
February 5, 2025 | 20 mins

In this episode of Cybernomics, Josh Bruyning and Kyle Bhiro discuss the hidden costs associated with vulnerability management in cybersecurity. They explore the importance of understanding these costs, the role of AI in improving efficiency, and the necessity of human oversight in security operations. The conversation also touches on the concept of security debt, compliance, and the future of vulnerability management as organizations adapt to new technologies.

• Understanding what vulnerability management encompasses 
• Triage as a crucial yet costly part of vulnerability management 
• Leveraging AI to streamline the triage process and reduce costs 
• Risks associated with unaddressed vulnerabilities 
• The relationship between vulnerability management and compliance costs 
• Tailoring vulnerability management strategies to business size 
• The concept of security debt and its implications 
• Future outlook for security roles in a tech-heavy era


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome to another episode of Cybernomics, where we talk about the hidden costs in cybersecurity, and today we are talking about the hidden costs of vulnerability management. And this is not emotional vulnerability, you know. That's another show, it's a totally different topic. We're talking about security vulnerability management, and

(00:20):
how do we as business leaders, security leaders, get ahead of those hidden costs? Even if licensing costs are clear and upfront, organizations can face significant indirect expenses over the lifecycle of a vulnerability management program. So, actively accounting for these factors, from human

(00:48):
resources and cultural aspects to compliance demands, this can help CTOs and CISOs and other executives shape a more accurate budget and create more resilient security strategies. Here to help us get ahead of these costs is Kyle Bhiro, the co-founder and CEO at Pensar. Kyle, welcome to Cybernomics.

Thank you for having me, Josh. I'm really excited for this.

(01:09):
So I'm really interested in what you guys are doing over at Pensar. We're not going to talk about the product too much because we want to talk about this approach of getting ahead of the costs in vulnerability management. For those who are not completely security savvy or tech savvy, can you describe what vulnerability management is and how Pensar is thinking about the landscape?

(01:30):
Vulnerability management can probably best be described as finding those little nodes of attack before they're exploited. You know, what can we do to manage this from day one is, well, first, building secure products. Why not teach our developers to write secure code, buzzword in

(01:53):
security. But this is really pushing our landscape of developers and security engineers, what have you, towards a future using tools to their advantage,

(02:13):
and so I'm really excited about a future where we can maybe start talking less about the concerns around security because we're considering security from day one. However, that future isn't here yet. Vulnerability management right now, and the way it exists, is identifying these attack nodes, finding them in the code base,

(02:35):
triaging them, which is a huge part and I hope that we can get into, and then fixing and patching those.
Let's start with triage, since you mentioned that that's a really big cost to organizations. I mean, when you talk about manual processes, that's often where you find the greatest costs, right, because you've got often SOC analysts or others in the security organization who

(02:57):
are going through logs, like just, you know, one by one, and the SOC analyst is going cross-eyed. To quote my friend Alan Alford. Shout out to Alan. It takes a lot of effort, a lot of brain power and just raw energy and time to triage, and whenever I hear vulnerability management, I usually think false positives.

(03:19):
I think that things are going to get through the door that are not supposed to be there and we're going to miss the things that we should have caught, right. So it is obvious that organizations will incur costs in terms of not being able to find all of the vulnerabilities that are in their system and, of course, those vulnerabilities

(03:39):
get exploited. There could be a breach and that incurs, you know, incurs all the costs associated with breaches. So, naturally, any kind of management solution or any approach to vulnerability management has to address manual triage and being able to find all of the vulnerabilities, if

(04:01):
not most of them, and react to them in a way that is time sensitive and risk averse, or at least risk conscious. How are you thinking about manual triage? Is this something that we just have to deal with? Is this something that organizations just have to put up with, or is there a way to manage those vulnerabilities and

(04:25):
to triage those logs and those vulnerabilities in a more effective way?
Triaging is the most manual part of a security organization. You put it perfectly. It is like sifting through, if you've ever been inside of a record store, right, going through every

(04:47):
single record until you find the one that needs to be plucked out. There's an intense amount of noise, and we start using this word in security, but it pours into the developer experience as well, which is alert fatigue, and so these tools that are currently

(05:08):
being used by larger enterprises that can afford them, and I will get into how expensive these can become, these tools are not building triaging into their current workflow. Now, I think triaging, being a highly manual part of the security organization, is probably one of the first areas

(05:30):
where we can start to leverage machine learning and AI to create efficiencies, and so the cost immediately becomes a question of, okay, what work can we start to sell to companies or tools, for example, these AI-powered tools and solutions that'll take care of this very medial task for us, and triaging

(05:51):
is probably the first to go. So, in my opinion, I think security engineers and developers would actually be quite more excited to do higher leverage tasks, and we are not in any way to go and immediately replace the security engineer. I would much rather provide them with tools so that way they

(06:11):
can go and do their jobs better. This means more effective hires, right, instead of spending hours. Maybe we can quantify it to be 10, a dozen hours a week finding vulnerabilities just to sift through them and flag the false positives and actually move the ones that need to be addressed into high criticality.

