Unpacking the Global Cyber Outlook Report 

Cyber security impacts everyone from private individuals to multinational firms. On Episode 46 of The Cyber Security Matters Podcast we spoke with Oliver Pinson-Roxburgh, the Co-Founder and CEO of Defense.com, about the biggest cyber security threats of today. Oliver is regularly quoted in prestigious press publications, and has been interviewed on the BBC World Service as a subject matter expert in cyber security. During the podcast, we asked him for his perspectives on the World Economic Forum’s Global Cyber Outlook report and what its findings mean for the cyber security sector. Here are his insights: 

“I think they’ve just genuinely looked at the industry and gone, ‘There’s some problems here, but there’s some light at the end of the tunnel’. The ultimate goal of the report seems to have been just to highlight those areas that all of us in the industry knew were a big issue, and put some stats around it.

One of the key takeaways, which is really interesting, is that they found there’s a big difference between how good cyber security is in enterprise organizations versus everybody else. That’s true to the point that a statistic within the report said there is a 31% decline in the baseline of cyber resilience in SMEs. That’s a significant decline.

Now that might seem like we’ve found a report that aligns with what Defense.com is doing, but the data is there to back it up. When you go and speak to people or look at the statistics around these reports, you’ll see that SMEs don’t have the same amount of budget for talent. Businesses are saying, ‘I don’t have the expertise in my team, and I don’t think I can even hire people because we don’t have the budget’.

Is this an issue with education? It doesn’t matter if you want to get into cyber security or not, having some sort of cyber security awareness would stand you in good stead going into any business because companies are crying out for those skills. If you can promote cyber security as something that you care about and you’re interested in evolving within a business, even if you don’t want that to be your job, that would be amazing for your career because it is such a big target. Anybody who has that background knowledge would be worth their weight in gold. 

People assume that everybody in their business is a cyber security expert and won’t fall for a phishing attack. That’s not true. You’ve got people in every business who are not naturally cyber security savvy and haven’t spent years researching security. We’ve done phishing tests on our own team and we caught people who are pen testers and consultants. That just shows that everybody can get caught. 

The report highlighted these crazy statistics, like only 15% of organizations are optimistic about cyber security skills and education significantly improving in the next two years. That’s scary, isn’t it? It’s worrying to think that most organizations don’t think we’re going to get any better at cybersecurity. It puts into question some of the things we provide ourselves, like cybersecurity training, phishing awareness, etc. Are they working? Are people investing in those things? Again, it goes back to a lack of skills and lack of resources. 52% of organisations think they lack the right skills or resources, and that’s their biggest challenge in designing their own cybersecurity strategy. 

This might sound almost like a plug for recruitment in cyber security, but this is just what the report is saying. There are hacks every week. I know some parties think it’s probably because SMEs think attackers won’t target them, but phishers are so opportunistic that they’ll target anyone. They’re just hitting the internet. We did some statistics on this a few years ago, and we put a machine on the internet, and within 32 milliseconds, it had been scanned by something. If you make a mistake and expose something that’s unpatched just by clicking the wrong button, which is really easy to do these days, you could put it on the internet almost immediately. If that gets hacked, your whole company goes down.

Everybody should read the report. It sounds a bit nerdy, but there are some amazing statistics in there, and it shines a light on the fact that there’s a real need for businesses of all sizes to really think about security differently.” 

To hear more from Oliver, tune into Episode 46 of The Cyber Security Matters Podcast here.  

We sit down regularly with some of the biggest names in our industry, and we dedicate our podcast to the stories of leaders in the technology industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.

Cyber Security & Martial Arts

We uncovered a surprising connection between cyber security and martial arts through our conversation with Yumi Nishiyama, the Director of Strategic Alliances at Anvilogic, on Episode 45 of The Cyber Security Matters Podcast. Yumi joined us to talk about partnerships within the industry, her work around culture and how she supports and advocates for women in our sector. However, something else that stood out during our conversation was her unusual background and what drew her to cyber security. Read on to find out more. 

How did you get into the cybersecurity industry in the first place?

It was quite by accident. I’d gone to graduate school to study how women in developing countries were leveraging this new thing called the Internet for economic empowerment back in 2001. My first advisor there was a woman named Dorothy Denning, and she wrote a book called Information Warfare and Security. I took a class with her, and I just fell in love with the topic. There was so much happening out there that I had no idea about. 

