CISO Perspectives (Pro) 12.16.25
Ep 152 | 12.16.25

Season finale: Leading security in a brave new world.

Transcript

Ethan Cook: Welcome to the season finale of "CISO Perspectives." I'm Ethan Cook and for today's episode I sit down with the show's host Kim Jones to reflect on this season's conversations. Over the past season, we've dived into some complex and pressing conversations. Whether they were looking at what is looming on the horizon or challenges that are already taxing us today, these are the realities that we as an industry need to stay on top of. [ Music ]

Kim Jones: We've had an interesting series of guests talking about interesting topics and bringing some interesting perspectives. This has been really lots of fun as we've been able to deep dive into some of these issues as we go. Yes.

 

Ethan Cook: Yes, I, you know, reflecting back on the past couple episodes, I think there have been some interesting conversations, both about technologies that are already here, technologies that are coming down the pipeline, as well as the really interesting different viewpoint on this ecosystem and how businesses look at it from a non-security perspective on why certain groups fail, why certain ones are successful and how we can really evolve that and I think take some of those lessons into our operations. So, let's start with the first conversations and go back to the AI. We met with -- we had two different episodes and we talked about both AI's implementations from a security perspective as well as kind of this promise that AI holds. You know, what -- it -- it can do all these things and, you know, you look around and there is 40 million AI startups, it feels like every other week, that have all emerged from stealth and they're all going to do -- change the world. So, I think, you know, before we dive into both episodes and kind of dive into the specifics, I would love to take a step back and look at, you know, what are your thoughts on this AI culture, you know, especially as it's continued to evolve over just this year alone?

 

Kim Jones: Wow. Yes, there -- there's a loaded question.

 

Ethan Cook: I wouldn't have asked it if I didn't want it.

 

Kim Jones: Yes. Yes. So, you know, it -- it's -- it almost seems today that if you are a naysayer regarding AI, you're treated as a Luddite or an ignoramus within the environment. And I don't consider myself to be either of those things, but I've been around long enough to see a lot of ready, fire, aim happen within technology. And what I do not believe we are effectively doing is recognizing the potential challenges and problems that exist out there because we are all leaping to, "It has to be AI. It has to be AI. It has to be AI," without understanding the potential ramifications, the potential threats that exist out there within the environment. AI can do some great and wonderful things. The problem is several-fold. One, as we test the limits, note the big air quotes, of what AI can do, we're deploying AI in means that are probably either overextending or increasing risk within the environment. And two, we are operating and being encouraged to operate in a model that says AI should be trusted within the environment. It's -- I'll use Google as an example or any major search engine as an example. One of the challenges we have with protecting data is when you go to protect data, you have two options. You either build Fort Knox, or you convince people that the data that they're surrendering isn't worth as much as the service they're getting. Google took Option Two and said, "Hey, you know, Gmail, Google -- you know, Google Utilities, etcetera, Google search engine, all of this data itself is meaningless. Just give it to us. We'll be fine." And they're using that to market to us, sell to us, sell our data, etcetera, where we've become the product within the environment. Now, as of October, we have all agreed, if you haven't done the formal opt out, that Google can then utilize this data to train AI tools and -- and large language models.
You know, that was one of these changes within the terms and services that if you didn't do it by Halloween, trick or treat, you've agreed to do this if you're using any Google products within the environment. The analytical power and the intelligence that can be derived from that is potentially massive. Yet we have freely surrendered that data for the ability to have a quote-unquote "free email address" or a quote-unquote "free word processor," or quote-unquote "free cloud storage" within the environment. I think we're seeing similar habits or traits erupt with AI, within the environment. And everybody is focused on, "We need to do this quickly to try and stay ahead." And in doing so, we're squashing and not paying attention to the potential threats that are out there, the potential risks that are out there. And my concern is that these things will erupt bigger -- with a bigger blast radius when it's too late, as Silicon Valley and other organizations attempt to push AI without looking at all of the ramifications that are associated with it. So, I -- I think AI is a great tool. I think used properly, AI can be, you know, absolutely meaningful, helpful and raise the bar. I think we're racing towards chaos and disaster. I actually read a research paper and I'm going to have to dig out to find it, saying that if, you know, garbage in, garbage out. If AI takes in data that's inaccurate and tries to synthesize that to do certain things, and then agentic AI then utilizes that data to build on its own algorithms and its own code, and then the cycle continues --

 

Ethan Cook: The data poisoning is crazy.

