Cybersecurity and Incident Response in the Face of GenAI

Patrick Spencer (00: 01.386)

Hey everyone, Patrick Spencer. I’m here with my co-host, Tim Freestone. Tim, how are you doing this today? Bright and sunny Monday. Hey, we have a real treat for today’s Kitecast episode. We’re joined by Dan Lorman, who’s been a trailblazer, and I mean that for several different decades when it comes to cybersecurity, among other things, as you’re about to discover. I first met Dan when I was at Symantec Goshwood, Dan, 15 years ago or something like that.

Tim Freestone (00: 07.55)

Good. Now you go, Badger. Yeah, yeah, it’s nice.

Patrick Spencer (00: 31.826)

When he was a CISO over at the state of Michigan and they were undertaking some, some major, uh, IT innovation and transformation initiatives and, and security played a critical role in all those different efforts. Uh, since then, Dan served as the chief strategist and chief security officer, uh, for about 10 years at a company. And then he currently serves as the field CISO for the public sector at Procedio. Uh, he’s an author. We’re going to talk a bit about his book. He’s a podcaster.

listened to podcasts, probably heard him on some other podcast programs. I think he had his own podcast program. Maybe he still does. I forgot. And he regularly presents at various events. Hey, Dan, thanks for joining Tim and me today. We appreciate your time.

Dan Lohrmann (01: 16.153)

No, thanks for having me guys. It’s great. Tim and Patrick, it’s wonderful to be on your show. So thanks for the opportunity.

Patrick Spencer (01: 24.322)

So let’s jump right into it. Let’s talk about your book as a starting point. It was published a couple of years ago. You’re a co-author. What was the genesis behind it? And what can some of our audience members find in the book? Why should they pick it up?

Dan Lohrmann (01: 41.069)

Yeah, so the book’s title is Cyber Mayday and the Day After, and then there’s a long secondary title called A Leader’s Guide to Preparing, Managing, and Recovering from Inevitable Business Destruction, which is a mouthful, I know, for a lot. But it’s really ransomware stories. And so my co-author, Shemane Tannis in Sydney, Australia, she actually, Woman of the Year in cyber several times, won tons of awards, does TED Talks, and a lot more famous than I am actually.

I was going to be at an event down there. Actually, what prompted this, I was supposed to go to Australia for a wedding and for a conference. It all got wiped away by COVID twice, you know, got canceled because of we all know the travel. Everyone’s got their travel stories of things that got canceled because of COVID. But meanwhile, the conference went on. It was a big success, got a lot of global audience. And then, you know, we decided to partner on a book together.

And what we saw missing, a lot of stories about best practices do this, checklists, different things about ransomware. But what we saw missing were true stories through the eyes of the C-suite. So through the eyes of executives, CFOs, CEOs, and some CIOs and CISOs, but really what happened, kind of the backstory behind it. And so we really talk about stories before, during, and after a cyber incident. So there’s three parts to the book.

Not a really exciting stories. I won’t tell you a lot of long stories today, but I mean, there was some really good fun stories about negotiating with hackers, with criminals actually, but when you get a ransom and how that all works out, but what happens, what you can do before and then during, and then after cyber incidents and some best practices around that. And we can sort of talk about some details, but.

things that people should be doing and thinking about and wish they had known, people who thought they were ready, but wish they had known before ransomware hit.

Patrick Spencer (03: 44.898)

Hmm.

Tim Freestone (03: 45.668)

So let me just ask a couple questions, Patrick, especially the subtitle, the part from inevitable business disruptions. And my question is more around, first of all, what’s the tenor of CISOs essentially going into a profession where they’re all eventually going to have a really, really bad day at some point?

Could be catastrophic. It’s like degrees of bad days. And knowing that even if they’ve put all of their budget to the most effective use they possibly can to defend against cyber threats, it’s still probably going to happen. And what’s the narrative that CISOs have on that day that they can prop up? Look, we did everything we can. Now we’re in resilience mode. And here’s what we have for resilience mode.

And I heard a quote once, boards of directors care about three things, money going in, money going out, and someone to blame. And oftentimes the CISO, even though it has done everything they can, is the one to blame. So how do you thread that perspective in your book or even as you talk to CISOs in your network?