I think that experience, coupled with the fact that my father was a Sensei, was a huge influence on my career path. I wore my first karate gi when I was two months old, so I grew up in martial arts. This whole concept of combat and defence was very natural to me, so when I took Dr Denning’s class, it was eye-opening because it was martial arts but in the digital world.

What’s the best advice that you’ve been given over the years?

There are three different parts, some of which I’ve mentioned already. My father was a huge influence on me, and when he was really ill and knew that his days weren’t long, I apologised to him for not taking the standard path of marriage and kids. My father mustered all his energy, and he told me that everyone has their own path. That meant so much to me because it freed me from these expectations that society has on all of us about what we need to be or become, and it freed me to be who I want to be. 

Alongside that, I’ve worked with some amazing executive coaches. Dr Sharon Melnick has been fantastic – and I’m paraphrasing here, but she talks about how external factors can make us feel powerless, so the only thing we can do is be responsible for our 50%. I’ve taken that to heart and tried to control what I can, and everything else I just have to adapt to. 

I’ve also been fortunate to work with this woman named Bronia Hill, who talks about the value of being your authentic self, which I think aligns well with what my father said. I’m in the cybersecurity realm. I will never be someone who loves to spend hours and hours breaking apart a system to find the vulnerability to exploit in order to protect it. But, I’ve taken what I love to do, which is working with people, being creative and innovating, in this realm of partnerships, and now I love this role in cybersecurity. 

Can you pinpoint any key themes that have contributed to your success?

Growing up in martial arts teaches you all these lessons and stories. One thing that really resonated with me was part of my fencing training and martial arts training with my father, who said, ‘If you’re standing in front of your opponent and you’re thinking about winning or losing, you’ve already defeated yourself.’ It’s about approaching things like a game. That’s what I’ve applied to my professional life; you don’t think about the outcomes or what you will succeed in. Instead, you focus on being in the game. 

For me to be happy in a job, I need three things. They are surrounding myself with great people, problem-solving, and being creative. I’ve learned that you take these great people, and they become your network. The solutions that you’ve developed become your intellectual property, and creativity is the way that you reach your outcomes. If you are true to yourself and know that you’ve succeeded in what you love to do, everything else is just icing on top.

To find out more about Yumi’s work in the cyber security sector, tune into Episode 45 of The Cyber Security Matters Podcast here.


Leadership & Soft Skills in Cyber Security 

Meet David DellaPelle, the Co-Founder & CEO of Dune Security. David’s an experienced strategist who joined us on The Cyber Security Matters Podcast to talk about his personal approach to leadership. He also has a diverse cybersecurity strategy and management consulting background and now specialises in AI-powered employee risk management. Read on for his insights into leadership, key talent topics and the most important soft skills in the sector. 

As a leader, your leadership style sets the tone for an entire company. How would you describe your approach to leadership, and how has it evolved over time?

The most important thing is to lead by example. Not to be cliché, but I think that if you want to lead a team of people, you have to believe in the company’s vision, especially in the early stages. Maybe you’re not able or allowed to pay a lot of money, or maybe you’re paying mostly in equity. It’s really just you and your vision keeping the team together. You need to firmly believe in the vision and communicate it properly. You have to paint a picture of what the future looks like for people to follow you. 

The other side is that leaders have to do the hard work in the trenches building the company. The most important thing is to lead from the front and be fair. It’s not about being nice, especially if you’re the CEO of your company. Oftentimes, people aren’t going to like you, and that’s just something that happens as you become a successful company and founder; you have to make some people unhappy.

In your view, what are the key talent topics that need addressing in cyber security? 

Location can be incredibly important. We’re a very hot cybersecurity company using AI in the heart of downtown Manhattan, so it’s been easy for us to recruit incredible talent from Columbia University and New York University. It’s quite difficult, though, as a startup, to start to hire your more senior leadership. That’s definitely challenging. Companies like Google, Facebook, Meta, Amazon, etc., can pay individuals a really high amount, so recruiting individuals away from those super high salaries takes a lot of salesmanship. You have to align those people with your vision for them to take a pay cut. Either that or you offer them more of an equity package. But overall, the hardest thing is hiring at the more senior levels.

What do you believe are the most critical soft skills for thriving in a startup business?

