April 30, 2025 • 31 mins
The rapid evolution of artificial intelligence and machine learning has created a pivotal moment for financial institutions. As these organizations race to implement AI solutions, they face both transformative opportunities and significant cybersecurity challenges that demand immediate attention.
Sean Gerber draws from over 20 years of cybersecurity experience to demystify the complex intersection of AI, machine learning, and financial security. With his straightforward approach, Sean breaks down the fundamental differences between AI (the broader field) and ML (the subset that enables systems to learn from data without explicit programming), making these concepts accessible even to those without technical backgrounds.
The central message resonates clearly throughout: AI must be developed and employed with a secure design approach from day one. Financial institutions that implement security as an afterthought rather than a foundation will inevitably face costly remediation down the road. Sean outlines practical security considerations including data anonymization, network segmentation, intellectual property protection, and AI-specific policies that organizations should implement immediately.
Through real-world examples from JP Morgan, Bank of America, and Capital One, we see how leading financial institutions are already leveraging AI for legal contract reviews, fraud detection, customer engagement, and risk assessment—all while implementing varying degrees of security controls to protect their systems and data.
Looking toward the future, Sean previews emerging trends including generative AI for threat analysis, federated learning approaches, and quantum-aware AI security that will reshape financial cybersecurity within the next five years. His practical action items emphasize building multidisciplinary teams spanning AI, cybersecurity, legal and business domains to ensure comprehensive implementation.
Whether you're a CISO at a major bank or a security professional preparing for emerging challenges, this episode provides the strategic framework needed to navigate AI implementation securely. The message is clear: investing time and resources in proper security foundations now will determine whether AI becomes your competitive advantage or your greatest vulnerability.
Gain exclusive access to 360 FREE CISSP Practice Questions delivered directly to your inbox! Sign up at FreeCISSPQuestions.com and receive 30 expertly crafted practice questions every 15 days for the next 6 months—completely free! Don’t miss this valuable opportunity to strengthen your CISSP exam preparation and boost your chances of certification success. Join now and start your journey toward CISSP mastery today!
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to the CISSP Cyber Training Podcast, where we
provide you the training andtools you need to pass the CISSP
exam the first time.
Hi, my name is Sean Gerber andI'm your host for this
action-packed, informativepodcast.
Join me each week as I providethe information you need to pass
the CISSP exam and grow yourcybersecurity knowledge.
(00:20):
All right, let's get started.
Speaker 2 (00:26):
Good morning, good afternoon and good evening.
This is Sean Gerber with CISSP,Cyber Training, reduce Cyber
Risk and NextPeak.
This presentation is apresentation related to AI and
cybersecurity as it relates tofinancial institutions.
So, as a background on all ofthis, the reason I'm bringing
this up is that I've been aconsultant now for about a bit
(00:47):
of a year, but I've been in thecybersecurity space for going on
20 plus years and one of thethings that I have realized over
the past 23 years incybersecurity things have
changed and things have changeda lot.
And as I'm seeing this changein as it relates to AI and ML, I
wanted to record this just sothat you all have some basis to
understand.
(01:07):
What is the differences?
What is AI, how does it dealwith ML, how does it deal in
financial institutions?
And so that was the kind of theoverall plan around it, because
I've seen the gaps and I'veseen it growing so quickly.
If you are in a financialinstitution and then
realistically, even if you'renot, if you're just considering
use of AI and ML within yourorganization, you really truly
(01:28):
need to start understanding thefoundational aspects of it.
And the reason I say that isbecause in the next year two,
maybe three, but probably notmuch more than three.
From the time that you haveimplemented AI and ML within
your organization, you're goingto wish that you actually would
have paid attention to it andmaybe made some changes at the
beginning.
It's a big, big deal and Ithink it's really important that
(01:50):
, if anything you just take awayfrom this, is that a new
education related around AI andML.
So let's go ahead and getstarted.
A little bit of background aboutmyself.
I'm currently a partner withNextpeak and we are a boutique
type of cybersecurity companywhere we will provide how to set
up SOCs within differentsectors.
(02:11):
We're big in the financialindustry.
We help do the uplifts in thecase after breaches.
We have virtual CISOcapabilities as well, so there's
a very large plethora ofopportunities within NextPeak
and how we can help you and yourorganization.
We focus real strongly rightnow on the financial industry is
where we're part of our breadand butter, but we also are in
the manufacturing space and M&A,so a lot of great things we can
(02:35):
provide with NextPeak.
If it's not just myself, wehave lots of individuals that we
have in our stable that we canbring to bear any needs you may
have.
I'm also the owner of ReduceCyber Risk, a consulting company
, as well as CISSP CyberTraining, which is where I'm
teaching students how to passthe CISSP exam, but not just
pass the test but actually getthe content they need to be able
(02:56):
to understand it and then takethat information once they pass
the exam and use it in theircybersecurity world.
So it's a different approachthan many that just go out and
try to pass the exam and getthat done.
It's more for self-studystudents, people that don't have
the time to go spend a week ormaybe the financial resources to
do so.
They can go take my CISSPtraining courses and have all
(03:17):
that they would need to besuccessful.
I'm also I was corporatesecurity for information
security within Koch Industries,a very large multinational here
based out of Wichita, kansas.
I worked in there from securityarchitecture to managing their
SOC, and then I was a virtualnot a virtual I was a CISO for
one of the large multinationalcompanies that's tied to it, so
(03:39):
that I dealt with manufacturing,chemical manufacturing,
intellectual property protectionall of those different pieces
within Koch Industries.
I was an adjunct professor atWichita State University,
teaching cyber physical systemsas well as cyber risk.
I did that for a couple ofyears and then I stood up and
kind of basically designed,built and stood up the Air Force
(04:00):
Red Team for the Air NationalGuard here in Wichita, kansas,
the Air Force Red Team for theAir National Guard here in
Wichita, kansas did that fromaround 2002 to 2010, 2011, and
had a great opportunity doingthat.
So learned a lot from theadversary perspective.
And this again, this is still afew years ago, but we were in
the throes of trying tounderstand how cybersecurity was
going to affect many companies.
(04:22):
And I was in aviation.
I actually went to school to bean airline pilot and ended up
flying B-1 bombers and I was aweapons systems officer on B-1
bombers as well as a commercialpilot in the aviation space.
So, as you can tell, I've got alittle bit of a different
background than many that are incomputer security and so forth.
But that's cool, because whatthe bottom line is is it's just
(04:43):
designed to try to help youunderstand that it doesn't
really matter where yourbackground is.
This whole cybersecurity spaceis changing so much and it's up
to all of us to really kind oftry to stay ahead of it.
So what are we going to talkabout?
I'm going to kind of just breakthis down into artificial
intelligence and machinelearning, one of the key aspects
that I struggle with.
And again, I was born on a pigfarm.
That's where I come from inIowa.
(05:04):
So, yeah, my background is notone of a blue blood.
I don't understand real complexconcepts.
So the ultimate point was to putout there what is this?
Because I see the terms AI andML thrown around like candy.
They just kind of people don'treally even know what they're
saying.
