CISO Series
  • Podcast
  • CISO Series Podcast
  • Identity and Authentication

I’m Stuffed, I Just Couldn’t Take Another Credential

By
David Spark
-
February 27, 2024
Credential stuffed

Credential stuffing attacks can put organizations in a tricky spot. On the one hand, they are dealing with a data breach caused by password reuse that is outside their control. On the other, blaming the victim is rarely the right move. So what kind of reasonable expectations can companies have about how much users will do to protect themselves?

This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series, and Andy Ellis (@csoandy), operating partner, YL Ventures. Joining me is our sponsored guest, Jay Trinckes, director of compliance, Thoropass.

Got feedback? Join the conversation on LinkedIn.

Huge thanks to our sponsor, Thoropass

Still spending time collecting evidence and worrying about breaking free of an infinite audit loop? Relax! We fixed audits. Thoropass provides complete infosec compliance management, continuous monitoring, and security audits through AI-infused software and expert guidance – allowing you to do business with confidence. Learn more at www.thoropass.com.

Full Transcript

[Voiceover] Best advice I ever got in security. Go!

[Jay Trinckes] The Internet was never built with security in mind. You can’t blindly accept anything as truth coming from the internet, and I think it’s going to get even worse with advancements in AI, deep fakes. Not only do we have to figure out what is true or not, but now we’ll have to figure out whether what we are actually seeing or reading is human versus AI.

Don’t trust anything you can validate or verify first, and make sure it’s from reputable sources.

[Voiceover] It’s time to begin the CISO Series podcast.

[David Spark] Welcome to the CISO Series Podcast. My name is David Spark. I am the producer of the CISO Series and joining me for this very episode, one of your favorite hosts, it’s Andy Ellis, the operating partner over at YL Ventures. Say hello to the audience, Andy.

[Andy Ellis] Hello to the audience, Andy.

[David Spark] That is one of the oldest jokes in the world.

[Andy Ellis] It is and yet it still makes you smile every time I do it.

[David Spark] My favorite joke, and I remember seeing this and it’s an old joke that’s been repeated and I may have mentioned it on a show and I saw it on an episode, not recently, but I think the last time I remember was on Welcome Back, Kotter. And all you do is you hear someone on the phone and they’re talking to someone.

You don’t hear the other side of the phone conversation and they’re saying, you don’t say. And then there’s pause. And they go, you don’t say. You don’t say, and then they hang up, and they look to everybody else, and so everybody else goes, so what’d they say? Uh, he didn’t say. That’s the joke. That always cracked me up.

It’s such an old dumb joke. Anyways, we are available at CISOseries.com, and our sponsor for today’s very episode is Thoropass. Compliance with confidence. And in fact, we’re going to be talking a good amount about compliance today. In fact, Thoropass is responsible for our guest, and this is a great, great conversation we’re going to have today.

Before we jump into that, Andy, I often ask you beforehand, what would you like to banter about, and you said, oh, my birthday is going to be in a couple of days from the recording, and I responded. Nobody cares outside of your immediate family, and I truly believe that, that nobody really cares it’s your birthday out of immediate family, but you defended, what, what were you starting to defend?

[Andy Ellis] It’s always a reason to have a party or do something fun, like people look for excuses, so if you don’t make the birthday an obligation. Like, so what I’m doing is I’m actually going to go to a local hockey game, the Women’s Professional Hockey League, the Boston team. They don’t even have names.

Like, it’s very weird.

They just reconstituted, you get a city and that’s, and a logo, but not a name. And so we’re going to go like, it’s, we’re watching local hockey. It’ll be fun. I put it on Facebook. I said, here’s where my seats are. Within a day, like every seat around me had been sold. Well, that’s pretty cool.

So people were just looking for an excuse to say, Hey, let’s go do something.

[David Spark] That is now that. And, but you have to set it up well and easy, like there are plenty of tickets available. They’re probably free to cheap. Here’s an excuse to go have a good time. So all right. I’m buying into that, but you had to orchestrate that.

[Andy Ellis] Oh, literally, the orchestration was, I bought my tickets. I made sure that I bought them with empty seats around me.

And I posted the link on Facebook and said where my seats were. That’s the entire amount of work I did. Like it could be zero people showed up or 50. I don’t know.

[David Spark] There is a feature on Goldstar and I don’t always see it, but it can do something similar. You can buy a ticket through Goldstar and they’ll give you a link to share with your friends and say, if you share this link, we will put seats next to your seats.

