ITSPmagazine Podcast Network

Cybersecurity Leadership: AL, Burnout, and Success Strategies | A Conversation with Jack Leidecker | The Soulful CXO Podcast with Dr. Rebecca Wynn

Episode Summary

In this episode, you will be fascinated as our guest discusses his journey into cybersecurity, the importance of attending conferences like DEF CON, and how to align security initiatives with business goals. We also dive into the impact of AI on the role of CISOs and the challenges and opportunities it presents. Don't miss this insightful episode packed with valuable information!

Episode Notes

Guest: Jack Leidecker, Chief Information Security Officer, Gong

LinkedIn: https://www.linkedin.com/in/leidecker

Host: Dr. Rebecca Wynn

On ITSPmagazine  👉  https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/rebecca-wynn

________________________________

This Episode’s Sponsors

Are you interested in sponsoring an ITSPmagazine Channel?
👉 https://www.itspmagazine.com/sponsor-the-itspmagazine-podcast-network

________________________________

Episode Description

In this episode of the Soulful CXO, host Dr. Rebecca Wynn welcomes Jack Leidecker, the Chief Information Security Officer at Gong. Jack shares insights into his journey into cybersecurity, starting from pentesting and advancing to building robust security and compliance programs in the technology and financial sectors. They also discuss why conferences like DEF CON matter for cybersecurity professionals, the need for a responsible approach when using AI in cybersecurity, and why outputs generated by AI systems must be validated for accuracy and reliability: that validation step is what verifies the results and surfaces errors or biases in AI-generated output. They also cover legal liabilities, and more. Tune in to learn from these world-class cybersecurity professionals.

________________________________

Resources

Balancing Critical Thinking with Professionalism: A Guide to Constructive Feedback
https://medium.com/@soulfulcxo/balancing-critical-thinking-with-professionalism-a-guide-to-constructive-feedback-8888542a507f

Enhancing Professional Communication: Strategies for Effective Feedback and Collaboration
https://medium.com/@soulfulcxo/enhancing-professional-communication-strategies-for-effective-feedback-and-collaboration-2f3f3b5f9c38

NIST AI Risk Management Framework
https://www.nist.gov/itl/ai-risk-management-framework

Shields Up: Guidance for Corporate Leaders and CEOs
https://www.cisa.gov/shields-guidance-corporate-leaders-and-ceos
________________________________

Support:

Buy Me a Coffee: https://www.buymeacoffee.com/soulfulcxo

________________________________

For more podcast stories from The Soulful CXO Podcast With Rebecca Wynn: https://www.itspmagazine.com/the-soulful-cxo-podcast

ITSPMagazine YouTube Channel:

📺 https://www.youtube.com/@itspmagazine

Be sure to share and subscribe!

Episode Transcription

Cybersecurity Leadership: AL, Burnout, and Success Strategies | A Conversation with Jack Leidecker | The Soulful CXO Podcast with Dr. Rebecca Wynn

[00:00:00] Dr. Rebecca Wynn: Welcome to the Soulful CXO, I am your host, Dr. Rebecca Wynn. Please take a moment to LIKE, SUBSCRIBE, and SHARE the show. 

We are pleased to have with us today… Jack Leidecker…

Jack is the Chief Information Security Officer at Gong, a leading revenue intelligence platform, where he oversees security and compliance initiatives. His extensive career includes senior roles such as Senior Director of Information Security at Teradata and Vice President of Information Security at Digital Realty Trust. Jack has a proven track record in building robust security and compliance programs across technology and financial sectors.

In addition to his role at Gong, Jack collaborates with YL Ventures and provides advisory support to multiple startups. He is a highly sought-after speaker at prominent cybersecurity conferences, including SecureCIO, ISC2, IANS, and Evanta, where he shares expertise and insights on advancing cybersecurity practices. 

I know that was longer than you wanted me to have for you today, Jack, but welcome to the show. [00:01:00]

It's great seeing you again. 

[00:01:06] Jack Leidecker: I appreciate that intro. It's great to be here and looking forward to the conversation.

[00:01:10] Dr. Rebecca Wynn: How did you get started on your journey into cybersecurity and being the world class CISO that you are? 

[00:01:19] Jack Leidecker: Sure. Back in the day, as I'm sure you probably know as well, I've been in security quite a while, so there wasn't a security degree, um, in that perspective.