The most important thing is getting along with the team. Being someone who is personable, fair, and someone that other people want to be around is important, especially in startups. Candidly, startups will fail if they aren’t in person initially. That can change as the company expands and grows, when remote or even offshore might be a good option, but at least at the initial stages, if you’re trying to build a multi-billion dollar business, being in person is incredibly important. 

What we try to test for and control in our fourth or fifth round interview is a person’s cultural fit. We’ll bring them in in person and do lunch or coffee with their hiring team and with their management team to make sure that that person is a good fit for each group. Are they someone that you really want to spend time with? Being a person ready to roll up your sleeves and work super hard is important, but not as important as being a great part of the team. 

To hear more from David about his experiences as an early-stage entrepreneur, tune into Episode 44 of The Cyber Security Matters Podcast here.


Exploring API Security 

On episode 43 of The Cyber Security Matters Podcast, we were joined by Tristan Kalos, the Co-Founder and CEO of Escape, to talk about all things API security. He shared his perspective on the future of the API security space, as well as the current challenges that Escape solves for its customers. Read on for some fresh insights into the API security sector. 

What’s the main thing customers are looking for, and how do you solve their challenges? 

The general idea is that in the past 10-15 years, the cloud appeared, and suddenly every company started moving to the cloud. Suddenly, the previous security tools that were designed for the on-premise infrastructure were not up to date anymore. There are cloud security companies that appeared to help those companies do their transition in a safe manner, but with the transition to the cloud, the technologies used to build applications and run applications also evolved. Mobile applications suddenly appeared. Then you had single page applications and APIs, which is the technology that allowed any company in the world to exchange data with each other and their customers. APIs also let developers enhance their capabilities and communicate and exchange data.

APIs have become central to every data transfer on the Internet and to every business that flows to the Internet. The legacy security tools do not understand APIs or how to secure them or find security issues, so they are very vulnerable. At Escape, our ambition is to create a platform that can properly secure cloud applications, starting with securing the APIs that represent 80% of the global web traffic today. What we do is help security and engineering teams create and provide more secure APIs to empower their business.

What do you think some of the trends will be in API security in the next three to five years?

First of all, I think AI will be a catalyst for exposing APIs. It’s like mobile apps 10-15 years ago when everyone wanted to have a mobile app, so websites were not enough anymore. We have had to expose a private API portal, which was the first API revolution. Soon everyone will have LLM agents working for them. We will use applications in a completely standalone way without humans intervening in the process. What happens if, in five years, we live in a world where everyone has their own LLM assistant that does a lot of things for them? They book plane tickets, Airbnbs, and car rentals. They could do everything for you, but only if they can interact with public APIs.

If, in five years, or even less than that, your business doesn’t have a public API that LLMs or other external agents can connect to, you will let a lot of money slip off the table because half of the internet users will be AI and they can’t connect to your website. It’s like not having a website in 2009 – it’s already too late. My take is that the development of large language models, or large multimodal agents in general, will make having a public API required for every business. I’m pretty excited about what’s coming from the market.

To learn more about the future uses of APIs, as well as the current API market, tune into Episode 43 of The Cyber Security Matters Podcast here.


Why Businesses Are Focusing on Their Channel Offerings

With a growing number of companies building Channel offerings to distribute their products, understanding this space and how to navigate it is of increasing importance. In a special roundtable episode of The Cyber Security Matters Podcast, we were joined by four women who work in the channel to explore their experiences of the space. Read on for their insights on why businesses are focusing on their channel offerings more. 

Surja Chatterjea, the Senior Director of Channels and Alliances at Cobalt

“It’s really about the extension of your sales force. It’s about the force multiplier effect because your partners are your trusted advisors. Not only do they expand your sales motions and build out scale and reach in the channel, but your partner advisory board will also be a point of validation for your product and revenue strategies across your entire go to market process.”

Deborah Caldwell, the Global Channel Account Director at Illumio

“Creating a channel is a definite win relationship for everybody involved. That’s because it’s an easier and more efficient way to scale for the organisation, but it also provides better service for customers as well because you can connect with them at multiple points. Those intersection points make the whole relationship stronger.”

Christine Camp, the Fractional Chief Partner Officer at Conatus Advisors

“There’s a lot of consolidation going on in the market. There’s some platformisation too. Both of those things drive the demand and the need for channel go-to-market strategies, because people can’t be as efficient anymore when it comes to scaling and consolidation. I think it’s the era of the channel.”