Dan Lohrmann (05: 01.925)Yeah, that’s a great question. Really good question. You know, I think from a mindset perspective, I’d start off by saying, you know, guys, I do blog a lot, I’ve read a lot. I’ve read a lot about the intersection. I love football and I love sports and how cybersecurity is like football. And I throw that out and say, what does that have to do with the book? Well, you know, there’s gonna be games, there’s days you’re gonna lose football games. You know, you’re not gonna win every game. You know, you’re not, you can do all the preparation in the world and you know,

but you do scenario based planning. You know, in this situation, here’s how we’re gonna do it. You know, we’re down by five, you know, Patrick Mahomes with two minutes left, what are we gonna do? You know, and you practice, you practice different scenarios, you practice with different formations, different situations. And that’s really, I think, where you start with, you know, just most people, men and women, know sports analogies, but I think for CISOs, you really need to practice. You need to have a good plan, you need to be thinking through your strategy.

And we talk about tabletop exercises. You talk about, you know, people have incident response plans that people, you know, but then you got to throw curves at people and you’ve got to know, you know, I’ve been, we tell stories in the book where, you know, from my experience, going back almost 20 years now, actually it was 20 years ago, for the blackout of 2003 in Michigan, I was the CCO of Michigan when the lights went out. And, you know, one thing we learned right out of the gate,

day one, half the people didn’t show up. When, you know, they were supposed to show up at the coordination center for state police, half the people didn’t show up. So, for example, knowing that, you know, prepare, you know, you have a tabletop exercise, give you one tip right on the gate, you know, walk around, tap a third of the people on the shoulder. Over the next 24 hours, by the way, it was down to about a third, but a lot of people were on vacation, they were gone, they, you know, all these different reasons why they didn’t come.

Tim Freestone (06: 37.447)

Yeah.

Dan Lohrmann (06: 59.269)

But are you prepared for that? Are you prepared for the unexpected? You think it’s so easy for a tabletop exercise, for example, or for scenario-based planning, if everything goes perfect and it’s Tuesday morning and the coffee’s hot and the donuts are cold and everybody’s happy, it’s great. But in real life, that’s not the way it works. And so, what are you gonna do now when a 30-year-old people don’t show up? So practice that way. Tap a 30-year-old people on the shoulder and say, go home or walk from the outside. You’re not a part of this.

Now what’s the team gonna do? Throw curves at people, be prepared for the unknown, and know that you can also learn, I’ll just say one other thing, inevitable business disruptions, you can learn from your peers. You can learn from what other people have gone through in your industry, what are the best practices, what really happened, and having those conversations in advance. All those things can help you really be ready for when that day does hit.

Tim Freestone (07: 58.424)

And assuming they have all of these pieces in place, you know, I guess it comes down to the organizational culture is, you know, are we getting together to, to be resilient and recover, or are we going to blame and try to cover our asses, so to speak, right? So there’s it’s CEO down I’d imagine in terms of how a company recovers.

Dan Lohrmann (08: 21.349)

Yeah, I mean, blame is a hard thing because no one’s going to talk about that in advance. I think it is a challenge. It does kind of come with the territory in sports and in data breaches. I think the reality of it is it is a huge challenge. On the one hand, we want to have accountability and responsibility. But I think to your point and the premise of the question.

Tim Freestone (08: 34.535)

Right.

Dan Lohrmann (08: 50.801)

is everyone wants to know that they have done everything they possibly can to be ready. And I’ve written a lot about sometimes you’re going to be outgunned. If the Chinese decide they really want to come after your company and they’re going to put millions and millions of dollars into hacking you, it’s going to be hard to win that game. But I think what is

more common and I think what people, leaders need to be prepared for is oftentimes it’s not that. It’s not you’re going up against the Russian army or the Chinese. Many cases you’re just, you know, you have to be better than the guy next door, right? You have to be, you know, you’re not doing the blocking and tackling and throwing and catching. You’re not doing that 80, 90 percent of the things that need to be done and you want to make sure that those things are really done. The due diligence is there.

And there are ways you can find that out. You can find that out in risk assessments. You can bring in teams that do pen testing. You can practice against the best and say, I really know we’re prepared, the best we possibly can be. And it’s hard, it’s hard because a lot of times organizations are ready at one moment in time, and today or tomorrow, but the next day they’re not, right? So being ready every single day in an ongoing way with vigilance and perseverance is hard.

It’s really hard. But yeah, you wanna have a checklist and make sure you’re doing what you can that would stand up to the scrutiny when and if you do get hacked and they come in afterwards and say, did you really have all these things in place? Okay, now we’re gonna pay the cyber insurance or whatever it might be. If you don’t have that in place, they may not pay the policy, for example.

