👁 🐝 Ⓜ️ | Architecting Secure Solutions • IBM Inventor • IBM Open Innovation Community (OIC) • Member of the IBM Academy of Technology (AoT) • Open Source Advocate • Hacker • ex-OpenBSD (xsa@) | Field Hockey Coach
Automating 80-90% of a $100 Billion Market 👀
BSidesSF recently released their playlist from their 2024 event (cc: Clint Gibler)
So naturally I've been binge watching all the talks, including the keynote from Chenxi Wang, Ph.D.
Chenxi is someone I've followed for quite a while and whom is incredibly sharp and experienced.
She gave a talk on AI and Cyber, and towards the tail end of the talk she said something that really caught my attention.
She pointed out how Cybersecurity is roughly a $200 Billion USD market - and about 50% of that is Professional Services.
Chenxi then went on to say she or some believe that about 80-90% of that can be automated with AI.
Now, I'm as excited about AI as everyone else, but this metric seems incredible.
After several decades of cybersecurity experience in large complex environments, I know that despite all the VC focus, buzz, and marketing being around tools - they generally require human involvement.
Deploying, tuning, configuring, optimizing, monitoring and using them to drive down organizational risk - all in a coherent and orchestrated manner coupled with policy, process and leadership.
Furthermore, organizations are complex, full of humans, requiring expertise in communication, empathy, story telling, building buy-in and relationships and countless other non "cyber" skills when it comes to building and leading effective cybersecurity programs.
The idea that any technology, even AI, can automate 80-90% of cybersecurity professional services is really tough to grasp, even for an AI optimist like myself.
What does everyone else think?
Do we foresee AI automating much of the human element required in leading effective cybersecurity programs and risk reduction?
Or do we think it will make the human cyber workforce more effective, while not outright eliminating a large portion of them?
(Be sure to watch the BSides 2024 playlist, which is full of amazing talks and speakers - I will drop a link in the comments below 👇)
#ciso#ai#cyber
Navigating AI
A Blueprint for Leadership
Rob van der Veer gave an excellent concise talk for leaders looking to help get some governance on their organizations AI Development efforts.
In the talk:
- He lays out practical recommendations, including leveraging longstanding software security best practices (e.g. inventory, version control, testing etc.)
- Avoiding recreating the wheel and leading to siloing AI security efforts
- Leaning into existing guidance such as recent ISO standards as well as the OWASP AI ExchangeOWASP® Foundation
- Accounting for some of the new and novel attack vectors and threats associated with AI
Rob continues to be a valuable asset for the community - if you have a chance to give the talk a watch you should!
#ciso#ai#cyber
Decipher Podcast 🎤
Had a great time on this episode chatting with Dennis Fisher from Duo Security
We dove into:
- All things software supply chain security
- SBOM’s, Open Source and SaaS
- Secure-by-Design
- The nuances of running a cybersecurity consulting firm that’s focused on the public sector
https://lnkd.in/e6RgBnxX#ciso#cyber
Resilient Cyber Newsletter #4
A lot to unpack this week.
- Is cybersecurity “full”, or full of gatekeepers? With input from Stuart Mitchell, Jerich Beason and Helen Patton among many others
- GenAI Misuse Taxonomy and Real-World insights from Google
- LLM’s in Cyber: Threats, Exposures and Mitigations (great free book!)
- Explosive CVE growth as laid out by Jerry Gamblin
- The Exploit Prediction Scoring System (EPSS) Guide from Chris Madden
And much more!
Safe to say there’s a ton of activity around securing AI, getting a handle on the vulnerability landscape and dealing with longstanding cyber workforce woes
Hope everyone enjoys this issue, and as always, be sure to subscribe and share it with a friend 🙏
https://lnkd.in/eB9FAKew#ciso#ai#cyber
Department of Air Force ZT Strategy
Recently the United States Department of the Air Force released their Zero Trust Strategy
It's a concise document showing the direction the USAF is headed when it comes to implementing and achieving Zero Trust objectives.
