Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
One of the biggest problems in many organizations in the world today is the lack of automation.
(00:05):
How do you create a culture of cyber security?
How do you educate the human?
In cyber, I guess you wholeheartedly believe that you are wonderful.
You can't do the NIST prepare response.
You need to be able to determine one key factor, which is can my staff identify a malicious
(00:26):
wanted. And if you can do that, I think you are ahead of the game because you can then stand
up and say hello 75% of my staff are able to clearly identify malicious.
Welcome to the Executive Connect podcast, where we will explore cutting-edge intersection between
AI and cyber security. Omar will discuss how AI transforms our defense against complex cyber
(00:53):
attacks. Whether you're enhancing your company's cyber security measures or keen on the latest
digital safety, Omar's insights are your guide to navigating today's dynamic cyber security
threat landscape. Welcome Omar. Greetings everybody, Melissa. Thank you for having me here.
We're so excited to have you here. I read recently on a Google study that 63% of security
(01:21):
professionals believe AI will improve corporate security from your perspective. How can
organizations integrate AI in a way that complements their cyber security team strengths?
Wow, we could be here for several hours. So I'm going to give you soundbites.
Even if we keep the age of AI to one side, one of the biggest problems in many organizations
(01:50):
even today, Melissa is the lack of automation. Now, I say it's not lack of automation, I say it's the
belief in automation, the fear of automation. Right? So AI, I think, is already offering quite a lot,
(02:10):
has a lot more to offer, but what may be the biggest roadblock to implementing AI for the benefit
of security? Maybe the fear of what AI may do. And to summarize that, the best way to summarize it,
the fear of interrupting business, right? If you're an e-commerce business, if you're high transaction,
(02:35):
business, if you're a critical national infrastructure business, right? You don't want AI switching
off the nuclear reactor just because it's seen something. So I think there are loads of benefits of AI,
and we're going to discuss many other challenges and opportunities, but in summary, I think
(02:56):
organizations need to embrace AI, but that fear of disruption and interruption by AI is going to
be a massive roadblock. Yeah, absolutely. I think you touched on it. So just jump in right into the
(03:16):
risks of AI. So from your perspective, are there any, I know there's a lot of risks we hear that
is going on right now in the world of cybersecurity, but from your perspective, and AI, are there
kind of the top potential risks? And how can companies prepare for some of those risks with using AI
(03:36):
tools?
Yeah, so I think one of the threats to AI, and this may be a general statement, if I may, I think,
(03:59):
but especially in cyber and IT, one of the threats to AI is the lack of available data,
am I making sense? So, you know, ChatGPT and Bard and Copilot all brilliant, because they have
access to a lot of data that they are learning from. But now imagine a large organization or a
(04:21):
medium-sized organization brings in AI, but they're only monitoring 25% of what they can monitor,
if you see what I mean. So, you now have the situation where 75% of their data is not being monitored.
And then you add to the recipe, the complication of privacy, maintaining that privacy of an
(04:44):
individual of staff members of clients, you add additional pressure on AI, not accidentally exposing
something, which it might very well do, because we are still quite, you know, relatively early days of AI.
Am I being saying, so the risk of privacy, the risk of not having sufficient learning data of an
(05:08):
organization, because it costs a lot to gather the data and store the data, and then you got the cost of
AI where you need unlimited CPU, you know, to constantly keep learning. I hope I kind of captured
some key risks there. Yeah, no, no, you make a good point. I talk often about education. I think a lot of
(05:35):
times in cyber security, a lot of the IT teams I deal with, their job responsibilities used to be
very clear, you know, set up computers, put the ink in the printer, set up the desktops, keep the
infrastructure up. And I think as cyber security becomes front and center in the world today, AI,
(05:55):
you know, layering in AI tools, I think a lot of times, you know, it's easy to say, well, this, you know,
we had a ransomware attack, it's this administrative assistant's fault, or it's this other marketing
person's fault, but I do, you touched a little bit on it, education, it's such an important part,
your employees are your first line of defense, they're the first way in. How do you create a
(06:22):
security-centric culture where everybody in the organization, whether you're proficient and
understand AI tools and cyber security, or whether you're an HR in marketing and cyber security is
not your forte, how do you create a culture of cyber security?
