Security Unfiltered

The SHOCKING Truth About AI Security in Hospitals

Joe South Episode 194


Security is increasingly viewed as a strategic business advantage rather than just a necessary cost center. The dialogue explores how companies are leveraging their security posture to gain competitive advantages in sales cycles and build customer trust.

• Taylor's journey from aspiring physical therapist to cybersecurity expert through a chance college course
• The importance of diverse experience across different security domains for career longevity
• How healthcare organizations have become prime targets due to valuable data and outdated security
• The emerging AI arms race creating unprecedented security challenges and opportunities
• Voice cloning technology enabling sophisticated social engineering attacks, including an almost successful $20 million fraud
• Emerging trends in security validation with tools pulling data directly from security systems
• The shift from viewing security as a cost center to leveraging it as a sales advantage
• Why enterprises are driving security standards more effectively than regulators

Eden Data provides outsourced security, compliance, and privacy services for technology companies at all stages, from pre-revenue startups to publicly traded enterprises, helping them build robust security programs aligned with regulatory frameworks and customer expectations.



Speaker 1:

How's it going, Taylor?

Speaker 2:

It's great to get you on the podcast, you know we had this thing scheduled. I think it was like just before my newborn was here, or right after, or something like that, you know, and it's been a whirlwind ever since I can only imagine Joe so thankful to be here.

Speaker 1:

Thanks for having me on the show and congrats again on the baby girl.

Speaker 2:

Yeah, yeah. Well, I mean thanks for waiting to come back on and whatnot you know, but I'm real excited for our conversation. I think it'll be really fascinating, good.

Speaker 1:

I mean, I love nerding out about security, compliance, privacy, but I realize, I'm totally biased too. So I'll have to get some interest out of it.

Speaker 2:

Yeah, you know, I feel like when I started in security... and that you're starting to, like, thread the line there of what you should and shouldn't be doing.

Speaker 1:

Yeah, you're essentially trying to pass a test all the time and no one likes taking tests. One of my colleagues says it better than me, but essentially saying nobody gets jazzed up about an auditor walking into the room either. I have a background being an auditor first before jumping over to the advisory side, and so either side it doesn't matter. Even if you're internal, folks think that compliance team is always trying to get them into trouble. Oh yeah.

Speaker 1:

Yeah, I mean, I used to work for a credit bureau and you know we had nonstop audits, literally, you know, 365 days a year.

Speaker 2:

We had our own internal audit compliance team and they would audit us in front of, you know, like the SOC 2 that's coming up or whatever it is, you know, and I mean we'd be in a conference room and one of them would walk in, like, party pooper's here. You know, like, no fun now, guys, you know.

Speaker 1:

So true, we fall in the same bucket as lawyers, right, unfortunately?

Speaker 2:

Yeah, yeah, that's a really good point. I didn't think about that. Well, you know.

Speaker 1:

Taylor, why don't we start?

Speaker 2:

with how you got into security. What made you want?

Speaker 1:

to go down that path Right.

Speaker 2:

Because, it's not really a normal, not really a normal path.

Speaker 1:

I feel like you know you got to have a few screws loose somewhere.

Speaker 2:

You know to like want to go into this field.

Speaker 1:

I feel like that's a fair point. I actually fell into this by accident. Huge shout out to Dr. First, who was my MIS 270 professor back in the day in college. I thought I was going to be a physical therapist. First I thought I was going to be a chef. Then I went into school for physical therapy and I, one, was failing anatomy miserably. And two, I got to... everybody has to take a business class. I had early influence from an impactful professor and that allowed me to jump into the MIS program, which gave me exposure to cybersecurity.

Speaker 1:

And then the Big Four recruited pretty heavily from college, and so I got this opportunity to jump over to Deloitte right out of college and work as an IT auditor initially. But within the Big Four it's a lot of networking and meeting different partners that work on different engagements, and so I actually got this great, unique opportunity where I got to bounce back and forth between cybersecurity and IT audit, which we were just talking about, compliance and cybersecurity, how they go hand in hand. That gave me deep exposure and it allowed me to understand things like control objectives and risks and procedures and policies and all those fun buzzwords.

Speaker 1:

Yeah, it's really it's fascinating when you go down the consulting rabbit hole right, because it's like every day is you know completely different and you're supposed to be the expert in the room when you know in the beginning you probably don't feel like you're the expert by any degree right and I always wondered what it would be like for me to go down that path.

Speaker 2:

I feel like. I don't know. I feel like I might be in a different situation.

Speaker 1:

I don't know.

Speaker 2:

Situation is probably a bad bad word to describe it right.

Speaker 1:

But I would be in a different position, for sure, yeah.

Speaker 2:

Because being able to build your career off of something like that, it's really, it's really you know, monumental for your career because you're getting that diverse range of experience which I think a lot of people are missing out on nowadays.

