CISO Leadership Panel – Real-World Strategies from Security Executives

All right, welcome. This is the SISO panel. Really appreciate everybody taking time out of their day uh to come attend as well as uh participate in the panel. I'm Bryce Coons. Uh I'll be uh guiding this discussion a little bit. Um I'm going to pass the mic down so that uh everybody can do their introductions and you can get to know them a little bit more. Here you go. I am John Below. I'm the head of security at a company called Jasper. Uh we make an AI marketing tool. So we leverage AI models for marketers. Um I lead the security compliance IT and DevOps teams. So uh it's a lot a lot more than security, but security I think

is of as my uh main focus. Uh my name is Brent Dylan. Um I am with sportsman's warehouse. Um been there for 22 years at the end of this month. So um yeah I've been around there a while but I lead the infosc and GRC teams for sports warehouse. My name is Adam Marray. I am the CISO of Arctic Wolf. Been there about three years and I cover all security but I am focused on the security of the organization. It is a cyber security company. I'm not involved in sales or delivering the service. I'm involved in securing the company including physical security group. And I'm Josh Pugmmyer. Uh I head up security and IT over at Awardco. I've

been there Yes. Thanks, Jesse. Uh I've been there for a month and a half. It'll be two, I guess, two months next week. Uh but I oversee all of security, IT, GRC, and probably a lot more that I still need to focus on and learn as I'm picking things up. Good to be here.

Okay, great. Thanks for your great intros. Um, okay. So, you know, we'll just kind of take the conversation organically. Uh, the first thing that I just wanted to talk about is, and you know, whoever wants to jump in first is great. Um, you know, if you wanted to drill one principle into like a new employee, um, or get them up to speed on cyber security quickly, uh, what what do you think is the one thing that you would want to instill inside an employee?

take a second. Yeah, I think um as I think about that question, I think um probably not to be scared of it and don't be afraid to ask questions and don't be afraid to um you know just put it out there. Uh be vigilant but also uh be open to uh ask the questions, right? And I think we have to as cyber security leaders and and teams uh kind of foster that to where they feel comfortable doing that. But I I think that that is a good place to start. Kind of sort of two-part rule. Part one is if it's unexpected, don't click it. Don't touch it. Don't do it. Don't obey it. Don't do anything. Stop. And if it

is expected, trust but verify. Uh, I'd probably say you picked the wrong field. Just kidding. Uh, I I agree with what Brent and Adam both mentioned. I think there's a couple things that I may say. One that I think is important is find a balance between identifying the risks or going after the things that you feel like are risky as well as understanding what the business is trying to accomplish so you can facilitate uh, I guess a solution for the business. uh just making that I I feel like if you get that right out of the gates, it's a lot easier as you progress through security. So you're you're not having to learn, okay, no one's listening to me.

There's this huge risk associated with something uh while also like balancing what the business is trying to accomplish at the same time. Like you're getting paid because the company's in is in existence. So try to my main point is really just boil it all down. Find balance. Yes. Find risks, find solutions, but find ways to of doing it in a way that helps the business move

forward. I I'll get I'll throw my answer for employees in general. I think similar to what Brent said, it's just a healthy level of of skepticism um in kind of everything that you do. And then one thing we try to focus on in our internal training is um uh really focusing on what is employee responsibility like each individual responsibility versus what kind of tools we'll will cover. Um so that people kind of know what their actual uh what's kind of actually expected versus assuming that everybody kind of knows. Thanks John. Great, great advice there. So, I um yeah, I know each one of us has probably been new at a job before and uh really trying to instill that culture of

cyber security is easier said than done. Okay. What's the hottest new tech you'd bet on to boost the cyber security posture of organizations? I mean, it's got to be AI, right? Isn't that Isn't that what we're supposed to say? Uh, I I the the thing that I look for more and more in tools is is really specific application. I feel like even just a few years ago, we had really generic tools that that would, you know, do things like identify vulnerabilities without much context and and things like exploitability. We were I was talking about this with somebody today that that you know tools like Whiz really help you see um specific ways vulnerabilities can be exploited instead of just you know

throwing out a big list of of stuff that you might look at. So um just in general tools being much more specific and guiding um practitioners in actually how to do uh the response that we have to do. Yeah, I think AI is the the right answer today. I think quantum computing is going to turn the especially cryptography on its head, right? We're going to have to get ahead of that. I know NIST is always already working on that, but uh I think quantum computing is as that becomes more and more mainstream is going to change the way we do everything. Yeah, I'm gonna I'm stick with AI answer. Um because so unlike other technologies

