March 29, 2024

00:39:54

Episode 252 Deep Dive: Mario Duarte | Navigating Cloud Complexity: The Evolution of Infrastructure

KBKAST

Show Notes

Mario has 20 years of experience as a security professional working across the retail, healthcare, and financial sectors. He has built and managed security teams, developed and implemented security programs, and managed PCI and HIPAA compliance initiatives for medium and large organizations. He also currently serves as both an advisor and investor at Silicon Valley CISO Investments (SVCI) and SYN Ventures.


Episode Transcript

[00:00:00] Speaker A: We have to get into an honest conversation with our senior executives and explain to them that we do want to get into this exciting field of AI. But let me tell you right now, right now we don't have a lot of visibility. If we're going to do this, we need to do X first or convey to the employees, give us a little time, buy a little time by saying, here are the policies around AI, we need to do X for the next period. These are difficult conversations, but we have to have them and at least inform our senior executives about these risks that we're taking. The idea that you're going to go use AI in a company and let people use it if you have no visibility or level of visibility in what people are doing is dangerous.
[00:00:47] Speaker B: This is KBKast as a primary target.
[00:00:51] Speaker A: For ransomware campaigns, security and testing and.
[00:00:54] Speaker B: Performance risk and compliance.
[00:00:56] Speaker A: We can actually automate that, take that.
[00:00:58] Speaker B: Data and use it. Joining me today is Mario Duarte, VP of security from Snowflake. And today we're discussing how AI fits into the state of cloud security. So, Mario, thanks for joining and welcome.
[00:01:12] Speaker A: Welcome. Thank you, KB. Thanks for inviting me.
[00:01:15] Speaker B: So I want to start with your view on the current state of cloud security.
[00:01:21] Speaker A: Well, I think there's been a lot of progress in cloud security. You could see that through some of the lesser events that have happened around cloud misconfiguration. I mean, it still happens, but I think people are generally getting used to the differing infrastructure and the technology. I think we're becoming better at it. So that's really helpful. It also has proven to be a very useful platform to use cloud and also cloud security as well.
[00:01:50] Speaker B: So do you think people feel a little bit overwhelmed when they hear, like, cloud security? Because if I go back to when the cloud was somewhat emerging and it wasn't as ubiquitous, people felt afraid. And now it's, we met, like cloud security. How do you think people are sort of responding to those sort of terms from your perspective?
[00:02:06] Speaker A: I think it's kind of regularly accepted now. When I first looked at when we were talking about cloud, or just even the cloud back in 2007, 2008, and it was really a foreign topic, foreign subject, and people didn't quite understand it. Imagine when I first joined Snowflake was back in 2014, and we didn't even have a product or customers back then. And the idea of putting your most precious data on the Internet was what would sound crazy to a lot of the companies back in 2014. You fast forward to now, and that's a generally accepted and approved model of hosting your data.
[00:02:48] Speaker B: So just another quick question on that front then. Do you think people in general get cloud security? Because I've spoken to people on this show at length just about cloud in general, and then we're talking about cloud security. Do you think that there are a lot of misconceptions still in the space, and then if so, what would they be?
[00:03:04] Speaker A: A lot of the companies have moved on that journey from being on prem or solely on prem to kind of a hybrid model. In some cases, like us at Snowflake, we were born in the cloud, we didn't have any infrastructure, so it was very different. Those are still kind of rare cases, KB, when a company is strictly cloud, but I would venture to say the vast majority of companies have a hybrid model. And when I talk to them about cloud security, I believe they have a general understanding and comfort with the particular cloud that they're using. I think things get a little bit more complicated and more difficult and difficult to secure, quite honestly, when you're having to do multiple clouds. So if you have Azure, GCP or AWS, that becomes a bigger daunting problem for companies. That's where I see some of the challenges when it comes to cloud security.
[00:03:59] Speaker B: Would you be able to elaborate a little bit more on those challenges that you're sort of seeing even like maybe two of the challenges?