Speaker 1:

Right, they kind of want to just get into security, you know and I feel like a lot of people just think about the offensive side of security, and I remember when I was getting my master's you know, there was one whole semester where we took a pen testing class and then the next one we took a defending class right.

Speaker 1:

We took a blue team class and you know, getting to see both sides of it, the professors, you know they were from the NSA and they were saying like this is the only way that you're going to figure out one, where you want to go in security, and two, you need to figure out, like, if you are going to go red team, you need to know the blue team stuff like inside and out.

Speaker 2:

And if you're going to go blue team, you need to know the red team stuff inside and out Like there's no. There's no in between.

Speaker 1:

You can choose a different team or a different focus, but you need to know it, right, and so I'm bringing it up because it's that diverse range of experience that really pays dividends down the road. Absolutely, I think right now we're dealing with a crisis where security professionals, or aspiring security professionals, are trying to get into the space. They have no experience and therefore the job market is grim for them, and so they're kind of stuck in this crux of wanting to get more experience but needing to be able to get a job to allow them to build that experience. And so any kind of exposure that you can get in any domain allows you to at least get your foot in the door and then gives you the credibility to be able to jump around. And then, of course, what you just mentioned, Joe, of being able to understand now that when I talk to auditors, I at least have empathy, knowing what they're going through and what they're trying to do.

Speaker 1:

And then also from my customers' perspective, when I'm representing them, the idea is that I get to now know how to protect them against an auditor. We always ask them: are you protecting against an auditor or a hacker? In the case of an auditor, I know exactly what they're looking for. I know exactly how to pass an audit with flying colors. Those are great fundamental skills to have, and that's audit versus just general cybersecurity. Those are just two examples of many. The security world has like 112 different domains. I just encourage listeners and folks trying to get into security, or even in security today, to expand their horizons. Opportunity for us, and it seems like it's changing quite a bit, especially with the rise in AI. And such a key area that I think a lot of people, you know, overlook, right, is getting that broad range of experience, and I tell this story

Speaker 1:

sometimes where you know, I was working for a fairly well-known investment firm and someone one of my coworkers there.

Speaker 2:

He wasn't on the security team, it was more like network security slash help desk, you know, like light on the security side, more help desk focus. But he was at the company for probably 20 years, I mean at least 20.

Speaker 1:

And I was telling him, I was talking with him when I first started there. I said hey, you know, what do you focus?

Speaker 2:

on what do you do, what's your specialty, and all that sort of stuff.

Speaker 1:

And he told me, and I said, well, why don't you branch out? Right, like you should be learning, you know, like a step deeper into network security. Right, like you know the firewalls. Well, let's get you into the WAF. Right, like, let's, you know, learn about this other stuff. And he never... it never happened, it never, you know, took place for whatever reason. And sure enough, you know, seven, eight years go by, right, he thinks that he's going to retire there.

Speaker 2:

He's early 50s, right, and when layoffs are there, he's the first one out the door, because he was the first one.

Speaker 1:

You know, that's most easily replaced, because they're just like, well, he does help desk stuff, like we can outsource that to India, we can give that to an intern, we can, you know. So he never, like, diversified, and ever since then he's actually had trouble, you know, getting back into the field, because he knew those one, you know, systems, he knew that one way of doing things at that one company and he never really learned how other places do it.

Speaker 2:

He never saw different things, and so I always.

Speaker 1:

I always look at that and I think to myself like how can I make myself? You know, how can I?

Speaker 2:

make myself more difficult to lay off.

Speaker 1:

Right, like if you're going to lay me off right, like you know.

Speaker 2:

Let it be a good reason, rather than we. How can we make sure that we're sticky right?

Speaker 1:

And you need to think about that from the standpoint of, if you're an employee, a contractor, a vendor, how can you add a tremendous amount of value in the security space? And then, how do you stay on top of where the industry is going? We are up there with the healthcare industry, where our industry changes very rapidly and technology has changed very rapidly. You have to have, as you mentioned, like just even having network security skills, expanding that into WAF, expanding that into cloud network capabilities, like you have to stay on top of where the market is going. And I think sometimes people just bury their head in the sand and say, well, this skill set that I have is what I want to master and I don't want to think about all these other domains.

Speaker 2:

Yeah, yeah, yeah, when you're thinking about it, from you know, providing a service to a customer right and you're in a space that rapidly evolves.

Speaker 1:

I mean, just a couple of years ago, right, LLMs were something that was brand new in everyone's face, right.

Speaker 2:

They existed in some extent for years prior, but now it turned into something that everyone uses. I mean, I use Grok more than I use Google, to be completely honest with you, I'm using Grok heavily for my PhD. Hopefully my chair doesn't hear that, but I'm definitely using it. How do you look at the market?

