Mimecast CISO On Why AI Has Become A Cybersecurity Risk
The Business of Cybersecurity, June 02, 2026
36
00:22:46, 20.86 MB

What happens when the technology designed to make us more productive quietly becomes one of the biggest security risks inside the enterprise? In this episode of The Business of Cybersecurity, I sit down with Leslie Nielsen, CISO at Mimecast, to discuss the growing tension between AI adoption and cybersecurity, and why many organizations may be exposing sensitive information faster than they realize.

As businesses race to deploy generative AI, AI agents, and Model Context Protocol integrations, Leslie explains why AI models themselves are becoming valuable targets. When organizations pool large volumes of sensitive data into centralized AI systems, they create what he describes as a corporate brain, one that can quickly become attractive to attackers if the right controls are not in place.

We explore the rise of shadow AI, where employees use unsanctioned AI tools to meet deadlines and improve productivity, often without understanding the long-term consequences. Leslie shares why a simple upload of financial data, customer information, or proprietary documents into a public AI platform can create risks that traditional security teams struggle to contain once the information has entered a large language model.

The conversation also examines the changing nature of insider threats. From negligent behavior to deliberate misuse of credentials, attackers are increasingly targeting employees directly. Leslie discusses how AI is making it easier for threat actors to identify vulnerable individuals, while growing concerns around job displacement may create new pressures inside organizations.

We also discuss why visibility remains one of the biggest cybersecurity challenges facing modern enterprises. As AI changes data flows, communication channels, and user behavior, many organizations are discovering that traditional security controls were never designed for the speed and complexity of today's AI-powered environments. Leslie explains why cybersecurity leaders need to become AI champions rather than blockers, helping businesses adopt AI safely while maintaining visibility, governance, and trust.

Looking ahead, Leslie remains optimistic about using AI to strengthen cyber defenses. As attackers embrace AI, defenders are doing the same, creating a new chapter in cybersecurity where automation, intelligence, and human expertise will work together to protect organizations from emerging threats. How is your organization balancing AI innovation with security, and are you confident you can see where your data is really going? Share your thoughts with me.


00:00:00 --> 00:00:02 And if you are running a business right now,
00:00:02 --> 00:00:04 you may have noticed there's a quiet shift happening.
00:00:05 --> 00:00:07 One that most people are still underestimating.
00:00:08 --> 00:00:10 And that is, your company doesn't live inside
00:00:10 --> 00:00:14 your network anymore. It lives inside the browser.
00:00:15 --> 00:00:18 That's where your SaaS apps sit. That's where
00:00:18 --> 00:00:21 your data moves. And increasingly, that's where
00:00:21 --> 00:00:24 attackers are focusing their attention. So Nordlayer
00:00:24 --> 00:00:27 has just launched its new business browser,
00:00:27 --> 00:00:30 and it's designed specifically for small and
00:00:30 --> 00:00:33 medium sized companies that need visibility and
00:00:33 --> 00:00:37 control without the overhead of enterprise security
00:00:37 --> 00:00:40 tools. What I like here is the balance. You get
00:00:40 --> 00:00:43 advanced protection, better compliance and full
00:00:43 --> 00:00:46 visibility into how your team is working online
00:00:46 --> 00:00:49 but without slowing anyone down or forcing them
00:00:49 --> 00:00:52 to learn anything new. It feels like a practical
00:00:52 --> 00:00:55 step forward rather than another security layer
00:00:55 --> 00:00:57 that adds friction. So if you want to see more
00:00:57 --> 00:01:01 about how it works please head over to Nordlayer.com
00:01:01 --> 00:01:04 slash browser and check it out and let me
00:01:04 --> 00:01:07 know your thoughts. But now on with today's show.
