0:00:01.7 Emily Wearmouth: Hello and welcome to the Security Visionaries Podcast. I have something a little bit different for you today. Attendees at the Infosecurity Europe Conference in London this year had an enviable opportunity to witness and participate in our first ever live podcast show. We had a great time doing our thing in front of real human faces and we promised to see what we could do to clean up the audio and make it available for those who couldn't attend. So that's exactly what we've done. What you're about to hear is a recording of that show, so please forgive a little background noise. We've done some post production magic so it's hopefully atmospheric rather than annoying. And now I'm going to hand you over to, well, myself. Enjoy.
0:00:42.1 Emily Wearmouth: Hello and welcome to the first ever Security Visionaries live show. If you've not been to a live podcast show before, just a bit of expectation setting. It's just like listening to an ordinary podcast, but you don't have to do any washing up at the same time. So you're already winning. And we'll crack on from there. The Security Visionaries Podcast has been running for a few years now. If you're not familiar with it, have a little dive in our back catalog on your way home. You can find it on Spotify, you can find it on Apple Podcasts. We aim to get leaders from the cybersecurity data related industries to come and talk to us and we grill them with some tricky questions to hear what interesting things they've got to say. So you'll find episodes with people from Rolls Royce, World Rugby, CISA. We've had Dr. Zero Trust and the Godfather of Zero Trust, but we kept them on separate episodes so that we didn't have a fight. But you can catch both of those as well. Today we're going to be talking about the conversations that CISOs need to have with their CEOs this year.
0:01:41.2 Emily Wearmouth: So let me start by introducing our guests. First up next to me we have Holly Foxcroft. Holly recently joined OneAdvanced as their cybersecurity business partner. She's over 15 years experience in cybersecurity. She started with military service, she moved through academia and now is in the private sector. Her strengths are aligning security with commercial interests to drive stronger cyber resilience. And you've probably seen Holly out and about because she's a big advocate. She advocates for women, she advocates for the neurodiverse, and you can catch her previous Security Visionaries Podcast episode where we deep dived into neurodiversity. And I highly recommend that one. So, welcome back to the podcast, Holly.
0:02:20.6 Holly Foxcroft: Thank you for having me. It's a pleasure to be here.
0:02:23.4 Emily Wearmouth: Our next guest is Ian Golding. Now, Ian is the Chief Digital and AI Officer at TC Group. Did I get that right?
0:02:30.3 Ian Golding: Yes.
0:02:30.7 Emily Wearmouth: Excellent. Almost not. Ian's been kicking around this industry for well over 20 years as CIO, CTO and DPO for a range of companies. The Natural History Museum is the one I think is the coolest, but he's also got ERM Group, RNLI, pretty cool too, and lots more. There's a theme that you had to audition to get on this stage. So Ian has also been on the podcast before and you can check out his episode where we were talking about different leadership roles within cyber security. We were looking at interim and fractional roles. So welcome back.
0:02:58.8 Ian Golding: Thank you. Pleasure to be here. I'm just trying to get used to the fact that we can only just hear our own voices.
0:03:03.7 Emily Wearmouth: I know.
0:03:04.0 Ian Golding: But everyone else can hear us booming out, perhaps. It's very weird.
0:03:06.1 Emily Wearmouth: I don't know whether I'm shouting for them, but I'm straining for you.
0:03:08.9 Ian Golding: Thanks.
0:03:10.3 Emily Wearmouth: Now, our final guest won't mind me saying he's a stand in. If you've looked at the program and you're expecting Neil Thacker. This isn't Neil Thacker.
0:03:18.2 Rich Davis: I'm not tall enough to be Neil Thacker.
0:03:19.6 Emily Wearmouth: You're not tall enough to be Neil Thacker. But Rich Davis is a cybersecurity strategist at Netskope, and he spends his time reimagining network and security technologies to solve organisational challenges. And then he helps CISOs and CIOs importantly get green lights on their projects. So I think he's got some interesting insights for us today. He has nearly 25 years of experience, has a really nitpicky forensic eye for detail, so I'm sure he'll pick us up on some of the conversations that we have. Thank you ever so much for saving the day and filling the seat, Rich.
0:03:48.0 Rich Davis: And I have been on the podcast before as well.