Speaker 1:

and then say we're going to build a service around this, Because I'm thinking about it from the big four perspective.

Speaker 2:

Right, it probably takes the big four a year to launch a new service and build things around it, build an offering around it and everything else like that how do you adapt, and then how do you also? Find that skillset either internally or externally to actually lead up that practice.

Speaker 1:

Yeah, fantastic question. First of all, on the Big Four, it takes them, sometimes it feels like a decade, to get a new service off the ground. I think that they do an okay job of staying on top of relevancy for the industries they play in, but getting an actual service off the ground, not so much. So on our end, one of the things that we fundamentally attempted to do from the get-go at Eden Data is simply be agile, and so we have a methodology internally on when the market is producing new things. Let's talk about, we're talking about AI, ISO 42001, for example. That is the latest and greatest framework on the market related to AI security, and it's that way to get your certificate on your digital fridge to brag about the security around your AI. And so we... it's not hard, like, that's public information. We knew it was coming. There are plenty of firms out there that have never touched that framework, but we decided, hey, let's figure this out before it hits the market, not wait for it to play itself out and wait for people to adopt it, because then it's too late. And so I encourage everyone to think about how, like, a lot of the security industry in general.

Speaker 1:

A lot of the principles remain true across multiple domains. So the idea of why you're incorporating a system or a process is always the same: it's to address a risk. And the idea of having a control and a policy and a procedure, and all of that collaborating together, knowing that process well is dangerous, like it's, you know, enough to be dangerous in a good way, and so you can apply those principles to be able to pick up net new frameworks, for example. So I think that, to answer your question succinctly, it's really just staying on top of the frameworks that are coming out and then taking the mindset that just because something is new doesn't mean you need to go get a whole certification in it. Doesn't mean you need to get a PhD in it, that wasn't related to your PhD, of course, but a lot of people say, oh well, I have to have all this experience, and in reality the security industry is largely just building upon what's already there. So that's kind of my advice in general.

Speaker 2:

Yeah, I feel like the vast majority of the people in security are really good at maybe knowing 5 to 10 percent of a topic and then building off of it and saying, yeah, I can do it, and then learning from there, that's. I feel like that's almost what you know the hiring managers are overlooking right Like I didn't know anything about IAM before I got an IAM dedicated role. And now I'm leading this product you know globally right, Like I didn't know that much.

Speaker 2:

I knew enough to be able to look around and know if something was wrong or right.

Speaker 1:

And I feel like that is something you know that would definitely change hiring practices if they just implemented that and had that logic behind it where it's like okay, they know the basics, you know they can build from here.

Speaker 1:

Exactly, and there's ways to gauge that quite easily, I think, in a hiring process alone. There's ways to gauge that asynchronously or live, and I do believe that being able to have those fundamentals is really all you need to be able to build upon. I think the other important thing to point out is that most of these frameworks are either free online or you can get them for quite cheap. So ISO 42001, you can go buy it for like 80 bucks on the ISO website. NIST CSF, you can download that for free. Like, there are frameworks out there that you can start to learn and match the puzzle pieces. That allows you at least to figure out how to read pig Latin in our industry and understand these principles of how things are talked about with risk, objectives and controls and all that good stuff.

Speaker 2:

So you were saying how the healthcare industry you know, changes so rapidly right? Were you focused more on the HIPAA side of it or the technology?

Speaker 1:

side of it, because at least from my perspective right, solely an end user.

Speaker 2:

I've never worked for a healthcare company or anything like that right the technology side seems to like it moves along, but it moves along slowly right, at least from what I can tell. But I would imagine that HIPAA is changing constantly, like pretty frequently, especially even on a per state basis here in America.

Speaker 1:

Yeah, forgive me, I didn't bridge the gap between my comment around healthcare versus security. I was actually going broader than that and talking about how the healthcare industry as a whole when we're talking about health and wellness, that is changing so rapidly because of multiple factors right, the vaccines that we release and the food that we eat. And now AI is evaluating things at a faster scale. So doctors these days have to stay on top of their knowledge base. But I guess, if you were to take it from a security perspective, if you want to look at the healthcare industry in that regard, the healthcare industry has been largely laggard when it comes to technology, just as you mentioned.

Speaker 1:

But now, because we have gotten to this crisis of security, where folks are not protecting data, data breaches are very prevalent, all that good stuff, all the fear mongering, the healthcare industry is one that's been hit the hardest, coupled with the fact that they have the most valuable data on the market. So you're seeing a scramble in the healthcare industry for folks to try to build towards things like HITRUST, because HIPAA actually hasn't updated. There's a HIPAA update coming that they've talked about for a while, but it hasn't been touched in over a decade, and so the standards are not meeting expectations for leveling up the healthcare, excuse me, the healthcare industry. I'm getting all choked up talking about HIPAA. It's a very emotional topic. Now we're finally starting to see the regulations catch up with the technology, not the technologies, but the security practices that healthcare industries are trying to adopt in order to stop the bleeding.

