Who’s responsible when AI starts making mistakes?
Sachin Jain: What people miss is that they feel that they implement something, they define certain policies and controls, and they are done. But they need to continuously improve.
Dustin Childs: Yeah.
Sachin Jain: They need to constantly look at what other technologies they have implemented, how it is evolving, because AI is changing so fast.
Dustin Childs: Right.
Sachin Jain: You cannot deploy control today, and then you can say, oh, we are done. [ Music ]
Johnny Hand: Welcome to the AI Security Brief, where we're unpacking emerging AI threats, vulnerability research, and the strategic decisions security leaders are making right now. I'm Johnny Hand.
Dustin Childs: And I'm Dustin Childs. So back in 1979, an IBM manual stated that a computer can never be held accountable, and therefore a computer can never make a management decision. And that was a reasonable position at the time. But AI agents are making management decisions right now. So the question is, who is actually responsible when something goes wrong?
Johnny Hand: Yeah, and that's exactly what we get into today. So our guest is Sachin Jain. He's the Senior Vice President of Technology at Eventus. He has over two decades of experience spanning both the global CIO role, but also the CISO role. And Sachin has such a great perspective about accountability, and it goes well beyond his CISO desk.
Dustin Childs: Yeah, Sachin also brings practical advice on one of the biggest challenges that security leaders face - learning to talk the board's language. So if you've ever struggled to translate technical risk into budget approval, this conversation is going to resonate. Let's dive in. So, welcome to "The AI Security Brief", the security podcast for leaders who want to anticipate what's coming next. We're excited to have you with us.
Sachin Jain: Yeah, my pleasure.
Johnny Hand: So, Sachin, I have to ask this, because we live in a tech world where security leaders transition every few years, if they make it a few years. And you've demonstrated what I would really consider, like, an extreme tenure in your previous role. You were there for over 20 years, not only as a global CIO, but also in a CISO leadership role in security. So how did you keep your security strategy fresh and avoid that trap of complacency and, like, lull?
Sachin Jain: On the tenure, I think it's been a long journey. And the way it kept me going, I was trying to do everything fresh. I was trying to do a lot of new things. I was trying to do things before it could hit the market. And you could say probably I was more experimental than probably more a practitioner. And that's what kept me going. And my technology role actually helped me a lot in looking at the security role, which eventually complemented. Because I could translate the technological value or outcome into the security, and that was something I was able to translate back to the business. And that kept me going for quite a long time, because there was, like, so much happening. I kept on doing a lot of things, whether it was cloud, virtualization, and adoption of various software as a service applications. And then on top of that, the security, which was actually growing and sort of evolution, I could say, what I've witnessed in terms of basic, like, firewall-based security or endpoint-based security to now a very comprehensive cybersecurity, which is far beyond just the end user and firewall.
Dustin Childs: Yeah, so I know when it comes to AI security, one of the things that we want to talk about today especially is accountability. So you must have had a lot of instances of accountability over your career. How does accountability for you reach into the AI realm?
Sachin Jain: That's where, that's an interesting question. And security is something what I have always maintained, even in my CISO role. It is not just one person or one team who's accountable for security. And CISO can obviously put those guardrails or can create a framework, but it has to be a shared responsibility. It has to be practiced jointly, not just independently as a team. And whatever we protect, whether it's data or machines or, you know, AI, it's all being used by the business. And the end users, for example, AI, they are the one who bring the technology to the enterprise. They are the one who are gaining on the efficiency. They are the one who's utilizing the outcome for their work and to generate revenue. And we as a CISO, we cannot control the outcome alone, because we don't know what is being used today and what will come to the enterprise tomorrow. This technology is changing so fast. Even if I try to put guardrails on maybe 10 AI applications today, AI is everywhere. You talk about any software as a service or any, even for example, CRM application or maybe ITSM tools, everything has AI. You don't know where your data is getting exposed. Unless you have everyone coming together.
