2975: AI in Cybersecurity: Balancing Innovation and Risk

[00:00:01] [SPEAKER_00]: How secure is your digital landscape? As we navigate through this rapidly evolving cyber-security environment,

[00:00:10] [SPEAKER_00]: where threats almost morph and adapt at unprecedented parties right before our eyes. The need for robust and proactive secure images rather than reactive have never been more apparent.

[00:00:24] [SPEAKER_00]: So today, I'm joined by Dave Merkel. He's the CEO of a company called Expel.

[00:00:31] [SPEAKER_00]: And they're at the forefront of managed detection and response or MDR. And today, I want to dive into how the landscape of cyber-security is shifting.

[00:00:42] [SPEAKER_00]: And also learn more about the dual role that AI plays in both A-Ding and Challenging Security measures.

[00:00:49] [SPEAKER_00]: And also find how once and for all, whether today's CEOs are truly prepared to understand and tackle the complexities of cyber-security.

[00:01:00] [SPEAKER_00]: A big thank you to my amazing sponsor who helps me keep exploring the world of tech and bringing you daily updates.

[00:01:06] [SPEAKER_00]: Quick wake up call for everybody. Legacy DRM failed to securely enable external collaboration on sensitive files.

[00:01:15] [SPEAKER_00]: And as a result, organisations face a risk-trust contradiction. They must share content with untrusted third parties.

[00:01:24] [SPEAKER_00]: Yet, protect that day here. And I think it's time for a modern DRM solution that solves this dilemma without compromising on either security or productivity.

[00:01:34] [SPEAKER_00]: And that's what our joint forces with Clydeworks who offer a robust DRM governance and centralise control for all your files.

[00:01:44] [SPEAKER_00]: Making it easy to enforce granular access controls, detailed auditing, not to mention managed versions automatically and maintain complete data custody without relying on user key-based encryption.

[00:01:58] [SPEAKER_00]: And you can do that by visiting kightworks.com to get started with Kightworks safe edit next generation DRM.

[00:02:05] [SPEAKER_00]: That's kightworks.com to get started today, but now on with today's show.

[00:02:10] [SPEAKER_00]: Well, buckle up and hold on tight because no matter where you're located in the world, it's time for me to be your ears all the way to sunny San Diego where today's guest is waiting to join me.

[00:02:22] [SPEAKER_00]: So, a massive welcome to the show. Can you tell everyone this thing a little bit who you are and what you do?

[00:02:30] [SPEAKER_01]: I'm sure the online name is Dave Merkel. I'm the CEO and one of the co-founders of expel were a cybersecurity company that initially started here in the US and it's our job to protect companies from bad things that happen.

[00:02:44] [SPEAKER_00]: And when it comes to protecting companies from those bad things that happen, you see like every day there is something scary happening before I think before you came on the podcast there was that 10 billion passwords that had been leaked and it's all over the way but there are many.

[00:02:59] [SPEAKER_00]: I've got to ask, I mean, to set the scene for our conversation, how have you seen the cybersecurity landscape evolve over the last few months in particular?

[00:03:08] [SPEAKER_00]: Of the ones talking about AI, I suspect there but what emerging trends should organization be aware of right now when it comes to cybersecurity?

[00:03:17] [SPEAKER_01]: Well, this is one of those areas. I hate to be a peddler of fear uncertainty and doubt because I actually don't think that's terribly useful but it is true that

[00:03:29] [SPEAKER_01]: you know attackers have not gone anywhere. In fact, there is more and more of them constantly whether you're talking about criminal activity, some of it just wants to

[00:03:37] [SPEAKER_01]: maybe do a ransomware attack and steal your data and make some money or if you're talking about nation states that are conducting economic espionage or nation state level espionage each year that goes by, just you know the volume seems to intensify.

[00:03:53] [SPEAKER_01]: Also, the kinds of tools that are available for attackers, they can kind of continue to trickle down if that makes sense.

[00:04:03] [SPEAKER_01]: So something that maybe 10 years ago used to be a really sophisticated attack or tradecraft is now commonplace where someone that doesn't necessarily have, you know, the greatest skill sets can still get access to the tools to affect a really impactful attack.