Speaker 2:

Yeah, there are fewer industries that you could, you know, with relative ease attack successfully and cause just widespread damage. You know, I'm thinking about other sectors, right, like the power grid, for instance, or the banking industry. Those would be very widespread, touching almost everyone in a region or the country, right?

Speaker 2:

But those are very hard targets. I mean, maybe not; the power grid, is that, you know, hard of a target? I have to bring on actually some experts in the area to talk about it. But, you know, when you look at hospitals and medical systems, those seem to be like low hanging fruit, and, you know, I'm based out of

Speaker 2:

Chicago, right. So here we have, you know, Northwestern Memorial Hospital, Lurie Children's Hospital, those are like the two biggest, you know, hospital systems, for sure in the region, and I think it was last year sometime.

Speaker 1:

You know, one of those hospitals, they went down. I think it was Lurie's, yeah, Lurie Children's, right. And I'm not talking, you know, out of pocket about anything.

Speaker 2:

There was a news article about it, yeah, but they went hard down for several months, right? Now, I thought for sure I didn't have a problem, right, because why would that matter to me? I'm out in the burbs, I take my kids to a different pediatrician... the region that are linked up to

Speaker 1:

Lurie's, because all of them are down as well, right.

Speaker 2:

And then you know, I have someone hitting me up on the side saying, hey, we're really swamped over here.

Speaker 1:

We could really use your help. And I'm sitting over here saying, like I applied to you guys six months ago I don't know what you want me to do. You know I need some money.

Speaker 2:

I need a contract.

Speaker 1:

You know, I need some legal disclosures before we go and dive into this. They were like they were swamped.

Speaker 2:

You know, I have.

Speaker 1:

I have a friend that was working at Northwestern and you know, physically those two buildings are connected in Chicago and he was telling me he's like it is so bad that we had to, literally physically unplug the network connections between us and them just to make sure that nothing happened to our network.

Speaker 2:

Because they were. They were hard down, they were down to you know pads of paper for managing doctors, schedules and stuff.

Speaker 1:

That's horrible, oh my gosh. Yeah, our CMO, when he and his wife had their baby, they were hit by a cyber attack. Yeah, the hospital, and so everything was being done by paper. It was taking a lot longer. Those situations hit close to home, but you have to... we also get all of those notifications on, oh, your data has ended up in a breach, and a lot of times it's healthcare entities.

Speaker 1:

But you pointed out something very important, Joe, which is that a lot of times people are very reactive, and so in this case, they didn't pay attention to needing that cybersecurity support until they were caught with their pants down, and then it's a scramble, and then they want everything yesterday, and then there's this speed associated with it that then causes more issues because you're missing things. And it's very lumpy in how people invest in security and why they invest in it. They have to have some material need, whether they are being impacted by a breach or their customer's not going to sign with them because they don't have their SOC 2 attestation, or whatever the case may be, and we need to get security shining in the same light as marketing and finance and these other departments at any company that's collecting sensitive data.

Speaker 2:

Yeah, that's a really good point. You know, I feel like security is always viewed, as you know, like a black hole that CEOs and boards just send money to and it disappears, you know when in all actuality, yeah, it disappears. We don't really make the business any money, but surely we protect the business from extreme losses. You know, like, even that hospital breach that I just discussed, right, if they just had simple backups, right, and they tested the backups maybe once a year, that problem would be resolved, you know, in an afternoon, in a weekend, right, with a competent engineer on the other side of it, but lo and behold they thought they had backups and they didn't have any backups, and so then they were in a situation where they had to rebuild everything from scratch right, and that's

Speaker 1:

where security really shines right. It's like, hey, you want the rest of the business operating at a high level.

Speaker 2:

Well, security enables that. It allows you to be able to do that. It protects your ability to do that.

Speaker 1:

And we've got to find a way to shift that narrative. Yeah, everybody views security as a cost center and a sunk cost, and it's just not true. You can either look at it from that perspective of it's not a sunk cost anymore for that hospital that lost millions and millions of dollars. And then also there's this new trend where you can actually leverage security in your sales cycle and be able to talk about it in your sales cycle to showcase, hey look, I care about your data, Mr. or Mrs. Customer, and these are the things we're doing to protect it. So there ends up being an ROI on security, and I want to see more of that, but unfortunately regulation's not driving that. It's more enterprises. It's enterprises that are demanding more security standards across the board, which then, in turn, requires these companies to invest in it, and so we do need that to be more prevalent in the industry for what you just said to catch on, for folks to look at this in a more positive and necessary light.