0:03:50.8 Emily Wearmouth: And he's been on the podcast before. He's done his audition. You can check out his episode, which was all about whether doing an annual day for things like changing your password was ever a good idea, whether it could achieve what we wanted it to. Spoiler alert. Probably not. So what are we talking about today? I'm stealing. There's a piece of research that's just come back from field, done by Netskope, where they've talked to CEOs and their tech leadership teams around the world, and they've been looking at how is the relationship? What are the conversations that are had between those senior members of an organisation's team and how would the CEO like those conversations to go? This is research that is literally hot off the presses. It's not launching until the autumn, so you're getting an exclusive access to it. It transpires there are seven conversations that leaders need to have with their CEOs. We don't have time for seven. We're going to be focusing on four of them. We're going to be talking about cost, risk, innovation, and AI. And I'm going to dive straight in with a very un-British one. We're going to start with cost.
0:04:50.0 Emily Wearmouth: I'm going to give you a little bit of an insight into what the researchers found, and then I'm going to ask your responses. So, the researchers heard that CEOs want their tech leadership to act as a gatekeeper when it comes to cost. So rather than always recommending more spending as a way to bolster digital systems, they told researchers that they want tech leadership to focus on challenging suppliers and driving efficiencies, being seen to ask difficult questions. The researchers heard that CEOs want tech leaders to simplify technical jargon when communicating cost back to them, not spin them in circles with acronyms that makes them open their wallet up, and be able to think and express themselves in commercial language. So, how can a CISO prove to their CEO that they're challenging suppliers and driving efficiencies without getting bogged down into the details of what those suppliers are doing for them? And you're looking at me eagerly, so I'm going to come to you first, Holly. What are your thoughts?
0:05:45.0 Holly Foxcroft: Like a little puppy dog waiting for a treat, isn't it? So my role is specifically to work with the business side of our organisation, OneAdvancedd. So I look over all of our business, our product and platforms, and everything that Emily has just discussed is my role. So it's actually engaging with everyone outside of the technical and cyber security teams. And I have to have these conversations with people that generally think when I'm talking about cyber security, I'm still talking about very low risks or the same changing passwords, and that's about it. So what are the measurable outcomes such as a risk reduction? The best way to engage is finding out from them what their terminology is. If I'm reporting into the CFO, I'm of course going to be talking about finance. If I'm talking to my CEO, it's about innovation, how to stay one foot ahead, but with that risk in mind. So it's very much actually more of a study of linguistics. How am I reporting into them, so how they need to receive the message from me and not just taking it from that technical stance of tooling or how it's going to help us with the big threats. It's changing it into risk reduction, cost saving if we're looking at duplicating tooling and why I want to change things. And really driving the message forward from that area.
0:07:09.6 Emily Wearmouth: What about you Ian? Have you got any thoughts to add?
0:07:11.4 Ian Golding: Yeah, so I very much agree with you Holly on the outcomes question. We get bogged down in all sorts of lists of stuff. Quite often there's quite a lot of cost around software. Most of us in organisations have a long tail of software that's perhaps been around for a while, the legacy, the tech debt that perhaps holds us back. So rather than us thinking about hundreds and sometimes thousands of pieces of software at a certain cost, figure out what is the outcome or the group of capabilities that perhaps are associated with product set. Could be cyber security or tech foundational stuff. But I think by grouping those and then finding out the accountabilities to make those decisions can really demystify. So you no longer talk about the bit of software but what's needed to make something happen that the organisation needs. I think that starts to then connect more senior people to what the on the ground detail is looking like. So then the fog can then start to clear. I think it's up to us to make sense of those conversations. So cyber security is no exception. There will be a lot of legacy tools. At some point you have to figure out what's the path forward to decide what you want your tech stack to look like in cyber or it could be other areas.
0:08:24.4 Ian Golding: So really I think working across functions is a very, very good way to work towards that. I mean you need the finance, the people that deliver the product. Perhaps not everyone has the same view of the world. But get people to debate it and come to a consensus view on that.
0:08:37.9 Emily Wearmouth: How do you demonstrate how you're behaving with your vendors? How do you demonstrate that you're demanding efficiencies without creating an acrimonious relationship with your vendors?
