Security Visionaries LIVE at Infosec Europe: CISO / CEO Crucial Conversations

0:00:01.7 Emily Wearmouth: Hello and welcome to the Security Visionaries Podcast. I have something a little bit different for you today. Attendees at the Infosecurity Europe Conference in London this year had an enviable opportunity to witness and participate in our first ever live podcast show. We had a great time doing our thing in front of real human faces and we promised to see what we could do to clean up the audio and make it available for those who couldn't attend. So that's exactly what we've done. What you're about to hear is a recording of that show, so please forgive a little background noise. We've done some post production magic so it's hopefully atmospheric rather than annoying. And now I'm going to hand you over to, well, myself. Enjoy.

0:00:42.1 Emily Wearmouth: Hello and welcome to the first ever Security Visionaries live show. If you've not been to a live podcast show before, just a bit of expectation setting. It's just like listening to an ordinary podcast, but you don't have to do any washing up at the same time. So you're already winning. And we'll crack on from there. The Security Visionaries Podcast has been running for a few years now. If you're not familiar with it, have a little dive in our back catalog on your way home. You can find it on Spotify, you can find it on Apple Podcasts. We aim to get leaders from the cybersecurity data related industries to come and talk to us and we grill them with some tricky questions to hear what interesting things they've got to say. So you'll find episodes with people from Rolls Royce, World Rugby, CISA. We've had Dr. Zero Trust and the Godfather of Zero Trust, but we kept them on separate episodes so that we didn't have a fight. But you can catch both of those as well. Today we're going to be talking about the conversations that CISOs need to have with their CEOs this year.

0:01:41.2 Emily Wearmouth: So let me start by introducing our guests. First up next to me we have Holly Foxcroft. Holly recently joined OneAdvanced as their cybersecurity business partner. She's over 15 years experience in cybersecurity. She started with military service, she moved through academia and now is in the private sector. Her strengths are aligning security with commercial interests to drive stronger cyber resilience. And you've probably seen Holly out and about because she's a big advocate. She advocates for women, she advocates for the neurodiverse, and you can catch her previous Security Visionaries Podcast episode where we deep dived into neurodiversity. And I highly recommend that one. So, welcome back to the podcast, Holly.

0:02:20.6 Holly Foxcroft: Thank you for having me. It's a pleasure to be here.

0:02:23.4 Emily Wearmouth: Our next guest is Ian Golding. Now, Ian is the Chief Digital and AI Officer at TC Group. Did I get that right?

0:02:30.3 Ian Golding: Yes.

0:02:30.7 Emily Wearmouth: Excellent. Almost not. Ian's been kicking around this industry for well over 20 years as CIO, CTO and DPO for a range of companies. The Natural History Museum is the one I think is the coolest, but he's also got ERM Group, RNLI, pretty cool too, and lots more. There's a theme that you had to audition to get on this stage. So Ian has also been on the podcast before and you can check out his episode where we were talking about different leadership roles within cyber security. We were looking at interim and fractional roles. So welcome back.

0:02:58.8 Ian Golding: Thank you. Pleasure to be here. I'm just trying to get used to the fact that we can only just hear our own voices.

0:03:03.7 Emily Wearmouth: I know.

0:03:04.0 Ian Golding: But everyone else can hear us booming out, perhaps. It's very weird.

0:03:06.1 Emily Wearmouth: I don't know whether I'm shouting for them, but I'm straining for you.

0:03:08.9 Ian Golding: Thanks.

0:03:10.3 Emily Wearmouth: Now, our final guest won't mind me saying he's a stand in. If you've looked at the program and you're expecting Neil Thacker. This isn't Neil Thacker.

0:03:18.2 Rich Davis: I'm not tall enough to be Neil Thacker.

0:03:19.6 Emily Wearmouth: You're not tall enough to be Neil Thacker. But Rich Davis is a cybersecurity strategist at Netskope, and he spends his time reimagining network and security technologies to solve organisational challenges. And then he helps CISOs and CIOs importantly get green lights on their projects. So I think he's got some interesting insights for us today. He has nearly 25 years of experience, has a really nitpicky forensic eye for detail, so I'm sure he'll pick us up on some of the conversations that we have. Thank you ever so much for saving the day and filling the seat, Rich.

