We’re seeing more research that virtually all organizations have some concrete AI adoption plan in progress or on their roadmap. But many of these organizations do so without similar plans for AI oversight. So how do we balance the speed of innovation with security and compliance concerns that can change on a dime?
This week’s episode is hosted by me, David Spark, producer of CISO Series and Mike Johnson, CISO, Rivian. Joining us is Jennifer Swann, CISO, Bloomberg Industry Group.
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Vanta

Full Transcript
Intro
0:00.000
[Voiceover] What I love about cybersecurity. Go!
[Jennifer Swan] I love that cybersecurity is never boring. I’m a doer. I like to learn. I like to get my hands dirty. I like to find ways to clear up my team cycles by automation and leveraging emerging technologies like AI and just learning about new things.
[Voiceover] It’s time to begin the CISO Series Podcast.
[David Spark] Welcome to the CISO Series Podcast. My name is David Spark, I am the producer of the CISO Series, I’ve always been the producer of the CISO Series. There are other producers of the CISO Series. I didn’t start in the mailroom. This is where I started. Mike, did you ever start in the mailroom? Mike Johnson, he’s my co-host since show one. He’s now the CISO of Rivian. Did you ever work in a mailroom?
[Mike Johnson] I did, actually.
[David Spark] Really?
[Mike Johnson] I mean, obviously, that was a very long time ago, but a very different lifetime. What I was actually doing is, in a travel agency, I was stamping addresses on pamphlets that were being handed out to customers. So, essentially, the mailroom.
[David Spark] Everything you learned in cyber, you can trace back to that, correct?
[Mike Johnson] Everything. I learned so much stamping things.
[David Spark] Which comes in handy.
[Mike Johnson] You never know when you might need to stamp something.
[David Spark] This action, just moving the hand up and down, pounding the table.
[Mike Johnson] [Laughter] Yes, the pounding the table.
[David Spark] We are available at CISOseries.com, where you can find all of our wonderful programming right there. Our sponsor for today’s episode is Vanta, a spectacular sponsor of the CISO Series. Automate compliance, security, and trust with AI. You can do that with Vanta. More about exactly that a little bit later in the show. All right, Mike, we as security professionals, I know you’ve said this before, the way to get people interested in cybersecurity is talking about it for themselves personally. Now, I’m always concerned about myself for my own security and the people in my household, their cybersecurity, but then there’s the people who are close to me that are not in my household, and I’m also concerned about their cybersecurity. How often do you proactively go out and provide advice to your immediate family and friends? Because I had a situation where I should have been a little bit more proactive, and there was someone who got a little hurt as a result of it. And so, I was wondering, what do you do? And what is the advice you provide?
[Mike Johnson] I take the opportunities when there’s something in the news.
[David Spark] Mm-hmm.
[Mike Johnson] My parents are like, “Hey, have you heard about this thing?” Because they know what I do.
[David Spark] Oh, that by the way, that’s a select few – parents who know what their children do.
[Laughter]
[David Spark] In cyber.
[Mike Johnson] They know the career that I’m in.
[David Spark] By the way, hold it. If I was to ask your parents, “What do you do?” How would they describe it?
[Mike Johnson] I don’t know how they would describe it, but I think it’d be pretty close. I mean, again, I’ve been doing this for almost 30 years, David. By now, they’ve figured out roughly what it is that I do.
[David Spark] But I want to know what “roughly” means. Come on.
[Mike Johnson] I don’t know. I honestly don’t know.
[David Spark] You don’t know. You’ve never asked, “Mom, Dad, how would you explain what I do for a living?”
[Mike Johnson] I’ve never asked that.
[David Spark] You know what? Next time you chat with them, ask them. I would love to know the answer to that.
[Mike Johnson] I will have that conversation and I will report back.
[David Spark] That would be great. All right. But let’s go back to the question of how do you sort of educate the family? You say you start off with big news.
[Mike Johnson] Or it is sometimes they will ask me, “Hey, did you hear about this thing?” One of the ones was my father-in-law forwarded an email about that was the six billion passwords leak thing that happened not too long ago.
[David Spark] Oh, yeah.