And so I did that and I wantedto make sure I understood what I
was getting at and what I wastrying to explain and trying to
(05:25):
understand.
So therefore, this is kind ofwhat this slide's talking about.
So AI, again, this is acomputer science broad field,
right, it's big.
If you look at the buckets tothe right, you have the big
green bucket.
That's AI.
That is everything out there,that where it can reach, and
this deals with typicalrequiring human intelligence
intelligence such as learning,problem solving and even
decision making.
So all of that is there, it'sall in this AI bucket.
(05:50):
Ml is a subset.
It's a subset of AI thatenables the systems to learn
from the data without beingexplicitly programmed to do so.
So it's learning on its own,based on the algorithms that are
there.
Now, the types of learningthat's available to you are
three specific types.
They're supervised,unsupervised and reinforcement.
Now supervised learning thisthe model will learn from
(06:12):
labeled data with input outputpairs right to protect in
outcomes, based on new andunseen data.
So that's but it's looked.
It's maintained in itssupervised state.
There's also an unsupervised,where your model learns patterns
and structures from unlabeleddata without guidance, without
explicit guidance on what to do,so it's thinking on its own a
little bit.
Then there's the reinforcementlearning, where they learn
(06:35):
through trial and error and itinteracts with the environment,
makes a mistake, receivesbenefits and there's penalties
for making the mistakes, but theultimate goal in all of this is
to get down to.
If you look at these LLMs,they're that small little dot in
the middle of all of this pieceof this, and the goal is that
utilizing these capabilitiesthrough AI and ML to help
(06:58):
enhance your daily activitiesand make it much more productive
, make it more financially sound, do all these different things
that are really rudimentarytasks that employees, people,
have to do that one that couldbe done by a machine and then
allowing you to be able to useyour creative juices to be able
to do more and better thanactually the more rudimentary
(07:19):
type activities let's start offwith.
We'll talk about rpas in alittle bit, but it kind of start
off in that space as well.
So the goal that's AI and ML ina nutshell and again breaking
it down to the third grade level.
That's the point.
So early adopters of AI and ML,especially as you're getting
into this space, iscybersecurity, healthcare,
(07:40):
retail, financial services andmanufacturing.
Those are some of the big, bigpeople that are trying to get
into AI and ML and they all havedifferent reasons behind it.
But just to kind of go over someof the key things, and as we go
through this presentation, I'mgoing to highlight some key
points that I'll get into.
I'm not going to read from theslides, because you all are way
smarter than me listening tothis.
So the point is that I don'twant it to take too long to get
(08:02):
through all the content, becausethere's so much content.
You are going to need to figureout in here what is something
that is important to you andmaybe you can drill deeper into
it or you can reach back out tome and I'm happy to kind of go
into some different aspects withyou.
So again, cybersecurity this isthe AI-powered stuff Now in
this world I've dealt with in asecurity operations center, got
(08:28):
to deal with people, analystsfrom all over the globe that are
trying to deal with thesealerts.
How do I deal with them, whatdo I do with them?
And having AI that can gotriage that first tier of alerts
would be extremely valuable andthis helps reduce the cyber
risk.
It also helps deal with all ofthe aspects that are manually
being done by people.
So cybersecurity is a big win.
Healthcare diagnosis, drugdiscovery, personal medicine
(08:49):
those are big things.
I was reading a book, oractually listening to it,
related to AI and ML, and thebook was talking about how
oncologists were having to lookat different types of tests to
be able to determine what isgoing on with this person.
Well, now they have this.
The AI and ML are able to dothis.
They have a program that can dothis.
(09:10):
It is just effective as a veryexpensive oncologist, but it can
do it in milliseconds comparedto the oncologist taking 10, 15
minutes looking at each one.
So it's imperative to know thathealthcare is a big deal Retail
, e-commerce, obviously,training, pricing, the need for
personal shopping.
You see that with Amazon all thetime.
Financial services, whichreally we're going to talk about
(09:32):
a little bit here today.
Again insider threat, theanti-money laundering.
There's all of these differentareas in the financial sector
where AI and ML are beingingested and being used because
of the financial gain that theycan get out of it.
And then manufacturingespecially dealt with this in
the manufacturing space aroundpredictive analysis Systems that
(09:52):
are going to go down becausethey're about ready to their
mean time.
To failure is a certain periodof time and if you're dealt with
a manufacturing space, theycan't just go turn a machine
down, especially if this thingis running at a plant.
There's a process by which theywould turn equipment down and a
lot of times when they do whatthey call a turnaround, they'll
(10:12):
go in and they'll replace a lotof different equipment.
Well, if they know thatequipment is going to fail or it
looks like it might fail,before you go into the
turnaround, the best time to doit is during the turnaround.
The worst time it could happenis right after the turnaround is
done.
You've shut everything down,you're now bringing everything
back up and then all of a suddena part fails and forces you to
(10:33):
shut back down again.
That's extremely expensive.
So what can you do?
If you have an idea of what isfailing before the turnaround,
you can preemptively replace itand save you a ton of money.
And that's just one area withinthe manufacturing space.
So lots of different adopters ofAI and ML, and this is only
going to improve over time.
(10:53):
So how's AI's impact on bankingand cybersecurity?
Well, obviously, we talked alittle bit about it earlier,
where there's key financialinnovation automating tasks,
increasing customer engagement,reducing operational costs.
I'll use myself as an example.
Perfect thing I wascommunicating with the bank and
they tell you it's a chatbot.
You know that going into it,but it has the ability to
(11:15):
communicate with you in a waythat you don't really even think
it's a chatbot.
I was talking also to a companyon the phone.
I called them asking about someHVAC work on a property that we
have, and I called them andasked a specific question.
But I get a robot that comes up, basically because it's a
chatbot, but at first I did notknow that it was a chatbot.
(11:36):
It sounded like a personcompletely, and so you therefore
real quickly realize going,this is pretty crazy cool and it
also kind of crazy scary, butthe point of it was was that
it's available right now and itis good.
It's not perfect, it doesn't itdoesn't meet all the needs, but
it's pretty good and it helpedme through this entire process
in many different ways.
(11:57):
So it does help in in helpingyour organization become more
effective and more productive.
Real-time decision-making,again, obviously we we talked
about that where it'll help youin that case.
Now, as you're dealing withcybersecurity, how does this
work?
Well, from an AI standpoint,it's both a defensive tool and
an attack surface.
Ai can be used to attack you,and they're seeing more of that
(12:20):
increasing.
That's going on.
It also can help with financialdata models, and the pipelines
are attractive targets from badguys going and girls going after
those.
So there's an intersectionbetween what cybersecurity and
AI can do.
It can help your companyimmensely, but it also is going
to be the target of attackersagainst your company.
(12:41):
If there's one thing you cantake away from this presentation
, it's this bang box.
Ai must be developed andemployed with a secure design
approach.
Okay, if you develop thesethings by a secure design at the
beginning, this is going tomake your life so much easier.
All the books, I've beenreading all the podcasts and
different types of video.
I've been seeing the sameconcept Secure by design.