0:03:48.0 Rich Davis: And I have been on the podcast before as well.

0:03:50.8 Emily Wearmouth: And he's been on the podcast before. He's done his audition. You can check out his episode, which was all about whether doing an annual day for things like changing your password was ever a good idea, whether it could achieve what we wanted it to. Spoiler alert. Probably not. So what are we talking about today? I'm stealing. There's a piece of research that's just come back from field, done by Netskope, where they've talked to CEOs and their tech leadership teams around the world, and they've been looking at how is the relationship? What are the conversations that are had between those senior members of an organisation's team and how would the CEO like those conversations to go? This is research that is literally hot off the presses. It's not launching until the autumn, so you're getting an exclusive access to it. It transpires there are seven conversations that leaders need to have with their CEOs. We don't have time for seven. We're going to be focusing on four of them. We're going to be talking about cost, risk, innovation, and AI. And I'm going to dive straight in with a very un-British one. We're going to start with cost.

0:04:50.0 Emily Wearmouth: I'm going to give you a little bit of an insight into what the researchers found, and then I'm going to ask your responses. So, the researchers heard that CEOs want their tech leadership to act as a gatekeeper when it comes to cost. So rather than always recommending more spending as a way to bolster digital systems, they told researchers that they want tech leadership to focus on challenging suppliers and driving efficiencies, being seen to ask difficult questions. The researchers heard that CEOs want tech leaders to simplify technical jargon when communicating cost back to them, not spin them in circles with acronyms that makes them open their wallet up, and be able to think and express themselves in commercial language. So, how can a CISO prove to their CEO that they're challenging suppliers and driving efficiencies without getting bogged down into the details of what those suppliers are doing for them? And you're looking at me eagerly, so I'm going to come to you first, Holly. What are your thoughts?

0:05:45.0 Holly Foxcroft: Like a little puppy dog waiting for a treat, isn't it? So my role is specifically to work with the business side of our organisation, OneAdvancedd. So I look over all of our business, our product and platforms, and everything that Emily has just discussed is my role. So it's actually engaging with everyone outside of the technical and cyber security teams. And I have to have these conversations with people that generally think when I'm talking about cyber security, I'm still talking about very low risks or the same changing passwords, and that's about it. So what are the measurable outcomes such as a risk reduction? The best way to engage is finding out from them what their terminology is. If I'm reporting into the CFO, I'm of course going to be talking about finance. If I'm talking to my CEO, it's about innovation, how to stay one foot ahead, but with that risk in mind. So it's very much actually more of a study of linguistics. How am I reporting into them, so how they need to receive the message from me and not just taking it from that technical stance of tooling or how it's going to help us with the big threats. It's changing it into risk reduction, cost saving if we're looking at duplicating tooling and why I want to change things. And really driving the message forward from that area.

0:07:09.6 Emily Wearmouth: What about you Ian? Have you got any thoughts to add?

0:07:11.4 Ian Golding: Yeah, so I very much agree with you Holly on the outcomes question. We get bogged down in all sorts of lists of stuff. Quite often there's quite a lot of cost around software. Most of us in organisations have a long tail of software that's perhaps been around for a while, the legacy, the tech debt that perhaps holds us back. So rather than us thinking about hundreds and sometimes thousands of pieces of software at a certain cost, figure out what is the outcome or the group of capabilities that perhaps are associated with product set. Could be cyber security or tech foundational stuff. But I think by grouping those and then finding out the accountabilities to make those decisions can really demystify. So you no longer talk about the bit of software but what's needed to make something happen that the organisation needs. I think that starts to then connect more senior people to what the on the ground detail is looking like. So then the fog can then start to clear. I think it's up to us to make sense of those conversations. So cyber security is no exception. There will be a lot of legacy tools. At some point you have to figure out what's the path forward to decide what you want your tech stack to look like in cyber or it could be other areas.