[Mike Johnson] That made it into the mass media, and that was a really great opportunity. Actually, my wife fielded that one, but it was a great opportunity for her to talk about passkeys and how he should switch to using passkeys rather than passwords. We got him on a password manager years ago, and it was a great opportunity to say, “Hey, you’re using the password manager, right?”
[David Spark] And now is he starting to use passkeys?
[Mike Johnson] Yes. Yes.
[David Spark] Well, then look what a good son-in-law you are.
[Mike Johnson] Well, again, my wife takes credit for that particular one.
[David Spark] For that particular one.
[Mike Johnson] That is an example of an opportunity.
[David Spark] My wife and I started doing this a while ago in that I do tech support for her mother, and she does tech support for my mother, and that has saved a lot of heartache with us.
[Mike Johnson] [Laughter]
[David Spark] That has worked out beautifully.
[Mike Johnson] You got to have a strategy.
[David Spark] That was our strategy. All right, let’s jump into our show.
[Mike Johnson] We should do that.
[David Spark] This is not like the real meat of the show. We want to get into the real show.
[Mike Johnson] Yeah, we should get to it.
[David Spark] And we have a great guest. I’m thrilled that she’s here. Our first time having her. It’s fantastic. It is the CISO over at Bloomberg Industry Group. None other than Jennifer Swan. Jennifer, thank you so much for joining us.
[Jennifer Swan] Thank you for having me. It’s a pleasure.
Is this the best use of my money?
5:16.095
[David Spark] “While the cybersecurity industry continues its obsession with CVE tracking and patch management, a growing number of practitioners are questioning whether we’re fighting the wrong battle.” Now, that thought came from the cybersecurity subreddit, which pointed out that the problem isn’t just that we’re chasing shiny new vulnerabilities, but that “most successful attacks rarely rely on exotic CVEs.” Instead, the true problems are the classics, misconfigurations like exposed S3 buckets, forgotten subdomains, and leaked Git repositories. Organizations pour resources into vulnerability management while basic asset discovery and configuration controls lag behind. If misconfigurations are doing the most actual damage, could you build an effective security program that essentially ignores traditional vulnerability management? And if so, what would that look like in practice, Mike?
[Mike Johnson] One of the things I think people forget is they do forget the past. There was a time where every compromise, every issue in security was related to the exploit of a software vulnerability. Vulnerability in a browser, a vulnerability in your internet-facing applications. We didn’t worry as much about the configuration-related vulnerabilities at the time because they weren’t a big thing. So, imagine if we had built our entire programs ignoring configuration-related vulnerabilities and focusing entirely on software vulnerabilities. We would have missed all those. And so, I think it’s very tempting to say hey, all the breaches today are somebody misconfiguring their S3 bucket or they’re misconfiguring their various EC2 instances, or they’ve left a hole in the firewall or something like that. And then forget that software does have vulnerabilities. And then one of those vulnerabilities comes by and just bites you. We had the Log4j vulnerability a few years ago.
[David Spark] Mm-hmm.
[Mike Johnson] Software vulnerability, that was not configuration, and that was really widespread. So, I think it would be too much to say, hey, we’re only going to focus on configuration vulnerabilities. This is really an example of the sprawl that we see in cybersecurity, that the threat surface keeps getting bigger and we keep having more things to focus on. Now, you might think about prioritization. That would be a thing to say like…
[David Spark] Yes.
[Mike Johnson] …right now, configurations, these are our biggest concern right now today, so we’re going to focus on those. Absolutely. Use it to solve your prioritization, but I don’t think you can say, “You know what? I just don’t care about software vulnerabilities anymore.”
[David Spark] Well, it was honestly, and I’m going to throw this to you, Jennifer, we actually did a whole episode about this where we just sort of, it was more a logic exercise where we asked like, how would you do it? Like if you were truly building a zero-trust architecture, would vulnerability management even be a thing? So, let me ask you, even as a thought exercise, could you do it, Jennifer?