 

Kim Jones: -- and -- and frankly, we're building crap is what it amounts --

 

Ethan Cook: Yes.

 

Kim Jones: -- to. And we're heading down a path where that possibility exists. Nobody's talking about it --

 

Ethan Cook: Yes.

 

Kim Jones: -- because everyone sees the potential. Nobody sees the potential harm. And those that do, are being labeled as tinfoil hat-wearing idiots within the environment. So, my concern here is not that we've leapt on the AI bandwagon, but that we have done it haphazardly as usual. And I -- I -- I think the light at the end of the tunnel may be a train, if we're not careful.

 

Ethan Cook: Yes. So, you know, I -- I agree with you on that perspective, that it is -- there are, "Well, it can do a lot of great things." There are massive, massive caveats that need to be considered.

 

Kim Jones: Yes.

 

Ethan Cook: But I think there is this concern. I was at a panel, like a couple weeks ago and this came up, which is one of the people were talking and they said, "The reality is, is that shadow AI is a thing. If you don't get ahead of it, your employees are absolutely going to be using it with or without your approval, because that's just the nature."

 

Kim Jones: So -- so -- so, let's be clear. Who here thinks they're ahead of it? And if you're already behind --

 

Ethan Cook: Absolutely.

 

Kim Jones: -- who here thinks you're going to get ahead within the environment?

 

Ethan Cook: But I think the -- I think -- I agree with that. I think it's evolving at such a pace that you can't truly get ahead of it, but I think there's a difference between getting ahead of it, like quote-unquote, "Actually being ahead of it, properly managing it and trying to take at least some proactive measures to control maybe what AI goes out." You -- you met with Ben Yelin earlier this year.

 

Kim Jones: Yes.

 

Ethan Cook: And actually he and I had a great conversation about how UMD, the school that he works for, has an AI program that is controlled and it is heavily built up and it is heavily monitored about what data can go in, who can log in to use it, it is vetted, etcetera. And I don't think that obviously that is a perfect solution. I'm sure -- I don't know the solution to that myself, but the aspect of attempting to just not have a gung ho, people just putting in and just going crazy with it.

 

Kim Jones: Yes. And I -- and I have no problem because again, AI is not the Antichrist. AI is not skydiving.

 

Ethan Cook: Yes.

 

Kim Jones: And, you know, we have to figure out how to adopt the tool. So, coming up with a structured formal plan in terms of how to adopt for utilize -- utilization of AI in your environment makes sense. Trying to, you know, from storage, from Q and A, etcetera, that is a different animal than turning over all of your Tier One SOC analyst work to agentic AI.

 

Ethan Cook: Yes. No, very [inaudible 00:08:59].

 

Kim Jones: That is a different animal from what Shop [phonetic] has done is entered AI within their employment chart and started asking questions of interviewees as to, "What can you do that AI can't? Why should I hire you?"

 

Ethan Cook: Yes.

 

Kim Jones: Those are very different approaches. So --

 

Ethan Cook: I agree.

 

Kim Jones: -- making sure -- yes. So, what you're talking about makes perfect sense. But think about the things that I've just mentioned and that's going on now and continues to do so. And --

 

Ethan Cook: Yes.

 

Kim Jones: -- you know, transitioning a little bit to some of the conversations we've had.

 

Ethan Cook: Yes.