(07:06):
How do you educate the human?
It's a big a question to me, you know, and I think some organizations do it better, but it's also a
human problem if I may, what I mean by that is your staff member has to meet you halfway, so
(07:28):
you know, they've got to be interested in learning, but one of the key mantras that I give people
is one of the key KPIs that performance, if I may, is can your staff identify something malicious?
Am I making sense, right? Yeah. Phishing, you know, we can be three years from now and phishing will still
(07:49):
most likely be the biggest entry vector for criminals. So, so I think education is absolutely key.
It's changing the interaction, the ability to automate the gaming, etc. I think different cultures
have different challenges, organizational cultures, but unless you can determine
(08:13):
after all of that education is my staff actually educated, right? You need to be able to determine
one key factor, which is can my staff identify a malicious content, right? And and if you can do that,
I think you're ahead of the game because you can then stand up and say hello 75% of my staff are
(08:37):
able to clearly identify malicious content. Yeah, absolutely. I think there's great
cybersecurity learning tools and I know from my perspective, I used to get
phishing emails where it was abundantly clear that they're phishing emails. Maybe Microsoft was spelled
wrong or the logos were wrong or it wasn't a complete sentence, you know, fast forward to all these
(08:59):
fantastic AI tools that are out there. Now people that, you know, English is not their first language,
they can create a phishing email that is harder to spot. I know I've received one recently that looked
exactly like me and how I communicate. They had basically taken something I posted on social media,
(09:20):
reworded it and sent it over to me. And even I working in cybersecurity regularly, I was shocked at how
good it looked and how easy, you know, my first instinct was to think it was real.
And and and if I may build on that, I think where AI today can add a lot of value is in these kind of
(09:47):
not just for the spammers, if I may, but for for us because AI is adding tremendous value as you
highlight Melissa for the the the average spammer who has to create really good email, they are now
I'm absolutely as you identified, I've seen emails that are absolutely brilliant, right?
(10:08):
In terms of the phishing, you know, approach and trying to trick people. But I think on the other
side of the fence, organizations should start embracing AI to combat the AI coming in
from the other side of that makes sense. And and that that's where you would get tremendous value,
(10:30):
but I repeat, we speak to different types of clients, the fear of AI, you know, taking over
the, dare I say, the Terminator Skynet fear, which may be true five years from now, etc, but right now
that that that fear is keeping people away from what AI can absolutely do.
(10:54):
Yeah, absolutely, and I think you know, we talked a little about education and kind of pivoting a
little bit, you know, AI is just a tool, right? People are using the tool and it takes people to use
the tool to make them work just like cyber security tools, people have to run tools,
to scan environments. And so I think it, you know, I look at it as just another tool for my toolbox
(11:20):
and not something to be fearful of because people need to use the tools that are in their toolbox
and tell the tools what to do. I think also just, you know, kind of switching gears a little bit
and talking about third party. Like I'm also fearful from other third parties now and how third party
(11:41):
risk management is really crucial in organizations now. So managing their vendors as well. So it,
you could have a great, you know, cyber security team, you could have great tools, your people can
be trained, but now there's third parties that you're letting into your environment. Can you address
a little bit about third party management? Wow, that's that's a full day. I think the third party risk
(12:08):
is going to be probably has always been and will be and you know is the biggest Achilles heel if I may,
right, of any organization. And part of that again comes to lack of trust in organizations saying,
okay, here are the documents you want. Don't worry, everything's fine. And, you know, sadly,
(12:34):
the few things that you can do with third parties are contractual clauses, right? Now,
in the EU and UK when the GDPR became very popular in the initial days, there was one very
interesting clause that was called right to audit that many people managed to put into their new