[Jennifer Swan] I don’t know that I could. I think for me, vulnerability management is still very, very important. Even when you’re talking about zero trust. For me, CVEs are still very, absolutely important. But for me, I don’t draw a hard line between a CVE and a misconfiguration or anything like that. For me, if it introduces risk, it’s a vulnerability. So, that includes things like leaked secrets, overly permissive roles, accounts, exposed buckets or whatever you want to call it. But once you start tracking all of that, not just CVEs, like things do get noisy really fast. So, as Mike pointed out, the challenge really isn’t visibility, it’s prioritization. That’s why I’m a fan of things like the exploit prediction scoring system and other like context-aware frameworks or tools. For me, it helps us focus on the vulnerabilities that are actually likely to be exploited. And I think we need more of that kind of thinking across the board, whether we’re dealing with software flaws or cloud misconfigurations or vulnerabilities in software.
What’s the starting point for a CISO?
9:53.531
[David Spark] “While open-source software powers over 90% of modern applications, the cybersecurity community has largely ignored the glaring absence of the verify portion in trust but verify,” said Dan Lorenc, who’s the CEO of Chainguard in a recent CyberScoop op-ed. Now, the problem isn’t just that we’re using code from anonymous developers, but that “attackers had spent years slowly gaining trust and inserting malicious code into a tool relied on by Linux distributors worldwide.” Unverified code is the next national security threat as demonstrated by the XZ Utils backdoor discovery. There is an ongoing conversation, look no farther than the Huawei ranking as a top contributor to Kubernetes. If malicious attackers view open-source infiltration as a logical standardized attack vector, why are we still treating verification as optional rather than systematic? So, I ask you, Jennifer, even if we do get better, how do you coordinate open-source verification efforts across the industry? I mean, it seems like someone’s got to take the reins and nobody is.
[Jennifer Swan] Right, absolutely. I think verification is hard and I don’t think anyone’s pretending it’s easy, but I think that’s exactly why things like SBOM, software bill of materials, are so important. You have to at least know what’s in your environment if you want like a fighting chance, right, when it comes to open-source supply chain security issues. I think as an industry, we all need to make sure that we’re setting up guardrails and not doing everything by hand, doing things like dependency scanning, having things like repository firewalls in place, blocking untrusted packages before they even get pulled. It all helps reduce risk. And obviously, it’s just not a what-if scenario. Like we’ve seen this happen, as you’ve mentioned. And not just with that, but there’s things like dependency confusion attacks and other things, tampered packages that go unnoticed.
[David Spark] All right. Mike, your thoughts on this issue of verifying all this open-source code out there.
[Mike Johnson] So, I really like that Jennifer started with know what’s in your environment. I think that’s really important. If you don’t have a piece of source code in your environment, like if you don’t have XZ Utils, you don’t care. It’s not something that you need to spend time on. So, knowing what you have really gives you a leg up when things like this are discovered. I think it was always a myth that there was an assumption that people analyze every piece of source code that they incorporate. I mean, when was the last time someone really took a deep dive into the Linux kernel? That’s not something that we can expect our teams to do. That’s always an unreasonable expectation. But the flip side is when something goes wrong, it is available. The XZ Utils example is actually a good example for multiple reasons, and one is that it was discovered because a researcher went and looked at the source code. The source code was available. Someone was like, “Hey, this behavior’s weird,” and they went and deep dived into it.
The flip side of this is SolarWinds. There were thousands of companies that were compromised by SolarWinds. They never had a chance. They couldn’t look at the source code. They had no way of knowing that the backdoor had been shipped into their environment. So, that the source code is available, there’s a community that people can talk about these things. Sure, you don’t have the ability, capacity, capability to look at every piece of source code that comes into your environment, but you have a fighting chance with open source that you don’t have the same chance with closed-source systems.
[David Spark] You do, though, essentially have to rely on someone. There’s got to be some trust put on someone/someones to be verifying this code. And like you said, in some cases, you don’t even realize you’re dealing with it. And so, you really got a lot of blind trust going on. Don’t we, Jennifer?
[Jennifer Swan] Yeah, I agree. There’s a level of trust that you do have to have when it comes to this, but…
[David Spark] And it’s this blind trust of the community of open-source supporters, like, “I’m using this just hoping somebody else is looking out for me and everybody else.”
[Jennifer Swan] Yeah, I agree. And that’s why, obviously, we don’t have the manpower to look at every single thing [Laughter] like that researcher did. That was amazing what he did with the XZ. But I think, again, just making sure that you have the right tools in place can really help limit the, I don’t want to say blast radius, but limit some of the things that could happen.