 

Kim Jones: You know, both of the individuals who I had conversations with are former colleagues, and I consider them both very, very dear friends. But, you know, I -- I will go back to the conversation I had with Tony Yota [phonetic] --

 

Ethan Cook: Yes.

 

Kim Jones: -- who you know is -- Tony is a serial entrepreneur. He -- you know, he's an innovator. And part of the challenge I have with Tony in some cases, because I -- I brought him because I am the operator and have to operationalize his, you know, his wild ideas on some occasions is to say, "Tony, you're an evangelist. You're evangelizing. And I have no problem with evangelizing, but I have to implement what you evangelize in the environment." And Tony's solution to that was to evangelize for the entire podcast, which is cool because it was very helpful. You know, "Sorry, Tony, I got to give you -- I got to give you shade because it's us and we do this." Was helpful, but that's what's happening in the environment. I have great people who are evangelizing and telling me what's going to go wrong if we don't adopt now, but these same people aren't contributing to the solution and they'd rather ignore it. And then when the, excuse my language, when the shit hits the fan, the rest of us have to clean up. And these evangelists have gone on, in some cases have taken their cash and gone on, while the rest of us are cleaning up the mess. That's my concern.

 

Ethan Cook: It feels like, to your point in the market right now, not just within, you know, the broader market, but really within cyber, where if you don't see on a cyber page AI somewhere, you are losing the race because --

 

Kim Jones: Yes.

 

Ethan Cook: -- everyone is looking for the next solution that's going to revolutionize it. And that's why we talk about there's an AI bubble in general, right? Because everyone has it. It's all perfect. It's all going to change the world. And -- and reality is that most of these companies are not going to be successful and most of them are going to get either -- are going to fail or they're going to get swallowed up. Right?

 

Kim Jones: No, I agree with you completely. People are throwing spaghetti on the wall to see what sticks, and it will be a very small fraction who do within the environment and what that uniqueness looks like within the environment and where the need is within the environment. And right now, the technology is so new that I think everyone is throwing down and saying, "Well, maybe it can do this and maybe it could do this, and we're just trying it in different places." But it gets back to that old adage, "Just because you can, doesn't mean you should."

 

Ethan Cook: So --

 

Kim Jones: And we need to understand the differences between the two. And we haven't drawn those lines because we're all saying, "If you don't try it, we are behind." That sense of where we have to catch up.

 

Ethan Cook: Yes.

 

Kim Jones: We are behind. So, we're trying everything, not understanding the nature of the problems we may be creating.

 

Ethan Cook: So, let's, you know, let's take that back, you know, for the -- the listeners who, you know, either are aspiring or are current CISOs, etcetera, or leaders within the space. What do you do when you get tasked with this? Because oftentimes these things get -- they are above your pay grade of whether they get put in or not. To your point about Tony, this is what we're going to do and you kind of have to deal with it, right? And what do you do? How do you manage that? What are the steps that people can take to implement security measures or as attempt to make it as secure as possible without having a -- even if they don't have the option to outright refuse or say, "Well, maybe let's pump the brakes."

 

Kim Jones: So, I -- I go back. I'll -- I'll give this specific example, and that's our other guest on AI, Eric Naugle [phonetic]. In terms of what Eric's role was, and, you know, I think we mentioned it during the episode, you know, Eric is a recovering CISO like myself. He was on staff at Intuit like I was. I think he's actually just moved on to be an advisor for an AI startup, if I remember correctly, within recent weeks --

 

Ethan Cook: They're all joining.