Tim Freestone (10: 40.384)

Yeah. So you’re, you’re just wanting more here to close off. You’re a field CISO and my experience with field CISOs is you’re out talking all day long to customers and the industry. Um, uh, what are you hearing right now? And how does that inform what you do from a authorship standpoint? Do you, you know, do you kind of take lots and lots of inputs in the field and kind of understand where the.

Patrick Spencer (10: 40.878)

We’ve seen… Got ya.

Tim Freestone (11: 10.896)

the ship is going and then map out a book to that. So it’s a two-part question. What are you hearing and then how does that translate into what you’re gonna do next?

Dan Lohrmann (11: 20.301)

Yeah, so just real quickly, I wear three hats. So I do a lot of thought, speaking, blogging, writing, a lot of thought leadership. I do some deeper dive projects with a couple clients where I’m helping them build their strategies, and that kind of thing. And then, like you said, throughout the whole process, another third of my job is executive briefings, really throughout talking, having great relationships with CISOs, I focus mainly on the public sector. I have an 80-20 public sector, private sector.

Tim Freestone (11: 49.04)

Mm.

Dan Lohrmann (11: 49.061)

But yeah, working with CISOs around the country and really somewhat around the world and what’s going on. And so what am I hearing? I mean, I’m hearing, I mean, right now, I think AI is sucking all the oxygen out of the room. I just published a blog a couple of days ago about the story of 2023 is how Gen.AI stole the show. And I think that’s playing out in a lot of ways.

I’m certainly talking about data breaches, we can talk about nation-state attacks and threats and ransomware. But I think a lot of CISOs and how does it influence my writing, I mean, I’m saying I can’t give away any confidential information, but if I’m seeing trends across multiple organizations that I am, you know, like right now, everyone’s struggling with governance around JAN AI. I think a big theme at the moment in December of 23 is how are we going to deal with this

as an organization, the CISO security offices, certainly in government, are getting inundated with requests. I think Gen.AI is real, and AI overall is really changing the game. But that also is, if you’re a CISO of a large state, and you’ve got 20, 30, 40 agencies who all are sending in their Gen.AI projects and how they’re going to redo, fill in the blank, transportation systems, tax systems, police systems.

You know, and they all want to use new tools, and then they want you to tell them that these tools are safe, that they’re secure. You know, it can be overwhelming. Meanwhile, you’ve got all these free tools out there. So I call it the shadow IT or shadow AI problem, which we’ve known for seven, eight years. We’ve talked about CASB, you know, back in 2015, 2016, 2017, but now it’s happening with shadow IT. So with shadow AI and artificial intelligence, all these new free tools, free…

quote unquote, Gen.ai tools, everything from Bard and ChatGPT to hundreds of others. And people want to use them. Now Google just came out with Gemini. These free tools, but you know, what data is going into them, ownership, intellectual property, all of the governance issues around data and control and code is just, it’s just really, I think it’s going to be a great thing. I’m a Gen.ai positive person.

Dan Lohrmann (14: 14.885)

But in the meantime, right now, it’s really hard for security shops, because I think they’re getting inundated, not just with attacks from Gen. AI bad guys, but even their own internal systems and their own internal needs are just, you know, their systems and processes and procedures and policies around governing Gen. AI is a huge challenge right now. I think that’s top of the list right now for people.

Tim Freestone (14: 44.718)

Interesting.

Patrick Spencer (14: 44.994)

The GEN.AI stuff is absolutely something we want to talk about. Before we jump into that side of the pool, I thought I’d close out the earlier discussion. I had one follow-up question. We had Charles Carmichael from Mandiant, or Google Cloud, Google Security, whatever they’re called nowadays, on a webinar earlier this year, talking about the supply chain attacks, and specifically MFT and the antiquated tools. And we looked at the latest one on Move It.

Dan Lohrmann (14: 55.568)

Yeah.

Dan Lohrmann (15: 06.599)

Nice.

Patrick Spencer (15: 14.322)

And he noted that the attack method, they actually clopped the criminal gang in Russia, which you’re familiar with, was overwhelmed by the amount of response or success that they had to the point where no longer were they notifying those who had been hacked, that they had been hacked and they were demanding a ransom from them. They’re actually wanting companies to go to their website to determine if they actually had been breached. I assume that changes the process

You know, all the evolution that’s taking place in terms of, you know, the introduction of AI that will make these attacks faster and more malicious and more complex and so forth. But just, you know, in the case of the move it hack or some of the others that are similar in nature, it changes the dynamics in terms of how you write that incident response plan and practice ahead of time, I assume. And maybe that’s version two of the book that you’ll be publishing next.

