The capabilities of generative AI systems are impressive, but we need to be realistic about constraints. This applies to the limits of the systems themselves, but also to our ability as humans to spot them. So how do we take advantage of these new capabilities with getting taken for a ride along the way?
This week’s episode is hosted by me, David Spark (@dspark), producer of CISO Series and Andy Ellis (@csoandy), partner, YL Ventures. Joining us is our sponsored guest, Sam Curry, global vp, CISO at Zscaler. This episode was recorded at a Zscaler event in Boston, MA.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Zscaler
Full Transcript
Intro:
0:00.000
[Voiceover] Biggest mistake I ever made in security. Go!
[Sam Curry] One of three things. Is it I deleted 40 million copies of Word once, I deleted McAfee antivirus on all instances of NT351 and 4.0, or I deleted 7 million credit card numbers? I’ll let you decide.
[Voiceover] You’re listening to CISO Series Podcast, recorded in front of a live audience in Boston.
[Applause]
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I’m the producer of the CISO Series. And to my very far left over there, that is Andy Ellis, who is one of the partners of YL Ventures. Let’s hear it for Andy.
[Applause]
[David Spark] We are available at CISOseries.com. And where we are right now, we’re in Boston, Massachusetts, doing a live show with our wonderful sponsor Zscaler. Remember, Zscaler enhances zero trust with AI and comprehensive insights to power more secure, efficient digital transformation. We will be talking about that a little bit later in the show, but let’s hear it for Zscaler for making this event happen. I appreciate that.
[Applause]
[David Spark] And actually, normally I bring in the guest a little bit later, but I’m going to bring you in now because we’re going to talk a little bit about the fact we’re in Boston. Also sitting to immediate left right here is our sponsor guest, who is the global VP CISO for Zscaler, Sam Curry. Let’s hear it for Sam.
[Applause]
[Sam Curry] Thanks for having me. All right. So, I am in my hometown. I grew up out here and I grew up specifically in Westwood. And many people might not know this, but Westwood was at one time referred to as the second Silicon Valley. Did anyone know this?
[Sam Curry] Only the people in Westwood, just to be very clear.
[David Spark] So, let me point out…
[Sam Curry] It was more 128.
[David Spark] It was 128, but it was the property lines of Westwood actually did poke out over.
[Sam Curry] So, it touched it is what you’re saying.
[David Spark] Yes, it touched. But it was one of those things where the quote…
[Andy Ellis] Because I think Brentwood is Beverly Hills adjacent.
[Sam Curry] That’s right.
[David Spark] Yeah. The second Silicon Valley was, not in any way to compare to the first Silicon Valley, it was extremely tiny. If you drove through it on 128 and you blinked, you missed it. Because it was, I think, only like four companies, I think Sybase and Digital were there. And I can’t remember who else.
[Andy Ellis] I don’t remember. This is before I moved to Boston.
[David Spark] This is late ’70s, early ’80s too. But, Andy, you can speak to why Boston is a tech hub now. It’s really Kendall Square, yes?
[Andy Ellis] Really, I think the center on Kendall Square is a huge piece. And Waltham is where people who didn’t want to drive into Kendall Square, and they move out.
[Sam Curry] They move out. They move from the center and go out.
[Andy Ellis] Especially real estate in Kendall Square is ruinously expensive. But that’s where you see a lot of the big biotech firms and some of the really big tech companies, the FAANGs or the MANGAs or whatever we’re calling them these days.
[David Spark] Well, here’s the thing. I grew up… Westwood is a small town. And when I mention to people that I grew up there, everyone’s attitude is, “Oh, I can’t afford Westwood.” We were the local joke when I lived here, and it is definitely not the local joke anymore.
[Andy Ellis] I mean, Kendall Square was also a joke back then. It was an industrial park in need of nuking, and now it’s like this amazing high tech and very expensive place to live.
[Sam Curry] And we both work there.
[Andy Ellis] And we both work there.
Yippie, look what came into my inbox!
3:25.652
[David Spark] “You know when you’re really jet lagged and really tired and the cogs in your head are just moving that little bit too slow? That’s me right now.” And that’s actually a quote from Troy Hunt, who started out his blog post about getting phished for his Mailchimp subscriber list. And by the way, for those who don’t know Troy Hunt, he started the Have I Been Pawned site, and he’s quite an influencer on the side. So, he’s a savvy guy, but he had a moment of weakness. And that’s all it took for a highly automated scheme to grab the list. Now, to his credit, Hunt quickly published a very transparent account of how it happened. Now, this proves that even the best of security professionals can have moments of weakness. We heard about three right at the beginning of the show from Sam here.
[Sam Curry] That’s just stupid, though.
[David Spark] Those were just stupid. Okay.
[Andy Ellis] Those aren’t weak. Those are just bad ideas.
[Sam Curry] That’s right. Well, it was dumb. Anyway.
[David Spark] All right. Well, I’m going to go to Andy here. I want to know, are there some checks and balances we can create that even when we are in a weakened state mentally, like Troy was in this case, we can help defend ourselves against our own temporary poor judgment? Because even the smartest of us can make stupid mistakes.
[Andy Ellis] So, I’ve been thinking a lot about this lately as people talk about security awareness and whether it’s physical security. I do synagogue security. And so, we have a lot of conversations about how do you recognize the difference between a lost parishioner and somebody who actually means to do you harm, or on the corporate side, we think about information security. And I think the biggest challenge is we try to rely on observation, and I think about so much of security awareness training is trying to teach you how to notice. And what we should really be talking about is what to do. Like, I don’t care if you can spot the phish. I think you should have a plan for what are reasonable actions I will ever take, and what are the unreasonable actions I will take?
And I look at it this way, like I have to do Docusigns. I have to do a lot of Docusigns. I sit on a lot of boards. And like every quarter, there’s probably like three or four things that come across my inbox. I will tell you, in addition to those three or four things coming across my inbox I need to sign as a director, I have about 100 things pretending to be from Docusign. I can’t rely on my ability to detect. So, I have to rely on my ability to decide how I’m going to do things. Right? So, it’s like, I know that if I interact with a Docusign and it asks for credentials, something’s already gone wrong. Like, recognize the phish at that moment. Like I never will type in my credentials unless I was expecting to.