[00:04:19] [SPEAKER_01]: You mentioned AI, AI falls right into that category and let me be more precise because I do get a little good little nerdy and an annoyed one people say AI and they're not specific. So I will be specific if we talk about AI which right now, most people when they say that are talking about things like chat GPT and large language models and having more sophisticated interaction with software almost like it's a human being so it's just that piece.

[00:04:45] [SPEAKER_01]: If you look at what it's good at, which is mimicking human communication that's another example of trickle down where if you wanted to conduct a really good social engineering attack whether it was crafting a really clever email or a text message.

[00:05:00] [SPEAKER_01]: And maybe your target speaks English you don't even have to speak English like you can now actually get the software to actually put together really effective communications so again we're trickle down more access to tools increases the volume of attacks.

[00:05:13] [SPEAKER_01]: And I know that sounds kind of do-mish but it's true. I mean, it's not going anywhere all you're going to do is see volume increase sophistication increase. So we're in a forever cycle of having to continue to innovate to protect ourselves.

[00:05:30] [SPEAKER_00]: And I guess the big question for business leaders listening they're seeing these ongoing attacks they're subscribing to this landscape that you've just described perfectly that what kind of strategies should their organization be implementing.

[00:05:44] [SPEAKER_00]: To better prevent and mitigate cyber attacks in this increasingly complex environment we all find ourselves in.

[00:05:51] [SPEAKER_01]: Well, if I'm going to provide some general advice particularly to business leaders so people running companies and organizations that are not cyber security.

[00:06:00] [SPEAKER_01]: Kind of like long cyber security practitioners like I am as opposed to giving them some sort of mystical cyber advice I actually have just some practical business advice which is your cyber security function wherever it lives in your organization.

[00:06:13] [SPEAKER_01]: You should understand that as well as you do the parts of your business that actually make you revenue.

[00:06:20] [SPEAKER_01]: And so and you should hold the leadership of that organization accountable the same way that you hold other business unit leaders accountable.

[00:06:28] [SPEAKER_01]: You know too often I've seen Osibers Hard in its mystical and it's technical and sometimes we as cybersecurity practitioners don't help that perception because we talk in technical terms in jargon and you know all this other kind of you know mystical stuff.

[00:06:43] [SPEAKER_01]: And so we're not helping the business understand what we do better.

[00:06:48] [SPEAKER_01]: But if you take the time to do that and hold your leaders accountable you can actually start to do the same kinds of things with cyber that you do with other parts of your business.

[00:06:55] [SPEAKER_01]: Have performance metrics understand how they impact the business understand how they impact not just your quote risk.

[00:07:02] [SPEAKER_01]: But how they also prevent risk and create positive business outcomes positive business opportunities by helping you manage the situation.

[00:07:09] [SPEAKER_01]: It's not mystical and unknowable it's no more complicated than other parts of a business that if you think about done think about the well company like the process of controlling instruction from the earth's crust is tremendously technical and complicated.

[00:07:22] [SPEAKER_01]: It's not more complicated or less complicated than cyber.

[00:07:24] [SPEAKER_01]: It is totally possible for a business leader instead of business leaders and CEO and their leadership team.

[00:07:31] [SPEAKER_01]: You're really inspect how they think about cyber the same way they inspect their rest of their business.

[00:07:36] [SPEAKER_01]: That's probably the number one don't wave it away and say, well it's too technical or I don't need to understand that and issue do.

[00:07:41] [SPEAKER_01]: It's like you need to understand the parts of your business that make you money.

[00:07:43] [SPEAKER_00]: And one particular attack that doesn't seem to be going anywhere especially for all the headlines I see about people still actually paying the ransomware attackers and they are becoming more and more sophisticated.

[00:07:56] [SPEAKER_00]: Any steps that you come that company should be taking to protect themselves against these threats to.

[00:08:02] [SPEAKER_01]: Yeah, certainly so if we do kind of delve into specific technical advice probably the most relevant advice is the most boring.

[00:08:12] [SPEAKER_01]: Which is think about things like hygiene and when I talk about hygiene I mean things like batching your systems and keeping yourself for up to date having backups and being able to restore those backups like real basic stuff.

[00:08:26] [SPEAKER_01]: But if you do it well, you're suddenly very resilient.

[00:08:29] [SPEAKER_01]: If you have a good backup regime if you know where your critical data is and you can restore it from a backup if you have a problem.

