Threat Vector 1.23.25
Ep 51 | 1.23.25

The ABCs of IOT Cybersecurity

Transcript

May Wang: I see bright future for both IoT and AI. At the same time, they are bringing us new challenges. We need to work together across the board to make sure that IoT and AI are bringing us more benefits than harm. [ Music ]

David Moulton: Welcome to "Threat Vector," the Palo Alto Networks podcast, where we discuss pressing cybersecurity threats and resilience and uncover insights in the latest industry trends. I'm your host, David Moulton, Director of Thought Leadership for Unit 42. [ Music ] Today I'm speaking with Dr. May Wang, CTO for IoT Security at Palo Alto Networks. Dr. Wang is an industry trailblazer recognized as the 2023 AI Entrepreneur of the Year by VentureBeat. She co-founded Zingbox, a groundbreaking company that developed the industry's first AI-based IoT security solution later acquired by Palo Alto Networks. With a PhD in electrical engineering from Stanford University, Dr. Wang has over two decades of experience at the intersection of cybersecurity, AI, and IoT, driving innovation in the field. Dr. Wang also serves on several boards, including Cepton, a public company in the autonomous driving space, and has been a venture partner and angel investor. Her career spans impactful roles at Cisco's CTO office and authoring the book Women Executives in Silicon Valley. Today, we're going to talk about IoT security, how AI is transforming the way we secure connected devices, and what's next in this critical field. There's a lot to cover, so let's dive in. May, welcome to "Threat Vector." We're really excited to have you with us today.

May Wang: Thank you.

David Moulton: To start us off, can you tell me a little bit about your journey and what led you to focus on IoT security and artificial intelligence?

May Wang: Sure. I have always been nerd. I'm very passionate about data ever since day one of my career. And ten years ago, I co-founded a company called Zingbox, and we focus on leveraging AI for IoT security, doing traffic analysis, analyzing huge amount of data to provide visibility and detection for IoT devices. And five years ago, our startup, Zingbox, was acquired by Palo Alto Networks. And I have been at Palo Alto Networks for the past five years, leveraging AI for better detection and protection.

David Moulton: That's really fascinating. As somebody who is a fellow nerd, I'm with you. It's always interesting to see what gets other people excited. And I don't know about you, but I've decided that the definition of nerd that I like the most is somebody who is deeply into something but also willing to share that passion and those ideas with others. And that's certainly what we're going to do on today's episode, talking about IoT cybersecurity and how AI is transforming the way we secure these connected devices. May, can you help frame the current scope of the IoT landscape for us? How many devices are we talking about globally, and maybe what are some of the main industries leveraging IoT right now?

May Wang: Yeah, sure, David. We're definitely seeing increasing amount of IoT devices being deployed around the globe. If you look at the numbers, the statistic can be different. But we're all talking about tens of billions of IoT devices being deployed. Some data shows about 20 billion nowadays. It has improved tremendously from 2019, about 10 billion. So some predictions show in the next five years, we're going to double that. And some says next year, we're going to have 75 billion. Regardless, all these large numbers that might sound so far away from us, but if you look at each individual, you can see just around us, not only we're having more IoT devices in enterprises, in manufacturing, in hospital, in schools, but we actually can also see that on each person, we're seeing increasing amounts of IoT devices, all these wearable devices that measure our heart rate and measure our glucose level, etc. Actually, just this over weekend -- over this weekend, I was at a event. And a speaker on the stage, I counted, he had five big rings on his fingers. And all of those were IoT devices measuring all kinds of things to help us better understand ourselves. So we definitely see huge increase in terms of deployment of IoT devices. And the industries we're seeing most are definitely manufacturing. We call them operational technology, OT, healthcare enterprises, and in many critical infrastructures such as energy plants and water plant, etc.