[David Spark] Well, directly off of an email too, when you’re clicking in an email.
[Andy Ellis] But like I know exactly the reasons why I would need to interact with my credentials. I have a tab open to a document I’ve been managing, and I go over to it, and it says, “Oh, like, you need to sign back in.” Great. If I open up a new tab and it asks me for credentials, to me, that’s an action I shouldn’t take. So, I’ve trained myself that that’s the moment where now I have to stop and think about it.
[David Spark] Okay. That’s a good example. Sam, I throw this to you. Again, we can be in weakened states, make stupid decisions. Are there sort of some sort of ways you sort of protect yourself even knowing you could do that?
[Sam Curry] Yeah. First of all, I love what Andy said there. The actions thing, that’s what should set off the little hairs on the back of your neck, but I’m reminded of all those, all those biases, the human biases that we all learn about, and we still fall for them. It’s human behavior. Ultimately, humans behave like humans. So, that’s why I like the advice in particular. But I think there’s more to unwrap in that. I don’t think we’re really taking enough to take self-care seriously and mental health in our industry. So, if you’re in that state, we have to teach people it’s okay to take a break and it’s okay not to be working under those conditions. Even then, it could have happened, and I think that’s super important.
[David Spark] Here’s the thing that I’ve done for myself. I don’t do anything financial late at night because I chronically make mistakes. If I have to do write a contract or deal with something financial, I’ll do it in the morning. That’s always my attitude.
[Andy Ellis] It’s a great model.
Let’s look under the hood.
7:44.885
[David Spark] All right. We’re going to talk about quantum computing, and I do not want people to run. All right? Stay where you are. Okay. Because we’re going to make it digestible, I promise. Andy’s going to help here in a second but let me set this up. What dangers would arise if malicious hackers gained access to a quantum computer? Now this question came up on the cybersecurity subreddit in the wake of Microsoft announcing its Majorana topological core chip. Commenters were quick to point out that the current state-of-the-art chips are still thousands of qubits away from being able to break traditional encryption. And last year, NIST released a set of quantum resistant encryption standards, although it’s unclear if any would survive contact with a quantum computer in the years to come.
But how easy would it be to completely break through most security systems? Not the current systems we have in them, I’m going to get into more of that. But I want to talk though about what is quantum computing because it confuses a lot of us. It confuses me. And we were talking about this earlier, Andy, and I likened it, and I said, is this kind of like a thousand monkeys in front of a thousand typewriters? And you said, no, that’s kind of version 1.0. We’re at version 7.0. So, explain.
[Andy Ellis] So, I think the easiest way to think about it is two different models I’m going to put in front of you. So, one is just how to think about the math involved, which is there’s a bunch of problems that are easy to check the answer, but hard to find the answer. And so, the simplest answer is prime factoring, is if you take a number that is a multiple of two primes, if I tell you what the two primes are, it’s really easy to do the math and be like, “Yep, that is in fact a multiple of those two prime numbers.” But if I only give you the answer and say, “Go find the two primes,” that’s hard to do. And so, these take what we call non-deterministic polynomial time. It takes polynomial time to check the answer, but it is undetermined whether you can do it, like, the first time, or you’re going to have to do it for a long period of time.
And so, what quantum computers do is solve problems like this much more quickly, and the best way I had it described to me, it’s like listening to a computer sing and it’s seeking harmony. And so, if we look at these row of people here and each one of them is a voice in a choir and we’re trying to produce the Ave Maria, we know what the Ave Maria sounds like, but we don’t know what each one of them is supposed to sing, but they start singing and they can hear each other. And at some point, they’ll reverse engineer the Ave Maria without ever having seen the notes. And the moment they do, we’re like, “Ah, you got the Ave Maria, great, write down what you just sang.” And so, now we know what each person is singing, and that gives us this hard to generate answer. Like, sitting here cold, if you said like, “Draw for every singer what they’re supposed to sing,” that’s a hard problem.
[David Spark] So, it’s this extraordinarily impressive rationalization model, I guess, is the way…
[Crosstalk 00:10:50]
[Andy Ellis] Yes. It’s sort of reversing, it’s saying, “We know what the answer has to look like. So, all of you self-arrange until you get to the right answer quickly.”
[David Spark] All right. Now, the question that came up in this subreddit, and I’m going to throw it to you here, Sam, is, it seems that our computing is a joke compared to that kind of model. So, like, how, like, just wasted would…
[Sam Curry] Well…
[David Spark] I mean, would we all be pwned if quantum computing hackers got ahold of it?
[Sam Curry] The short answer’s no, but there’d be a huge panic. There’s a few things you have to take into account. One is that simply programming on a quantum computer is non-trivial. It takes a whole different set of skills to do it. In fact, there’s a shortage of them here in this country. There’s a shortage of them throughout the world, by the way. So, if you want to have a job and have some job security, there’s actually fairly cheap courses for this online where you can learn it. They’re not easy, but you could learn how to do it. So, the first thing is it would take them some time to program it. And so, let’s say they found the best ones.
The second is it would have to have enough qubits to do the job. In other words, what Andy’s talking about is, I always used to say, it’s an easy problem to solve in one direction when you make keys. It’s a hard problem to solve in the other way when you try to go back and find out what the primes were. Because you want to go from the public half of an asymmetric key pair to the private half. And by the way, because of the way numbers work, you wind up needing really big keys to get strong encryption when you’re doing asymmetric encryption. So, asymmetric would immediately be at risk, and that is just because when you publish the public half, if they had enough qubits and they had the skills, they could start to back out and find private keys. And therefore, things start to look a little ugly for things like signing and being able to understand and decrypt messages.
Now, symmetric keys, it’s harder. They would have to have plain text samples, and they would have to brute force. And what Andy was talking about when he said it’s non-deterministic is you don’t know how many tries they have to go through, but it’s still a large number space. It’s a bigger number space for an equivalent length private key for symmetric keys.