[00:08:35] [SPEAKER_01]: You're you know one step closer to being you know quote and means ransomware so that'd be step number one.

[00:08:42] [SPEAKER_01]: Step number two is making sure that you do have the blocking and tackling right so some of the basic cyber investments.

[00:08:51] [SPEAKER_01]: End point detection and response software whether that's a Microsoft product or crowd strike or something along those lines.

[00:08:57] [SPEAKER_01]: Good network detection for those companies that still having network some cloud native companies don't so.

[00:09:02] [SPEAKER_01]: But where you have those investments that's relevant.

[00:09:07] [SPEAKER_01]: Making sure that your monitoring across your cloud infrastructure and then making sure that someone's job is to look at that stuff 24 seven because if something bad does happen.

[00:09:16] [SPEAKER_01]: The best way to mitigate it is to quickly detect it.

[00:09:20] [SPEAKER_01]: You know figure out where it is and then knock it down and if you've made the right investments and if you have the right kinds of people operating your security infrastructure.

[00:09:27] [SPEAKER_01]: You can mitigate the vast majority of these attacks and continue operating business effectively.

[00:09:36] [SPEAKER_00]: And AI has been described as somewhat of a double-edged sword in cyber security and I keep reading about AI being used by both attackers and defenders.

[00:09:45] [SPEAKER_00]: I like it.

[00:09:47] [SPEAKER_00]: Is this a vulvigant to a good AI versus bad AI boss by a lib souls?

[00:09:52] [SPEAKER_00]: What are you saying?

[00:09:53] [SPEAKER_01]: That's a good question.

[00:09:56] [SPEAKER_01]: I have seen, I have yet to see anything in the wild where I think it's AI fighting AI without humans involved that doesn't mean that it hasn't happened.

[00:10:03] [SPEAKER_01]: It just means that if it did it didn't present in any distinct way that looked somehow different than an attacker using various kinds of automation or other software to attack a bit under.

[00:10:13] [SPEAKER_01]: I know defenders are using AI we do in order to find attackers in order to automate your response in order to augment our humans.

[00:10:23] [SPEAKER_01]: I can't replace humans yet.

[00:10:25] [SPEAKER_01]: So there's no kind of self-driving cyber security protection team that is fully AI.

[00:10:31] [SPEAKER_01]: There's still a human in loop but there's a lot AI can do to really scale that human so that they can get more done more effectively.

[00:10:36] [SPEAKER_01]: So that's definitely happening but I haven't seen anything yet in the wild where it's been full on AI versus AI.

[00:10:44] [SPEAKER_01]: I have seen some researchers as Ashbant six months ago, but they had staged the AI versus AI attack where there was a AI attacker that was crafting malicious emails on its own to affect a certain outcome.

[00:10:57] [SPEAKER_01]: And there was an AI protecting the email system that those emails were coming into and they kind of let them sound each other.

[00:11:05] [SPEAKER_01]: But as for seeing any of that in the wild, not yet will we? I'm sure we will. It's inevitable.

[00:11:12] [SPEAKER_01]: If it does happen in what I think it's going to look like is larger scale faster iteration of attacks.

[00:11:19] [SPEAKER_01]: You know, it's going to look kind of like two humans moving at light speed.

[00:11:22] [SPEAKER_00]: And for any security professionals that could be listening to our conversation today, any advice on how they could be leveraging AI to maybe stay ahead of some of the cyber threats or just improve their own cyber hygiene as a result.

[00:11:38] [SPEAKER_01]: Yeah, a couple of thoughts first.

[00:11:40] [SPEAKER_01]: Do educate yourself understand when someone says AI what they mean because there's some AI techniques that didn't that bucket we've been doing forever.

[00:11:49] [SPEAKER_01]: You think about maybe training and applying a machine learning model to certain kinds of data to detect attackers as an example. That's not new like that's been going on for a long time that is still using AI.

[00:12:01] [SPEAKER_01]: It could be utilizing large language models and things of that nature to augment your humans and implementing things like.

[00:12:09] [SPEAKER_01]: You know, things that will help you automate report writing things that will act as a copilot and maybe recommend courses of action.

[00:12:16] [SPEAKER_01]: So they're starting to be a lot of different features showing up in different cyber security products now.

[00:12:20] [SPEAKER_01]: So educate yourself on what the realm of kind of the possibilities might be.