[00:04:06] Speaker A: Well, I think even think of something as basic as logs and the way the logs are presented by Azure, or it could be very different. And there are some cloud providers, I'm not going to pick on any of them, but some of them are easier to interface with and to collect logs, for example. And the richness of those logs and telemetry compared to another vendor who might be a little bit more difficult to integrate with and difficult to assess some of the telemetry that's being provided by that cloud provider via their logs, that's an example that I can think of.
[00:04:41] Speaker B: And I know you're sort of generalizing, you're not sort of picking on anyone in particular, but do you think those cloud providers are aware that maybe it's a little bit complex? So they're working on making that easier? Because the whole sort of idea about cloud, to some degree from a vision point of view, is to make it easier for people to do stuff. So if you're saying it's hard to integrate, isn't that sort of counterintuitive, then.
[00:05:01] Speaker A: It's more about automation and the richness of their API, their cloud APIs. And some of these folks, if you look at the cloud of these three clouds, for example, you just have to kind of look at their history. I like to go back to where they started from, and that tends to be kind of their angle. So like somebody like, for example, Azure, they are know you started with the PC, for example, and they're more of the on prem, more of the enterprise model, while you got something like AWS or even GCP. And what you get is you get a lot more developer driven cloud infrastructure where it's less like a system administrator, more of an engineer developing on top of those clouds. And these are very general, right. You can have the same thing happen with Azure engineers as well. But I'm just talking about the basics, components for these cloud providers and their heritage.
[00:05:57] Speaker B: Okay, let's focus now on the role of cross cloud security. So maybe walk me through your thoughts on this.
[00:06:06] Speaker A: We started doing this cloud migration or cloud integration at Snowflake. So Snowflake was originally born on AWS, and we were primarily AWS for three, four years. And then we needed to start working on Azure and deploying Snowflake on top of Azure. Even then, some of the challenges you would have, even though a lot of times even the terms are not even the same. Right. So your HSMs may be different, they may be called key vaults on Azure, KMS on AWS, or HSMs on AWS. So even the jargon is different. Where it gets kind of interesting was, again, I'm talking about three, four, five years ago, some of their HSMs provided by Azure may not have had the same level of ciphers or type of ciphers that AWS had. So even then that was difficult. I think things are getting a lot more, I think some of the basics are being shared across these cloud providers, but it's still challenging when you go from one cloud to the next cloud.
[00:07:13] Speaker B: That's a really interesting point you just said there, Mario. And I had this conversation with a friend of mine who's head of security for a retailer. Do you think that people, it's a challenge, right? So do you think people sort of just stay with cloud providers even because it just becomes too hard, couldn't be bothered. It's all too much work. So do you think that perhaps people stay in compromise or because this is too hard or what are your thoughts then on that front?
[00:07:38] Speaker A: I think people get used to it. One, so engineers get used to something. You want to be efficient, you want to be productive. Anytime you have a change, a different infrastructure, that becomes more challenging for that engineering team to learn something new. Sometimes you need to hire those engineers that have that mean, that's kind of what we did at Snowflake. We needed to actually hire folks who were engineers from Azure that came from Azure. They had experience with Azure and we did the same thing with GCP. So you need to bring in some talents at times that are experts or are knowledgeable in those particular cloud providers. And eventually you find ways to be able to manage multiple cloud providers. You make it easier to work with, and that becomes kind of your secret sauce as a company. But bottom line, it really is one about comfort. And when you think of comfort that has an impact on productivity. And so a lot of companies would hesitate to do multiple clouds because they understand how challenged a problem can be.
[00:08:42] Speaker B: Yeah, I totally hear your point around. You get used to it. Even on this platform we're recording on today. Like we've been using this for a while. There are multiple other ones out there. But why would we change when we know the processes, we know how to fix it since we had that issue before you and I jumped on here today. So I think that it's sort of a mindset thing. So why would be the impetus to someone moving anyway? I get the whole multiple cloud, especially from a backup DR point of view, but why would a company go, all right, let's just go and move everything. What would be the reasoning then behind that?