[Andy Ellis] Oh, that’s kind of cool. That is great. I’ve never heard of Goldstar, so this is a totally new ad placement.

[David Spark] Oh, so Goldstar is this thing, Goldstar Events, which allows you to buy sort of discounted last-minute tickets to anything, to music, concerts. Like Ace Tickets.

[Andy Ellis] But in San Diego?

[David Spark] Oh, it’s all over the place. It’s not just San Diego, it’s everywhere. 

[Andy Ellis] Oh, okay. 

[David Spark] But you have to be in a major city for it to work. I’m sure they have a Goldstar in Boston.

[Andy Ellis] I’m sure they’re trying to break in here, but there’s a lot of competition.

[David Spark] This conversation has nothing to do with cybersecurity. Are you trying to find a loose connection, Andy?

[Andy Ellis] Oh, I could totally make up some connections if you really want to. Like, I’m advertising a location I will be at, I put it on social media, we could all have the crazy, like, oh my god, you’re gonna leave your house unattended on a specific date.

[David Spark] But actually, that date will have passed by the time people hear this.

[Andy Ellis] Absolutely, and I’ll have the alarm set in my house anyway.

[David Spark] Yeah, so you’re safe. There you go. Unless our listeners have developed a time machine.

[Andy Ellis] Hey, if you have a time machine, I will just point out that you have much better uses than coming to my home. But I will say that my time travel policy is murder on sight.

Time travel is immoral. Did you use it? You should, you deserve to die.

[David Spark] Well, that opens up a whole nother can of worms that we’re not going to get into.

[Andy Ellis] It’s the only, only capital crime that’s like that high up.

[David Spark] If you are listening to another voice that’s giggling through all this nonsense, that is our guest who I’m thrilled to bring on right now is our sponsor guest from our sponsor Thoropass.

He is the director of compliance, Jay Trinckes. Jay, thank you so much for joining us.

[Jay Trinckes] Thank you, David. Thank you, Andy. I’m excited. It’s going to be a lot of fun.

Is this the best use of my money?

[David Spark] “Ever since the SolarWinds Orion attacks, there’s been a lot more awareness around the software supply chain. So why hasn’t this led to more action? The reality is that while CISOs might be more aware of supply chain risk, it’s only one among many that they’re dealing with,” noted Matt Middleton-Leal in a recent piece on Dark Reading.

Software Bill of Materials or SBOMs seem like an obvious solution here, but it isn’t happening even if you pressure an outsourced development team to require them for acceptance of the job. So someone has to take responsibility here. If SBOMs are going to be the answer, how are we going to get there?

If they’re not the answer, what other way can we combat third-party risk?

Because what we’re doing right now, I don’t think is working because we’re hearing these problems all the time, Andy.

[Andy Ellis] So I, I got to say SBOM is like the biggest snake oil thing. And I don’t know how many times on this podcast, I’m going to have to say something like that. Let’s go look at what happened in SolarWinds.

And, and I don’t actually care about SolarWinds itself being breached, but all the downstream effects, cause that’s who really cares is SolarWinds customers. How did you get breached? You got breached because there was a malicious code change injected in directly to SolarWinds Orion, and you were using Orion.

That’s your problem. SBOM’s not going to solve that at all. Zero. Nothing at all. There is no possible way that you can take SolarWinds and say, and SBOMs will help solve that problem. It doesn’t. So I just want to stop right there and say, that’s our issue. Our issue is we have a very interconnected ecosystem and you trust a lot of people.

And here’s my simple thing. Everybody does TPRM. We all do like to send out these questionnaires. Questionnaires are awful, by the way, like at this point, you should just grab a startup that will fill it out for you using generative AI. They literally take your last answers and fill in your new questionnaire with them.

Don’t waste time filling them out. Ask 10 questions. And like, number one question is going to be, do we need to give your app administrative access and to what? Because how many people really knew that Orion had root access to everything? Like, most CISOs did not know SolarWinds existed prior to its breach.

That’s the real problem.

[David Spark] Okay. How much access you’re giving? But then there’s a lot of other things like APIs going on here, and maybe that falls under the same umbrella.

[Andy Ellis] Same umbrella, a lot of other problems, but we are giving administrative access to distributed tools to lots of systems. We talk about zero trust and what zero trust has come to mean is, well, I don’t want to trust you, but you should trust me because I’m the admin and we need to get out of that world.

That’s SolarWinds: eliminating distributed admin privileges.