[00:12:26] [SPEAKER_01]: And then select very carefully understand what you're trying to optimize don't throw 47 different kinds of it quote AI at something when you don't understand what problem you're trying to solve.

[00:12:36] [SPEAKER_01]: So select carefully and then experiment.

[00:12:39] [SPEAKER_01]: I think we're in a time of experimentation right now. It's not like I can plant at a suite of cybersecurity AI products and say pick these four or five.

[00:12:47] [SPEAKER_01]: We're definitely in a phase of fast evolution. So experimentation with a clear eye on what you're trying to improve what you're trying to get out of it.

[00:12:56] [SPEAKER_01]: And a good evaluation of that I think is the is the name of the game and at least right now can continue to experiment because I think the space is evolving the kinds of solutions that are available today will look different six months from now a year from now year and a half from now.

[00:13:09] [SPEAKER_00]: 100% with you on that and I'm curious do you think that most CEOs have the necessary skills and knowledge to make informed cyber security decisions.

[00:13:18] [SPEAKER_00]: But the reason I asked that is been a lot of talk over the years at the board room of not actually understood the ROI and the value of cyber security.

[00:13:26] [SPEAKER_00]: Is that still the case? Is that changing and if there is a gap, how can we better bridge that go?

[00:13:32] [SPEAKER_01]: So I do think like I said, you know, standing here in 2024 it is a much better landscape than it was 10 years ago. So board members probably know something about who's running cybersecurity for the business.

[00:13:48] [SPEAKER_01]: They probably have seen something in terms of metrics or information or measurements of effectiveness. Now do I think like the seat here or the board themselves fully understand on their own?

[00:14:00] [SPEAKER_01]: How to think about that ROI like what are you spending, what are you getting out of it? How did you measure efficacy?

[00:14:04] [SPEAKER_01]: Know but what they should be doing if they're not already is they should be holding the executive in charge of cybersecurity whether that's the CIO, whether that's the chief information security officer chief security officer.

[00:14:17] [SPEAKER_01]: Whoever owns that remin and is showing up to talk to the board in the CIO about the program, they should have the expectation that that person can talk to them in a way that they can understand it.

[00:14:28] [SPEAKER_01]: And if that person can't, they have the wrong executive in charge of the function and they should be shopping for a better leader that helps bridge that gap.

[00:14:36] [SPEAKER_01]: And that's kind of that step of hey hold that business function accountable the same way you hold every other business function accountable.

[00:14:42] [SPEAKER_01]: The executive that owns it is supposed to show up understand it and be able to help translate so that the board in the CIO can transact on.

[00:14:49] [SPEAKER_00]: And what role do you think managed detection and response or MDR plays in helping organizations better minimize business risk and also what makes you stand out and a different in this space too because again quite a crowded market isn't it?

[00:15:03] [SPEAKER_01]: Now there's no question that well I mean to your point that the market's crowded the reason is there's a great need and the reason there's a great need is you know as we talked about through this entire conversation.

[00:15:14] [SPEAKER_01]: It's not like the attackers are going away it's not like the kinds of things that you have to protect or becoming fewer number or less complex like all that's going the other direction.

[00:15:23] [SPEAKER_01]: And so trying to be effective on your own 24-7 always eyes on you know looking for the bad guys and chasing them when you need to.

[00:15:35] [SPEAKER_01]: That's a pretty serious business to get into and if it's a cost center it's really hard for businesses to be as good at that as they need to be to operate in today's environment.

[00:15:43] [SPEAKER_01]: So when I think about the benefits of MDR you can particularly expel that I make that problem go away we don't have to manage it 24-7.

[00:15:53] [SPEAKER_01]: We have the ability to integrate with all your investments both today and into the future why that's how I make money.

[00:15:59] [SPEAKER_01]: So the amount of R&D I invest into that that science is far greater than anybody's individual cybersecurity program in a company that doesn't do this for a living.

[00:16:08] [SPEAKER_01]: And what we've done at expel is you know even though there is still a human in the loop and there is.

[00:16:14] [SPEAKER_01]: I don't need nearly as many humans because we invested heavily in technology when we started the business to optimize that whole process of detect something identify what to do about it and respond and reuse everything.

[00:16:27] [SPEAKER_01]: Pick a definition of AI it's in there up to an including utilization of large language models and some of the ways that I've described.