[00:09:15] Speaker A: From a business perspective, having multiple cloud providers gives you, the consumer, potentially a better way to bargain for pricing, to negotiate for better pricing from these cloud providers, you basically say, you know what, if this cloud provider is offering me this while the other cloud provider is not, or they're charging you more. So even though it's comfortable to be one cloud provider, I caution and I encourage folks to consider looking on leveraging more than just one cloud provider, not just for the backup, but just from a business perspective, you want to have better negotiation leverage.
[00:09:57] Speaker B: Okay, so talk to me a little bit more. You said you can bargain for better pricing. So what does that sort of look like? And is that effective for people? Because sometimes speaking to people, whether it's on the show or just people that I know in my network, they do say like, hey, looking at x cloud provider, they're better at this area, but not as good in that area. So I get like, you're not going to always have, in a perfect world, everything's going to be amazing. Some are better than others at certain areas, depends on what you're looking for. But how does that then look for people that perhaps are thinking about better bargaining, getting better bang for buck, et cetera.
[00:10:33] Speaker A: Well, one of the things you want to do is you start thinking about storage itself, and one vendor might charge you $10, $20, $30 for a gigabyte of storage while the other one is charging you $100. Why? This is the first question. Why are you charging me more while these other vendors charging me less? And the technology is basically the same, and that's just a basic one, just right. I mean, then you start thinking about transfers. If you're moving data in and out, that also becomes pricey depending on who the cloud provider is. And that's another area where you can negotiate better pricing.
[00:11:10] Speaker B: So just going on your two examples, storage and transfers, do you think that these are sort of areas that people forget about, then are blindsided when the bill comes or when they are actually going through how it all looks from a pricing perspective?
[00:11:22] Speaker A: I think most of us have been more used to that because there's a kind of basic, it really actually goes more up the chain. It's more about more feature richness and what they have to offer. Some features are better on one vendor than others. There's more integration on another vendor than the other one. You can certainly live with that and accept some of those challenges, but that is also a way to negotiate better pricing with your cloud providers.
[00:11:47] Speaker B: Okay, I want to switch gears now. And now depends on who you speak to. And people are varying opinions on AI, as you know. So now I want to sort of talk through how AI fits into the state of cloud security. And then what is your opinion then on this?
[00:12:06] Speaker A: Just like cloud. I was thinking about this recently at another chat with alias thesis in the industry, and we were talking about when the original cloud, or when you started hearing about the cloud back in, like I was mentioning, the 2000s, and people started testing it, kind of dabbing into it slowly, or some people just went all the way in, but it was new. I would say the same thing happened with containers, Kubernetes, containers, dockers, whatever that is. When they first came out, it was a weird creature to begin with. How do you security was the next question. I don't feel comfortable supporting this. Why is the business having us do this? And so those are the things that we would generally think about in security. It's the same thing with AI. I mean, I know there's all these amazing things that AI, or at least people are saying AI is going to do, but it's just another form of technology. It's a new technology and we're going to get used to it. We're going to learn from it and we're going to learn how to secure it better. We have to.
[00:13:10] Speaker B: So people talking about ethical frameworks around AI and all of these types of things. Now, what are your thoughts then on that?
[00:13:18] Speaker A: I'm more concerned about, it's not that I'm not concerned about ethical AI and how people should be using it. I'm just reading a book recently called Chaos Machine. I don't know if you read that before, and if you read that, you'll be like, wow, oh my goodness, this is scary. From what AI can do and the ethics part of it, I kind of leave that to the smarter people, KB. My job really is to think about much more basic. I'm a much more basic animal. I'm thinking about how can our company use AI in a secure way that doesn't expose customers data or our own data, and how we can manage and govern that.
[00:13:59] Speaker B: So on that note, so how can your company leverage AI then?