Dan Lohrmann (16: 10.726)

Yeah, no it is. I mean, I think everything is going to change. I mean, we’re reinventing, and it’s funny because I see a trend right now, you know, I would just say a couple things on this. One, you know, Gen. AI is going to totally radically transform the industry over the next five years. I mean, it’s completely changing. And yet at the same time, let me flip and say,

history is also repeating itself. And so there’s other things that are happening. Like for example, I just mentioned CASB and Shadow IT. You know, that was a problem we faced, you know, what, seven, eight, nine years ago, and now the same vendors, Netscope, Zscale, a lot of vendors, but a lot of, I’m not naming vendors, but a lot of different people are facing the same problems. New sets of challenges around that. But like, I think for CISOs, to your point,

It’s a constant learning challenge for all of us. And I won’t go into the whole long story, but if anybody reading my blogs or know my background that’s probably heard the story already, I almost got fired in 2004 for opposing Wi-Fi. I don’t know if you guys wanna hear that story or not. I could tell it again. I’ve told this story many times. It’s a long story. There’s a lot of reasons why. I was the NSA guy. I was against it. I had all these white papers saying, have you guys heard the story by the way? Do you know this story? Have you heard that? No.

Tim Freestone (17: 33.153)

No, I haven’t heard it. Go ahead.

Dan Lohrmann (17: 34.277)

Yeah, okay, I’ve got to give you a real quick, I mean, I’m going way off the script, but I, you know, so I came from NSA, and I, all these white papers, you know, from FBI, NSA, CIA, DIA, said Wi-Fi was a bad idea. People were doing war driving, they were going around, they were hacking in the systems, you could, you know, literally, the headlines in Michigan, people were getting into Home Depot, and Lowe’s cash registers from the parking lot because the Wi-Fi wasn’t secure. All these stories, you know,

Patrick Spencer (17: 34.947)

Let’s go and tell the audience, they may not all be familiar with it.

Dan Lohrmann (18: 03.557)

war driving. So I told my boss who was uh Terry Takai at the time who became CIO uh it was CIO in Michigan, she was CIO in California, would become CIO for US Department of Defense, DOD, very accomplished woman um she said why won’t Wi-Fi in all of our state conference rooms and I’m like well I’m against you know we can’t do this not secure I’m canceling this project. Well

You know, Terry, like literally in the middle of a government meeting said, I want everyone to leave the room, but Dan, they all get up and run out of the room. Terry comes down, looks me in the eye. And I mean, I was shocked, right? I had all these reasons why we shouldn’t do this. And she’s like, if that’s your answer, you can’t be the CCO in Michigan. And I’m like, Terry, let me explain. You know, things, Dan, don’t stop. You know, I’ve read those white papers. I know the headlines.

Tim Freestone (18: 35.484)

Hehehe

Dan Lohrmann (18: 54.161)

But I’ve been to Dow, Ford, Chrysler, and GM, they all have Wi-Fi in their conference rooms. What do they know that you don’t know? I’m giving you one week to figure this out and come back with a plan or I want your resignation. So for me, this was like a shocking moment to see so in Michigan. I was lost my job, right? I’m like, whoa, you know, my team’s like telling me not to do this. I mean, long story short, we did Wi-Fi, we put a plan together, we rolled it out, we put it in all of our state conference rooms.

Two years later, we win the award for top Wi-Fi in the nation for all 50 states. It was a huge success. We said, what is Dan telling me this 20 year old story for? Well, guess what? The same thing became true for cloud. The same thing became true for bring your own device to work. Same thing became true for IOT, internet of things. Now it’s true for AI, which is, CISOs are known for saying what? The answer is no, what was the question? The answer, and so CISOs are known for, no, we can’t do that. The answer is no.

Tim Freestone (19: 42.289)

I think.

Tim Freestone (19: 48.337)

Yeah

Dan Lohrmann (19: 51.877)

You can’t do Wi-Fi, you can’t do cloud, you can’t do IoT, you can’t do BYOD, you can’t do AI. Why? Because it’s not secure, it’s all these problems. And so the challenge is how to see so as get to yes on time, on budget with the right level of security. That’s our challenge. And so we got to look at our peers, we got to see how other people are doing it. Same thing with supply chain, to answer your question Patrick, this is the challenge of our day. So at one level, everything is changing around us.