that have come out that where they've claimed that they're going to change everything like blockchain I don't know if we're going to talk about that later but where it came out it does a very specific thing but then all the hype around it was you know not has not been realized for many reasons. I don't think that's AI and there are some people skeptics out there still saying that but I do not think it's true because you are starting to see it being used in many many places very specifically and it's starting to boost those specific tools or specific domains in ways that are hard to anticipate how much it's going to change. Like you can see what's going

to happen now but if you extrapolate even a little bit into the future one or two years it's going to be it's hard to predict where it's going to go. But even just seeing what it's doing now to enable people to do more and enable attackers to do more, I just think that is the thing that is going to change the faith face of this. And within five years, I think some of what we're doing now is going to be unrecognizable. So ditto, [Applause] can I add just one more thing on the on the AI? I think the the thing that it's doing for me is is helping to eliminate the skills gap. We we were talking about

this earlier that security is such a broad domain es especially for small teams where you have to be you're looked to to secure the business in general right so that's computing systems and people and and and everything uh throughout physical security everything throughout the business and it's impossible to be an expert in all of those fields. It's just impossible. So, previously you would hire like someone on your team to be an expert in the areas where you have gaps and I think more and more we can turn to AI to kind of be that skills gap for um for the people that are on the team especially for teams that are strapped with the number of people that

they can hire. Yeah. So, is there anybody in the room that does not do their job differently um from what you were a year ago because of AI? Every one of us are doing our jobs differently, right? Um and and it's going to just continue to go that way. Yeah, great answers. I uh feel like there's two main takeaways there. Well, maybe three, right? We got AI, we got quantum, we got Blockchain way the future. That's joking. Um, okay. So, talking about AI specifically in a future where AI can write and execute its own code, how do you think AI will protect itself from cyber threats? Anybody got a any ideas on that or any speculations?

I I mean I think it's I think it's important to say right now it's speculation, but I do think there's there's really compelling evidence right now that AI is going to be good at at investigation and cyber security tasks in general. Um I think there's some gaps there but uh you know if you if you use tools like um like GitHub advanced security that that leverages copilot to not only identify vulnerabilities but then suggest remediations for those vulnerabilities. The percentage of of those remediations that are accurate and good we've found at least is really high. Um, and so I think that that at least leads me to believe that there's a a future where um you'll have this kind of iter

iterative approach inside um these AI agents and and other tools that can develop the code and then look at it with a kind of a different lens, evaluate the code, suggest remediations, and potentially apply them. Um, I mean, I think there's still a a a long future with humans in the loop there. Uh, but I think we'll see that that iterative process of development and evaluation and remediation happening inside agents going forward. I again speculation, but I think that's possible. Okay, I'll go sci-fi with everybody here. So actually there's been predictions about AI by the end of 2027 being able to first we have superhuman coding right so we get AI not only to do

coding but to do coding better than humans then the AI itself learns how to train machine learning models then it begins to train machine learning models to create better AI and then does that at scale and really the only limiting factor you have there is its access to compute so if you think about that it's going to get very very good very very fast and you know there's some people say it's not going to happen it'll hit a wall. But let's go with that, right? So then you can imagine code that essentially creates im an immune system for itself. Imagine imagine code either either reaching out to another agent and agentically doing this or it can even

reach out to a human team and saying, "I want you to pentest me, figure out what my vulnerabilities are, and then I'm going to patch those myself." And of course, it creates copies of itself so it can go back to that in case it gets attacked in a certain way. And as it does that, it gets better and better at what it does, evaluating its own ability to execute on its tasks and then repairs itself and improves itself over time. And if you think of malware doing that, I don't think you have to go very far down your imagination to think of how scary that is. But then, of course, you're going to think there are going to

be defensive, you know, AI meshes that will react and do the same thing as it gets attacked by one of these. But that's that's where my mind goes when you ask the question. Yeah. To add to that, Adam, I think um I did read an article fairly recently about AI being able to, you know, do millions of models of what it might look like, right? And then start looking um you know, to things that haven't even happened yet to to create those models ahead of time and then be able to instead of react to them, anticipate them. um and and start building off that. I think it's scary. I mean, everything that's been said so far is is really how

I feel. And often when I think about AI and possibilities, it doesn't take long for me to start thinking about movies that I've seen and ways that you see these robots or whatever taking over and and whatever that might look like. But I I think I don't know how long like what the time frame is for any of these things that Adam kind of mentioned a little bit like at some point we're gonna we're gonna see like some really crazy things. I mean even like two years ago if you think back and you were probably just getting introduced a little bit to chat GPT and now there's so many different tools out there you can use for all of those type

of things. We just we'll just continue to see I guess advancement as well as what threats look like. Uh the way it's being used even now sometimes the tools that I'm seeing when I'm being approached are kind of amazing to me how much they have AI integration. Some of it's kind of terrifying to see how good it is uh and how few people can catch on to I mean if it's like language in a fishing email or something like that like how realistic it looks or even if they have something that's like a video that's been created by AI using a 10-second clip of the CEO. All that stuff is just terrifying. And I think a lot of it comes back to what are

we doing on our part at our respective companies to help raise awareness for our employees so they can try to make good calls as best they can with those attacks as they come in. Uh that that part's probably the most terrifying to me. Maybe among a bunch, but one of them.