 

Kim Jones: -- as a matter of fact. Yes, they're all being stimulated. But Eric is also, you know, a patent attorney because it's the California bar. When he went to grad school, he went to law school. So, having someone understand both the legal ramifications, the risk and the technology, etcetera, allowed him to put in governance models and reasonable controls and reasonable guardrails around what Intuit was doing within AI. And we were -- we're doing some innovative stuff with -- within the environment. So, what I would say here is for people who are being tasked to put this in is to say, "Okay, what is the end outcome and the desired outcome that you're looking for within the environment? What is the risk you're willing to accept within the environment?" And part of that means we need to understand the technology, the potential risks that are out there with the technology and communicate those accordingly. And then once we understand and have communicated those, and there's an organizational desire to accept those things within the environment, we now need to put in appropriate guardrails to make sure that risk stays in. In other words, we have to do our job, because I could have said this about cloud. I could have said this about wireless. I could have said this about outsourcing. I could have said this about off -- off -- offshoring. This is the same thing we do with any other massive place in technology. The challenge that we have is we're now being placed even more in a position because of an artificial sense of urgency that if we slow down enough to do this, we're standing in the way.

 

Ethan Cook: Yes.

 

Kim Jones: But guys, this is the same challenge we've been facing for decades within the environment, just faster. Yes, stand your ground. You're going to have to. This is a case where, and I've had conversations on this podcast before about professionalism versus careerism, etcetera. This is the case where professionalism has to win, even at the expense of careerism. You know what you need to do. You know what you need to understand. Don't ignore it. Educate yourself. Make sure you're educating your constituents out there and do the job we're being paid for.

 

Ethan Cook: Yes.

 

Kim Jones: It -- it -- it real -- the "how" can be more complex. We understand that. I'm not downplaying the how within organizations, cultures, etcetera. But the "what" guys, we have been doing since networking existed. This is what we've been paid to do for decades.

 

Ethan Cook: So, let's take that same conversation and apply it to a different conversation that we had about technology and something that is, you know, you talk about how we've had the same approach over the past, I don't know, decade with different technologies, whether it be cloud, etc. AI is the current one, but the thing that has been promised as coming every five years for the better part of 20 years --

 

Kim Jones: I know where this is going.

 

Ethan Cook: -- is quantum. The next, I think, hot button word. You know, theoretically, it's here or it's going to be here. You know, I've heard that since I was in high school. So, you know.

 

Kim Jones: Yes.

 

Ethan Cook: Sure, I, you know, I think we all make that joke, but I think it's starting to become very real now that you have government organizations putting out recommendations, putting out requirements for timelines, etcetera. And I think that that is kind of the momentum shifter where it's like, "Okay, this may actually be a reality, not something that's a promise."

 

Kim Jones: Yes. Quantum computers exist now and they exist beyond just academia --

 

Ethan Cook: Yes.

 

Kim Jones: -- within the environment. Are you going to go down to your local Best Buy and buy one within the next year to four years? Probably not. Definitely not within the next year to two, but in the next year to four years? Probably not. But there are impacts of quantum becoming more commercially available, even to larger organizations within the environment.

 

Ethan Cook: Yes.

 

Kim Jones: And we talk about that with Michael Santilli, who is the CISO of Quantinium [phonetic], if I'm pronouncing -- Quantilium [phonetic], I apologize. You know, in -- in the environment and some of the things to do, but, you know, the big things for me as I look at the new tech, also start with basics. Part of basics is asset analysis. Any good CISO who wants to defend, needs to know what their assets are. In the case of quantum, what are your quantum vulnerable assets? And we talked about this, you know, in -- during a, you know, in the essay leading up to that episode. In terms of what systems are using pre-quantum encryption algorithms? Where are those keys stored? Are -- is the encryption baked into the actual application or, you know, into the system? You know, what's the ability to disentangle that within the environment? And just right now be aware and build awareness. Be aware of the different quantum standards that are out there and build awareness that this is what quantum means within the environment. And it's not tomorrow, but it's not a decade out either. And that's all we can really do right now on that space, Ethan. And there's nothing wrong with understanding that quant -- those quantum vulnerable assets and migrating even, you know, as much as possible to quantum assured encryption algorithm -- algorithms out there. If I can begin to do that now, we won't be in the scramble because remember what happened with Gen AI.

 

Ethan Cook: Yes.