Tim Freestone (20: 09.021)

Mm-hmm.

Dan Lohrmann (20: 21.073)

At another level, this is just another rendition of the same, you know, CISOs can’t just be doctor, no, they’ve got to get to yes, but how can they do that in a secure way? And I think with, you know, yes, the supply chain, the attacks, the challenges are going to get faster and faster and faster, and we just have to, you know, be able to adjust to that and continue to learn and grow. And that, in a sense, like I said, history is repeating itself.

At the same time, it’s all new and it’s all different.

Tim Freestone (20: 53.492)

So with generative AI, that’s the one that has blossomed in the last year and everybody’s talking about, right? With that, there’s the in the wild AI, generative AI, which you talked about like chat GPT and things like that. But a lot of companies, at least I hear, I haven’t seen it yet other than here at Kiteworks where we’re driving an initiative.

Dan Lohrmann (21: 00.261)

Yep, absolutely.

Tim Freestone (21: 18.576)

are spinning companies are spinning up their own internal enterprise AI systems that is trained and fine tuned on their data. A lot of it private, a lot of it personal, a lot of it confidential. How, how are you hearing or are you hearing that they’re insuring? Cause at the end of the day, it comes down to the data layer. Can you control the data that goes into the machine? And can you control the data that goes out of the machine? And then can you track who did what in between the two? Right? It’s as simple as that. But.

Applying that simple practice to these AI systems, what are you seeing people do tangibly? They’re executing this security system in order to protect their enterprise AI, or is it too early?

Dan Lohrmann (22: 01.765)

I mean, largely in the world that I’m working right now, I have a lot of anecdotal stuff like you guys mentioned, Tim, with Fortune 500 companies, Fortune 100 companies that are doing exactly that. I know of states, I’m not gonna name names, that are piloting stuff. I haven’t seen a lot of POs being cut to Microsoft or Google or OpenAI and others to actually do that yet. I think we’re going to be there 24 and beyond, 25, 26.

Tim Freestone (22: 09.659)

Yeah.

Tim Freestone (22: 28.144)

Hehehe

Dan Lohrmann (22: 31.269)

I think that’s the goal. I think that is the answer is, yeah, you need your own data, your own control. If I can, you know, ring around my state, my data, I control the inputs and the outputs and all of it. What I, like I said, I know number of governments that I’m working with that are in the testing phase is now, they’re doing pilots, proof of concepts, and they’re.

just, you know, and that’s clearly what Google and Microsoft and others want you to do. I mean, they, you know, kind of almost like the free, the free slice of chocolate is chat GPT or, or Bard or, or Gemini. You know, that, and that’s, and the goal, the, the Fudge Shop doesn’t, doesn’t make money if all you do is eat free samples. Um, you know, they gotta get you to the full paid version of it, which is where they really, where this thing is going. It’s just getting there.

Tim Freestone (23: 12.361)

one three.

Dan Lohrmann (23: 29.265)

is going to take time. And I think, as I said in my prediction report, I put a new prediction report out every December and for government technology magazine in my blog. And, Gen.ai wasn’t even on the top 10 list last December for 2023. It was not even there. Now it’s like the top of everything for everybody’s list. So it really, it wasn’t like, oh yeah, we had $2 million in our budget identified for 23 to go buy Gen.ai tools.

Nobody had that. Nobody that I talked to. Now if you did it, they’re rushing out and they’re getting that money and they’re building the budgets now and they’re doing the proof of concepts. And I agree with you on your premise 100% Tim. I think that’s where we’re going. And if I can control the data and I can control, you know, I mean all these examples being shown to governments around the country and the world about, you know, totally redoing people, processing technology around Medicare and Medicaid taxes.

Tim Freestone (24: 01.126)

Right.

Dan Lohrmann (24: 25.809)

road systems, you name it, I think it’s gonna revolutionize it, but I think these are very early days for them.

Tim Freestone (24: 29.061)

Yeah.

Tim Freestone (24: 34.684)

Hmm. Okay.

Patrick Spencer (24: 34.95)

Do we really understand the risk? Tim and I had a conversation with CISO a few months ago, I believe it was, who put GEN.AI risk down near the bottom of his list of priorities. Should that be the case? Or is there just a lack of understanding as to, you know, the risks that actually exist when it comes to GEN.AI and, you know, employees ingesting, you know, IP, personal data, PHI, you know,

manufacturing schedules, I mean, the list is almost endless, right? When it comes to confidential information.