I started in pen testing and actually even from that, one of my favorite conferences that I'm going to again this year that I've been going to for many, many years, which is where you see lots of badges, even behind me is Defcon. So I started that kind of in the late nineties, uh, moved in some technical roles when I was working for a bank.

I had a, an interesting opportunity to go more on the compliance side. Um, and that kind of moved me into management pretty quickly. And then from there kind of stumbled into, it feels like building a lot of teams for a long time in that regards. 

[00:01:58] Dr. Rebecca Wynn: A quick question about DEF [00:02:00] CON. There are two schools of thought out there about DEF CON: that CISOs, CTOs, CIOs, and people like that should not go to DEF CON or ones like that, because they're afraid that you might be breached and then your information gets leaked out there.

And another side is like, that shows you how to, one, be more proactive and protect yourself. And it gets you to go ahead and see some really great security and networking experts out there that you might need to hire at some point in time, maybe for your teams. What's your viewpoint on that? And how do you think people should maybe go ahead and look at that?

[00:02:33] Jack Leidecker: Full disclaimer, I'm very biased from this perspective. I also think for me, it's fun to try and stay technical on some of those different areas with it. So I don't believe in just kind of being in this ivory tower and not wanting to know what's going on. I definitely want to know what's going on. I think it's important to understand what the threats are, what's going on out there.

A lot of the collaboration is really interesting. I would say it's a much bigger conference than it used to be. I mean, I've gone to over 25 DEF CONs at this [00:03:00] point. So I remember back when it was really small and smaller hotels and it's gotten much larger, but I think the net result of it for me, of why I've always really enjoyed it, is it's a relatively open community.

And I say relatively, 'cause there's always little cliques. Oh, you haven't gone to enough or whatever the case is, but there's a lot of openness still. And it's always really interesting. Even back in the day, there's a chance for black hats and white hats and government and everyone in between to kind of get together, talk about what's happening, what's interesting, what's going on with it, what are people looking at to attack. Also, that helps you understand what to protect.

So, I think one, if you're just scared to go into a conference, I would kind of question how robust is your program. If that's really your fear, there's obviously ways to mitigate it. You don't want to be going in with stupid passwords and Bluetooth and everything else on, but at the same time, it is a very big conference.

I think some of that gets a little overblown. The collaboration and introductions and people, especially like you said, hey, you might want to hire some of these people. Because I've been going for so long, I [00:04:00] get to run into people that maybe I haven't in a long time. To me, it's just that it's a really fun event and gathering to be able to get together and collaborate on different things.

So, obviously, from that perspective, that kind of gives you my answer. Really love it. I even brought my team to it last year, and even this year, we're trying to see how many of my team is going to go. Like, that's even something I try and give to my team. And it's always been something important for me where again, it's a few days, a lot of content packed into it, but it does get pretty busy.

So you just have to figure out how you want to manage it. But I think it's really beneficial even if you are a senior leader to be able to go. 

[00:04:35] Dr. Rebecca Wynn: I know one of the things we do here in the Phoenix area is we do a recap several weeks later. We do a deep dive, that's, you know, six, eight hours. Usually they have me come in and speak first on privacy, governance, risk, legal ramifications and stuff like that.

It's pretty funny. But then we go ahead and Eric Graham and others come. And what we do is we do a deep dive then through several of the sessions and the coolness of them. And so maybe if you were on the [00:05:00] side that maybe your job doesn't like you to go directly, maybe go ahead and work in your communities to go ahead and do recaps and deep dives and working sessions that way in a, quote unquote, safer environment.

[00:05:12] Jack Leidecker: Yeah, and I would say, even since kind of the pandemic, they did this a little bit before, and some of them get broadcast too. Right? So there's some sessions you can see. It's interesting because it will range a gamut of very technical to very legislation-focused too. So, I mean, especially SEC rules are probably going to be another topic again this year and some other stuff that goes on with it.

So it really is a variety of different things. And to your point, there's lots of others, not just recaps, local conferences too. So, I mean, I think my takeaway, regardless of whether it's DEF CON or some other ones, I think there's a lot of value in getting out into the community, because I would say no matter how good you are individually, the more that you can kind of collaborate with other leaders, it helps you become a much stronger leader.

And I don't think I would have gotten to where I was if I wasn't able to collaborate with a lot of people. They just, you end up hitting more of a [00:06:00] plateau, I think, because it's like, Hey, I ran into this issue. How did you deal with it? Right? That's always a far more effective path than just trying to figure it out by yourself.