[Mike Johnson] And I think over time, you do build up trust in the maintainers or in the software project because other people are using it. It’s not like we’re going and grabbing some random piece of source code and building our entire security infrastructure on top of that. There is some community validation that comes to play in the packages that we’re choosing to use.
Sponsor – Vanta
15:20.059
[David Spark] Our sponsor this week, it’s Vanta, and they’ve been a phenomenal sponsor of the CISO Series. And if you are dealing with compliance issues and you’re not going to get done fast enough, you do want to hear what I’m about to say. Compliance regulations, third-party risk, and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you’re thinking there must be something more efficient than spreadsheets, screenshots, and manual processes, you are right. GRC can be so much easier, while strengthening your security posture and actually driving revenue for your business. Oh, all sounds good, right?
So, Vanta’s trust management platform automates key areas of your GRC program, including compliance, internal and third-party risk, and customer trust, and streamlines the way you gather and manage information. And the impact is real. Listen to this. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. So, you get more time and energy to focus on strengthening your security posture and scaling your business. Vanta, GRC, how much easier trust can be. It can be, and you need to check it out for yourself. So, go to their website, that’s vanta.com/CISO. Really important to add the /CISO so they know we sent you there. Vanta.com/CISO, check it out.
It’s time to play “What’s Worse?”
17:01.781
[David Spark] All right, Jennifer, do you know how this game is played?
[Jennifer Swan] Yes.
[David Spark] So, two horrible scenarios. I will make Mike answer first and you will agree or disagree with him. He’ll give his reasoning, and I want you to give your reasoning whether you agree or disagree with him as well. Because your reasoning sometimes can be completely different. We’ve had that. We’ve had complete agreement but completely different reasoning.
[Mike Johnson] Mm-hmm.
[David Spark] That sometimes happens. All right. This one comes from a frequent contributor, Jonathan Waldrop, who is now a former CISO over at The Weather Company. Here we go. Here’s the “What’s Worse?” scenario. You have a SOC as a service provider who only detects and escalates 90% false positives, 10% true positives to investigate. So, you’re essentially wasting 90% of your time. Okay? Or you’ve got a vulnerability management system that reports 90% false positives and only 10% true positives. So, essentially the scenario boils down to what’s worse, poor response or poor prevention? So, the SOC being the poor response, the vulnerability management being poor prevention, both of them are essentially making you spin your wheels 90% of the time. Which one is worse here, Mike?
[Mike Johnson] Actually, this isn’t even detection versus prevention because they’re both detection.
[David Spark] Yes.
[Mike Johnson] Right? The vulnerabilities, that’s detection.
[David Spark] Yeah, it’s detection, but vulnerability management’s also prevention too.
[Mike Johnson] Well, it is the, at least the scenario is the escalation of vulnerability scans, like we’ve found this thing, which is different than we’ve fixed this thing. They’re both detection ultimately.
[David Spark] Well, vuln management is detection too, hopefully be prevented. So, that means of all the vuln management you’re doing, you’re preventing 10% of it, 90% is a waste.
[Mike Johnson] Well, on the other hand, for both of these, what you’re saying is 90% of what comes in is a false positive and 10% of what comes in is a true positive.
[David Spark] Correct.
[Mike Johnson] That could actually be the entirety of your true positives.
[David Spark] Mm-hmm.
[Mike Johnson] Literally, it could just be 90% of what comes in is noise and they’re telling you all about it, but there’s 10% that is something that has gone wrong.
[David Spark] It is conceivable, but it also could be conceivable that they’re just really crappy here, and you are missing another 90% of true positives.
[Mike Johnson] Yes, I’m trying to react.
[David Spark] You don’t know.
[Mike Johnson] I’m trying to react to what was presented before me, which is not that I’m missing 90% of the true positives. I’m being told that I’m getting a whole bunch of false positives and then 10% true positives. So, ultimately where we’re at is, are we detecting something before it has been exploited or after? A vulnerability is this is a problem, this is something there, but we don’t know that it’s been exploited. An alert is there’s an action that has been taken that is potentially a bad day.