(06:31):
It's a huge waste of time. Now, without going too deep into what we do at Pensar, but to eliminate that step, we've trained a language model to triage and sift through those vulnerabilities for you. Immediately, we're able to shift that cost associated for the decision maker to our tool. Now, if you wanted to also look at the potential risk and

(06:57):
slowdown that vulnerabilities in your code base cause an organization, this is much more difficult to quantify. What does a breach cost to a business? Now you can look at headlines. This could be millions of dollars. There are tremendous examples of highly regulated industries. Healthcare is a great example to take a look at here, where

(07:20):
patient data or hospitals. The worst case scenario is you have a hospital be knocked offline and then, one, your institution is no longer trustworthy. But also what happens to the actual day-to-day operations and managing the people and managing the patients. This is a terrifying reality. This part of vulnerability management and finding those

(07:42):
attack nodes and vulnerabilities becomes really, really, really, really important in managing that future risk, something to

(08:06):
also continue on for compliance reasons. Vulnerability management is a huge part of getting your SOC compliance or any other regulated framework that you'd probably pursue as an enterprise organization. Since we're spending heaps, and I could speak to a small organization will probably spend $20,000, I'm talking early stage startups even, $20,000 just to get their SOC 2.

(08:28):
A larger organization that's doing over a million dollars in ARR is probably spending north of $100,000 to get this process done. And part of the evidence that's collected in the SOC 2 procedure is, do you have sufficient vulnerability management? And so this part, if you for some reason fail your SOC 2

(08:50):
audit or it's a slowdown and you're not on the timeline to get your audit, prevents you from being able to unlock new business channels, prevents you from being able to increase revenue operations, and so now we're able to shift the narrative of security to becoming table stakes in doing deals.
So let's say I go into a company and I'm going to

(09:14):
implement an AI-driven solution for vulnerability management. Right, it's going to help everybody do vulnerability management better, or at least help the SOC analysts. Like you said, empower the SOC analysts and the other security analysts to be able to do more with less, right, so let's say this works too well. Now the SOC analysts, instead of 40 hours a week, they can do

(09:37):
the same work in 20 hours. What does the organization do with those employees? Do they expand their role or are they laying off half of their employees?

This is a great question. I want to break it into segments of organization.

(09:59):
So let's talk about small businesses first. A small business is not hiring a security engineer in their first 10, maybe even their first 20 employees. The reality is, small businesses right now are not concerned about security when they really should be.

(10:23):
A lot of the attack nodes for high-profile exploitations. I was recently talking to a group of students about early January. CISA had reported that the US Treasury was breached and the attack node for this could be tracked all the way back to a company. I'll leave out their name. However, this is the pack of attack and it's not the large

(10:44):
organizations who need to be worried about this. It really is the small ones, and then your reputation is on the line. So, small organization. They need these resources, these vulnerability management tools, maybe a condensed security tool to put in their tech stack to start to address these problems immediately. Now let's shift towards the medium-sized, maybe your small

(11:08):
to medium enterprise. These are 200, 500 to 1,000 person organizations. You have a security group. You likely have a CISO, maybe you have a handful of security engineers. These people are very, very busy, especially right now. Budgets are quite lean, there's not a lot to work with and they

(11:32):
are spending an immense amount of time on, like we were talking about, vulnerability management. A lot of tasks that can be highly, highly automated. Now we can move them onto higher leverage tasks and projects. What that might be, it could be preparing their organization for a new framework that they're going to explore. It could be some, probably high, critical vulnerability that a

(11:55):
tool like Pensar finds and now they can address rather than, you know, spending the half the day looking for that vulnerability. This is what they'll be doing. I want to reiterate, I don't foresee a future where security engineers are being laid off. I actually see a future where security engineers are more

(12:16):
important to the business organization because they're taking care of these tasks, because they're enabling revenue to open up and protect their business. Let's take a look at the really large organization as well. I could point to an example of a scan we recently done on an organization that has a couple thousand developers.