[00:06:08] Dr. Rebecca Wynn: And talking about conferences and the importance of going to conferences, I just caught you getting off an airplane, being at a conference the last couple of days. What conference was that?

And what were some cool things that you learned there? 

[00:06:19] Jack Leidecker: Yeah, no, it's T.E.N. ISE East, so they've been going on this, I think, actually, over 20 years now. So my team was nominated for a project, we were with a lot of other really cool projects, we didn't win, but it was still fun to present, talking about how we helped increase revenue, even at Gong, as part of a security program.

So actually using security, not just as, let's say, an enabler, but actually being part of that business, which was fine. And then I also was nominated for executive of the year, which I did make the finalists this year. So that's an improvement, didn't win, some other people won there, but it was still, it's a super fun event.

It's one that they put on where [00:07:00] it's very kind of, I would say, rapid fire. In some of the cases, you get a lot of content really quickly talking about different things. Hearing some of the other projects that people did is always interesting. And it's just nice where we have a conference to kind of celebrate security teams and security projects and security executives, right?

Like that for me is always kind of a fun thing, regardless of whether you win or don't win. This time, actually, I got a little trophy, so I will say that was kind of nice.

[00:07:25] Dr. Rebecca Wynn: It's always a challenge for us to try to align with executives, try to get sponsorship for our projects and really get it out of cybersecurity technobabble so they can understand that. What words of wisdom can you share with us on how to try and do that successfully and how to pick projects that can be really beneficial to the business and not just something that we think is cool?

[00:07:51] Jack Leidecker: Yeah, so I think this has been a challenge for a long time, but it's obviously still a challenge. We even hear the business sometimes complain about it. [00:08:00] Back in the day, I went to get my MBA mainly because I wanted to be more strategic. So I did that to focus more on strategy, and I wanted to talk to the business because I was having a hard time, especially early on in my career.

I'm like, we know exactly what we need to do. We explain it. But it's kind of technical, so it didn't really mean much, but it was like, why aren't they jumping at the, yeah, of course we need to upgrade our firewalls and we need to throw this new IDS in, right? Like it felt like it should be self-explanatory, but I think in being able to understand that, like, honestly, in some cases, we're not speaking the same language. Of course, that doesn't mean anything to them, right? Like, what does that mean? Is it reducing my risk? Is it helping me get new business? What's going on there? So, I think that was a good basis for me, but I also think whatever company you're at, as silly as this seems, you need to understand how you make money, right?

Companies are driven. We're a very capitalist society. Unless you're working for a nonprofit, you usually have a way of how a company makes money. And the reason why I say that is you want to [00:09:00] understand how you make revenue and then how do your projects contribute to or protect that revenue?

Right? Because if they don't, then there's a question of how much of a priority should it be or shouldn't be. I will say for me personally, this is where I would say I shifted more from retail into more B2B. I want customers to want us to have a robust security program, because then I think that's actually something where we can directly provide value.

Can't do that necessarily in B2C as well. Just don't get impacted with credit cards, from my perspective and being in that industry. So it's hard to have that same type of ROI. I find mine's a bit easier where I'm like, hey, look, when my team is involved, our SAO win rate is two X, right? That's something that a CRO can actually understand, right?

Oh, okay. Hey, why is that? To some extent, some people are a little skeptical of role. Of course, we know that we have to go through security because of this, but I will say when I started, that wasn't the case, right? When I started, it was security is the number one thing stopping us from being able to get new revenue right now.

Security is the thing that's helping them close. [00:10:00] So even just shifting that mentality was extremely helpful. But more importantly, when you're looking at different places, you want to understand. What does your company do and what can I do to align with it? Cause that just makes your discussions a lot better.

Because if I try and push, again, this new software, this new thing that I need to do, hell, even a new certification, if I can't tie that back into the so what, it's a much more difficult sell. And this is why I think you also see a lot of CISOs, quite frankly, burn out pretty quickly, right? Because if you can't get that alignment where they're able to understand you and you understand them, it's a really unfulfilling time.

[00:10:37] Dr. Rebecca Wynn: How do you write that business case? Do we just write it from our perspective on we need it? And you know, you hit them over the head with a compliance standard. Do you try and follow what the CFO is doing? Do you try and do customer service? What kind of bottom line do you put up front and how do you write through that? Can you walk us through, at least on a high level, how to do that more effectively? Cause I think a lot of people out there [00:11:00] struggle with that.