0:08:24.4 Ian Golding: So really I think working across functions is a very, very good way to work towards that. I mean you need the finance, the people that deliver the product. Perhaps not everyone has the same view of the world. But get people to debate it and come to a consensus view on that.

0:08:37.9 Emily Wearmouth: How do you demonstrate how you're behaving with your vendors? How do you demonstrate that you're demanding efficiencies without creating an acrimonious relationship with your vendors?

0:08:48.8 Ian Golding: I think it has to be starting with what does the organisation want to be doing. Times change and the vendors that may have been in place for a few years and the suppliers may be delivering something that is more or less valuable as time goes on. So then putting the organisation needs first. Sometimes organisations are not super crystal clear about what the services are that are needed. But again I think that's where we can help to start that conversation. I mean ultimately you wouldn't say all of us in our tech functional roles are necessarily going to make those decisions. But we can certainly demystify and provide the elements of an informed conversation to have that debate. I think ultimately you want to have good suppliers that have a good rapport and relationship and understand what you're trying to do. So it shouldn't be acrimonious and it probably shouldn't just be beating down on cost. It should be about something that's more positive and more progressive. And then maybe it falls out of that that some other organisations or suppliers are not necessarily what you need for the future.

0:09:46.9 Emily Wearmouth: Brilliant. Now Rich I'm going to ask you, what are some of the areas this year that you think would be an obvious place to look to find cost efficiencies?

0:09:58.5 Rich Davis: I think in my role, talking day-to-day with CISOs and helping them greenlight their projects, I think the whole area of consolidation and platform consolidation comes up time and time again. And helping CISOs figure out what that balance is between going all-in with a single vendor and thinking about a platform-of-platform strategy. What is your organisation's level of risk appetite? Where does that sit in relation to your spend? Where does that balance with spend? And more importantly, and this is something that I think is often overlooked, is what is changing vendors or changing the underlying solution going to do to your user's experience? What is the day-to-day experience of those users going to be like? What's the performance of this change going to do? It's all well and good looking at potential efficiencies by consolidating tools, but if it has a negative effect on the productivity of the organisation, then ultimately that's the sort of conversation and aspect that CEOs are going to care about. They're going to understand that it's not just about saving that bottom line on your cybersecurity spend, but is this going to help me innovate as an organisation?

0:11:07.4 Rich Davis: If so, how can I put some figures around that? And I also work with organisations to go through business value discussions and actually put metrics around both hard and soft cost savings that they can then take to their organisation. And of course, hard costs are quite easy to calculate. But when you think about soft costs, you're thinking about things like the ability to be more efficient as an organisation. How's this going to potentially drive innovation within my organisation? How can my organization do things quicker and easier through the tooling that I'm putting in place and the changes that I'm making? And if we can get to the point where, yes, we're saving and reducing our budget, our spend, and we're getting these efficiencies on top, then that's a very, very easy conversation to have and very easy for a CISO to then get a project greenlit because the two most common issues that a CISO would face is, well, where's the level of risk that we're going to be facing in doing this? And secondly, how's this going to affect my user experience? How's this going to affect our organization as a business and our day-to-day?

0:12:15.9 Emily Wearmouth: Brilliant. All right. We're moving on to our second research area where the CEOs were talking about risk, which feels very apt sitting here today. So CEOs told the researchers that they want their tech leadership to present costed options with an understanding of the risk levels and associated trade-offs for each one, appreciating that you pay for certain levels of risk mitigation. The CEO will then use this information, they argue, to make informed decisions. Some CEOs want their tech leadership to find a balance and communicate that balance between risk and reward, but others specifically ask that their tech leaders are pessimists because they see themselves as the sort of gung-ho optimists driving the business forward and they want their tech leaders to sort of be the voice of reason and pulling them back. So Holly, how would you convey risk to a CEO? How would you make sure they understand risk?