00:01:11 --> 00:01:14 What happens when the very AI systems designed
00:01:14 --> 00:01:18 to accelerate your business quietly become your
00:01:18 --> 00:01:22 biggest security risk? As organisations continue
00:01:22 --> 00:01:26 in that race to adopt all things AI and implement
00:01:26 --> 00:01:31 AI agents, many are pooling sensitive data, exposing
00:01:31 --> 00:01:35 new attack surfaces, and teams are underestimating
00:01:35 --> 00:01:38 just how quickly things could go wrong. Now today
00:01:38 --> 00:01:42 I'm joined by Leslie Nielsen from Mimecast, and
00:01:42 --> 00:01:45 he's a cyber security veteran with nearly three
00:01:45 --> 00:01:48 decades of experience. So today we're going to
00:01:48 --> 00:01:51 explore why AI models are becoming high value
00:01:51 --> 00:01:56 targets, how shadow AI is creating unseen risks
00:01:56 --> 00:01:59 inside organisations and come away with some
00:01:59 --> 00:02:02 actionable takeaways of what leaders need to
00:02:02 --> 00:02:05 be thinking and doing right now to stay ahead
00:02:05 --> 00:02:08 of some of these threats. But enough from me,
00:02:08 --> 00:02:13 let me introduce you to my guest now. So a massive
00:02:13 --> 00:02:15 warm welcome to the show. Can you tell everyone
00:02:15 --> 00:02:18 listening a little about who you are and what
00:02:18 --> 00:02:21 you do? Oh Neil, thanks so much for the invite,
00:02:21 --> 00:02:24 really honored to be here. My name is Leslie
00:02:24 --> 00:02:26 Nielsen. I am a, well, I've been in cyber security
00:02:26 --> 00:02:29 longer than it's been called cyber security. I'm,
00:02:29 --> 00:02:33 I think I just hit 27, 28 years. Started as a cryptographic
00:02:33 --> 00:02:35 programmer back in the day. I used to say crypto,
00:02:36 --> 00:02:38 but that has a different connotation now, so
00:02:38 --> 00:02:41 cryptographic programmer. I've been around the
00:02:41 --> 00:02:43 block a bit. I did a little bit of outsourcing,
00:02:43 --> 00:02:46 a little bit of consulting. I've had the good
00:02:46 --> 00:02:48 fortune to be the Chief Information Security
00:02:48 --> 00:02:51 Officer of six companies. Mimecast, the company
00:02:51 --> 00:02:54 I'm at now, is my sixth. We are a cybersecurity
00:02:54 --> 00:02:59 provider. I'm so happy to be here and I will
00:02:59 --> 00:03:01 just tell you, I do have a soapbox for cybersecurity.
00:03:01 --> 00:03:04 I absolutely believe all of us have
00:03:04 --> 00:03:09 the mandate to ensure the digital safety and
00:03:09 --> 00:03:13 security of those around us. Fantastic. Well,
00:03:13 --> 00:03:15 you are in the right place, my friend. Step on
00:03:15 --> 00:03:18 that soapbox and feel free to preach your gospel
00:03:18 --> 00:03:20 today. And one of the reasons I was excited to
00:03:20 --> 00:03:22 get you on here to join me is I was reading one
00:03:22 --> 00:03:26 of your reports that suggested that AI models
00:03:26 --> 00:03:29 themselves could actually become a new high-value
00:03:29 --> 00:03:32 target, essentially a corporate brain trained
00:03:32 --> 00:03:36 on sensitive data. So how real is this risk today,
00:03:36 --> 00:03:38 and why are organizations underestimating it?
00:03:38 --> 00:03:41 Because on one side, I'm going to countless tech
00:03:41 --> 00:03:42 conferences all around the world. Everyone's
00:03:42 --> 00:03:45 talking about agentic AI getting excited. The
00:03:45 --> 00:03:47 other side, I'm seeing Target, I think, in the
00:03:47 --> 00:03:49 US this week, and said, hey, if your agent goes
00:03:49 --> 00:03:52 and buys anything, it's your responsibility,
00:03:52 --> 00:03:56 nobody else's. So what are you seeing here? You
00:03:56 --> 00:03:59 know, there's two sides of it just like there
00:03:59 --> 00:04:03 is to everything. One is, if you take all of
00:04:03 --> 00:04:07 your data and put it in a central place, you're
00:04:07 --> 00:04:09 running a risk, right? Because you probably had
00:04:09 --> 00:04:12 other controls and things around it. And then
00:04:12 --> 00:04:16 secondly, if you're exposing that data in a way
00:04:16 --> 00:04:21 like just a rapid, fast-paced, agile way, getting
00:04:21 --> 00:04:23 things out as quickly as you possibly can, cuz
00:04:23 --> 00:04:26 AI is accelerating faster than just about anything,
00:04:26 --> 00:04:29 if not anything, we've seen, then you're running
00:04:29 --> 00:04:32 risk, and that's the biggest challenge we're having
00:04:32 --> 00:04:37 right now. People are exposing the data to prompts,
00:04:37 --> 00:04:39 and there's the ability for other people to
00:04:39 --> 00:04:43 take advantage of the prompts for agents to expose
00:04:43 --> 00:04:46 things for MCP servers, the model context protocol
00:04:46 --> 00:04:48 servers where people are trying to do integrations
00:04:48 --> 00:04:51 between things to be exposed. It's just you don't
00:04:51 --> 00:04:54 have to stop, but you do just have to take a
00:04:54 --> 00:04:56 step back and make sure that the controls you
00:04:56 --> 00:04:58 already have in place are going to be sufficient
00:04:58 --> 00:05:01 or find the right controls. Know what you're
00:05:01 --> 00:05:03 doing and know what's going on in your environment.