0:08:48.8 Ian Golding: I think it has to be starting with what does the organisation want to be doing. Times change and the vendors that may have been in place for a few years and the suppliers may be delivering something that is more or less valuable as time goes on. So then putting the organisation needs first. Sometimes organisations are not super crystal clear about what the services are that are needed. But again I think that's where we can help to start that conversation. I mean ultimately you wouldn't say all of us in our tech functional roles are necessarily going to make those decisions. But we can certainly demystify and provide the elements of an informed conversation to have that debate. I think ultimately you want to have good suppliers that have a good rapport and relationship and understand what you're trying to do. So it shouldn't be acrimonious and it probably shouldn't just be beating down on cost. It should be about something that's more positive and more progressive. And then maybe it falls out of that that some other organisations or suppliers are not necessarily what you need for the future.
0:09:46.9 Emily Wearmouth: Brilliant. Now Rich I'm going to ask you, what are some of the areas this year that you think would be an obvious place to look to find cost efficiencies?
0:09:58.5 Rich Davis: I think in my role, talking day-to-day with CISOs and helping them greenlight their projects, I think the whole area of consolidation and platform consolidation comes up time and time again. And helping CISOs figure out what that balance is between going all-in with a single vendor and thinking about a platform-of-platform strategy. What is your organisation's level of risk appetite? Where does that sit in relation to your spend? Where does that balance with spend? And more importantly, and this is something that I think is often overlooked, is what is changing vendors or changing the underlying solution going to do to your user's experience? What is the day-to-day experience of those users going to be like? What's the performance of this change going to do? It's all well and good looking at potential efficiencies by consolidating tools, but if it has a negative effect on the productivity of the organisation, then ultimately that's the sort of conversation and aspect that CEOs are going to care about. They're going to understand that it's not just about saving that bottom line on your cybersecurity spend, but is this going to help me innovate as an organisation?
0:11:07.4 Rich Davis: If so, how can I put some figures around that? And I also work with organisations to go through business value discussions and actually put metrics around both hard and soft cost savings that they can then take to their organisation. And of course, hard costs are quite easy to calculate. But when you think about soft costs, you're thinking about things like the ability to be more efficient as an organisation. How's this going to potentially drive innovation within my organisation? How can my organization do things quicker and easier through the tooling that I'm putting in place and the changes that I'm making? And if we can get to the point where, yes, we're saving and reducing our budget, our spend, and we're getting these efficiencies on top, then that's a very, very easy conversation to have and very easy for a CISO to then get a project greenlit because the two most common issues that a CISO would face is, well, where's the level of risk that we're going to be facing in doing this? And secondly, how's this going to affect my user experience? How's this going to affect our organization as a business and our day-to-day?
0:12:15.9 Emily Wearmouth: Brilliant. All right. We're moving on to our second research area where the CEOs were talking about risk, which feels very apt sitting here today. So CEOs told the researchers that they want their tech leadership to present costed options with an understanding of the risk levels and associated trade-offs for each one, appreciating that you pay for certain levels of risk mitigation. The CEO will then use this information, they argue, to make informed decisions. Some CEOs want their tech leadership to find a balance and communicate that balance between risk and reward, but others specifically ask that their tech leaders are pessimists because they see themselves as the sort of gung-ho optimists driving the business forward and they want their tech leaders to sort of be the voice of reason and pulling them back. So Holly, how would you convey risk to a CEO? How would you make sure they understand risk?
0:13:09.2 Holly Foxcroft: First of all, it's understanding your CEO's or your EXCO's risk appetite. You have to understand where are their crown jewels and that's where you really need to guide the conversation. So this is where these softer skills in cybersecurity really need to move from focusing so much on that technical acumen, but in how to engage and how to deliver. So framing that investment is part of your risk mitigation. A £200,000 investment could save you from a £5 million breach and that's a 30% chance of a breach down to a 5% chance. Using graphs, using heat maps, different ways, and of course this is going to lean into obviously my work within neurodiversity and understanding the different learning types. Finding ways that people are going to interpret that data that actually means something to them. Finding that if your CEO is very much, and I know we're going to come to innovation, CEOs have a great habit of being very innovation focused. They really want to get to the end of why their business is a differentiator and unfortunately what they're then going to do is they're going to blindside all of that risk and they're not going to be able to see them.