[David Spark] Jennifer, let me just clue you in on this. He really likes to overexplain things.
[Jennifer Swan] [Laughter]
[David Spark] He uses this as a mechanism to try to figure out what his answer is because he’s still… Let me get you.
[Jennifer Swan] He’s thinking.
[David Spark] Are you still stumbling to come up with an answer here, Mike?
[Jennifer Swan] Just thinking.
[Mike Johnson] I don’t have the answer yet. And so, it just…
[David Spark] You don’t have the answer? You’re still working on it.
[Jennifer Swan] He’s thinking it through.
[Mike Johnson] This is part of the tax that comes with me going first, David.
[David Spark] Right, but this is the job of the CISO.
[Mike Johnson] Yes.
[David Spark] Make sure you understand the problem clearly or as best as you can because often, you don’t have all the information. Like, we don’t hear. We don’t know if it’s 10% of a much bigger pie or the 10% is everything.
[Mike Johnson] Yeah.
[David Spark] Who the heck knows?
[Mike Johnson] You got to break it down and go from there. And if I look at it as an action has occurred versus an action might occur.
[David Spark] Mm-hmm.
[Mike Johnson] I’m more worried about the action that has occurred.
[David Spark] So, the SOC situation is worse.
[Mike Johnson] Well, for this one, if my choice is I get a whole bunch of vulnerabilities that is unreliable data or I get a whole bunch of alerts that is unreliable data, I’d rather have the unreliable vulnerability information than the unreliable alert information. So, yes, the SOC one is the worse of the two because I can’t trust what’s going on in that environment.
[David Spark] All right. Well, you can’t trust either for that matter. [Laughter] But the actionable, the fact that this is what’s happening in real time.
[Mike Johnson] Yes.
[David Spark] That’s what you’d say. All right.
[Mike Johnson] Practical versus theoretical.
[David Spark] All right. Now, Jennifer, do you need to do the same endless reasoning that Mike did?
[Jennifer Swan] No, Mike did it for me actually. So, I’m good there.
[Laughter]
[Jennifer Swan] But no, I agree with him. If he wasn’t going to come to an answer, he said the thing that I was going to say.
[Mike Johnson] [Laughter]
[Jennifer Swan] I think that’s the most important, right? I’m a former IR analyst and manager, right? So, the first thing is identification. That’s very important. I’m of the mindset that things will happen, and if they happen, we should be able to respond to those accurately and efficiently. So, I agree with Mike.
[David Spark] All right.
[Mike Johnson] Blue team represent.
[Jennifer Swan] Yes.
[Laughter]
Should you hire this person?
22:50.590
[David Spark] In cybersecurity, landing the job isn’t just about what’s on your resume or the certs you’ve racked up. It’s about how you show up when the pressure’s on. That’s the takeaway from a recent cybersecurity subreddit thread where a veteran security manager laid out what really matters in interviews. Technical chops are table stakes, but true standouts are those who can communicate clearly. We talk about this endlessly. Collaborate with the business and maintain composure when things get heated. The comments echoed these points with hiring managers and practitioners sharing stories of candidates who faltered by relying on AI during interviews or who could talk risk but could not bridge the gap with business partners. Others pointed out that soft skills aren’t just “nice to have.” They’re career defining. So, Jennifer, I’m going to start with you. How do you build real-world composure and presence? This is in the interview. Is it about relentless self-improvement, which you kind of pointed out in the very beginning in our cold open, or simply surviving enough fire drills to learn what calm looks like? What do you think?
[Jennifer Swan] I think it’s both, right? I think that you should continually improve, but at the same time, experience is what’s going to get you that calm, right? I think that we’ve all gone through enough fire drills where we know what we need to do as seasoned professionals, but I think for people that haven’t had that experience or need to develop that skill of being calm, just making sure that you’re practicing, or there are tabletop exercises that you do with your organization or your team, or that you’ve done it previously before going to a [Laughter] new job. It’s really important that you do those things, right? Like I said, I’m incident response. That’s my background.