 

Kim Jones: It's coming, it's coming. Holy [inaudible 00:18:39], it's here.

 

Ethan Cook: Yes.

 

Kim Jones: And there's a lot of scramble. If we begin to take that level of approach now, we won't see that scramble when the time comes.

 

Ethan Cook: And do you think there is some concern that, I mean, it's something that I've been wondering that, you know, obviously everyone's so caught up in Gen AI, some of it's catching up to your point of being like "Oh, we didn't think it was here and suddenly it's here. We need to get ahead of this now. Like get onto it now, now, now, now, now," etcetera. That quantum isn't getting probably the attention it deserves for the impact that it's going to have, especially on security in terms of encryption, stored data, PII, etcetera, that the attention that is being gobbled up, so to speak, by AI, GenAI, etcetera, is that going to detract here?

 

Kim Jones: I don't think so. I don't think so. Think about this for a second. AI's impact was B to C.

 

Ethan Cook: Yes.

 

Kim Jones: Okay? Quantum's impact will initially be B to B. It will allow things within large enterprises to work differently, smarter or faster, etcetera, within the environment. Your mom-and-pop store is not going to right away, I don't think -- I don't think within the next five to ten years have a quantum laptop on their desk.

 

Ethan Cook: Yes.

 

Kim Jones: Or --

 

Ethan Cook: Very fair.

 

Kim Jones: -- facing in any -- in that environment. Their impact is going to be a change of the underlying encryption software that exists on it. "You need to upgrade your laptop because your laptop can't handle, you know, the quantum sort of encryption software." I think we're going to see that level of change down to the individual consumer. But the impact of AI and the scramble, in my opinion, and I've got the business acumen of a fiddler crab, is because it went directly to the consumer and now we're all responding as to how do we build upon that momentum that exists within the consumer? I don't think quantum is going to have that level of consumer-based impact versus business-based impact. And it will start with large-scale enterprises who are doing research or product development. And I'm -- I'm totally riffing here. So, if this comes true, you heard it here first. I -- I -- I could see large pharmaceutical companies using it for --

 

Ethan Cook: Date and time it.

 

Kim Jones: -- for -- for research. I -- I could see companies that do massive amounts of data analytics, the alphabets of the world, etcetera, utilizing quantum-based computing to speed up their processes as well within the environment. That combined with AI engines, you know, can present a lot of opportunity. Speaking of opportunities, I can see a lot of nation states utilizing AI engines and quantum computing within the background to glean different pieces of intelligence and do levels of predictive analysis within the environment. I see those being the first big markets before quantum commercializes within the environment. That -- it's for that very reason that we are, you know, there are folks that are pushing back on the concern regarding the encryption algorithms, a la harvest now, decrypt later because there's a belief that look, the large -- Google doesn't necessarily have an incentive to try and break your encryption. You know? Apple doesn't necessarily have an incentive to try and break your encryption. It's not the first thing they're going to do with the quantum computer. And Google and Apple and Meta are going to be probably the first big buyers of the -- the big quantum computers if they have not done so already.

 

Ethan Cook: Yes.

 

Kim Jones: So, I don't see quantum be -- quantum got pushed to the back burner because a new shiny toy and widget got marketed to the average consumer and now everyone's jumping on that bandwagon. I don't think it's changed the trajectory of quantum, and I don't think it will cause quantum to be downplayed. I think quantum has always been downplayed because the question we've been asking is how it's going to impact my day to day, my week to week, my month to month? And other than encryption, I don't see that answer yet, again other than what Michael, you know, and what Michael discussed and he knew -- what we're talking about is in line with a lot of what he said. [ Music ]

 

Ethan Cook: Yes. So, to pivot to the -- the last episode of the season, because we talk about businesses that are here now, a technology that's here now and the marketing that's going on with it and technology that is coming. And in the last episode you met with John from --

 

Kim Jones: Yes.

 

Ethan Cook: -- Data Tribe and you guys talked about --

 

Kim Jones: It was a fun conversation.