[00:11:00] Jack Leidecker: Yeah. So I think some of it's going to vary a little bit by industry, but it's kind of the same concept, right? So for me, one of the things that I always love doing when I start in a new place, and I know we need to build up a program because it's something I've done a lot of my career, and what I learned is, rather than me coming with a framework that I have to get alignment on, why don't I start with what we've already agreed to? Simplistic as that is, it's actually super powerful. And it usually actually identifies where you already have gaps anyhow.

Right? So I can look at my contracts. What did we agree to? Whatever our customers expect, how are we doing? A lot of times, especially if they're a newer company, there's going to be some gaps, right? So being able to focus on that first, that's usually a pretty easy alignment where there's not a lot of debate, right?

I'm not having to go back and forth a lot. It's like, oh, shoot, we didn't realize that. If that's what we want to do, we want to do it. Then I would say the second part, if you can, and again, not every industry is the same, sales is the one that honestly is the best one because they can help really quantify it.

Right? So, for example, [00:12:00] one of the things, and this was at a different company, they really wanted cloud providers, but it's like, what are we missing to be able to do that? So I'm like, hey, this is what we're missing. This is what I need from a program perspective. This is what it costs. And then they're like, great.

Now I can give you a dollar figure that was really, really high for what they think they can actually get from a revenue perspective. And when those two actually go together and it shows that it works, it becomes a much easier discussion to move things ahead. So the more that you're aligned to what your key company initiatives are, the easier it is to kind of have those discussions and be able to make progress. 

[00:12:34] Dr. Rebecca Wynn: How do you dig through and find out really what that true security strategy is?

A lot of times you might follow a CISO and they say this is our security, initiatives, or you might have that in interviews, but once you get there, you find out that, no, that's not how they're really rolling. How do you navigate that, especially for people who are either new CISOs because the company has never had a CISO before, or they're coming into new jobs?

I think that's the reason, when you talked initially about [00:13:00] burnout, I think that's the reason for a lot of burnout: you're coming in thinking that they're really set to be this one direction because you got that from all those interviews. And then you get there and you find out that you're not even on the same playing field at all.

[00:13:11] Jack Leidecker: Yeah. I think bringing reality back to the situation is the first step. I would say maybe because I've always been skeptical, and again, kind of maybe starting on the other side where I feel like we usually were able to break something, I've never gone into a place expecting it to be perfect.

One, if it was perfect, I'd probably be bored anyhow, quite frankly. But I think a lot of it is just being able to understand where are we actually at? We said we're here, but we're actually here. Do we need to be there? Do we need to be higher? Do we need to be lower? Right? And lower may sound a bit crazy, but in some cases, hey, some of these controls may not be providing a lot of value.

It may not mitigate risk. You want to reevaluate what you're doing overall. But then again, I would still tie it back into what do we have to do? Right? Because I would say, [00:14:00] if you look at good security programs, a lot of the basics, quite frankly, sadly, are still the same things that actually prevent a lot of the risk, right?

How am I patching? Am I doing MFA and managing my users? Well, how well can I protect email? How well do I develop code? Like, these aren't really new concepts. So I think from that standpoint, it's being able to understand where do we think we are? Where are we actually, where do we want to go? And how do I build a plan to be able to do that and be able to include what some of those benefits are?

And again, looking at what do I have to do? Hey, if I'm a regulated entity, all right, I'm supposed to be FedRAMP or FISMA, but I'm really not even close, but half my contracts are. Well, shoot, that's a pretty high risk for us that we need to be able to fix, right? Or we're in healthcare and we need to go to HITRUST, right?

So you can use, I would say, some of the compliance aspects to help a little bit. My only caution with that is I've also been at a lot of places where we have a lot of certifications and we don't necessarily have the best [00:15:00] security. So it's a good baseline to start, but you don't want that to be your destination.

Right. And I think that's the part where people get tripped up a little bit, where it's like, hey, we have to do those. And if we do good security, they come really easily, but we want to make sure that we kind of know what our end point is. And what do we want our goal to be? And be realistic about it too.

Even though it may be painful and you'll get pushed really hard of like, no, I want everything good in a month. Awesome. It gets into like writing a really good book. I can throw a thousand people at a book. It's still not going to come together in a week. Right? So there's only so much manpower you can shift in an organization and so much change at once.