Yeah, those are some great points. So I think you know resonating with what Adam was saying right that singularity point where the AIS can self-improve um really is going to mark you know kind of that tipping point where things change rapidly from us kind of understand what's happening to you know the AI you know basically getting superhuman or super intelligence where you know we don't really have a chance of really understanding what it's doing but uh yeah my hope is that uh you know Uh, AI clicks all the links because I'm going to click all the links, too, you know. So, all right. Okay. Oh, we also talked a little bit about quantum computer. I

think Brett brought that up. Um, I if quantum computers go mainstream and we've seen some recent developments in that like namely I think Google came out maybe it was called the Willow chip recently. um they had some big improvements on stabilities around their quantum chips. Uh how how do you guys how do we feel like that's going to change cyber security and change just like overall you know society's landscape? I I think I don't get I don't get that scared of AI, but I get kind of scared of of like quantum because I I think it if it if the if the promises come true, right, or the the the things that we think will happen

come true. Like no communication is safe. Um and and we know that there are people, you know, gathering all the encrypted communication that they can right now for a future state where it can be decrypted. And that that is really concerning. And so but but we've seen this in the history of the field is it's kind of a cat and mouse game of of back and forth uh capabilities improving. So, I hope there are people smarter than me that are working on uh solutions to that because I'm, you know, it's certainly not something that uh I spend too much time worrying about because if it happens, I'm just I'm just kind of hosed anyway and there's not a lot I can

do about it. that that kind of capability jump really concerns me for all of the historically encrypted data that that is just flowing everywhere and being captured by everyone because right now it kind of doesn't matter because it can't be decrypted and and we feel like it's safe. But if that whole paradigm of of assumed trust or assumed safety of that encrypted data changes, I I don't know things things change really fast, I think. Yeah. I mean, I said it before, right? Cryptography is going to change a lot um when that day comes. and uh you know whether it be blockchain or whatever it is all of that's going to be out the window if if what happens is you know

what they tell us is going to happen is is happens. So yeah it's another technology that is difficult to imagine and extrapolate how much it's going to change things. And I think the one thing we can grab on to is is cryptography because we understand the mathematical cycles it takes to do that and you know to break it you know it's very very difficult but if with quantum computing suddenly it's possible but then you just have to go one step further to think of what else is possible with that much compute power and then if you couple that with AI now we have AI running on you know quantum computing power it just supercharges the

other things we've been talking about but in addition to lots of other compute that we haven't thought about. So much of the way we do things depends on the physics of the way our current uh processors are able to operate and when suddenly you're freed from those restrictions. It's going to be amazing to see what happens both for good and uh you know for ill as well. Yeah. As we as I've been listening to this and I've been thinking a little bit more about it, there's a couple things that come to mind. One is in the classes when you learn about encryption now and how long it takes to encrypt, the longer things get uh like how many millions of

years it would do. That class would have to change with quantum computing, which would be nice. Uh, I think the other part, and Adam touched on this too, I think there are scary parts to a lot of this stuff, but I'm also really anxious and excited to see how the tooling that we have comes to match the threats, the advanced threats that we'll see from quantum quantum computing as well as through AI. Just the way that we're using using both of those to our benefits. what bright minds out there are currently working on something or will work on something that can help us and the security community do a lot of our work a lot faster and be

able to be a lot more uh I guess preemptive as well as when we see something like an alert comes in how quickly that's going to be triaged without necessarily having someone hands- on keyboard doing a lot of that stuff. So yes, the scaries exist, but I'm also looking forward to a lot of the cool things that that will come with it.