00:05:04 --> 00:05:06 And these concerns that we're highlighting here
00:05:06 --> 00:05:08 are very real and we're not alone with these
00:05:08 --> 00:05:12 concerns either. We're seeing 80% of organizations
00:05:12 --> 00:05:15 that have voiced concerns about sensitive data
00:05:15 --> 00:05:17 leaking through generative AI tools. And we've
00:05:17 --> 00:05:20 got the shadow AI problem in the workplace as
00:05:20 --> 00:05:22 well, which is an entirely different topic. But
00:05:22 --> 00:05:24 where are these leaks actually happening in practice
00:05:24 --> 00:05:27 and what behaviors are driving them? You know,
00:05:27 --> 00:05:31 there are multiple avenues for leaks, but really
00:05:31 --> 00:05:32 the biggest one that we're seeing in the wild
00:05:32 --> 00:05:37 right now is just unsanctioned AI usage by good
00:05:37 --> 00:05:40 intentioned employees. And I'll just build on
00:05:40 --> 00:05:43 that a little bit. So your boss comes to you,
00:05:43 --> 00:05:45 there's a deadline, and you're trying to get
00:05:45 --> 00:05:46 something done. And they're like, look, I need
00:05:46 --> 00:05:49 this done. And someone had told you about using
00:05:49 --> 00:05:55 insert your favorite unsanctioned AI online that's
00:05:55 --> 00:05:57 not licensed by the company and controlled by
00:05:57 --> 00:05:59 the legal protections that you have with a contract
00:05:59 --> 00:06:03 or a license. You upload a bunch of sensitive
00:06:03 --> 00:06:07 data, financial data, etc. The difference in
00:06:07 --> 00:06:09 that versus years ago where maybe you'd have
00:06:09 --> 00:06:13 a data leak or data loss, a spill, and you could
00:06:13 --> 00:06:15 contact Google, you could contact web pages,
00:06:16 --> 00:06:19 have stuff taken down, have stuff removed. Once
00:06:19 --> 00:06:23 data's into a large language model, especially
00:06:23 --> 00:06:24 a large language model that you're not paying
00:06:24 --> 00:06:27 a licensing fee with, it's effectively gone.
00:06:29 --> 00:06:32 Not only is it gone from your control, other
00:06:32 --> 00:06:35 people can then start querying it and seeing
00:06:35 --> 00:06:38 that data or pulling information out about your
00:06:38 --> 00:06:42 company. So using the financial example I was
00:06:42 --> 00:06:46 using, if you take your end of year, let's say
00:06:46 --> 00:06:47 you're a private company, you take your end of
00:06:47 --> 00:06:49 year, you put it up, your competitors might be
00:06:49 --> 00:06:51 able to figure out just how you're doing and
00:06:51 --> 00:06:53 what you're focusing on and what's not going
00:06:53 --> 00:06:57 well. So it's a real danger. It is happening.
00:06:57 --> 00:07:01 More than most people probably think because
00:07:01 --> 00:07:03 they just don't have the visibility and what's
00:07:03 --> 00:07:07 happening on the use of AI. And one of the most
00:07:07 --> 00:07:11 striking findings is that malicious insider activity
00:07:11 --> 00:07:14 is now rising at the same rate as negligent behavior.
00:07:15 --> 00:07:18 And I saw a BBC report recently where the reporter
00:07:18 --> 00:07:20 himself put himself out there on the dark web
00:07:20 --> 00:07:23 and he was quickly offered a King's ransom just
00:07:23 --> 00:07:25 to have his login. So what do you think this
00:07:25 --> 00:07:28 tells us about how the insider threat is evolving
00:07:28 --> 00:07:32 too? Yeah, years ago, the biggest cybersecurity
00:07:32 --> 00:07:35 risk was a vulnerability on the edge of the network
00:07:35 --> 00:07:37 that somebody was going to be able to exploit
00:07:37 --> 00:07:41 and then get into your network. Then the attackers
00:07:41 --> 00:07:43 got more sophisticated. They started using email
00:07:43 --> 00:07:46 and other things, and then it was somebody clicking
00:07:46 --> 00:07:48 on something, malware or something getting into
00:07:48 --> 00:07:52 your network. Then introduce crypto. That's the
00:07:52 --> 00:07:55 next level. Then they were able to lock up your
00:07:55 --> 00:07:58 network and ransom your network. As email security
00:07:58 --> 00:08:00 and other things got better, then they just said,
00:08:00 --> 00:08:02 well, hey, why don't we just contact the employees
00:08:02 --> 00:08:05 directly? We've looked on Blind and other websites
00:08:05 --> 00:08:07 where people are complaining about companies.