0:13:09.2 Holly Foxcroft: First of all, it's understanding your CEO's or your EXCO's risk appetite. You have to understand where are their crown jewels and that's where you really need to guide the conversation. So this is where these softer skills in cybersecurity really need to move from focusing so much on that technical acumen, but in how to engage and how to deliver. So framing that investment is part of your risk mitigation. A £200,000 investment could save you from a £5 million breach and that's a 30% chance of a breach down to a 5% chance. Using graphs, using heat maps, different ways, and of course this is going to lean into obviously my work within neurodiversity and understanding the different learning types. Finding ways that people are going to interpret that data that actually means something to them. Finding that if your CEO is very much, and I know we're going to come to innovation, CEOs have a great habit of being very innovation focused. They really want to get to the end of why their business is a differentiator and unfortunately what they're then going to do is they're going to blindside all of that risk and they're not going to be able to see them.

0:14:23.2 Holly Foxcroft: So it's about navigating that conversation and being able to hold that conversation as an enabler that you're not looking to stagnate, but it's finding that common middle ground. And then when we're looking at costs, don't put it as one overhead, break your costs down. So it's cost per control versus cost per incident. And always keep highlighting back to what is residual risk? What is the residual risk you are willing to accept with regards to business risk? And it's not just in the cyber team, but this is also risk from HR, from finance, and actually I like to look at security awareness and behavioral training in terms of mean time to detect, mean time to respond, and where you can make those savings and costs. Sometimes we're spending so little on training and awareness that our risk is really going up in areas we haven't quite understood because we don't understand where that risk profile is.

0:15:23.0 Rich Davis: I think with that you can also typically then reassign resource into a much better area, right?

0:15:28.7 Holly Foxcroft: Absolutely.

0:15:29.4 Rich Davis: Going from a kind of a reactive to a proactive. And therefore, you're then getting ahead of the issues because you're thinking forward planning more. So I think that's some of the discussions I will have as well is actually not just the level of risk in a heat map, but looking at it with a forward lens as well. What's this going to look like? How are we going to change it as an organization in the next couple of years that might actually influence this?

0:15:54.9 Holly Foxcroft: You can even then go one step further, which is something that I'm doing and actually very much leading into my security operations team in how I can measure mean time to detect, mean time to respond, and actually look at my tooling to see where we can come down a tier because our security awareness and detection and training is really taking that ramp up. And that's something I'm driving in-house. Tooling I'm using is my time. And by me saying that's actually quite an expensive quality. I'll be giving too much information away. I'm then building and further bolstering not only our cybersecurity posture, but I'm actually taking our tiers of tooling down as well.

0:16:32.7 Emily Wearmouth: Ian, I'm going to ask you a slightly different one. Are there any risks that you think CEOs are blinder to than you would like them to be at the moment?

0:16:40.8 Ian Golding: I think the CEOs are comfortable rationalizing risks because in anything that's moving forwards, there is risk attached in multiple dimensions. So yes, I think CEOs actually are quite comfortable understanding the risks. And then to Holly's point, the difficulty is how to curate a conversation that doesn't descend into fine detail and doesn't become too lofty that it doesn't relate to anything. And I think one simple way to help with that is using data. Even if it fuels a conversation about what do people want their recovery point objectives to be. Another thing is I see a lot of generic current state assessments, which I do think are very important to have the baseline, which chief execs like. But I kind of prefer, but you know, NIST have this, if I can remember, identify, protect, detect, respond and recover, the sequencing in very relatable areas. So rather than saying we need a million pounds or something to update 55 different tools in different areas, otherwise everything's going to blow up, it's kind of breaking it down to where resilience is needed and where the risks might be. And quite likely lots of people have tools in all sorts of places overlapping, can consolidate.

0:17:55.2 Ian Golding: But once the organization and the chief exec is able to have a bird's eye view as to what that's looking like, you very quickly have a view as to where something is really needs some remediation. And therefore I actually think funding can more easily materialize in that sort of situation. I think executives are comfortable with taking risks, but they need us to help share what those look like in a tangible fashion to be able to discuss.