0:14:23.2 Holly Foxcroft: So it's about navigating that conversation and being able to hold that conversation as an enabler that you're not looking to stagnate, but it's finding that common middle ground. And then when we're looking at costs, don't put it as one overhead, break your costs down. So it's cost per control versus cost per incident. And always keep highlighting back to what is residual risk? What is the residual risk you are willing to accept with regards to business risk? And it's not just in the cyber team, but this is also risk from HR, from finance, and actually I like to look at security awareness and behavioral training in terms of mean time to detect, mean time to respond, and where you can make those savings and costs. Sometimes we're spending so little on training and awareness that our risk is really going up in areas we haven't quite understood because we don't understand where that risk profile is.
0:15:23.0 Rich Davis: I think with that you can also typically then reassign resource into a much better area, right?
0:15:28.7 Holly Foxcroft: Absolutely.
0:15:29.4 Rich Davis: Going from a kind of a reactive to a proactive. And therefore, you're then getting ahead of the issues because you're thinking forward planning more. So I think that's some of the discussions I will have as well is actually not just the level of risk in a heat map, but looking at it with a forward lens as well. What's this going to look like? How are we going to change it as an organization in the next couple of years that might actually influence this?
0:15:54.9 Holly Foxcroft: You can even then go one step further, which is something that I'm doing and actually very much leading into my security operations team in how I can measure mean time to detect, mean time to respond, and actually look at my tooling to see where we can come down a tier because our security awareness and detection and training is really taking that ramp up. And that's something I'm driving in-house. Tooling I'm using is my time. And by me saying that's actually quite an expensive quality. I'll be giving too much information away. I'm then building and further bolstering not only our cybersecurity posture, but I'm actually taking our tiers of tooling down as well.
0:16:32.7 Emily Wearmouth: Ian, I'm going to ask you a slightly different one. Are there any risks that you think CEOs are blinder to than you would like them to be at the moment?
0:16:40.8 Ian Golding: I think the CEOs are comfortable rationalizing risks because in anything that's moving forwards, there is risk attached in multiple dimensions. So yes, I think CEOs actually are quite comfortable understanding the risks. And then to Holly's point, the difficulty is how to curate a conversation that doesn't descend into fine detail and doesn't become too lofty that it doesn't relate to anything. And I think one simple way to help with that is using data. Even if it fuels a conversation about what do people want their recovery point objectives to be. Another thing is I see a lot of generic current state assessments, which I do think are very important to have the baseline, which chief execs like. But I kind of prefer, but you know, NIST have this, if I can remember, identify, protect, detect, respond and recover, the sequencing in very relatable areas. So rather than saying we need a million pounds or something to update 55 different tools in different areas, otherwise everything's going to blow up, it's kind of breaking it down to where resilience is needed and where the risks might be. And quite likely lots of people have tools in all sorts of places overlapping, can consolidate.
0:17:55.2 Ian Golding: But once the organization and the chief exec is able to have a bird's eye view as to what that's looking like, you very quickly have a view as to where something is really needs some remediation. And therefore I actually think funding can more easily materialize in that sort of situation. I think executives are comfortable with taking risks, but they need us to help share what those look like in a tangible fashion to be able to discuss.
0:18:21.5 Emily Wearmouth: The point around optimism and pessimism really intrigued me because there was some research last year where it found that 16% of CISOs classed their own risk appetite as low, so they see themselves quite comfortable with risk. Those same CISOs, 32% of them said their CEO's risk appetite was low. So in this new research, the CEOs are saying, I'm an optimist and I need them to be a pessimist. And last year we heard the other view, which was CISOs saying they're really risk averse, but we're really comfortable with risk. And you can sort of see them swaggering around in this research. Does that seem strange to you, that differing perception of each other?
0:18:59.3 Ian Golding: Could I suggest that, I mean, it might be a little subjectivity in that someone may feel that their risk appetite is high or low, but in the absence of information to gauge where that is in a number of different areas, it might just be blindsided as we were just discussing.
0:19:15.0 Rich Davis: I think you also need to benchmark it against other organisations as well.
0:19:18.1 Ian Golding: That's a very good idea.
0:19:19.2 Rich Davis: Because you don't really know where your threshold is versus how other people see it.
