Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Very good question. Let's make sure that we are aware of those decisions. We do need to recognize that if we're going to let computers make some decisions, the first impact with AI is it increases the valuation of startups.
Speaker 2 (00:16):
Welcome again to another episode of Sell Me This Podcast. Today we have another episode exploring one of the most critical and evolving fields in business today: cybersecurity. I'm thrilled to welcome Alex Dow, the Chief Innovation Officer at Mirai Security. Mirai is dedicated to helping organizations protect their digital assets with cutting-edge proactive security solutions.
(00:37):
Alex not only brings a wealth of expertise, but also leads innovation at Mirai, driving forward new ways to stay ahead of evolving threats. Without too much more buildup, I'd like to officially welcome Alex.
Welcome again to another episode of Sell Me This Podcast. Today we have another episode exploring one of the most critical and evolving fields in business today: cybersecurity.
(00:59):
In a world where digital threats seem to be growing day by day, cybersecurity isn't just a necessity. It's a strategy for survival, and to help us navigate this complex landscape, I am thrilled to welcome Alex Dow, the Chief Innovation Officer of Mirai Security. Mirai is dedicated to helping organizations protect their
(01:24):
digital assets with cutting-edge proactive security solutions. Alex not only brings a wealth of expertise in cybersecurity, but also leads innovation in Mirai, driving forward new ways to stay ahead of evolving threats. This different perspective will hopefully help you make noise of all the choices in security, understand what to prioritize and how to make the most of the investments that you make in
(01:46):
securing your business. Without too much buildup, I'd like to officially welcome Alex.
Thank you, Keith, for having me.
Awesome. Thank you so much for being with us today, Alex. I'm going to jump right into things, and can you tell us a tiny bit about your journey and how you arrived in the wonderful world of cybersecurity and what led you to becoming the Chief Innovation
(02:07):
Officer at Mirai Security?
Speaker 1 (02:10):
Yeah, thank you. In 1996, the movie Hackers came out. And as a teenager that could turn on the sprinkler system of a school and impress a young Angelina Jolie, sign me up to hacking. So I got on the internet around 1996 as well, and as a kid didn't have a lot of access to credit cards, had to figure out how to access the internet my own way, went to school for it.
(02:30):
Really just got involved in cybersecurity at an early age. Joined Bell Canada to work in their security operations center, moved out west to build out a security operations center for the Olympics and then got into consulting, and that really is where I really hit my passion of exploring solutions and trying to innovate. On the side, I helped co-found BSides Vancouver and various
(02:51):
other events in Vancouver, and in 2017 took that community that I built to form Mirai Security, and really I love building. I'm a very curious person, so innovation is just right up my alley.
Speaker 2 (03:04):
So I'm going to quickly take a step back to the movie that I feel like was pivotal for a lot of our generation right now that's in IT. Favorite moment in Hackers?
Speaker 1 (03:13):
You know, I'm always very fascinated by the telecom networks and how phone systems work, and so when they were all at the payphone booths connecting in with the modems where you put the handset in, I always thought that was really fascinating. And I'll give one sidebar story. On the internet, with dial-up, you're always craving just a little bit more bandwidth, and that's when you started learning
(03:33):
about telecom services that were not accessible to residents, the residential and whatnot. So the T1, the 1.44 megabits per second, that was just so fast. And in my hometown there was a hotel being torn down and as kids we broke into it to check it out, and I remember going to the basement and finding this massive bundle of twisted pair
(03:55):
and I was like, this must be the T1 because it was just so big. Turns out it wasn't. That was just a bunch of phone circuits. A T1 is actually just twisted pairs.
Speaker 2 (04:04):
That makes sense, and so hopefully you haven't implicated yourself in too much there. Statute of limitations, there you go. So it's in the past, we're good to go. So the role of Chief Innovation Officer, I think, is a very interesting one in the world of security, and this is a space that is evolving incredibly quickly. What does your role entail and what does it look like on a
(04:25):
day-to-day basis?
Speaker 1 (04:26):
I like to solve complex problems. I challenge clients. When they say they want X, I ask why? And really I try to help them zoom out and say what problem are we trying to solve here? How does your business operate? And I had a recent conversation with a client that was really adamant on network security and I said, tell me about your environment. And they're using mostly cloud. So is network security really a thing anymore?
(04:51):
And it pains me to say that, that was what I cut my teeth in this industry on: big iron environments, big networks, packet inspection, all that stuff. But at the end of the day, everything that travels over a network now is encrypted. It's all going out to the cloud and we've lost our visibility for the most part there. So really I challenged them to say we need to ascend that layer to where we can actually see what's going on, and really it's about the data.
(05:11):
So how can we help better detect and respond to threats at that data layer where the business actually needs it?