0:18:21.5 Emily Wearmouth: The point around optimism and pessimism really intrigued me because there was some research last year where it found that 16% of CISOs classed their own risk appetite as low, so they see themselves quite comfortable with risk. Those same CISOs, 32% of them said their CEO's risk appetite was low. So in this new research, the CEOs are saying, I'm an optimist and I need them to be a pessimist. And last year we heard the other view, which was CISOs saying they're really risk averse, but we're really comfortable with risk. And you can sort of see them swaggering around in this research. Does that seem strange to you, that differing perception of each other?

0:18:59.3 Ian Golding: Could I suggest that, I mean, it might be a little subjectivity in that someone may feel that their risk appetite is high or low, but in the absence of information to gauge where that is in a number of different areas, it might just be blindsided as we were just discussing.

0:19:15.0 Rich Davis: I think you also need to benchmark it against other organisations as well.

0:19:18.1 Ian Golding: That's a very good idea.

0:19:19.2 Rich Davis: Because you don't really know where your threshold is versus how other people see it.

0:19:22.6 Ian Golding: That's true, because generally I think organisations don't necessarily want to be on the bleeding edge and necessarily 10 times better than the next competitor. They want to be reasonably well assured that they're doing all the things reasonably possible that are affordable. You don't want to go out of business being so secure that you don't have a business, but you need to calculate those risks. And people generally like to be probably with the pack or at the front of the group of a pack in managing their risks appropriately.

0:19:50.1 Rich Davis: What they don't want to be is they don't want to be so risk averse that they're losing their competitive edge because of that risk profile, because they want to get that balance right. And I think that's what you were talking to, right?

0:19:59.0 Ian Golding: Quite true, yeah. Exactly, yeah.

0:20:00.3 Holly Foxcroft: I also think it's about risk of what? What are we risk averse for? We need, and this is again coming back around to that conversation with CEO or with CFO, understanding risk of what. What risks are they most afraid of? Is it reputational damage? Do they understand that cyber risk is, oh no, we'll be closed down for 48 hours, which will cost the business X. We'll also cost our customers X. That again is bringing in financial loss. Are we looking at risk of an ICO file for example? So I think when we say risk, we need to really explore exactly what risks, but also open it up to the risk they don't know about. And the ones that we're still kind of navigating, who else in the business is using online technology that we don't know about? Because they may not be using it on machines from the business. I promise you, your organisation's using AI where you don't. What's scary more than that, if you're joining collaborative calls with another organization that uses an AI to screen record, in that terms and conditions, which just by joining that team's call or Zoom, we've already accepted that that AI has then taken that whole recording, even screen sharing, and all of your information you've used to join the call, and then record that and then store it into their database. How many of us are actually within our cyber teams now processing that within our data back to our CEOs to say this is a risk?

0:21:35.4 Emily Wearmouth: Yeah, it's quite, you can see the strength of an anecdote as well. You can talk in these grandiose numbers that aren't attached to anything. The minute you give them an anecdote that they understand, that's their day-to-day experience doing their job, it brings to life the risk a little bit more.

0:21:50.8 Ian Golding: I think it's like an interesting conversation to have. When you can get the conversation started, if the finance system is down for a day, it may be very inconvenient, it may be very disruptive, it may be very annoying, far from ideal, but most organisations probably, it depends on the extent of the interactivity with customer base. A lot of organisations can actually work quite well with their systems being offline for some hours, some days, but it really is about understanding what's that tolerance, and when does it become intolerable? But it's interesting because that's not detailed or technical in a way. It's like just having the plain English pragmatic discussion with colleagues about what they would expect to happen from which other decisions can follow.

0:22:33.0 Emily Wearmouth: I'm going to move us on to the third of our conversations, which is innovation. You've been trailing my topics as we go, Holly. This is one of the ones you've been trailing for us. This is what the researchers found. CEOs that participated in the research said they wanted their tech leadership to be aware of the latest developments while also perming their enthusiasm for adopting them wholesale. They want tech leaders to take a, quote, rational approach where they, quote, police innovation and, my favorite quotes, avoid new toys, focusing instead on business values and outcomes. There's some very loaded words, implied criticism, let's put it that way. What is your reaction as the person that they're talking about? Do you think that tech leaders are guilty of potentially over-enthusiasm for innovation? Ian, I'm going to come to you first.