Yeah, I'm excited for quantum computers to get here. So, seems like some sci-fi technology for sure when you start to dig into it a little bit more. Definitely going to be exponentially faster than we're running currently. And um you know, I do know there's some quantum proof algorithms that that the government's been working on and things like that and I'm sure more of that will come out in future. But I think really one of the big questions there in my mind is what's going to be the accessibility of quantum, right? Is this going to be locked up in a few labs or a few tech companies or is this going to be in everybody's PCs? And really that's

really going to dynamically change the game and especially if we can get the more of the compute down to the endpoint layer, we could probably do some phenomenal cyber security functions. So cool. Um,

all right. I refuse to buy anything in my house unless it's smart. It needs to be connected. Doesn't matter what it is. It's got to be a toaster water cooler, maybe a doorork knob. It's all got to be connected, you know. Is that a good strategy? What do you guys think? Yeah, Brent's got an input. Yeah, I mean, first thing you do is change the password, right? We've we've learned that. Um, no, it it doesn't scare me. Um, I mean, one thing I do is look to see where the traffic's going, right? If it's going to China, then, you know, I'm maybe a little bit more worried about it. But uh yeah, but maybe may you know maybe

China's no different than somewhere else too, right? It's it's uh but yeah, I mean it it doesn't scare me, but I do I do keep an an eye on it and where that traffic's going. I I want to know where it's going. So I think I learned this lesson from you Bryce. That's a bad start. Uh we had a conversation like I don't know 5 years ago or so when we were still at Adobe together. Uh you had left. We talked about how the scale in the bathroom could get popped and then be sending personal information elsewhere. Uh I I like to embrace it myself. I'm like Brent. Like I I'm a little cautious with the ones that I

bring into my house. And occasionally when I have neighbors and friends that tell me about something that they just bought, I ask, "Well, did you buy the real the real thing or did you buy the knockoff that's that's supposed to do a lot of the same stuff has free and unlimited storage and whatever? And what else do you know about it?" And often it's going back to China or whatever. They just buy some knockoff off Amazon. And I just tell them look into it. You kind of get what you pay for. They don't they probably don't have a security team. uh at least not one that's doing what you want them to be doing. Oh yeah, that's that's my take.

So I'll go with the spicy answer. Um so who here has like an IoT device in their home that operates? Okay. And who in here has any type of social media on your phone right now? Okay. So, if you're thinking about what am I worried about someone hacking me or knowing about me or surveilling me between those two technologies, I am way more concerned about social media than I'm about any of your IoT devices. It knows more about your psychological profile, your habits, your location, and everything you're doing than any of those devices in your home. And someone can use that to manipulate you, change your opinion, and do many other things to you. And some of those

companies, if anybody's got Tik Tok, you know, they're beholden to a foreign nation. So, I'm just saying, let's make sure we do proper risk assessment and and assess what we're doing, right? Did you I I I 100% agree with with Adam. That's the thing I was going to say is it's important to understand what the risk is that we're afraid of here instead of just being afraid in general. Um there's there's two stories that I always think about related to this this topic. One was the there was a this was a long time ago. There was a a military guy in a military base somewhere and he would go on runs and uh you know

whatever running app he used made Yeah. It made his runs public and so you could literally see like the outline of a military base because he would run the perimeter of the base every day. um a a base that like wasn't on Google Maps and and that is some uh that is a serious failure of operational security, right? But um my house is on Google Maps. Um and if you Google me, you can find out where I live. Like I don't have that level of that that level of need for uh security. If if if my uh you know if I were to run if my running data were to get onto the internet, okay, uh if I

started to run um not a big deal, right? But but for that person in that situation, it is a big deal. Um I know of some executives who have had um death threats against their family, um children, you know, attempted kidnappings, things like that. for for them, they have a different level of of of need for operational security in their lives. So, um I think it'll be a little bit different for everybody. The other story that I think about this is um after we got Google Homes, we had them for a while. Um I found out you can go just uh listen to the recordings of like when you trigger the, you know, the the

keyword. I don't want to say it. It's not going to trigger here though. Um, if you trigger for most of these, for for the Amazon ones and Google ones, you can go and listen to snippets from the recordings from when it triggers. Um, that's pretty weird. Uh, because, you know, they trigger on accident all the time. Um, and even though I don't know if you've noticed, but if you watch them closely, the little light will come on. it won't say anything, but it like I don't know if there's like levels of when it thinks it hears uh the keyword and it kind of listens to an analyze to see if it thinks maybe it really did.

There's a lot of situations where it's recording when you don't think it did. And so if you have one of these devices, go back and listen to these recordings. Um, they trigger a lot when you yell at your kids, especially uh like if you have like one of my daughter's names is Sarah and we trigger Siri accidentally like all the time when we say her name loudly trying to get her attention. Um, so maybe those devices are recording stuff that you don't want them to record, but go, you know, go look, go do the research and and understand what you might be afraid of instead of just being scared in general and just have again a little bit of

healthy skepticism, but don't don't go crazy. To Adam's point, I I think social media and the influence that that has is in a in a whole other world. Um, comparing the the damage that it could do.