[David Spark] Hold on, let me pause you right there. Do you remember your first incident? Your first significant incident. Yes, Jennifer, you do? Were you cool as a cucumber back then or were you a little bit more panicked back then and you’ve learned to sort of manage your emotions better today? Like, what were you back then as opposed to today when it comes to significant incidents?
[Jennifer Swan] I was definitely more panicked for sure. I didn’t know what to do, [Laughter] scared, not sure what was going to happen to the organization or if it was something that was going to be minimal or if it was going to be very drastic.
[David Spark] Did you have a leader at the time that could direct you?
[Jennifer Swan] I did have a leader. We were a small team, but I did have a leader, and he did direct me pretty well. But even if he directed me at that time, it was still scary, right? So, as you said, being a part of those fire drills, that among the other numerous ones I’ve had throughout my career, as well as doing like tabletops and things like that, really helped improve that calm nature that I needed to have.
[David Spark] All right. Mike, do you remember your first time?
[Mike Johnson] Well, I remember the first incident that I caused, but it wasn’t actually a security incident. But I do think it’s…
[David Spark] Was this the one where you had to like drive a great distance to solve the problem?
[Mike Johnson] Yes.
[David Spark] Remind me, what was that again?
[Mike Johnson] I remotely disconnected a firewall from the internet and that was my only way of talking to the firewall and everything behind it, so…
[David Spark] How many hours did you have to drive?
[Mike Johnson] It was five hours each way.
[David Spark] [Laughter]
[Mike Johnson] In the middle of the night.
[David Spark] For the five hours down to the location, what was going through your head at that time?
[Mike Johnson] Oh, at that point it was like, well, this is just the situation. We’re here now, we just have to deal with it.
[David Spark] You didn’t like beat yourself up, “My God, I’m such an idiot, why did I do that?”
[Mike Johnson] There was certainly the, “What should I have done differently?” right? Part of that was I was doing the retrospective.
[David Spark] You sound so cool as a cucumber right now. I don’t think you were that cool at the time. Were you, really?
[Mike Johnson] Gosh, it was 25 years ago at this point. It’s really hard to…
[David Spark] So, you were like seven or eight years old? How old?
[Mike Johnson] Yeah, exactly.
[David Spark] [Laughter]
[Mike Johnson] Yeah.
[Crosstalk 00:26:54]
[David Spark] You had a driver’s license back then?
[Mike Johnson] …years getting into my car for sure. But you certainly, you gain through experience that calm that Jennifer’s talking about. Some of it is really having to understand what is and isn’t okay. Like this isn’t going to end the company. This isn’t going to end my career. This is something that we can recover from. And knowing what that is going to be like and having that experience of saying, “This is similar to something that I’ve been through before and that didn’t end the company. So, this is also unlikely to end the company.” And that experience helps give you that calm. And I think having a background as an incident responder is a really great lead-in to a CISO career because you do have that experience. You’ve been through the fires. When you are now at that point where everything rolls up to you, you’ve seen a lot to the point where you are calm, and you can remain calm or at least remain the appearance of calm even if your brain is going a mile a minute and help your team through that situation. You can be that person that provides that guidance to, this is the first time this incident responder is dealing with an incident. And you can say, “Hey, it’s okay. We’ve been here before. Here’s what we need to do to get through it.” And I think it’s experience and learning from those who have been through the experience.
How is AI going to solve this problem?
28:31.797
[David Spark] “While AI agents promise to revolutionize business operations, their unpredictable nature creates a governance nightmare that traditional compliance frameworks simply can’t handle,” said industry experts cited in a recent CSO Online article. Now the problem isn’t just that these systems can make autonomous decisions, but that “AI agents blur traditional boundaries between data, logic, and action in ways that create entirely new risk categories.” Recent research shows over 90% of enterprise decision makers have concrete AI adoption plans, yet many are deploying agents without adequate oversight structures. But this creates a practical dilemma. How do you balance innovation speed with the need for continuous monitoring and adjustment in an environment where customer satisfaction and regulatory compliance can shift month by month, Mike?
[Mike Johnson] The regulatory compliance aspect is fortunately something that I don’t have to spend my time on. We’ve got a great legal team. They’re on top of that. What I need to do…
[David Spark] By the way, so your answer to everything is have someone else do it.
