Panel | AI in Cybersecurity

We just go fluently over into the panel. So you heard Thomas J already talking about ai. I have two more very, very qualified CSOs in the room that will join me for the panel over here, Andrew Ka Val from Vodafone Business head of Cybersecurity, welcome, enter, and then Maxim Bill. And you saw him yesterday already being on stage, the AE group, CSS O for N 26. And virtually we have Thomas joining as well. But we are used in the meanwhile to do those things virtually and physical. So building Thomas on what you just said in response to Max's question, Bert's question as well. Let me start with a bit of a warmup question to all of you. And we start with you Max over here. And you're allowed to say more than one word, but AI threat opportunity,
Both
Two words.
So I definitely see and and understand why AI can be a threat for certain things. Like, like just Thomas also said for, yeah, there will be potentially jobs being impacted by, by the rise of ai, but on the other hand, we will have other opportunities that AI will bring, right? New job opportunities. We heard this also during the last two days. Basically, you will have new jobs like prompt engineers now that will basically try to come up with the right terms to feed the AI so that you will really get the results that you will really need. And of course, other opportunities that we have in technical areas, technical advantages like writing a program, but then also writing a secure program by an ai that will be a whole different area where we will see, again, threats, but also opportunity. So I think both
Andre, threat opportunity,
Massive threat, huge opportunity. And, and it, and I think it comes back to something Thomas talked about, right, was actually the differences in the scale. You think about how AI is being used by cyber criminals at the moment. It's, you know, they're automating the early stages of the kill chain, right? To drive noise and volume of attacks. It's also being used to drive huge information, operations, misinformation, and fake news. Next year in 2024, we've got 40 major elections around the world, 50% of the world's GDP starting with Taiwan, us, India, possibly the uk, right? A series of elections which could be hugely influenced by information operations and fake news driven by AI at scale, right? And the US elections in 2016, or I think, you know, the, the estimation was 25% of all the data was fake news linked to fake news sources. 15% was block driven.
I think we're gonna see that huge threat at scale, but I think the opportunity though, talks directly to something we, we we addressed, which is that talent gap, right? AI will not take the role of a ciso, but what about organizations who do not have a ciso, right? We look at it across Europe. If you look at even the SME space, I think there's a nearly 20 million businesses, organizations who do not have access to security advice. So how do they get access to security advice? Can we place, you know, a virtual ciso, a you know, a co-pilot, a bodyguard next to those people who can give them advice about what to do, about how to understand phishing attacks, how to remediate attack, how to respond in real time. So I think the opportunity is really there is to help people who don't, not to replace CISOs, but to scale CISO capability to places where, you know, it would never reach otherwise.
It's interesting, I was talking to Mark Hoffman yesterday about this, and he mentioned that one of their first use cases is to have an AI telling the IT person what controls to consider for that type of tool. Yeah. So there is a lot of opportunity. Max, before you respond to that, Thomas, I wanna just sort of conclude the first threat opportunity question. And any additional thoughts on, on top of what the tool guy said and what you said earlier,
I'm not so sure whether it's a threatening opportunity or opportunistic threat. So maybe it's both and it's happening already. Yeah, that's, that's the truth. Yeah. So if you see for instance, a major software supplier, take one out of the US west coast providing a software update, what they're telling to the customers is here, this is critical software update. You should implement it very fast. What they don't tell is how the vulnerability behind works and what is the, the threat in detail. And what we see these days, and this is totally different than in the past, is that couple of hours after the software was released, we see full automized attack scanning the entire internet. And in the past, let's say five years ago, it was months between the release of in critical update and the first exploits we, we saw in the wild, and this is become true just because of automation. I won't say ai, but because of automation also on the threat actors. And now think about what it would mean when using really ai, which is much easier to use. So we need to catch up at the defense side with the technology, but I'm clearly would say it's also a huge opportunity for us as a community to build new kind of capabilities here.
Max,
I just wanted to jump on what Andre said regarding the, the organizations that don't have a ciso, right? So you have people out there already that offer their services as a vcso, right? Like a virtual ciso. So this has a whole new meaning now, right? You could write AGPT that is a vcso GPT now and offer it up to, to everyone out there using it, saying, acting like a ciso, what should I do in this, in this, in this case?