[00:14:03] Speaker A: One of the things that a lot of companies do is they've invested heavily in their security program, in their governance. They understand to an extent where their data is at, who's accessing their data, as an example, what are they doing with that data. So you build some processes, technologies, people that understand that, and you kind of want to call it a virtual castle. But think of it as you get comfortable with these controls that you implement. What one needs to do, in my opinion, is bring the models to your data, closer to your data. I think where we run into some challenges is when we start using some public AI models, Gen AI models, LLM models that are used in the public. We should be concerned with employees using our data company data in public forums, public areas that are used by other, by other companies as well. It's the idea of, think of, I had a colleague of mine whose kid had turned 21, and they took a picture of their driver's license when they turned 21 and posted it on Instagram. The entire driver's license, with all the minutiae of the driver's license numbers and everything else, you would never do that, right? Never do those things, not where everybody can see it. It's the same concept with AI. Bring your models where your data is at, where you're managing and governing your data.
[00:15:38] Speaker B: But isn't this the part where people like what you're saying makes sense and it's correct, but people are still trying to do, like, basic stuff here, like basic stuff like patch management. I've gone on about that for so many times on this show. So we're talking about from your perspective, yes, it seems really simple, but people are struggling just to do day to day stuff. And so then when we're talking about AI and the complexity to it, and yes, I do agree that it does make life easier, but you still got to wrap your head around it. And people about, you mentioned it before about being comfortable. I don't know if people are comfortable yet. Would you agree with that statement?
[00:16:13] Speaker A: People are not comfortable with it yet. There's a lot of geekiness to it. There's a lot of really smart people. I look at this in all fairness, KB, I wouldn't say scared, but I'm a little bit intimidated. I study statistics, but I wouldn't call myself a scientist in this field. So I'm a little bit apprehensive. I think that is natural. But just because something is foreign, we're in technology for a reason, especially in security, right? We're constantly changing technologies and we have to readjust and learn and relearn. This is just no different. AI is no different. We are going to have to learn. We're going to have to embrace this change and we're going to have to figure quickly how to make it secure and usable in a company.
[00:17:06] Speaker B: So how do we sort of get people comfortable, though? Do you think it's just a matter of time, like with anything, with any change, it takes time, or do you think there are other ways people can start to get a little bit more comfortable?
[00:17:16] Speaker A: Well, first you need to have visibility. Like you need to understand who's using it, where they're using it and how they're using it. And so first you got to ask yourself, how am I able if I'm looking at a company, like when I go talk to other CISOs as well, it's okay. First, you have to have visibility in how your employees are using it. Second, you need to provide one. The companies need to provide our employees with the right AI tools that are approved in an approved environment so our people can go work with them, learn from them, test, et cetera, but in a controlled and safe environment. So we want you to have visibility, but then we need to quickly provide the right environment for them to work on.
[00:18:00] Speaker B: Okay, so going back to the visibility comment, I do understand what you're saying, but there's probably people that turn around to you say, well, I don't even have that. Why? Because look at all the major data breaches that have happened here in Australia. People don't have visibility. So then what happens when someone turned you and said, well, Mario, I'd love to have visibility, but I don't. What do you do then and how do you respond to that?
[00:18:19] Speaker A: That's not an AI problem, KB. That's a visibility problem. So instead of going, I mean, sort of talking about AI. Yeah, you're right. But you can't learn how to swim right now if you don't know how to get in the water. So it sounds to me like what we have is a visibility problem. Okay, let's figure that out. How can we improve our visibility? How are your employees working and where they're working from? How are they accessing resources? How are you collecting that information and bringing into a central place that you can make sense of that? So to me it's a different problem. It's a visibility problem, not an AI problem.
[00:18:51] Speaker B: Yes, but that's the part that I'm asking. If it is a visibility problem, you've got to crawl before you can walk, run, whatever that saying is. So then that's the part that I'm curious to know if people aren't even doing that or aren't even there at the visibility and don't really have that, which is fair enough. I understand that. So then we're trying to introduce complexity then already it's like saying to a baby, okay, go out and run like 100 meters.
[00:19:16] Speaker A: That's correct.
[00:19:17] Speaker B: So how do you move past that?