Dustin Childs: Okay.
Sachin Jain: Creating a sort of a governing council, then you can probably maybe lead the way, but it has to be practiced jointly.
Johnny Hand: I noticed you said something a few minutes ago when you were talking about that journey. And, like, you said that these leaders, especially technology leaders, they need to be able to speak the business language and understand that. And I know even today, even though we have more integrated leadership roles with CISOs and them having access to the boards and those things, it's still a big challenge that we have with organizations. We have highly technical CISO leadership, and then we have more business-focused. Where in your career did you learn to navigate that, and maybe do you have a couple tips around that? Because wearing that CIO hat and the CISO hat is uniquely different. So I'm just curious how you gained that perspective, and maybe give us some tips around building that business relationship.
Sachin Jain: Absolutely, and it's so funny. When I started having face time with the board, all of my presentations used to have a lot of technical jargon. And I was so fascinated by that. I was hoping that everybody would understand how much work I'm doing and what kind of world I'm living in.
Dustin Childs: Yes.
Sachin Jain: But I was so wrong. And in my first few meetings, I was making, like, a deck of 30, 30, 40 slides. And then I was stopped at, like, one or two slides. And they said, oh, just focus on these two slides. And I realized they are not willing to see more than a couple of slides.
Dustin Childs: Right.
Sachin Jain: Even if I make six slides, they will stop me at one or two slides and keep on asking questions, because they have so many questions and they get very little face time with you. They might be talking to you during some of the review meetings otherwise. But when you are in that boardroom and when you are sort of leading the discussion and it is also leading towards some of the decision making, then you need to be on the spot. You need to learn, first of all, the language your board understands because everybody is different.
Dustin Childs: Right.
Sachin Jain: Some people are, they know a lot about technology. They understand the value that technology can bring. Some people will not understand. And that's the reason, the one thing I could figure out that CISOs or CIOs, they could not get approval on the budget because they could not translate the outcome in the business language.
Dustin Childs: Right. So we've talked about how you talk to the board. I want to talk about how you talk to your own organizations or the organizations that you deal with, and what steps can organizations take to clarify roles and responsibility for AI risk? Again, going back to this accountability thought. I mean, so tabletop exercises, real-life scenario planning, what do you do to get the organization together and understand where that accountability in AI comes from?
Sachin Jain: Yeah, no, that's an interesting point. And I think, as I said, accountability cannot lie just in just one function or one person.
Dustin Childs: Right.
Sachin Jain: And when you try to put the governance framework around it, you really need to understand what are those, I can define maybe more as pillars or maybe key points in that framework. One is very important is the visibility. A lot of organizations do not have the visibility as of today. They do not know what is being used. Even if they try to create an inventory today of let's say 10 tools, they don't know tomorrow they will have another 10 tools and how do you discover that?
Dustin Childs: Right.
Sachin Jain: And that's, the visibility part is very, very important, visibility discovery. Then second is whatever guardrails you're trying to put, whatever maybe policies, access control, you need to identify that. How do you do that without really becoming a barrier, without really creating a roadblock? Third is that governance council. How do you tell people that, how do you basically create the responsibility metrics, and how do you communicate that in the organization? And over the period of time, I've also realized that communication is actually very, very important.
Dustin Childs: Right.
Sachin Jain: You can create a responsibility matrix. You can sort of distribute that in the organization and tell everybody, okay, look, you carry this additional responsibility. And that person can say, oh, why is this coming to me? I already have a full-time job. I'm already spending more than 100% time in my current work. I'm not putting additional workload on me. But you need to, one, you need to define responsibility, and second, you need to communicate that very well, which becomes an essential part of their day-to-day work. It should not sound like an additional responsibility. It's like an enabler. Whatever work they're doing, it enables them to do that work faster and secure.
Dustin Childs: Okay.
Sachin Jain: And the other part is the continuous improvement. What people miss is that they feel that they implement something, they define certain policies and controls, and they are done. But they need to continuously improve.