 

Ethan Cook: It was a very great conversation. I -- I highly implore people to go listen to it because it shines a light on the business side of cyber and tech that many don't consider. And I think in previous conversations, you've alluded to this, which is obviously there has to be caveats but you know, we have to -- the goal is to make as secure infrastructure as possible. The goal is to get technology that isn't just, I think the way you would describe as window tinting and not, you know, and is actually changing what we're doing and making it better, right? And I think you know, he shined a light on this perspective which is sometimes it's not even, "Oh, let's keep the money in the house and do these small little incremental upgrades." There's other issues with trying to gain these companies funding. That's -- it has nothing to do with that at times.

 

Kim Jones: Yes. And it's interesting because those of us who are sitting in the trenches, we talk about the goal being there to make the environment as secure as possible. One of the things I teach, when I teach SANS, is to do so in a way that allows the business to operate and generate revenue and advance a strategy within the environment. And when I say that to a group of technologists, I look at those who push back and say, "Question, do you work for free? Do you work for free? Would you work as hard as you do right now when I pay you no money?" All of you, all of us want to generate revenue. I generate revenue by going to work every day and doing the things that I'm doing in the environment. So, us securing the environment to a point where the business fails is a gesture in stupidity. And we need to change that perspective. What I liked about my conversation with John was it was a reminder of the need to change that perspective. In many cases, it's not that VC folks aren't listening. It's not that private equity folks aren't listening. And it's not that they don't care. It's how we balance out the need for us to adopt, you know, you know, to solve the problem in a way that will allow those investors who are investing not small dollars, to generate revenue and some basis of return and balancing that collectively across the board. In the essay that I intro this one, that -- that episode with, I talk about the use case where a technology that would have solved, genuinely solved a lot of the identity problems we're trying to solve right now, was put in front of a VC firm X number of years ago and was rejected because he was told it would drive the rest of the portfolio out of business. You know, while that does not feel good, as someone who's trying to solve an identity problem and watching companies almost ten years ago try and solve the same problem with inferior technologies out there, it was not an unreasonable stance to take.
Why adopt something that's going to cause 50% of my portfolio to go away? It doesn't make that individual evil, though they were kind of rude about how they did it, and it doesn't make them unreasonable in terms of what they did within the environment. And John gave some good insight into how VCs, you know, pick different, look at different startups, look at the problem and some of the things that they're doing to try and close the gap between, you know, the needs of me, the operator and the needs of them, the investor. There were two things that he mentioned during that that I want to re-emphasize here. One is their time horizon. I -- I mentioned during the episode that I genuinely believe that there are just not enough truly strategic CISOs out there who are thinking about the problem strategically. And I spend a lot of time on these shows and when I teach SANS to try and elevate thinking to truly strategic thinking. The strategic thinking tends to at the best case go five years out. Usually, it's one to three. Some cases it's one to four, one to five years out. In some cases, VCs are looking at time horizons beyond the strategic window. So, truly beginning to stretch the thinking within the cone of plausibility beyond your initial strategic window is hard even for the best strategic CISOs. But the other thing that he mentioned that we need to do more of is if we are going to complain that we're not seeing investment in those companies that meet our needs, we have to show up and communicate those needs to venture capitalists and things like you know, the advisory boards, or the dinners, or the calls, etcetera, or how we do that. So, when we choose not to do that, we take away an opportunity for someone who is asking our opinion to get that opinion and insight so that they can make better decisions. In other words, if we want to solve the problem, we got to show up. And we don't do that as well as we should.

 

Ethan Cook: And I think there's a -- an argument to be made there that yes, like that, I don't want to say the word politicking, but -- or maybe networking, that aspect of having those conversations, some of them may not be fruitful and that can be both discouraging and frustrating. But I think it is valuable because even if only one or two or a handful of them do bear fruit, that does lead to an eventual better market position for you as a leader to buy better security products, actually have impact on what you're trying to do. And I thought it was very interesting from John's conversation with you that you know, another challenge that he saw was entrepreneurs who don't really want to commit to being a full-time entrepreneur. Maybe they --

 

Kim Jones: Yes.