[00:19:18] Speaker A: Then we have to get into an honest conversation with our senior executives and explain to them that we do want to get into this exciting field of AI. It's going to make us more productive, it's going to advance our, and if we don't keep up with the competition, they're going to beat us. But let me tell you right now, right now we don't have a lot of visibility. If we're going to do this, we need to do X first or convey to the employees, give us a little time, buy a little time by saying, here are the policies around AI. We need you to do X for the next period. Now these are just conversations. These are difficult conversations, but we have to have them and at least inform our senior executives about these risks that we're taking. The idea that you're going to go use AI in a company and let people use it if you have no visibility or level of visibility in what people are doing is dangerous.
[00:20:11] Speaker B: So what specifically about the conversation makes it difficult? Is it people are like reluctant, you said before, apprehensive. Is it they, I've got to invest all this money, time, resources. What is it though, from your point.
[00:20:22] Speaker A: Of view, it's a newer technology. So anything new, anything change is difficult for us human beings. Our minds are not designed to handle change very well. Okay, so that's one. You got to just be empathetic. Quite honestly, a lot of the times you have to understand, okay, what is the business? What is it that you're trying to do? For example, every marketing organization out there wants to use every marketing tool on public Internet, as you probably are familiar. But maybe some of these vendors you're going to work with in the marketing department are maybe not the most secure hygiene folks in the world, and maybe those are not the ones you want to work with. I think you need to have these conversations with the business and say, okay, maybe we can use all these AI tools that you want, but let's go look and partner up with those vendors who appear to be ahead of the game or at least understand the problem and are providing a secure environment to work with.
[00:21:14] Speaker B: Okay, you said something before that I want to just press on, which is empathy. So would you say not enough people are being empathetic? Now, I say this with love to my cybersecurity community. I'm a practitioner by trade myself. But if we look at the standard stereotypical cyber person, it's like, just do the thing. And there's maybe perhaps at times not a lot of empathy then around it. So would you say that maybe people aren't approaching that with love and care towards their executives?
[00:21:42] Speaker A: Let me use an analogy. If you think of a company as being a vehicle, and every group in that vehicle is a wheel, if security is a square wheel and everybody else is a round wheel, that driver, that CEO is not going to take that for too long. They're going to pull over and they're going to replace that square wheel with a round wheel that fits the model, fits the business, fits with the culture, and helps the car drive more efficiently. I think we security people need to be more empathetic and listen to the business, listen to the folks who need to do whatever it is as a function of the business, but understand our challenges, especially when we're telling them when we're deploying new controls, because when we put controls on people, it makes their job potentially a little bit more challenging. It's definitely different. So I think if you don't listen first to how they work, what is it that they're doing and what challenges you're going to introduce? Your security program is going to introduce to somebody, then I don't think you should be in the security industry.
[00:22:45] Speaker B: Well, that's a fair point. So do you think after hearing people hearing you say that, they're going to say, well, maybe I'm out?
[00:22:54] Speaker A: Yeah, I think, look, I got into security 25 years ago. I love technology. I love technology for the sake of technology, okay, I can just tinker around with it. I love working on systems and code and everything, but not everybody is wired like that. And if you're going to be a leader in security, you have to learn to appreciate the different audiences you're working with, even the terms that we use. You need to understand who you're speaking with, who is your customer, who is your partner, and if you're trying to have a communication, if you're trying to communicate, you're trying to get a point across. Learn to listen first. Listening means also how to communicate with that person so your message resonates better.
[00:23:38] Speaker B: So you say AI will be an enabler. So maybe, what does this sort of look like in your mean?
[00:23:45] Speaker A: Let's just give you an example. So think, know, if you get CloudTrail events, let's talk CloudTrail logs, right? You get them from AWS, Azure or GCP, and they have a lot of, oftentimes you'll consume those. You put them in your either security data lake or you put them in some SIEM, whatever that is, right. And so if you look, if you consume all those JSON files, they have patterns, they have brackets here, brackets there. Oftentimes the security analyst needs to review this. We get used to, it's almost like the Matrix, right? We're kind of looking at these logs and making sense out of them. Using some AI, some basic AI tools, you can make it user friendly, where the models can actually consume the CloudTrail events, remove that JSON complexity and make it human readable, human understandable. Imagine a new security analyst getting into this industry, how effective they could be, how much more productive they can be if the CloudTrail events are translated in human form.