Dan Lohrmann (25: 07.085)

I would put Gen.ai at the top of the security risk list right now. A lot of people, I did a poll with Gartner’s, I don’t know what they call it, their ambassador program. We put a poll out and the number one thing was still fear of cyber threats from ransomware and from zero days and malware. But number two was Gen.ai out of like seven items for next year. So I mean, clearly, the zero day that hits you that brings you ransomware to your enterprise.

is probably still at the top of the list. But I think the people that are saying that GEN AI risk is low aren’t doing GEN AI. And or they don’t have a governance in place. They don’t know what they don’t know. I’m sorry to say that, but that’s just the… So the first thing I say to CISOs around the country in the public and private sector,

Tim Freestone (25: 48.264)

Thank you.

Dan Lohrmann (26: 01.585)

Do you have visibility into what your staff is doing? Whether you have 100 staff or 100, 000 staff. Do you know what your end users are doing when your networks? Do you have any visibility into where they’re going, what they’re uploading, and you better care if they’re uploading all your code and testing it out on some website. That’s your intellectual property, that you better care about your data, you better care about bias and all of these things. And then even the outputs.

Do you control that intellectual property? Can you use that as an output if it’s from a free site, from a free website? I still think the current, my view today, right now, December 23, the biggest risk from Gen.AI is all the free apps that all your staff are using right now all over the world. That’s, to me, the shadow IT issue is not getting enough attention.

and CISOs don’t understand even what’s happening. And so how you’re gonna govern that, how you’re gonna manage that, and not just say no, you can’t do it, because unfortunately that’s gonna get you fired as well. So how do you manage it, how do you govern it, how do you control it, and then getting towards what Tim just mentioned a few minutes ago, which is towards an enterprise version where we control the data, we control the perimeter, we own the intellectual property, we like…

the licensing agreement that we have with Google or Microsoft or whoever it is, and our lawyers agree that this is all legal, etc., etc. That to me is the big challenge and the risk in December 23rd.

Tim Freestone (27: 41.444)

Good, interesting. I could talk honestly for 10 hours just on this one specific topic and have. Because it’s, I actually, yes, it’s a security issue and enterprises can.

Dan Lohrmann (27: 46.589)

I’m going to go ahead and turn it off.

Patrick Spencer (27: 52.298)

Don’t get him started, Dan.

Dan Lohrmann (27: 55.613)

I’ll be here as much. I mean, guys, feel free to disagree. That’s what gets your audience excited, you know? I’m sure there are people out there that disagree with me.

Tim Freestone (28: 01.624)

No, no, yeah. I agree with you. I’m just concerned that the government, generally, is a little bit behind, not by any lack of capability, just because of bureaucracy. And the mainstream. But even the mainstream I’m looking at, thinking, you don’t really understand how truly transformative

Dan Lohrmann (28: 14.501)

No.

Tim Freestone (28: 28.208)

Gen. AI is. If it isn’t your number one priority as a business, ergo your number one priority is from a cybersecurity standpoint, you just don’t get to your point earlier about the other CISO we were talking to. And I don’t even think it’s early adopters. Like you’re starting now, you’re a late adopter in terms of consuming what can happen. So it’s got to be what 2024 is about from an enterprise security standpoint.

Dan Lohrmann (28: 47.326)

I totally agree. 100%.

Tim Freestone (28: 56.644)

Or 2025 is gonna be so painful for everybody who doesn’t prioritize it. That’s all.

Dan Lohrmann (29: 01.205)

I agree, Tim. I mean, and I think, you know, but I think a lot of the questions that people are asking about closed systems and what about this and what about that is like, I would just say, if you cut a PO for multiple millions of dollars, I’m dealing with large enterprises now. I’m not talking about, I don’t know any small enterprises or small, you know, local governments with 30 employees that have the money to go buy their own, you know, LLM or whatever.

I mean, I, it’s just good luck with that. I mean, not currently. And I do think there’s some, there are models that the big tech companies are coming up with, you know, whether that OpenAI and others, whereby you can have like a government LLM or, I think those things are coming. I think there’s new models coming, but I don’t think we’re there right now.

Patrick Spencer (29: 34.182)

are filled with themselves.

Patrick Spencer (29: 54.878)

You think we can regulate? Good Tim. No, I was about to ask Dan if-

Tim Freestone (29: 55.9)

So how much time do we have left, Patrick? We… Go ahead. No, I just wondered how much time we have left. By the way, we edit these and we clip stuff out and stuff.

