
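Join host Emily Wearmouth for a very special episode of Security Visionaries, recorded live at Infosecurity Europe. Holly Foxcroft, Ian Golding and Rich Davis discuss the key conversations CISOs should be having with their CEOs this year. The episode digs into four key areas (cost, risk, innovation and AI) and offers insight into the differing perspectives of technology leaders and CEOs.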

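"Generally I think organisations don't necessarily want to be on the bleeding edge and necessarily 10 times better than the next competitor. They want to be reasonably well assured that they're doing all the things reasonably possible that are affordable. You don't want to go out of business being so secure that you don't have a business, but you need to calculate those risks."

Ian Golding, Chief Digital & AI Officer, TC Group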


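Timestamps

*(0:01): Introduction
*(00:42): Welcome to the Security Visionaries Podcast
*(01:41): Introducing Holly Foxcroft
*(02:23): Introducing Ian Golding
*(03:10): Introducing Rich Davis
*(03:50): The CISO and CEO conversations, focusing on cost, risk, innovation and AI
*(04:50): "Cost" and how CISOs can demonstrate efficiency
*(12:15): "Risk" and how to communicate risk to the CEO
*(22:33): "Innovation" and perceptions of tech leaders' enthusiasm
*(31:00): "AI" and CEOs' perceptions of tech leaders' AI knowledge
*(33:20): Wrap-up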

 


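Guests on this episode

Ian Golding
Chief Digital & AI Officer, TC Group

Ian has led global commercial technology programmes for more than 20 years as a Chief Information Officer, Chief Technology Officer and Data Privacy Officer. Most recently he served as interim CIO at the FTSE 100 property companies Landsec and Unite Students. As interim Group CIO at Anthesis Group, the world's largest group of sustainability experts, Ian developed "Anthesis Digital", a suite of products now used to deliver sustainability solutions to clients, and he has provided fractional CIO advisory support to best-in-class privately held companies.

Ian was interim CIO at the Natural History Museum. At the NHM he created the organisation's technology strategy and vision to support its dual role as a leading centre of excellence for scientific research and a world-leading museum. He has also held interim leadership roles at SThree Plc, a world-leading STEM skills provider; the RNLI, a world-leading sea rescue and drowning prevention organisation; and Southern Housing Group.

Whether as a permanent employee, interim, fractional executive or private consultant, Ian is passionate about fostering collaboration and innovation to harness the benefits of technology and data. He is also a Fellow of The Institute of Directors, a Fellow of the Royal Society of Arts, a Fellow of the IET and a Chartered Professional Fellow of the BCS. He is also an investor who mentors digital startups, and by giving his time to support new ventures he aims to help the digital ecosystem grow.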

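Holly Foxcroft
Head of Neurodiversity in Cyber Research and Consulting, Scott and May Consulting

Holly Foxcroft is recognised as one of the most influential women in cyber and as a diversity champion. She is currently Head of Neurodiversity in Cyber Research and Consulting at Scott and May Consulting, where she is highly regarded for her broad industry knowledge and experience. With an incredibly successful career behind her, Holly is now passionate about sharing her insights with the next generation of professionals as a committee member of the BCS Neurodiverse IT Specialist Group, an advisory board member of The Cyber Express, and an associate lecturer in cyber security at the University of Chichester.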

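Richard Davis
Director of Solutions Strategy, Netskope

Richard Davis is Director of Solutions Strategy at Netskope. He provides in-country insight and expertise on cyber resilience and defence, including cloud security, security service edge and risk management, and oversees product and solution strategy for the EMEA region.

Davis is a seasoned cybersecurity professional with more than 20 years of experience and is passionate about helping organisations protect their people and data. Before joining Netskope, Davis served as Principal Solutions Architect and as Head of Product and Solutions for EMEA, and then as Cybersecurity Strategist at Proofpoint.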

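Emily Wearmouth
Director of International Communications and Content, Netskope

Emily Wearmouth is a technology communicator who helps engineers, specialists and tech organisations communicate more effectively. At Netskope, Emily works with teams across EMEA, LATAM and APJ to run the company's international communications and content programmes. She spends her days unearthing stories and telling them in a way that helps a wide audience better understand technology options and benefits.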


Episode transcript

0:00:01.7 Emily Wearmouth: Hello and welcome to the Security Visionaries Podcast. I have something a little bit different for you today. Attendees at the Infosecurity Europe Conference in London this year had an enviable opportunity to witness and participate in our first ever live podcast show. We had a great time doing our thing in front of real human faces and we promised to see what we could do to clean up the audio and make it available for those who couldn't attend. So that's exactly what we've done. What you're about to hear is a recording of that show, so please forgive a little background noise. We've done some post production magic so it's hopefully atmospheric rather than annoying. And now I'm going to hand you over to, well, myself. Enjoy.

0:00:42.1 Emily Wearmouth: Hello and welcome to the first ever Security Visionaries live show. If you've not been to a live podcast show before, just a bit of expectation setting. It's just like listening to an ordinary podcast, but you don't have to do any washing up at the same time. So you're already winning. And we'll crack on from there. The Security Visionaries Podcast has been running for a few years now. If you're not familiar with it, have a little dive in our back catalog on your way home. You can find it on Spotify, you can find it on Apple Podcasts. We aim to get leaders from the cybersecurity data related industries to come and talk to us and we grill them with some tricky questions to hear what interesting things they've got to say. So you'll find episodes with people from Rolls Royce, World Rugby, CISA. We've had Dr. Zero Trust and the Godfather of Zero Trust, but we kept them on separate episodes so that we didn't have a fight. But you can catch both of those as well. Today we're going to be talking about the conversations that CISOs need to have with their CEOs this year.

0:01:41.2 Emily Wearmouth: So let me start by introducing our guests. First up next to me we have Holly Foxcroft. Holly recently joined OneAdvanced as their cybersecurity business partner. She has over 15 years' experience in cybersecurity. She started with military service, she moved through academia and now is in the private sector. Her strengths are aligning security with commercial interests to drive stronger cyber resilience. And you've probably seen Holly out and about because she's a big advocate. She advocates for women, she advocates for the neurodiverse, and you can catch her previous Security Visionaries Podcast episode where we deep dived into neurodiversity. And I highly recommend that one. So, welcome back to the podcast, Holly.

0:02:20.6 Holly Foxcroft: Thank you for having me. It's a pleasure to be here.

0:02:23.4 Emily Wearmouth: Our next guest is Ian Golding. Now, Ian is the Chief Digital and AI Officer at TC Group. Did I get that right?

0:02:30.3 Ian Golding: Yes.

0:02:30.7 Emily Wearmouth: Excellent. Almost not. Ian's been kicking around this industry for well over 20 years as CIO, CTO and DPO for a range of companies. The Natural History Museum is the one I think is the coolest, but he's also got ERM Group, RNLI, pretty cool too, and lots more. There's a theme that you had to audition to get on this stage. So Ian has also been on the podcast before and you can check out his episode where we were talking about different leadership roles within cyber security. We were looking at interim and fractional roles. So welcome back.

0:02:58.8 Ian Golding: Thank you. Pleasure to be here. I'm just trying to get used to the fact that we can only just hear our own voices.

0:03:03.7 Emily Wearmouth: I know.

0:03:04.0 Ian Golding: But everyone else can hear us booming out, perhaps. It's very weird.

0:03:06.1 Emily Wearmouth: I don't know whether I'm shouting for them, but I'm straining for you.

0:03:08.9 Ian Golding: Thanks.

0:03:10.3 Emily Wearmouth: Now, our final guest won't mind me saying he's a stand in. If you've looked at the program and you're expecting Neil Thacker. This isn't Neil Thacker.

0:03:18.2 Rich Davis: I'm not tall enough to be Neil Thacker.

0:03:19.6 Emily Wearmouth: You're not tall enough to be Neil Thacker. But Rich Davis is a cybersecurity strategist at Netskope, and he spends his time reimagining network and security technologies to solve organisational challenges. And then he helps CISOs and CIOs importantly get green lights on their projects. So I think he's got some interesting insights for us today. He has nearly 25 years of experience, has a really nitpicky forensic eye for detail, so I'm sure he'll pick us up on some of the conversations that we have. Thank you ever so much for saving the day and filling the seat, Rich.

0:03:48.0 Rich Davis: And I have been on the podcast before as well.

0:03:50.8 Emily Wearmouth: And he's been on the podcast before. He's done his audition. You can check out his episode, which was all about whether doing an annual day for things like changing your password was ever a good idea, whether it could achieve what we wanted it to. Spoiler alert. Probably not. So what are we talking about today? I'm stealing. There's a piece of research that's just come back from field, done by Netskope, where they've talked to CEOs and their tech leadership teams around the world, and they've been looking at how is the relationship? What are the conversations that are had between those senior members of an organisation's team and how would the CEO like those conversations to go? This is research that is literally hot off the presses. It's not launching until the autumn, so you're getting an exclusive access to it. It transpires there are seven conversations that leaders need to have with their CEOs. We don't have time for seven. We're going to be focusing on four of them. We're going to be talking about cost, risk, innovation, and AI. And I'm going to dive straight in with a very un-British one. We're going to start with cost.

0:04:50.0 Emily Wearmouth: I'm going to give you a little bit of an insight into what the researchers found, and then I'm going to ask your responses. So, the researchers heard that CEOs want their tech leadership to act as a gatekeeper when it comes to cost. So rather than always recommending more spending as a way to bolster digital systems, they told researchers that they want tech leadership to focus on challenging suppliers and driving efficiencies, being seen to ask difficult questions. The researchers heard that CEOs want tech leaders to simplify technical jargon when communicating cost back to them, not spin them in circles with acronyms that makes them open their wallet up, and be able to think and express themselves in commercial language. So, how can a CISO prove to their CEO that they're challenging suppliers and driving efficiencies without getting bogged down into the details of what those suppliers are doing for them? And you're looking at me eagerly, so I'm going to come to you first, Holly. What are your thoughts?

0:05:45.0 Holly Foxcroft: Like a little puppy dog waiting for a treat, isn't it? So my role is specifically to work with the business side of our organisation, OneAdvanced. So I look over all of our business, our product and platforms, and everything that Emily has just discussed is my role. So it's actually engaging with everyone outside of the technical and cyber security teams. And I have to have these conversations with people that generally think when I'm talking about cyber security, I'm still talking about very low risks or the same changing passwords, and that's about it. So what are the measurable outcomes such as a risk reduction? The best way to engage is finding out from them what their terminology is. If I'm reporting into the CFO, I'm of course going to be talking about finance. If I'm talking to my CEO, it's about innovation, how to stay one foot ahead, but with that risk in mind. So it's very much actually more of a study of linguistics. How am I reporting into them, so how they need to receive the message from me and not just taking it from that technical stance of tooling or how it's going to help us with the big threats. It's changing it into risk reduction, cost saving if we're looking at duplicating tooling and why I want to change things. And really driving the message forward from that area.

0:07:09.6 Emily Wearmouth: What about you Ian? Have you got any thoughts to add?

0:07:11.4 Ian Golding: Yeah, so I very much agree with you Holly on the outcomes question. We get bogged down in all sorts of lists of stuff. Quite often there's quite a lot of cost around software. Most of us in organisations have a long tail of software that's perhaps been around for a while, the legacy, the tech debt that perhaps holds us back. So rather than us thinking about hundreds and sometimes thousands of pieces of software at a certain cost, figure out what is the outcome or the group of capabilities that perhaps are associated with product set. Could be cyber security or tech foundational stuff. But I think by grouping those and then finding out the accountabilities to make those decisions can really demystify. So you no longer talk about the bit of software but what's needed to make something happen that the organisation needs. I think that starts to then connect more senior people to what the on the ground detail is looking like. So then the fog can then start to clear. I think it's up to us to make sense of those conversations. So cyber security is no exception. There will be a lot of legacy tools. At some point you have to figure out what's the path forward to decide what you want your tech stack to look like in cyber or it could be other areas.

0:08:24.4 Ian Golding: So really I think working across functions is a very, very good way to work towards that. I mean you need the finance, the people that deliver the product. Perhaps not everyone has the same view of the world. But get people to debate it and come to a consensus view on that.

0:08:37.9 Emily Wearmouth: How do you demonstrate how you're behaving with your vendors? How do you demonstrate that you're demanding efficiencies without creating an acrimonious relationship with your vendors?

0:08:48.8 Ian Golding: I think it has to be starting with what does the organisation want to be doing. Times change and the vendors that may have been in place for a few years and the suppliers may be delivering something that is more or less valuable as time goes on. So then putting the organisation needs first. Sometimes organisations are not super crystal clear about what the services are that are needed. But again I think that's where we can help to start that conversation. I mean ultimately you wouldn't say all of us in our tech functional roles are necessarily going to make those decisions. But we can certainly demystify and provide the elements of an informed conversation to have that debate. I think ultimately you want to have good suppliers that have a good rapport and relationship and understand what you're trying to do. So it shouldn't be acrimonious and it probably shouldn't just be beating down on cost. It should be about something that's more positive and more progressive. And then maybe it falls out of that that some other organisations or suppliers are not necessarily what you need for the future.

0:09:46.9 Emily Wearmouth: Brilliant. Now Rich I'm going to ask you, what are some of the areas this year that you think would be an obvious place to look to find cost efficiencies?

0:09:58.5 Rich Davis: I think in my role, talking day-to-day with CISOs and helping them greenlight their projects, I think the whole area of consolidation and platform consolidation comes up time and time again. And helping CISOs figure out what that balance is between going all-in with a single vendor and thinking about a platform-of-platform strategy. What is your organisation's level of risk appetite? Where does that sit in relation to your spend? Where does that balance with spend? And more importantly, and this is something that I think is often overlooked, is what is changing vendors or changing the underlying solution going to do to your user's experience? What is the day-to-day experience of those users going to be like? What's the performance of this change going to do? It's all well and good looking at potential efficiencies by consolidating tools, but if it has a negative effect on the productivity of the organisation, then ultimately that's the sort of conversation and aspect that CEOs are going to care about. They're going to understand that it's not just about saving that bottom line on your cybersecurity spend, but is this going to help me innovate as an organisation?

0:11:07.4 Rich Davis: If so, how can I put some figures around that? And I also work with organisations to go through business value discussions and actually put metrics around both hard and soft cost savings that they can then take to their organisation. And of course, hard costs are quite easy to calculate. But when you think about soft costs, you're thinking about things like the ability to be more efficient as an organisation. How's this going to potentially drive innovation within my organisation? How can my organization do things quicker and easier through the tooling that I'm putting in place and the changes that I'm making? And if we can get to the point where, yes, we're saving and reducing our budget, our spend, and we're getting these efficiencies on top, then that's a very, very easy conversation to have and very easy for a CISO to then get a project greenlit because the two most common issues that a CISO would face is, well, where's the level of risk that we're going to be facing in doing this? And secondly, how's this going to affect my user experience? How's this going to affect our organization as a business and our day-to-day?

0:12:15.9 Emily Wearmouth: Brilliant. All right. We're moving on to our second research area where the CEOs were talking about risk, which feels very apt sitting here today. So CEOs told the researchers that they want their tech leadership to present costed options with an understanding of the risk levels and associated trade-offs for each one, appreciating that you pay for certain levels of risk mitigation. The CEO will then use this information, they argue, to make informed decisions. Some CEOs want their tech leadership to find a balance and communicate that balance between risk and reward, but others specifically ask that their tech leaders are pessimists because they see themselves as the sort of gung-ho optimists driving the business forward and they want their tech leaders to sort of be the voice of reason and pulling them back. So Holly, how would you convey risk to a CEO? How would you make sure they understand risk?

0:13:09.2 Holly Foxcroft: First of all, it's understanding your CEO's or your EXCO's risk appetite. You have to understand where are their crown jewels and that's where you really need to guide the conversation. So this is where these softer skills in cybersecurity really need to move from focusing so much on that technical acumen, but in how to engage and how to deliver. So framing that investment is part of your risk mitigation. A £200,000 investment could save you from a £5 million breach and that's a 30% chance of a breach down to a 5% chance. Using graphs, using heat maps, different ways, and of course this is going to lean into obviously my work within neurodiversity and understanding the different learning types. Finding ways that people are going to interpret that data that actually means something to them. Finding that if your CEO is very much, and I know we're going to come to innovation, CEOs have a great habit of being very innovation focused. They really want to get to the end of why their business is a differentiator and unfortunately what they're then going to do is they're going to blindside all of that risk and they're not going to be able to see them.

0:14:23.2 Holly Foxcroft: So it's about navigating that conversation and being able to hold that conversation as an enabler that you're not looking to stagnate, but it's finding that common middle ground. And then when we're looking at costs, don't put it as one overhead, break your costs down. So it's cost per control versus cost per incident. And always keep highlighting back to what is residual risk? What is the residual risk you are willing to accept with regards to business risk? And it's not just in the cyber team, but this is also risk from HR, from finance, and actually I like to look at security awareness and behavioral training in terms of mean time to detect, mean time to respond, and where you can make those savings and costs. Sometimes we're spending so little on training and awareness that our risk is really going up in areas we haven't quite understood because we don't understand where that risk profile is.

0:15:23.0 Rich Davis: I think with that you can also typically then reassign resource into a much better area, right?

0:15:28.7 Holly Foxcroft: Absolutely.

0:15:29.4 Rich Davis: Going from a kind of a reactive to a proactive. And therefore, you're then getting ahead of the issues because you're thinking forward planning more. So I think that's some of the discussions I will have as well is actually not just the level of risk in a heat map, but looking at it with a forward lens as well. What's this going to look like? How are we going to change it as an organization in the next couple of years that might actually influence this?

0:15:54.9 Holly Foxcroft: You can even then go one step further, which is something that I'm doing and actually very much leading into my security operations team in how I can measure mean time to detect, mean time to respond, and actually look at my tooling to see where we can come down a tier because our security awareness and detection and training is really taking that ramp up. And that's something I'm driving in-house. Tooling I'm using is my time. And by me saying that's actually quite an expensive quality. I'll be giving too much information away. I'm then building and further bolstering not only our cybersecurity posture, but I'm actually taking our tiers of tooling down as well.

0:16:32.7 Emily Wearmouth: Ian, I'm going to ask you a slightly different one. Are there any risks that you think CEOs are blinder to than you would like them to be at the moment?

0:16:40.8 Ian Golding: I think the CEOs are comfortable rationalizing risks because in anything that's moving forwards, there is risk attached in multiple dimensions. So yes, I think CEOs actually are quite comfortable understanding the risks. And then to Holly's point, the difficulty is how to curate a conversation that doesn't descend into fine detail and doesn't become too lofty that it doesn't relate to anything. And I think one simple way to help with that is using data. Even if it fuels a conversation about what do people want their recovery point objectives to be. Another thing is I see a lot of generic current state assessments, which I do think are very important to have the baseline, which chief execs like. But I kind of prefer, but you know, NIST have this, if I can remember, identify, protect, detect, respond and recover, the sequencing in very relatable areas. So rather than saying we need a million pounds or something to update 55 different tools in different areas, otherwise everything's going to blow up, it's kind of breaking it down to where resilience is needed and where the risks might be. And quite likely lots of people have tools in all sorts of places overlapping, can consolidate.

0:17:55.2 Ian Golding: But once the organization and the chief exec is able to have a bird's eye view as to what that's looking like, you very quickly have a view as to where something is really needs some remediation. And therefore I actually think funding can more easily materialize in that sort of situation. I think executives are comfortable with taking risks, but they need us to help share what those look like in a tangible fashion to be able to discuss.

0:18:21.5 Emily Wearmouth: The point around optimism and pessimism really intrigued me because there was some research last year where it found that 16% of CISOs classed their own risk appetite as low, so they see themselves quite comfortable with risk. Those same CISOs, 32% of them said their CEO's risk appetite was low. So in this new research, the CEOs are saying, I'm an optimist and I need them to be a pessimist. And last year we heard the other view, which was CISOs saying they're really risk averse, but we're really comfortable with risk. And you can sort of see them swaggering around in this research. Does that seem strange to you, that differing perception of each other?

0:18:59.3 Ian Golding: Could I suggest that, I mean, it might be a little subjectivity in that someone may feel that their risk appetite is high or low, but in the absence of information to gauge where that is in a number of different areas, it might just be blindsided as we were just discussing.

0:19:15.0 Rich Davis: I think you also need to benchmark it against other organisations as well.

0:19:18.1 Ian Golding: That's a very good idea.

0:19:19.2 Rich Davis: Because you don't really know where your threshold is versus how other people see it.

0:19:22.6 Ian Golding: That's true, because generally I think organisations don't necessarily want to be on the bleeding edge and necessarily 10 times better than the next competitor. They want to be reasonably well assured that they're doing all the things reasonably possible that are affordable. You don't want to go out of business being so secure that you don't have a business, but you need to calculate those risks. And people generally like to be probably with the pack or at the front of the group of a pack in managing their risks appropriately.

0:19:50.1 Rich Davis: What they don't want to be is they don't want to be so risk averse that they're losing their competitive edge because of that risk profile, because they want to get that balance right. And I think that's what you were talking to, right?

0:19:59.0 Ian Golding: Quite true, yeah. Exactly, yeah.

0:20:00.3 Holly Foxcroft: I also think it's about risk of what? What are we risk averse for? We need, and this is again coming back around to that conversation with CEO or with CFO, understanding risk of what. What risks are they most afraid of? Is it reputational damage? Do they understand that cyber risk is, oh no, we'll be closed down for 48 hours, which will cost the business X. We'll also cost our customers X. That again is bringing in financial loss. Are we looking at risk of an ICO file for example? So I think when we say risk, we need to really explore exactly what risks, but also open it up to the risk they don't know about. And the ones that we're still kind of navigating, who else in the business is using online technology that we don't know about? Because they may not be using it on machines from the business. I promise you, your organisation's using AI where you don't. What's scary more than that, if you're joining collaborative calls with another organization that uses an AI to screen record, in that terms and conditions, which just by joining that team's call or Zoom, we've already accepted that that AI has then taken that whole recording, even screen sharing, and all of your information you've used to join the call, and then record that and then store it into their database. How many of us are actually within our cyber teams now processing that within our data back to our CEOs to say this is a risk?

0:21:35.4 Emily Wearmouth: Yeah, it's quite, you can see the strength of an anecdote as well. You can talk in these grandiose numbers that aren't attached to anything. The minute you give them an anecdote that they understand, that's their day-to-day experience doing their job, it brings to life the risk a little bit more.

0:21:50.8 Ian Golding: I think it's like an interesting conversation to have. When you can get the conversation started, if the finance system is down for a day, it may be very inconvenient, it may be very disruptive, it may be very annoying, far from ideal, but most organisations probably, it depends on the extent of the interactivity with customer base. A lot of organisations can actually work quite well with their systems being offline for some hours, some days, but it really is about understanding what's that tolerance, and when does it become intolerable? But it's interesting because that's not detailed or technical in a way. It's like just having the plain English pragmatic discussion with colleagues about what they would expect to happen from which other decisions can follow.

0:22:33.0 Emily Wearmouth: I'm going to move us on to the third of our conversations, which is innovation. You've been trailing my topics as we go, Holly. This is one of the ones you've been trailing for us. This is what the researchers found. CEOs that participated in the research said they wanted their tech leadership to be aware of the latest developments while also perming their enthusiasm for adopting them wholesale. They want tech leaders to take a, quote, rational approach where they, quote, police innovation and, my favorite quotes, avoid new toys, focusing instead on business values and outcomes. There's some very loaded words, implied criticism, let's put it that way. What is your reaction as the person that they're talking about? Do you think that tech leaders are guilty of potentially over-enthusiasm for innovation? Ian, I'm going to come to you first.

0:23:19.6 Ian Golding: Well, innovation is a really, really good thing. However, shiny things, shall we say, in their own rights don't necessarily achieve that much, but they could in the right context. Again, I think this is another example of a team sport, and there's a bit of a theme with what are the outcomes here. If there's a shiny thing or something that plugs the gap or provides a capability to do something organisations need, that may be very valuable. But to be successful in cultivating that spirit of innovation to lead to something tangible probably needs a good cross-functional group of people to assess what it's going to be doing. I mean, you need people to understand the IP, maybe increasingly it's AI and ethics. How's it going to be used? Don't surprise your customers or people with your brand and reputation they didn't know something was happening with their data. Where's the IP just for protecting your own IP, the stability, security, et cetera, of the platform? But all these are things that often lie in different teams as well as the people that want the attractive quality of what that tool can or that piece of software, whatever it is, can bring.

0:24:27.6 Ian Golding: But I think still lies in orchestration, getting the right people together. It doesn't have to be a very, very large group. Maybe it's a handful or a cluster of people that really dig deeply into those things to perhaps gather the information for a more informed decision. But that could work really well. I think that's the opposite of what is quite often the case where a lot of ideas are inbound and it's really hard to know what to do with them. And the enthusiasm suddenly gets overtaken with a bit of despair because all these good ideas seem to go nowhere. And I think that's just the orchestration thing we need to get to.

0:25:03.1 Emily Wearmouth: Rich, what do you think? Does a CISO's head turn with too many shiny things?

0:25:08.7 Rich Davis: I think CISOs are always looking for those efficiencies, right? What tools are out there that are going to shorten the time to do something or present me that data in a better way? And I think we only have to look through the floor here to see how many vendors are promising AI will solve this and AI will solve that. And if you do this, then, you know, you'll get a great return. But it comes down to actually what is that value? And I think a lot of CISOs will look at it and they'll jump into maybe a proof of concept. Let's jump in a proof of concept to see if this tool does what it says it's going to do. Well, my response to any CISO when I'm discussing this is typically, no, let's start with a proof of value. Before you jump in and check, actually, this is going to do what it says on the tin, what value is this going to bring the organisation? And work with that vendor to actually understand what value it is going to bring for your specific organisation. And they may have examples of value which they've shown for other organisations, but every organisation is different, right?

0:26:13.0 Rich Davis: So we want to see for my organisation, for what I care about the most, what impact is this going to have? And go through that exercise first before you then go down and say, actually, does this technology do what it says it should do?

0:26:28.2 Ian Golding: As you mentioned this exhibition, I'm mindful of all the cyber threats and, you know, ransomware and all these things would sound cool, but they're terrifying. And then the onslaught and the pace of AI as a threat, but also people using AI. So definitely suggest that the older tooling is not going to be fit for purpose, like going into a knife fight with paper or something. It's just not going to come out well. So it definitely is a case for updating the tooling in the environment we're in now with cybersecurity.

0:26:56.4 Rich Davis: I think the other thing is AI is moving at such a fast pace in terms of Gen AI development and how organisations are using things like LLMs within their own technology that there has to be that forward-thinking aspect as well, which is actually what value is this going to bring my organisation, not just today, but in a year's time, in two years' time, in three years' time, if I make that strategic decision to work with that vendor? And what does their roadmap look like? Where are they going to take this and how is this going to help me?

0:27:23.8 Emily Wearmouth: Do you like shiny things, Holly?

0:27:25.6 Holly Foxcroft: I've got a bag full of shiny things down there. Has anyone seen the port vendors got the best shiny thing I can take home to my children? How did anyone get into technology? How did anyone fall into cybersecurity? We all just kind of just appeared, didn't we? But I think what majority of what we can say brings us together is because we like shiny things and we like things that can do things which are really quite exciting. So naturally, we are curious when there's an innovative product, when there is also something that is saying it's going to take away a pain point we're experiencing. And unfortunately, as part of a strategic leadership team, being a CISO, you have a lot of pain points. And then if somebody is going to come to you, especially in an environment like this saying, "I see you're in trouble, I can fix that for you." But really, it's about taking a step back and saying, is this going to fit the business's agenda? Is it going to fit the business problem? Or am I just looking at this because my friend's CISO is using it exactly the same? Am I just chasing the technology because it's the technology that's being mentioned on every single stage at Infosec? And AI is a prime example here.

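0:28:43.2 Holly Foxcroft: There's an arms race going on around AI adoption, and AI is being adopted without looking at the practicalities: why we're actually using AI, or the risks of using AI, the risks that come with AI security. There isn't enough focus on security, or on how we approach security for AI. A lot is said about the negative impacts of AI. Let's actually look at the adoption of AI security within our own teams, and the guardrails for the people using AI. We made this mistake with the internet, didn't we? It was pushed out, people used it, people abused it. The same thing is happening with the AI movement. It's the same thing.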

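0:29:23.4 Ian Golding: Yeah, I remember even a year and a half or two years ago, bearing in mind that I go in and out of various roles and talk to a lot of companies, people were agonising over whether they should allow or not allow AI. I mean, it seems strange to say that now, because it's here and everywhere, and without an approach it just goes underground.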

0:29:39.7 Emily Wearmouth: Do you remember when Italy blocked it? Italy just said you can't use ChatGPT. Looking back now, that seems crazy. I mean, it was pretty crazy at the time.

0:29:46.9 Ian Golding: It's all combined with everything we've been discussing about being progressive, finding a way, risk appetite, and innovative tools that enable us to work well in this environment.

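0:29:56.0 Holly Foxcroft: And it's because it can be very scary, something new, or thinking about whether the risk is appropriate. And this is a shiny new tool where you go, yes, absolutely amazing. But innovation isn't the enemy. Unquestioned innovation is. I was very proud of that one. Well done. That's what ChatGPT gave us.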

0:30:16.6 Ian Golding: Well, I don't think so.

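0:30:17.7 Holly Foxcroft: Actually, it was. I'm not afraid, but a lot of us are afraid to actually say that we're actually using ChatGPT for that. That we're actually using AI. And making that part of the conversation, being honest and transparent about our use of AI, is because with shiny new technology we don't want to say we're using it, because we want to take the credit from that new technology. Especially when it comes to AI, when we're automating or when AI is doing the work for us, we pretty much want to take the credit for it.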

0:30:47.6 Emily Wearmouth: I have a good idea. Maybe we'll have ChatGPT on the podcast as a guest and see what happens. See if anyone listens. See how it deals with my slightly offbeat questions.

0:30:58.3 Ian Golding: I thought we were all being cloned as we speak.

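0:31:00.5 Emily Wearmouth: Sure. We've talked a lot about AI so far. AI was the fourth topic I wanted to pick up specifically. There are some contradictions in what we heard from CEOs. They say slightly different things when they talk about innovation and when they talk about AI. So they said they want their tech leaders to be expert advisors on the potential of AI, in particular, as you said, where it can solve business problems. And the AI conversation is unusual in that it's likely to be started by the CEO. But they want a willingness to embrace AI improvements alongside this sober advice. And Gartner also recently found that 44% of CEOs think their CIO isn't AI-savvy. Which is interesting. So they seem to like shiny things, but not AI. So first, I wanted to hear your reaction to that. Is that unfair criticism? Why do you think CEOs are confidently saying their tech leaders aren't AI-savvy? Does anyone want to take that? You all look a little bit puzzled. That's interesting.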

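0:32:01.0 Rich Davis: I think it's a really interesting topic. And I think a lot of it is down to the fast pace of where we're at. We very quickly moved from whether we allow employees to use public ChatGPT and other generative AI services to how this can actually help our business. And I wonder if this comes from the fact that a lot of CISOs are constantly chasing their tails. Are they always trying to stay up to date with the latest advances? What's the latest model in use? And how is that changing the landscape? And where does our organisation want to use this first? So I think a lot of CISOs are still trying to understand, where does my business most want to use it? And what impact is that going to have? Is it that the business wants to build it into tools that end customers use? And that brings different risks to an internal tool where the data is really only being exchanged between internal employees. And that shifts the risk again. I think a lot of that argument probably comes from the expectation that the CISO is an all-powerful, knowledgeable oracle on everything.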

0:33:11.7 Rich Davis: And I think every CISO needs time to breathe now and then. And that's the situation we're in, it's moving very fast. Can we all keep up?

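0:33:20.2 Emily Wearmouth: Great. Now, time has run away from us a bit. It always does on the Security Visionaries Podcast, because I could talk to all of our guests forever. So thank you, Holly, Ian and Rich, for today. If you're not already a subscriber, jump onto Spotify, go to Apple Podcasts, and subscribe wherever you listen. And once we've done a little post-production, you'll be able to hear your episode. Thank you very much for joining us.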

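0:33:47.1 Emily Wearmouth: Well, there you have it. I hope you stayed with us. As well as the great expert insights, I think you'll see that we learned some useful lessons from this first live show, mainly about where to put the microphones next time. I'm Emily Wearmouth, one of the hosts of the Security Visionaries Podcast. Thank you for joining us, and we'll see you in the studio as usual for the next episode.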