So you want to see what makes the most sense. And then I would say the most important thing is how do you track it? Because I think that's the part that makes it where it becomes real. We agree. This is what it is. We track progress every month, every quarter, whatever you want to do with it. And as long as you're doing better, that's really what you want to be able to focus on.

Right. And sometimes you have to shift based on the business, but that gives you a roadmap that you can work with. [00:16:00] Because without that, you kind of jump around trying to do this, trying to do that, saying, oh, we have to do this, this new risk popped up. You jump around at a bunch of different places and then you ultimately don't usually make progress, which I think is also where you see a lot of burnout, where it's like, hey, I was there for a year.

Couldn't get anything done. This sucks. I just need to get out, which I've heard from some of my peers. That sucks and sometimes that happens. And I would say, I think there's the other side of it. The company that you join may not always want to do what you need to do. I know even I've said some fun things in the past that some people look at me a little strange for, where I've told CEOs:

Hey, if you want checkbox compliance, that's awesome. You can actually probably do that twice as fast as I will. I am the wrong person to hire. You really should not hire me because if that's what you want, I'm not going to do it. You're not going to be happy. I'm not going to be happy. Let's just not go through that.

And I think trying to set those expectations, as difficult as they are, up front usually makes it a little bit easier down the road, because you never want to find that out after the fact.

[00:16:59] Dr. Rebecca Wynn: I agree. I [00:17:00] tell people if your framework is going to be "Hope and pray that it's going to be okay," I'm not the CISO for you. And if you just want to be reactionary all the time and not think about process improvement and taking that stress off your people so they can do the mindful work you need to do, I'm not the right CISO for that situation.

How can we better do analysis of those positions so then we can better align with what's going to resonate with us as CISOs and not hopefully take that wrong position?

[00:17:31] Jack Leidecker: Yeah, so I can't say I've always picked everything that worked out the way I wanted and sometimes it's good and then you grow out of it.

Right? Like I would say, I've typically been in a lot of growth. And then after a while, if it becomes too stable, it may not still be the right thing. So I think it's also, where are they going? How are they aligning? But also, I think sometimes people don't always push as hard as they probably should during an interview process, right?

It's going both ways. They're interviewing you. You should be interviewing them just as much, [00:18:00] because, simply, it's going to be disruptive if you're not going to be able to be successful and vice versa. And sometimes that's hard because it's like, hey, I need to get the job or I want to leave my previous job or whatever the case is.

But you really need to take a step back, right? Like, I think being very up front of, these are some of the expectations I have. Now, I would say at the same time, I never really go with a budget number, though, because I don't know enough yet. Right. But what I can say is, hey, I have an idea of what it is, but depending on what we want to do, it's going to change.

Right. And then we should be able to have that conversation, decide, do we want to do this, not do this, et cetera. Right. There's some other people that don't like building. Right. So if you're going to a place that's more stable, maybe they're more compliance oriented, been doing it for a long time, it's more static, and they just want someone to kind of carry the torch.

That's great. Right. If that's what you want to do, then you want to kind of seek that out. Or again, if that's not what you want to do, you definitely want to make sure you understand what you're kind of walking into. And I also think what helps is what are the reasons why they're looking now, [00:19:00] right? Is it someone left, someone got fired, they had a breach, they had an incident? They're going into a growth phase because now it's like, hey, we've had all this business, but we know we need to up-level our program as we're expanding industries. Those triggers are probably going to be more telling than most of the other areas.

They kind of help you understand if this is really what you want to do and whether or not that's a challenge that you like to do. Because I think for me, security is a field that obviously I love and I've been in a long time, but I could say, if this isn't something you like to do and you want to dig into details and go through stuff all the time, you'll be very, very bored and hate your life.

And that's not so fun, right? So, because I think people are jumping in going, hey, it's this great career, which I think it definitely is, but it's also one of these, because it's not so defined as some of the other ones, where you have to constantly want to learn and dig, otherwise you fall behind.

[00:19:50] Dr. Rebecca Wynn: What are some of the things that cause you pause when you look at a possible position?

I know for me, you end up having a job description that's six to ten pages long. There's nobody [00:20:00] on the planet who can do that. That's a warning sign for me that you don't know what you want or your expectations. There's no way I ever can meet them. And so you're setting me up to fail, in my opinion.