Patrick Spencer (30: 04.974)

there, which we’ll do to this piece.

Dan Lohrmann (30: 05.149)

Sure, yeah, I’ve got another 10 minutes, guys, if you wanna go further on some other topics and talk about my career or other things you wanna talk.

Patrick Spencer (30: 11.049)

Okay.

Patrick Spencer (30: 16.43)

Well, I have one more question for you, Dan, on the AI front. What opportunities exist and how successful do you think we will be in terms of regulating AI and the risk associated with it?

Dan Lohrmann (30: 34.541)

Yeah, I mean, not very in my opinion. I mean, I think we do. I think we will try. And I agree with Elon Musk and others that, you know, it’s needed and we need guardrails. I just, I think that there’s a number of different moving parts. You know, we’ve talked about, we need a GDPR in the United States and

Tim Freestone (30: 41.685)

Next question.

Patrick Spencer (30: 42.39)

That’s our thoughts.

Dan Lohrmann (31: 04.293)

We can’t get Congress to agree on that. You know, again, I work a lot in the federal, state, and local government markets. And we’ve been talking about one privacy law in the United States since GDPR came out, right? And that still hasn’t happened. And I don’t have a lot of hope it’s gonna happen in 24 because of the election year and the politics. Just on any range of issues, can’t agree on the border. We can’t agree on funding for different, you know, Ukraine.

Israel, I mean, all those different issues are out there. And so I think the politics of it, although I think generally cybersecurity does tend to be a bipartisan issue that no one wants to get hacked. I think the challenge of agreeing to regulation on this and is difficult. And so clearly the EU has come out with regulations around AI, which are much more stringent than ours. And I think the challenge there of course is

A lot of the companies are pushing back on that and saying it’s too much and it’s gonna stifle innovation, etc. So um, I Guess I just you know Some people also say regulation is for the people that are played by the rules and the bad guys aren’t playing by the rules And so I think the challenge around that is going to be huge and I really I think we’re gonna have regulation. I think it’s gonna come I’m not real

Dan Lohrmann (32: 30.07)

optimistic that it’s gonna be effective.

Tim Freestone (32: 33.496)

A lot of times I think it can be useful in terms of helping people understand where to think and what to think about in the least, the regulations, people being corporate leaders and CISOs and things like that. But actually applying them, managing to them, I’m glad I’m not on that committee. That’s just…

Patrick Spencer (32: 33.667)

now.

Dan Lohrmann (32: 58.657)

Yeah, it’s a challenge. I mean, listen, I’m not saying I’m against regulation. I think we absolutely need, you know, as people have said, this is, you know, it’s been, you know, you’ve, you’ve heard all the quotes guys. You’re really smart. I mean, I, it’s been compared to, you know, nuclear bomb. It’s been, you know, it’s being compared to, you know, regulations we have on roads and, and cars and automobiles and planes and trains and, and certainly that those are all fair.

Tim Freestone (33: 02.632)

W H A T

Dan Lohrmann (33: 27.993)

And so do I think we’re gonna have to have regulation around it? Absolutely. I do think that the bad actors are gonna really push the issue.

Patrick Spencer (33: 41.774)

They’ll find their way around it like they always do, right? We have a couple of minutes left here. Dan, you referenced your predictions report. I think it would be helpful for the audience to hear about a few of your predictions beyond AI that are contained within that report.

Dan Lohrmann (33: 57.741)

Yeah, it’s coming out soon here and just so people understand, these aren’t Dan Lorman’s predictions, what I do every year, I started doing this just over a decade ago, is I started realizing that a lot of the vendors out there were putting out amazing reports that certain organizations, which again I like Gartner and Forrester and a lot of them, but they charge a lot of money to get their reports and their predictions and there’s a lot of other great companies out there that do a great job.

And I’d often say that it’s worth the money, but many, many companies going back, you mentioned Symantec, Patrick, way back when, but Symantec and McAfee, but now even all the way down the list, Trend Micro, WatchGuard, Google Cloud, all these vendors come out with these really comprehensive reports. And it’s not just kind of like wishing in the wind and sticking your finger up and predicting the weather. I mean, a lot of research goes into these trends, what they’re seeing out there globally.