0:23:19.6 Ian Golding: Well, innovation is a really, really good thing. However, shiny things, shall we say, in their own rights don't necessarily achieve that much, but they could in the right context. Again, I think this is another example of a team sport, and there's a bit of a theme with what are the outcomes here. If there's a shiny thing or something that plugs the gap or provides a capability to do something organisations need, that may be very valuable. But to be successful in cultivating that spirit of innovation to lead to something tangible probably needs a good cross-functional group of people to assess what it's going to be doing. I mean, you need people to understand the IP, maybe increasingly it's AI and ethics. How's it going to be used? Don't surprise your customers or people with your brand and reputation they didn't know something was happening with their data. Where's the IP just for protecting your own IP, the stability, security, et cetera, of the platform? But all these are things that often lie in different teams as well as the people that want the attractive quality of what that tool can or that piece of software, whatever it is, can bring.

0:24:27.6 Ian Golding: But I think still lies in orchestration, getting the right people together. It doesn't have to be a very, very large group. Maybe it's a handful or a cluster of people that really dig deeply into those things to perhaps gather the information for a more informed decision. But that could work really well. I think that's the opposite of what is quite often the case where a lot of ideas are inbound and it's really hard to know what to do with them. And the enthusiasm suddenly gets overtaken with a bit of despair because all these good ideas seem to go nowhere. And I think that's just the orchestration thing we need to get to.

0:25:03.1 Emily Wearmouth: Rich, what do you think? Does a CISO's head turn with too many shiny things?

0:25:08.7 Rich Davis: I think CISOs are always looking for those efficiencies, right? What tools are out there that are going to shorten the time to do something or present me that data in a better way? And I think we only have to look through the floor here to see how many vendors are promising AI will solve this and AI will solve that. And if you do this, then, you know, you'll get a great return. But it comes down to actually what is that value? And I think a lot of CISOs will look at it and they'll jump into maybe a proof of concept. Let's jump in a proof of concept to see if this tool does what it says it's going to do. Well, my response to any CISO when I'm discussing this is typically, no, let's start with a proof of value. Before you jump in and check, actually, this is going to do what it says on the tin, what value is this going to bring the organisation? And work with that vendor to actually understand what value is going to bring for your specific organisation. And they may have examples of value which shown for other organisations, but every organization is different, right?

0:26:13.0 Rich Davis: So we want to see for my organisation, for what I care about the most, what impact is this going to have? And go through that exercise first before you then go down and say, actually, does this technology do what it says it should do?

0:26:28.2 Ian Golding: As you mentioned this exhibition, I'm mindful of all the cyber threats and, you know, ransomware and all these things would sound cool, but they're terrifying. And then the onslaught and the pace of AI as a threat, but also people using AI. So definitely suggest that the older tooling is not going to be fit for purposes like going into a knife fight with paper or something. It's just not going to come out well. So it definitely is a case for updating the tooling in the environment we're in now with cybersecurity.

0:26:56.4 Rich Davis: I think the other thing is AI is moving at such a fast pace in terms of Gen AI development and how organisations are using things like LLMs within their own technology that there has to be that forward thinking aspect as well, which is actually what value is this going to bring my organisation, not just today, but in a year's time, in two years time, in three years time, if I make that strategic decision to work with that vendor? And what does their roadmap look like? Where are they going to take this and how is this going to help me?

0:27:23.8 Emily Wearmouth: Do you like shiny things, Holly?