[David Spark] Okay, so I’m throwing this to you, Jay. Andy is very anti-SBOM. Most of the other part of the industry is not anti-SBOM, but he believes it’s a lot of snake oil that’s going on. A pretty harsh remark. Same as his attitude towards time travel. I don’t know if he wants to murder anyone who uses an SBOM, though.

Do you, Andy? No?

[Andy Ellis] No, no, no, I don’t.

[David Spark] You’re more gentler.

[Andy Ellis] I think they’re just, I think they’re doing it to themselves very slowly.

[David Spark] A gentler touch. All right, Jay, I’m taking this to you. Where do you fall in this debate?

[Jay Trinckes] So I’d like to go back a little bit where you said it was required for acceptance of the job, right?

[David Spark] That’s come up. That is definitely come up, right?

[Jay Trinckes] If it’s a requirement, then why isn’t it followed up on, right? So if you’re saying you need to have this SBOM in there, then who’s doing the followup and whether, and I’m kind of going to be in the middle on this neutral kind of side of it. I understand where Andy’s coming from on the SBOMs, but I’m kind of looking at it from that compliance perspective, right?

So if you say you need to have it, why isn’t it there? Right? And if there is no enforcement, there is no compliance, right? You allow what you accept, and I think that’s really coming down to that problem with that third party, right? They’re not following up with this stuff. They’re just taking an “alright.”

Yeah, you fill out that questionnaire You got AI to fill out the questionnaire, but what other validation are you doing to make sure that? They are doing what they’re supposed to be doing. I know the FDA just came out. They’re making it a requirement for response. I kind of see it as a fact of, well, if you don’t know where your data is at, right, and it’s similar.

If you don’t know where your data is at, you can’t protect your data. So if you don’t know what applications and what’s making up the libraries in your application, you know, I think you’re going to have a harder time. And I think that’s what you found in SolarWinds, right? Someone injected something, didn’t know what they had in their system, and now you have a problem.

Does shaming improve security? 

[David Spark] Credential stuffing attacks put companies in a tricky spot. An organization can tell people to change their password and use unique ones until they are blue in the face. But if reused credentials are used to access your systems, victims often don’t see that nuance.

Of course, it doesn’t help when a company like 23andMe uses wording like, quote, “users negligently recycled and failed to update their passwords in legal filings”, which sounds like throwing victims under the bus, which kind of clearly sounded like they did.

So obviously, organizations need to balance potential reputation damage from either the perception of being hacked or victim blaming. So what kind of reasonable expectations can companies have about how much their users will protect themselves? Because there’s a lot of attitude of, no, you have to protect me 100%.

Like, there’s one point where it’s like, there’s just so much I can do. So what’s expected of the users?

[Jay Trinckes] If you’re leaving security up to the users, in my opinion, it’s, that’s going to be a bad practice, right? If you’re making your systems to where you have to rely on the users to have their safe and eight character passwords and all this other stuff, you really aren’t doing your, yourself any favors on that.

[David Spark] But, but don’t they own some level of responsibility? That’s my question. It’s any, I’m going to go to Andy. Andy’s shaking his head. Nope. Users none whatsoever.

[Andy Ellis] No, this is, this is not their responsibility. This is a bad system design. In fact, let’s, let me go really far and say 23andMe should not use passwords at all.

Either, accept another source of truth, Google auth, AD auth, whatever you want, let people link it to their Apple ID, to whatever it is, or force people to just re login using an email based link. If you’re going to let me reset my password by email, then don’t have a password at all, and when I want to log in, you send me email, or you send me a text message, and I click it.

Because, and before all the listeners say, but Andy, that’s not secure, the answer is, because I can always reset a password using that mechanism. Then I already have that security hole. Let’s take out the reused password security hole instead.

[David Spark] What’s your attitude here?

[Jay Trinckes] No, I agree with Andy on that. I mean, if companies you’re supposed to do better, take security seriously, you aren’t protecting yourselves.

What makes you think users are going to protect themselves when it comes to this, especially in the design that you currently have? So I mean, don’t get me started with, well, we had a breach, but we’ll give you free credit reporting to help you mitigate the risks. Guess what? I just got my Mr. Cooper data breach notification the other day.

So, hey, private right of actions, companies have to take a higher standard when it comes to securing their products, securing their services, and you can’t rely on users to do it.

[David Spark] So part of your product is making sure all users are secured, that the user does not hold responsibility on this. Am I putting words in your mouth, Jay or Andy?

That’s how you feel.

[Andy Ellis] And by the way, when I say no, that’s yes, I agree with David.