Speaker 2 (05:19):
So is that where the innovation comes in, then? Because I feel like the world is evolving so quickly, especially in cybersecurity. When you think about the tools and the methods that some of these bad actors are using, how are you using innovation to stay ahead of the curve, and how are you taking some of that knowledge for yourself to build out your own perspective, but
(05:39):
also then imparting that to your customers?
Speaker 1 (05:41):
Innovation very much is how can we do things better, how can we do things more, how can we do things more efficiently? And it's both an internal function but also an external. So, of course, helping clients see what the future looks like and helping make sure we're managing the threats of the future and not just doing what our CISSP book told us to do 10 years ago. And if I step back for a second, like my journey was working in
(06:02):
Ottawa, working with federal government environments, high security, and then moving out west to a market that, for all intents and purposes, didn't really care about security all that much, and arguably they still don't, but they need to be compliant. So now they do. But it is a very forward-looking market. In terms of the technologies they use, they were very aggressive at moving out of the data center and into the cloud
(06:26):
and thus the technologies that they use are different. The technologies they use to help prevent, detect and respond to threats are different. So one of the things I do internal with Mirai is help make sure that our services really align to how we're addressing threats of the future.
Speaker 2 (06:40):
So let's not just keep on doing the same thing, particularly if it's not really addressing the modern ways we're using technology and how those threats are now existing in those infrastructure does have some challenges in terms of security adoption, in terms of maybe some of the security
(07:05):
maturity, even to the point where some really sophisticated platforms, Canada, or even Western Canada, is a little bit of an afterthought because the organizations are a little bit smaller, the digital maturity isn't necessarily there yet, and so there's such a role of education before they can even get started. How much of your world is education and how much of it is actually implementation of those different platforms?
Speaker 1 (07:28):
Again, we're mostly a consultancy, so we're there to advise and really help, very similar to yourself, like help the buyer understand: is this the right product for me? Beyond the marketecture of the PDFs and PowerPoints, is this a tool that is going to solve the problem technically, and can we operate it people- and process-wise? And that's where I see a lot of challenges.
(07:49):
My background being in Ottawa, I got to play with all the cool tools, and when I moved out west I had a security clearance. I had so much experience with government networks, Olympic networks, and that was actually a bit of a detriment because many companies were like, ooh, you're too good, you're really going to call our baby ugly, and I had to pivot really quickly to
(08:09):
meeting them where they are. And that was a lot to do with cloud. For a long time, I was very opposed to cloud, thinking banks will never, ever use cloud, but it turns out I was totally wrong, and actually I've come to realize that, like, moving out of the data center and into the cloud actually can enable better security as long as you let the cloud be secure, and cloud can
(08:30):
be very insecure if you let it as well.
Speaker 2 (08:33):
Yeah, I guess so can. Data centers can be insecure too, right? It's really about the controls and mechanisms you put in place. Are there any recent innovations or breakthroughs, specifically in the security market, that you're particularly excited about, and what difference are they making for your customers?
Speaker 1 (08:51):
Very good question, and it's not going to be one answer to that, but what I will say, and going back to, as I mentioned at your event last night, we're not going to solve cybersecurity. It's always going to be a problem. Just, we're not going to solve car crashes. Like, we've tried. We can't do it. So it's really a matter of minimizing the impact of when something does happen, when it does, and it will.
(09:12):
So many companies have built up very large sets of IT infrastructure and their data centers and whatnot, and a patchwork quilt of different configurations and et cetera, and when I was consulting, I was very much assessing a lot of this, and the conclusion I came to is we're never going to be able to secure this. It's too complex. So going to cloud provides the opportunity, this arguably
(09:36):
greenfield opportunity, as long as you let it, to build it better, build it simpler and build it so that you can secure it. Particularly with cloud adoption and very much how we're codifying everything, it gives us an opportunity to have better consistency, and that gives it better auditability so that we can actually validate that this environment is actually aligned
(09:56):
to the standard that we say we're using or the policy that we've defined on how we're going to do things. You just can't do that in an affordable and economical way in traditional IT.
Speaker 2 (10:07):
Amazing. So when you think about some of those advancements, then, and I know that you're a huge proponent of the idea of taking some of those proactive steps to secure environments, and not necessarily just from a security perspective but also from a resiliency perspective, could you explain what that approach might look like in practice, when you think about those technologies, when you think about those philosophies, and why
(10:27):
that's important for a business?