[00:24:43] Speaker B: And is that the part where you believe people don't see that on how much more productive your team can be? Is that the part you think maybe people don't quite understand?
[00:24:54] Speaker A: I think they're starting to, but I think what they don't understand is they probably are afraid of like where do I start? I don't know. This, this is very different. And so they get cut, they just paralysis analysis, right? Basically, I think KB, you were talking about multiple clouds. Well, imagine having to, you could use an AI tool that allows you to simplify the complexities, the uniqueness of each of these cloud providers and make you more productive where you don't have to worry so much about the individual minutiae of each cloud infrastructure and you can abstract all of it in a much simpler way for you to work with that becomes very powerful really quickly.
[00:25:37] Speaker B: So just quickly on the mindset approach to AI, et cetera. Now, you said before you've been in the space 25 years, so when the Internet sort of started to emerge, if you want to call it that, in the 90s, do you think people sort of had the same sort of apprehension like, oh, what's this going to do? But then look how much it's transformed the businesses, how many more jobs it's been able to provide to people. So do you think there's this element of, well, we don't know what we don't know yet, but hindsight is always a beautiful thing. So do you think in five years time you come back on the show and you're like, hey, that conversation we had, KB, a lot of those things have been demystified because now people understand what's happening. And when people understand, maybe they're a little bit more comfortable.
[00:26:20] Speaker A: I would hope so. And I would look just at past history of how we embrace newer technologies, we humans do. And the wonderful thing about competition and competitors out there, they're constantly trying to produce or provide a service that's better than the competition and that makes their customers happier. Competition is going to drive us to embrace AI and to make it more secure to work with, because that's just what's going to happen. The competition is going to do it.
[00:26:54] Speaker B: So would you also say that in this my doing air quote, you can't see me, but AI world, if you want to call that, or how we're traversing towards this way of operating, isn't this the inevitable though? Weren't we eventually going to get here? Like it had to happen at some point, whether it's in the last couple of years or the next ten years, eventually this would be the natural progression, wouldn't you agree?
[00:27:16] Speaker A: 100%. This is exactly what's happening, right? Like we're going to have this just like we did again with cloud providers before we had to put this hardware or these network devices in our closets. In our network closets, right? So there was always this physical component of it and we moved to the cloud and we removed all of that, I think. Remember, KB, maybe you may not be around, but maybe 20 years ago you had a bunch of network administrators, network engineers for a lot of, for companies, right? You needed your network engineers. Where are they now? I mean, they're still around, but they're certainly not the size that they were before. So where did they go? Well, they either learn new skills for the new needs of technologies, or they either change jobs or they retire. That's what's going to happen. It never stops.
[00:28:07] Speaker B: So would you say that's the part that people are struggling? I know there's lots of parts, but I've just focused now on learning new skills because back in the day, like, I don't know, my parents growing up, you would go to university or college and then you'd sort of just do the one thing and there wasn't much change, whereas now things change daily. It's a lot more constant upskilling that you need to do than ever before. So is that the part where people are like, oh, I couldn't be bothered. I've already done my six year degree and now I've got to do these micro credentials courses. And like you said, well, what happens to them? They either go outside of the company, the business, in that role, they retire, or they're forced to upskill.
[00:28:42] Speaker A: Right. And if you're forced to upskill, I think you get rewarded. Well, from a salary perspective, opportunities. It's just AI is not going to replace the developers. The developers who use AIs are going to replace the developers who don't. That's really what's going to happen. And a lot of these, what we call AI would just be, you won't even call AI, it would just be the way we work. It will just be part of kind of an augmentation to some of the things that we do. So it'll become seamless, quite honestly.