It lays out goals across the defined ZT Pillars:
- Applications and Workloads
- Data
- Users
- Device
- Network and Environment
- Automation and Orchestration
- Visibility and Analytics
The overarching theme is moving away from the legacy network-centric security model and to a data-centric model.
It also aligns with the previously published Cybersecurity Executive Order (EO 14028 as well as the Federal Zero Trust Strategy M-22-09 from OMB.
If you're supporting Mission Owners within the USAF or looking for insights into how aspects of the DoD are approaching Zero Trust, this is a solid read.
cc: Venice M. Goodwine, CISSP, PMPJay BonciAaron B.#ciso#zerotrust#cyber
LLM's in Cybersecurity
Threats, Exposures and Mitigations
Incredibly comprehensive FREE resource
The book is broken into sections, covering:
- Introduction to LLM's
- LLM's in Cybersecurity
- Tracking and Forecasting Exposure
- Risk Mitigations
This eBook really covers a broad spectrum of concepts from the fundamentals of LLM's and their history, to common security risks and exploits, investments around LLM's and the evolution of AI policy and potential regulations as well.
It's awesome that the authors have made it publicly available for the community for free.
You can find the download link in the comments below 👇
Andrei KUCHARAVYAlain MermoudValentin MulderVincent Lenders#ciso#ai#cyber
OpenAI Security Breach
Interesting article detailing a security breach OpenAI experienced in 2023.
It wasn’t disclosed previously due to the organization claiming it didn’t impact partners or customers and had no national security implications.
It’s stated it didn’t impact the actual AI systems and infrastructure.
However, a former employee is detailed as being fired sometime after authoring a memo to OpenAI’s board raising concerns around security and safety.
Definitely something to keep an eye on, impacting the fastest growing technology that’s quickly being embedded into countless third party environments, API integrations and organizational data.
https://lnkd.in/emrEidaH#ciso#ai#cyber
Generative AI Misuse
Google recently published an excellent paper discussing a taxonomy and considerations for potential GenAI Misuse - grounded in real world data.
It covers:
- Exploitation of GenAI Capabilities
- Compromise of GenAI Systems
- An excellent breakdown of tactics, their definitions and real-world examples
As we see GenAI systems explored and integrated further, from a security perspective it is very helpful to have a taxonomy to discuss these tactics and use examples to gain lessons learned and bolster defenses from future attacks and misuse.
#ai#ciso#cyber
Is cybersecurity “full”?
That’s the case some are making
I caught this article floating around that’s caused quite a bit of discussion, with great input from folks such as Stuart Mitchell, Jerich Beason and Dakota Riley
While the debate around whether the field is “full” or not is fun, I found the author to be pointing out several valid and nuanced topics, such as:
- The surge of entry level talent being driven by the intersection of those seeking secure careers with livable wages, coupled with pushes for training, education and more from certification vendors, Universities and unfortunately, Charlatans in some cases.
- Poor practices by recruiting firms and even organizations who are hiring (we’ve all seen the job description’s)
- A hyper focus on Offensive Security, despite the reality that jobs in cyber are mundane (Ross Haleliuk has a great article on this)
- The myth that you don’t need to be technical (ironically Helen Patton has a great recent article on cybersecurity gatekeeping and the value folks from other fields can bring to cyber)
Most notably what jumped out to me is the harsh truth that “security is optional”.
As the author points out, barring some compliance requirement, security is generally viewed as optional, and even then, most will avoid doing the work and risk an incident or regulatory consequence if it means making broader revenue targets, speed to market and more (sounds a lot like the language from Jen Easterly and Cybersecurity and Infrastructure Security Agency’s Secure-by-Design push).
There’s some harsh realities in our career field that this authors article sheds light on.
That said, despite these challenges we know two things:
- Software increasingly powers countless aspects of modern society
- Malicious actors are taking advantage of that and exploiting it
Neither of these show any signs of slowing down.
https://lnkd.in/earDzDdU#ciso#cyber#career
Security Researcher
5dMy jiujitsu club closed for Canada Day... maybe I should emigrate 🤔