[David Spark] Before I go any further, I do want to talk about our absolutely awesome and brand new sponsor Thoropass. So most InfoSec compliance journeys take months to complete, and that’s a lot of employee time and company resources to devote to something that needs to be renewed each year. Is there a way to get the job done faster while still feeling confident that it will be done the right way? Thoropass can save your company time and money by completing audits in, listen to this, a fraction of the time without sacrificing confidence in your controls. Thoropass’s powerful automation technology can get your team started and up to 90 percent complete within days, while their in-house experts and auditors can make sure that your systems are safe and long lasting in no time.

Now, find out why more companies are using Thoropass to get and stay compliant in a fraction of the time they used to devote to traditional audits. Audits are a time-consuming task. These guys have done it again and again and again, and so they’ve refined their system. So, save time and money without sacrificing confidence.

That’s a combination you want. We all want. Jeez. So, go to their site. Thoropass.com to discover how they fix audits.

It’s time to play what’s worse.

[David Spark] Alright, Jay, you know how this game is played, correct?

[Jay Trinckes] Yeah, I’m scared.

[David Spark] Don’t be scared. Two awful suggestions. It’s going to come from an anonymous user. This person did not want to use their name.

[Andy Ellis] Is it a new anonymous person or is this Osman Young?

[David Spark] It is not Osman Young. No, this is not.

This is a new “Anonymous.” They actually sent me like nine different “What’s Worse?” pairs.

[Andy Ellis] Awesome. So, are we starting with the best one or the easiest one?

[David Spark] I, first of all, I try not to give you easiest ones. Every now and then I make a mistake and give an easy one. I try not to.

[Andy Ellis] I always love when you do that.

[David Spark] Yeah. And I’m like, ah, like I blew it again, you know?

All right, here we go. Reducing your risk of data loss through third-party AI tools by blocking commonly used applications and web extensions without any advance communication. So you just start blocking things for the business and you don’t tell them you’ve done it.

[Andy Ellis] Okay. It’s stupid. Don’t ever do that. By the way, if you’re, if you’re a listener and you think this is at all a reasonable idea, it’s almost certainly not.

[David Spark] Okay. It’s stupid. All right. And so no advance communication, no organizational change management at all. Or the other option is, thinking that they were blocked for six months, but they weren’t.

[Andy Ellis] Oh, the first one is still worse. This is, this one is easy. Because the second one, instead of doing something career limiting, stupid and dumb, you failed at doing it and you did not get in the way of the rest of the business for six months.

[David Spark] But you thought you had protections that you didn’t have.

[Andy Ellis] You didn’t have the protections. If you went and said, oh, I’m going to block ChatGPT. So I’m going to block OpenAI, and I do it in all the best ways.

[David Spark] But that means you weren’t scanning that.

[Andy Ellis] What it means is that somebody goes in and says, Oh, look, I can’t get to OpenAI. So let me go to my personal browser on my personal laptop and take company data and hand it to OpenAI.

And now you have no visibility into what’s going on. You’re using a private account and you’re totally screwed.

[David Spark] But in the first case, you don’t have visibility either because you probably weren’t scanning it. Right. Because you thought it was all blocked.

[Andy Ellis] So you’ve got no visibility in either case. In the first case, you have a career limiting move.

And in the second one, you don’t. So I’m going to go with the first one is worse. It’s like straight up easy. Like I pissed off the business or I didn’t piss off the business. And in neither case, did I actually get meaningful security?

[Jay Trinckes] Well, unless you throw back that, hey, we’ve got policies and procedures, you’re supposed to go through us in the first place and you didn’t.

So now this is going to come back on you. So you may or may not even know that they have any complaints, and they just might go ahead and wipe that up.

[Andy Ellis] Yeah. As soon as you do step number one, the whole business is going to figure out like how to work around you. So you never know what’s going on in the business.

Like your, your whole security program just got thrown in the dumpster.

[David Spark] But hold on, let’s say I’m throwing this out. Scenario number two, you thought you did it for six months. You didn’t. That means also if you thought you did it and the business didn’t respond, you’re thinking, oh, the business thinks it’s great that we’re blocking things.

So you think it’s quite the opposite of a career limiting move. They’re totally cool with it. So that’s how you’re operating too in scenario number two.

[Andy Ellis] Right, so in scenario number two though, at least you’re incompetent at career limiting moves. Like, if your argument is, like, this is worse because you’re incompetent at the career limiting move.

No, no, no.

[David Spark] Like, you think that they’re cool with it.

[Andy Ellis] We’re not allowed to have second-order effects, David. You’ve made that rule.