Speaker 2:

How do you think we make that change? You know, because I always look at like GDPR right.

Speaker 1:

And I actually love everything about it for the most part of what they did where they said hey, here's the standard. How you enact it is kind of up to you.

Speaker 2:

But this is what we're requiring you, you know, to be able to do the functionality and all that to have with someone's data. I feel like here in America we need something like that where it's like, hey, you know all these states you can do whatever you want to do, but here's the bare minimum. You know you need to. You know encrypt personal data. You know you need to store it this way. You need to have relevant backups, all that sort of stuff, right.

Speaker 2:

I feel like that's almost the only way that it'll work, because each state is just going to be, you know, completely different. And then even from like the security team perspective, am I really going to like geofence my data in Texas versus New York because they have two different compliance standards?

Speaker 1:

No, typically.

Speaker 2:

I'm going to not be very specific with it and I'm going to make it to the higher standard across the board and call it done right, exactly. So what's the point of that lower standard? Yeah?

Speaker 1:

I couldn't agree more. You pick the most comprehensive and you run towards it. The issue is that right now there's not a lot of enforcement, and I don't want to be the person that says that state regulators need to go and actually issue fines. But in cases where your lack of care for your customers' data is prevalent, then I do think that those folks are going to need to be able to have the opportunity to fix it but deal with the repercussions. Otherwise, we just do not look at data as a sensitive asset anymore, and now the sensitivity of it has changed.

Speaker 1:

It used to be that you don't want your Social Security number out on the internet and your birthdate and your home address and all that, and that's still true for the individual. But we've been just fatigued by data breaches to where people don't even care anymore, which is sad. But now you have this whole new element with AI, where we've got this silicon curtain between the USA and Russia and China and all of these nation states that are all racing towards the best LLM, racing towards the best database, for lack of a better term, and training models. So now it is imperative that we're keeping our IP out of China's hands, for example, and Russia's hands, because we're giving them an unfair advantage and working towards global catastrophe. So I know that sounds like fear mongering, but that's kind of the world we live in now. So data is definitely worth something for both of those reasons.

Speaker 2:

Yeah, yeah, I don't think you're fear mongering. I mean I don't think that you're. I think that you're probably like even understating the importance of this AI arms race that we're in right now.

Speaker 1:

Yeah. Right, I wonder for the regulatory side of it.

Speaker 2:

I wonder if these fines aren't even enough. Right, because just a couple months ago, Facebook got fined some astronomical number, I mean I think it was like, what, $4 billion or something like that. And then CNN, you know, CNN ran the math and they're like, oh yeah, they're going to make that by Friday.

Speaker 1:

They're literally going to make that by Friday, and I'm just sitting here like, well, what's the point? You think Mark

Speaker 2:

Zuckerberg is worried about that number? Then, you know, like, whatever it was, I can't remember what the number was, but I literally remember them running the math, like, live and being like, yeah, that wouldn't even, like, keep him up at night.

Speaker 1:

That wouldn't even, like, mess up his, you know, his sleep schedule, let alone, you know, put a dent in his vault, you know, of $100 bills, right? Like, you need to have something, you need to have a penalty that's a little bit steeper, or something like, okay, well, you're limited in what data you can actually maintain for the next 24 months, you know, like maybe you can't sell data to advertisers like you did, or maybe you're only allowed to sell them a certain amount, right.

Speaker 2:

Limit that sort of stuff, because that's the only way that these companies are really going to start falling in line, because they'll pay, like they will literally pay the fine every single time. I literally had a call with a CEO, you know, a couple of weeks ago, right, and I was making the pitch for like a hundred thousand dollars, just so I could buy a tool to allow me to see what's going on in the cloud.

Speaker 1:

And he asked me what's the risk if I don't do anything?

Speaker 2:

I was like well, if we get breached, I'm not going to even know. Like I literally won't know, there's nothing I can do about it. I won't know for probably three months minimum. And his response was I accept the risk, like moving on.

Speaker 1:

What are we talking about right now? Like that, can I accept it.

Speaker 2:

It's like okay you know that's an interesting response, but it's not a rare response.

Speaker 1:

You know, like CISOs get that every day. Yeah, it's all too prevalent. CISOs are getting their hands tied behind their backs constantly. I think that there needs to be some kind of public shaming element that goes beyond simply just a news article. I think that if you are found to be guilty of egregious data malpractice, you have to post it on your website and you have to let every customer that signs with you know for the next 24 months that you've experienced a data breach.

Speaker 1:

We have these security questionnaires floating around, right? Those are a joke, because people can just put whatever the heck they want and there's not any kind of validation, right? All of that is manual, and so there's... I fill out those questionnaires for customers fairly often and they have line items in there saying, have you experienced a breach in the last 24 months? You can just say no and nobody would ever know, which is crazy. I'm saying that's what I do, just to be clear. But it's...