Speaker 1 (10:30):
So, if you look at, like, traditional IT, if you had a catastrophic problem, cyber or IT or hardware failure or whatnot, what's the time to bring those systems back online and thus the business operational again? It's not minutes, it's probably not hours, right? So, looking at how we want to have more resiliency, and when
(10:52):
we're talking about resiliency, it's what's your threshold for being offline? Is it a day, is it an hour? And based off of that criteria that the business defines, not us IT folk, the business defines what's their tolerance. That way, we start saying, okay, this is how we could do it. And when we start looking at using cloud, it affords us the
(11:13):
ability to codify their infrastructure and thus, that one's broken, spin it up in parallel, almost identical, within seconds, minutes. That's something that we could never, ever do in traditional infrastructure, and that's not to say that's the, like, the panacea of all things. Businesses are complex and their IT systems are complex, but every time we're doing an incident response that we're in
(11:35):
the recovery phase, if it's a traditional environment, we're talking weeks of recovery. If it's a cloud environment, we're probably able to wrap up that same day, as long as they're prescribing to the infrastructure-as-code principles and code revisions of that code, being able to roll it out and bring it back up in short order.
Speaker 2 (11:55):
So is Mirai's approach and philosophy to that, would you say it's unique or different, or really it's just been really disciplined in applying those different philosophies?
Speaker 1 (12:03):
Founding Mirai, I got to work for large consultancies, VARs and whatnot, and my frustration was always a tools-first perspective, and what that's resulted in is a technology-rich company that is people- and process-poor, and coming, moving out from Ottawa to the West Coast, I brought a unique set of skills over the course of my career with very high-end products that were sold as, you
(12:28):
want military-grade security, buy this. The problem is that all these companies bought it, burned their entire budget buying that and didn't have the budget to even have internal staff supporting it. So after three years they were ripping out these technologies, and that was a frustrating part for me because I really saw a lot of potential in these technologies if they spent the time to build it out properly, build the processes around it.
(12:51):
When founding Mirai, it was really always about solving a problem and understanding the solution and then figuring out the technology pieces that will fit in, because it is that trifecta of people, process and technology. It can't just be a technology solution.
Speaker 2 (13:05):
So do you think that's one of the problems of the industry right now? Because I feel like there's so many different cybersecurity organizations. The market is growing at an incredible rate. There seems to be a new startup popping up every three days that solves some particular angle of cybersecurity, and I feel like people are buying them, right. There's a market for it. Do you think there's bloat in the market?
Speaker 1 (13:30):
It's the human condition. We believe we can solve problems by buying stuff, and it's simple, right. I give the Home Depot analogy. It exists because a bunch of people that own homes think that they can fix everything, and a lot of times they do, but a lot of times they're calling the plumber afterwards because they've actually made it worse.
(13:50):
I'm not anti-technology. Certainly I love technology, but I've seen so much technology get mothballed or deracked because it was sold as a panacea and the inconvenient truth of, you're probably going to need to hire another person, this is the actual total cost of ownership, was obfuscated, and that is that technology-rich, people-process problem.
(14:10):
People-process-poor problem. On my mind, the hill I'm going to die on is trying to increase awareness to the buyer of what it actually takes to get something to work, and a lot of times I am a strong proponent on the people and process side. It's actually arguably cheaper, and you can get more value out of your technology investments when you've got the people using
(14:32):
the tools properly and having defined process of how the tool should work. Buying the tool and hoping it works is not the strategy I would recommend.
Speaker 2 (14:41):
So if you were giving advice to a business leader, then, that is looking to bolster their cybersecurity posture, would you then say start with the people, start with the process? And where do they even start? In this world that is growing quickly, that is evolving quickly and for most business leaders is an overwhelming topic, so where do they start?
Speaker 1 (15:03):
I hate to be so cliche, but what problem are we trying to solve here? And when I hear a technology leader looking to buy a product, I'm generally asking, like, what's the threats that you're addressing with this? What do you think the efficacy of that product or technology will be to resolve that? And it's merely to push back to say, is that the biggest problem that you need to solve right now?
(15:24):
And we tend to focus on the scary things that we read in airports, what we hear on the podcasts and blogs, and those are all things that we need to address, but we fail to understand some of those threats that are from within. Again, human error, janky IT can really impact a business's ability to operate. Doesn't need Vlad from Russia to attack, like it can actually
(15:47):
be because of our sort of ignoring some of the less sexy parts of IT that are problems, and that's why I don't think we can really fix our legacy, and we really shouldn't, because that is very expensive and doesn't actually move the needle forward too much. There's legacy IT and then there's heritage IT, and one thing I'm seeing a commonality of is VPNs, which we used to use
(16:10):
quite a bit, and all those VPN providers have been acquired after acquired, it's like the third owner of this product. I can assure you that the brain trust that built that VPN has retired. They've driven their Porsche off to the sunset. It's not a supported platform anymore, and that's why we're seeing so many vulnerabilities popping up with VPNs, because
(16:31):
the companies that are owning them are just looking to keep profiting from the licensing. They're not innovating those things, and that's really bad, because we're seeing pretty catastrophic ransomware attacks, not by people clicking on emails for once, but actually by a VPN allowing them into the soft yolky center of their IT
(16:51):
environment. And that's where we have to start looking at. We should not be thinking that the IT that we have today is working, that dogma of it's working. Why are we fixing it? Like, it certainly is doing its job, but it is actually costing us a lot more money because it's more complex, it's more hard, it's harder to support and there's a likelihood it's going to be... It is vulnerable and it will impact us in the future.
