
<laugh> Alright. Uh, the tabletop exercise, incident response plan. Yeah. What's, what do you need to do Monday to make sure that you're ready to go
Jason
Schedule one. I mean, I think it's, that's easy. I call 'em messy meetings, you know, have a messy tabletop. What's the worst, the best thing that could happen is you learn where you've gotta go. The worst that could happen is you faked it and something real happens and everybody's super surprised by it. That is not good business. So security, we enable the business. We don't lie to the business so they can go so they get to sleep well. Mm-hmm <affirmative>. We're all staying up, let's figure this thing out. And I think that partnership is really important.
Jillian
Number three, how do you test your workforce that they're paying attention to policies and following them?
Jason
Well, we do quite a sinister phishing test every so often. <laugh>
Jillian
It is a big trick. Yeah.
Jason
So I got it two, two times ago I got hit. So it's funny 'cause all the executives when they do it, they'll reach out to me going, Hey, I got it <laugh>. And I'm like, it's cool every, it's okay. Uh, and then I got hit and I was like, oh, I did the training. It was like one in the morning, I'm laying in bed, I looked at my phone, I clicked the wrong thing. Oh. And I was like, dang, I'm doing the training right now because I'm going through this. But
Jillian
Jeremy Nelson admitted that he fell for it once too. So
Jason
It happens. And I think, you know, some people are like, that's terrible. I'm like, no, it is awesome because the bad guys aren't gonna take it easy on us. Let's make it as hard as possible and then let's work from there. Um, now I hope nobody checks their email anymore, but hey, I can have AI do it actually for me, which I do quite a bit. Catch me up on the emails I really need to, to, to look at. Yeah. So, but I think that's an important part. Okay.
Jillian
My CISO says that our identities are locked in. Is there a way to pressure test this?
Jason
There is. I mean, be careful because how you pressure test identities is probably doing something with your own identity or an identity that's out there that you're, you know, impersonating. Um, so it's, it's typically good to do those things with authorization, uh, which red teaming and we do quite a bit. Um, but I think, you know, the way that you would test them is we would see if we did something that was, and usually one time isn't necessarily, it's a positive, but it's not something that we have to chase down because sometimes people click stuff or they try to see if they have access, they need to request it. That's not an event. Um, somebody going 25 times and two different accounts, which is like, means somebody's impersonating another account trying to hit something they're not, they don't have access to, that's gonna raise some flags. Yeah. Um, and then if we go back and you're like, Hey, I was just, just testing it. We're like, okay, well let's go next time. Let us know <laugh>. Um, but I think that would be the, the test is just to see if, and that's literally the first step in most cases. It's gotta be, we have to have visibility that it actually happened. Otherwise somebody saying, oh, six months ago somebody tried to do this, you didn't notice. Well great. That's terrible. Uh, so it's making sure you have the visibility into those things.
Jillian
And number five, how often do the InfoSec IT teams, even lines of business leaders, need to be getting together to update each other on potential security threats, changes.
Jason
I think, you know, our board is actually really good about wanting a security brief and I, not just like, how's Jason and his team doing, but more about like, what are the external internal threats that we're thinking about? So I think that's good. So that's at least twice a year. Um,
Jillian
I'm surprised you didn't say more often. Well, but that's with the board.
Jason
That's with the board. Okay. Yeah, I do. You know, and executive, ELT, executive, um, leadership, the, we do it quite a bit. And you know, what's also awesome is that I'm not the only guy carrying this torch. You know, our chief digital officer, my boss, uh, our CEO Joyce, they're great at keeping abreast of this stuff. I mean, it's pretty normal weekend to get texts from Joyce going, Hey, what about this? And you know, and I think that's awesome.
Jillian
So if your, if your leadership is not engaged and paying at least a little attention to security, you need to get them engaged. That's
Jason
The key. Yeah. And I, again, it probably goes back to that whole is security enabling the business or are you just the department of No. Or the, or some expendable scapegoat that they're gonna say, oh, let's get a new CISO because this guy let, let's get breached. Yeah. Um, and, but having everybody kinda, ooh, we wanna do this in business or we want to, or Hey, are we covered in this? Or Hey though, that's a great thing. I mean, it's, people probably in the past didn't want their CEO to ask those questions, bring it on. We want to have this collaboration. Yeah.