(13:03):
Develop it at the beginning ina secure manner, and this is
going to take some people tohelp you do this.
But if you do this right, ifyou do the security right by
designing it well, you are goingto be in a much better position
a year, two years down the road.
So there's a lot of bullets youcan see in the secure by design
, but I'm going to focus onthese four main ones, but
(13:24):
they're all important.
Every, every one of these isimportant, but let's just focus
on these four so we don't loseour mind because there's so many
bullets.
So first off is securityrequirements.
From the start, you need tounderstand security is at the
core of this thing and you needto consider that when you're
doing your initial AI setup.
You can't just go well, hey, Ijust need AI and I'm going to go
throw it in here.
You can do that, but you'reprobably going to pay for it a
(13:50):
couple of years down the road.
So consider how you want tohave security baked into this at
the beginning.
Deploy it securely.
This is a secure infrastructureand environment for your model.
You want to make sure that it'sin a good, secure place when
you build it, because once youbuild it, like I mentioned
before, unpacking it and goingback and fixing it again can be
very challenging.
Privacy by design Privacy isgoing to be a huge factor with
the AI and ML Anything you putin there.
(14:12):
You want to consider privacyfrom the beginning.
Do not ignore it.
If you're a small company andyou're going well, I don't need.
I mean, we don't really have todeal with personal privacy
issues, so it's not a big dealthat may be the case right now.
However, if you see value inthis and all of a sudden you're
like well, I really like this,let's build upon it.
You're going to want privacybecause you may use it in an
(14:33):
area where you're dealing withcustomer databases, customer
input, anything like that.
Begin at the beginning with yourprivacy, and then the last one
is secure integration with othersystems.
This ensures that you haveinteraction between the AI and
other IT components, having astrong integration, api
integration, saas integration,application integration.
(14:56):
All of those things need to beconsidered when you're deploying
this in your environment.
But again, start small.
Do not go too big into thisright away, unless you have a
whole team of people that canhelp you deploy this in the
correct fashion.
So, as you're looking at thesetechnologies from the financial
services standpoint, I mentionedRPA.
(15:16):
If you go down to about thethird line, third row over,
robotic process automation Dealtwith RPAs in the past and the
RPA is just a robot that is justrunning more or less a script
that keeps running over and overagain and it helps with
different types of datacollections.
But this is something that waskind of I feel is the beginning
of where I started to see AIbaked into different systems and
(15:39):
all this talks about is thedifferent use cases that are on
the left and the securityconcerns that you could have on
the right.
Take this piece of information,look at it, decide hey, you know
what?
There's something I'm trying toaccomplish.
If you look on the right,that'll give you an idea of what
are some of the things you needto be concerned about
Generative AI and LLMs.
Obviously, hallucinations,misalignments and data
exfiltration big factor there.
Intellectual propertyprotection.
(16:02):
One of the big areas that wewere always concerned about was
IP theft and if you're puttingyour IP in an LLM to help you
and your scientists.
You need to really have a goodunderstanding of how do I get
the data.
I get the data in, but can Iget the data out and do I want
to have the employees get thedata out?
That's a big deal, I mean.
And if you are dealing withintellectual property protection
and you're using LLMs, thinklong and hard about how you want
(16:25):
to deploy it.
It can be done well and it canbe done right, but there is risk
and you will never, ever beable to reduce the risk to zero
unless you just basically don'tuse it.
So you're going to have tounderstand how much do you want
to utilize AI and LLMs withinyour organization, especially if
you have intellectual property.
Now, also think about it thisway.
(16:45):
But your AIP may not be ColonelSanders' 11 Herbs and Spices.
It could just be the fact thatyou have a certain pricing model
with your clients.
You know how much your pricingis.
You know it in relation to yourcompetitors.
That is intellectual property.
You have to determine, if youput this in your LLM for maybe
your sales consultants, whathappens if they get this out?
Could it affect your company?
(17:07):
Big things you got to kind ofconsider before you go jumping
into this.
So AI-driven use cases infinancial institutions there's
all kinds of things from frauddetection, customer engagement,
credit risk and loan processing.
That one's a huge one becauseif you have dealt with a loan,
loans take forever and they canbe challenging, especially if
you've got credit risk.
But if you can have the AI gothrough and help all this stuff
(17:29):
out at the beginning, it's huge.
One thing I saw is lawyers arenow a lot of the paralegals that
no longer were working withcompanies.
They're getting less and lessparalegals or moving them on to
different kind of opportunities,because the AI and the ML can
do a lot of what the paralegalswill do.
I saw this recent article whereSaudi Arabia is looking to
draft laws with AI and MLutilizing that capability.
(17:53):
So it's amazing where this isall going to go.
One of the key points I wantedto bring up around financial
institutions, as it relates tothe security piece of this and
AI, is security operations Again, ai for cyber defense,
incorporating that in with yourSIEM and your SOAR platforms
SIEM, I should say not SIEM yourSIEM, your SOAR platforms.
(18:13):
This helps a lot with behaviordetection, predictive phishing,
malware classification and soforth.
So a lot of really good thingsthere.
So, yeah, real world use cases.
I will just kind of bring up acouple key points here as you
look at this.
One is JP Morgan's coin.
They automate legal contractreviews.
If you've dealt withcybersecurity, you know I've had
to go through variouscybersecurity legal reviews
(18:35):
breach response, what happens tomy third parties that provide
me information that comes in andwhat happens if they have a
breach, what happens if more ofmy data is stored?
All of those pieces are tiedinto legal contract reviews.
(18:57):
Jp Morgan uses theircapabilities to review that and
help protect sensitive legalcontract data.
That's being watched forutilizing AI.
So if anything gets slipped inthere accidentally, then that
could be a factor.
I've dealt with this with legalreviews multiple times, where
they don't usually come to usuntil the deal's almost done and
(19:19):
then they go well, hey, can youlook at this and you're like,
oh no, and all of that would begreat if it was already baked in
with the capability from usingAI.
It had already seen it dealtwith it.
That would be a huge factor.
Cyberlens, robust DLP controls.
Again, they have strict DLPcontrols to prevent unauthorized
disclosure of confidential data.
(19:40):
So having a DLP programutilizing Microsoft tools or
other tools out there is great,but now you can throw on another
level of protection around AI.
Having a DLP program utilizingMicrosoft tools or other tools
out there is great, but now youcan throw on another level of
protection around AI and in thecase of this, with CyberLens,
they're able to do that.
Capital One has got some stuff.
Bank of America you can seethere's a lot of movement in
this space, especially in thefinancial industry.
(20:03):
Now, when you're dealing withsetting up AI within your
company, you're going to go howdo I deal with this?
Well, there's basically threedifferent types of frameworks.
You need to consider An AIsecurity framework, and this is
based a lot on the AI RMF.
And if you want to kind of evenbreak it down a little bit more
, there's the NIST cybersecurityframework.
That is really the foundationof the AI RMF and if you utilize
(20:27):
that framework, it's going togive you some great guidance on
where to go.