[00:16:33] [SPEAKER_01]: It's a extensible platform so every time there's a new security product that enters the space and there is always going to be a new security product.

[00:16:41] [SPEAKER_01]: We have the ability to integrate quickly and then be able to use that investment on our customers behalf.

[00:16:47] [SPEAKER_01]: So we're able to continue to keep up with the landscape as it evolves which if you haven't made the kinds of technology investments that we have is really challenging to do you certainly will have a hard time doing it on your own.

[00:16:58] [SPEAKER_01]: We find our competitors can keep pace with us in there.

[00:17:02] [SPEAKER_00]: And the pace of technological change can be breathtaking when there's also a lot of argument it will never move this slower game so looking ahead right what do you see as the biggest challenges and equally the opportunities may be to end on a positive note for the cyber security industry.

[00:17:18] [SPEAKER_00]: I can't say over the next five years because things are changing that quickly at the moment but for the foresee I agree with you.

[00:17:24] [SPEAKER_00]: What do you see here?

[00:17:25] [SPEAKER_01]: I think the pace is the thing that is both a problem and a benefit.

[00:17:32] [SPEAKER_01]: If I take a look at the cycle we're going through with you know that AI technologies particularly large language models it's not that the cycle we're going through has a different shape than other innovation cycles like the shape of the cycle looks like the shape of cloud innovation.

[00:17:47] [SPEAKER_01]: Hey, here's new technology people experiment try to figure out how to use it there's a bunch of hype and excitement.

[00:17:53] [SPEAKER_01]: Then there are some disappointment and there is eventually some realization of what the real value is and then there's adoption at scale so that's basically the shape of the of the curve here.

[00:18:03] [SPEAKER_01]: It's just that the time cycle around AI is so massively compressed right so it's not going through a.

[00:18:10] [SPEAKER_01]: But to your point five six seven eight year cycle like if we go back and take a look at cloud adoption you need to argue how long that cycle was but it was years long to get through sort of ubiquitous realization of value.

[00:18:23] [SPEAKER_01]: AI is going much faster and so I think that does create.

[00:18:27] [SPEAKER_01]: Problem because the pace at which you have to keep up with it is going to be pretty high and if history isn't a guide attackers are doing it today like they're spending their time there so they're figuring out.

[00:18:37] [SPEAKER_01]: How to utilize a company zone AI infrastructure against itself to produce now come that that business doesn't want that benefits the attacker is happening right now and so that the pace is the big problem but the pace is also the solution because.

[00:18:51] [SPEAKER_01]: The innovation and the cybersecurity space to help defenders be effective I mean I'm we're doing it and I'm watching it with other vendors that we partner with an integrate with it is also moving really fast and so I do think that.

[00:19:04] [SPEAKER_01]: Yeah as opposed to gloom and doing I know will never be able to protect it we we've been able to keep up with everything before not that bad things can't happen they do.

[00:19:12] [SPEAKER_01]: But there's still an internet there's still cloud infrastructure there's still businesses that have been operating through all of it quite profitably creating great value for shareholders it is possible to keep pace it is possible.

[00:19:23] [SPEAKER_01]: To protect your business it is possible to operate effectively.

[00:19:26] [SPEAKER_00]: Thank you so much for sharing your insights around the trends within the cybersecurity security as well as how all gunnaisations and individuals can prevent and mitigate those cyber attacks.

[00:19:37] [SPEAKER_00]: There's only so much we can do looking forward and as this site the old Steve quote Steve Jobs quote is about and you can only join up the dots by looking backwards.

[00:19:45] [SPEAKER_00]: I've never looked asking and look back at your career now because none of us are able to achieve any degree of success without a little help along the way very often there's someone that is invested in a little time and as maybe they saw something in as maybe we can just look back and join up the dots and see how things happen for a reason so.

[00:20:05] [SPEAKER_00]: Is there a particular person who you're grateful towards or maybe helped you get you where you are we can give a little shout out to today.

[00:20:11] [SPEAKER_01]: I really like this sentiment of what you're saying I you know if you're ever talking to a founder and somehow they magically created all their success and there was never any luck or helpful on the way you know didn't get the real story.

[00:20:24] [SPEAKER_01]: And so when when I look back you know right I started my career in the US military and so you know I am extremely grateful for my time there because.