David Moulton: As you mentioned the five rings, I was trying to go through my own inventory of how many IoT devices and quickly ran out of mental bandwidth as I'm counting them up. I'm going to need to make a list. And it's something that each year, it seems like there's more. They are added kind of quietly to my life. I can only imagine, at the enterprise, how explosive those numbers are with the, you know, the 75 billion that you mentioned before. You know, it's certainly not just one or two devices per individual. It's got to be a large amount of growth at the enterprise or the industry level. Can you talk about which industries or maybe even device categories that you're seeing as the most vulnerable right now? And maybe why is that?

May Wang: Sure. Actually, you'd be surprised. There are two winners. One is how many -- the number of devices we're seeing the most. But surprisingly, those might not all be the ones contribute the most to cybersecurity issues. For example, in healthcare, we actually see the number one device is infusion pumps. They consist of 44% of all IoT devices or medical devices we're seeing in hospitals. But actually, they only contribute to 2% of the security issues. On the other hand, we see over 50% of cybersecurity issues are actually contributed by these things called the medical imaging systems, that including X-ray machine, MRI machine, CT scanner, etc., even though they only consist of 16% of all the medical devices we're seeing. But they contribute to majority of the cybersecurity issues. And there are many reasons for these vulnerable devices. They are, for IoT devices, there is so many different kinds of devices and so many devices spread out. And these devices also been deployed for 10s or 20 years. And they don't -- often, they don't have enough cell protection. And their security risk is actually much higher. For example, for these medical imaging systems, because they all have full-blown operating systems running on them, so hackers or sometimes even medical staff unintentionally or intentionally can leverage them to do things that these machines are not supposed to do. For example, we actually see lots of crypto mining, increasing amount of crypto mining in these imaging systems because they have enough computation power. And people -- attackers are actually leveraging them to do crypto mining. And we also see lots of malware that is already extinct in IT world. But because these devices have been deployed for so long and some of them without patches for years, so we still see lots of malware running, ancient malware running on these medical devices. And again, because they use full-blown operating systems, staff members can use them to go to shopping sites and watching Netflix or YouTube, etc., which are now supposed to happen on these devices because all these activities are going to increase risk factors to these devices.

David Moulton: So, May, you mentioned that some of them have been deployed for a decade or more. And a lot are running really old operating systems. I imagine the fact that there is an out-of-date inventory or some of the operating systems just don't get updates could be leading to some of the problems. But what is it about securing Io -- IoT devices that is more challenging than, say, a traditional IT environment?

May Wang: Yeah, there are so many new challenges to protect these IoT devices. One thing is we cannot or people don't upgrade them, patch them, as frequently as we do for these IT devices. Well, first of all, actually, in our IT world, we change our cell phone every other year, every two, three years. We update our laptop. We refresh, basically change to a new laptop every three years, probably. While for these devices, they've been there for, again, 10, even 20 years. And we still see lots of Windows '98 running on these medical imaging systems. And then talking about upgrades or patches, some of it because we don't have enough resources. There are so many devices, and we don't have enough experts to manage these devices. And also partially because lots of these IoT devices are in industries that are heavily regulated. And once these devices are working fine, nobody wants to touch them anymore because it showed again and again, even though the upgrade worked well in research labs. But sometimes, when you upgrade, when you do patches in real world, it can affect the functions of these devices, can bring down operation, can shut down the system for whatever reason. And that's the last thing people want to do on these IoT devices: to impact the operation, to have the downtime. And also, for example, in hospitals, there's very strict FDA regulation. Devices have to go through HIPAA compliance. And after you upgrade these devices, after you patch these devices, sometimes you have to go through the process again, which is a big headache. So nobody want -- nobody wants to touch them once they are working fine. But of course, there are so many security risks behind the scene. And people don't really see. And very often, you know, everybody is busy. There are gazillions of top-priority tasks. So when we don't see any problems, people just tend not to do anything about them.

David Moulton: So kind of an out of sight, out of mind. And then if it is in mind, it becomes really laborious to go after the updates. And I'm thinking about one of the devices that I have. It's an IoT or a connected panel for our pool here in Texas. And there's not a chance that I want to go out and spend a lot of time or money updating it or replacing it, even though it's a few years old and likely doesn't have the greatest security. So I can imagine if you layer on a regulation where you've got to go get recertification for a HIPAA. I do know that you were working on AI and IoT at Zingbox. And I'm wondering if we can shift into how does AI help in detecting and mitigating some of the threats in the IoT ecosystem. What advantages does AI offer over traditional security methods? Talk to me about the infusion or the marriage between IoT and AI.