Speaker 1:

But it's just a wild. It's the wild west right now with how you basically enforce this, how you validate how you can believe what your vendors are telling you, and so there needs to be at least better measures for trusting but verifying when you're dealing with vendors that are collecting your most sensitive assets. Yeah, yeah, the trust but verify piece is going to become, you know, only more important because of the AI aspect. Right, the AI genie out of the bottle that we're racing towards. I mean, the genie is already out of the bottle, we just don't know what to do with it yet. You know, like that's the thing.

Speaker 2:

Currently I'm getting my PhD.

Speaker 1:

You know, in zero trust security on communication satellites to prepare for post-quantum. And so with that I'm looking at, like, the quantum encryption requirements and what it takes to, you know, maintain that standard and all this other stuff, right, and with that.

Speaker 2:

I keep on just continuously thinking like, oh my God, this is probably not that my PhD is the most important thing, but this area is probably the most important topic or focus area that we've ever seen in humanity, right, like since the nuclear bomb.

Speaker 1:

Right, because with an AI I mean guess what?

Speaker 2:

Like I'm getting into that nuclear bunkers computer.

Speaker 1:

You know, I'm finding a way in. Maybe one of the most impressive, you know, espionage attacks ever was Stuxnet, right?

Speaker 2:

Completely air-gapped, under a mountain, in an environment that had been rebuilt, right, five, six, seven times, all of the cables pulled out of it, all of the cables, you know, replaced and whatnot, right, and Stuxnet still prevailed in destroying that environment.

Speaker 2:

So what's to say? You know that this doesn't impact a siloed network. You know, in a nuclear missile silo somewhere right, Like that Mission Impossible movie that just came out I don't know if you saw it. I haven't seen it yet.

Speaker 1:

It hit a little bit too close to home because I'm sitting here and I'm like well that's possible.

Speaker 2:

Yeah, that's possible.

Speaker 1:

It's just like going down the list of this almost sentient AI and how it's like piecing apart society. It's like, yeah, that's actually, that's a real possibility, terrifying. Yeah. I think that we all. There's a lot of dismissal of AI simply because it's people think that it's blown out of proportion and they can't do much now. But we as security practitioners at least have to think about what the next 12, 24, 36 months and beyond incorporate and what is possible and what is possible with how fast it's already developed just in the last 24 months. You'd be quite ignorant to think that we're not going to be at a state by 2030 where the AI is going to be able to just at the very least, find vulnerabilities in existing systems today, right, simply because it can do so many reps and so many attempts on any given system. There's so many different rabbit holes we could go down with AI.

Speaker 2:

Yeah, yeah, I mean, if you look at the DARPA competition that they were putting on at DEF CON, you know they did it for several years in a row. I don't think they did it the past couple of years.

Speaker 1:

But when they?

Speaker 2:

were doing it. They had these two AI models, you know, on these two servers attacking each other, and you know they talked about how it got to a point where they were no longer doing.

Speaker 1:

You know known vulnerabilities and exploits like they were finding brand new vulnerabilities that had like never been seen before. And they're launching it against each other and everything. And they kind of stopped it early, right, Because it started to find zero days. And the military is there saying maybe we should, you know not disclose that to the public just yet you know, and all these different things right.

Speaker 2:

So it's like the AIs are already, they're already doing it and we kind of like have this, we have this poor mentality that we can kind of control it to some extent right now, and it's like is it allowing us to think that we? Can control it right now, or can we actually?

Speaker 1:

control it. Right now, the movies are coming true. Yeah, it is a wild time to be alive. Yeah, that's for sure.

Speaker 2:

Yeah.

Speaker 1:

It's going to be fascinating, you know, from a security perspective, because we bring a certain mentality into everything that we go into right.

Speaker 2:

It's like we're going into completely uncharted territory.

Speaker 1:

Yeah, and to tie this back to everything we've been talking about, I think for the listeners that are getting into security or wondering what the next phase of their security journey is going to be, there's a tremendous opportunity of a market being created right before our eyes around AI security. There is absolutely going to be a fundamental need for the good guys to understand how AI works and how we can use it defensively and even potentially offensively, because it's already being used nefariously.

Speaker 2:

Yeah, yeah, I mean it's already being used by, you know, these hacking groups to create malware that we've never seen before. To just get into a target that, you know, would have taken them months to prepare for, they're using this AI to get it done in an afternoon, right.

Speaker 1:

It's pretty crazy. Those phishing emails are getting legit as hell. It's crazy.

Speaker 2:

I saw I recently I think last week I put out the clip of it and it's a, it's a true story right. Like my, my current CFO got an email followed by a phone call. Right.