 

Ethan Cook: -- are professors. Maybe they are semi-retired. Maybe -- you could be many other things. Maybe they have -- they're multi entrepreneurs. They have multiple ideas. And the aspect that while the idea may be really good or the product may be very good, there's a risk element that VCs take on and that's a --

 

Kim Jones: Yes.

 

Ethan Cook: -- a reality.

 

Kim Jones: If I'm going to ask you for a seven-digit figure to help fund my new idea, I want to know that you're as committed as that seven digit figure.

 

Ethan Cook: Yes.

 

Kim Jones: And that's not a part-time commitment. And that can be difficult. I -- I've run into, you know, Arizona State also has an incubation model where one of our professors, former military guy, actually, was developing a product in-house, but didn't want to give up his teaching assignment. So, figuring out how to do both of those was very, very difficult.

 

Ethan Cook: Yes. It's something that makes sense as a challenge, but nothing that I would normally have considered because my thought process was from the VC side. If someone is looking for money, they're all in. They're -- they're ready to go. They're not looking to buy and sell off or just be half-ended. I always thought it was, "Okay, we're going VC. Let's, you know, get everyone involved on this."

 

Kim Jones: Yes. And it -- it gets really interesting because there's that balance between that and putting food on the table. I -- I had mentioned after the show, you know, my -- my time with -- working with Jack Jones, who was -- founded the FAIR Institute and built and created the FAIR model. I met Jack at the time, you know, he was working with that model, but he was also working as a CISO for a Midwestern bank at the time because he had to keep food on the table while he was developing the company that was deploying, you know, you know, the model, at the time. So, balancing those two can be difficult.

 

Ethan Cook: So, taking a step back, because while we did this reflection on the past couple episodes, I'd like to put it into picture for the whole season, because throughout this season, we've had fantastic conversations about emerging technologies. We've had fantastic conversations about hard realities. We've had fantastic conversations about existing blind spots that could get worse if they're not addressed. And I think when you sit back and you look at this entire season, how do you feel about this, you know, brave new world? This, you know, this word, this phrase that we've been talking about -- about the -- what are the major challenges that you're seeing from a business side and from a security leader side, as well as what are the biggest opportunities that you think are emerging out there?