The downside is that, becauseAI is so new, these frameworks
are relatively immature and asthey're growing, they will
become better and better overtime, and so when you look at
this framework, you may go okay,well, this isn't a whole lot
different than the cybersecurityframework and you're not that
far off.
There are some differentnuances to it, but the ultimate
(20:48):
goal is to just get you somedirection on where to go as it
relates to implementing thiswithin your company.
Ai governance frameworks reallyimportant part Governance is a
huge factor in all of this whenyou're dealing with AI, and this
considers ethicalconsiderations, risk management,
compliance and accountability.
So you really need to have agood plan when it comes to AI
governance.
And then ethical frameworks isanother one to consider, and
(21:11):
this is a foundational elementas well.
Does it have the ethics?
Is it going to be trustworthy?
Does it have something thatwill not give hallucinations and
people won't pay attention toit?
So really understand thesethree frameworks when you're
deploying AI within your company.
Now there's the risk framework.
(21:32):
As you can see, the NIST AI100-1.
Yeah, that's new.
If it's 100-1, it's new, it'sbrand new.
It's like a baby.
It's just coming out and it'san important part of the
framework.
It's just something you need toconsider Now.
It goes into four corefunctions govern, map, measure
and manage.
These are designed to help youget this process down the pipe.
Something to consider if you'rein the financial industry.
(21:53):
There is the CRI, which is yourCyber Risk Institute framework
and they have a framework thatis tied to the cybersecurity
framework.
If you follow those and thenkind of sprinkle in AI where
you're at and tie it alltogether, you're going to be
much happier down the road.
You'll be much happier as youmove this thing down to the end
(22:14):
of the conclusion.
So the ultimate goal is payattention to the frameworks,
determine which way you want togo with them and then start
implement them within yourcompany.
Now here's some of the top LLMrisks that you will have to deal
with if you're deploying thisinsecure, insecure output
handling.
There's lots of differentplaces here, but I'd say what
(22:34):
the number nine is, one that Ikind of globbed on myself and
that is over reliance, and thepart of over reliance is over
reliance on the modelsthemselves.
So you really need to consideris it something that I'm going
to have my people?
They're going to just take itas truth, as gospel?
It's going to happen.
You need to really understandand built in some level of
protections around that to avoidover-reliance on the overall
(22:56):
LLM.
So some differentconsiderations I've highlighted
again, as you can see, this isan eye chart.
I didn't want to go through allof those, but I wanted to
highlight some key points aroundthis as it relates for
considerations in cybersecurity,dealing with AI, data
anonymization.
So if you're going to bedealing with this within your
organization, privacy is a bigfactor.
You want to at least bake intoit at the beginning.
(23:19):
How do I anonymize this data?
How, when I store it or when Ipresent it?
How do I ensure that the datais anonymized so that privacy
standpoints can't come back tobite me?
Mentioned this before goingthrough.
Data governance is an importantpart, very important part, of
your overall foundationInfrastructure.
Kind of struck that chordbefore.
(23:39):
Network segmentation big factorIf you are in manufacturing
space, one of the big things wedo is we would segregate the
manufacturing network from thebusiness network.
Again, you want to limit theblast radius.
If something were to happen, itdoesn't affect your
manufacturing and vice versa,your manufacturing doesn't
affect your business.
Same concept with AI.
You want to really trulyunderstand network segmentation
(24:00):
and how to isolate your AIcomponents for in the event that
something bad were to happen.
So think about that ahead oftime, before you actually need
it.
Ip protection of models thiscomes down to you're developing
these models.
You want to make sure that youdevelop something that is
available to your masses, but ifyou're putting a lot of work
(24:20):
and time into it, you want tomake sure that it's protected
from it being stolen.
You may have a model that yougrab from off the shelf air
quotes and then you tweak it tomeet your specific needs and you
put in some, you sprinkle itwith some salt and pepper to
make it work for you and yourcompany.
Well, that could beintellectual property not that
it could, it is.
If that gets stolen, how doesthat affect your overall
(24:42):
company's performance?
Can it impact you in a waythat's negative and I would be
willing to bet in many cases,yes, that is the case.
Ai specific security policiesokay.
So if you have a cyber securityfor your organization but it
doesn't have really anything todo with AI, you need to have a
specific policy tailored to AIML use.
Your broad brush policy couldbe fine at the beginning, as
(25:04):
you're just getting started, butonce you start integrating this
and people start utilizing itmore, you need to have a robust
policy schema set upspecifically for AI and you need
to educate your people around.
That and that's one of the bigaspects about policies is having
a good education programteaching them what can they
expect from these policies.
And then regulatory compliancefor AI.
(25:25):
If you're in the financialindustry, that is becoming a
bigger factor and you're goingto have to maintain that.
Auditors are going to want toask questions about that.
You have to be prepared.
But it's not just the financialindustry Many organizations.
When I was in manufacturing, Idealt with governments,
different countries, andtherefore you had to have a good
plan on how you're going todeal with the AI.
In our case it was more or lessadvanced technologies with the
(25:48):
governments.
But if you're dealing with AIin a government and a different
country, they're going to wantto have some level of compliance
and legality written around it.
So what is a current and afuture?
What does this look like?
Obviously, for AI andcybersecurity, there's
operational and customer gains.
I'm a personal recipient of it.
I loved it.
It was great.
It helped me out immensely andit met my needs.
(26:10):
Was it perfect?
No, but from a customerstandpoint of being satisfied,
it was positive.
It was very good Securityenhancements.
Obviously people cannot see allthe risks that you're looking at
, or that we can't see them allbecause we're people.
But the computer can see therisks that we can't, and it can
pull in feeds from differentplaces and it can help analyze
(26:31):
and then potentially block someof these security risks that are
to your organization.
Analyze and then potentiallyblock some of these security
risks that are to yourorganization Fraud response,
intelligent monitoring with SOXand then potentially dynamic
risk scoring based on behaviorand transactions.
So now you're tailoring orprofiling people and how their
activities are happening.
So where are some future trends?
You got generative AI forthreat analysis.
(26:51):
It's basically auto-generatingincident response based on
malware.
Reverse summaries looking atwhat's going on with that.
Federated learning, quantumaware AI, security AI and
blockchain.
All of these are kind of thefuture that's coming and you're
going to see those not within 10years.
You're going to see them infive years or less, because we
all know that we're marchingdown towards this path.
(27:13):
So some key takeaways as we'regetting an ending up this
presentation.
One of the things around thefinancial industry is AI in
banking is here to stay.
It's transformationaltransformational, but it's not
without risk and you need toplan for it.
Cybersecurity must befoundational when you're dealing
with AI and it should be notreactive.
(27:33):
Regulatory alignment and secureframeworks are an essential
component and you for trust andcompliance passpoints of it.
So you really truly need tobake all of that into what
you're trying to accomplishAction items.
So embed security in everyphase, which we talked about.
Build multidisciplinary teams.
They understand AI, cyber,legal business.
(27:55):
They're all together.
One of the things that I raninto with my legal teams is I
had to educate them on this tech.
They were very smart people.
They are very smart people.
They're brilliant, right, butthey're brilliant in what they
do.