Jillian
One of the scariest, uh, attacks that we're seeing these days, and I think it's been going on for a year and it's only gonna get better, are the generative AI attacks where it's a full on impersonation of, you know, you think you're talking to your CEO, they're on camera, it sounds like them. It's talking their speech pattern. Is there any way as like a normal human being to say like, Ooh, red flag, this isn't who I, I think of. And if there's not, what's, what is, what would be your advice for, okay, this person just made kind of a strange request and I got a little bit of a tingle, but because they're my boss, they're important, I'm, I'm just gonna action on it. Like, is there, I think with families, you know, we heard a while ago about the horror stories of parents getting the call about their child being kidnapped and you hear them on the, the phone. So families started putting together, like, passwords. Mm-hmm <affirmative>. Do you have to do that as a business now? Do you have to have passwords or some sort of like secondary, almost like authentication in another way?
Jason
Exactly right. No, and we do use those. Um, so that's, first of all, if you get the tingle, that's, that's what keeps humans alive, is that instinct. And so follow that instinct. And nobody's gonna be mad if it was really your boss. They're gonna be like, Hey, good job. Yeah. Validating this. But yeah, I mean, the uncanny valley is gone with that kind of stuff and it's the natural voice and impersonating somebody with an AI avatar mm-hmm <affirmative>. We're doing that later today. Right. So it's definitely gonna be there. But, you know, with the executives with those kinds of things, if somebody, you know, the way that you keep that from happening is how did this person get into our, you know, environment to in the first place? Is this a Teams meeting? Is this a Zoom meeting? Is this something that we had scheduled? Because that person would have to log in technically as that person to get in.
Jason
So luckily having good identities and keeping people out of our environment mm-hmm <affirmative>. In the first place. Um, but yeah, we have literally the most basic of things is, I know the phrases from the folks that I have to deal with that when we're gonna make decisions, but also never act very significantly from a simple text message, or especially if it's not from a number in your contact. Yeah. Um, those are the kinds of things, but that's never going away. Um, but the standard social engineering tactics also apply. So, you know, it's a person of power or a person that, or it's a level of urgency. All of those things are still gonna apply. And we consistently do training, you know, reminders.
Jillian
I was gonna ask, we get those phishing emails. Are we gonna start getting deep fake tests too? Like I'm gonna get a one-on-one with Joyce and be like, oh, wow.
Jason
I am not saying that that hasn't been requested <laugh>.
Jillian
Oh, it does sound like that's probably the next evolution of cybersecurity training within corporations. It
Jason
Is. And and again, I it's, some people would say, well, that's not fair. And I'm like, I get it, but
Jillian
Not fair.
Jason
Not fair to try to trick people that way. Um, but it's, the adversaries are doing exactly that.
Jillian
Yeah. So we've got, I would rather you play a punk on me than <laugh>.
Jason
Yeah. It's like, am I being punked? Yeah, yeah. No, I totally, and again, I think that as we think about security in, in general, you're not a, you haven't done anything horrible because of security event. Somebody's taken advantage of you in some electronic or personal way. What we've gotta make sure, back to that whole sickness thing is that if it does happen, how far can it go, uh, to cause loss or you know, some type of serious event happening at the organization. It's gotta be more controls than just somebody texting you saying, I need $600 in steam gift cards. Right. It's gotta be something where, oh, for me to do that on my corporate card or, or those kinds of things. There's gotta be other controls in place. Yeah. And again, a good program with good governance, good training and awareness, all of those things kind of come into play because we, we get down to the level of tracking shipments and those kinds of things to where we can say, oh, this doesn't make sense. And we can go back and figure that out. But that takes a program that's, that's mature enough to actually get to those levels. Because sometimes if all you're ever doing is just in time kind of stuff mm-hmm <affirmative>. If that investment hasn't been made or your team's not mature enough, you don't have the right platform. You're, that's, those people never sleep. I at least sleep a little <laugh>.