Yeah, we kind of asked it already, but if like who in here has something that is connected to the internet at their home that they use on a daily basis? Nothing. the one person in here that doesn't uh I I agree with what's been said. I think it's really interesting to to see the way that we've adopted it over time. I tend to be kind of a late adopter for some things because of my own skepticism. Like I it took me a while to get like we got an Alexa because my kids were asking for one. when we did that all that I mean if that thing was to profile us it would be like Alexa make a

toot noise or Alexa call Santa Claus stuff like that that my kids were just obsessed with doing all the time. Uh which I think is interesting I and like somewhat scary at the same time. But now I along with social media and what what my phone is collecting about me and my sentiments like I don't have a lot of social media on my phone in the first place. But the stuff that I do have, I pivoted from what I first did on social media to now using it to my advantage. So, I often tell it, "Hey, I need a million dollars." I say that pretty loud so that if I ever get served up an ad

that says, "Here's here's a million dollars," I know where it came from. Uh, but I like it for other reasons, too. that it's like if I ever feel like I want something to be uh I don't know kind of front and center for myself as far as either the problems that I have from a security perspective I I'll use not that I'm using social media other than maybe LinkedIn occasionally uh but some other things like if I'm interested in outdoor gear or something sometimes I'll follow and do like a reverse psychology so that all the tracking and scary stuff that's being done is feeding me stuff that I actually care about. I'll just add it's obviously not an

eitheror, right? Secure yourself across all domains. It's just if you're going to spend your time and energy somewhere, make sure you do a risk assessment. Understand where you can spend your limited resource to have the most effect on the security of your life. Uh as opposed to just being afraid of the new flashy thing or the thing you don't understand. Josh, if that million-dollar strategy works, you just be sure to let me know. Okay. I got I got a funny I got a little funny tidbit. So, uh no, I don't endorse this strategy. Okay. So, but I I've noticed that if I just click things I want my wife to buy me enough that they start appearing on

her computer as ads. So, it's like inception into her brain about what things she's like, "Oh, I should buy Bryce this for Christmas." It's like it totally just appeared randomly. I'm like, "Oh, yeah. I did not click that link like 50 times." And the second one is uh there's a news article about a year ago about a high-ranking member of the Russian military and uh they they believe he was actually assassinated by a Ukrainian uh person uh based on his Straa data. So they tracked him and he would go through the same park every day and they tracked him on Straa and assassinated him when he was doing his morning run or whatever in inside of Moscow. So So yeah, it's

all about your wrist posture, right? like probably none of us need to worry about that, but you know, if you're in the military, then probably a bad thing, right? So, yeah, pretty crazy. Okay.

Um, okay. looking forward or ahead, do you feel like cyber security is going to boil down to technical wizardry to solve it or is it really going to be more about just cracking the code of human quirks? Okay, I'm just going to say one thing uh that Signal is a great app until you add the wrong person to the chat thread.

You did that wrong, John. You're supposed to drop the mic. We only have one. No one wants to touch it after that comment. Yeah, I think we're a long ways away from you removing the human element out. Um, you know, I'm I'm I'm thinking about I'm this industry that we're in is so unique, right? I mean, how many of these conferences do we go to every year, meet new people in the field, right? Um, these guys, I consider them my friends, right? We know each other very well. Our wives know each other. Um, you know, we we we, you know, this industry of cyber security, the way we share and and collaborate and and everything else. Um, and I think

that even goes, you know, into our teams and stuff, right? Um, in our individual, um, uh, employer, uh, places where we're employed. But, um, yeah, I I I just think that I I don't know of any accounting, you know, conferences that everybody's going to every, you know, three or four times or even it, right? We're just in a very unique place to where um it's kind of we're all in this together and everybody's trying to help each other. And I don't think we're going to ever remove that out of cyber security. I just think if you look back, humans have been tricking each other for personal gain or other reasons since the beginning of time. I don't think it's

going to change. It just moves where it happens. So not no matter where unless we take the computer the human completely out of the loop there's always going to be a human involved and when there's a human involved you can always trick that human and if we're allowing that human to do things to cause things to happen you know make decisions transfer money push buttons then we're always going to attack that human because we have thousands of years of of history that shows us how we can trick and manipulate one another to do things that we want to do. So, the only way I think we're ever going to get away with that is if like and this is like a

crazy future state could possibly happen. If the internet fades into the background of our lives and it's just AI bots talking to AI bots and they just give us what we want and we don't have to really interact with it much anymore. Maybe there we'll have a less of a focus on trying to secure the human. But I think until then, as long as humans are involved, we're going to try to trick each other and we're going to be really good at it. On the subject of AI bots, what what advice would you give to new people in the industry on AI bots? Are they going to take its job like aentic AI or how can they