(12:38):
These industries, especially if they're highly regulated. They have pretty large budgets and pretty large security groups. The CISO is highly, highly concerned with a million things, and that doesn't consist of trying to pluck out vulnerabilities, especially if you don't even know that they're there. So what we're working on, and this is a future that is not

(13:02):
here yet, is self-healing and auto-fixing, right. So allowing the security analyst, security engineer, the CISO, to be flagged when there's something important to take a look at, rather than spending time sifting through the vulnerabilities, triaging them manually, instead of just getting, you know,

(13:23):
bing, bing, bing, bing, bing, lots of noise and lots of alerts. You're flagged when something actually needs to be taken care of. I'll wrap up by saying these large organizations, and I group CISOs into two different buckets here. There's those who are excited and looking for these types of solutions and there's those who are not receptive to them yet.
Do organizations still need people to double check the work

(13:44):
of the AI platform?

At this present moment? The answer is yes. However, we are going to bet big on a future where LLMs are going to be able to handle this very manual part of security for us.

Let me give you a little bit of context. Whenever I use ChatGPT, it helps me a lot.

(14:05):
I save a lot of time by using ChatGPT, but on certain tasks I always have to double check and it creates more work for me. So are we at the stage where, yes, AI has the potential to catch all these vulnerabilities and to take the work off of the SOC analysts or the security analysts, whoever is doing the

(14:28):
work or managing the solution, duplicate their efforts in that they have to triage, but then they have to double check that the AI did a good job of triaging, which some may, some

(14:50):
CISOs or some CTOs may look at that and think, well, now you've not cut my workforce's work in half, you've kind of doubled their work. What would you say to that CTO or that CISO?

I think this example with ChatGPT is easy to understand for everyone. It's not just specific to security people. If you asked ChatGPT to show you what the score is on a

(15:17):
basketball game and it spits something out, maybe it's not accurate, right, it's not pulling the right data, you definitely double check. At a certain point, there will be a trust element to using tools like this.

Right, right, and that's ultimately what it comes down to. That's ultimately what I'm asking: how much should they trust it?

This is a good time to say, how long have we been using AI tools?

(15:39):
Yeah, since the really exciting, maybe ChatGPT 3.5, came out. Five years maybe, if we were to look at the timeline for where this could be and how this changes businesses in the next hundred years. We're in the very beginning, and so right now I think it is exciting and I think companies that adopt these types of tools

(16:01):
and these types of practices are going to get ahead.

(16:21):
So vulnerability scanners may miss a lot in an environment because you might have a server that's sitting in the basement that's collecting dust, that nobody's really unplugged but nobody really knows what it does, and so when you implement, at least traditionally, when you implement a vulnerability scanner or some sort of vulnerability management solution, one of the costs just associated with that is missing a lot, not being able to find all of the vulnerabilities that

(16:43):
are affected, and I know that you guys have a very unique take on this and you've kind of built a robust philosophy around how you deal with security debt. So, in the time that we have left, how can companies curb the costs of just missing stuff in their environment?

Great question. Security debt as a concept, similar to technical

(17:08):
debt. These are, I like to call them, skeletons in the closet. The security organization for a long time knows that they have vulnerabilities and they let them collect cobwebs. This is huge risk for their CISO, for their organization, and these need to be addressed. The costs associated with this immediately, by leveraging LLMs

(17:33):
and triaging these vulnerabilities, are cut down massively. If you were to put one security engineer on a code base that has, a decently large one that has a million lines of code, it would be their full-time salary to go through and sift and find these vulnerabilities and a huge waste of time and probably

(17:53):
their skill set. If we were to use an LLM-powered vulnerability management solution and sift through these vulnerabilities, allowing it to do it, the time to accomplish and find the vulnerabilities, the ones that we know are there, identify how high criticality these are to solve, and then find the ones

(18:15):
that we didn't know were there to solve a huge problem, a huge point of attack before a breach occurs, but also building and

(18:35):
securing your posture before going for potential compliance frameworks.

Yeah, so time to value is pretty high, or at least it should be, and I'm going to call this vulnerability management 2.0. Is there like an official name for the new way of doing vulnerability management, with AI involved?

You know, I like Vulnerability Management 2.0. I've also been saying this for quite a bit of time.

(18:56):
You know, we've been doing security one way for a long time. We're having a revolution.

Yeah, the vulnerability management revolution has begun, and on the battlefront of that revolution is Pensar. Kyle, thank you so much for joining me on Cybernomics. Thank you for being gracious with your time. If people want to find you and learn more about Pensar, how can

(19:19):
they do that?

Yes, they can go to wwwpensaraicom. I am on LinkedIn, Kyle Bhiro. I'm happy to chat with anyone who has questions. I love this space. I think it is probably the most important problem in the world. Feel free to reach out.

All right, and I'll go deal with my vulnerability issues, the

(19:39):
emotional ones, right after this call. So thank you so much. Thanks again.

Great, thanks, Josh. Thanks for having me.

Thank you.

© 2025 iHeartMedia, Inc.