[00:20:35] [SPEAKER_01]: In the time I was serving I received far more than I was ever asked to give and so getting into cyber in the first place happened there.

[00:20:42] [SPEAKER_01]: So I'm thankful to that institution that created an amazing career opportunity.

[00:20:48] [SPEAKER_01]: In each company I've been in whether it was was a well where I worked for a wonderful man they dug big a low his no longer with us he had passed some seven years ago just a great my first civilian boss just a great meter.

[00:20:59] [SPEAKER_01]: In the early days of cyber really encouraged curiosity in learning and then when I left a well the company I did before I was manned in so Kevin Mandia the who was the CEO there.

[00:21:12] [SPEAKER_01]: He and I knew each other from the military and he took a leap of faith on me when I went to build his end point product business.

[00:21:20] [SPEAKER_01]: And that was just an incredible journey and in enabled me to go from being cyber security practitioner onto the vendor side building cyber security products to help a much larger set of people.

[00:21:31] [SPEAKER_01]: And it was just an amazing career step that's made a whole bunch of other things possible.

[00:21:36] [SPEAKER_00]: Well, well great and so important to get that shout out out there. I think very often these people are not aware of the impact that they have on ourselves and our careers.

[00:21:47] [SPEAKER_00]: So I big shout out to those people and for anyone listening just wanting to find out more information about expel your work you're doing now.

[00:21:55] [SPEAKER_00]: How you're helping your customers etc or just some of the insights that you've gained though where's the best.

[00:22:01] [SPEAKER_00]: I'm going to put everything up and have a little listening.

[00:22:05] [SPEAKER_01]: Oh, you can definitely just start on our website on www.expel.com.

[00:22:11] [SPEAKER_01]: And from there you'll find a whole host of things whether you're looking for a little more in depth of you on what we do for our customers or if you're just interested in our point of view.

[00:22:20] [SPEAKER_01]: We do have a blog there. We also publish regular threat reports so we help inform the broader cyber security public on the trends that we see.

[00:22:28] [SPEAKER_01]: And hopefully that information helps inform people's own programs as we all find you good played together.

[00:22:35] [SPEAKER_00]: Well, I'll add links to everything so people can find you in our SNESA.

[00:22:39] [SPEAKER_00]: We covered so much in 30 minutes today including how artificial intelligence is a almost double-edged sword that is impacting the security industry.

[00:22:47] [SPEAKER_00]: How it can be used by support security professionals and whether CEOs are equipped with the relevant skills to understand cyber security.

[00:22:55] [SPEAKER_00]: How this can contribute to the security decisions they make so many big talking points.

[00:23:00] [SPEAKER_00]: I'd love to hear from people listening their vantage point and what they take away from this conversation and the insights that they have,

[00:23:07] [SPEAKER_00]: but more than anything just thank you for bringing this topic to life today much appreciate.

[00:23:12] [SPEAKER_01]: Awesome. Thanks so much for the opportunity. You're definitely enjoyed it.

[00:23:16] [SPEAKER_00]: So I think today we unraveled the intricate web of cyber security challenges,

[00:23:20] [SPEAKER_00]: but also the opportunities and a big thank you to Dave Merkel of Expel for sharing his insights around the evolving threat landscape and

[00:23:31] [SPEAKER_00]: embracing AI's potential while also acknowledging its pitfalls.

[00:23:35] [SPEAKER_00]: But we covered so much crucial ground for business leaders today and before we part ways, I want you to reflect on its your organisation,

[00:23:44] [SPEAKER_00]: genuinely prepared to handle the cyber security challenges of tomorrow. What keeps you apart, no?

[00:23:51] [SPEAKER_00]: How are you preparing to be more proactive than reactive to those cyber threats?

[00:23:57] [SPEAKER_00]: Let me know your thoughts join the conversation by connecting with me online,

[00:24:03] [SPEAKER_00]: techblogwriteroutrook.com, linkedin to it, Instagram just at me, you'll see,

[00:24:07] [SPEAKER_00]: here's let me know, but remember stay vigilant and stay informed.

[00:24:11] [SPEAKER_00]: I think they're the most important factors and big takeaways for me.

[00:24:15] [SPEAKER_00]: So thank you for listening as always, but until next time, don't be a stranger.