May Wang: Yeah, David. Actually, you just brought up a very good and important point for AI because it's hard to manage and secure these IoT devices. And actually, AI not only can help us better detect and protect but also can bring out ease of use of these IoT devices. As you just mentioned, the management system of your pool, if it is a lot easier for you to monitor what's going on, a lot easier for you to update it, just press a button, then everything is updated with better security position gesture, then probably you upgrade it a lot more frequently. You do patches a lot more frequently because it's easier to use. So we do see that AI has been tremendously helpful to better management of IoT devices and better secure these IoT devices. Actually, about exactly almost 10 years ago, that's when we at Zingbox started using AI for IoT security. We came out. Actually, I just took a summer intern and did some experiment. And turns out it was a, I call it, perfect marriage of AI and IoT security. We got amazing results. And the whole team rolled out the industry-first AI-based IoT security solution. I actually think it was a great success. And, of course, during the past 10 years, we learned lots of lessons, gained lots of experiences about how we can better apply AI for IoT security, and now actually expand to even beyond IoT security, but just whole cybersecurity in multiple directions. I would say, traditionally, we do cybersecurity mainly in signature-based. We see something bad, and we figure out why it is bad, what are the features, and then we build up signature. Next thing, we see something similar bad and we can easily catch it. And then the second phase, we move over to machine learning, where we feed tons of information, huge amount of data, into machine learning models, and we identify the key features. For example, we actually collect more than thousands features all the way from MAC address, IP address, port number, application, etc., traffic patterns, everything. But among all these thousands or even thousands of features, what are the top features for this particular task I'm looking for? And then we identify the top maybe 10 most important features, and then we use machine learning. And then, actually, the third phase we move to is actually deep learning, where we don't have to predefine all these features. We just send a whole bunch of data into machine learning models. And the models would automatically learn and pick up the important features to weigh them heavier than other less important features for this specific task. And now we actually move to, we can call that phase four, gen AI. We've been using gen AI for the past couple years. And brought to us tremendous amount of efficiency and benefits. And I can summarize the benefit of AI for IoT security into probably ABCDE. And of course, we can go all the way to ABCDEFG, all the way to Z, because it brought us so many benefits. But given the time constraint, let's just talk about ABCDE. A, I call it automation because of AI can help us automatically identify devices, detect anomaly, give us automation on visibility and detection. And B stands for a broader coverage. And because of AI, because of the automation, now we can cover a lot more devices than we could before that we had to put in lots of manual effort. And the third one is customization. And for each organization, you might have different requirements or different constraint about your security policies and what is considered normal range, etc. So because of AI, intelligence of AI, we can do a lot more customization. And D stands for dynamic. So a device is secure today doesn't mean it's going to be secure tomorrow. So the whole environment, the usage, the deployment context is changing all the time with time. And, David, if you remember, years ago, we were mainly talking dealing with hardware. And we ship a hardware to customer site. And next time we upgrade this hardware is the next release time that we ship a new hardware to replace the old one. And then we move over to software and cloud. And then we can do a new release, do a remote upgrade maybe every month or every week, sometimes even every day. But in the new AI era, and actually, every time our customers using our system, our AI system is actually learning from the customer's behavior, from the customer's interaction. So it's a lot more dynamic. We can actually, in real time, upgrade our AI systems, make our system a lot more intelligent. And then E is for efficiency. Because of all the above, it can be a lot more efficient in terms of identify patterns in data a lot faster because we're collecting huge amount of data. And AI system help us to analyze all these data from different sources with different styles and patterns, etc., can give us insights a lot more efficiently. So ABCDE, automation, broader coverage, customization, dynamic, and higher efficiency. [ Music ]

David Moulton: Well, May, I think you just named the show, The ABCs of IoT Security. And I love that. As you were talking through this, the thought that kept going through my mind was we went from rules to machine learning to an area where there's gen AI. And I would wonder if you've noticed a difference from human-led rules and rule writing and what we think is most important to once we have observational data and the machine coming back and saying, actually, you know what? This is important. This data is important. Or this machine, this device is important. And it was less important in the rules era. And have we learned from that? Or is it pretty similar where a human and a machine would come to the same conclusion?