[00:29:21] Speaker B: So the other side of this coin I want to look at now is you also say that AI could become a potential blocker. So talk to me more about this then. What does that look like? [00:29:34] Speaker A: I think the biggest problem is if you start moving your data or using your data in a public forum where other people will be able to see that information, that will become a blocker in this industry. You don't want that. I think when we start making mistakes, or potentially even internally, what may happen is somebody who's really excited about these new AI models that they want to implement, gain more access to data that they shouldn't, and expose it internally, unbeknownst to them. But once you feed these things, this data into the model, other people can ask the model for some of that data, even though they may not have access. Those things are going to start becoming blockers. Those are concerns that we need to think about and address. [00:30:23] Speaker B: So if you had to boil it down to if AI is more of enabler rather than a blocker, would you agree that AI is definitely hands down wins the race of being more of an enabler rather than a blocker? If you had to wait it percentage wise? [00:30:37] Speaker A: Yes, it is an enabler with the right mindset, the right timing, getting the right skill sets, understanding who you have in your company regarding those skill sets, and partnering up with the right vendor or partners out there. Yes, it is a very strong solution. [00:30:57] Speaker B: So is it going to take a little bit of time from your perspective to people to get the right skill sets? Because obviously people don't get qualified overnight, so to speak. So is it going to take a little bit of time before people can start really motoring along in their AI journey? If you want to call it that. [00:31:15] Speaker A: Yeah, I'm thinking about that problem. I love encryption kb, right? But I'm not an encryption kind of guy. 
I don't have a PhD for that kind of level of looking at the mathematics behind encryption. I mean, I look at it, but I can never create my own encryption tools. Right. I would argue most of us may not appreciate all the math. You don't have to be a mathematician to be able to use TLS in your environment. Right. I'm going to encrypt traffic, okay. I'm just using this program that has TLS already built into it. I think that's what's going to happen with AI. Not every person is going to need to be a scientist and statistics and build their own models. This is already happening. There are already models available in open source community or even commercial folks have tested these models with data and they're reasonably strong. You don't have to go and reinvent a model. You don't have to reinvent the wheel. Let me leverage those, use my data and come up with new insights. So there will be different versions, I mean, there will be different levels of what it means to use AI and what kind of skill sets you're going to need. But you don't have to be a scientist to do this.
[00:32:23] Speaker B: So what about moving forward then? And I know that there's still a lot of questions that need answering and we still don't know what we don't know. But I mean, I've been sort of asking this question in the last, maybe twelve plus months now, specifically on, I would say, significant shift when ChatGPT was really launched in the market hard around November, December in what, 2022. That's when a lot of these AI conversations started to really emerge. So I'm always very curious now, twelve plus months on where that journey is going, but then also another twelve and beyond. So do you have any thoughts then on that front?
[00:33:02] Speaker A: I sometimes worry about the herd mentality that people have, humans have, right.
And I remember ChatGPT and there was also a significant investment by some companies, right, in those organizations and that attracted a lot of attention, a lot of VC money into a lot of startups. And I live in San Francisco, so I'm seeing all these new startups popping on AI and it just reminds me of the dot-com. I hate to say this, some of these folks are not going to survive two, three years from now. So I see that as a concern. But at the same time, what I do see is a lot of our vendors that we have relationships with are going to start leveraging or already have leveraged some of these models to improve their services. So we're going to start experiencing this in the next twelve months, if we haven't already vis-à-vis our vendors. Think for example, Zoom, right, Zoom now is leveraging some AI for some of the meetings. There's a lot of new technology being introduced, of applications that we today use that are implementing AI and we're naturally going to do some of that ourselves internally, companies will do that as well. So in the next twelve months, I just see this rapidly growing more and more. This is not slowing. You need to embrace it. I mean we need to embrace it and understand what our role is going to be in this next space in the next twelve to 36 months.
[00:34:31] Speaker B: So it's going back to your comment around some of these companies won't exist, sort of akin to the dot-com boom. So do you think they're just going to go out of business? Do you think that they just become obsolete or what do you think sort of is going to happen? There's just too many of the same type of tools out there.