[David Spark] The second-order effects, that’s how, that’s how the trickle-down effect, all these things have trickle-down effects. All right, Jay. I want one here. Where do you stand on this?

[Jay Trinckes] Actually, I would think that the second one, I’m standing on the second one is worse.

[David Spark] Okay, why is it worse?

[Jay Trinckes] Because I actually put in the first one and it isn’t bad, and I’ve taken the risk that, hey, number one, my business information shouldn’t be on your personal computers in the first place.

And if it is, and I’ve got other issues on that standpoint, I’m not saying it probably isn’t, but it might be, but my DNS filters and my, my filtering systems are pretty good about picking up AI.

If I block that, I’m generally going to get within a day or two. Hey, I’m using this computer for that. Well, then, you know what? Put in a vendor request that we can review at that point, or you’re telling on yourself that you’re doing stuff you’re not supposed to be doing. And now I’m looking out extra hard on you because you’re doing things that you’re not supposed to be doing.

[David Spark] Andy, what do you say to Jay? Jay makes a good argument here. Jay has a lot of confidence. What do you think, Andy?

[Andy Ellis] No, I think that I can see people trying to run their security organization that way. And I’ve known people who’ve done it. And the challenge is the company works around them. You have just demonstrated that you are not a partner to the business.

You’re not interested in helping the business do anything. That you, as the CISO, just decided nobody gets to use generative AI. You didn’t talk to the CMO who’s using it, you didn’t talk to sales support who’s using it, you didn’t talk to the engineering team who’s using it. You just decided you’re blocking it.

Why is anybody ever going to want to partner with you? That was key to this thing was you decided to do it and rolled it out with no talking to anybody.

[Jay Trinckes] Well, the other part of that though is we’ve already got policies and procedures set up prior to that. But who wrote those policies? Oh, those, those have been approved by multiple stakeholders within the organization.

[Andy Ellis] And you enforce this on like everybody in marketing who’s signing up with like 50 SaaS apps every month? Because most people aren’t doing that.

[Jay Trinckes] Well, yeah. It’s actually been working.

[David Spark] Here’s the thing. I don’t think it’s that career limiting. And here’s my argument on it. First of all, if all of a sudden the business goes, hey, you just blocked open AI.

Unblock it. They’re not going to say you’re fired. They’re just going to say unblock it. That’s, you know, it’s like you unplugged the computer, plug it back in.

[Andy Ellis] You haven’t been in that room, have you, David? So I can tell you the story. I won’t tell you who it was, but it was a bank in Canada. So I’m delivering it to seven people.

Canada was doing very well in the World Junior Hockey Championships. And so everybody’s live streaming it. And this, this CISO was like, my network is being hammered. And without telling anybody, just goes in and says, oh, I see what the problem is. It’s Akamai, because that’s what we were streaming it.

So, just blocked Akamai.

Ouch. Now, you would think that they would get in trouble. For all the other downside effects, like you can’t get software updates, no antivirus downs, all this stuff. No, no, no. The next day, the CISO is called into the CEO’s office. And the opening words are, are you a traitor to your country?

[David Spark] Oh my God.

[Andy Ellis] Blocking hockey from Canadians. Really? So. All I want to say is, be very careful about, like, who you impact when you make a security change like that. Because you hit the CEO, and you surprise them, everybody’s going to be having a real bad month.

[David Spark] Alright. I still think Jay wins.

[Andy Ellis] Well, you win, David, because we disagreed. That’s your whole goal, is to get us to disagree.

[David Spark] Well, it wasn’t so easy. Jay.

[Andy Ellis] I still think it was easy, I just don’t agree with Jay.

[David Spark] That can also be true.

[Jay Trinckes] Within reason. Within reason.

Please, enough. No, more.

[David Spark] So today’s topic is a big one. It’s a granddaddy, but we’re going to try to sort of narrow down to some specific issues. And I’m going to say it’s, it’s just compliance, which is a very large category, but it’s a whole industry. So, Andy, I’ll start with you. You don’t have to boil the ocean here, just pick some elements.

What have you heard enough about with compliance issues, dealing with compliance, audits, and what would you like to hear a lot more?

[Andy Ellis] So, I’m really tired of listening to people talk about the processes that support security controls. I don’t mean the compliance work, I mean the actual controls you’re trying to measure.

I’m really tired of hearing them talk about them as transactions. Right? We say, oh, we make sure that there’s a second approval on changes. But all that that is, is you go look at the change and see, did an engineering manager check the box? Like, this is not how process control works. Process control works by saying things like, we have a control that says until an engineering manager checks the box, this software cannot be released.