May Wang: That's a very good question, David. Believe it or not, when we first applying AI to IoT security, to cybersecurity, to analyzing data and making up rules and policy, our accuracy rate or the effectiveness rate was actually very low because especially, for example, at Palo Alto Networks, we have accumulate about 20 years of expertise. We have amazing cybersecurity researchers. They know this field inside out. They have tremendous amount of experience. And when they saw the data, they can build really effective and efficient signatures, even though it takes a while to, you know, collect the data, analyze the pattern. But they can build really good signatures and can very effectively catch all these malware, which often derive from previous seen or known malware. So when we first tried AI, because AI didn't have this in-depth knowledge and we were just experimenting with it, and when we tried to kind of sell AI to our product team, to our PM internally, we actually faced lots of challenges or pushbacks because the accuracy rate was just no comparison to what our human experts could do. But through the years, through our learning experience, lots of experiments with huge amount of data put on it and also learning from our security researchers, leveraging their expertise, combined with their expertise, and we gave feedback to the AI systems, now our AI systems became a lot smarter and intelligent. Not only they can do as good as a job as our security researchers can do, but as we mentioned before, it can scale up a lot faster and to a tremendous degree that there's no way, no matter how many human beings we throw to the problem, we can catch up to AI. That's the miracle of AI. It can scale up to billions of tens of billions of devices. We're talking about deployed in all different environments can dynamically adapt it to the environment to tailor towards the specific needs of each customer.

David Moulton: Yeah, it doesn't seem possible to write a efficient set of rules for 75 billion IoT devices and expect that there aren't going to be just a few problems with that. So that's really encouraging. I think you called it the marriage between IoT devices and our need for security and artificial intelligence coming in with that scale, speed, and what sounds like an ability to catch up with the human operators on its effectiveness at putting together the security that's needed. May, the concept of device identity has become really crucial in IoT security. Could you tell our audience what that means and how it factors into comprehensive IoT security strategies?

May Wang: Yeah. Actually, every time we talk to customer interest in IoT security solution, the number one question a CISO or a CIO has is actually, can you tell us how many devices do we have on our campus, on our network, at any given moment and what these devices are? And, for example, a X-ray machine can be run by a Windows system, and so is your laptop. So it's very important for us to be able to identify, okay, this is a Windows system running X-ray machine versus the other Windows system is running on laptop because once we have this kind of identification, then we can know exactly what kind of security policy access control we should have on these devices. For X-ray machine it should only do images, take images, upload images, archive images. That's it. Probably a handful tasks it should do, it's allowed to do. While on your laptop, it's normal for you to go to Facebook, Netflix, YouTube, anything you want. So we think device identification is the foundation of all the security policies and actions later on. That's why we think device identification is so critical important. While for IoT, it's very challenging because it's not like IT devices that each device can send you message, send you signal to tell you, okay, I'm this device. I have all these parameters, etc. Lots of these devices, they cannot do that. Then it's very important for us to be able to automatically identify all these different types of devices spread out in an organization. And what we have done is we actually collected all kinds of data -- from all different kinds of data sources, whether it's dynamic data sources or static data sources, whether it's pre-existing or it's something we collected from traffic and from Palo Alto Networks, because we have cybersecurity all the way from endpoint to network to cloud. So we can integrate and aggregate all these -- all these data information that we collected from different resources. And we can analyze these devices. That can give us a lot high accuracy rate to identify IoT devices.