And I think that's exactly the point that Thomas brought up. But you know, I think hit some of the real highlights in his, in his talk part part of that for me is, is this a trusted virtual ciso? This is a trusted avatar, right? And, and if so, then I can understand, I can, I can believe that, you know, the, the playbooks, the advice, the options I'm being given come from a, you know, a trusted space. You know, I wouldn't want to just, you know, ask anybody, ask the, the Microsoft paperclip what I should do with my, you know, with, with my environment or my controls or I'm remediation. But I think for a lot of people, a lot of organizations, just a simple question, right? Is this phishing or not? And getting an answer with a 90, 95% probability is a really big step forward. You don't, you need in the moment prompting and advice as well as I think some CISO guidance.
And that's, that's, that's the one you said before. Andre is super important coming back to the deep fake point, and Thomas is one of the major advocates of cybersecurity in the German market. Nearly everybody knows that in that space. And a lot of not, not only your clients Thomas know us well. So if you are deep faked giving guidance on what to do for those companies who don't have a ciso, good luck. Yeah, there will be, there will be a lot of damage coming out of that. Yeah. So that's why we need to be mindful. We, I think we're all about, sorry,
It's not only that, it's, it's also if, if you ask Jet GPT, just a simple example, how to build a bomb, you won't get an advice if you ask how to protect against the bomb and ask some more questions around you. Get also the advice how to build a bond. And this is exactly the topic of the trustworthiness of those kind of models and how to ensure that in the future, this is an unanswered topic in my view today.
Absolutely. By the way, anecdotally, if I ask Jet g PT as a bank, whether I should block it or not, it depends on the way of asked the question, you get a yes or a no. So you can use Jet G PT even to educate yourself. So we've talked a lot about the threat. I, I want to have sort of one more round talking about the opportunities, some of those were mentioned, but where are the big opportunities really for us as CSOs or for us as a sort of cybersecurity community to make use of ai?
So, you know, this is one of the topics that we are always talking about and always hearing is this topic of human factor, right? So the human factor in cybersecurity and security in general and why this is so important. So I guess one of the main benefactors of AI could really be in terms of training for people, how to train them properly, maybe even train them at certain times when it's specifically needed. So an idea that basically just popped into my head was an AI solution that could maybe be on your laptop, right? Or even on your smartphone and checks if you are either at home or in the office or not at all in you are on the move somewhere and then tries to determine what you're looking at on your phone or who you are speaking with. And the contents of what you're speaking about is proper for the situation in the location where you are. And then just basically either just shutting down the machine because it's saying, look, you're sitting in a train and you don't have a filter and anything on the screen. So we just, I, I'm just shutting off now, right? Of course. Not so easy to implement properly. But that would be something I would say is a good kind of more like preventive measure for humans as well to leverage an AI capability for scenario based trainings.
We often say there's no patch for people, right? But I think AI is the patch for people, right? You know, artificial intelligence, human stupidity there, there's a lovely link between the two. But who would you most trust? A stupid person or an artificial intelligence, right? And I think therein, you're absolutely right. So upfront thinking about how you provide real time in the moment, guidance to people to make risk-based decisions, right? All of us in the room know that humans are really bad at making nuanced risk-based decisions, you know, we jump off buildings, we cross the road when we shouldn't, we drink and eat things we shouldn't, you know, we, we are really bad at making risk-based decisions, right? AI guidance can give us those in the moment, nudges, and I think on the other end you talk about preventative measures, actually speed of response and automation of response would change the operational heavy lifting for security teams, right? Our security teams, the more we can automate the playbooks always has to be a person in the loop, right? The more we can do the operational heavy lifting, right, the better we will be at patching people and systems and networks and infrastructures. So I think, you know, there, there's a, there is an opportunity there to change the operational way we engage with users, but also how we change like the efficiency and effectiveness of our delivery teams.