And our compliance program is just validating that all of the safety controls work. I don’t want the safety controls to be, oh, some human operator is supposed to go look and see if that was there. If it isn’t there, it doesn’t move forward. We need to think about process controls like trains, not like train stations, right?

A train station doesn’t care what happens to the train after it leaves the station. But the train operator does. Like if you get shunted onto a sidetrack, the train station’s like, yeah, not my problem, but the train operator has a problem. So we need to focus on the trains that are moving somewhere rather than the transactions of where they stopped along the way.

[David Spark] Very good point. All right. Now I throw this to you, Jay, and this is in your wheelhouse and Thoropass’s wheelhouse. So, uh, because you are the director of compliance too. So I’m asking you to boil the ocean with your own job for that matter. Let’s start with what you’ve heard enough about with regards to compliance and what would you like to hear a lot more?

[Jay Trinckes] Yeah, so I, I constantly hear about there’s just too much compliance, right? Too much regulation, right?

[David Spark] We hear that everywhere, yeah.

[Jay Trinckes] Unfortunately, it’s come down to the point sometimes where organizations haven’t really policed themselves, right? And so to try to do right by the customers, you may not have needed some of these regulations that have gone out there, some of these compliance aspects, right?

If you could build the trust within yourself, but I think when organizations don’t take due care and complaints start happening, you know, the regulators have to come down, the organizations have to build out these third party risk management, give you this four hundred security questionnaire to try to show that, hey, you’ve, you do what you’re supposed to say you’re supposed to be doing, and it creates a lot of work, right?

I mean, I think we’re under about seven or eight different compliance frameworks. We call them frameworks, and all of those things that we’re trying to do. We make it a little bit easier by trying to standardize. But on the same instance, right? We always have to worry about what Andy was talking about with the processes, right?

What kind of processes do we need to put in place? Policies and those types of things are generally kind of easy, but how do we actually put it into action? Put it into implementation and get those things going. That’s where some of the automation helps, right?

[David Spark] Let me ask you a follow up on that because you keep hearing this phrase of people, process, and technology.

And it goes, we talk a lot about the technology, but we don’t talk enough about the people. But I’m like, what are you talking about? We don’t talk much about the process. That’s what we don’t talk about. And I’m intrigued, like, what are some common process mistakes that you are seeing? Because this, I’m, I’m assuming is kind of your, your bailiwick is improving process issues. What is the common process problem you’re seeing? Or maybe one that people just aren’t aware of, the, oh my God, this is really a big issue, and most of you just don’t deal with this.

[Jay Trinckes] One of the biggest ones I’m having right now is basically this access review, right? And we’re, we’re rather small company.

We’re not very large, but we’ve got like 300 different applications and they’re all based applications, right? And we have individuals utilizing it for this and have admin rights for that. They leave that access is still there, right? How do we manage all of that? How do we get vendor reviews on that?

How do we make sure that they’re not using AI where they’re not supposed to be using AI? I think, again, one of my biggest things is that access review, making sure that process is in place, kind of controlling that access.

Data loss protection and so on in there, but it is a process and it’s how we did the procurement. How do we get finance on board? How do we talk to the different stakeholders that we just mentioned, right? To make sure that they’re using it in a responsible manner and then being able to go back and actually review it and monitor it and maintain it.

And so on. So big process, just in access reviews.

[David Spark] When you talk to your customers, where do you find they need the greatest help in essential, the entire approach? Cause I, one of the, the pitches that Thoropass makes is like wherever you are in your compliance journey, like we can help you, what’s the most common issue.

[Jay Trinckes] They just don’t know what they just don’t know. And sometimes you need that expert there to help guide them: Hey, this is your industry, this is what you need to be concerned with. We have a lot of startups that come up, and they just don’t know what they just don’t know. And so guiding them into that area, being able to have them move up market, right, with these compliance certifications.

So SOC 2 Type 2, ISO certification, HITRUST certification, some of these other ones that we work on. They’re trying to sell into bigger companies, but they don’t know how to do that. They don’t have the compliance or information security management program, privacy information management program, quality management system, all those things in place that they might need to be able to build that trust to move up.

And that’s where we come in and help them.

[David Spark] Andy, can I ask you a question? It sounds like what Jay’s saying is that working with a compliance expert, and I don’t know how much you’ve done this yourself, kind of sounds like working with an accountant or a lawyer. Like, I don’t know all the accounting laws or the lawyer’s, you know, legal issues.