00:08:07 --> 00:08:09 All we have to do is just find a couple of disgruntled
00:08:09 --> 00:08:11 employees with some good user credentials. We'll
00:08:11 --> 00:08:16 just pay them. And it's happening. I mean, it
00:08:16 --> 00:08:19 is a real threat. It is happening to companies.
00:08:21 --> 00:08:23 I've been at companies that have been approached.
00:08:24 --> 00:08:26 We've had people say, we're being reached out
00:08:26 --> 00:08:30 to on LinkedIn. We do a counterintel program
00:08:30 --> 00:08:32 where we get a burner phone and go at it, et
00:08:32 --> 00:08:33 cetera. The main thing is to find out what they're
00:08:33 --> 00:08:35 looking for. And a lot of them are looking for
00:08:35 --> 00:08:38 customer lists. If you have any customers that
00:08:38 --> 00:08:40 use crypto, they want those lists so that they
00:08:40 --> 00:08:43 can then attack those people and try to get their
00:08:43 --> 00:08:46 crypto wallets, et cetera. But yeah, it's a really,
00:08:46 --> 00:08:51 really real risk. And ironically, AI is making
00:08:51 --> 00:08:55 it worse twofold. One, AI is making it easier
00:08:55 --> 00:08:58 to go through and do that enumeration to find
00:08:58 --> 00:09:00 out who the susceptible people are in your org.
00:09:00 --> 00:09:04 And people are becoming afraid of being replaced
00:09:04 --> 00:09:09 by AI and ergo are then becoming bitter to the
00:09:09 --> 00:09:11 company and then becoming that malicious insider.
00:09:12 --> 00:09:15 And there really seems to be a clear gap between
00:09:15 --> 00:09:19 awareness and action. There's any excuse for
00:09:19 --> 00:09:21 not being aware of what's happening. We've seen
00:09:21 --> 00:09:23 all these news articles. We've seen the big breaches,
00:09:23 --> 00:09:28 et cetera. But with many organizations recognizing
00:09:28 --> 00:09:31 the risks, but lacking preparation. Why is that
00:09:31 --> 00:09:33 gap proving so difficult to close? What are you
00:09:33 --> 00:09:37 seeing here? Yeah, this is twofold also. The
00:09:37 --> 00:09:40 beginning of the problem is that we know the
00:09:40 --> 00:09:43 right things to, we, cyber security, know the right
00:09:43 --> 00:09:46 things from a compliance and security awareness
00:09:46 --> 00:09:48 training perspective to tell our employees. People
00:09:48 --> 00:09:52 go through it, etc. Time goes on, maybe they forget,
00:09:52 --> 00:09:56 etc., but at the end of the day, we have to follow
00:09:56 --> 00:09:59 up on those that are having problems. Sometimes
00:09:59 --> 00:10:02 we jokingly call them frequent flyers, but it's
00:10:02 --> 00:10:04 the people that don't take training. It's the
00:10:04 --> 00:10:06 people that are having other problems at work,
00:10:06 --> 00:10:08 et cetera. We need kind of a cross-functional
00:10:08 --> 00:10:10 view of what's going on. It's the human risk.
00:10:12 --> 00:10:15 Getting that view and understand what employees
00:10:15 --> 00:10:17 are at risk, are most attacked, et cetera, is
00:10:17 --> 00:10:21 a very important thing for the security team
00:10:21 --> 00:10:22 as well as the human resources team and other
00:10:22 --> 00:10:25 people to have a view into. The second part of
00:10:25 --> 00:10:28 it, one of the reasons it's so hard to get a
00:10:28 --> 00:10:32 handle on is things are moving so fast. And I
00:10:32 --> 00:10:35 often liken this back to the day when public
00:10:35 --> 00:10:38 cloud came along. Most cybersecurity people were
00:10:38 --> 00:10:41 deathly afraid and deathly against public cloud.