So, that’s not immediately going to die. Now, is that a scary thing? Sure. But the thing people should be doing right now is they should be getting quantum ready. They should be doing inventories of where’s their crypto. And if you had to start from still and replace your libraries with quantum resilient algorithms that can withstand this type of calculation, you should make that an easier job than it is today. Because right now, let’s say you’re T-shirt sizing it, you’re an engineering department and it’s a triple X job, right? Triple XL.
So, bring it down, make it a large job, make it a medium job. And anything that you do touching crypto, you should know where that stuff is. In fact, there’s work happening right now to put quantum resilience into things like TLS and we’re only doing it now. Be wary, be leery of some FUD though. There’s a lot of that fear, uncertainty, and doubt out there.
[David Spark] [Laughter] All right.
[Andy Ellis] 2014 was actually really helpful for us because in 2014, we had Heartbleed and Poodle, and so crypto agility became a thing, and that was the first step towards quantum resilience.
[Sam Curry] I thought you were going to say since I left RSA in 2014.
[Andy Ellis] Well, that also made us a lot safer.
[David Spark] All right, quickly, Andy, I want to hear from you. Do you agree with Sam? Is it people are going to panic, but it’s not going to be a problem?
[Sam Curry] You can disagree.
[Andy Ellis] So, I think that people will panic…
[Sam Curry] Less of a problem.
[Andy Ellis] …and it will be a problem, but it will not be as big a problem as the people panicking are saying. So, I’m directionally aligned with Sam.
[Sam Curry] Yeah, actually, that’s actually a better way to say what I meant, yeah.
[Crosstalk 00:14:14]
[Sam Curry] It’s not the end of the world.
Sponsor – Zscaler
14:18.116
[David Spark] For those of you in this room, you know who our sponsor is. It’s wonderful Zscaler. And in fact, they’re on our screen right behind us. But let me tell you about Zscaler. So, undoubtedly, data security stands as the top concern when integrating AI applications in the workplace. We all know this. And in recent years, we’ve all witnessed alarming instances where sensitive or proprietary information was unintentionally exposed to external AI tools – by the way, we’re going to be talking more about this – and whether through input prompts or training data, all resulting in potentially damaging leaks.
Now, one of the most critical threats is shadow AI. We went through this before. The unchecked use of unsanctioned or unauthorized AI tools. These tools often lack robust data handling safeguards and fail to incorporate essential security measures. As a result, what employees share with these tools can create significant vulnerabilities, leaving organizations exposed to compliance violations, data breaches, and heightened security risks.
Now, Zscaler is the gold standard in securing enterprises against the evolving risks of AI-driven threats. By embedding AI-powered threat detection into a true zero-trust architecture, Zscaler eliminates attack surfaces and ensures uncompromising security across every interaction. Their zero-trust approach inspects all traffic in real time, using advanced AI, stops lateral movement natively, and protects sensitive data from being exposed to unauthorized entities. And with Zscaler, businesses can confidently unlock the potential of AI without compromising on security. So, stay secure, stay ahead with Zscaler, and go to their website, zscaler.com.
It’s time to play “What’s Worse?”
16:17.247
[David Spark] All right, for those of you, you’ve all listened to this show before, and you know how this game is played. What we have is we have two bad scenarios. These are submitted from our audience members, so thrilled that they send them in. I always make Andy answer first, and then you can agree or disagree. And I think you’re going to like this one, Andy, because it’s kind of a different take than we’ve done before.
[Andy Ellis] As long as it’s not another ranked choice one like the last one we did two weeks ago.
[David Spark] No, it’s not.
[Andy Ellis] Okay. Just making sure.
[David Spark] This one I will just say is different than any one we’ve ever done before.
[Andy Ellis] Okay. As long as we don’t have to take notes to get an answer.
[David Spark] It comes from a past guest we’ve had on many times.
[Sam Curry] You did a risk calculation…
[Crosstalk 00:17:04]
[Andy Ellis] We literally had to take notes to keep track.
[David Spark] Trust me, you don’t need to take notes for this one. Okay, this comes from TC Niedzialkowski, who’s the head of security and IT over at Opendoor. All right, here’s your situation. Andy answers first, you’re going to answer second, and then I’m going to the audience for applause to see what you like. All right. Scenario number one, your company has no engineers nor any ability to acquire competent engineering. None. And by the way, I’m going to say you’re a sizable business, you’re not like a small business.
[Andy Ellis] So, ChatGPT is my engineering team. Gotcha.
[David Spark] That’s the best you can do. Or… Well, ChatGPT may be the answer here. Or your company has no lawyers, nor any ability to acquire competent legal counsel. So, between those two, which one is worse?
[Andy Ellis] Not having lawyers.
[David Spark] Not having lawyers?
[Andy Ellis] Much as I hate lawyers. Sorry if there’s any lawyers in the room. But let’s just be clear, if you don’t have any lawyers, I question how you are validly incorporated in the location in which you’re doing business, how you’re correctly employing people. Like the amount of liability you’re going to expose to for not having any competent lawyer at all. Like, where are your articles of association? How are you dealing with who makes decisions and interacting with local governments? Like, you can’t exist as a corporation without a lawyer, let alone produce a product.
[David Spark] There are many businesses, and I did say this was a sizable business, but there are a considerable number of businesses that do not retain a lawyer.
[Crosstalk 00:18:33]
[Andy Ellis] I am a small business myself, and I have three separate lawyers, depending on what I need them for, that are all when I need a thing, I go get a thing from them. It’s all transactional. But I could not legally do business in the Commonwealth of Massachusetts.
[David Spark] You don’t have any engineers on Andy Ellis’ staff?
[Andy Ellis] No, just me.
[David Spark] Just you.
[Andy Ellis] And you could argue whether I count.
[David Spark] All right. All right. So, he says having no lawyers is far worse.
[Sam Curry] So, I’m going to agree with him. But originally, my initial gut reaction, if you’d asked me first, I would have said something different. I had some time to think about it while he was talking.
[David Spark] Hold it. What was your first gut reaction?
[Sam Curry] My first reaction was, “Oh, we’re going to be using ChatGPT for something. Can I use it for legal?”
[David Spark] Yes, you can.
[Andy Ellis] No.
[Sam Curry] No, no. Hang on.
[David Spark] Yes, you can ask legal questions.