The other thing is, your first mandate is there absolutely can be no breach on your watch. I help manage risk. There's a lot that's not under my control. And the other thing, I just tell people, look over the turnover rate. When they end up having a CISO that's leaving every 18 months, that means that usually that CISO was looking within four to five months.

Those are really big signs for me. What do you think people should probably pause and do, at least be a flag to do a reevaluation? 

[00:20:36] Jack Leidecker: Yeah, I mean, I think some of the ones you mentioned are probably good. I don't know. I would almost say maybe from my perspective, what I'm typically going for is I fully expect whatever job description they have not to actually be reflective of what I'm probably going to do.

So maybe I'm a bit more unique in that one, because again, over the last four or five positions, I've been either the first one or rebuilding entire teams. Right. [00:21:00] So from that one, it's more of like, Hey, I understand you're looking for all this. Why are you really looking for it? What do we want to accomplish and then kind of redefining it.

But that's not necessarily the right approach for everyone. Right? And it may not be what you're even looking to do. But I think, utilize your network as well. Like, I would say, hey, wait, I thought you were there. What happened?

Like, oh my, I can't believe that was so quick. And my other colleague was too. So even that I think is actually probably more telling. I know one of my colleagues was going for something with them and they reached out to me. I'm like, you should just ask the recruiter: why did they have three CISOs in the last nine months?

Now, granted, I will say there is a decent chance that that recruiter may ghost you as a result, but if they're a good one, they might explain why. And if you could figure out that challenge and you can help them overcome it, great. If not, maybe it's not the right one. But I think being able to be inquisitive, dig into it, is key.

And then also, I think more importantly, which is really whether it's a CISO position or any other [00:22:00] position, when you're going through the interview process, is the person you're reporting to someone that you can see yourself actually working with? And that always seems kind of silly, but I can actually say there's been a few where it's like, I know there was one in particular that comes to the top of my head.

I got along amazingly with the whole executive team, except for the person that I was supposed to report to. And it was really awkward because even like they're like, everyone loves you. Like, we want to try and have you talk to him again and see if we can get over this somehow. It's just like, wait, this is a little weird.

Like, I never want to go into a position where the person I'm reporting to doesn't, they're not sure that they actually want me. Cause that's just setting up a bad precedent, obviously. But I think the people aspect is the thing that you really want to focus on too, right? How is the interview going? How are they doing?

Do they get back to you? Do they seem like they're people focused? All those things I think need to come into consideration when you're kind of looking at it to make sure that you're finding something that you feel it can be the most successful at. But I would even [00:23:00] say with that.

Sometimes you can jump into situations that, even to the best of your ability and control, it's just not meant to work out. Right? Like then at one where I remember I joined and all of a sudden we had data streaming everywhere, and it was streaming for a long time before I started, but guess what? I'm still the one that found it.

So we had to deal with it and everything else. And it's just like, that was probably not meant to be a long-term position in the end either, which was fine, I think, for everyone with it. But like, those are some of those aspects that I think too, that you don't want to get too stuck on. It has to be perfect.

It has to be this. It's what do we want to do? Am I helping us move along? How does that work? And am I being fulfilled in what I want to do? And I think as long as you're doing that, then that's usually a lot better than just jumping around and doing something else with it. 

[00:23:44] Dr. Rebecca Wynn: I have to ask the AI question.

So you think AI is going to continue to displace a lot of CISOs? I know a lot of small and medium size. That unfortunately they're getting rid of a lot of their CISOs are going more towards maybe a security [00:24:00] engineer and trying to have them use any of these bots to write policies, procedures, look at legal contracts and stuff like that.

And I tell people, you're going to be in a big hole for that. Cyber liability is huge out there. What do you see on that front? There's just been such a shift to the left and it's not only me seeing it, it's our peers are seeing that we talk about that a lot, that worries me quite a bit.

And that's why I think that breaches are going to be on the rocket scale up. 

[00:24:25] Jack Leidecker: Well, I think they already are. Right. I mean, whether we're using AI or not. Bad actors are, they're moving much quicker. I think there's also a little bit of a misconception of what is a CISO do, right? CISO, a lot of it's risk management.

It's not just technology. It's also people process, it's legal liability. It's privacy and regulations as well. So if you think you're just magically going to get that. That's probably not going to work out so well, especially for a smaller company, but you know what? Hey, it's worth trying to do something different.