00:10:41 --> 00:10:44 And the reason they were wasn't because they
00:10:44 --> 00:10:46 thought public cloud was a bad idea. It's because
00:10:46 --> 00:10:49 they didn't even have the security controls in
00:10:49 --> 00:10:52 place for their private cloud or on-prem, so
00:10:52 --> 00:10:54 therefore they couldn't extend those to public
00:10:54 --> 00:10:57 cloud. And that's what we're running into. Companies
00:10:57 --> 00:11:00 just haven't taken the time, they've been accelerating,
00:11:00 --> 00:11:03 they've had cutbacks, et cetera, to do the correct
00:11:03 --> 00:11:06 investment and maturity on the security controls
00:11:06 --> 00:11:09 they need to be able to expand those to, you
00:11:09 --> 00:11:11 know, an AI and an agent-centric environment.
00:11:12 --> 00:11:15 Big thank you to Denodo for supporting the Tech
00:11:15 --> 00:11:18 Talks Network and making these conversations
00:11:18 --> 00:11:21 possible. Because when your lake house stores
00:11:21 --> 00:11:24 the data, the real challenge is getting that
00:11:24 --> 00:11:28 data where it needs to go and faster. And your
00:11:28 --> 00:11:32 lake house stores the data, but Denodo helps
00:11:32 --> 00:11:35 deliver it faster. So with real-time access,
00:11:35 --> 00:11:38 built-in governance and a business-ready data
00:11:38 --> 00:11:41 marketplace, Denodo can help your teams unlock
00:11:41 --> 00:11:45 insights without costly duplication. And you
00:11:45 --> 00:11:48 can learn more by simply visiting denodo.com.
00:11:49 --> 00:11:52 I'm curious, from your perspective at Mimecast,
00:11:52 --> 00:11:54 how should organizations and leaders listening
00:11:54 --> 00:11:57 to this conversation today, what should they
00:11:57 --> 00:12:00 be doing to maybe rethink security when employees
00:12:00 --> 00:12:03 are actively feeding sensitive data into AI systems
00:12:03 --> 00:12:06 as part of their daily workflows, almost like
00:12:06 --> 00:12:08 small children playing with dangerous toys, unaware
00:12:08 --> 00:12:12 of the dangers? Yeah, you know, there's a framework
00:12:12 --> 00:12:15 that many cybersecurity professionals use called
00:12:15 --> 00:12:17 NIST CSF, National Institute Standards of Technology
00:12:17 --> 00:12:21 Cybersecurity Framework, and it has several steps
00:12:21 --> 00:12:23 in it. I'll get to the point, I promise. I just
00:12:23 --> 00:12:24 want to be complete, though, on acronyms. I hate
00:12:24 --> 00:12:27 people that talk acronyms and don't define. And
00:12:27 --> 00:12:29 it's govern, identify, protect, detect, respond.
00:12:30 --> 00:12:32 Protect, detect, respond are really the important
00:12:32 --> 00:12:36 ones. Protect means to proactively put controls
00:12:36 --> 00:12:38 in place to stop something bad from happening.
00:12:39 --> 00:12:43 Detect and respond is if those proactive controls
00:12:43 --> 00:12:46 fail. Things are moving so fast that we're not
00:12:46 --> 00:12:48 necessarily getting the proactive controls in,
00:12:48 --> 00:12:51 so we have to be ready to detect and respond.
00:12:52 --> 00:12:54 And that just literally comes down to visibility.
00:12:55 --> 00:12:58 You have to have visibility into what's in, what's
00:12:58 --> 00:13:00 on, and what's transversing your network, and
00:13:00 --> 00:13:03 what the people and the systems and the non-human
00:13:03 --> 00:13:07 identities on your network are doing. Yeah, I
00:13:07 --> 00:13:09 completely agree with you there and I do think
00:13:09 --> 00:13:13 many companies still rely heavily on native security
00:13:13 --> 00:13:16 controls within email and Collaboration tools
00:13:16 --> 00:13:19 even though they admit those controls are not
00:13:19 --> 00:13:21 quite enough because so much has changed in the
00:13:21 --> 00:13:23 last three years alone But what would you say
00:13:23 --> 00:13:26 is missing from the environments now because
00:13:26 --> 00:13:29 it was about five years ago Everything switch
00:13:29 --> 00:13:32 and to a few people the privileged few working
00:13:32 --> 00:13:34 from home to everyone then we've moved to hybrid
00:13:34 --> 00:13:38 working now AI What's missing in today's environments?