Kim Jones: Great question. So first, as a recap, because we've only used it a couple of cases throughout the -- the season, the tagline internally for this season was brave new world. Now, I -- I use leading into the season, "Congratulations, you're a CISO. Now what?" What are some of the things that you are facing, you know, beyond, you know, beyond just the tech stack and beyond just the -- the incident of the month or beyond just the new legislation that you need to be aware of? So, what I hope this did this entire season was allowed us to deep dive into some issues like identity and like fraud and like a regulatory landscape and AI and quantum, etcetera, to provide that education for even current CISOs who may not have had, you know, we know what our day is like, that don't necessarily have the opportunity to deep dive, to begin to have those conversations and begin to get a little education on that as we put the pieces -- as we put the pieces together within the environment. So, that was the intention of the season. As we are now looking at wrapping up the season, in terms of where my head is at, I see every CISO is an optimist and I -- I genuinely believe that because every day you look at ten quintillion different ways that things can go wrong and you get an under-funded, very tired, not enough sleep, etcetera and you get up and go stand in the gap and say, "Yes, we can take them." And you go ahead, you know? And -- and then you get up, you know, battered and bruised and do the same damn thing the next day. So, every CISO, in my opinion, is a consummate optimist. And as a former CISO, I'm still an optimist. I believe that the world is a little better, you know, because, you know, we stand in the gap, lying shoulder to shoulder, you know, you know, trying to beat back the bad guys. So, on the positive side, I believe in the opportunities. I believe in the value of the technology. I believe we are going to see some great things out of AI.
I believe we're going to see some great things out of quantum. I believe that technologies are going to continue to evolve to beat back fraud better than we have before. But I also believe that I'm not going to lack for work while that is going on, to be brutally honest with you. But the other thing that I would emphasize that is a cause for not pessimism or skepticism, but concern is I believe we are losing sight of the fundamentals. I believe that, and this is an education problem, it's a critical thinking problem, it's also a cyber problem. I think the disconnect that exists between old farts like myself and people we're hiring is what we're not necessarily seeing are the critical thinking skills. As it becomes easier as I hold up my iPhone, for us to, you know, get everything we need by Googling on the iPhone and now by using ChatGPT on the iPhone, we are depending upon external sources for answers as to what went wrong and have to understand much less about the underlying pieces and parts of the systems that have caught, you know, in the environment to cause the problem. And that's a concern within cyber. I was talking to my class that that -- that I teach at Berkeley. About half of one of my sections are computer science majors. So, I said, "Okay, you know, there are six of you that are computer science majors. How many of you had to take a basic assembler course, you know, within college?" And four of them put their hands down. You know, if you don't understand the basic fundamentals of how the system works, your ability to effectively secure it will be limited. And as tools make it easier for us to get answers, ChatGPT, anyone, you know, just spit out at us if we frame the right question in, our need to understand those pieces and parts will continue to diminish. I mean I'm going to be old again. I'm old enough to remember when things called script kiddies didn't exist.
If you wanted to hack, you damn sure better know the code versus having an account to pay somebody some bitcoin to send you a piece of code to hack my environment. So, what, you know, script kiddie is a real thing right now within the environment. So, you know, our continuing diminishment of the need to understand how things work as the technology becomes more capable of doing things, I believe is going to represent a significant challenge within the next ten years of our ability to secure the environment. Now, you add that to the conversation you and I had about AI continuing to produce bad code based upon bad code based upon bad data, we're going to see an increase in potential vulnerability, an increase in potential blast radius, and about the same time we have a decreased ability to understand truly what's going on in the environment. So, all I will say is this is a good time for me to think about retiring, but there's a good chance like for the last two times I ain't going to be able to because someone's going to tap me on the shoulder and say, "We need one more person with his sword and shield standing in the gap." Because I think that gap will be bigger unless we solve those problems. Part of that is educational, part of that is the education system figuring out what the requirements are for a good cyber professional. A goodly portion of that is the profession because we still haven't figured out what the requirements are in the environment. Part of that is our ability to give back, because there aren't enough of us who are whining and complaining about the lack of talented skill that we see coming out of various systems who are stepping up in doing anything about it except whining and complaining. So, we need to show up, tell people what we want and participate in the process rather than just complain and watch things continue to fall by the wayside. So, I am still very positive. I am still very optimistic. But I see that problem cresting the horizon.
I hope and pray. You know, like the old -- the old show, "Monk." You know, the theme song. "I may be wrong now, but I don't think so."

Ethan Cook: Well, Kim, I thank you for your time today to take a step back and reflect on the conversations we've had, not just over the past couple episodes, but this season in general. It's been different from the last one, but I think just as equally valuable and insightful. So, I appreciate everything that you provided and all the quality conversations that your guests have also provided. [ Music ]

Kim Jones: And that's a wrap for today's episode and for this season of "CISO Perspectives." This episode was edited by Ethan Cook with content strategy provided by Mayon Plout [assumed spelling], produced by Liz Stokes, executive produced by Jennifer Eiben, and mixing, sound design and original music by Elliott Peltzman. Thanks so much for tuning in and for your support as N2K Pro subscribers. Your continued support enables us to keep making shows like this one, and we couldn't do it without you. We're so grateful to have had you with us this season. From all of us here, thank you for listening. We look forward to bringing you more expert insights and meaningful discussions next season. [ Music ]