Speaker 2 (17:13):
So you've mentioned a little bit of that shift, which is really interesting, from the, I think, the bad guy that everyone always imagines, which is I'm being clicking on a link, personally targeted for ransomware, of some of these malicious attacks through traditional means. But there's other things that are now starting to pop up. You mentioned the VPNs, which is a really interesting example. What are some of those other kind of macro trends that you're
(17:34):
seeing that are different from the perception of the traditional cybersecurity threats that are out there that people really need to be aware of?
Speaker 1 (17:43):
We like to buy toys, and I'm one of them. Black Friday is tomorrow. I'm excited, but the problem is that we buy toys and then maybe we don't roll them out properly. And while I certainly strongly advise anyone operating an Exchange server on-prem to move away from that, because it is impossible to manage that without a team of experts and
(18:06):
those experts are retiring. Moving to something like M365 is a really good idea. It provides a much more reliable service of a fairly important technology in most businesses. Turning on M365, depending on the year you did it, is how insecure it is, and we see that with so many different technologies, that we bring it in, we turn some things
(18:28):
on, and up until recently most vendors really weren't prescribing to the secure-by-default principle, and M365 is no different. When we do pen tests, as an example, that's our bread and butter, is finding misconfigured technologies that everyone thinks is working properly, and we exploit and we get on to a SharePoint site, and realize a friend actually mentioned
(18:49):
regarding the insecurities of SharePoint is like, well, it's in the name, share, and I was like, okay, that's pretty clever, but it's hard to harden SharePoint. SharePoint's a bit of a monolithic beast anyways, but access control can be tough. Identity and access management is way more complex than just thinking it's just usernames and passwords and what they have
(19:10):
access to, and many organizations don't have that built into the culture, of this least-privilege principle. If you are a user on the environment or a hacker has obtained user credentials, you're usually very trusted. It's that soft yolky center of the egg, hard on the outside, great. But if you have an untrusted user, like an insider threat, or
(19:31):
a user account that's been compromised by an attacker, attackers are just going to walk all around that organization and pulling lots of sensitive data out.
Interesting.
Speaker 2 (19:42):
And so, when you think about the risks that you're talking about, which is the business owners and leaders that are having trouble even comprehending some of these things, and they're investing in the wrong areas. But you also mentioned that, from a skillset perspective, it's challenging for them to be able to even find the people to do these things, and so, if I'm a small business, you're hearing all over the news, on the media, that there's shortages in some
(20:05):
of the skilled talent, specifically in cybersecurity. How do I even start to tackle these problems, and how do I even compete with organizations like Mirai, like with some of the other organizations, and that's all they do is hire these security folks? How do I even keep up in this world? What's your advice to them in that scenario?
Speaker 1 (20:23):
So I think there's two parts to that. So I'll break up. The first is I think buyers are challenged finding good data and good knowledge, and they rely on sales teams and marketing teams to provide that. There is obviously incentive to any information you receive from those teams, and I do find that some buyers get misled, the promise of a utopian solution that will solve all problems.
(20:44):
We've bought into that, and it's our human nature to believe that we can do that. I do believe that, like I run roundtables in Vancouver and that was one thing. I asked this roundtable of CIOs, like, where do you get your information, and it didn't have a really good answer. The roundtable, it was like, Google it. I attend webinars. I do this. I think it's good, but there's a signal-to-noise problem there.
(21:06):
The webinars are quite biased. So these roundtables that I host is really about an unfettered view of solutions by practitioners. We actually have a pitch jar, that if anyone pitches it's $20 in that jar, because we don't want it to be about the technology. We want it to be about solving those problems. Now, the skill set problem: the buyer has a knowledge gap issue
(21:28):
and doesn't really have a really good source of truth on that, the skills gap. I'm on the fence on that because it is a problem, and when we hire it's hard to find good talent. But that's also because a lot of the bar set quite high. Like we would like our entry-level role to have 10 years of cloud experience, like, okay, like cloud hasn't been around that long and certainly a junior has not had that much
(21:51):
experience. But there's a bit of a mismatch of those requirements, and that's making it more challenging for the students that are coming out of school with some decent lab experience but no real world working in a corporate environment and securing those environments. But there's certainly a lot of smart kids out there that are eager to get those roles. But you can't just hire somebody and expect them to land
(22:15):
and execute. Those are called consultants, and that's what consulting is. You hire somebody that you don't have to worry about. But if you're going to bring somebody in as a team member on your cyber side, you do need to have a little bit of a foundation for them to be working on, and governance is a bit of a snooze word a lot of times, but like having the framework that when we bring somebody in, they have a
(22:35):
knowledge base of how we work, defined process of how they need to work, it's going to enable somebody that doesn't have all the experience to land on their feet and really provide value to those organizations. Like the shortage is, it's... I think it's a little overblown because we're not necessarily, we're expecting everyone to be experts in technology that hasn't been around long enough for people to be experts
(22:57):
in. Certainly the population of technologists out there that want to do security but also can't even get their entry-level job to get the experience.