[Mike Johnson] Yeah. I mean, that’s part of being a leader, right?
[Jennifer Swan] Delegate.
[Mike Johnson] Is delegate. But it’s really, it’s fine.
[David Spark] So, if you’re a very good leader, you should be doing little to nothing.
[Mike Johnson] Yes, that’s really what, sit around, do nothing. You’re a glorified router. That’s really what it comes down to. That’s the job.
[David Spark] Okay.
[Mike Johnson] Yeah.
[David Spark] By the way, you’ve said that, you’ve said that in job interviews, I hope.
[Mike Johnson] Absolutely.
[David Spark] [Laughter] Okay.
[Mike Johnson] I’m just going to come in, I’m going to take problems from A and route it to solver B and that’s it. That’s all I do.
[David Spark] You say to the employer, “You have a throne of some sort that I can dictate demands?” Yes?
[Mike Johnson] Yes. Dictate demands. I ask when, “When can I have my crown?”
[David Spark] That was good.
[Mike Johnson] That’s the first question that comes out in the interview.
[David Spark] Should be everybody’s first question.
[Mike Johnson] Absolutely.
[David Spark] All right, go on. I have sidetracked your, quote, intelligent response with my stupidity.
[Laughter]
[David Spark] Go ahead.
[Mike Johnson] Where I believe that security needs to be, the part that we’re playing with AI and AI agents, is really providing the opportunity for businesses to move quickly. We didn’t do that very well in the cloud era. A lot of cybersecurity was, “Oh, slow down. This is scary. I don’t know what to do here.” Our businesses are rapidly adopting AI, and we need to support them. And we need to give them the tools and the methods and the capabilities and the mechanisms and all of that for how they can safely adopt AI, how they can experiment. A lot of the things that businesses are doing with AI aren’t going to work out. They’re going to try a whole lot of different things to find the ones that work. So, my job is really to help them do that safely, provide them test environments, provide them test data.
[David Spark] And have you actively been doing that?
[Mike Johnson] Yes. I’m the co-chair of our AI Committee.
[David Spark] Mm-hmm.
[Mike Johnson] And our AI Committee’s goal is to help the company adopt AI. So, it’s very much in that charter of a body that I’m a part of and helping to lead because it’s that important to us. We have to look at ways that we can automate, that we can take manual processes and scale them, and AI is one of those tools. Again, they’re not all going to work, but we don’t know until we try, and so we have to help the company try.
[David Spark] Yeah. This is definitely the most experimental technology that everyone sees value in, but they don’t exactly know what that is.
[Mike Johnson] Yeah.
[David Spark] Jennifer, I throw it to you, and I’m going to throw in a little extra wrinkle in regards to this question. A lot of the tools your team is already using are adding AI, with your approval or not, just out of their own business imperative. And so, essentially, AI capabilities are being spun up in tools that are already approved in your environment. How do you manage that? How do you manage the desire of the team? Because I’m sure there’s lots of need and desire. Do you have sandboxes? What do you do for the apps that are just all of a sudden deploying it, and it’s already running in your environment, approved? Like, where do you start here with all of this?
[Jennifer Swan] So, for the application that’s already in our environment and they’re spinning up AI capabilities, one of the things that I do like about some of the tools that we have, they’re not automatically turned on. It’s something you have to configure in the backend. So, that’s a discussion with the appropriate teams, like the compliance, AI governance team, and privacy, as well as engineering teams to understand what that looks like. And if it’ll be useful, if the juice is worth the squeeze, or are we concerned about our privacy by turning this on? When we’re talking about developers maybe going out and wanting to use these open-source models, we want to make sure we don’t obviously cause friction, and we don’t want to be a blocker of innovation.
So, things that I think generally that companies should do is create those isolated environments where you can spin up like scanning services, with like tools like Garrick, which can scan for things like prompt injection and data leakage and anything that could bring a bad brand reputation to your business. It’s just a matter of just understanding what the issue is and trying to find ways to make sure we’re developing securely and not being a blocker, but more of a business partner to developers in a large organization.
[David Spark] I’m going to close with one quick question for both of you. I only need one example. Mike, in this testing phase that you’ve done with your team, what is one thing you learned about securing AI that you did not realize prior to the testing phase?