[00:34:45] Speaker A: Somebody comes out, you know what I get to in my space. And most CISOs also get constantly targeted by salespeople, new salespeople saying, hey, I got a new tool, they want to sell you something basically. And a lot of these AI startups, they're just service, an idea, a feature. It is not a product, right?
So they are getting millions of dollars in VC money for a feature where you should be looking at what is the product, what is the application. Yes, it can have multiple features, but that's what you want to see. I don't see that with a lot of these startups. They have one feature that's interesting, exciting, fine, but that's not worth millions of dollars in my opinion.
[00:35:32] Speaker B: Yeah, this is where it gets really interesting because you are right, VCs are throwing lots of money at things and sometimes it becomes down to a lack of. Well, and look, I've spoken about this a lot and it's really interesting because sometimes these companies that you're alluding to are just a feature that don't really have a product. They're getting the money because they do really good PR and marketing and media and all of these types of things. They're the one that appears on the surface and gives the illusion to a VC that these guys are really, really good. Hats off to them. That's my world. I understand that. That's what you've got to do. I get that. But then it's like, well, don't you think the problem is then with the VC, because they're the ones funding these types of feature companies rather than product-based companies, then aren't they the problem?
[00:36:14] Speaker A: Look, it depends on the VC company. I guess I overgeneralize with VCs, but if you look at it, where is the VC getting involved? Is it the C round, a B round, whatever that is. And you'll get different flavors of VCs under temperament for risk. Some of them would just simply say, look, I'm going to find 20 of these or 30 of these and 29 are going to fail. But one of these is going to make up for all the 29s that are going to fail. That's been the game, there's nothing new about that. And that's what we're seeing, that's what's happening right now. I'm sure you've seen the same KB.
[00:36:51] Speaker B: Yeah, I've definitely seen that.
I think there's an actual, and I'm not an investment banking person, there's an actual term that they call it that they do some financial model, I don't know, someone smart will have to answer that. But then this is the other question that I have. So there are companies out there, I mean, RSA them for example, there's like thousands and thousands of vendors. Then you've got these little vendors and I'm all for innovation, but then when I'm speaking to startups, they're like, okay, cool, I've been around for 5 seconds and I just want to get acquired and I want Snowflake to acquire me, for example. So then it's like, are we really building innovation, or are we sort of just feeding the same beast that already exists? This is the part that gets me and I'm not sure about it.
[00:37:29] Speaker A: Yeah. Without speaking for Snowflake, right. I'm not going to speak for my employer, but just looking at certain strategies, that's not a bad. If I take a step back, maybe as a startup, you want to get a single or a double, right? You're going to get acquired, you're not going to go public, you're not going to make the butlers of millions of dollars. You'll make a little, you go get acquired. And that's important for the company that's doing the acquisition. Well, it's either, do they have the talent? More often than not, what you're seeing is they're not buying the features or the code, they're buying the talent. KB, right. That's a strategy that we see oftentimes. We just get rid of the product and just want the people with their experience, because you can hire maybe 30, 40, 50 new engineers that have that muscle memory for that particular area, and you get it at one swoop instead of having to hire them individually. And that could take you years and the competition can get ahead of you. So I think there is a space for that. I don't want to be so black and white. I would not want to do that as a startup, but there is a space for that.
[00:38:39] Speaker B: So, Mario, is there any sort of closing comments or final thoughts you'd like to leave our audience with?
[00:38:47] Speaker A: Just. I know AI sounds really maybe a little intimidating, and I will be the first one to say I am intimidated by it. But being in security, you have to embrace change. You have to learn, and that's how you grow as a professional and how you keep yourself marketable. So embrace change. Get good at it. Figure out what that is.
[00:39:15] Speaker C: This is KBKAST, the voice of cyber.
[00:39:19] Speaker B: Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today.
[00:39:27] Speaker C: This episode is brought to you by Mercksec, your smarter route to security talent. Mercksec's executive search has helped enterprise organizations find the right people from around the world since 2012. Their on-demand talent acquisition team helps startups and midsize businesses scale faster and more efficiently. Find out [email protected] today.