Speaker 1:

From what seemed like our CEO and it sounded exactly like him on the phone right Saying hey, I need you to send 20 million to this.

Speaker 2:

This you know organization this account or whatever, and the.

Speaker 1:

CFO said. He said I was 100% convinced like because this has happened before he's called me.

Speaker 2:

he sent an email and then he called me, requested it, you know went to the right place and everything.

Speaker 1:

But we've recently changed the protocol and there was one final step in the protocol that he was required to check right with the person on the other end of the phone and the person on the other end of the phone or the robot or whoever didn't know that answer and he immediately hung up and called security and said hey, this is what just happened.

Speaker 2:

I didn't send anything, but can you just look into it, and I mean the email looked totally right. The headers were manipulated, obviously, but you're not going to see that you know as a normal end user or whatnot.

Speaker 1:

But the email address looked totally right you know and I heard we pulled up the phone call and the phone call sounded exactly like him.

Speaker 2:

And I'm just sitting here, you know, as a security professional, and I'm like this would have fooled me. You know, like this absolutely would have fooled me.

Speaker 1:

You know my boss telling me to do something, sends me an email, sends me a team message gives me a call afterwards because maybe it's a little bit out of the norm, right?

Speaker 2:

Maybe it's a little bit, you know, iffy for me to potentially create this rule in the firewall, or whatever it might be right. Like just a random example.

Speaker 1:

Like I wouldn't question it after the phone call. Why would I question it? Like at that point I'm not, and we just don't have great ways to validate this. Like we have to stay on our toes more and more, but that only goes so far. So what you just said, like I would have been fooled by the same thing. What's wild is someone could take this podcast, right, and record each of us and use that nefariously. Like it's just anything that's on the web of you talking. It's being used in cool ways, but it's also being used in nefarious ways, as you mentioned. So I can't even imagine a public figure like a CEO. That's shooting fish in a barrel. It's too easy to get that audio clip and that into something.

Speaker 1:

Yeah, I mean they're doing interviews, they're doing quarterly calls and all that sort of stuff, like their voice is out there it has to be out there.

Speaker 2:

That's the thing too, right? Like it has to be out there, because we're moving into an area where you kind of have to look at your own online presence more closely, even what you're posting on social media, not just your location, not just things that are up to date and whatnot, right, but you have to look at it in a way of an attacker, almost, where they would say, oh, he said he's out of town. I'm going to go rob his house. I know where it is because I can do a public title lookup and see what he owns. Right, like that's a possibility. Well, now, you know, like you could give them unknowingly too much information online and now they mimic your voice by this podcast, right, and they're doing something else.

Speaker 1:

They're calling your bank and they're.

Speaker 2:

You know it sounds like you.

Speaker 1:

The banks have the voice detection software, right, they have that software, so it's going to check that box, right. And I mean that's the thing too, right. I call my account manager and I don't have to answer almost any security questions. I have to answer stuff that a hacker would have, you know. That's the thing.

Speaker 1:

If you made it all the way to that point where you called my account manager, you 100% have all the other stuff that they're going to ask me about. And so it's like well, what do we do? You know, because that account manager can do anything.

Speaker 2:

They can get me on the phone with anyone at that bank.

Speaker 1:

You know, yeah, the technology, our tools need to catch up, the good guys' tools need to catch up, and we're just not there yet. So it's putting in compensating controls, like what you're talking about, of having multiple people involved in a process. I'm super thankful that my bank uses the voice recognition but then has additional measures for how they would validate, and there's separate processes too. So I think the banks are at least figuring it out. If your bank does not do that and you're listening to this, just stop everything you're doing and go switch banks. We are at that stage where you don't even need someone voice mimicking and calling your grandma to get her to send $5,000 or whatever in the mail because you're arrested, and that trick worked on my grandparents years ago. Now I can't even imagine, especially for the elderly going through this and not understanding the technology, but getting a call from a loved one saying I need money. It's crazy that it is as easy as that, but unfortunately that's where we're at as a society.

Speaker 2:

Yeah, yeah, we're going into a scary place, honestly. But, you know, Taylor, why don't we touch on, you know, Eden Data and the services that you provide.

Speaker 1:

Why don't we?

Speaker 2:

dive into it a little bit and talk about the services that you're providing the great content that you're putting out.

Speaker 1:

So Eden Data is essentially the outsourced security, compliance and/or privacy team for tech companies around the world. So when I say tech companies, that's anything from early-stage startups up to, now they're calling themselves scale-ups, right, when they're Series C, D and beyond. And then we have publicly traded companies, enterprises and everywhere in between, and so we are typically taking over the security program or the compliance program and helping them build against the frameworks that they need to align with, either from a regulatory perspective, like we talked about, from the expectations that their customers set, or we have customers that come to us and just say I can't sleep at night because I want to protect my customers' data and I don't know how, and so building a robust security program around that. We have the great pleasure of working with customers all over the world. We have hundreds of customers that provide all kinds of cool technology services to their customers, a lot of software companies, but law firms and clinics and those kinds of things as well.

