
Thanks, Damon. Um, yeah, I don't know why I got that reputation as the smartest person. I keep telling Bryson and others they need to meet more people. But that said, I've had a chance to do some really interesting things in my career. Currently, I actually left the CISO role, and that's kind of part of the story here too, the tale of three CISOs. I'm now a Security Ambassador at JupiterOne; I used to be the CISO there. Before that I was the Chief Security Scientist at Bank of America, and while I was there I had a chance to create two things that hopefully you've heard about in some respect or another. If you were at Chris Hoff's keynote last year, he actually mentioned these two: he mentioned the Cyber Defense Matrix, which I brought copies of, and I'm more than happy to give them away, so please come and see me if you want a copy, as well as the DIE Triad. I want to talk a little bit about those in context, but those are just two things that I'm generally known for. Oh, and if I run out of books, there's a book signing; if you have one of those expensive business hall passes that you should really get for free, I'll do a book signing over there as well.

All right. Now, as I mentioned, I don't really consider myself the smartest person in cybersecurity, and I certainly would not put myself in that category for anything associated with this newfound, newfangled technology. By the way, I hate using buzzwords, so I prefer to just call it newfangled technology, or NFT. So if you hear me call it that, just make sure you understand why I'm calling it NFT. Okay, so in this newfangled technology I think I've passed the peak of Mount Stupid, but I'm not that much further along. I'm sure there are people who are way smarter than I am, and way more confident than I am, in this particular new space, but I try to think more deeply about what the ramifications are, what the things are that we can look at beyond the problem space that we might be facing.

To go back to what Josh talked about yesterday, he kind of gave that ten-year recap. So I'm looking ten years out, and that was kind of my role at Bank of America as the Chief Security Scientist: what kind of things should I be looking for 18 months out, three years out, so that we can be prepared to tackle some of the challenges that we might face? That's the perspective I'm taking here as well. Even though I said ten years, and it might take ten years, I hope it's much sooner, and what I would like to share here is how we can be prepared to take on the opportunities that come from this.

So as we look at what's coming, it seems like we're in this dichotomous time where it's the best of times and the worst of times. If you're in security, wow, it seems like we're in the worst of times. We have a lot of challenges with how employees use this technology, how developers are building these technologies, and how attackers are weaponizing them. Each of those poses a real challenge for us, three core problems that we run into. But I'm not going to spend too much time on that, because I'm sure there's more than enough material on it, and I'm not planning on sharing that piece as much. I'll give you a quick snapshot of it just so you understand the context of how I'm thinking about it. But the real question is: how do we make this the best of times? How do we take the opportunities that are presented before us and really capitalize on them for our careers, for our industry, and for what we can do going forward? So what are those opportunities? That's what I'm going to focus on primarily.

Now, as I talk about these best-of-times opportunities, it's somewhat prognosticating. As I mentioned, I hope that these will come to pass. I've looked at this for a while to see the signs of it, and one of the things I would look for is key indicators that this is actually starting to happen, and I've already started to see some of these things happen. So we'll see if it turns out. But as I predict a future for you, I hope it's not too high-falutin, too ivory tower. I think there are some real practical truths that you can take away from some of these things.

All right, so first let's talk about the worst of times and how employees use this newfangled technology. First of all, we have a lot of fear, uncertainty, and doubt. As we have folks using these technologies, we have people saying, "Oh wait, it seems like it's spewing out the same intellectual property that we just put in." And I would say, no, no, you've got to understand, that's not how it works. That's not how LLMs work. The way I characterize it is that LLMs generate, but they don't commemorate. They generate new information, but they don't commemorate information that's already in the system unless statistically it's highly prevalent. Caleb Sima actually gave a great example: if you type in "What is my Social Security number?" and you give it the first five characters, it won't be able to figure out the remaining five, even if it was trained on a whole bunch of Social Security information. So this perspective that LLMs generate and don't commemorate addresses one of the misconceptions, or at least people thinking that it'll spit out a whole bunch of information about intellectual property.

And so we're seeing a bunch of things happen in the industry around this. I was going to put up a bunch of logos of companies, but as you probably know, the curve for the number of companies being created around this is like vertical, so it's hard to keep up. I said, you know what, it's not worth trying to capture that. But there are tons of those technologies, and I was also part of a group that helped produce a policy around how we should look at this as a concern. However, that said, I'm not going to hit that much, because I'm sure you're already well versed in a lot of that and you can hear a lot of talks on it. But I think there's an opportunity for us to change how we look at our role and the opportunities that we have.