You know, reports can be very comprehensive. Some of these reports are 15, 20, 30, 40, 50 pages, which are like free white papers on very in-depth views on these topics. And so what I’ve done is I started putting together, you know, what are the top reports, you know, based on research. And again, we can’t, we’re predicting the future. So you can’t necessarily know who’s gonna be right. Sometimes, you know, the novice is right and the expert is wrong, but.

What are the trends across industry, across vendors? What are people saying are coming next? You know, and like I said, last year, we didn’t have anybody predicting Gen. AI was gonna be top of the priority list, and this was the year of Gen. AI, in my view, in the cyber industry. So, certainly things could be coming, things like around quantum computing and encryption could hit. There’s lots of things around that, a lot of discussion around space vehicles and attacks.

a lot around the wars that we’re facing in Ukraine and Israel and around the world, the challenges with that. But the report really kind of ranks and lists a lot of, and it points you to a lot of great reports that are out there and the predictions that people are making. And it’s called the top, this year’s going to be the top 24 security predictions for 2024. Every year that goes up one, next year it’ll be 25. But it’s fascinating. The numbers keep going up.

Dan Lohrmann (36: 20.341)

And I just encourage readers, you know, that’s more important than any individual prediction. Learn, read the reports, learn from them. These are free. They literally, I know, tens of thousands and hundreds of thousands of dollars are poured into this research. It’s available. I do it every year because I love to learn about what’s coming. Sometimes they’re wrong, sometimes it’s not the next year, sometimes it’s two years out, three years out. Sometimes it’s, sometimes they totally blow it.

Other times, you know, it’s amazing though how they miss things like I said Nobody was predicting this gen AI chat GPT going crazy like it did this year a year ago So, um, I do think we can learn a lot we can grow and as security one thing I’ve seen People I’ve had different over the years people say to me. This is a waste of time. It’s a waste of money Why are we doing this and yet people have been making predictions for thousands of years and it’s not going away anytime soon

So get on board the train. I mean, people will keep predicting the new year. There’s a fascination with predictions in our country and around the world. And there’s a lot of really great reports that you can read and learn from. So I just encourage people to read your report, other people’s reports, read the predictions. And even if you disagree, that’s fine, but you’ll learn through the process. And that’s why I go through this every year. And I really…

Tim Freestone (37: 19.356)

Thank you.

Dan Lohrmann (37: 44.325)

Publish it at loramandoncybersecurityatgovtech.com.

Patrick Spencer (37: 48.886)

That’s great. I’m sure our audience, they will definitely want to check that out. Now your, your background, so they just go to LinkedIn to engage with you, Dan, or what’s the best way to get in touch with you.

Tim Freestone (37: 49.137)

Awesome.

Dan Lohrmann (37: 59.613)

Sure, that’s absolutely, you know, you can. Just real quickly, I was in NSA, I was in England with Lockheed and Manzac in the 90s, and then 17 years in Michigan government. And a lot of different roles, as you mentioned, in the private sector now with Presidio and Field CISO, but happy to engage with people on LinkedIn. Please reach out, connect with me. And also you can, again, at GovCSO and Twitter or X. Now I’m out on that platform as well.

Patrick Spencer (38: 30.754)

Dan was a CISO before it was cool being a CISO. Dan, it’s always great to talk to you.

Tim Freestone (38: 31.569)

Great.

Tim Freestone (38: 35.003)

Hehehehe

Dan Lohrmann (38: 36.805)

Yeah, I mean it’s been a ride. It’s been a ride. And I was the first state government CISO of all 50 states back in 02. So it’s been 21 years I became a CISO and yeah, so I think there were some private sector ones before me and maybe even a Fed or two, but in the state government world that was kind of groundbreaking at the time as we became the Michigan Chief Security Officer and Chief Technology Officer in Michigan as well.

Tim Freestone (38: 45.829)

Oh well.

Patrick Spencer (39: 04.114)

I remember that. Well, we got to make sure that much time doesn’t pass before you and I speak again. It is a pleasure to reconnect with you, and we appreciate your time today.

Tim Freestone (39: 14.885)

Yeah, thanks, Dan.

Dan Lohrmann (39: 15.013)

Thank you so much for having me guys, and I’ll make sure I link to this, and also make sure you link to your predictions for 24. Thanks.

Patrick Spencer (39: 23.214)

That’d be great. Well, for our audience members, you can check other Kitecast episodes at kiteworks.com slash kitecast. Thanks for joining us today.

Tim Freestone (39: 23.459)

Awesome.

Dan Lohrmann (39: 35.717)

Thank you.

Patrick Spencer (39: 37.803)

Perfect.