00:13:39 --> 00:13:41 You know, there are so many communication channels,
00:13:41 --> 00:13:43 and with kind of that proliferation of communication
00:13:43 --> 00:13:47 channels, we've also end up with silo visibility.
00:13:48 --> 00:13:51 And what we need is the ability to cross-functionally
00:13:51 --> 00:13:54 look across those channels. If something's happening
00:13:54 --> 00:13:57 within email and it's bad, the reality is that's
00:13:57 --> 00:13:59 probably going to propagate out. It may end up
00:13:59 --> 00:14:02 if, you know, if somebody gets a toehold, a hacker,
00:14:02 --> 00:14:06 a nation state actor, a threat actor, they're
00:14:06 --> 00:14:09 probably then going to get in and start checking
00:14:09 --> 00:14:11 out the collaboration tools, the instant messaging
00:14:11 --> 00:14:16 tools and things such as that. And we can usually
00:14:16 --> 00:14:21 see we being the industry as a whole, the individual
00:14:21 --> 00:14:24 attacks that might happen within those. But then
00:14:24 --> 00:14:28 once an account takeover or a valid credential
00:14:28 --> 00:14:32 is compromised, we don't necessarily have the
00:14:32 --> 00:14:35 user behavior analytics to understand that that's
00:14:35 --> 00:14:39 happening. And the mean time to detect and mean time
00:14:39 --> 00:14:43 to respond, that's what lessens the impact of
00:14:43 --> 00:14:46 any event, both financially, reputationally,
00:14:47 --> 00:14:51 and just for the company as a whole. And the
00:14:51 --> 00:14:54 report also highlights somewhat of a lack of
00:14:54 --> 00:14:56 visibility into exactly how data moves across
00:14:56 --> 00:14:59 systems, especially AI models. Well, we've seen
00:14:59 --> 00:15:02 this in the past with APIs, and a select few
00:15:02 --> 00:15:05 know how they work, which data goes where, et
00:15:05 --> 00:15:08 cetera. But how critical is that visibility now?
00:15:08 --> 00:15:10 And what does good actually look like in a modern
00:15:10 --> 00:15:13 enterprise when you've got AI on top of APIs?
00:15:13 --> 00:15:15 Again, we're talking way too many acronyms there.
00:15:15 --> 00:15:20 Yeah. Yeah, and I'll try not to introduce any
00:15:20 --> 00:15:24 more, but from a data flows perspective, what's
00:15:24 --> 00:15:27 kind of happened in a lot of the industry is
00:15:27 --> 00:15:30 people have said, you know what, I may not know
00:15:30 --> 00:15:35 all the data on my network, but I have good vulnerability
00:15:35 --> 00:15:38 management. I have good security awareness training,
00:15:38 --> 00:15:40 and I have good identity management. So they
00:15:40 --> 00:15:43 put those proactive controls in place. And then
00:15:43 --> 00:15:46 it's, so with all those things in place, the
00:15:46 --> 00:15:49 chances of a data spill, a data leak, et cetera,
00:15:49 --> 00:15:52 are lessened because what we've done is we've
00:15:52 --> 00:15:54 done network segmentation, we've done the various
00:15:54 --> 00:15:58 good controls. Back to the original premises
00:15:58 --> 00:16:01 we talked about on AI, people are pooling data
00:16:01 --> 00:16:03 together. They're pulling a lot of data together
00:16:03 --> 00:16:06 in either a central location or a central resource
00:16:06 --> 00:16:10 that can be accessed. It's completely changing
00:16:10 --> 00:16:12 the behavior, and it's changing the data flows.