(12:55):
contracts. You know, I would say you should add right to on-site audit. So if you're dealing with a
massive third party supplier who manages your IT, for example, not just right to audit, but I think
you should visit their site to get a feel of who is working there. You know, I think this opens a
(13:18):
massive Pandora box because because of working from anywhere after the pandemic. Many third parties are
now have allowed their staff members to work from countries that may not be hostile. Sorry, that may,
that may be hostile, you know, to the West. And they themselves don't know because, you know,
employee now works from Asia, but now moved to a different country in Asia. How do they track
(13:41):
that risk of staff working from hostile countries? So if you add, if you add all of that and then
you rely on the third party coding your application, supporting your AI, you know, data, I think it
opens a bigger box to manage than as I would exist. Yeah, and I, great point, GDPR is one of the,
(14:10):
you know, a frame, another framework. There's lots of them in cyber. We've got NIST. We have
CMMC now that's come out. We've got new PCI standards. There's a plethora of frameworks to
comply with. And if you're in, you know, healthcare, you have HIPAA compliance and other, there's
other banking compliances. And so I think it's just a lot now for organizations to say, okay, well,
(14:32):
we might adopt this framework, but we also have to pay attention to, like you mentioned, GDPR
or HIPAA compliance. And so I think it's becoming more tricky to navigate and, you know, layering on
again, IoT, Internet of Things, you know, how can companies effectively implement strategies for,
(14:57):
you know, shifting innovation at IoT AI? How can they, you know, maybe the better question is,
how can they manage that when you layer technology with organizations that may be on-prem and never
use the IoT devices? Again, a brilliant question. And I think if you look at it from the digital
(15:25):
innovation side, you know, embracing IoT, embracing technology is brilliant. But what most people
don't understand, and this may be a problem where many people who are driving digital transformation
don't necessarily understand digital, right? They just want digital, right? You know, and I think
(15:47):
COVID did a good thing in a way. It forced a lot of digital transformation. If that's one of the
good things that did, but right now I think if you want to embrace IoT, you've got to ask yourself,
how will IoT destroy my business? Am I making sense, right? So that's the same kind of strategy we use
when we do tabletop exercises with clients or whatever, how do you destroy your business? If you can
(16:11):
figure that out and then you can work backwards to try to mitigate those risks. So if you're embracing
IoT for whatever reason, that's brilliant. If it's going to help you increase your profits, all of
that's brilliant, but you've also at the same time as a risk assessment, say, what's the worst case scenario,
(16:32):
will it have a devastating impact in my business, on my business, and then try to mitigate that risk
to make sure that you can still IoT, but at least you mitigate those risks.
Yeah, absolutely. It made me, when you said that, it kind of made me chuckle a bit because I know
in industries that I work a lot of times, the marketing departments, which I love marketing,
(16:56):
and I love marketing departments, but they'll have grandiose visions of kiosks or apps or things
they want to implement. And the IT departments are like, wait, we need to get involved before we just
open things up for you. So I chuckle because people that are in the IT as a general term and marketing,
(17:19):
don't always see eye to eye with these, like you mentioned, what's the worst that can happen, focus
there, and then work backwards. So I think when we look at cyber threats that are constantly evolving,
and they're constantly changing, which would affect not only your brand, but your IoT devices,
everything that encompasses an organization. So I think emerging threats are always on my mind.
(17:48):
I'm always concerned about my own personal life and my bank accounts, my home, my things.
So is there, how can companies develop resilience against some of these sophisticated
cyber attacks? Yeah, operational resilience, a massive, massive topic, we are kind of specialists
(18:10):
in that area. I think the best example, if I may, the biggest natural threat in Japan, I want to
pick on Japan as a country, it's a beautiful place, but the biggest natural threat in Japan is earthquakes.