better preposition themselves to um you know be less affected right negatively by the future of AI? Any thoughts in that area? I mean, personally, I'm hoping the AI takes my job, right? It'd probably do a much better job of running this panel than I would, let's be honest. So, I mean, I do think that I do think many industries will change and with that change will probably come some jobs being either eliminated or fewer people doing them. Um, and so I think it's important to be flexible and be aware of the technology that's coming. Um, I think in the short term the best way to protect yourself and and set yourself up for success is to be proficient with with AI

and and know how to leverage it to make yourself uh more valuable. uh because that's that's more and more that's who you're going to be competing with for a job is somebody who can you know 10x their own work with with um the best AI that's available uh in whatever space you're working in. Uh but I think to say that like we'll never experience job cuts or job changes because of AI is probably a little bit naive. I mean I think it's going to happen. I think the question is where that happens and what what new things come right and and what other benefits we get from it. The you know this the statistic around manufacturing that goes

around a lot in the US is we're producing you know a bunch more in the US now than we ever have just with a lot fewer jobs and that comes from robotics and automation in that field specifically. And so I think I think AI is just allowing that uh that type of proliferation of of automation to happen outside of manufacturing which is where which is the only place it was really practical before. So I think we'll see it in more and more places. But what I'm hoping is that we'll just see more um efficiencies um and more distributed efficiency across um industries and and continue to allow uh you know kind of humans to work

with this and just be more efficient in what they're doing. I think there's really two things you can do today uh to really try to tackle this this problem. And one is to do exactly what John's saying, like get really familiar with AI, understand what its strengths and weaknesses are today, try to look at what's coming, anticipate that, get good at it, make it part of what you do to make yourself valuable and more productive. I think the other thing you can do is really look at the industry and say what are the jobs the grunt work type jobs that I think are going to be the first ones to be replaced or automated with AI and just looking

across that and then maybe you know going where the puck is going to be and saying I'm not going to focus on that. I'm going to focus on some higher level tasks that aren't the ones that are the most likely early on to get automated away. And I think if you can think of can think of it that way it can help you a lot. I'll give you an example. My son, he really loves computer science. He was trying to decide on a major. And after talking to everyone and seeing all the advancements in AI, which were really happening as he was going through his early stage of his college career, he changed from computer science to uh

applied math and machine learning because then he realized, hey, now I can go where I'm building the models, I understand the models, I understand data science. it's higher level and it's not just being a coder which is probably one of the things that's going to get automated the most. Now it doesn't mean we're not going to need coders. It's just that was the decision he made to try to get ahead of it. So I think if you can think of those two things it'll really help you in the short term. I think in the longer term it's way harder to predict where this is going to go. So just you know buckle up and giddy up.

I feel like being at the end of the row, I could say I agree every single time. Uh I do agree with what every with what everyone has said about the the topic. I think that there's cool opportunities for AI and the way that it it's currently being used across all of business. Uh but especially within technology. I can't remember the last time I was on a demo for some tool where they weren't like, "Man, check out our AI." Uh, and and for that matter, I don't remember the last time I had like a meaningful conversation uh outside of maybe in this group. Oh, even in this group, but a meaningful meaningful conversation with people that

that was like that took I'll back this up. It seems like AI has seeped into every part of our life. Like last week I had a friend of mine whose daughter is on the same soccer team as mine uh as my daughter and he was like check this out. I put the schedule into Ical using the the the schedule that they gave us in this email. I just asked chat GBT to create this and it came back to us uh or it came to back to me is this if you want to add these to your calendar I have already done it for you which is really cool. Um but I think for our own

purposes and what we see in security we'll see more and more of that. I think what Adam was mentioning too where if you can try to get ahead of that as much as possible, I think it's beneficial to put yourself in a position like that if you understand how to do your job and kind of augment uh or add value to what you're currently doing using AI. I think that's helpful. Uh at a another conference that Bryce put on, Adam talked about what was it called? Deskkilifying. Was that the word? Uh, if you're using if you're using AI to deskkillify yourself, I don't think you're doing yourself any favors. But if you're doing it to to find ways of

making or finding efficiencies, like John mentioned, I think that's really beneficial to not just what you're doing, but your security program as a whole and to your company, uh, I think there's just a lot of a lot of areas you can kind of see and we we have a little bit of insight into what things are going to look like in the short term to Adam's point, but it is really hard to know what what things are going to look like in the long term. And I think having at least a pretty fundamental foundational understanding of AI and its capabilities is really crucial for any role, not just security.