Speaker 2 (23:06):
Right. So I'm going to open a little bit of a can of worms, and that is the kind of worms of AI right now, and I know that there's kind of two different conversations around AI, specifically when it comes to security. When we think about, first of all, AI being used as a tool for both, as we'll say, offense and defense, what are your perspectives on how AI is changing the world of security
(23:27):
and, as an organization, how are you incorporating it to keep up, and what are, how is that impacting some of the threats that are out there?
Speaker 1 (23:35):
First. The first impact with AI is it increases the valuation of startups, and what's... I remember years ago being in San Francisco and, like, the first wave of AI, well before OpenAI, and there's billboards all over pumping up that AI was everywhere. It really was machine learning, which is really good and important. We as humans suck at, the more data we have, the terrible.
(23:57):
We're just way more challenged at understanding and synthesizing it. So ML is a great tool for that. In the world of generative AI, I think that it amplifies the good, but also amplifies the bad, and on the good side, it really does help synthesize large data sets and converts it into human readable. The bad side is some people do think it's a cheat sheet or a
(24:19):
cheat code to not have to do their own work, and went on. You can certainly tell who's using the unpaid version of ChatGPT in emails and documents and stuff like that. I use it all the time. I've taken prompt engineering courses. My prompts are one to two pages long, right? Like, I want to get... I want to get as close to that 80% mark on my outputs, and if
(24:41):
you put the time in to really train your AI on what you want, you'll get some decent results. It won't be perfect, and that's why it's... It's a co-pilot, not marketing Microsoft or anyone else's version of co-pilot with AI, but that's really what it is. It should not be the driver ever, but we should be able to rely on it. Now, from a security perspective, working in a SOC, I always described when we were monitoring screens is that I had
(25:04):
like the littlest cup sticking in a waterfall trying to catch a fish, and I think AI really does help reduce the noise-to-signal ratio. So I think that is definitely a huge benefit. Whether that is ingrained in the products and technologies you use or you're using it as a sidecar, there's a lot of opportunity to synthesize a lot of large data
(25:27):
and be able to now use our natural language to ask that. It used to be you needed to know Python for that. On the threat side, I've got this behemoth server at home that is my AI server, and I pulled down the recent Meta model and I started stress testing it to see, like, what I could do, and ask it for the, the illicit things. And one of the things that I couldn't get, even with the
(25:49):
jailbreaking, the techniques that are out there, was to write me a phishing email. So they're building it into all these models to not create phishing emails, because certainly that's going to be a problem. We've had clients that have actually been targeted with deepfakes and doing the please move this money over to this new bank account for us, and stuff like that, and that is becoming
(26:12):
a bit of a problem. Now, is technology going to solve that? Ideally, we should have some sort of authenticity technology that helps us understand that you're real and I'm real. That is a bit of a problem right now, and certainly technology can help with that. We've got tons of cryptographic technologies that can help support that. But I'm going to have to go back to the human side of it, is
(26:34):
that most of these attacks are still attacking a human and manipulating, social engineering them to do something that they shouldn't, and in my mind it's... We need to empower our people to recognize that the picture on the screen, the image on the Teams, could be fake, and if something's going outside of what we consider normal operations, you should question it, and it's okay to say no, even
(26:58):
with all the pressure that they're pushing. It's okay to say no if you're starting to recognize red flags.
Speaker 2 (27:04):
So how much of that needs to be trained, how much of that needs to be built into process? Like one of the conversations that I seem to be having a lot of these days as well is around trust and how can you? I can trust you right now because I'm sitting three feet away from you, but if you're exchanging an email, video used to be the source of trust. Video no longer is. As a person that is deep into the cybersecurity landscape, what advice would you
(27:27):
have for people around trust?
Speaker 1 (27:31):
Yeah, generative AI has certainly made that a problem, and I do sauna talks at my home with a few technologists as well, and we were talking about this last year on the, like, the authenticity problem that, like, everything we see online, whether it's written or images, now could be generated, could be not from who we think it is, and that's going to be a problem, and I don't necessarily have a solution for it.