Now imagine if you and I lived in Japan and we operated an organization there and we declined
(18:31):
any preparation for earthquakes, am I making sense. I hope everyone listening in and you
agree that that would be absolute stupidity. Living in Japan, operating in Japan, and saying,
nah, what are the chances of an earthquake hitting us? Now, if we take that same logic, if you want to
(18:55):
operate in cyberspace, you're going to be hit by earthquakes in cyberspace. If you don't acknowledge
that fact, because we do, we do a very, very popular training called cyber incident planning and
response, and we actually do this for clients. One of the biggest learnings, Melissa, is
you and I can be sitting here planning for an earthquake, but if you and I and all the other participants
(19:17):
don't believe that we are going to be hit by that earthquake, then the planning session is going to be
boring and it's not going to be interactive and the participants are not going to absolutely put
their mind to it. So whatever people are doing, if they want operational resilience in cyber,
because people are very concerned about flooding, building, not being available, that's all where
(19:44):
humans can, even non-technical humans can understand, oops, my building will not be available,
so I better plan for that. I think when it comes to cyber, many non-technical people, and sometimes
they say techies, are guilty of, either techies are guilty of over trusting technology, and
non-techies are guilty of, I've given you one million dollars, why should I be attacked?
(20:09):
Now, they're not going to say that in Japan, because they're going to invest that million dollars,
but still understand that there will be an earthquake and the building might be saved,
but they still need to prepare. If I make sense, right? But in cyber, unless you wholeheartedly
believe that you are wonderful, you can't do the NIST prepare response, right? Because
(20:34):
you believe that nothing shall happen to me if I put enough money in it.
Right, yeah.
Am I making sense? Yeah, yeah, absolutely. You also made me think when you were saying that,
I was with a friend of mine this week, and they were saying,
I have six credit monitoring subscriptions now, because six separate companies that were just
(21:01):
attacked had hit them from healthcare to their banking. So, six of them in a,
less than 90-day period, and so I'm thinking from their perspective, they were, they sent this
individual an email that said, "Clean up your password, that's going to fix it." And so I think of all these,
(21:27):
it's a good point that you don't want to set up shop in a place that has earthquakes, has a lot
of these challenges, but you also don't want to set up shop in a way that you're not clear,
like you mentioned with what your goals are, right? What are, what are we trying to protect? How are we
(21:50):
going to protect it? I also think about, you mentioned a little bit about GDPR, like transparency
in people's data. So I'm kind of touching on a lot of different points here, but I think of like my
my data with, you know, the companies that I do business with personally, and I'm concerned,
(22:11):
right? I'm concerned that, yes, I've gotten great password hygiene, I've got, you know, but they have
my data either way where I live, what my social is, when my birthday is, all my, my private data,
no matter how great my password is, and how I'm using their mobile app, they still have my information,
and how, how can I, as a user of these products, whether it be banking products or healthcare products,
(22:38):
how can I, as an end consumer, feel safe putting in my information into these IoT mobile device
apps or websites? How can I feel safe? So from your perspective, maybe the question is, you know,
I always, everybody says, "Robust passwords the way." You know, and I kind of juggle because
(23:02):
this not just passwords, it's understanding where your data is going and how it's being used as
well. So maybe I don't know if you have any thoughts, kind of following up with, kind of like
password protection, slash security of people's information. Wow, this is a really very good,
(23:24):
very good question again. I think, I think, quick takeaways, one, everybody should be using a
password manager, right? That's, I think, a baseline, whether you're technical or not, it doesn't
bother, in my opinion, everyone should have access to a password manager. That's number one. Number two,
(23:45):
the recipe in my professional opinion is very simple recipe for passwords, easy to remember,
difficult to guess, right? Okay, and the problem with historical password, you know, education was
super complex password with 20 characters, ABC, one, two, three exclamation mark,
(24:07):
ampersand, who is going to remember that, right? So in the end, that broke the principle where it was
easy to guess and actually difficult to remember the other way around. So, so for everyone listening in,
I think one, you need to get a password manager because the good news, Melissa, as you know,
majority of password managers, these days are warning users that it's a weak password,
(24:32):
that the password has been breached on, you know, this particular website, etc, etc. So that is
making people more secure because it's in their face, you know, the password manager,
I'm not going to name any particular brands, but majority of them are informing the user,
(24:54):
don't use this password because it's too easy to guess, etc. So, so is difficult to guess,
but very easy for someone and the best way and the best advice today is use three or four
pass phrases, three or four words as your password. So, you know, if you like Harry Potter books,
(25:17):
for example, or any book that you like to read, remember page 54, paragraph one,
and, and take five words or three words from that paragraph one.