Dustin Childs: Yeah.
Sachin Jain: They need to constantly look at what other technologies they have implemented, how it is evolving. Because AI is changing so fast.
Dustin Childs: Right.
Sachin Jain: You cannot deploy control today, and then you can say, oh, we are done.
Johnny Hand: One great thing, and it's such an interesting thing because you're talking about, like, those additional roles. And I think we've all been in that experience where we take on sometimes more or we always take on more when we feel like we can't take on more. And sometimes you wonder about that. There is a challenge, though, because we talked about you mentioned how the board and those executive leaders in an organization can be influenced by their peers. And sometimes that drives an organization to change what they're doing or maybe surprise you, like you said. And I feel like that's exactly what's happening with AI adoption, because it's creating a fever storm of people needing to figure out how to adopt because everyone else is adopting it. And what are you seeing in your leadership role now with the MSP? Is that driving that fever storm for you? And what does that look like?
Sachin Jain: Oh, absolutely. This is something, as you rightly said, it is coming as a storm. And everybody wants to see how they actually ride along, and they do not get uprooted or disrupted just because of this wave. And even in the MSP business, it is going to disrupt big time. And we use AI a lot, but we need to probably figure out what is the next step and what is the next wave we need to really figure out. Because in security, as you can imagine, there's a huge amount of data which all the security analysts have to analyze. Even a threat researcher, he or she has to look at, like, a huge amount of data. And it's humanly impossible to analyze so much data. I was reading an article that, you know, because of AI, the time which an attacker used to spend to infiltrate in an organization has gone down significantly. It is now less than half an hour. And if you're talking about less than half an hour, that is the time you have as a defender to detect and respond. And it's humanly impossible if you want to do that. You need to be, one, you need to create your strategy, which should be much faster than the attacker can come inside. And then secondly, you also need to be constantly looking at the ways that how you can be ahead of attackers and how your strategy can help you prevent, like, multiple doors. For an attacker, it's just one door they need to get in. But for a defender, it can be multiple doors. It can be, like, hundreds and thousands of doors across the globe. And how do you basically create a strategy which is further ahead? And AI is the only thing which can help you analyze, sort of do triaging, do, like, correlation, analyzing, removing, looking at some of the historical patterns. Looking at some of those maybe the forecast, the predictive side of it.
Dustin Childs: Right. I want to go back to something you said earlier, because I want to make sure I understood it correctly, because I've been through these things before. There used to be this concept of shadow IT, and now you're saying there's a concept of shadow AI, where there's AI agents that you just don't know about. Is that, are you seeing that as a problem in organizations?
Sachin Jain: Absolutely. I think it's knowingly or unknowingly. It happens both ways. And when I say knowingly, knowingly it happens when you try to be very restrictive. You try to create a friction within the company, and then people find ways to, they know, they challenge you. They know that you have created some restrictive layer around me. I'll show you how I get out of that layer and how I can be more successful. Because they have to use it, whether you block it or you allow it. And the other challenge is, a lot of companies I was talking to, they even don't know whether people are using corporate credentials or personal credentials with some of those AI tools. And so they don't know what to protect, how to protect.
Dustin Childs: Okay.
Sachin Jain: And even if they're not, even if they're putting, let's say, guardrails or not putting guardrails, even if they're fine with all this technology or maybe tools being used within the organization, there is so much happening in the world. As I was mentioning, there are 10 tools now. Tomorrow there can be, let's say, 100 tools. And when I say tomorrow, it's literally, like, maybe a week or maybe next month, you will see. Earlier we used to talk about if something is evolving, probably it will take maybe three months or a year. The cycle time of some changes, even if we talk about cloud, when we started talking about cloud, the cloud evolution, if you see, it has taken some time. The AI evolution is very, very fast.
Dustin Childs: Right.