[Sam Curry] Yeah, you can. However…
[David Spark] By the way, I’ve done it.
[Sam Curry] However, it won’t stand a shot in court standing up for you and dealing with torts and negotiations. I mean, are you going to park it there with a speaker?
[David Spark] Hold it. You’re doing, I’m just making arguments here, you’re doing business every day. You need engineers every day.
[Sam Curry] To a point.
[David Spark] You don’t need a lawyer every day.
[Andy Ellis] David…
[Crosstalk 00:19:40]
[Andy Ellis] …do me a favor. For a second, look behind you. What do you see up there?
[David Spark] Logos.
[Andy Ellis] Okay. I’m sure the Zscaler, that you have a mark…
[Crosstalk 00:19:49]
[David Spark] It says TM right next to it.
[Andy Ellis] That’s a registered mark.
[David Spark] Yes.
[Andy Ellis] Like…
[Sam Curry] The TM’s different from an R, but yeah.
[Andy Ellis] Yeah.
[Sam Curry] But I honestly was thinking, with engineering, ChatGPT can actually teach you that, so you wouldn’t be purchasing skills. I mean, you try to roll a product out, it might take you a bit longer, but you can also go into business not doing a technical thing.
[David Spark] Yes. Businesses can survive without a lawyer and an engineer.
[Sam Curry] They do that.
[Andy Ellis] Oh, absolutely.
[David Spark] It’s happened. You’re arguing that you can’t even be in business if you don’t have a lawyer.
[Andy Ellis] You can’t legally be in business without having had legal somewhere along the way.
[David Spark] Yes, first of all, there are all these tools out there that allow you to do your sort of self-legal help for those sort of DIY businesspeople.
[Andy Ellis] Uh-huh. And do you know what’s on the other end of that tool? Some lawyers that wrote those for you, and so you’re taking advantage of a lawyer.
[David Spark] Well, no. The argument is that you’re not getting any actual legal help here whatsoever.
[Andy Ellis] Sizable business, I don’t see how you function without having any lawyers at all. Not in this day and age. I would love this to not be true. Just to be very clear, this is not me arguing that this is a great state of the world, but it is the state of the world.
[Sam Curry] Can I give up marketing instead?
[David Spark] No.
[Laughter]
[Sam Curry] Sorry to marketing department.
What is Dave’s mom talking about?
21:11.186
[David Spark] All right. We played this game on our last live show in San Francisco, and we’re going to play it again.
[Andy Ellis] We did. And for those listening, David will make it sound like David’s mom is being made fun of with these, but I actually think this is a long con. I think David’s mom is making fun of us.
[David Spark] Yes. She’s making fun of the entire cybersecurity industry. She’s smart as a fox. She’s outwitting all of you here. So, I asked my mother to explain some cybersecurity terms, all right? I said the term, and she made her best effort to describe what it is. Surprise, surprise, my mother is not in cybersecurity. There was no other prompting I did at all, and all of her answers, I will admit, are varying degrees of wrong. Okay? So, some do have an element, and I’ll mention that, if there’s an element that is correct in it, but this is a reverse logic game. You all know these, everyone in this room knows these terms, but what you have to do is to try to figure out, like, if I didn’t know this, how would I describe it? I was thinking it’s also kind of like the game Balderdash in a way too as well.
[Andy Ellis] Yes.
[Sam Curry] Nice.
[David Spark] All right. Here we go. I’m going to play the first one. By the way, if they don’t get it right, I toss to the audience, see if you can figure it out.
[Sam Curry] It’s a hair item that keeps your hair in place in the wind.
[Andy Ellis] Keeps your hair in place.
[David Spark] So, I’ll just tell you, this is obviously 100% wrong.
[Andy Ellis] A hair item could be a net, a clip, a hair net.
[David Spark] Okay, you’re getting somewhere.
[Sam Curry] A botnet.
[Andy Ellis] Botnet, there we go.
[David Spark] Bingo! He gets it. Good job. All right. Very good.
[Sam Curry] Yes. Teamwork. Whoo.
[Andy Ellis] I’m trying to figure out like what’s the key word that might’ve come across in that phrase?
[Sam Curry] Net…
[Crosstalk 00:23:00]
[David Spark] Okay. A point for Sam right here. Okay. Here’s your next one.
[Sam Curry] Some people get information and they’re able to go further and the rest of us don’t know.
[David Spark] And I would say there’s some element of that’s correct.
[Andy Ellis] It almost sounds like insider…
[Sam Curry] Threat information or…
[Crosstalk 00:23:19]
[Andy Ellis] …threat feed or something like that.
[David Spark] No, no. Let me play it one more time.
[Sam Curry] Some people get information and they’re able to go further and the rest of us don’t know.
[Andy Ellis] And the rest of us don’t know. Like that’s an interesting phrasing there.
[Sam Curry] And the rest of us don’t know. Okay.
[Andy Ellis] We don’t know that they’re getting further ahead may be what it is. So, they’re going further because they have information. They’re going further. That’s the…
[Crosstalk 00:23:43]
[Sam Curry] Like testing? Penetration testing? Is it…
[David Spark] No.
[Sam Curry] No.
[David Spark] I’m going to throw this to the audience now.
[Andy Ellis] Let’s see if anybody…
[Crosstalk 00:23:49]
[David Spark] Yell it loud. We’ve got the microphone here. What do you think this is?
[Sam Curry] Software engineering?
[David Spark] Engineering? No, it’s not. What did someone say here?
[Sam Curry] Algorithm?
[David Spark] Algorithm. No, you’re further off than they are.
[Crosstalk 00:24:00]
[Laughter]
[David Spark] No, not inside.
[Sam Curry] Secrets management.
[David Spark] Secrets management, no.
[Andy Ellis] Ooh.
[David Spark] You’re all wrong.
[Andy Ellis] Secrets detection.
[David Spark] No, no. Here, I’m going to play it one more time and let you know.
[Sam Curry] Some people get information and they’re able to go further and the rest of us don’t know.
[David Spark] It’s privileged…
[Sam Curry] Access management.
[David Spark] Privileged escalation. Right there. You got it. Right. Very good. Very good.