Okay, great. Thanks. So I um you know strongly agree that you know we're in a technology industry. I mean you should expect things to change right as yeah time progresses. So part of that is figuring out how we're going to leverage these new technologies to push our cyber security initiatives. All right. Uh there's a few companies out there and they're working on computer chips to directly interface with our brains, right? Have you guys seen this Neurolink and all that? Do you guys believe that within our lifetime we're going to need to be installing firewalls into our brains? Josh Josh definitely needs to answer this one first. I [Laughter] agree. Uh I don't know about firewalls

in our brains. Maybe. I don't know. Although Yeah. Tony says filters. That's a good thing. It would probably be a good thing for a lot of people and including some users of Signal for that matter. Okay, I'm done. Uh, just kidding. I I I think I mean to a degree and we talked about this earlier capability currently exists to pretty much know our persona, right? If you have social media, we already are feeding all that stuff in there. like Adam was suggesting this earlier like a if you have social media on your phone like what kind of firewall are you putting in place to protect yourself from that as far as something in the brain I do think we're going to get

people that are really into that and want to adopt that really early uh which is crazy to me there's one person in particular I would be really interested into I mean all right Elon Musk if he gets Neurolink himself what is that going to look like I I want know, I'm like anxiously waiting just to observe what happens there. As far as firewall use and what that looks like, I I don't know. It's It's hard really hard to know exactly where that's going. I I don't want any part of computer or software in my in my body if I can help it. Yeah. I think uh obviously I think anyone here if you've touched security

at all with technology you're probably very leerary of putting that technology into your body in any way that can do anything. So I think we all have that healthy skepticism. But again I think in the short term especially this is a risk conversation. If I can't walk but putting a chip in my brain allows me to walk again at least partially I'm probably going to take the risk because now I can walk. or if I can't hear or if I can't see. And that is a miracle. And I think that's amazing. And I'm going to let all those people beta test for me before I consider doing any of that so that we can get the security

down and really have robust security of these systems and figure out how to put it in our bodies. But I I cannot imagine wanting to do that myself unless and until, you know, biology always wins. Until I get to that point where I'm really old or something happens to me and this could improve my quality of life and the risk is is worth taking, the ROI is worth it. At that point, I would call the technology direwolf. Has anybody read the book uh Terran Menace? Anybody? Okay. So, it kind of deals with this, right? Um, I'm actually listening to the third uh the third book right now in that series, but it brings up some really interesting

things like plugging that into an AI. What does it do to your shortterm and long-term memory, right? If they're all one thing and and it just brings up some really creative thoughts and and uh you know how it can mess with somebody really badly. Um it's about this guy that they make this young kid that makes they make him make him into this super warrior to combat this um alien you know uh super advanced uh um society that that has come that you know is coming into to um our universe I guess. But uh it really brings up some interesting things on how that would happen to interface those two uh together, our brains and AI

together. And um you know, yeah, it's all sci-fi, but you know, there's probably some real things there that we would never even think about on on how it would affect us. I think about the 23 and me breach uh or breach or they are being sold. Did they get breached? Bankruptcy. Yeah, there was no I don't want to I don't want to slander anybody here. Um the the concerns around around 23 of me. Um uh I I did it. So, uh I don't know, somebody's going to get my saliva information. Um but and so there's a couple of things I think about that eventually that you know that data is going to be breached or sold to some

company that I don't really want it to be or whatever is going to happen there. Um but but I think kind of to Adam's point, I think about the people who have experienced real benefits from those services. I I know somebody who um whose whose parent discovered that they like one of their parents wasn't the parent that they thought they had and have found like siblings and that that they didn't know about. Um my use of 23 andme was not that profound. Um I think I have like the wet ear wax thing. Uh which is about all I got from it. Um, but because my experience wasn't that profound, like I don't want to take

that experience away from those who were, I just, you know, again, it goes back to a risk thing that that I I know using these services, there's going to be some risk. There was there was a lot of talk when these came out that, you know, health care companies would use it to if you had the genetic marker for some forms of cancer, maybe they wouldn't insure you anymore. I don't think any of those like real um big fears have come true yet. Maybe they they still could. Um and so it's a you know it's a trade-off. Do we do we not face some of these risks um and then at the same time not get the

benefits that people have experienced from it? I I don't I I want to think that like there'll be these advancements where people can walk and talk because of um implant implanted devices in their brains. So I think that's good. I think this goes back to the previous question that the more we advance these types of new technologies, the more work there is for people in this room to secure those technologies. And as long as I think we approach it with a balanced approach of the more we expand into new realms of technology and new data collection uh methodologies, you know, the more we need to take steps to secure those and and uh respond and

and remediate the risks that we identify with those individual uh services and technologies. Yeah, agree. So, also I can't wait to ride a T-Rex. So that's that's where my money's at. Okay. Uh we're coming to the close. Um so final question and um also any closing thoughts that anybody on the panel wants to talk about. Um let's see here. My questions get progressively crazier as you go down the list. [Laughter] Okay. What what advice would you have for the for the next generation or for people that are getting started in cyber security? Um, you know, I know we talked a bit about the AI. Um, I know we talked a little bit there's a lot of people who