So how can we elevate the CISO role in this new environment? Let me give you an analogy. Consider what a CFO does. What is the CFO in charge of? They govern the wise and appropriate use of money. They allow businesses to essentially spend money to make more money, right? That's the whole point of businesses. They don't actually make money, by the way; they don't generate money. I guess they can do fundraising, but that's not really creating new money. And if a CFO said, "You can't spend any money," you might as well fire them, right? They're not a really good CFO in that regard.

But what if the opportunity is for us to become the CFO for intellectual property? We have a bunch of intellectual property going out, and we have these concerns around it, but what if, again, it's a form of currency, and we spend currency to make better currency? So what's the role then? We govern the wise and appropriate use of intellectual property. We allow them to spend this IP. And this IP, by the way, has different, you know, I don't know if I want to put a dollar value on it. I'm really deeply well versed in the cyber risk quantification space, and there's a whole bunch of stuff around that, but I don't want to get into that. Let's just talk about it in the context of: are we talking about low-denomination bills or high-denomination bills? Like, if I went to a CFO and asked, "Hey, I want to spend $25 on something," they would come back to me and say, "What are you asking me for? Just go swipe your credit card and get on with it." What is low-denomination intellectual property for us? Might I suggest, for example, that our source code is low-value-denomination bills? Do I really need to ask for permission to transmit snippets of source code? Now, a lot of low-denomination bills may add up to a high-denomination bill, so to speak, so we have to figure out what that sort of threshold is. But the perspective is, we have a lot of intellectual property, and if I said, as a CISO, "You cannot spend any of that intellectual property," well, guess what, you should probably fire me, right? And so what if we change our role, and the opportunity is for us to consider what it looks like to be a CFO for intellectual property?

Now, with that come some other interesting implications, or interesting concepts. Finance and accounting is a very mature practice, as you well know, and in that context there are lots of different things that we can borrow as well. We don't have those tools here, but these practices are things that we can probably figure out how to adapt to security. So I just pulled up a bunch of terms from generally accepted accounting practices; I'm going to call them security practices. Here's an example: impairment. Impairment is a financial term, and I did some slight tweaking just to remove some of the finance-specific words, but if you read it, it sounds like what we do in security. What is impairment? It's when some sort of resource is impaired. It's deemed impaired when I can no longer have any sort of assurance that it can be fixed within a certain time frame. Sound like something we deal with on a regular basis? Should we call it "impaired" versus "vulnerable" or whatever else? Yeah, maybe. And guess what, when you have the term impairment, there are also all these calculations that come into how we think about it, like how do you calculate impairment cost?

Assets. We call them assets, right? It just seems natural, except assets on a balance sheet are on the positive side of the ledger, but most of the assets that we deal with in security are actually more like liabilities. Do we actually have them on the right side of the ledger? Maybe we can start representing them as liabilities and not as quote-unquote assets. All of a sudden the business will see it as, "Wait, why are we carrying these liabilities and not doing something about it? Maybe we should try to get rid of these liabilities." So again, just a slight wording change, but you can see how that helps as well.

Survival metrics. If you're in a startup, or if you're in any venture-funded company, there's a whole bunch of metrics that we rely upon to see how much time we have before we die as a company. They're called survival metrics: what's your burn rate, what's your runway, what's your churn. In the context of assets, I should say liabilities, and the way that we look at the resources we have to be able to run a company, how does an impairment reduce our runway? How does an impairment increase churn? And I'm not talking about churn in customers; I'm talking about churn in other ways that we think about how these digital assets work as well.

Later today I have a talk on double-entry accounting. What is double-entry accounting? It's a simple way to have two ledgers, two different systems, provide a check against each other. I'll share some examples of that later today during a talk specifically on that, so I'm not going to spend too much more time on it. And then EBITDA. There's a whole bunch there; the finance industry has been reshaped a lot because of the simple concept of EBITDA. We can think about what it means to have income in the context of cybersecurity. We know what the term technical debt means, right? But how do we translate that into how it offsets this notion of income and the value that's being created by these assets, or these assets-slash-liabilities, that we have? See, even I still keep throwing myself off with these things. But that's it: the premise here is that we have a set of practices that we can now try to codify within how we do cybersecurity.

I think the reason why this is particularly important is because I've been fairly deeply concerned, and if you haven't been deeply concerned, you should be concerned, about how the government is deciding some of these things for us. Whether you agree or disagree with the Joe Sullivan verdict, I could put myself in his shoes, and there are many cases where I would have probably done similar things as he did, maybe a few things I wouldn't have done, but nonetheless I can see how many of us could fall into the same traps that he did. And then Tim Brown, with the Wells notice that he got served. I mean, there's a standard of practice that they're assuming that we can't ever achieve. So when we think about, for example, some of these practices, and I'll talk about this in double-entry accounting: how precise is accounting? How accurate are the books? How much variance do CFOs allow? And guess what, they do allow some variance. It's not perfect. The ledgers don't always match, and yet they don't get sued. Well, if it's a huge variance they might, but within acceptable amounts they don't get sued, they don't get fined, they don't get these issues. And it seems like that's not the same for us in cybersecurity.