(27:52):
Beyond solution, I will say, is that cybercrime is a business. It operates like a business. There are literally office towers that have floors of criminal activity happening in various parts of the world, Eastern Europe, India, it happens, so, and they have CRMs and they have processes and all this, like it's a mature business. It's a multi-billion dollar business.
(28:15):
So, if you want to, like, avoid, again, we're not going to be able to stop this at all. So it's really a matter of you don't have to be faster than the bear, you just have to be faster than the slowest person. So in that sort of dire situation, it's really about breaking their process. So they're going to use automation to do a lot of the targeting, at least the initial, if you think of, like, a sales
(28:36):
process of discovery, opportunity, intent to buy, et cetera. There's a process that they follow for targeting people, and the first part of that's going to be automated. It is they're trying to manipulate you emotionally to click something, do something, share something. As soon as you get a little whiff of, that's a bit weird, break their process.
(28:57):
So don't do what they're saying. So a good example is, oh, Siri's emailing you, you're in trouble. Click on this to do that. Cool, call Siri. Break their process, go out of band. And now you've avoided being a victim.
Speaker 2 (29:10):
Interesting. So we've talked about a lot today. I want to turn our lens a little bit to the future. So, with all the things that are happening right now, where do you see the industry going? What are some of the trends that people should be watching out for, and what do you think the future of cybersecurity looks like?
Speaker 1 (29:30):
If I knew, I guess. If you have a crystal ball, yeah. And, as I mentioned, like, last night at your event, we're bad at managing risk, particularly novel risk, and these novel risks of using AI and cloud, in terms of our data being proliferated across the internet to all these different startup SaaSes and whatnot. That's going to be a problem, right?
(29:52):
Our data, whether it's personal or business, is no longer ours, like it's no longer in our walled garden, so that's a bit of a problem. And so we have to recognize, like, the cat's out of the bag, that we're not really going to be able to get back to where we were with being able to be very confident that our data is protected. So we have to recognize that it's out there. It may be used for unintended purposes. What are those consequences?
(30:13):
And that's where it goes back to resilience. The business is in business to stay operational and, in business, make money. So we should always be focusing on recognizing that we will have issues, we will have outages, and how can the business stay somewhat operational? When we look at some of the recent ransomware breaches with retailers and grocery stores, they had to shut down fully,
(30:35):
meaning that they were losing millions of dollars a day because they didn't have an ability to operate, for lack of a better description, by pen and paper. So businesses do need to consider those worst case scenarios: that if you've built your entire business on technology, your business is entirely dependent on that technology working all the time, and we should recognize that it
(30:56):
won't, and putting processes and contingencies around how you can operate, at least in a degraded state, but at least be able to operate somewhat, is something a lot of businesses need to consider.
Speaker 2 (31:10):
So, as you see more businesses operating, integrating AI into their operating models, integrating agent-based service into their operating models, and more and more technology into how they actually even deliver and run their business, do you see people getting further away from that idea of understanding how their business could run without electricity, without some of these things that are now
(31:31):
becoming critical to how they actually even deliver their business? Even if you think about decision-making, as AI starts to take on different decision-making capability, how, what advice do you have for businesses in balancing that security and risk component as they continue to innovate?
Speaker 1 (31:48):
Let's talk about that, AI integration, so beyond the chatbot, but doing things, making decisions. I don't see that as necessarily a bad thing. Like many things, we adopt and figure out the bad as we go, hashtag Chernobyl, but, like, when we look at, when we look at, like, this opportunity, we have an opportunity to actually document
(32:09):
our processes. So if we're building out workflows and using AI, this may be the first time a company's written down how something works. Before, it was in Bob's head how something operates, and this is well beyond just how it operates, but how the business operates, how accounting operates, et cetera. I see that as a great opportunity to document your
(32:30):
process and actually standardize it. I'm a big fan of the capability maturity model, like you're going from a level one, level two, up to a level three or four, because AI and building out workflows with AI gives you the ability to have a very standardized way of doing things that no longer has deviations, and as long as you build it, it now logs it, so you actually have a paper trail. Now the scary part is that some AI is very black box on how it
(32:53):
returns data. So, you know, there is a concern where it's making a decision, we don't know why it's making that decision, and, sidebar, even OpenAI engineers are somewhat confused about how AI operates and returns sometimes. They've mentioned that they've noticed that AI has a bit of a personality that they're not coding in, and that
(33:15):
surprises them, and in my mind it's just an amalgamation of billions of Reddit posts that has turned into the personality of humanity, for better or worse. It's terrifying. Yeah, it is, but I see that as a really good opportunity. But recognizing there's a black box. Is there, in the proverbial example of Chernobyl, they were operating and doing some risky things with a very
(33:37):
new technology, nuclear, but they always were operating under the impression that, A, the design of the reactor was really good and, two, that they had an emergency stop button that could stop everything and, while it might wreck the reactor, would not result in anything terrible, catastrophic. And we have to recognize that. If we are going to start letting AI make decisions like that, let's make sure that there is a bit of a red button,
(33:58):
there's some oversight, there's some guardrails of how it's operating, but we can stop it. And a prime example of that is Air Canada got sued because their chatbot gave bad advice to somebody and that person was out a bunch of money because of that bad advice. And they said, oh, it's computers, it's not us. It is your computers. And the court awarded the win to the victim of bad AI advice.