Well, that's a good idea. I think I think I'll use that, Marr, it's really great,
really great idea. Might or long, but not that long, so I probably need to tighten them up.
(25:47):
One thing I hear a lot in cybersecurity from people I work with are, it's how expensive
cybersecurity is now in all industries and all spaces and a lot of times people will say, well,
we're a non-revenue generating department, we're not like the marketing department that's
(26:07):
doing this to the sales department that's bringing in business. We're just IT. So,
can you help me just from an ROI perspective? What, how do you talk to your clients from an ROI
perspective and looking at cybersecurity as an investment versus a cost?
(26:32):
Very good question. I think we've got to break it down into two buckets if I may. One is
practical security, and then as we discussed earlier, the other is about monitoring, detection,
and response, right? So, let's look at it from the practical angle. I think there is
(26:53):
the two frameworks, if I may, one of them is the UK's framework called cyber essentials.
It's a very, very tiny framework of five controls.
The other one I really like is the US. You must have obviously heard about it. The Center for
Internet Security. It used to be called SANS 20, but now it's CIS, and I think they are now 18 controls.
(27:16):
Now, we work with a lot of clients, and if you look at CIS 18 for the majority of those controls,
you can do a lot of good things without significant investment. Am I making sense with that?
Absolutely. Because one of the fallacies in techie and non-techie minds is if I throw
(27:37):
enough money at cyber, we won't be hit by the earthquake, right? Which is a fallacy. So,
if you take a step back, don't throw any money at what you have, but actually take a practical
approach similar. And I think if I may introduce one sound bite, to me, this is probably the most
(27:57):
sound bite, no access, no hack. Now, what does that mean? That means if you can control
access, oh, access control, right? Who has access to what and who can do what?
It may be a boring topic in the grand scheme of next generation, AI, etc, etc. However,
(28:21):
majority of advanced criminals, even nation states, in most of their attacks require privileged access.
Right? Now, yes, they require unpatched software, I agree. But if you follow a life cycle of an attack,
for the non-technical people listening in and for the techies, if you can control access and
(28:46):
limit access, you are significantly at a very low cost, increasing your protection.
Number one, number two, everyone's heard about it, two factor authentication. Now, many people will
say, yeah, yeah, yeah, we have switched it on, but they need to ask one question in the organization.
(29:09):
If an administrator, Melissa, switched off 2FA, would they know? Seems like a very simple question,
but and let's assume the administrator is, he or she or they are, you know, non-malicious,
but they may accidentally switch off the two factor across the organization because they can't
(29:34):
get their work done, so they may have done it accidentally. It goes back into that question,
do you, would you know if someone switched that off? Why am I bringing these two topics here?
Because similar to what you're saying, for an immediate ROI, right? This practical approach of
no access, no hack, and when would you know, or would you know if someone from the administrator side,
(30:00):
the system admin, the techie, switched off 2FA, two factor authentication because they wanted to
get their job done? These two can give you, without significant investment, significant return
because you are controlling who can do what? I love it. That's a really good piece of advice.
(30:26):
I love it. That's spot on and I absolutely agree. I think, yep, yep. I think that the other thing too,
I think low-hanging fruit is is education, basic, like, what are we clicking on?