Sara Verri, the Global Head of Field & Partner Marketing at Nozomi Networks

“Being based in the EMEA region, there is a cultural component as well. Having local partners in every territory brings certain advantages. If you look at somewhere like the Middle East or China, if you’re a smaller company, having someone on the ground that understands the local language, the local culture and how to do business there, that definitely accelerates the power of your organisation. The extension and collaboration you get in the channel are amazing.”

To hear more about working in the channel, tune in to Episode 42 of The Cyber Security Matters Podcast here.


The Impact of Combining AI and Cloud Security 

AI has been one of the biggest technological developments of the last decade. Cloud security is another growing concern as so many people and businesses move their assets onto digital storage platforms. Both come with increased security concerns, but what happens when you combine the two? On Episode 41 of The Cyber Security Matters Podcast we spoke with Raf Chiodo and Shai Alon, the Chief Revenue Officer and Director of AI Innovation at Orca Security, about their experience of blending AI and cloud security to create innovative new cyber security solutions. Here are their insights: 

The cloud security space is both innovative and hugely competitive. How does Orca Security distinguish itself from some of the other players in the field?

Raf: “First and foremost, we’ve got to make cloud security easy. We’re coming from the days where every little niche and security had a different tool, and the complexity was really overwhelming. We’re taking a holistic view and helping our customers really focus on what matters most. Secondly, the platform has to help stakeholders communicate across teams and make their security tools generate alerts. It’s got to be a great platform to help teams communicate, whether you’re in security or DevOps and engineering or compliance, it’s got to be something that helps facilitate that communication. Our vision and our approach is to help drive more security earlier into the development lifecycle because that creates such strong results. Finally, we’re building partnerships and integrations that really matter, helping customers take this platform approach, and integrating it with other tools that they’re already using, so that they collectively get a better outcome.”

How do you see AI integrating with cloud security?

Shai: “The capabilities brought about by the modern AI are profound. There’s an endless selection of opportunities to create and unlock new value – and specifically in cybersecurity, we found it very useful for enhancing our product and improving the user experience. One of the standout features we developed allows natural language search across the Orca data model by integrating AI. Orca goes and scans all these cloud environments and finds thousands, sometimes millions, of different things. They are often a bit cumbersome to navigate. So we created an AI that lets our customers search using their own words instead of traditional UI filters, and it’s something they really love. It’s been especially popular with non-native speakers who prefer searching in their native language, which is a testament to the accessibility that AI can provide. We’ve been working on dozens of user experience enhancements for the product. Each one unlocks new personas that can use the product because it’s much easier. 

Another interesting avenue that we took is optimizing the workflow of our security researchers. We have dozens of security researchers at Orca who are the ones behind the scenes, creating all the configurations for how you map out the cloud, how you create alerts, how you prioritize these alerts, how you remediate them, etc. It’s a lot of work. Unlike developers that have coding assistance, like GitHub Copilot, our cloud researchers have a dynamic field where they are able to create AI that helps them streamline their processes. It can do the tasks that require expertise, but it mainly helps with mundane tasks. For example, our AI helps with creating metadata, so writing descriptions for cloud entities, or documenting alerts with their remediation steps. This doesn’t replace our researchers; it serves as a force multiplier, boosting their productivity and allowing them to accomplish much more.”

What change have you seen in the appetite for customers using AI or learning how AI can influence and impact their cloud security solutions?

Raf: “AI discovery and natural language applications are very natural extensions for customers to expect in their environment. What they love and are surprised about is our use of AI to create remediation steps. The overhanging issue in our industry is the skills gap, right? There are so many unfilled jobs of increasing complexity, so any tool that can be used as a force multiplier to boost productivity is greatly welcomed. On the other side though, there’s a lot of concern. We’re starting to see customers require not just a standard master services agreement in terms of service documents, but data security agreements that incorporate AI as well, covering what data is feeding the models, where the data goes, who owns the data, what the risks are, etc. AI is adding a new complexity that customers are clearly concerned about.”

Where would you hope the cloud security space develops over the next 10 years? 

Shai: “It is a long horizon, but I am looking forward to seeing products that can take action on your behalf. Today, as an industry, we started by just being able to map out what exists and where the risks are, and we’ve transitioned to integrating all your tools to helping you solve problems. I would like to see a future where the products solve the easier problems themselves, and don’t even involve human beings, leaving us to solve the most challenging and influential parts of security.”