David Moulton: So, as you were talking about the number one question from CISOs being just how many devices I have in my network or in my environment, it made me laugh. A lifetime ago, I was a consultant. And we were talking to clients about this device that they could put on their Caterpillar, bulldozer, or, you know, a digger, those sorts of things. And we thought we were very clever. It would tell you like how long it had been in use and if the thing had tipped over. And it would help you figure out if you needed to replace the treads, all kinds of really great data that could come off of this device. And, May, the number one thing that customers were excited about was, where is my bulldozer? Where is my dump truck? Like, and I was just stunned that you could lose a dump truck. Like, how do you -- how do you misplace your bulldozer? But it was a huge problem. And whether the treads or the wheels needed to be replaced or how long it used or if it tipped over, all those are very good to know. But when you go and you lose a multi-million dollar vehicle, it really does become a problem for these companies that were trying to keep an eye on where all their construction equipment was. So, you know, different industries, same problem. How many do I have? Maybe where they're at. And then all the telemetry that you're talking about. I'm certain that that accuracy and that ability to peer into your network and see what's going on, where you need more security, maybe where you needed to update because it is a critical part of your business is hugely important. But we'll start with the simple things. How many do I have today?

May Wang: I'm glad and not glad to hear the example you just gave. And actually, we see exact same challenges in healthcare, for example. There are so many infusion pumps, as I mentioned, in each hospital. And but often people lost them and don't know where they were. And when they need an infusion pump, they cannot find it. So what happened is people start, the medical staff members, start to hide these infusion pumps. And so by the time the end of physical year, when they try to figure out how many infusion pumps we have, they often found lots of them are missing. Then they have to budget to acquire more. But actually, our data shows, okay, you already got so many infusion pumps and maybe half of them are idling, not being used because people are hiding them and make sure whenever they need it, they can find it.

David Moulton: So they're kind of squirreling one away for that day when they need it. But then it becomes a problem for inventory management because you're going, well, I have 100. I can only find 40. So I've got to go buy another 20, 60, however many to get up to the levels. And, you know, the coordination between the folks that are actually using it and the folks that are securing it, you solve that problem or attempt to solve that problem for some of these critical environments like a hospital. I'd like to know, you know, that it's safe there both, you know, to use the device and that they have them and that they've been updated.

May Wang: Yeah. And actually, you know, for asset management, the very beginning of first step of identify devices used to be years ago that organization used to send, once a year, send like 200 people from consulting firms to go to each floor to manually collect how many devices we have and what kind of devices. And that's how they do inventory management as a management. Of course, we know, with today's dynamic environment, people bring devices to your network, bring devices to a hospital, to your campus all the time. And we need real time information about these devices.

David Moulton: Certainly. Especially as vulnerabilities in IoT devices have been a big source of news and concern, I know that there have been some major cybersecurity attacks. And I'm wondering how today's IoT-based threats are evolving and what kind of attacks businesses should be most concerned about.

May Wang: Well, we actually, Palo Alto Networks, we just came out with The State of OT Security for 2024. And in our survey, it shows three out of four OT manufacturing plants experienced attacks. So we're definitely seeing increasing amount of attacks across the board. And the top three attacks people are most concerned about are still malware, ransomware, and insider attacks. And we actually see 72% of all these OT attacks originated from IT. The relationship between OT team and IT team are very frictional. And 40% of survey organizations report they have issue to work with each other. And 70% of the organizations want to consolidate IT-OT vendors. That's why Palo Alto Networks came up with this platformization. We want to consolidate the infrastructure, consolidate the cybersecurity platform so that whether we collect data from IoT or from IT, they can help each other provide more insightful analysis. And another trend we're seeing is because of the AI. So AI is this double-edged sword. As I mentioned, it help us tremendously to provide better cybersecurity protection, detection, etc. At the same time, the attackers are also leveraging AI to do more attacks. And also, because AI is getting ubiquitous, our employees are using AI, all organizations are using AI, there are more vulnerabilities brought in, unintentionally maybe. But we're definitely seeing more vulnerabilities brought in by AI. So we're seeing more security challenges because of AI. For example, we see, due to AI, we've seen in three aspects: speed, scale, and scope when it comes to attack. First of all, about speed, we see because of AI, because attackers are leverage AI, they're building ransomware a lot faster than before. It used to take 12 hours. Now it's only taking 15 minutes. And also, it takes changes from nine days in order to compromise your enterprise to steal your data. Now it's down to 20 minutes to explore vulnerability. It used to take nine weeks. Now it's less than 60 minutes. So we see the speed of the attack is increasing tremendously. And then the second one is scale. And there's a study shows if you use AI to automatically generate some phishing email, the click rate went up 25%. And during past 12 months, we've seen 10-folds of increase in phishing email, all thanks to AI. And the third one is scope. Not only we seeing increasing amount of malware, phishing email, now we're all seeing deepfakes, which means attackers can mimic your voice, can mimic your video to pretend it is you, David, but while it's really not David but can ask you to do all kinds of crazy things. So we see more AI-generated attacks. And we see more vulnerabilities because of AI.