0:19:22.6 Ian Golding: That's true, because generally I think organisations don't necessarily want to be on the bleeding edge and necessarily 10 times better than the next competitor. They want to be reasonably well assured that they're doing all the things reasonably possible that are affordable. You don't want to go out of business being so secure that you don't have a business, but you need to calculate those risks. And people generally like to be probably with the pack or at the front of the group of a pack in managing their risks appropriately.
0:19:50.1 Rich Davis: What they don't want to be is they don't want to be so risk averse that they're losing their competitive edge because of that risk profile, because they want to get that balance right. And I think that's what you were talking to, right?
0:19:59.0 Ian Golding: Quite true, yeah. Exactly, yeah.
0:20:00.3 Holly Foxcroft: I also think it's about risk of what? What are we risk averse for? We need, and this is again coming back around to that conversation with CEO or with CFO, understanding risk of what. What risks are they most afraid of? Is it reputational damage? Do they understand that cyber risk is, oh no, we'll be closed down for 48 hours, which will cost the business X. We'll also cost our customers X. That again is bringing in financial loss. Are we looking at risk of an ICO file for example? So I think when we say risk, we need to really explore exactly what risks, but also open it up to the risk they don't know about. And the ones that we're still kind of navigating, who else in the business is using online technology that we don't know about? Because they may not be using it on machines from the business. I promise you, your organisation's using AI where you don't. What's scary more than that, if you're joining collaborative calls with another organization that uses an AI to screen record, in that terms and conditions, which just by joining that team's call or Zoom, we've already accepted that that AI has then taken that whole recording, even screen sharing, and all of your information you've used to join the call, and then record that and then store it into their database. How many of us are actually within our cyber teams now processing that within our data back to our CEOs to say this is a risk?
0:21:35.4 Emily Wearmouth: Yeah, it's quite, you can see the strength of an anecdote as well. You can talk in these grandiose numbers that aren't attached to anything. The minute you give them an anecdote that they understand, that's their day-to-day experience doing their job, it brings to life the risk a little bit more.
0:21:50.8 Ian Golding: I think it's like an interesting conversation to have. When you can get the conversation started, if the finance system is down for a day, it may be very inconvenient, it may be very disruptive, it may be very annoying, far from ideal, but most organisations probably, it depends on the extent of the interactivity with customer base. A lot of organisations can actually work quite well with their systems being offline for some hours, some days, but it really is about understanding what's that tolerance, and when does it become intolerable? But it's interesting because that's not detailed or technical in a way. It's like just having the plain English pragmatic discussion with colleagues about what they would expect to happen from which other decisions can follow.
0:22:33.0 Emily Wearmouth: I'm going to move us on to the third of our conversations, which is innovation. You've been trailing my topics as we go, Holly. This is one of the ones you've been trailing for us. This is what the researchers found. CEOs that participated in the research said they wanted their tech leadership to be aware of the latest developments while also perming their enthusiasm for adopting them wholesale. They want tech leaders to take a, quote, rational approach where they, quote, police innovation and, my favorite quotes, avoid new toys, focusing instead on business values and outcomes. There's some very loaded words, implied criticism, let's put it that way. What is your reaction as the person that they're talking about? Do you think that tech leaders are guilty of potentially over-enthusiasm for innovation? Ian, I'm going to come to you first.
0:23:19.6 Ian Golding: Well, innovation is a really, really good thing. However, shiny things, shall we say, in their own rights don't necessarily achieve that much, but they could in the right context. Again, I think this is another example of a team sport, and there's a bit of a theme with what are the outcomes here. If there's a shiny thing or something that plugs the gap or provides a capability to do something organisations need, that may be very valuable. But to be successful in cultivating that spirit of innovation to lead to something tangible probably needs a good cross-functional group of people to assess what it's going to be doing. I mean, you need people to understand the IP, maybe increasingly it's AI and ethics. How's it going to be used? Don't surprise your customers or people with your brand and reputation they didn't know something was happening with their data. Where's the IP just for protecting your own IP, the stability, security, et cetera, of the platform? But all these are things that often lie in different teams as well as the people that want the attractive quality of what that tool can or that piece of software, whatever it is, can bring.