I like the example Anthony from Elastic this morning brought up right where he basically was showing that these alerts they, that were popping up in, in their Zoom site could already be automatically through AI transmitted back to the source, to the employee asking, Hey, we saw this alert, was that really you was, do you have like a justification for this action? And if you put something in and send it back, it goes through and says, yeah, okay then that's fine then we don't treat this as an alert, but as an, as a false positive, that would've been a couple of really huge human steps to take
And it changes the speed of reaction, right? Yeah. At the moment, the route, I dunno what your organization is, the round trip on a phishing email is he's, you know, a normal employee looks at it, doesn't know, sends it to the phishing mailbox to get a response back in two days to say, no, no, that was okay, or no, that wasn't okay. Right? I don't think in today's world, a 24 hour, 48 hour round trip for something critical like that is appropriate, effective, right? But in the moment, direct response is where we need to be. Yeah,
I agree, Thomas.
Yeah, I think we don't even have a clue about the entire benefit we get in the future. And taking just different example, think about a surgeon surgeon looking for breast cancer, for instance, judging on x-ray pictures. So there's already technology existing, which can do much better and see also more tiny details than a surgeon could ever see. So this is clear benefit coming out of pattern recognition, right? It's, it's technology we used in cyber defense as well. So the same kind of technologies now for good and, and really for, for helping and supporting people on their health. And eventually we'll also learn a lot in this disciplines where we could shift back to cyber domain, which we can use in cyber domain. Like, like we worked a lot with our t labs in Beersheba in Israel, together with surgeons they know pretty good when a patient is going to collapse just because of parameters their, they're measuring like blood pressure and oxygen in the blood and what kind of, of, of parameters.
And out of that they build algorithms to predict when a patient is going to collapse and they able to foresee it five minutes before it's really happening and so they can save life. And we are working on taking those kind of algorithms, also put it into cyber defense back and trying to figure out when or to predict when a malicious activity is starting and it's happening to, to flow out in the networks and then to stop it eventually at the very beginning and not just when we had the first harm in the infrastructures. So I see this benefit is moving between different disciplines back and forth, and we will learn a lot in future out of those technologies and the usage out of these technologies. Perfect. We
Got prevent, detect and respond.
Absolutely. So then let's take the further one. So we've talked about the threat, we've talked about the opportunity, we've talked about that AI will not do our job. So let's talk about maybe final round in the next sort of four minutes. What is our job? What is our role as a CSO when it comes to ai, maybe with the sort of aspects around governance versus enabler? Andrea, why don't you start this then?
I, I think the, the role is to think carefully about how do we extract the maximum value and bring that value forward. And there are, I think there are some fundamental things that we can act as the conscience of the, you know, of our organizations and think about that, right? The, the value of AI is that at scale you can deliver personalized and targeted interactions. To do that, we need to create trusted data sets, understanding, govern, and put rules in place about how those AI models work and then provide that last mile provide at scale and unlock that advice. I think if we can do that for our organizations and we can share information between us, so we create a, an even bigger scaled set of trusted knowledge base upon which for our, you know, you know, AI avatars or models to train and learn, then we make a big difference for organizations. We make a big difference for our employees and we make a big difference for all of the people who consume our services. But I think those foundational elements are really important. Yeah. And they won't necessarily come from, you know, the innovation aspects of a business from, you know, rampant consumer adoption. I think the trustworthiness, the scale and the sharing of information between CISOs is absolutely vital.
Perfect. Thomas?
Yeah, for me it's our role is just to make the world a safer place. Sounds sounds huge, but actually like, like you are doing katon, you're taking care that your customers not be afraid to lose their money because of threat actors. I'm doing the same here and, and by the way, max is doing so as well and, and I'm doing the same here, that people are not afraid and using the internet. I guess this is our role is really making the world a better, safer place and to support our business in trustworthiness.
Max closing word for the panel
Closing word. I guess looking back at the topic of AI and how we as CSOs should approach this is I guess from my point of view, the I in CSO not always stands for just in information, but most importantly, innovation, right? We gotta always be the ones who are open for innovation and how to securely and trustworthy implement it and use it.
Perfect closing. Thomas, first of all, thank you for you being remote. I know that's difficult, we've done that forever, but then everybody was remote, but I think it, it felt like you were sitting next to me on that free chair. So thanks for your speech. Thanks for being on the panel. Max enter was really a pleasure to have you there. It was as lively as yesterday, max. I really enjoyed that and I'm closing sort of the last panel for those three days. Thank you very much indeed.
Thank you for having me.