David Moulton: In our Threat Frontier report, we had a section on deepfakes. And I got to tell you, it caught me off guard. Wendi Whitmore is one of our VPs here, and I've worked with her for years. And the team was able to use commercial tools to deepfake her voice in a way that was so convincing, it was so authentic-sounding, that I was convinced that it was the sample that she recorded so that we would know what to make. And the team came back and said, no, absolutely not. All right? These were all generated. So those deepfakes are certainly frightening and getting better all the time.

May Wang: Yeah, definitely. David, for example, I think it will be very easy to mimic your voice and make it sound exact like David because you've done so many podcasts and can easily get so many training data and sample of your voice. And AI can easily generate a podcast for you without you knowing it.

David Moulton: You know, to be fair, a couple of months ago, I did put a lot of my recordings into a training model and had it come back and gave it a -- gave it a text to read back in my voice. May, it was absolute nightmare fuel, not because it was so good, but it lost, I guess, the dynamic range of my voice. And it sounded like a terrifying robot. So, if you ever want to be able to stay up for days on end, I can send -- I can send you a copy of that audio.

May Wang: So we still need the real David.

David Moulton: For maybe another week or two, for sure. You know, let me keep doing this. I don't know if I told you the reason I love doing podcasts. You mentioned being a nerd earlier. One of my strengths in the StrengthsFinder system is learner. And I'm able to convince really smart people like yourself to sit down with me for half an hour or an hour and talk to me about a topic that I know a little bit about. But during the podcast, I can get the world's greatest education and have a conversation about really interesting topics. And then we dress it up as a podcast and send it out into the world so that everyone else can benefit from it as well. So it really checks a box for me as a way of telling good stories and getting into topics but also just being very much a personal enrichment. So I appreciate you giving that time.

May Wang: Sure, David. I'm so glad you're doing this because I think your podcasts help people, for example, for this episode, help people to realize and understand how important IoT security is and what kind of role AI can play in it because today, both AI and IoT security are very relevant to each individual organization and to each individual person. It's not just the IT department's job. It's not just CISO's job, but it's so relevant to our everyday life and work.

David Moulton: Yeah, as you're talking about that, it makes me think about your comment earlier about healthcare being an area that has a lot of vulnerable devices. Certainly, here in Texas, we've had our share of trouble with our energy grids and our utilities. I'm curious if you can talk about some of the unique challenges in securing IoT devices in some of those environments and maybe some of the potential consequences.

May Wang: Lots of these devices are in critical infrastructure, like you mentioned, energy grid and water plant, etc. So these industries are very heavily regulated. And they have lots of their preparatory protocols and equipment, etc. And how to understand all these protocols, that's also where AI came in because they have gazillions preparatory protocols. And it's very hard to throw enough human bodies on to analyze each one of these protocols. While AI actually have the capability to learn a lot faster and learn lot more efficiently to figure out, okay, what these protocols are and what is considered safe, what is considered security anomalies, etc. And the second challenge is actually, because they're in critical infrastructure, they can be exposed in different environment. That's also why, from Palo Alto Networks, we came out with ruggedized firewall so that we have all these equipment that can be deployed in any kind of tough environment.