0:24:27.6 Ian Golding: But I think still lies in orchestration, getting the right people together. It doesn't have to be a very, very large group. Maybe it's a handful or a cluster of people that really dig deeply into those things to perhaps gather the information for a more informed decision. But that could work really well. I think that's the opposite of what is quite often the case where a lot of ideas are inbound and it's really hard to know what to do with them. And the enthusiasm suddenly gets overtaken with a bit of despair because all these good ideas seem to go nowhere. And I think that's just the orchestration thing we need to get to.
0:25:03.1 Emily Wearmouth: Rich, what do you think? Does a CISO's head turn with too many shiny things?
0:25:08.7 Rich Davis: I think CISOs are always looking for those efficiencies, right? What tools are out there that are going to shorten the time to do something or present me that data in a better way? And I think we only have to look through the floor here to see how many vendors are promising AI will solve this and AI will solve that. And if you do this, then, you know, you'll get a great return. But it comes down to actually what is that value? And I think a lot of CISOs will look at it and they'll jump into maybe a proof of concept. Let's jump in a proof of concept to see if this tool does what it says it's going to do. Well, my response to any CISO when I'm discussing this is typically, no, let's start with a proof of value. Before you jump in and check, actually, this is going to do what it says on the tin, what value is this going to bring the organisation? And work with that vendor to actually understand what value is going to bring for your specific organisation. And they may have examples of value which shown for other organisations, but every organization is different, right?
0:26:13.0 Rich Davis: So we want to see for my organisation, for what I care about the most, what impact is this going to have? And go through that exercise first before you then go down and say, actually, does this technology do what it says it should do?
0:26:28.2 Ian Golding: As you mentioned this exhibition, I'm mindful of all the cyber threats and, you know, ransomware and all these things would sound cool, but they're terrifying. And then the onslaught and the pace of AI as a threat, but also people using AI. So definitely suggest that the older tooling is not going to be fit for purposes like going into a knife fight with paper or something. It's just not going to come out well. So it definitely is a case for updating the tooling in the environment we're in now with cybersecurity.
0:26:56.4 Rich Davis: I think the other thing is AI is moving at such a fast pace in terms of Gen AI development and how organisations are using things like LLMs within their own technology that there has to be that forward thinking aspect as well, which is actually what value is this going to bring my organisation, not just today, but in a year's time, in two years time, in three years time, if I make that strategic decision to work with that vendor? And what does their roadmap look like? Where are they going to take this and how is this going to help me?
0:27:23.8 Emily Wearmouth: Do you like shiny things, Holly?
0:27:25.6 Holly Foxcroft: I've got a bag full of shiny things down there. Has anyone seen the port vendors got the best shiny thing I can take home to my children? How did anyone get into technology? How did anyone fall into cybersecurity? We all just kind of just appeared, didn't we? But I think what majority of what we can say brings us together is because we like shiny things and we like things that can do things which are really quite exciting. So naturally, we are curious when there's an innovative product, when there is also something that is saying it's going to take away a pain point we're experiencing. And unfortunately, as part of a strategic leadership team, being a CISO, you have a lot of pain points. And then if somebody is going to come to you, especially in an environment like this saying, "I see you're in trouble, I can fix that for you." But really, it's about taking a step back and saying, is this going to fit the business's agenda? Is it going to fit the business problem? Or am I just looking at this because my friend's CISO is using it exactly the same? Am I just chasing the technology because it's the technology that's being mentioned on every single stage at Infosec? And AI is a prime example here.
0:28:43.2 Holly Foxcroft: There's this arms race for adoption of AI, for the adoption of AI without looking at the practicality as to why we're actually using it, or the risk of us using it, and the risk that actually comes with AI security. There is not enough focus on the security or how to secure against AI. We see so much being spoken about AI adverse attacks. Actually, let's look at that adoption of AI security within our teams, and also the guardrails of people using AI. We made this mistake with the internet, right? It was cast out, people used it, people abused it. Same is happening with AI movement. Same thing.
0:29:23.4 Ian Golding: Yeah, even a year and a half or two years ago, I remember, because bearing in mind I go in and out of different roles and talk to lots of companies, people were grappling with whether they should allow or disallow AI. I mean, it seems strange to say that now because it's like here and everywhere and it goes underground if you don't have an approach.