Yes.

[Andy Ellis] Absolutely. Like, there are two different ways you look at it. There’s the specific expertise of, like, this standard requires you to do X, right? And that’s the piece that you actually don’t use that often, but it’s critical you have it handy when it comes up. But what it really is, and lawyers hate when I say this, like 90 percent of what a lawyer does for you is they’re a clerk.

They make sure words are written down correctly using great language. Like, my favorite thing is “best effort.” How often have you heard somebody say, “Oh, we’ll work on that, best effort”? Legally, in a contract, best effort means something very different from what you think it means, which is commercially reasonable effort.

Like, “yeah, of course, I’ll try to do this, but if I don’t get to it, that’s okay” is the plain English, but that’s not the legal definition. And so that’s what a compliance expert does for you: make sure that when you say, “Oh, we have a control that does X,” they’re like, “Well, those words don’t mean what you think they mean.”

Like, let’s figure out how to set this up correctly, how to make this scale. And it’s not work that people really value until they see how it works. It was like, “Oh, I can just check a box. This is no big deal.” No, there are a lot of details that go into getting it right.

[David Spark] Jay, that reminds me. I remember going to a lawyer, and I had to write a contract thing, and I knew I wasn’t writing it correctly, but I knew I had to put the information in there as a draft for them to then write it correctly.

So it was like, here it is. My attitude was like, I handed it to him, and it was like, okay, tear it apart. Do you kind of have that relationship, where they’re like, “This is my best effort to you, Jay, now tell me what I need to fix” kind of a thing? Is that kind of the relationship?

[Jay Trinckes] Yeah, it could work both ways.

We can get someone in fresh that doesn’t have any clue, and then we can lead them and build that framework up for them. Or if they’ve already come in with some of those things, right, direct them and guide them into making sure that those words are correct, right? And making sure that they’re doing what they’re supposed to be doing from a compliance perspective.

[David Spark] I’ll let you close this out. For someone to succeed working with Thoropass, or working and succeeding in compliance in general, what’s the best way for them to come to the table?

[Jay Trinckes] Have an open mind, understand their products, understand their services, whatever they’re offering, so that we can make sure that their scope is correct, right?

Making sure that the expectations are set appropriately, and they have some objective or goal that they’re going to meet. If it means, “Hey, we want to move up market, we want this customer, we need to get this certain compliance certification because we want this business,” make it a competitive advantage, understanding that entire holistic view of how your compliance efforts help the business efforts.

How can we secure new technology without creating new risks? 

[David Spark] Late in 2023, the EU Council and Parliament came to an agreement on the bloc’s AI Act. Now, it’s Europe, so there’s still a healthy dose of bureaucracy before it becomes law, but it’s now a question of when. This marks the biggest swing to regulate this emerging industry.

The AI Act will apply to so-called, quote, “foundation models,” essentially large, versatile LLMs, or large language models. Essentially, the Act attempts to set out transparency rules for high-impact AI models while setting out banned AI applications, things like social scoring systems, mass facial recognition, or circumventing free will.

The Act also sets out rules for authorizing and monitoring high-risk AI systems. But Andy, are we too early in the game to really understand what constitutes a high-risk AI? I mean, it seems confusing to everyone. Do we risk conflating the model size with risk in this approach? It seems maybe misguided, but the intention is good.

What do you think?

[Andy Ellis] Well, so I never trust the EU Council and Parliament. Let me just start with that. That’s my general bias. You know, I love “circumventing free will,” excuse me. Isn’t that what governments are basically doing? That’s what laws are. But like, think about it, you could stretch that, and we’ll see what the proof in the pudding will be.

But when you think about circumventing free will, isn’t that what advertising is sort of aiming to do? To say, well, if you actually knew the whole deal, you wouldn’t buy this, but we’re not going to tell you everything because we want you to buy it. So what’s different if the AI is doing it versus a marketer?

And I think there are going to be a lot of questions here, which is, are we really complaining that it can be done at scale now? And so we’re putting in place ways to stop you from doing things at scale. Like, social scoring is a problem, but let’s note that China had social scoring long before there were your large foundational models, because they did it manually, because they had the people to do it.

I oppose social scoring, just to be very clear, although I think we’re sort of stuck with it at this point anyway. So I don’t think it’s really a question of the size. I just wonder, are we attacking things that we already do today just because they’re done by AI?

[David Spark] Oh, good point. So are we just attacking it for the sake that it’s AI, Jay?

Or does something need to be regulated?