00:16:12 --> 00:16:15 So they had controls in place to work with the
00:16:15 --> 00:16:19 system that they weren't 100% aware of how it
00:16:19 --> 00:16:22 operated on the very lowest level, all the data
00:16:22 --> 00:16:25 elements. And now the acceleration of that data
00:16:25 --> 00:16:31 is just proliferating the network. You have to
00:16:31 --> 00:16:34 have visibility into the flows, you have to
00:16:34 --> 00:16:37 see what things are being touched, what employees
00:16:37 --> 00:16:40 are reaching out to, the shadow AI, the shadow
00:16:40 --> 00:16:44 IT and things such as that. It is just paramount
00:16:44 --> 00:16:49 these days. As we look ahead, and AI inevitably
00:16:49 --> 00:16:52 becomes even more embedded across every workflow,
00:16:52 --> 00:16:55 what is the one shift you think organizations
00:16:55 --> 00:16:58 and leaders need to be making right now to avoid
00:16:58 --> 00:17:00 turning their own AI investments into a security
00:17:00 --> 00:17:03 liability? We've seen the dangers of the past
00:17:03 --> 00:17:06 of moving fast and breaking things. I like to
00:17:06 --> 00:17:08 think we're a little bit more sensible now, but
00:17:08 --> 00:17:10 it's easy to get caught up in the excitement,
00:17:10 --> 00:17:13 isn't it? It is. I'm going to start by putting
00:17:13 --> 00:17:16 it on the cybersecurity community. If you're
00:17:16 --> 00:17:18 a cybersecurity professional listening to me
00:17:18 --> 00:17:22 right now, do this. Be the leader in AI. Go out
00:17:22 --> 00:17:25 and adopt agentic software, put controls in place,
00:17:25 --> 00:17:28 and then make that the policy for, look, we know
00:17:28 --> 00:17:31 how to do it. Here's how to do it. Get visibility
00:17:31 --> 00:17:36 into the sanctioned AI and the unsanctioned AI
00:17:36 --> 00:17:39 and use the sanctioned. Talk about it. Do little
00:17:39 --> 00:17:42 webcast internally. Do enablement session, lunch
00:17:42 --> 00:17:45 and learns, et cetera. Just from a cybersecurity
00:17:45 --> 00:17:47 professional, so many times in the past, we've
00:17:47 --> 00:17:50 all been the office of no. There's no no when
00:17:50 --> 00:17:53 it comes to AI. It's here, it's going to happen,
00:17:53 --> 00:17:55 and it's going to keep going. We have to be a
00:17:55 --> 00:17:57 part of it, and we have to be enabling feature
00:17:57 --> 00:18:00 on it. And then just from the business perspective,
00:18:01 --> 00:18:05 think about a plan. A lot of people are just,
00:18:05 --> 00:18:09 hey, we got to go do this, go do it. Take a step
00:18:09 --> 00:18:11 back. What are you trying to solve? Are you trying
00:18:11 --> 00:18:14 to become more efficient? Are you trying to get
00:18:14 --> 00:18:17 more leads into your business development representatives?
00:18:17 --> 00:18:19 Are you trying to augment your sales force? Think
00:18:19 --> 00:18:21 about what you're going to do and build out a
00:18:21 --> 00:18:25 plan. Because what's the old line, right? Failing
00:18:25 --> 00:18:28 to plan is planning to fail. And I think that's
00:18:28 --> 00:18:30 the biggest mistake most people are making. They
00:18:30 --> 00:18:32 don't necessarily know what they need to do.
00:18:32 --> 00:18:35 And they're just kind of thrashing around. And
00:18:35 --> 00:18:38 we're ending up with unbeknownst data flows,
00:18:39 --> 00:18:43 potential data loss, data leaks, et cetera. Now,
00:18:43 --> 00:18:44 you did make the mistake at the very beginning
00:18:44 --> 00:18:46 saying you do like standing on a soapbox. I'm
00:18:46 --> 00:18:49 going to pull out my virtual soapbox now and
00:18:49 --> 00:18:52 ask you to maybe reflect on the conversations
00:18:52 --> 00:18:54 that you've had with your many clients around
00:18:54 --> 00:18:57 the world and also the news articles that you
00:18:57 --> 00:19:00 might come across, the LinkedIn posts when you're
00:19:00 --> 00:19:02 doom scrolling on social media. Are there any
00:19:02 --> 00:19:05 myths or misconceptions you see about everything
00:19:05 --> 00:19:07 that we've talked about today. Are there any
00:19:07 --> 00:19:09 myths that you continuously read and you think,
00:19:10 --> 00:19:12 this is wrong, we need to stop this? But is there
00:19:12 --> 00:19:16 anything like that that comes to mind? The thing
00:19:16 --> 00:19:19 that sticks in my head, and it's kind of an inferred
00:19:19 --> 00:19:23 myth, but people don't think, and this is cybersecurity
00:19:23 --> 00:19:25 and other, they don't think that the controls
00:19:25 --> 00:19:29 exist to protect AI and to protect data. And
00:19:29 --> 00:19:31 some people are then just take it. Hey, we have
00:19:31 --> 00:19:33 to take the risk. Let's just go out there and
00:19:33 --> 00:19:36 do it. But the reality is those controls do.
00:19:36 --> 00:19:39 I mean, an agent is running under an identity.