Speaker 1:

And the other tidbit that I'll add to this is that it's really been cool to see, we've been around for four years now, and it's really cool to see that the industry is shifting. Security used to be very, very important for the Series A, Series B and beyond. Now we've got pre-revenue customers coming through the door left and right. When you're building a new company and you're offering software, it's at least becoming more accepted that security is a necessity. Sometimes the founders are thinking it's a necessity because they just want to take it seriously and protect their customer data. Oftentimes it's because they know if I'm going to sell to the Walmarts of the world, Walmart's going to tell me I need my SOC 2 and my ISO 27001 and all of these things, and so we are seeing a big uptick in more companies at earlier stages investing in security.

Speaker 1:

Yeah, that's huge that makes a lot of sense, though, because you know, as a young startup company, probably the worst thing that could happen is you get breached and you know your product is viewed as being insecure, especially nowadays, and so it would make a whole lot of sense for them to pay attention to it.

Speaker 1:

Well, they were that company that got breached. I really want to give a shout-out to the enterprises of the world that are really setting the tone for how security needs to be enforced and then also continuing to raise the bar. That's something that I hope to see continue to expand, because it's not the regulators doing it, like we already talked about. And I do think that there are, I'm seeing this beautiful thing in the world where this next generation of companies is embracing security from the start, and that's critical. These folks are going to go and start more companies. They're passing that knowledge along to the customers that they do business with, and so we are seeing this kind of uptick in security becoming fundamentally important. It's just being tied more to sales than simply the fear, uncertainty, doubt aspect, which is fine. I want people to see a return on investment for security, and that's something we obsess about over at Eden Data, because otherwise nobody's ever going to like us security professionals, right?

Speaker 2:

Before we wrap up, what are some top trends in the industry that people could start focusing on? Maybe it's a trend to help someone get into the industry or get more diverse in the industry. Maybe it's a trend that a company should start adjusting for and planning for for the rest of the year.

Speaker 1:

Yeah, I want to try to give a different answer than maybe some of your guests, because everybody and their mother's talking about AI. So I promise I won't say AI, but I will touch on one thing, technically two things, that we've already talked about. One is paying attention to the opportunities being created in security by AI and, more specifically, ISO 42001. That is a big trend that's upticking now. That standard's only been around for a year. It's finally starting to get adopted and enforced by enterprises. So when I say by enterprises, I mean for the software companies that they're doing business with, and everybody is using AI in some capacity in their business, and so pay attention to that standard. I think that there's going to be a lot of job opportunities, a lot of project opportunities coming from that. And then the second thing is this rise in using security for sales, like I talked about.

Speaker 1:

But more specifically, you're seeing this big trend in people being more public about their security posture in a more detailed manner. So today it's really beautiful to see, like, SafeBase, which was acquired by Drata. There's multiple players in the space that allow you to build a beautiful security page that you put on your website that's more interactive. But the reason I love this trend so much is because there's also a validation component. We talked a lot about how you could just make crap up as you go along earlier in the podcast. With these types of tools, they're pulling data from GRC tools, they're pulling data from the website, they're pulling, in some cases, they're doing scans. SafeBase, for example, has integration with Qualys and Nessus and a couple others where they'll pull in recent scan scores, and so now you're starting to get what's basically like an automated control, and that trend is going to continue to expand. We're going to rely less on humans telling us what our security posture is and more on the systems telling us, and so I would encourage folks to pay attention to that as well.

Speaker 2:

Yeah, it makes sense. It'll be really interesting to see where things evolve and where we end up in 2026. I'll have to have you back on and maybe we'll redo, like, a trends episode for 2026.

Speaker 1:

Heck, yeah, let's put it on the books. I can't wait to see what we got right and what we got wrong. Right, yeah, that'd be awesome. Well.

Speaker 2:

Hey, you know, thanks, Taylor, for coming on. It was a fantastic conversation. I really enjoyed our time.

Speaker 1:

Yeah, Joe, I can't thank you enough for the opportunity, and folks listening, feel free to reach out to me on LinkedIn. I'm obsessed with this industry and would love to nerd out anytime on security, compliance or privacy.

Speaker 2:

Yeah, yeah, absolutely. I'll put a link to your LinkedIn in the description. I'll put a link to your website, Eden Data, down in the description as well.

Speaker 1:

Amazing. Thank you, Joe. Awesome.

Speaker 2:

Well, thanks, Taylor.

People on this episode