0:27:25.6 Holly Foxcroft: I've got a bag full of shiny things down there. Has anyone seen the port vendors got the best shiny thing I can take home to my children? How did anyone get into technology? How did anyone fall into cybersecurity? We all just kind of just appeared, didn't we? But I think what majority of what we can say brings us together is because we like shiny things and we like things that can do things which are really quite exciting. So naturally, we are curious when there's an innovative product, when there is also something that is saying it's going to take away a pain point we're experiencing. And unfortunately, as part of a strategic leadership team, being a CISO, you have a lot of pain points. And then if somebody is going to come to you, especially in an environment like this saying, "I see you're in trouble, I can fix that for you." But really, it's about taking a step back and saying, is this going to fit the business's agenda? Is it going to fit the business problem? Or am I just looking at this because my friend's CISO is using it exactly the same? Am I just chasing the technology because it's the technology that's being mentioned on every single stage at Infosec? And AI is a prime example here.

0:28:43.2 Holly Foxcroft : Il y a une course à l'armement pour l'adoption de l'IA, pour l'adoption de l'IA sans tenir compte de la raison pour laquelle nous l'utilisons, ou du risque que nous courons en l'utilisant, et du risque qui vient avec la sécurité de l'IA. L'accent n'est pas suffisamment mis sur la sécurité ou sur la manière de se protéger contre l'IA. On parle beaucoup des attaques adverses de l'IA. En fait, examinons l'adoption de la sécurité de l'IA au sein de nos équipes, ainsi que les garde-fous des personnes qui utilisent l'IA. Nous avons fait la même erreur avec l'internet, n'est-ce pas ? Il a été rejeté, les gens en ont usé, les gens en ont abusé. Il en va de même pour le mouvement de l'IA. Même chose.

0:29:23.4 Ian Golding : Oui, même il y a un an et demi ou deux ans, je me souviens, parce que je vais et viens dans différents rôles et je parle à beaucoup d'entreprises, que les gens se demandaient s'ils devaient autoriser ou non l'IA. Je veux dire que cela semble étrange de dire cela maintenant parce que c'est comme ici et partout et que cela devient clandestin si vous n'avez pas d'approche.

0:29:39.7 Emily Wearmouth : Vous souvenez-vous quand l'Italie l'a bloqué ? L'Italie vient de dire que vous ne pouvez pas utiliser ChatGPT. Avec le recul, cela semble insensé. Je veux dire que c'était assez fou à l'époque.

0:29:46.9 Ian Golding : Cela se combine avec tout ce dont nous avons discuté sur le fait d'être progressif, de trouver la voie, l'appétit pour le risque, les outils innovants qui vous permettront de bien travailler dans cet environnement.

0:29:56.0 Holly Foxcroft : Et c'est en grande partie cela, parce que vous pouvez avoir peur de la nouveauté ou vous pensez que vous prenez les risques nécessaires. Et c'est avec de nouveaux outils brillants que vous vous dites, oui, absolument fantastique. Mais l'innovation n'est pas l'ennemi. L'innovation est incontestable. J'en étais très fier. Bravo ! C'est ce que ChatGPT nous a apporté.

0:30:16.6 Ian Golding : C'est vrai, je ne sais pas.

0:30:17.7 Holly Foxcroft : En effet. Je n'ai pas peur, mais aussi, beaucoup d'entre nous ont peur de dire, j'utilise ChatGPT pour cela. En fait, j'utilise l'IA. Il faut que cela fasse partie de la conversation et que nous soyons honnêtes et transparents quant à l'utilisation que nous faisons de l'IA, parce qu'avec une nouvelle technologie brillante, nous ne voulons presque pas dire que nous l'utilisons parce que nous voulons nous attribuer le mérite de cette nouvelle technologie. En particulier en ce qui concerne l'IA, lorsque nous automatisons des choses ou que l'IA effectue des tâches à notre place, nous voulons presque nous en attribuer le mérite.

0:30:47.6 Emily Wearmouth : J'ai une idée. Je pourrais faire participer ChatGPT au podcast en tant qu'invité et voir ce qu'il en est. Voyez si quelqu'un vous écoutera. Voyez comment il répond à mes questions un peu plus farfelues.

0:30:58.3 Ian Golding : Je pensais que nous étions tous en train d'être clonés en ce moment même.