00:19:40 --> 00:19:42 Humans run under identities, right? We've been
00:19:42 --> 00:19:45 managing human risk for years now. We're looking
00:19:45 --> 00:19:48 at a significant acceleration or perhaps proliferation
00:19:48 --> 00:19:51 of that. But the controls are there. We just
00:19:51 --> 00:19:54 have to double down on doing them right. And
00:19:54 --> 00:19:57 we just have to be very, very succinct about
00:19:57 --> 00:19:59 our expectations and what we're going to do.
00:19:59 --> 00:20:01 I think that's probably the biggest myth. It's
00:20:01 --> 00:20:03 the let's just put our head in the sand. We have
00:20:03 --> 00:20:04 to do this anyway. And let's not worry about
00:20:04 --> 00:20:08 security. Love it. And is there anything you're
00:20:08 --> 00:20:10 optimistic about looking ahead as well? We've
00:20:10 --> 00:20:12 talked a lot about the warnings, things we need
00:20:12 --> 00:20:14 to do, things we need to be prepared for. What
00:20:14 --> 00:20:15 makes you optimistic about this future we're
00:20:15 --> 00:20:19 heading towards? I'm using AI to fight the good
00:20:19 --> 00:20:21 fight on security. That's what I'm optimistic
00:20:21 --> 00:20:25 about. It's going to be AI versus AI, but the
00:20:25 --> 00:20:30 reality is many of the tools, cross-collaborations,
00:20:30 --> 00:20:33 efficiencies, maybe short staffing and stuff
00:20:33 --> 00:20:35 like that, we're able to combat a lot of that.
00:20:35 --> 00:20:38 Now, also the bad guys are doing it, but at the
00:20:38 --> 00:20:42 end of the day, it's giving us a new lease on
00:20:42 --> 00:20:48 just injecting enthusiasm and action into all
00:20:48 --> 00:20:51 the good work that our teams do. Well, it's been
00:20:51 --> 00:20:53 an absolute pleasure sitting down with you today
00:20:53 --> 00:20:56 and talking about this, a language everyone can
00:20:56 --> 00:20:58 understand. For people listening, I'll include
00:20:58 --> 00:21:02 a link to the report we've referenced and your
00:21:02 --> 00:21:04 LinkedIn. Anywhere else you'd like me to point
00:21:04 --> 00:21:06 everyone listening? Oh, I think that's good coverage.
00:21:06 --> 00:21:09 I really appreciate it. Awesome. Well, I would
00:21:09 --> 00:21:12 encourage everyone watching and listening to
00:21:12 --> 00:21:15 our conversation today, please feedback. What
00:21:15 --> 00:21:16 are you seeing? What are you doing differently?
00:21:16 --> 00:21:20 What would you change? Any myths that you'd like
00:21:20 --> 00:21:23 to come on here and share on this virtual soapbox
00:21:23 --> 00:21:25 too? I'd love to hear from you, but more than
00:21:25 --> 00:21:27 anything, just a big thank you for you coming
00:21:27 --> 00:21:29 on here and sharing your story. Really appreciate
00:21:29 --> 00:21:32 you, Tom. Thank you so much, Neil. If there's
00:21:32 --> 00:21:34 one thing that stood out today, I think it's
00:21:34 --> 00:21:38 that AI is, yes, moving fast. But security awareness
00:21:38 --> 00:21:43 and action are struggling to keep pace. And that
00:21:43 --> 00:21:48 gap is exactly where real risk lives. So a big
00:21:48 --> 00:21:50 thank you to Leslie Nielsen from Mimecast for
00:21:50 --> 00:21:53 sharing such honest and practical insights with
00:21:53 --> 00:21:56 me today. And for everyone listening, here's
00:21:56 --> 00:21:59 a question for you to take away. Are your AI
00:21:59 --> 00:22:03 initiatives creating competitive advantage? And
00:22:03 --> 00:22:06 are they quietly introducing risks that you can't
00:22:06 --> 00:22:10 see yet? Certainly food for thought. Look into
00:22:10 --> 00:22:12 that. Let me know your thoughts, what you found,
00:22:12 --> 00:22:15 what worries you, what excites you, everything
00:22:15 --> 00:22:18 in between. TechTalksNetwork.com. I'd love to
00:22:18 --> 00:22:21 hear from you all. But that is it for today.
00:22:21 --> 00:22:23 So thank you to my guest and even bigger thank
00:22:23 --> 00:22:25 you to each and every one of you for not only
00:22:25 --> 00:22:28 listening, but listening to the end. Thank you.
00:22:28 --> 00:22:30 And I'll be back again real soon.