To find out more about the relationship between AI and cloud security, tune into Episode 41 of The Cyber Security Matters Podcast here.


Creating Cyber Security Solutions for SMBs

Small and medium-sized businesses (SMBs) often struggle to create effective cyber security solutions. On Episode 40 of The Cyber Security Matters Podcast, we spoke to Amanda Berlin, the Director of Incident Detection Engineering at Blumira, about her company’s innovative solutions that are specifically tailored to SMBs. Amanda is also the Author of The Defensive Security Handbook, Co-Host of the Breaking Down Security Podcast, and CEO of Mental Health Hackers, giving her a wealth of experience in the space. Read on for her insights on cyber security solutions for SMBs.

What challenges do SMBs face from a security perspective, and how do their challenges differ from larger enterprises?

Enterprises usually are bigger targets. When they get a breach, they have a budget, people, software and all the implementations necessary to deal with it. SMBs, even if they are breached, don’t necessarily get that afterwards. They have to make do with the software that they have at their disposal, and usually not many people. There are multiple roles that these people play. SMBs don’t have a CISO or anybody in charge of cyber security. Many times, they won’t even have a security team. There are just one or two tech people who are fixing everything from printers to security breaches. 

How have you seen the awareness of SMB business security changing over your time in the space at Blumira? 

When we started Blumira, people said it’s not changing that fast. They thought we were crazy for creating a product for SMBs because it’s a hard market to reach. A lot of them don’t realise that they need the security that they do, or they think they can’t afford it. There are all of these software platforms that are built for enterprises that SMBs are trying to implement themselves, but they can’t maintain it forever. We saw the constant struggle for SMBs to implement anything that was designed for a larger scale, and having worked at SMBs for pretty much my entire life, it’s a problem that I’m really passionate about fixing. I tried to implement a SIEM once too, and it was terrible.

How does Blumira fit into the SIEM and XDR market, and what’s your approach to securing those businesses?

When we started Blumira, our leadership talked about making a SIEM for SMBs that you could implement in under a week. I thought they were insane because our onboarding process was at least six months in the companies I’d worked in before. You had to set up the servers and ingest the logs, which was a two-month-long process. You had to talk to them about all their use cases and work with the customer one-on-one. Coming from that, I was like, ‘There’s absolutely no way we can create a product that you can do in three months.’ But then we did it. And that’s why I’m still here because I never thought it would happen. We’ve had customers roll out their entire infrastructure in less than an hour. Just from the technology perspective, that’s a really difficult thing to accomplish.

When you work in a SOC, there are a lot of level-one analysts who are fresh out of college or really new to the space and are doing a lot of repetitive work and missing things. Because they’re seeing 10,000 alerts a day, they have to make sure they don’t miss escalating something that could be worse. We’re leaving that to the most junior people in the company. Instead, we automated everything that we possibly could in a SOC and the platform. Anytime we have a network scan done, we would get an email from every single UPS device underneath somebody’s desk. That’s how a lot of SIEMs are, but we just automated all of that because you shouldn’t have to deal with 10,000 alerts every time you do a scan.

To hear more from Amanda, tune in to Episode 40 of The Cyber Security Matters Podcast here.


How to Mitigate Insider Threats & Other Cyber Security Risks 

As we rely more and more on technology, our risk of cyber attacks or information leaks is also increasing. On a joint episode of The Cyber Security Matters Podcast we spoke with Jake Bernardes, the Field CISO at anecdotes, and Ido Shlomo, the Co-founder & CTO of Token Security, about their advice for people and companies who are looking to secure their cyber assets. Read on for their insights on how to reduce your cyber security risks, including insider threats. 

Jake: “Insider threats are divided into two categories; intent and incompetence. But insider threats are real. If I look at most attacks and incidents that I’ve worked out in my time, 90% of the insider threats have been in the incompetence category. People accidentally hard-coded credentials into IDP. That’s like identity providers leaving the credentials for the entire customer database on a public-facing URL. But there are different ways to catch them.