They're not necessarilybrilliant in tech, so I had to
help them understand how are allthese technologies changing
their life.
(28:15):
Once they got it, they got itand it was easy, and then it
also made that transition mucheasier to communicate with them.
So that way, when I hadchallenges, the legal team knew
that they could trust me, Icould trust them, and it was a
really great partnership.
You want to invest inexplainability, adversarial
testing and then also ingovernance.
You got to have a good plan.
(28:35):
You're probably looking at thisgoing this all costs money and
guess what?
You're right, it's going tocost money.
It's going to cost money andtime, both capital expense and
opportunity costs.
However, if you spend the timenow, you will be much happier
down the road when you're havingto implement this within your
organization.
So at a later time it's goingto be a big, big deal.
Even though it's a big deal atthe beginning, it's going to be
(28:57):
even bigger at another point inthe near future.
You, you, you, you.
Welcome to the CISSP Cyber Training Podcast, where we
provide you the training andtools you need to pass the CISSP
exam the first time.
Hi, my name is Sean Gerber andI'm your host for this
action-packed, informativepodcast.
Join me each week as I providethe information you need to pass
the CISSP exam and grow yourcybersecurity knowledge.
(00:20):
All right, let's get started.
Speaker 2 (00:26):
Good morning, good afternoon and good evening.
This is Sean Gerber with CISSP,Cyber Training, reduce Cyber
Risk and NextPeak.
This presentation is apresentation related to AI and
cybersecurity as it relates tofinancial institutions.
So, as a background on all ofthis, the reason I'm bringing
this up is that I've been aconsultant now for about a bit
(00:47):
of a year, but I've been in thecybersecurity space for going on
20 plus years and one of thethings that I have realized over
the past 23 years incybersecurity things have
changed and things have changeda lot.
And as I'm seeing this changein as it relates to AI and ML, I
wanted to record this just sothat you all have some basis to
understand.
(01:07):
What is the differences?
What is AI, how does it dealwith ML, how does it deal in
financial institutions?
And so that was the kind of theoverall plan around it, because
I've seen the gaps and I'veseen it growing so quickly.
If you are in a financialinstitution and then
realistically, even if you'renot, if you're just considering
use of AI and ML within yourorganization, you really truly
(01:28):
need to start understanding thefoundational aspects of it.
And the reason I say that isbecause in the next year two,
maybe three, but probably notmuch more than three.
From the time that you haveimplemented AI and ML within
your organization, you're goingto wish that you actually would
have paid attention to it andmaybe made some changes at the
beginning.
It's a big, big deal and Ithink it's really important that
(01:50):
, if anything you just take awayfrom this, is that a new
education related around AI andML.
So let's go ahead and getstarted.
A little bit of background aboutmyself.
I'm currently a partner withNextpeak and we are a boutique
type of cybersecurity companywhere we will provide how to set
up SOCs within differentsectors.
(02:11):
We're big in the financialindustry.
We help do the uplifts in thecase after breaches.
We have virtual CISOcapabilities as well, so there's
a very large plethora ofopportunities within NextPeak
and how we can help you and yourorganization.
We focus real strongly rightnow on the financial industry is
where we're part of our breadand butter, but we also are in
the manufacturing space and M&A,so a lot of great things we can
(02:35):
provide with NextPeak.
If it's not just myself, wehave lots of individuals that we
have in our stable that we canbring to bear any needs you may
have.
I'm also the owner of ReduceCyber Risk, a consulting company
, as well as CISSP CyberTraining, which is where I'm
teaching students how to passthe CISSP exam, but not just
pass the test but actually getthe content they need to be able
(02:56):
to understand it and then takethat information once they pass
the exam and use it in theircybersecurity world.
So it's a different approachthan many that just go out and
try to pass the exam and getthat done.
It's more for self-studystudents, people that don't have
the time to go spend a week ormaybe the financial resources to
do so.
They can go take my CISSPtraining courses and have all
(03:17):
that they would need to besuccessful.
I'm also I was corporatesecurity for information
security within Koch Industries,a very large multinational here
based out of Wichita, kansas.
I worked in there from securityarchitecture to managing their
SOC, and then I was a virtualnot a virtual I was a CISO for
one of the large multinationalcompanies that's tied to it, so
(03:39):
that I dealt with manufacturing,chemical manufacturing,
intellectual property protectionall of those different pieces
within Koch Industries.
I was an adjunct professor atWichita State University,
teaching cyber physical systemsas well as cyber risk.
I did that for a couple ofyears and then I stood up and
kind of basically designed,built and stood up the Air Force
(04:00):
Red Team for the Air NationalGuard here in Wichita, kansas,
the Air Force Red Team for theAir National Guard here in
Wichita, kansas did that fromaround 2002 to 2010, 2011, and
had a great opportunity doingthat.
So learned a lot from theadversary perspective.
And this again, this is still afew years ago, but we were in
the throes of trying tounderstand how cybersecurity was
going to affect many companies.
(04:22):
And I was in aviation.
I actually went to school to bean airline pilot and ended up
flying B-1 bombers and I was aweapons systems officer on B-1
bombers as well as a commercialpilot in the aviation space.
So, as you can tell, I've got alittle bit of a different
background than many that are incomputer security and so forth.
But that's cool, because whatthe bottom line is is it's just
(04:43):
designed to try to help youunderstand that it doesn't
really matter where yourbackground is.
This whole cybersecurity spaceis changing so much and it's up
to all of us to really kind oftry to stay ahead of it.
So what are we going to talkabout?
I'm going to kind of just breakthis down into artificial
intelligence and machinelearning, one of the key aspects
that I struggle with.
And again, I was born on a pigfarm.
That's where I come from inIowa.
(05:04):
So, yeah, my background is notone of a blue blood.
I don't understand real complexconcepts.
So the ultimate point was to putout there what is this?
Because I see the terms AI andML thrown around like candy.
They just kind of people don'treally even know what they're
saying.
And so I did that and I wantedto make sure I understood what I
was getting at and what I wastrying to explain and trying to
(05:25):
understand.
So therefore, this is kind ofwhat this slide's talking about.
So AI, again, this is acomputer science broad field,
right, it's big.
If you look at the buckets tothe right, you have the big
green bucket.
That's AI.
That is everything out there,that where it can reach, and
this deals with typicalrequiring human intelligence
intelligence such as learning,problem solving and even
decision making.
So all of that is there, it'sall in this AI bucket.
(05:50):
Ml is a subset.
It's a subset of AI thatenables the systems to learn
from the data without beingexplicitly programmed to do so.
So it's learning on its own,based on the algorithms that are
there.
Now, the types of learningthat's available to you are
three specific types.
They're supervised,unsupervised and reinforcement.
Now supervised learning thisthe model will learn from
(06:12):
labeled data with input outputpairs right to protect in
outcomes, based on new andunseen data.
So that's but it's looked.
It's maintained in itssupervised state.
There's also an unsupervised,where your model learns patterns
and structures from unlabeleddata without guidance, without
explicit guidance on what to do,so it's thinking on its own a
little bit.