And so we have a couple of opportunities. One is to redefine our role, not as a person that tries to secure, as a technical weenie that tries to secure all these little things, but rather in the sort of governance role of how we manage and govern intellectual property and the institutional knowledge of the organization. We have these tools to help us, well, we need to come up with these tools, and in doing so we end up with ways that we can potentially provide guidance for the government and for us as a practice, so that we don't have to deal with these things in the future as well. All right, so that's the first best-of-times opportunity: how can we become the CFO for intellectual property?

The second challenge that we deal with, the second problem, is developers building. I'm sure pretty much every company out there is now using these newfangled technologies to try to do something with LLMs or generative AI. Here's a diagram that you can barely see because it's the wrong contrast, that Andreessen Horowitz sent out. It's a reference architecture for how you build LLM applications. Don't worry about the detail at this point, but I do want to point out a couple of things in the context of what we've always learned in security. There are a couple of inviolable rules, right? One: never get into a land war in Asia. But the one that's probably more important, or, well, slightly less known but nonetheless important, is to never trust user input. And fundamentally one of the issues with LLMs, potentially one of the fundamental flaws, is that we can't separate out the control plane from the data plane. We know this is such a well-known principle in cybersecurity, and yet when I go back to that chart, that reference architecture, everywhere that I've highlighted in blue is user input, unsanitized user input, and it's pretty much everywhere, right? So it seems like it's going to be a pretty bad thing if we build against this reference architecture that doesn't necessarily capture this core principle of not trusting user input.

So how do we deal with this? Again, there are tons of things out there; I'm not going to spend too much time on them, but just for reference you have things like the Berryville Institute of Machine Learning and their taxonomy of attacks. I love this particular one because it's the most straightforward, structured way to think about attacks against machine learning. Of course many of y'all have seen the OWASP Top 10, and there's MITRE ATLAS. So again, I'm not going to spend too much time on those things, but the perspective is that there's a lot of work that we're trying to do to address this problem, which is all these places where we have unsanitized user input and all these attack surfaces. But I think there's an opportunity, and to be able to explain that opportunity, let me talk about safety and security, something that Josh talks about often as well.

By the way, there's a vendor out there, Integrity, that's giving out this really big poster that says "Safety First," and I love that because they're using the word safety. Now, if you're not sure why I think that matters, here's the thing. If you know Spanish, the word for safety is seguridad, and the word for security is seguridad. So in Spanish we have one word for two different things; in English we have two words, and in cybersecurity we have the same word again. So why don't we, in English, call it something different? Because we have two different things that we do: one that's called cyber safety and one that's called cyber security. If you want to get a sense of what that distinction is, we can apply other contexts.

So let's take food. When we talk about food safety, what are we talking about? We're talking about things like hygiene, compliance, inspections, good practices, bill of materials, having a sense of personal responsibility. When we talk about food security, we're talking about things like starvation, or where's the Ukrainian wheat or the baby formula. And when people say compliance doesn't equal security, might it be because compliance is safety, and safety doesn't equal security?

Let me give you another example: airplanes. If I'm an engineer at Boeing or at Airbus, my job is to ensure that the airplane stays up in the air and doesn't come crashing to the ground. Pretty simple, right? My job is not to dodge Russian and Chinese missiles. That is somebody else's job, to make sure that the airspace is free, or that we have airspace security, which is to have the space free and clear of Chinese and Russian missiles. It's not my job; rather, it's somebody else's job, usually the public sector, right? But the perspective here is that there's an activity that most of us actually do that's safety-oriented. Most of us do safety work. There are still some of y'all that do security work, but just be clear that we do cyber safety more than we do cyber security.

By the way, just a real quick aside: seven years ago Equifax got hit by a Chinese missile. Three years ago SolarWinds got hit by a Russian missile. But that event seven years ago, as time passes on, that Russian missile starts to look like a bird strike, and that bird strike now is something that I'm responsible for. If I'm designing an aircraft, I need to make sure I can survive a bird strike, but there should be no expectation that I can survive a missile strike, at least for most organizations. If you're Apple and you manufacture iPhones, you're probably building the equivalent of F-16s, and you'd better be able to survive Russian missiles, because guess what, you're going to get those shot at you. But nonetheless