And just, you know, companies shouldn't be sending out some of the emails that they're sending out now,
(30:52):
you know, offering free Starbucks or those kind of things. If you can't control it,
and people are clicking on everything, you need to get, like, a report card, right?
Okay, we did a phishing exercise and when we have 100 employees and 85 of your 100 employees
clicked on something, we have a problem, right? I had to do this, Melissa, sorry to interrupt you.
(31:14):
Yeah, yeah, definitely. Here is another really interesting and important sound bite,
because humans are humans and we are going to do what you are saying because, you know, I put my
hands up, I'm, you know, although I am, like, yourself more paranoid, I may fall for a phishing email.
I think the key is, can I admit to you? Can I phone the boss and say, hey, boss, I made a mistake,
(31:40):
because I can only do that if I can identify, am I making sense. So, identify and admit is that
sound bite, I regularly tell my customers, you need to encourage one, your staff needs to be able to
ah, oops, I fell for this, but they also then need to be able to either hit the report button or
(32:00):
admit by email or phone saying, hey, boss, you know, last Friday, I was really tired, oh, I was at
the pub and I opened an Excel macro that rebooted my laptop. I mean, that's gold dust, you know,
but the question is, are your staff encouraged to own up?
(32:23):
That's a fantastic point because you're right. I made me chuckle again because I have done that myself
or clicked on something or, but I think it's, it's, you make a great point is, is creating a culture
where it's okay to make mistakes because we're all human and bringing it forward so we can fix
(32:44):
the problem instead of scared and sweeping it kind of under the rug because when we do that,
that's when the big problems happen and people get into our environment and they sit for
for days, weeks, months and they learn what's going on in our environment, then they make decisions.
So I think that's a really, really good point. I'm sitting here thinking like, what are the top
(33:05):
things that are low-hanging fruits for companies that don't cost anything that they can do? We've just
given a few of them, right? That they can low-hanging fruit, creating a culture where they're able to
bring that forward or they're leveraging a managed security services company where they forward that
(33:26):
over. They look at it, contain it, clean it up, make sure nobody else clicked on it and they investigate
it. And I think the sooner that those that you can have your people feel safe, like you mentioned,
to forward whoops, I made a mistake, the sooner your organization can fix it and get the smart people
on the phone to figure out what happened, if anything. Absolutely. Yeah, so just a couple final things,
(33:55):
I know you mentioned some really good tips and tricks. Anything else from your mind, maybe that we
haven't discussed that companies across many different sectors can focus on, that's low-hanging
fruit from a cyber security and AI perspective and closing thoughts. Yeah, absolutely.
Related to access control and I know this term has been used or abused by marketing companies and
(34:19):
agencies, zero trust, right? You don't, okay, and the problem is zero trust is, again, it's one of those
things, would you challenge someone who has worked at your organization every day for 10 years?
In the zero trust culture, you would, right? Because if that individual didn't bring his or her
(34:42):
pass, they shouldn't be able to enter the organization as an example. You know, it's fairly, you don't
need great technology, it's more of a cultural organizational, cultural and human cultural issue.
But if you can, that's when again, and it relates to access control, isn't it? Because imagine
(35:06):
me telling you, hey, Melissa, I just need access to the AD. It's a Friday evening. You go, yeah, I know
more, you know, I'm going to give him access. Instead of saying, whoa, Friday, why do you need access,
a more? Where is the change control? Blah, blah, blah, you know, it's that if, if you can implement it,
(35:27):
again, the ROI on this is because it just simply makes it really difficult to then succeed in an attack.
I think that's one of those, this things, but yeah, the other one is look at CIS 18. I absolutely
love that. A lot of it, a lot of what CIS 18 can be done on the cheap. It's again more of a,
(35:48):
can we, are we willing to say, you know, no to someone, are we willing to tighten access control?