0:31:00.5 Emily Wearmouth : Probablement. Nous avons beaucoup parlé de l'IA. L'IA était le quatrième sujet que je voulais choisir spécifiquement. Certains des propos tenus par les chefs d'entreprise sont contradictoires. Quand ils parlent d'innovation et quand ils parlent d'IA, ils disent des choses légèrement différentes. Ils ont donc déclaré qu'ils voulaient que leurs leaders technologiques soient des conseillers experts sur les possibilités de l'IA, en particulier, comme vous l'avez dit, en ce qui concerne la manière dont elle peut résoudre les problèmes des entreprises. Et la conversation sur l'IA est inhabituelle en ce sens qu'elle est susceptible d'être initiée par le PDG. Mais ils souhaitent que ces conseils avisés s'accompagnent d'une volonté d'adopter les améliorations apportées par l'IA. Et Gartner a récemment découvert que 44% des PDG pensent que leur DSI ne connaît pas l'IA, ce qui est fascinant. Ils aiment donc les choses brillantes, mais pas l'IA, apparemment. Je voulais donc connaître votre réaction à ce sujet, tout d'abord. Est-ce une critique injuste ? Pourquoi pensez-vous que les chefs d'entreprise sont sûrs d'eux lorsqu'ils affirment que leurs responsables techniques ne connaissent pas l'IA ? Quelqu'un veut-il s'en charger ? Vous avez tous l'air un peu perplexe. Je sais, c'est fascinant.

0:32:01.0 Rich Davis : Je pense que c'est un sujet très intéressant. Et je pense que c'est en grande partie dû à l'évolution rapide de la situation dans laquelle nous nous trouvons. Nous sommes très vite passés de la question de savoir si nous autorisons ou non nos employés à utiliser le ChatGPT public et d'autres services Gen AI à la question de savoir comment cela peut réellement aider notre entreprise. Et je pense que cela est dû en grande partie au fait que de nombreux RSSI sont constamment en train de courir après leur queue. Ils essaient constamment de se tenir au courant des dernières avancées. Quel est le dernier modèle utilisé ? Et comment cela change-t-il le paysage ? Et où notre organisation veut-elle l'utiliser en priorité ? Je pense donc que beaucoup de RSSI essaient encore de savoir où mon entreprise souhaite le plus utiliser les technologies de l'information. Quel en sera l'impact ? Est-ce parce que l'entreprise souhaite l'intégrer dans un outil que nos clients finaux utiliseront ? Et cela entraîne des risques différents de ceux d'un outil interne où les données sont simplement échangées entre les employés internes. Le risque s'en trouve à nouveau modifié. Et je pense que cela découle probablement d'une grande partie de cette discussion, à savoir que l'on s'attend à ce que les RSSI soient l'oracle tout-puissant et compétent de tout.

0:33:11.7 Rich Davis : Et je pense que chaque RSSI a besoin de temps pour respirer de temps en temps. Et c'est la situation dans laquelle nous nous trouvons, où tout évolue très rapidement. Est-ce que tout le monde peut suivre ?

0:33:20.2 Emily Wearmouth : Fan. Aujourd'hui, le temps nous a un peu échappé. C'est toujours le cas dans le podcast des visionnaires de la sécurité, car je pourrais parler indéfiniment avec tous nos invités. Je tiens donc à remercier Holly, Ian et Rich de nous avoir rejoints aujourd'hui. Si vous n'êtes pas encore abonné, allez sur Spotify, sur Apple Podcasts, où que vous écoutiez, et abonnez-vous. Vous entendrez ensuite votre épisode, une fois que nous aurons fait un peu de post-production. Merci beaucoup de nous avoir rejoints.

0:33:47.1 Emily Wearmouth : Eh bien, vous l'avez. J'espère que vous êtes resté avec nous. Vous pouvez probablement constater qu'en plus des excellents avis d'experts, nous avons également tiré quelques leçons utiles de cette première émission en direct, notamment en ce qui concerne l'emplacement de nos microphones la prochaine fois. Je suis Emily Wearmouth, l'une des animatrices du podcast Security Visionaries. Merci de vous être joints à nous, et nous vous retrouverons en studio pour notre prochain épisode.