Then there's the reinforcementlearning, where they learn
(06:35):
through trial and error and itinteracts with the environment,
makes a mistake, receivesbenefits and there's penalties
for making the mistakes, but theultimate goal in all of this is
to get down to.
If you look at these LLMs,they're that small little dot in
the middle of all of this pieceof this, and the goal is that
utilizing these capabilitiesthrough AI and ML to help
(06:58):
enhance your daily activitiesand make it much more productive
, make it more financially sound, do all these different things
that are really rudimentarytasks that employees, people,
have to do that one that couldbe done by a machine and then
allowing you to be able to useyour creative juices to be able
to do more and better thanactually the more rudimentary
(07:19):
type activities let's start offwith.
We'll talk about rpas in alittle bit, but it kind of start
off in that space as well.
So the goal that's AI and ML ina nutshell and again breaking
it down to the third grade level.
That's the point.
So early adopters of AI and ML,especially as you're getting
into this space, iscybersecurity, healthcare,
(07:40):
retail, financial services andmanufacturing.
Those are some of the big, bigpeople that are trying to get
into AI and ML and they all havedifferent reasons behind it.
But just to kind of go over someof the key things, and as we go
through this presentation, I'mgoing to highlight some key
points that I'll get into.
I'm not going to read from theslides, because you all are way
smarter than me listening tothis.
So the point is that I don'twant it to take too long to get
(08:02):
through all the content, becausethere's so much content.
You are going to need to figureout in here what is something
that is important to you andmaybe you can drill deeper into
it or you can reach back out tome and I'm happy to kind of go
into some different aspects withyou.
So again, cybersecurity this isthe AI-powered stuff Now in
this world I've dealt with in asecurity operations center, got
(08:28):
to deal with people, analystsfrom all over the globe that are
trying to deal with thesealerts.
How do I deal with them, whatdo I do with them?
And having AI that can gotriage that first tier of alerts
would be extremely valuable andthis helps reduce the cyber
risk.
It also helps deal with all ofthe aspects that are manually
being done by people.
So cybersecurity is a big win.
Healthcare diagnosis, drugdiscovery, personal medicine
(08:49):
those are big things.
I was reading a book, oractually listening to it,
related to AI and ML, and thebook was talking about how
oncologists were having to lookat different types of tests to
be able to determine what isgoing on with this person.
Well, now they have this.
The AI and ML are able to dothis.
They have a program that can dothis.
(09:10):
It is just effective as a veryexpensive oncologist, but it can
do it in milliseconds comparedto the oncologist taking 10, 15
minutes looking at each one.
So it's imperative to know thathealthcare is a big deal Retail
, e-commerce, obviously,training, pricing, the need for
personal shopping.
You see that with Amazon all thetime.
Financial services, whichreally we're going to talk about
(09:32):
a little bit here today.
Again insider threat, theanti-money laundering.
There's all of these differentareas in the financial sector
where AI and ML are beingingested and being used because
of the financial gain that theycan get out of it.
And then manufacturingespecially dealt with this in
the manufacturing space aroundpredictive analysis Systems that
(09:52):
are going to go down becausethey're about ready to their
mean time.
To failure is a certain periodof time and if you're dealt with
a manufacturing space, theycan't just go turn a machine
down, especially if this thingis running at a plant.
There's a process by which theywould turn equipment down and a
lot of times when they do whatthey call a turnaround, they'll
(10:12):
go in and they'll replace a lotof different equipment.
Well, if they know thatequipment is going to fail or it
looks like it might fail,before you go into the
turnaround, the best time to doit is during the turnaround.
The worst time it could happenis right after the turnaround is
done.
You've shut everything down,you're now bringing everything
back up and then all of a suddena part fails and forces you to
(10:33):
shut back down again.
That's extremely expensive.
So what can you do?
If you have an idea of what isfailing before the turnaround,
you can preemptively replace itand save you a ton of money.
And that's just one area withinthe manufacturing space.
So lots of different adopters ofAI and ML, and this is only
going to improve over time.
(10:53):
So how's AI's impact on bankingand cybersecurity?
Well, obviously, we talked alittle bit about it earlier,
where there's key financialinnovation automating tasks,
increasing customer engagement,reducing operational costs.
I'll use myself as an example.
Perfect thing I wascommunicating with the bank and
they tell you it's a chatbot.
You know that going into it,but it has the ability to
(11:15):
communicate with you in a waythat you don't really even think
it's a chatbot.
I was talking also to a companyon the phone.
I called them asking about someHVAC work on a property that we
have, and I called them andasked a specific question.
But I get a robot that comes up, basically because it's a
chatbot, but at first I did notknow that it was a chatbot.
(11:36):
It sounded like a personcompletely, and so you therefore
real quickly realize going,this is pretty crazy cool and it
also kind of crazy scary, butthe point of it was was that
it's available right now and itis good.
It's not perfect, it doesn't itdoesn't meet all the needs, but
it's pretty good and it helpedme through this entire process
in many different ways.
(11:57):
So it does help in in helpingyour organization become more
effective and more productive.
Real-time decision-making,again, obviously we we talked
about that where it'll help youin that case.
Now, as you're dealing withcybersecurity, how does this
work?
Well, from an AI standpoint,it's both a defensive tool and
an attack surface.
Ai can be used to attack you,and they're seeing more of that
(12:20):
increasing.
That's going on.
It also can help with financialdata models, and the pipelines
are attractive targets from badguys going and girls going after
those.
So there's an intersectionbetween what cybersecurity and
AI can do.
It can help your companyimmensely, but it also is going
to be the target of attackersagainst your company.
(12:41):
If there's one thing you cantake away from this presentation
, it's this bang box.
Ai must be developed andemployed with a secure design
approach.
Okay, if you develop thesethings by a secure design at the
beginning, this is going tomake your life so much easier.
All the books, I've beenreading all the podcasts and
different types of video.
I've been seeing the sameconcept Secure by design.
(13:03):
Develop it at the beginning ina secure manner, and this is
going to take some people tohelp you do this.
But if you do this right, ifyou do the security right by
designing it well, you are goingto be in a much better position
a year, two years down the road.
So there's a lot of bullets youcan see in the secure by design
, but I'm going to focus onthese four main ones, but
(13:24):
they're all important.
Every, every one of these isimportant, but let's just focus
on these four so we don't loseour mind because there's so many
bullets.
So first off is securityrequirements.
From the start, you need tounderstand security is at the
core of this thing and you needto consider that when you're
doing your initial AI setup.
You can't just go well, hey, Ijust need AI and I'm going to go
throw it in here.
You can do that, but you'reprobably going to pay for it a
(13:50):
couple of years down the road.
So consider how you want tohave security baked into this at
the beginning.
Deploy it securely.
This is a secure infrastructureand environment for your model.
You want to make sure that it'sin a good, secure place when
you build it, because once youbuild it, like I mentioned
before, unpacking it and goingback and fixing it again can be
very challenging.
Privacy by design Privacy isgoing to be a huge factor with
the AI and ML Anything you putin there.
(14:12):
You want to consider privacyfrom the beginning.
Do not ignore it.
If you're a small company andyou're going well, I don't need.