(34:19):
So we do need to recognize, if we're going to let computers make some decisions, let's make sure that we are aware of those decisions. Let's make sure there's some guardrails, parameters around how those decisions are made, so we're not having a big mea culpa of, oops, we used really novel technology and didn't really understand what we were doing. Quantum computing is pretty interesting, and I will say that
(34:41):
that is something that is, because it's so far down, it's like fusion energy production. It's so far down the road, as far as I'm concerned, that I'm less concerned about it.
Now to your question of, hey, all these people are harvesting our data and they're going to use quantum computing.
(35:02):
Let's rewind.
That's how OpenAI and that's how Google, Gemini, and Facebook or Meta's Llamas are built. It's off of all the things we've done on Reddit, Facebook, Gmail. It's already happened, and that's creepy. And that's why I don't use a lot of those services, because I do feel that I don't want my data being used for unintended purposes, and we had no idea, right? Like when we started signing up for Gmail and using Facebook and all that, we had
(35:24):
really no idea. Back in, like, 2015, I spoke at some privacy event and I was demoing some, like, scary bar tricks, and the privacy commissioner of BC at the time was there, and I was able to demonstrate that his phone was beaconing a bunch of data about all the wireless networks he connects to and, oddly enough, his Wi-Fi for his home was his actual address.
(35:46):
So that was awkward. But I've always said that it's very concerning what we are doing that we can't undo, and I give the example that on Instagram it was very popular to take pictures of very gluttonous food that you're buying. That's still a thing. The problem is that insurance companies are quite interested in not paying out. So if they have an ability to know that you tend to eat butter
(36:10):
way more than most people, your life insurance is going to be affected, and we're seeing that with bits and smartwatches now being, you're getting a discount for life insurance, but they're also now monitoring your health, and if there's any deviation from what you claim you are and how they measure you, they can
(36:30):
easily reduce payments and things like that. I read in South Africa that people were gaming it by putting their smartwatch on their dogs to show that they were doing so much exercise. In my mind, the inevitability is the same thing with, like, plugging the little thing into the car. We are going to be giving more data than we are today.
(36:50):
I am a bit of a Luddite there. I want to reduce that attack surface until they say, if you're not sharing, then you're definitely paying more. Then I'll probably be pressured to share a little bit more. But think about people for the last 10 years that have been sharing bad habits: drinking, smoking, eating delicious but gluttonous food. Insurance companies are very interested in that, and now,
(37:12):
with AI being able to synthesize all that data, it's a little bit scary. Now back to the quantum computing thing. In 2015, for one of my hacker conferences, I reached out to D-Wave, one of the quantum companies, and said, hey, let's do a hackathon with quantum computing, which I didn't really have much understanding of quantum computing then and arguably don't now. And he said, here, that's really cool.
(37:32):
But here's the thing: developers for quantum computing aren't software developers, they're physicists. There's no actual programming language. It's still just a bunch of crazy math to do very simple computing at this point. So we're so far ahead of.
(37:54):
There's still such a long runway before we get to a point where we've ascended the layer of abstraction, where there's an actual programming language for general purpose use. But to your point, like, theoretically, quantum computing could do things like cracking encryption, and that's a scary future, because we do need encryption. It's not just to protect our pictures and stuff, but our entire economy and our total society relies on the trust of
(38:15):
our financial systems, and if we affect that integrity by having a technology that can crack that encryption, society falls apart really quick. Yeah, yeah, I am very concerned by that. I don't really know much more about where quantum is today beyond that.
Speaker 2 (38:28):
It is scary, but probably down the road, so we don't have to be concerned tomorrow, but it's definitely something to keep our eyes on, definitely for our kids. Amazing. I feel like we've talked a lot today and I want to transition a tiny bit towards some practical advice for someone that is looking to get started. Maybe there's a business owner or leader that isn't quite sure where to take these first steps.
(38:49):
I can't imagine there's a scenario where a business hasn't invested in some form of cybersecurity, but let's say that there's a business that has experienced some growth and they want to take it more seriously. What are some of the first steps that you can practically suggest that they take to get started on that journey, without getting caught up in the wave of all of the kind of fear,
(39:12):
uncertainty, doubt and all of the platforms and tools that are out there?