Jillian
It feels like we're moving toward a future where AI particularly is going to make the day-to-day tasks that today we're struggling with and getting bogged down with. And like those big decisions are somehow happening miraculously fast. So it sounds like at some point the dream is AI has made our daily lives easier and the consequential tasks that we might do that involve sending payments or extractions, there's actually gonna be a little bit more red tape there and it's gonna be a good thing. Yeah,
Jason
That's fair. And again, there's the whole human in the loop aspect is an important thing here. If we just had everything agentic and we just sat back and collected paychecks, I don't, that's not, we're pretty far from that, in my
Jillian
Opinion. <laugh>, I hope
Jason
So. Um, yeah. Let's just make our AI avatars and go home. Right, right, right. Um, but the human in the loop aspect is still required. And again, I think if governments and regulating bodies have anything to say, they're not gonna let everything be totally human out of the loop. Mm-hmm <affirmative>. Um, so we're still gonna have to have those things in place. And again, as people are looking at how to ingest ai, they'll need to look at where those checks and balances need to be, re-engineer processes, those kinds of things. Okay. If we're doing like next level Jetson stuff, there's still gotta be somebody at the end that's gonna push Okay. On the button.
Jillian
So what are you excited about over the next six months?
Jason
You know, I, my team, we we're like chatting all weekend. We're doing a lot of cool stuff. Model Context Protocol. Mm-hmm <affirmative>. Um, and what that does is it, it gives the agents, 'cause here's the deal, from a security perspective, I don't want, well, I want a bunch of agents, but I don't want everybody who makes an agent to have to program the right security into it. Otherwise, now I've gotta check every agent to make sure that it's been coded correctly. I want all of those agents to kind of forego that and then go through something that can tell 'em where this stuff is properly that they don't have to do themselves. And that's where MCP comes in to save us. Mm-hmm <affirmative>. So it's, uh,
Jillian
Can I ask you, this is an example of this 'cause I Sure. I recently used our, our internal Copilot that has GPT-5 now. Yep. Yep. And I am planning a work trip mm-hmm <affirmative>. And so I said, here's the event I'm going to, here's the hotels, find me some flights. What was interesting about the results is that it actually referenced the system that we use to book flights and was like, make sure that it's compliant for this and that. And when you submit like it, it referenced our, our process. I was like, wow.
Jason
Yeah. So that's the, what people are going to expect moving forward. Now the, the security aspect of that is, it's not a standard yet. Mm-hmm <affirmative>. So there could be something better that comes along. I doubt it. But the thing is, is when things get standardized, then we can audit them and check them and those kinds of things. So we're at this interesting thing where we're leaning in and still going into this because everybody is, and we don't wanna be, we wanna be really comfortable with it while we're doing it. Mm-hmm <affirmative>. And leverage it ourselves. Um, but the standard makes it so we can kind of productize those things. And I, I see a lot of that. That's gonna be one of the things that if agentic was going crazy, MCP is one of those things that's gonna allow us to settle down y'all and here's how we do this kind of stuff. <laugh>. And it makes it easier for agents to be creative to be honest. Yeah. So, and use capabilities like flights or weather or those things that, why would they wanna code that they don't, they want to something else to go figure that out.
Jillian
And this is a great process. You guys are figuring out piloting in house and then when you're going out to meet with clients. 'cause everyone wants agents right now. Yeah. You're just replicating what we've discovered.
Jason
Absolutely. It's the most beautiful way to work. I mean it's, I feel fortunate to do what we do from a security perspective. 'cause what if we didn't take security to our clients? Yeah. If it would just stay here. And I feel like that's a missed opportunity. What's cool is when we do something cool, we can take it to our clients. Jason,
Jillian
You're like an astronaut. You're just out there in the new frontier <laugh>. Yeah.
Jason
And it's, it's awesome. Uh, and we will go boldly go where no one has gone before. But I think we're all, and that's the other cool thing, is we're all going together, which is neat. It's not just this solo mission. Mm-hmm <affirmative>. It's everybody going together. 'cause it's cool to watch, but it's better to participate.
Jillian
Well, I can't leave. I can't think of any better way to end our conversation today. It was truly a treat to talk to you
Jason
As well. I, you know, always enjoy our conversations. Let's do it again.
Jillian
Let's do it. Thank you Jason. Thank you.
Speaker 3:
Thanks for listening to this episode of Insight On. If today's conversation sparked an idea or raised a challenge you're facing, head to insight.com. You'll find the resources, case studies, and real world solutions to help you lead with clarity. If you found this episode to be helpful, be sure to follow Insight On, leave a review and share it with a colleague. It's how we grow the conversation and help more leaders make better tech decisions. Discover more at insight.com. The views and opinions expressed in this podcast are those of the hosts and the guests, and do not necessarily reflect the official policy or position of Insight or its affiliates. This content is for informational purposes only and should not be considered as professional or legal advice.