Sometimes, um, I'm less concerned around the longer term aspect. [00:25:00] There's always short term disruptions. Because ultimately, you see, what do we really need? It's how am I setting the strategy for what the company's doing? What's a risk appetite? And again, how am I helping that business grow? Because I think if you're doing that, it's much harder to be replaced with a bot that's just writing policies.

Again, if you want that checkbox compliance, like maybe that does work, but for most companies, that's not really giving them the value, right? Um, I think there's also a lot of fear around AI, a lot of it justified, right? Um, even a lot of the founders came out and said, um, particularly from OpenAI, it has the appearance of greatness.

It's not great yet, but it has the appearance, but it still can help reduce a lot of mundane things. You get a lot better insights out of it.

You want to be using machine learning. You need to find better ways to utilize this, but you want to use it in a responsible way that makes sense. And I think, again, if you're at that company where you got replaced and they're just putting a security engineer in a bot, honestly, you probably don't want to be there because they're not going to do so well when things go sideways and you're probably not going to have the support you want.

When I look at the amount of [00:26:00] responsibilities, uh, CISO has, right? And if you look even at some of the more recent articles, we're now managing more functions as CISOs than most other C-level executives, and most of those of us that are CSOs are not true C-level executives either, right?

So there's this weird dynamic in that perspective as well too. So I don't think there's any lack of work even. When it comes to AI, what's my AI governance strategy? How am I working with my data scientists? What's going to be our mitigation around that? What controls do we need? So you want to figure out where you're helping move along.

You don't want to be the blocker because then there is no use for you. Right. But you want to figure out how you fit through that whole process. But it is a shift and it's a pretty big shift. But I also think you've seen there was the initial shift of hype. So I think for better or for worse, it's still going to have a lot of people and process before technology can completely displace it. 

[00:26:51] Dr. Rebecca Wynn: I work with a lot of legal, a lot of legal contracts. And what I've noticed the shift in the last six weeks to two months is there's a lot of claw back in contracts.

Now I'm [00:27:00] being very specific. What are you using AI for? What are you not using AI for when we pay for X service? Is it AI doing it? Is a human doing it? Is a human oversight doing it because of the liabilities in part that's with cyber liability. And you made a key word that I always use too, insights. That means that someone else is using their critical thinking as a human to does this make sense, not make sense. We've been doing that for a long time in technology because we've been using a form of AI for a long time where it gave us flags, something to investigate. I think part of the problem was, is people taking it as absolute fact. Is that what you see too? 

[00:27:42] Jack Leidecker: Yeah. I mean, you kind of touched on a few different things, right? You even have some of the EU AI regulations that are coming down the pipe too. Um, there's the aspect of how do I validate output? Um, that isn't typically just an automated process.

How am I actually using it [00:28:00] responsibly? Do I know what's going in? Am I susceptible to hallucination and other data poisoning? There's lots of different threat vectors on it. I mean, I think even last year we were talking, um, at Black Hat that, outside of when we went to cloud quite a few years back, this is kind of one of those new frontiers again, right?

Lots of different threat vectors when we're throwing things in that we haven't thought about. So it's kind of a fun thing to both break and figure out how we want to protect in that regards. Um, but it is also kind of into that legal liability aspect of, are you doing it? Is someone else doing it? What are we doing as a company that heavily leverages LLM today?

As we get lots and lots of questions and it's like, Hey, when you have your model. There's public models, there's a combination of being able to describe what's used where, what data is trained, can I ensure that your data is not used by someone else? All those fun things are a lot more important now than they used to be, right?

And I would say it's something that I was focused on before, but now you actually have people asking more questions that are a little bit more poignant about it. So I [00:29:00] think it's actually a good thing for us overall, because it'll get us to a more responsible place to be able to utilize it in a manner where it's helpful versus just spitting you a bunch of garbage.

Okay. Right. So I actually think it's going to be a fun time to go through that. 

[00:29:13] Dr. Rebecca Wynn: Unfortunately, our time is totally flown by. I want to thank everybody for joining us on this episode. If you haven't already, please LIKE, SHARE, and SUBSCRIBE to the show. Look at the description. You'll have Jack's contact information and we'll put a lot of other resources for you there to help you on your journey.

Please subscribe also to the Soulful CXO Insights newsletter that comes out every other week. Again, thank you for joining us today, Jack. It's been a pleasure having you on the show.

[00:29:41] Jack Leidecker: I appreciate it. Thank you so much.