[Jay Trinckes] Well, I’m not going to cut down the EU. I commend them for trying to take some proper steps into trying to control this AI. I mean, the U.S., we still haven’t even gotten federal privacy regulations. So I mean, you know, how far behind are we in that part of it?

But I think there has to be some sort of framework set up for AI. You know, where’s this going to go? I think it’s going to be an iterative process. I don’t think we’re probably going to get it right the first time. There are going to be new AIs that come out, new technology that comes out. We don’t even know what we don’t know at this point about AI, right?

[David Spark] But do you think it’s like just going after the large language models, that the size of the model is equated with risk? I don’t even know if there’s any kind of correlation you can build there.

[Jay Trinckes] Yeah, I don’t think so. I mean, if you’ve got an AI model that’s looking at MRIs looking for cancer, right, and they don’t pick up a cancer or some other disease or something like that and made a diagnosis on it.

To me, that’s a high risk, but that model is probably not very large, right? So I don’t think that really correlates, right, from that standpoint. But on the same instance, right, I mean, I think everybody kind of wants to get their hands out. The New York Times is suing OpenAI, right, because of copyright infringement, right?

[David Spark] Right. And there are a lot of concerns around it. I mean, my main concern is just the ease of faking things and the ease of putting out misinformation. And how much can you control or regulate that? It just seems difficult to impossible. Andy?

[Andy Ellis] Well, I mean, it’s always been easy to put out misinformation.

[David Spark] Right.

But when it becomes easier and more and more people can get fooled, it’s amazing.

[Andy Ellis] And maybe we can educate on it. But when governments say we want to be in the business of regulating misinformation, we should remember that the biggest purveyors of misinformation are almost always governments. And so it’s really they’re trying to regulate their competition out of business.

Sorry, you know, a couple of rants are going to come out there. So here they come. My issue with the New York Times lawsuit is that it’s going to be very interesting, because in a sense, training your model on published material should fall within fair use. The problem is the models don’t have a great way to say, “Don’t reproduce the copyrighted material.”

Like, we train ourselves on copyrighted material all the time, and then we do novel new creations based on all the things we’ve learned. And sometimes we might accidentally point a phrase or two, but if you’re a university president, you get fired if you, you know, copy.

[David Spark] But the question is, at what point does it become plagiarism, for that matter?

[Andy Ellis] Right. That’s the problem, which is the LLMs don’t understand plagiarism. But honestly, apparently humans don’t either, since there seems to be a crisis of plagiarism among universities.

[Jay Trinckes] And they don’t have that linkage, right? They don’t have the source. They can’t put it back. Where did we get this information from?

You’re looking at the probability of the next word being this word, right? And that’s kind of generally what they’re looking at. And it makes kind of sense. It sounds good. But is it really true?

[David Spark] So I’m disappointed in both of you not being able to solve this problem in the five minutes that we allotted for it.

[Andy Ellis] I know, it’s really tough. I guess I will drop down from being one of the top six hosts on the CISO Series to one of the top seven hosts, to push everyone up.

[David Spark] But everything else, you knocked it out of the park. So thank you very much. Jay, you were awesome. I’m going to let you have the very last word on this.

I do want to thank your company Thoropass for being an awesome sponsor. Remember, go to their website, Thoropass.com, check it out. Thank you, Andy, as always for being awesome on the microphone.

And Jay, we loved having you on the show. Any last call-out for the audience in terms of, like, offers, getting connected with you, more about Thoropass? Let us know.

[Jay Trinckes] Yeah, sure. Thank you, David and Andy for your time today. I had a good discussion. This was a lot of fun. So if your audience ever needs any help, again, you’ve got our website, reach out to us.

We’ve got experts on standby to help you out. I’m always out there on the internet somewhere you can track me down. So thanks again.

[David Spark] Awesome. Thank you so much. And thank you, audience. We greatly, greatly appreciate your contributions and listening to the CISO Series podcast. 

[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows, Super Cyber Friday, our virtual meetup, and Cyber Security Headlines: Week in Review. This show thrives on your input. Go to the participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at david@ciso-dev.davidspark.dcgws.com. Thank you for listening to the CISO Series Podcast.

  • TAGS
  • account takeover
  • Andy Ellis
  • credential stuffing
  • David Spark
  • Thoropass
  • user behavior
David Spark
David Spark is the founder of CISO Series where he produces and co-hosts many of the shows. Spark is a veteran tech journalist having appeared in dozens of media outlets for almost three decades.

© 2024 CISO Series