[Mike Johnson] One of them was really understanding how data blends together, like the whole training concept. This was early on, but I don’t think a lot of organizations really understood that if their provider is providing an AI tool and it needs to learn from somewhere, it’s probably learning from your own customer data. And learning that was a hard lesson, but also learning that a lot of companies now provide zero-data-retention, zero-training-on-your-data agreements in their contracts. Everybody’s kind of solved that and figured that one out, but that was something that was quite a surprise in the early days of AI.
[David Spark] Yeah, I think early days, we were awakened to that rapidly, but it required a wakeup call. Jennifer, same question to you. What is one thing you learned about AI security that you did not know about until you started testing?
[Jennifer Swan] I didn’t know about data poisoning and things like that. [Laughter] I didn’t understand, like first we’re just testing to see is it malicious, things like that. But then it goes back to like looking at the models that we’re downloading, and there’s a concern around is the training data good or bad? Those are things that I wasn’t thinking about prior when we started building out the testing plan.
[David Spark] Ah, data poison, yes. And it doesn’t take much to poison a data set. Very, very little. That is the thing that I think shocked me the most, how minute it takes to ruin it for everyone. It’s like the pee in the swimming pool. Same idea.
[Jennifer Swan] [Laughter]
[Mike Johnson] I think it’s a little bit different. I think it’s a little bit different.
[David Spark] No, it’s exactly the same. It’s exactly the same. Because you rarely see it, Mike.
[Laughter]
Closing
36:47.028
[David Spark] With that being said, first, we do not advise you pee in the swimming pool. I think we all can get behind that advice. And second, I want to thank our sponsor. Not the best lead up to our sponsor, I don’t think.
[Mike Johnson] Nope. You might want to rethink that one, David.
[Laughter]
[David Spark] No, I think they’ll appreciate it. No, they’re a great sponsor. We love our sponsor, Vanta. Vanta.com/CISO. Seriously, for your compliance needs, to speed up your compliance, remember, 129% faster with Vanta. Go to Vanta.com/CISO. Go check it out. Please remember to add /CISO so they know we sent you there. All right, Jennifer, I’m going to let you have the very last word. Mike, your final thoughts on today’s episode.
[Mike Johnson] Thank you so much for joining us, Jennifer. I really loved that you brought your incident responder background. Even before you mentioned it, I was like, “Hmm, I wonder.” So, thank you for sharing that. And what I really appreciate specifically was you’d mentioned exploit prediction or the likelihood of an exploit actually occurring, and I think that’s something that more folks should look into because I really do think that helps to prioritize the vulnerability. So, that’s a good tip for folks to really spend some time with. So, thank you for sharing that, and thank you for sharing your background.
[David Spark] Yes. And I think in the very first segment, when we were talking about vulnerabilities and doing zero trust, you bottom line said, “If it’s introducing risk, I got to deal with it, no matter where it’s coming from.” So, yeah, that’s what it is. It doesn’t matter. That’s it. Any last words?
[Jennifer Swan] Thank you so much, both of you, for inviting me onto the podcast. If you want to look at my LinkedIn and follow me, I’m always available to talk. And it’s Jennifer Swan. You’ll see me. I work at Bloomberg Industry Group.
[David Spark] We will link to it in the blog post for this episode.
[Jennifer Swan] Awesome. Awesome. Yes. Please follow me. And yeah, I would love to talk to anybody about security. It’s my favorite subject.
[David Spark] Well, we’re thrilled to have you on talking about just that. Thank you to Jennifer. Thank you to Mike. And thank you to our audience. I do mean this when I say it. Thank you very much for your contributions and for listening to the CISO Series Podcast.
[Voiceover] That wraps up another episode. If you haven’t subscribed to the podcast, please do. We have lots more shows on our website, CISOseries.com. Please join us on Fridays for our live shows – Super Cyber Friday, our virtual meetup, and Cyber Security Headlines Week in Review. This show thrives on your input. Go to the Participate menu on our site for plenty of ways to get involved, including recording a question or a comment for the show. If you’re interested in sponsoring the podcast, contact David Spark directly at David@CISOseries.com. Thank you for listening to the CISO Series Podcast.