Are we willing to remove unwanted apps? For example, Melissa, you know, are we willing to say for
corporate people that they cannot install apps without their permission? It's this balance of
(36:11):
everyone wants to be very digital and modern, but then again, every, you know, at the same time,
you'll be asking them to be more, more restrictive, which, dare I say, the younger folks may find
very irritating, but, but I think if I made this close this, the good, the benefit is if someone doesn't
(36:32):
is not allowed to work, you know, CNN or BBC from their website, most people have a separate
smartphone or tablet that they can use it on. So that again, very simple process of why do you need
this website, go and surf it on your own phone? Yeah, and you make another really fantastic point is
(36:54):
if, if you're not sure as, at the IT department and you don't know, and something seems off, ask,
and get your employees on the phone, ask them, why are you doing this? Or why are you putting a
USB key at 12 o'clock at night in your computer and offloading all your files? If that's happening,
(37:17):
that's a problem, right? And ask the person. And maybe the person's like, hey, Amar, I'm presenting
next tomorrow. I need to get these PowerPoints on this USB stick because they need it that way.
And they're like, okay, make sense. Yes, right? Because it could be the other way. They could be doing
things, not for the right reasons. And so I think you make a really good point. I always say,
(37:43):
trust but verify in the industry is trust your people, but verify when things aren't up to the
sniff test and ask. And at the end of the day, I know I, you know, I spent a lot of my time in,
the sales marketing strategy kind of kind of role. And so I'm not a delivery person in my career. But
(38:07):
a lot of times people have asked me, Hey, Melissa, what about this? And I'm like, oh, it's this. And
but they've asked. And I've been able to explain. So I think you nailed it, you know, ask and wonder.
On the AI front, if I may have just thought one more thing, you know, one of the challenges with AI
right now is, and this is not an accusation at any company, but I can, I can confidently say
(38:31):
everyone's now saying their product is AI, you know, right? And it may well not be AI or true AI
like ChatGPT or Bard or Copilot, right? So this, this, this again, then creates this
snake oil industry where as long as you say AI, your product will be sold, but the end user may not
(38:54):
actually see the benefit. And that itself then, you know, reduces the trust on what could be true AI.
Yeah, in AI is the buzz word right now. Everybody's in AI and even in cybersecurity, everybody's
in cybersecurity in AI right now because they're the popular topics, the shiny things. And, you know,
(39:16):
we, you know, if we're five years from now, we look back and there's, there's going to be a lot
of convergence in that space and some will survive others won't. I think of it, you know, similar to
the rise of, you know, tech companies and which ones are still standing and which ones are acquiring
the others. And so I agree, I think it's a popular shiny thing now is we're secure and we're using
(39:40):
AI. So I think everybody's kind of using that now, but companies like Microsoft, like you mentioned
Copilot and ChatGPT, there's a lot of companies that are embedding some of these tools into their
products. So I think it's great to use them. But yeah, you make a good point.
Any final thoughts before we close? I really appreciate you being on Executive Connect. Anything,
(40:10):
maybe top three things you want to share with the listeners before we close?
Yeah, I mean, I can easily do that. Thank you so much for having me here. I think one, as we said
earlier is access. You know, it's a very good return on investment and you can do a lot of it on
the cheap who has access, restrict access. The second point I would say is you have to admit that your
(40:34):
organization will be attacked. I know I don't normally say will, but you know, the likelihood is very high.
So you've got to focus on not just protecting or building a wall, but actually how would you
detect and respond and recover? So those are the kind of things I would say. And like I said,
(40:55):
you know, certainly yourself on something like CIS-18, for example, and in, you know, very
popular international framework and try to map and align yourself. Dare I say, and I know I'm
going to go on record here. ISO, the standards are too onerous. I think CIS-18 is probably the best
(41:15):
most and NIST obviously, but CIS-18 is a control framework. I think for many organizations is very useful.
That's great. Thank you so much for being here today, Omar. I know you're a busy man.
And that's the Executive Connect podcast.