I mean, we don't really have todeal with personal privacy
issues, so it's not a big dealthat may be the case right now.
However, if you see value inthis and all of a sudden you're
like well, I really like this,let's build upon it.
You're going to want privacybecause you may use it in an
(14:33):
area where you're dealing withcustomer databases, customer
input, anything like that.
Begin at the beginning with yourprivacy, and then the last one
is secure integration with othersystems.
This ensures that you haveinteraction between the AI and
other IT components, having astrong integration, api
integration, saas integration,application integration.
(14:56):
All of those things need to beconsidered when you're deploying
this in your environment.
But again, start small.
Do not go too big into thisright away, unless you have a
whole team of people that canhelp you deploy this in the
correct fashion.
So, as you're looking at thesetechnologies from the financial
services standpoint, I mentionedRPA.
(15:16):
If you go down to about thethird line, third row over,
robotic process automation Dealtwith RPAs in the past and the
RPA is just a robot that is justrunning more or less a script
that keeps running over and overagain and it helps with
different types of datacollections.
But this is something that waskind of I feel is the beginning
of where I started to see AIbaked into different systems and
(15:39):
all this talks about is thedifferent use cases that are on
the left and the securityconcerns that you could have on
the right.
Take this piece of information,look at it, decide hey, you know
what?
There's something I'm trying toaccomplish.
If you look on the right,that'll give you an idea of what
are some of the things you needto be concerned about
Generative AI and LLMs.
Obviously, hallucinations,misalignments and data
exfiltration big factor there.
Intellectual propertyprotection.
(16:02):
One of the big areas that wewere always concerned about was
IP theft and if you're puttingyour IP in an LLM to help you
and your scientists.
You need to really have a goodunderstanding of how do I get
the data.
I get the data in, but can Iget the data out and do I want
to have the employees get thedata out?
That's a big deal, I mean.
And if you are dealing withintellectual property protection
and you're using LLMs, thinklong and hard about how you want
(16:25):
to deploy it.
It can be done well and it canbe done right, but there is risk
and you will never, ever beable to reduce the risk to zero
unless you just basically don'tuse it.
So you're going to have tounderstand how much do you want
to utilize AI and LLMs withinyour organization, especially if
you have intellectual property.
Now, also think about it thisway.
(16:45):
But your AIP may not be ColonelSanders' 11 Herbs and Spices.
It could just be the fact thatyou have a certain pricing model
with your clients.
You know how much your pricingis.
You know it in relation to yourcompetitors.
That is intellectual property.
You have to determine, if youput this in your LLM for maybe
your sales consultants, whathappens if they get this out?
Could it affect your company?
(17:07):
Big things you got to kind ofconsider before you go jumping
into this.
So AI-driven use cases infinancial institutions there's
all kinds of things from frauddetection, customer engagement,
credit risk and loan processing.
That one's a huge one becauseif you have dealt with a loan,
loans take forever and they canbe challenging, especially if
you've got credit risk.
But if you can have the AI gothrough and help all this stuff
(17:29):
out at the beginning, it's huge.
One thing I saw is lawyers arenow a lot of the paralegals that
no longer were working withcompanies.
They're getting less and lessparalegals or moving them on to
different kind of opportunities,because the AI and the ML can
do a lot of what the paralegalswill do.
I saw this recent article whereSaudi Arabia is looking to
draft laws with AI and MLutilizing that capability.
(17:53):
So it's amazing where this isall going to go.
One of the key points I wantedto bring up around financial
institutions, as it relates tothe security piece of this and
AI, is security operations Again, ai for cyber defense,
incorporating that in with yourSIEM and your SOAR platforms
SIEM, I should say not SIEM yourSIEM, your SOAR platforms.
(18:13):
This helps a lot with behaviordetection, predictive phishing,
malware classification and soforth.
So a lot of really good thingsthere.
So, yeah, real world use cases.
I will just kind of bring up acouple key points here as you
look at this.
One is JP Morgan's coin.
They automate legal contractreviews.
If you've dealt withcybersecurity, you know I've had
to go through variouscybersecurity legal reviews
(18:35):
breach response, what happens tomy third parties that provide
me information that comes in andwhat happens if they have a
breach, what happens if more ofmy data is stored?
All of those pieces are tiedinto legal contract reviews.
(18:57):
Jp Morgan uses theircapabilities to review that and
help protect sensitive legalcontract data.
That's being watched forutilizing AI.
So if anything gets slipped inthere accidentally, then that
could be a factor.
I've dealt with this with legalreviews multiple times, where
they don't usually come to usuntil the deal's almost done and
(19:19):
then they go well, hey, can youlook at this and you're like,
oh no, and all of that would begreat if it was already baked in
with the capability from usingAI.
It had already seen it dealtwith it.
That would be a huge factor.
Cyberlens, robust DLP controls.
Again, they have strict DLPcontrols to prevent unauthorized
disclosure of confidential data.
(19:40):
So having a DLP programutilizing Microsoft tools or
other tools out there is great,but now you can throw on another
level of protection around AI.
Having a DLP program utilizingMicrosoft tools or other tools
out there is great, but now youcan throw on another level of
protection around AI and in thecase of this, with CyberLens,
they're able to do that.
Capital One has got some stuff.
Bank of America you can seethere's a lot of movement in
this space, especially in thefinancial industry.
(20:03):
Now, when you're dealing withsetting up AI within your
company, you're going to go howdo I deal with this?
Well, there's basically threedifferent types of frameworks.
You need to consider An AIsecurity framework, and this is
based a lot on the AI RMF.
And if you want to kind of evenbreak it down a little bit more
, there's the NIST cybersecurityframework.
That is really the foundationof the AI RMF and if you utilize
(20:27):
that framework, it's going togive you some great guidance on
where to go.
The downside is that, becauseAI is so new, these frameworks
are relatively immature and asthey're growing, they will
become better and better overtime, and so when you look at
this framework, you may go okay,well, this isn't a whole lot
different than the cybersecurityframework and you're not that
far off.
There are some differentnuances to it, but the ultimate
(20:48):
goal is to just get you somedirection on where to go as it
relates to implementing thiswithin your company.
Ai governance frameworks reallyimportant part Governance is a
huge factor in all of this whenyou're dealing with AI, and this
considers ethicalconsiderations, risk management,
compliance and accountability.
So you really need to have agood plan when it comes to AI
governance.
And then ethical frameworks isanother one to consider, and
(21:11):
this is a foundational elementas well.
Does it have the ethics?
Is it going to be trustworthy?
Does it have something thatwill not give hallucinations and
people won't pay attention toit?
So really understand thesethree frameworks when you're
deploying AI within your company.
Now there's the risk framework.
(21:32):
As you can see, the NIST AI100-1.
Yeah, that's new.
If it's 100-1, it's new, it'sbrand new.
It's like a baby.
It's just coming out and it'san important part of the
framework.
It's just something you need toconsider Now.
It goes into four corefunctions govern, map, measure
and manage.
These are designed to help youget this process down the pipe.
Something to consider if you'rein the financial industry.