[Sam Curry] Privilege escalation, not privilege…
[Crosstalk 00:24:24]
[Andy Ellis] Okay.
[Sam Curry] It was like pentesting.
[David Spark] All right.
[Recording] Oh, yes, sir!
[David Spark] Good job. I give that to you. All right. Here we go. Two more we have here. Listen.
[Sam Curry] Material was ordered and it’s not what we wanted.
[Sam Curry] Material was ordered. It’s not what we wanted.
[Andy Ellis] Sounds like a defect.
[Sam Curry] Provisioning.
[Andy Ellis] Software…
[Crosstalk 00:24:43]
[David Spark] Focus on the word ordered.
[Andy Ellis] Ordered.
[Sam Curry] Sorted…
[Andy Ellis] Supply chain security?
[Sam Curry] Trusted third party?
[David Spark] I’m going to give you that. It’s supply chain attack.
[Bell]
[David Spark] We’re going to give you that. Supply chain security, supply chain attack.
[Andy Ellis] Oh, ho, ho.
[Sam Curry] Oh, well done. Good job.
[Andy Ellis] That’s like two shows in a row, I’ve gotten at least one of them. These are my favorite game, and I usually suck at it.
[David Spark] All right. So, we’re all doing pretty well. So, we got an audience member got one. Actually, this is like last time.
[Andy Ellis] Same as last time.
[David Spark] Sam, you got one.
[Andy Ellis] Yeah.
[David Spark] Andy got one. Audience member got one. And I remember last time one stumped everybody. We’ll see if this one…
[Andy Ellis] Okay.
[David Spark] This one’s pretty tough, I’ll tell you. Listen. Listen to this one.
[Sam Curry] Older people can sometimes make really big boo-boos on the internet.
[Andy Ellis] Older people…
[Sam Curry] Phishing, is it? No.
[Andy Ellis] Older people.
[Sam Curry] Older people.
[Andy Ellis] So age…
[Sam Curry] It’s age dependent of some sort.
[Andy Ellis] Older people can sometimes make bigger mistakes. Bigger boo-boos.
[David Spark] Focus on the sort of maybe a term in cybersecurity that would denote older people.
[Andy Ellis] David… Ah.
[Laughter]
[Sam Curry] Like aging or…
[Andy Ellis] A parent.
[David Spark] Well, it’s one word I’m thinking of in particular, and that will kind of set it off for you.
[Andy Ellis] Oh, is this like grandfathering?
[David Spark] Oh, no, no. You’re going well with the grr.
[Andy Ellis] Great?
[David Spark] No.
[Sam Curry] Granular? No.
[David Spark] Anyone want to try this in the audience? Anyone have an idea? Let me play it one more time.
[Sam Curry] Older people can sometimes make really big boo-boos on the internet.
[David Spark] Anyone? This is going to be like last time. Nobody’s going to…
[Andy Ellis] [Inaudible 00:26:25] now.
[David Spark] It’s a…
[Sam Curry] Something maturity?
[David Spark] No.
[Recording] Aw!
[David Spark] Gray hat hacker.
[Sam Curry] Oh!
[David Spark] There you go.
[Sam Curry] Wow.
[David Spark] Yeah. I know it was a tough one.
[Laughter]
[David Spark] By the way…
[Andy Ellis] That term nobody uses anymore. Like…
[David Spark] I know. I told you it was a tough one. It was tough.
[Sam Curry] Yeah. There’s no such thing as gray…
[Crosstalk 00:26:45]
[David Spark] I do want to acknowledge…
[Sam Curry] It’s black hat.
[David Spark] I didn’t want to put her on the spot, but my mother is here in the audience.
[Sam Curry] Good job…
[Crosstalk 00:26:53]
[David Spark] She’s out there. Everyone’s appreciative of that. [Laughter]
[Laughter]
[David Spark] And she’s a good sport for putting up with this.
Please, enough! No, more!
27:01.503
[David Spark] All right. Today’s topic is generative AI. Because, of course, it is. It’s in every keynote, every product or upcoming roadmap, and apparently every pitch deck. Now, we’ve heard it’s going to revolutionize threat detection, automate red teaming, and maybe even write our board reports, but are we actually using it in meaningful ways to be more productive daily? We all have great one-off examples, but I don’t get the sense it’s changing the daily work-life experience. All right. Andy, a classic “Please, enough! No, more!” situation. What have you heard enough about when it comes to generative AI in cybersecurity, and what would you like to hear a lot more?
[Andy Ellis] So, I think the biggest challenge that I have is people who take organizational problems and think you can throw an LLM into an organizational problem and solve it. I think of patch management in this one. Why don’t people patch stuff? It is not because there isn’t an AI there. It’s because the organization disincentivizes patching things. Like, the AI can help in some places, like where there’s somebody who wants to, but doesn’t know what the first step is. And so, you can hand them an agent. That’s great. But let’s stop pretending that most security problems are technical problems. Most security problems are organizational problems that show up as a technical problem, and you can’t just solve that by throwing a badly designed LLM at it. You actually have to have a process orientation, which involves automation and people management, and yes, some LLM.
[David Spark] All right. I throw the same question to you.
[Crosstalk 00:28:43]
[Sam Curry] You’ve opened the box now.
[David Spark] What have you heard enough about? What would you like to hear a lot more with generative AI? In cyber, that is?
[Sam Curry] I’m tired of the word copilot. I’m tired of that. It appears everywhere.
[David Spark] It is sucking the oxygen out of the room.
[Sam Curry] I mean, everybody should be doing it, but it’s not noteworthy at this point. It’s that plateau of productivity, right? But what bothers me is there’s a lot of other uses and applications that aren’t being used or developed, there’s not enough diverse innovation happening with it, and on top of that, there’s a lot of leaky abstraction happening, meaning when people don’t actually understand how these things work under the hood, then we sort of tend to a mean in defense. And when we have an intelligent opponent, any form of automation becomes a predictable weakness, and that really worries me. So, we’re going to get over-learning in the machines, and we’re going to get over-learning in the people that operate them. And what I’d really like to see is a SecDevOps revolution, like the DevOps revolution. I’d like to see people who are actually operating in security able to get – Daniel Miessler calls it a yellow team, right? And that’s people who build tools for red teams and blue teams. And I don’t mean vendors. I mean actually engineers. I’d like to see them actually use them to make more efficient tools in shorter periods of time. That would be cool.