David Moulton: So one of the things I keep hearing about is 5G plus IoT. And this new marriage or this new combination certainly changes the IoT landscape. But I got to think that it changes the IoT security landscape. Do you see new threats, or do you anticipate different challenges from this combination of technologies?

May Wang: Actually, almost all customers we talk to are very interested in 5G technologies and because it's going to enable us to have even a lot more devices all over the place. So the scale is going to be even larger when all these devices are deployed. And again, the key thing is visibility. It's going to actually bring more challenges in visibility. And also, usually, when we talk about 5G, 5G security, mainly people are talking about the management plane, the signaling plane, but also, we see lots of challenges on data plane. So, from Palo Alto Networks, we are actually trying to address cybersecurity issues on both management plane, signaling plane, and data plane. And another challenge is, as we mentioned, the device certification, visibility are always the key and foundation and their different parameters to identify these devices in the IT world or the traditional IoT world. We mainly look into MAC address plus IP address to identify these devices in addition to gazillions other parameters. While for the 5G world, there are other ways to identify these devices, for example, IMEI, International Mobile Equipment Identity. So we need to figure out way to identify these devices using their specific cellular-based identifiers. And at Palo Alto Networks, we have already integrated into our firewall already so we can provide the same kind of cybersecurity protection to 5G-IoT devices.

David Moulton: May, as you've talked about the coming wave of predicted number of devices, 75 billion, I think you said, within -- within the year, the marriage of IoT with AI, the addition of 5G and the deployment on cellular networks, those are some big, big challenges to face and certainly, the types of things that I would think that boards or folks in advisory roles are grappling with today. I know you advise on a number of boards. What advice do you give to corporate leadership or board members so that they're able to shape their IoT security strategies for their unique organizations?

May Wang: Yeah, I've been on boards of public company, private company, nonprofit organizations. One thing I'm very glad to see is that now cybersecurity becomes a boardroom discussion topic on regular basis. I'm very glad to see more and more boards are paying attention to the health of their cybersecurity. I would say, actually, there are three things each board needs to be on top of. First, make sure your organization has the right tools, has the right procedure, has the right infrastructure to provide everything on your campus, whether that's user, whether that's application, or that's devices, etc. And second, you want to have finger on the pulse to have regular status check, just like at every board -- every board meeting, we do the financial updates. We should, moving forward, we should have cybersecurity updates or regular reports on how -- what's the security posture we're having now in our organization. And the third one is to have the correct, right way, for instance, response in case your organization is attacked, being hacked. What are you going to do? What are the procedures? What kind of help you can leverage, etc. And I think, moving forward, I think I heard there's some kind of proposal to have -- On each board, we have expertise on financial, on finance, have the in-depth expertise, and we have audit committee, etc. I think moving forward, we need that kind of structure and expertise on cybersecurity because it's going to be ubiquitous as the finance information and the health of the organization relies on finance and also relies on cybersecurity. Nobody wants to be hacked. Nobody wants to be attacked. But given the cybersecurity landscape we're seeing now, it's just a matter of time, just sooner or later, or just the matter of scale, small scale or large scale. So we all need to, as a organization, we all need to be very well prepared in case anything happens. And we need to beefen [phonetic] up our cybersecurity protection.

David Moulton: May, thanks so much for such a great conversation today. I really appreciate you sharing your insights on IoT, on AI, and a little bit on your background.

May Wang: Thank you so much, David, for having me. And this is definitely very exciting topic about IoT and AI. I'm so glad you are hosting a session on this. I really enjoyed our conversation. [ Music ]

David Moulton: That's it for today. If you like what you heard, please subscribe wherever you listen and leave us a review on Apple Podcasts or Spotify. Your reviews and feedback really do help us understand what you want to hear about. I want to thank our executive producer, Michael Heller, our content and production teams, which include Kenny Miller, Joe Bettencourt, and Virginia Tran. Elliott Peltzman edits the show and mixes the audio. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]