0:29:39.7 Emily Wearmouth: Do you remember when Italy blocked it? Italy just said you can't use ChatGPT. That seems bonkers looking back now. I mean, it was pretty bonkers at the time.
0:29:46.9 Ian Golding: It all combines with everything we're discussing about being progressive, finding the path, the risk appetite, the innovative tools that will allow you to work well in this environment.
0:29:56.0 Holly Foxcroft: And it's very much that because you could be scared of the new or you think you're being risk appropriate. And this is with shiny new tools where you go, yeah, absolutely fantastic. But innovation is not the enemy. Unquestioned innovation is. I was very proud of that. Well done. That's what ChatGPT gave us.
0:30:16.6 Ian Golding: Right, I don't.
0:30:17.7 Holly Foxcroft: It actually did. I'm not afraid, but also, many of us are afraid to actually say, I actually use ChatGPT for that. I actually use AI. And making that part of the conversation and being honest and transparent about our uses of AI, because with shiny new technology, we almost don't want to say that we're using it because we want to take the credit for that new technology. And particularly with regards to AI, when we're automating things or when it's doing jobs for us, we almost want to take the credit for that.
0:30:47.6 Emily Wearmouth: I've got an idea. I might get ChatGPT on the podcast as a guest and see how it fares. See if anyone will listen. See how it deals with my slightly more kooky questions.
0:30:58.3 Ian Golding: I assumed we were all being cloned as we speak.
0:31:00.5 Emily Wearmouth: Probably. So we've talked a lot about AI. AI was the fourth topic that I wanted to pick specifically. There's some conflict in some of what we heard from CEOs. When they talk about innovation and when they talk about AI, they say slightly different things. So they said they want their tech leaders to be expert advisors on the possibilities of AI, specifically, as you've said, in terms of where it can solve business problems. And the AI conversation is unusual in that it's one that the CEO is likely to initiate. But they want a willingness to adopt improvements from AI alongside this level-headed advice. And Gartner found out recently that 44% of CEOs think their CIO is not AI savvy, which is fascinating. So they like shiny things, but not AI, apparently. So I wanted to get your reaction to that, first of all. Is that unfair criticism? Why do you think the CEOs are confident in saying that their tech leaders aren't AI savvy? Does anyone want to take that one? You all look a bit befuddled. I know, it's fascinating.
0:32:01.0 Rich Davis: I think this is a very interesting topic. And I think a lot of it is because of the fast-moving pace of where we are. We very quickly moved on to do we or don't we allow our employees to use public ChatGPT, and other Gen AI services to how can this actually help our business? And I think a lot of this may come from the fact that many CISOs are just constantly chasing their tail. They're constantly trying to keep up to date with actually what's the latest advancement? What's the latest model that's in use? And how is that changing the landscape? And where does our organization want to use this first? So I think a lot of CISOs are still trying to get to grips with actually where does my business want to use it the most? And what impact is that going to be? Is it that the business wants to put it into a tool that our end customers will be using? And that brings in different risks to an internal tool where actually data is just maybe being exchanged within internal employees. And that shifts the risk again. And I think that probably stems from a lot of that discussion, which is I think the expectation is that CISOs are the all-powerful, knowledgeable oracle of everything.
0:33:11.7 Rich Davis: And I think every CISO just needs time to breathe from time to time. And that's the situation we're in where it's just so fast moving. Can everyone keep up?
0:33:20.2 Emily Wearmouth: Fan. Now, time has run away from us a little bit. It always does on Security Visionaries Podcast because I could talk forever with all of our guests. So I just want to say thank you very much to Holly and Ian and Rich for joining us today. If you aren't already a subscriber, dive onto Spotify, get onto Apple Podcasts, wherever you listen, and subscribe. And then you will hear, once we've done a little bit of post-production, your episode. Thank you very much for joining us.
0:33:47.1 Emily Wearmouth: Well, there you have it. I hope you stuck with us. You can probably tell that alongside the excellent expert insights, we also learned some useful lessons from this first live show, mainly about where to place our microphones next time. I've been Emily Wearmouth, one of the hosts of the Security Visionaries Podcast. Thank you for joining us, and we'll see you back in the studio as normal for our next episode.
){kind=icon}