[David Spark] Mm-hmm.
[Sam Curry] But when the opponent can actually know what you’re going to do and how it’s going to affect your operations and your team and your administrative controls and everything else, then they can start to plan on that and use it to their advantage. I did a presentation in 2019 called Mirror Chess and about how to avoid some of those problems with automation – it’s actually on the web if you want to look it up – with a guy named David Berliner. This is a problem, and it bothers me. I’ll give you an example just in the thought leadership domain. I actually asked ChatGPT. I said, “I want to do a thought leadership piece on OT and IoT, and I don’t want it to be on the standard things people talk about. I’d like it on these four things,” and I wrote about those four things. I said, “Generate it for me, please. Give me 600 words.” It wrote about the things that I told it not to because none of those ideas were in the mainstream.
[David Spark] Oh.
[Andy Ellis] Yes.
[David Spark] By the way, that is a major problem with these AI tools is the second you say, “Write me something, but do not include elephants,” you’ll get a boatload of elephants.
[Sam Curry] Everything’s elephants.
[David Spark] Right.
[Sam Curry] So, then I kind of realized that. So, I asked it, “Okay, I’m not going to mention the elephants. Tell me about zebras.” It still talked about elephants. So, I got a completely different instance, did the same thing, still talked about elephants. And so, imagine if you’ve got this copilot and you’re like, “Show me what I need to be concerned about,” and it says, “Well, you like these things. I’m going to keep bringing them to you.”
[Andy Ellis] Right.
[David Spark] I’ve actually used it for a little legal help, actually. I wrote a contract. I said, “Look at this and tell me what I’m missing,” and it gave me some great tips.
[Andy Ellis] Oh, LLMs are great for that.
[David Spark] Yes.
[Andy Ellis] Because think about what an LLM does is it says, “The mass of humanity has approached this problem and has come out with an answer that looks like X.” Contracts are perfect for this. Like, what is standard indemnity language? You’ll get that.
[David Spark] Yes.
[Andy Ellis] Like, go do something creative nobody else has done before.
[Sam Curry] There’s two types of chaos. The first order of chaos is no intelligence opposing you, right? Nature’s the enemy. And the second order of chaos where there’s an intelligent opponent. Writing a contract is first order chaos.
[Andy Ellis] Right.
[Sam Curry] Going to court is second order chaos, right? So, use ChatGPT if you want to go and make those standard contracts because the body of knowledge exists.
[Andy Ellis] Yep.
[Sam Curry] But if you’ve got to go to court and you’ve got to actually stand up and have your day in court, you probably need another intelligence on your side.
Why has this topic suddenly become the center of attention?
32:14.212
[David Spark] Our listeners say they listen to this show to learn more about cybersecurity. Well, this segment is not going to help with that.
[Andy Ellis] At least we admit it about this segment.
[David Spark] Yes. Hold on. You’re going to like this one. So, on the cybersecurity subreddit, redditors shared their least valuable cyber knowledge. There were complaints about hardware-specific education since most of it gets outsourced or falls under IT. Others complained about dated or useless models and frameworks such as the Biba and Clark-Wilson models of cybersecurity or Six Sigma and Agile. Others claim vendor risk management was a waste as were certain CISSP requirements like cryptography and physical security domains. I’m going to start with you, Sam. What’s some of the least valuable knowledge you’ve got rolling around in your brain and it will not get out?
[Sam Curry] Some of that’s up there. I mean, some of the CISSP stuff is never going to leave, and it sits there. Ugh. But I think the biggest is probably my mainframe security knowledge. Like, ouch.
[David Spark] But do you get delighted when all of a sudden that knowledge all of a sudden comes to play?
[Sam Curry] When?
[David Spark] There are moments, aren’t there?
[Sam Curry] Not really, no.
[David Spark] No?
[Sam Curry] I mean, they don’t come up at cocktail parties. It just doesn’t happen. Certainly it’s not going to happen…
[Crosstalk 00:33:39]
[David Spark] But wait a second. Hold on, hold on. You actually, you’re armed with something quite valuable.
[Sam Curry] What?
[David Spark] If you want to get rid of someone, you bring up your mainframe knowledge.
[Sam Curry] Oh, I guess I could do that.
[Crosstalk 00:33:47]
[Sam Curry] But even worse than that is – some people hoard all sorts of things – but I can’t throw a technical manual out. So, I’ve still got like ACF2 and Top Secret and RACF documentation. Why? I’m not going to use these. It’s all online anyway.
[David Spark] So, there’s about a dozen listeners, maybe more, who are listening to you.
[Sam Curry] Maybe four.
[David Spark] Maybe hearing you say this.
[Andy Ellis] And some of them are in this room.
[Crosstalk 00:34:12]
[David Spark] And are delighted to know that I’m not the only one.
[Sam Curry] There’s a club.
[David Spark] And the rest of everybody is tuning out.
[Sam Curry] Joining both of us. Yeah, yeah, exactly.
[Andy Ellis] I just threw out, as part of the prep for the move I’m about to do, I just threw out my Cisco IOS documentation for IOS 10.7, I think.
[Sam Curry] Nice, nice.
[David Spark] Why? Oh. Yeah, because you’re moving.
[Andy Ellis] Because I’m moving.
[David Spark] You’ve hoarded a lot of books.
[Sam Curry] Do you have an iOS 2 manual around somewhere?
[Andy Ellis] I didn’t, but I do have the Network Systems BorderGuard 2000 manuals, I didn’t get rid of those, and here’s my esoteric…
[Crosstalk 00:34:43]
[David Spark] By the way, I just want to warn you. We don’t want to walk the audience here. [Laughter]
[Andy Ellis] But that’s for the most esoteric knowledge.
[David Spark] Yes.
[Andy Ellis] On the BorderGuard 2000, a 255 in an IP octet was read as a wild card because the folks at Network Systems had never encountered a Class A network that might have 255 as an actual valid octet.
[David Spark] Mm-hmm. Yeah. Nobody’s getting excited about that.