There is also the compliance piece, which is where anecdotes come in. We’re really good at identifying how people will divert from the norms and what control is best to use. We could connect a US to anecdotes and say, ‘This is what a normal VM looks like. This is what it has to look like to comply with PCI, SOC or ISO’. As soon as someone creates one which doesn’t comply with that regulation, our system will flag a noncompliance and therefore show what was wrong. It gives you a chance to both logically correct it and then go and work with the person to educate them or uncover their intent. You have the visibility to fix it before it becomes an issue. That’s the key point of all compliance and regulation-based security; fixing things before you have a breach or before damage occurs.”

Ido: “Incompetence is a hard word, but most of the time, it’s just a lack of education or understanding. For example, one of them is people being off-boarded from a company, and the entire resource they’d created isn’t kept track of. That’s an insider threat, but the insider is still in the company because it’s the people who don’t take care of it that are the problem. You see a lot of those issues in the identity space. People are so passionate about technology that they make every mistake possible. They plug in their CFO’s Excel, and they allow them to query all of the organization’s data with zero limiting on the permissions they have, and nobody’s keeping track of that. In the identity space, that’s crucial. We’ve just seen Ticketmaster, Santander Bank, and TNT suffering from those types of threats. Securing your own people is the hardest thing to do right now for security teams.”

Jake: “There are a few ways to handle insider threats, one of which is to slow down. We’re obsessed with being fast to market, so we almost encourage issues and errors. Look at the desire – and desperation – to get AI chatbots to the market last year. That resulted in a flight and a car that were both bought for $1 because these tools had been improperly tested. That will have happened because someone was pressured either internally by themselves or externally by their leadership to deliver and develop quickly, so they either skipped steps or just didn’t do them thoroughly enough.

Another way to mitigate these threats is to understand what you’re doing. A lot of the time, people build stuff without really realising what they’re doing. It’s important to understand that a software development lifecycle goes from A to B, and it shouldn’t be limited. Understanding what the end goal is means you can make sure you have those steps lined up in the process. 

Finally, getting the client there when you talk about compliance and regulations always sounds boring, but when we get a bug, we can see everything happening in security. We can see everything from identity issues or cloud security issues, onboarding issues, lack of training and policies not being signed – all of that stuff. Once you get a holistic view, you can educate the leadership and filter down the necessary information.”

Ido: “It is still very important to keep the pace. You want to understand where you’re taking too big of a risk, and you need to understand how to do things securely. Security should really invest more time into the auto-remediation of problems; not when you have an incident but much before that.”

To hear more about securing your cyber assets, tune into Episode 39 of The Cyber Security Podcast here

We sit down regularly with some of the biggest names in our industry, and we dedicate our podcast to the stories of leaders in the technology industries that bring us closer together. Follow the link here to see some of our latest episodes and don’t forget to subscribe.

AI Governance, Security and Compliance

On Episode 38 of The Cyber Security Matters Podcast, we discussed changes to AI governance with Patrick Sullivan, the VP of Strategy and Innovation at A-Lign. He shared his insights on changing legislation and what that means for organisations that use AI as part of their workflow, as well as his definition of ‘AI governance’. Here’s what he said:

What does the term ‘AI governance’ actually mean? 

ISACA through COBIT has introduced control objectives for AI and has defined governance as a value-creation process. When we think about governance, we think about value creation. COBIT says that governance is creating desired outcomes at an optimized risk and cost. So for us, we need to ask ‘What do we want to create? What risk are we willing to bear? And what budget do we have to support all these things?’ Our practices are processes that are employed to ensure that we’re creating the outcomes that we want as an organization in both a risk-appropriate and resource-appropriate way. 

What frameworks or guidelines can organizations adopt to ensure AI systems are used responsibly and ethically, and does this vary based on the size of the organisation? 

Generally, we won’t see the applicable frameworks vary based on organizational size. In the market today, there are two frameworks that most organizations are using to build their AI governance systems to adhere to X number of regulations. For neuco as an example, we saw that the EU AI Act was written into the Official Journal last week. These regulations are pressing, which means many organizations that are bound to the AI Act now need to take significant action to prepare themselves. 

How do those frameworks and guidelines actually physically enhance trust within the supply chain?

ISO 42001 is a certifiable standard and management system. Organisations that implement ISO 42001 as their AI management system can have a third-party auditor certification body, of which A-lign is one, independently validate that appropriate processes are in place, that appropriate procedures and commitments have been made, and that the management system is running effectively to meet the intent of the standard. So there’s a certification mechanism that organisations can use to offer assurance to others in their supply chain and their value chain. 