are probably trying to figure out at this point in their career, should I, you know, go down the technical path or should I go into compliance or should I focus on risk management? Um, obviously any any avenue is is a valid path, right, to get into cyber security. um and you know as well as there's other paths out there uh but yeah kind of any parting thoughts on how people can get more involved in cyber security get started in the industry or grow in their careers so I'll give you guys a minute to think about that so and then and then I'll start with [Music] Josh I shouldn't have made any comment uh this is a really good question and I

think about this a lot not just for this panel but uh in the people that I work with I get asked questions like this pretty frequently uh one of the things I I have told people I think continuously meaning when I've been I look back and I've been asked this before this is something I go back to a lot but just to simplify the whole thing whatever you do do it well and I say that to I say that to students when they're going through school uh when people start on the team. If they can figure out what their niche is, then they get really good at it. Then they start getting really creative and and

they start pulling in all the elements we've discussed today, I think is really cool. U I really personally appreciate seeing someone that's like really passionate about what they do at work. Not that it's like it takes over their entire life, but if you are doing something, be really good at it. Makes yourself marketable and you you could be a thought leader. I mean, I'm not trying to toot Bryce's horn, but Bryce is very good at what he does and he's willing to give back. He He creates like these conferences to give back to the community and those kind of things, but whenever I sit down with Bryce, I'm constantly going, man, he's so like brilliant. The way that you think about

things, I think is just cool. And that's just one example of many that I could probably pick through even within this audience of ways that you differentiate yourself. So, whatever you are, be a good one. Yeah, it kind of this I get asked this question a lot and so it really depends on where someone is, but if there's one thing that I find is universal across everyone I talk to and one of the things that I see holds people back the most, it is your ability to communicate and deal with other human beings. So I just recommend you get good at that because that is so important. No one wants to hear it. They call it soft

skills. I don't think they're soft. I think they can be very difficult and you can study them your whole life and you can get better. But if you can communicate with somebody and really connect with them and get your information across or uh get the information from a person that you need and you can do that well, it is going to serve you well no matter where you are, no matter what you're doing. Yeah, I'll just echo that as well. Um, you know, I made an observation. And I I gave a talk at Besides last year and I I made an observation that um you know some of us are born to cyber security and some of us kind of stumble into it.

I definitely stumbled into it, right? Uh but um regardless and it doesn't matter where you come from, right? You can become good at at what you do. Some people are more predisposed to red teaming, some are more predisposed to blue teaming. It's just the way that we're we're made up. But um but yeah, just find what you love to do and just pursue it, right? And then I already said this, use the community, right? We we are unique in in what we have and uh the help that you have around you and who you can reach out to and ask questions to. Uh we do it all the time, right? Um but yeah, just just use the

community and who you have around you. Uh, I will echo what everybody said. Josh, I see what you're doing. Um, especially the community thing. I feel like my my career has changed a lot over the last, you know, 10 years especially. Um, but I but being flexible and kind of rolling with those changes, I think is super important. I've got a couple of friends in the audience that I worked with at a previous company when I was like a dedicated Splunk administrator and that that those associations that I made at that time are very important to me and continue um to be important to me as a as a head of security. I have different

um a different role. And so continuing to find communities that will help you where you're at and that you can give back to and help your peers is super important. Um I love being able to spend time with these guys and they have helped me a ton as I've kind of rolled into that into that new role. Um and just know that that change is going to happen for everybody as you progress in your career. the the the more responsibility and the higher you up you get in your role, the more your role is going to turn into a sales role. Um, I'm sure Bryce can talk about this with with the companies that he's been involved

with, but um, most a big portion of what I do now is working with customers to get them comfortable enough to buy the solution for the company that I'm at. um you know that's a that's a big part of it and I kind of hated sales before um but realized that I've got to embrace that um as a role and it's become like the fa my favorite part of my job um because I feel like I'm I'm giving uh real value back to the company that I'm that I'm at um and you know the same goes if you're even in a technical role like the principal appsc engineer on my team has to take those customer calls

when I'm not available. And if he sucked at that, he would not be as good at his job. Um because, you know, you need to be flexible with what you're doing. And a lot of that goes back to being able to communicate and speak well to people and and and communicate why what you're doing is important and how it provides value. That's great advice. Thanks, John. Thanks Brent, Adam, Josh. Really appreciate all four of you taking time out of your day on Friday coming down and sharing your journey and your knowledge and you know where you see the future going to everybody here at the Bides conference. So big big round of applause for the for the

panel. Okay, we're going to conclude now. Thanks everyone for coming out.