[Laughter]
[Andy Ellis] I know there’s at least one listener of our show who will get that reference.
[David Spark] Okay.
[Andy Ellis] Hi, Craig.
[Sam Curry] I know at least one person in the audience.
[David Spark] By the way, we don’t play to single individuals. We try to play to all. But here’s my question. Pick any, maybe, either old piece of technology or old manual. When’s the last time you touched it and used it for any reason whatsoever? Maybe even a floppy disk for that matter.
[Sam Curry] That’s so funny you say that because I was teaching a class, and I was part of a startup in ’96 that did VPNs, and we actually were the inventors of the personal firewall. And I pulled down the box where the documentation and the floppies in it for the Unix operating system and the old Windows 3.5’s. It was really special.
[David Spark] One of my most popular posts, if not my most popular post, was I went to a Hack The Box event in Boca Raton, Florida. We did a live show there. And the badges that they had were five-and-a-half floppy disks. And what they did is they printed exactly where the label was your information, your name, and company right there. But you could also see what the disk originally was. So, I talked to the event producers, and they found somebody online who was selling like 300 or 500 of these disks for like a couple of hundred bucks. There was stuff on them if you had a floppy drive. There you go. Do you really have a few hundred?
[Sam Curry] Oh, not a hundred, but I certainly have enough to make some money, I mean.
[David Spark] Put them up. You could probably sell them. But again, you’re looking at less than a buck a floppy.
[Sam Curry] I’ll have to get a hole punch and wipe them.
[Andy Ellis] Yeah, that’s the problem.
[Sam Curry] I’m worried about the data on them.
[David Spark] Is there any data on them?
[Crosstalk 00:36:47]
[Andy Ellis] That’s the problem.
[Sam Curry] It’s like, “Whew!”
[Crosstalk 00:36:52]
[Andy Ellis] How many people have like the graveyard of old hardware that they just never got around to wiping and now they don’t know what’s on it?
[Sam Curry] I had a fire at one point, so I lost some computers that way, yeah.
[Andy Ellis] Okay.
[Sam Curry] But I still have the cables.
[Andy Ellis] I literally have a box labeled “Necromagnetic hygiene required.”
[Sam Curry] Love that.
[Laughter]
It’s time for the audience question speed round.
37:13.462
[David Spark] All right. I have some questions here from these audience members right here, and we have just a few minutes left. We’re going to get through as many of these as we can in the little time that we have. So, please, quick responses on these. Now, this one I like, it’s fun. This comes from Brooke Ward of Grip Security. I understand Brooke is over there. Brooke is I think day three, you said, on the job?
[Sam Curry] Correct.
[Andy Ellis] Welcome, Brooke.
[David Spark] You’re in day three. Welcome, Brooke. All right. I thought this was an interesting question. When you go to a cyber networking event like this, I mean, you had a purpose to come, but say you weren’t doing a recording, do you have an agenda when you actually come to a cyber networking event, or just looking to meet people and that’s it? It’s as open as possible.
[Sam Curry] No agenda for me.
[David Spark] No agenda.
[Andy Ellis] Oh, I absolutely have agendas. I’m just not telling you all what they are.
[David Spark] Oh, come on.
[Andy Ellis] Because that would defeat the purpose. So, some of the agenda is I’m trying to make some connections. Who else am I going to reach out to later?
[Sam Curry] But I think that’s the other area.
[Andy Ellis] Planting…
[Sam Curry] He’s saying networking or agenda.
[David Spark] So, why…
[Andy Ellis] But planting thoughts in people’s heads because part of what I do is help build demand within our portfolio.
[David Spark] Right.
[Andy Ellis] So, I want people thinking about certain problems.
[David Spark] Ah. So, the problems that your portfolio is solving, you want to sort of let them know.
[Andy Ellis] Yeah. Mention that they exist, talk about them from time to time. And if they resonate, great.
[David Spark] Well, I mean, that’s what any vendor does when they pitch.
[Andy Ellis] No, that’s what every vendor should do. What most of them try to do is sell rather than just…
[David Spark] That is a good point. Very good point. Interesting. This came up and I was writing about this as well on LinkedIn about my thoughts on RSA. The number of times people I spoke to, and this is not me walking up to a booth but just gave me their vendor pitch without really me asking for it, and I was sitting there waiting for them to stop talking.
[Sam Curry] That’s a little like turning up for a date and standing on the front step naked, like…
[Laughter]
[Andy Ellis] Let me show you what I got.
[David Spark] Have you done this, Sam? Have you done that?
[Sam Curry] No, I think a little more subtlety is required.
[David Spark] All right, so hold it. You say you don’t have an agenda. Why don’t you have an agenda?
[Sam Curry] Because for me, I like connecting with people. And usually I’m going there and I’m actually looking around the room to see who I’d like to know and find a good conversation. I do enough of the schmoozing for corporate events. And even at those events, I’m still looking for the same thing. The funny thing is I have this thing, even with my team, I say, “What’s the time at which you’re looking for the exit to go find a smaller group or recharge?” Like at some point, everybody goes from being an extrovert to being an introvert. You may be the person who’s there closing the place, but some folks it’s like right at 6:00 p.m. when it starts, and some it’s like 7:00, 8:00, 9:00. Usually for me, it’s about 7:15, 7:00.
[David Spark] All right, here’s another question. All right, we got a few more. Let’s go through these quick. From Murad Sid of Cyber Cedar Advisors, what are the reasons you’ve dumped a tool? I’m sure there’s many. Give me a few. Either one of you, jump in.
[Sam Curry] When it was shelfware.
[David Spark] Shelfware?
[Sam Curry] Just didn’t get deployed, yeah.
[David Spark] Didn’t get deployed. Is that the most common reason?
[Sam Curry] Not the most common. I think probably vendor promises didn’t hold up.
[David Spark] Okay, that’s a good one.
[Andy Ellis] Vendor tried to blackmail or extort me.
[David Spark] That’s never fun.
[Andy Ellis] Had the product in and we’re like, “Oh, look, price went up, feature went up,” whatever it’s going to be, like nope. I will go…
[David Spark] Hold it. Is that the most common reason or just one good reason?