Many in the security space are already very familiar with security questionnaires. We’re currently seeing a lot of pressure on organisations to answer AI questions because the market is really educating itself about what’s important. That is then driving the need to respond to those questions or unknowns to or from suppliers. While regulation will always be a pressing concern, self-policing in the market is where I see us go with responsible AI use.

How do you expect AI governance and compliance to change in the coming years?

Over the next five years, I think we’ll see the skills gap become more pronounced. I don’t know that there’s necessarily the awareness that there needs to be. We’re seeing groups come online like a group called the International Association for Algorithmic Auditors, which helps new algorithmic auditors or AI auditors understand what skills they need to be successful, and I think we’ll see more organisations like that come online as the recognition of the AI governance and AI assessment skills gap becomes more pronounced. As that happens, the market will really largely start self-policing, and we’ll enter the hype cycle. But, once that begins to simmer down, AI governance will become more of an operational process just like any other governance, risk governance, or vulnerability management process. 

To hear more from Patrick, tune into Episode 38 of The Cyber Security Matters Podcast here


Cerby’s Best Practices for Securing Cloud Native Applications

Matthew Chiodi, the Chief Trust Officer at Cerby, joined us on Episode 37 of The Cyber Security Matters Podcast to share his insights into the industry. One of the topics that stood out to us was the best practices that he shared from Cerby’s work on securing cloud-native applications. Here are the highlights of his answers: 

“When people say cloud-native application, that refers to applications that are built cloud-first. If you have a VM that’s running on-prem and you move it to run in the cloud, that’s not cloud-native – that’s just cloud transferring. Quite frankly, it’s a waste of time and money to do that. Cloud-native means that your infrastructure was not built manually, but it was built using infrastructure as code templates, defining what your infrastructure would look like in code first. Then you’re using code to bring up things like lambda functions that only work during a certain period of execution. That doesn’t use a typical VM, it’s usually a microservices-based architecture. 

When it comes to cyber security, the basics still apply. Organisations have a massive data sprawl issue in the cloud because it’s so easy to upload to. If you go back 5+ years ago, if you needed a new data store, you had to open a ticket with your IT department and wait 2-3 weeks or even months, depending on the size of the organisation, before you got access to it. Data also tended to be much more centralised, and there were checks and balances. For a lot of cloud environments, that’s not a problem anymore. Developers generally have a fairly high level of access to create new services and they can create new data stores on demand by calling APIs, so you tend to get data in all different places. 

You have to know where your data is and what it is because if you don’t, sensitive data, like personally identifiable information, can easily end up in the wrong place. Health information that was intended to only be in a production environment can very easily be moved to lower environments that don’t have the same level of governance. I’d advise having a good tool that can tell you what you have and who has access to it. 

Knowing your code – specifically your application security code – is still highly important because you might know where your data is, and who has access to it, but if you’re writing crappy code, you’re introducing a vulnerability to your digital environment. So, you have to know who has access to your data and your code. If I get access to your data, I can do what I want with it. Or, if I get access to your code, I can inject things into your code that will then give me access to your data. 

In terms of what Cerby does, I usually say that in all organisations, you have two different types of applications. A lot of times we think of cloud apps versus on-prem apps, and that’s true, but really it comes down to identity and access management. You have standard apps that you can very easily integrate with your identity provider, and your IT team can manage them centrally in terms of who should have access through that type of identity provider. The other category is what we call non-standard applications or disconnected applications. This is a massive problem space because the apps that fall into the non-standard category can’t be managed with your central identity systems. Cerby is focused on that non-standard space.

We connect those non-standard applications back into identity platforms on trial ID. We did a little bit of research last year, and what we really wanted to understand was the scope and scale of the problem, and we found that organisations have a median of about 175 of these non-standard apps. We’ve spoken to some large healthcare companies who have thousands of these, and we know there are hard costs associated with these applications because if you as an IT admin in one of these organisations have an employee who needs access to one of these non-standard apps, they can’t go through any kind of automated process – they can’t go into your access request system, they’re going to put a ticket in. Once you get to it, you have to manually log into this app, figure out what access they need, etc., and it’s all a lot of hassle. We make it so that you can centrally manage these non-standard disconnected apps, using your existing native tools.”

To find out more about securing cloud-based applications, tune into Episode 37 of The Cyber Security Matters Podcast here