(21:53):
There is the CRI, which is yourCyber Risk Institute framework
and they have a framework thatis tied to the cybersecurity
framework.
If you follow those and thenkind of sprinkle in AI where
you're at and tie it alltogether, you're going to be
much happier down the road.
You'll be much happier as youmove this thing down to the end
(22:14):
of the conclusion.
So the ultimate goal is payattention to the frameworks,
determine which way you want togo with them and then start
implement them within yourcompany.
Now here's some of the top LLMrisks that you will have to deal
with if you're deploying thisinsecure, insecure output
handling.
There's lots of differentplaces here, but I'd say what
(22:34):
the number nine is, one that Ikind of globbed on myself and
that is over reliance, and thepart of over reliance is over
reliance on the modelsthemselves.
So you really need to consideris it something that I'm going
to have my people?
They're going to just take itas truth, as gospel?
It's going to happen.
You need to really understandand built in some level of
protections around that to avoidover-reliance on the overall
(22:56):
LLM.
So some differentconsiderations I've highlighted
again, as you can see, this isan eye chart.
I didn't want to go through allof those, but I wanted to
highlight some key points aroundthis as it relates for
considerations in cybersecurity,dealing with AI, data
anonymization.
So if you're going to bedealing with this within your
organization, privacy is a bigfactor.
You want to at least bake intoit at the beginning.
(23:19):
How do I anonymize this data?
How, when I store it or when Ipresent it?
How do I ensure that the datais anonymized so that privacy
standpoints can't come back tobite me?
Mentioned this before goingthrough.
Data governance is an importantpart, very important part, of
your overall foundationInfrastructure.
Kind of struck that chordbefore.
(23:39):
Network segmentation big factorIf you are in manufacturing
space, one of the big things wedo is we would segregate the
manufacturing network from thebusiness network.
Again, you want to limit theblast radius.
If something were to happen, itdoesn't affect your
manufacturing and vice versa,your manufacturing doesn't
affect your business.
Same concept with AI.
You want to really trulyunderstand network segmentation
(24:00):
and how to isolate your AIcomponents for in the event that
something bad were to happen.
So think about that ahead oftime, before you actually need
it.
Ip protection of models thiscomes down to you're developing
these models.
You want to make sure that youdevelop something that is
available to your masses, but ifyou're putting a lot of work
(24:20):
and time into it, you want tomake sure that it's protected
from it being stolen.
You may have a model that yougrab from off the shelf air
quotes and then you tweak it tomeet your specific needs and you
put in some, you sprinkle itwith some salt and pepper to
make it work for you and yourcompany.
Well, that could beintellectual property not that
it could, it is.
If that gets stolen, how doesthat affect your overall
(24:42):
company's performance?
Can it impact you in a waythat's negative and I would be
willing to bet in many cases,yes, that is the case.
Ai specific security policiesokay.
So if you have a cyber securityfor your organization but it
doesn't have really anything todo with AI, you need to have a
specific policy tailored to AIML use.
Your broad brush policy couldbe fine at the beginning, as
(25:04):
you're just getting started, butonce you start integrating this
and people start utilizing itmore, you need to have a robust
policy schema set upspecifically for AI and you need
to educate your people around.
That and that's one of the bigaspects about policies is having
a good education programteaching them what can they
expect from these policies.
And then regulatory compliancefor AI.
(25:25):
If you're in the financialindustry, that is becoming a
bigger factor and you're goingto have to maintain that.
Auditors are going to want toask questions about that.
You have to be prepared.
But it's not just the financialindustry Many organizations.
When I was in manufacturing, Idealt with governments,
different countries, andtherefore you had to have a good
plan on how you're going todeal with the AI.
In our case it was more or lessadvanced technologies with the
(25:48):
governments.
But if you're dealing with AIin a government and a different
country, they're going to wantto have some level of compliance
and legality written around it.
So what is a current and afuture?
What does this look like?
Obviously, for AI andcybersecurity, there's
operational and customer gains.
I'm a personal recipient of it.
I loved it.
It was great.
It helped me out immensely andit met my needs.
(26:10):
Was it perfect?
No, but from a customerstandpoint of being satisfied,
it was positive.
It was very good Securityenhancements.
Obviously people cannot see allthe risks that you're looking at
, or that we can't see them allbecause we're people.
But the computer can see therisks that we can't, and it can
pull in feeds from differentplaces and it can help analyze
(26:31):
and then potentially block someof these security risks that are
to your organization.
Analyze and then potentiallyblock some of these security
risks that are to yourorganization Fraud response,
intelligent monitoring with SOXand then potentially dynamic
risk scoring based on behaviorand transactions.
So now you're tailoring orprofiling people and how their
activities are happening.
So where are some future trends?
You got generative AI forthreat analysis.
(26:51):
It's basically auto-generatingincident response based on
malware.
Reverse summaries looking atwhat's going on with that.
Federated learning, quantumaware AI, security AI and
blockchain.
All of these are kind of thefuture that's coming and you're
going to see those not within 10years.
You're going to see them infive years or less, because we
all know that we're marchingdown towards this path.
(27:13):
So some key takeaways as we'regetting an ending up this
presentation.
One of the things around thefinancial industry is AI in
banking is here to stay.
It's transformationaltransformational, but it's not
without risk and you need toplan for it.
Cybersecurity must befoundational when you're dealing
with AI and it should be notreactive.
(27:33):
Regulatory alignment and secureframeworks are an essential
component and you for trust andcompliance passpoints of it.
So you really truly need tobake all of that into what
you're trying to accomplishAction items.
So embed security in everyphase, which we talked about.
Build multidisciplinary teams.
They understand AI, cyber,legal business.
(27:55):
They're all together.
One of the things that I raninto with my legal teams is I
had to educate them on this tech.
They were very smart people.
They are very smart people.
They're brilliant, right, butthey're brilliant in what they
do.
They're not necessarilybrilliant in tech, so I had to
help them understand how are allthese technologies changing
their life.
(28:15):
Once they got it, they got itand it was easy, and then it
also made that transition mucheasier to communicate with them.
So that way, when I hadchallenges, the legal team knew
that they could trust me, Icould trust them, and it was a
really great partnership.
You want to invest inexplainability, adversarial
testing and then also ingovernance.
You got to have a good plan.
(28:35):
You're probably looking at thisgoing this all costs money and
guess what?
You're right, it's going tocost money.
It's going to cost money andtime, both capital expense and
opportunity costs.
However, if you spend the timenow, you will be much happier
down the road when you're havingto implement this within your
organization.
So at a later time it's goingto be a big, big deal.
Even though it's a big deal atthe beginning, it's going to be
(28:57):
even bigger at another point inthe near future.
You, you, you, you.
Popular Podcasts
Las Culturistas with Matt Rogers and Bowen Yang
Ding dong! Join your culture consultants, Matt Rogers and Bowen Yang, on an unforgettable journey into the beating heart of CULTURE. Alongside sizzling special guests, they GET INTO the hottest pop-culture moments of the day and the formative cultural experiences that turned them into Culturistas. Produced by the Big Money Players Network and iHeartRadio.
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com