[Andy Ellis] In my career, the number of times we’ve done that was pretty big. F-Secure, we did that too. F-Secure was like, “Oh, here’s how much money we’re going to charge you for licenses for SSH,” back when that existed. And we were like…
[Sam Curry] I used to be on the board of SSH.
[Andy Ellis] Yeah, sorry.
[Sam Curry] No, no, you’re right.
[Crosstalk 00:41:01]
[Andy Ellis] And I literally, for a long time, I have the box with the licenses in it for Akamai, because we then stopped using them, for like 10,000 unlimited use licenses forever. And they were like, “Oh, once you cross 10,000 servers, you have to start paying us an inordinate price.” Yeah, we dumped them and went to open SSH very early on.
[David Spark] All right, next one. All right, this comes from Tim Armstrong at K logix. They are a VAR. So, they want to know, you have a contact with a VAR, you have your first meeting. He wants to know, what should the second contact from a VAR be?
[Andy Ellis] Am I the vendor talking to the VAR or the buyer talking to the VAR?
[David Spark] The buyer. I’m sorry, the buyer talking to the VAR, not the vendor. So you had an initial meeting, they told you what their offering, how they could possibly help you.
[Sam Curry] It should be about me.
[Andy Ellis] Yeah.
[Sam Curry] I mean, it should be about what my biggest risks are, what my reference architecture is, and how I’m going to mitigate the risks in my risk registry.
[Andy Ellis] I mean, I think that’s a piece of it, but I think a really big piece is, like, why am I going to buy through a VAR? And why you? Because the answer is I can buy directly from all of these companies, and we’re not in an era where you have secret knowledge about the companies that isn’t really out there if I’m not willing to do. So, what value do you provide as a VAR that is not just…
[David Spark] Well, it is in the title and hopefully they’re doing that. It’s called value added.
[Andy Ellis] Yeah, that’s a marketing phrase.
[Crosstalk 00:42:25]
[Andy Ellis] So, what is that actual value that you’re going to provide?
[David Spark] Well, hopefully, you’re getting that in the first meeting. You want to know…
[Andy Ellis] Yeah, in the first meeting, they’re going to pitch me on some things about value. But I really want to understand, like, as we go forward, what is the value besides you’re going to negotiate a slightly better rate on the contract for me?
[Sam Curry] Or it’s faster to do business. Yeah. But a lot of vendors are channel-only or try to be channel-only. And so, that says that I have to work through you. Why you versus another VAR?
[Andy Ellis] Exactly.
[David Spark] Okay. Let’s close out with this one. This comes from Maria Teigeiro of Zscaler. So, AI has gone from noun to adjective. All SaaS apps now have some AI tool, it seems. It’s usage is happening, though, before policies are applied. So, I’m talking about not the ones that are AI-centric, like a ChatGPT, but just whatever SaaS tool you’re using that has it. So, how do you approach security on the ones that, oh, all of a sudden, all these SaaS tools we have have AI applied?
[Andy Ellis] You know what I love about this question? Is that five years ago, we just asked this question about SaaS. Like, oh, everybody’s just using SaaS, and we don’t have a policy about it, and how do we discover who’s using what? And now we just assume that we’re like SaaS-native companies, and now all SaaS is using AI. And it’s the same exact question. At the end of the day, here’s the answer. The business is going to adopt technology faster than you can plan for it. So, you had better figure out how you are chasing the business and supporting them, not chasing them to slow them down.
[Sam Curry] Was the question about how do you onboard it or was it…?
[David Spark] Well, it’s more of… You’re not onboarding. You onboarded it a while ago. Now the tools they’re already using have AI in them, and you haven’t applied policies. You may have applied policies to Copilot, ChatGPT, whatnot. These are the AI sort of centric tools, but you’ve got these other ones that have got AI slapped on.
[Sam Curry] Yeah, we did that with the cloud too, even IS as well and Pass [Phonetic 00:44:24]. Yeah, I think at that point you accept it, and you just go enumerate the risks. I once joined a company and in my first week was asked, “Hey, we’re moving from a data center to AWS,” at the time. And they said, “Can you do an assessment of it?” And I said, “Yeah, sure.” I did an assessment. I said, “Here are the risks,” but I had said up front, “We just have to make a business decision about accepting these risks. There’s also risks in the data center.” And somebody just literally looked at the list of risks and said, “Sam says we can’t move to the cloud.” I’m like, “That’s not what I said.”
[Sam Curry] Yep.
[Laughter]
[Sam Curry] Right? Like this is explicitly…
[David Spark] But it’s always fun to get the blame, isn’t it?
[Sam Curry] Yeah. The point is you then need to just accept that it’s a fact. You need to go through and understand what the risks are and get a strategy for it.
Closing
45:03.832
[David Spark] Well, that brings us to the very end of the show. Let’s hear it for my two guests, Sam Curry and Andy Ellis.
[Applause]
[David Spark] And let’s also hear it for our wonderful sponsor, that’s Zscaler. Let’s hear it for them.
[Applause]
[David Spark] Remember, they’re going to help you out with your AI, zscaler.com. I want to thank Zscaler for bringing us out here to Boston, my hometown. We’re thrilled to come back here. It was a lot of fun to talk with both of you, Sam and Andy. Are you hiring over at Zscaler?
[Sam Curry] Yep.
[David Spark] You are? So, there is a jobs board there?
[Sam Curry] There’s actually a jobs page on our website. So, go check it out.
[David Spark] And can people contact you if they find a job?
[Sam Curry] Anybody can contact me for anything unless they’re selling something. If they are, then they should at least demonstrate that they care about more than just pitch.
[David Spark] Well, but if someone…
[Sam Curry] Just like you getting pitched, right? It’s [Inaudible 00:45:48].
[David Spark] Well, looking for a job, they’re kind of selling themselves.
[Sam Curry] That’s fine. That’s fine. I’ll help anybody who’s trying to get by in cyber.
[David Spark] Well, great. Well, thank you so much. Thank you, everybody, for coming on out tonight.
[Applause]
[David Spark] And huge thanks to Zscaler. Thank you for contributing and listening to the CISO Series.
[Applause]
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.