Speaker 1 (39:15):
Understanding your business, what data is really important and how computers really support the operations of the business. So really understanding that is going to be crucial. Most organizations have adopted inherited technology over time and it's working. But it may be overly complex, and they may experience a near
(39:37):
miss on cybersecurity, and that's probably a little bit of a fire to do more, and, like, where do you go? But in my mind, since most organizations are sitting on top of M365 or Google Workspace, that is your business now. Your business is running off this tool. Let's make sure that's foundationally protected. Second is the people.
(39:57):
Your people are your human firewall, and I don't want to say the weakest link. It's, they are your business, both how the business operates and the users of technology. So making sure that they're enabled to do things safely and appropriately is really important. And again, that's both awareness of, hey, if you get an email that looks like this, be a bit suspicious, but also making
(40:20):
sure that there's a paved road of how they should be using technology and there's guardrails to catch when they're starting to deviate, when they're starting to break rules, do something that's a little bit less secure and things like that. And that goes from SMBs all the way to enterprise. I strongly believe having those foundational things of making sure the important pieces of your business are working and
(40:41):
secured and resilient and redundant, ideally, is going to be really important. Then you can expand out to start addressing those other threats. There's an infinite list of threats; which are the ones that are likely to materialize the quickest?
Speaker 2 (40:54):
We need to start prioritizing that way. Amazing, and so I think this is a great opportunity, and I don't have a swear jar with the 20 bucks for pitching, but I'm actually going to ask you, if you want, if you were to pitch Mirai's services in an elevator pitch style, like, why would someone want to work with Mirai and what exactly is the work that you're doing every day?
Speaker 1 (41:12):
Yeah, we do a few different things, but, you know, why we have the clients we have and why they keep coming back to us is that we are helping them manage the risk and help them sleep better at night. Our capabilities start at the governance, risk and compliance. I say that's our why: you need to have that North Star of why the organization is doing cybersecurity, anything, and then the
(41:34):
more tactical things, understanding that once you've hardened something, let's test it out, let's test our assumptions. But the biggest push for me is the people side, and I'm a big fan of tabletop exercises, and it's because it's the cheapest bang for buck you can get, because it's a safe space to explore how things can go south and what your organization and
(41:54):
your people will do in that regard. A good tabletop has a lot of jaw-dropping, aha moments and a lot of "we really need to fix this", and that's perfect, because that gives the motivation from the business level all the way down to the tech team to figure out what they can do better. And I'm a strong believer in frequency.
(42:15):
We definitely will evacuate office towers at least once a year. Who's been involved with an office fire in the last 20, 30 years? It's a fairly low occurrence, yet a very high occurrence is being impacted by a cyber threat or an IT failure. We've all been impacted one way or the other, either directly
(42:36):
because something we own got hacked, or our suppliers got hacked. They lost their data or something along those lines. So having higher frequency tabletop exercises, maybe a big one annually and then smaller incremental ones, really will help an organization really understand what they need to do differently to make sure that they can weather the storm and continue to exist.
(42:57):
And I'm a cyber guy, but I also have to recognize that tabletops don't always need to be addressing a cyber attack, because there are plenty of other ways that your business can stop working, and it doesn't have to be Vlad out of Russia.
Speaker 2 (43:11):
Amazing. So if you had one final piece of advice to give to our listeners around cybersecurity, around staying secure, what would that be?
Speaker 1 (43:19):
How much time do...
Speaker 2 (43:19):
...you have?
Speaker 1 (43:20):
Yeah, again, like, I think there's a lot of great technologies out there, but we have a human nature to think that we can solve complex problems with simple tools, and really trying to understand and talk to either peers or professionals that don't have to sell you something on what works, what doesn't. This is a great technology. What are the caveats? What do I need to know that I don't know about those technologies? I think that is the unknown in our industry.
(43:42):
That is either the dark art of practitioners. Having a better understanding of how this stuff works and how it can benefit the organization, and seeing those success stories, is probably a really good way to inspire better business resilience. Amazing.
Speaker 2 (44:00):
So we've talked about a ton today. I feel like we could probably talk for another three or four hours. If someone wanted to continue this conversation, get in touch with you, what's the best way to reach out to Alex here?
Speaker 1 (44:08):
Yeah, I've got a few avenues. Again, professionally through Mirai, I've got, we've got a contact form. You can track me down on LinkedIn. I'm also doing some creative article writing and some videos on my new Substack, and I run events about quarterly in the Vancouver area. So, yeah, find me out on LinkedIn. That's probably the best way, and I'd love to have that chat.
Speaker 2 (44:26):
Amazing. Thank you so much, Alex. This has been a blast and I really appreciate you coming on the podcast today. Thank you for having me. It's been a great talk.