Sachin Jain: And you have to understand that how do you create an environment or a culture within the organization, along with all those policies and guardrails, which allow a sort of inclusive environment and creates that culture. That everybody understands the responsibility and everybody understands the importance of using AI, or the responsible behavior towards AI. That what is acceptable? What is not acceptable? And create that sense of accountability and responsibility within every person. Because you can't stop shadow IT, or shadow AI, for that matter. But you can create a culture so that people understand that even if they are doing something, they have the backing of the security function. They do not see them as somebody who's trying to block, but somebody who's going to allow, but with enough guardrails around it so that you cannot slip around.
Johnny Hand: It's interesting because we talk about the speed and pace of AI innovation, and we're clearly seeing that. And you've certainly mentioned that you're seeing it with your customers. There's a large appetite for adoption. But we fall back into the same, really, need around governance, accountability, and also that visibility piece. And so I love that you, in the age of this adoption, you still kind of pull back to those foundational aspects that probably were the same 20 years ago, would you agree with that?
Sachin Jain: Well, exactly. I think this was very interesting. I was talking about this yesterday and we were talking about some sandwich experience. And it is like ordering a sandwich and it's the same wrapper, but with different ingredients, different recipe. And when I say same wrapper, I think we talk about same organization, same data exposure. I think the threat is still the same. People are trying to protect the data. And they need to figure out how to basically put the guardrails around it so that they're constantly protected while the world is constantly evolving.
Johnny Hand: So, Sachin, you have such amazing experience speaking that language of the board and being able to make that transition that so many security leaders honestly really struggle with, being able to have a sound voice inside the board. What are some of the, like, what are three good takeaways for those up-and-coming security leaders that are going to navigate that water? How do they bring that value to the board?
Sachin Jain: That's a very good point. If I try to define these three key takeaways, one is be the experimenter. Be the person who can experiment with the technology, with the kind of wave you go through, the kind of security controls you need to build around. And second, you need to be an effective communicator. And you have to communicate a lot within the organization with your businesses, and then translate it back to the board. That has to be the second key point. And third is never try to be very instinctive, because it happens. I think it's because of maybe our muscle memory, that whenever we try to resonate or maybe whenever you try to see something new, it creates a sort of friction in our mind. And we say, oh, the first reaction is block it, restrict it, or maybe we'll think about it later. We will create a strategy. But in the security world, there is no time to think. You have to see it first, you have to react to it first.
Dustin Childs: Well, Sachin, thanks for the great conversation today. It's so important for leadership teams to be making decisions on AI today. We can't wait to have you join us again on the show.
Sachin Jain: Thank you. [ Music ]
Johnny Hand: Sachin's framework is practical. Visibility, guardrails, communication. That's three ways security won't slow you down. It's what lets you go fast safely.
Dustin Childs: Yeah, I really agree. And for me, that real important takeaway is simple. If you're a CISO that's fighting this alone, you have already lost. So you have to get in the room with engineering, with legal, with business teams before they come to you.
Johnny Hand: Exactly. That's how you build a framework that actually holds. A huge thank you to Sachin Jain for joining us today and sharing the kind of hard-won perspective that only comes from two decades in the seat. To connect with Sachin, see our show notes for links on how to find him on LinkedIn and to learn about Eventus security.
Dustin Childs: And that does it for another episode of "The AI Security Brief". We really want to thank you for joining us and we hope this conversation has you thinking differently about security. And if it does, consider subscribing so you don't miss what's next.
Johnny Hand: "The AI Security Brief" is mixed and produced by Elliott Peltzman with original music by Omnia Jinx. Our executive producer is Jennifer Eiben, with content strategy by Ma'ayan Plaut, Shannon Murphy, and Melanie Galant. Additional production help by Liz Stokes. Video and editing by Sarelle Joppy and Brigitte Criqui Wild.
Dustin Childs: Thanks so much for listening and we'll see you next time on "The AI Security Brief". [ Music ]