Separating AI Hype From Reality in Cybersecurity

Patrick Spencer (00:00.337)

Tiger time.

Alan Shimel (00:03.495)

Okay, go ahead.

Patrick Spencer (00:04.752)

Alright, perfect. Hey everyone, welcome back to another Kitecast episode. We’re in for a real treat today. Alan Schimel is joining Tim and me today. Tim, how are you doing today?

Tim Freestone (00:15.223)

I’m good, how you doing Patrick?

Patrick Spencer (00:16.984)

Doing well. It’s Friday. Uh, super bowl. It’s right around the corner, right? Um, Alan, thanks for joining us.

Tim Freestone (00:19.15)

Yay.

Go Niners!

Alan Shimel (00:26.646)

Thank you, it’s great to be here guys. And you know, I don’t have a horse in the race in the Superbowl this year. I’m looking forward to it. Sometimes it’s better to watch a football game that way.

Tim Freestone (00:32.039)

Yeah.

Patrick Spencer (00:32.868)

Yeah.

Tim Freestone (00:37.525)

Yeah.

Patrick Spencer (00:37.728)

Yeah, that’s very true. Well, everyone, many of you may be familiar with Alan as you listen to his various podcasts, his webinars, you read some of the stuff he writes. He’s been in the industry for many, many years. He’s the CEO and founder of TechStrong Group. It’s a global platform that powers tech innovation and transformation and empowers experts and professionals to create content across various media research and consulting brands. These include.

Devops.com security Boulevard cloud native now tech strong AI Tech strong TV I could go on there’s others that then Alan’s constantly adding to the portfolio He also is the editor-in-chief and founder of devops.com Was the co-founder of devops Institute which I think you guys recently sold a few years ago, right Alan?

Alan Shimel (01:29.371)

About a year ago now. I think the end of this month will be a year.

Patrick Spencer (01:33.136)

Yeah, and we can talk a bit about that. I could go on and on. He’s, you know, he has a Juris Doctorate, so we got to watch what we say to him today. New Yorker, he’s a graduate of St. John’s University.

Alan Shimel (01:45.642)

Absolutely. Go Redmond. Actually, that shows you how old I am. I won’t say Redmond. It’s not Redmond. It’s the Red Storm.

Patrick Spencer (01:48.004)

So I don’t know, maybe.

Tim Freestone (01:51.573)

Yeah.

Patrick Spencer (01:55.188)

Well, I think all of us have some white and gray hair, unfortunately.

Alan Shimel (01:58.238)

Yeah, no, but politically correct, they changed the name. It used to be the Red when I was there.

Tim Freestone (02:00.831)

Yeah, they do, yeah.

Patrick Spencer (02:05.003)

So Alan, not everyone in our audience may be familiar with what you guys are doing over at TechStron. Maybe a good starting point would be to talk about what the organization does. You’ve been around what, nine years? It’s evolved over nine years.

Alan Shimel (02:16.618)

Yeah, this is actually March 14th will be 10 years. It’s been published for the first time at DevOps.com. So TechStrong and TechStrong group is, uh, you know, we use the word omni channel, we, we produce and distribute content, right? But our content is very, very focused in the areas of DevOps, cybersecurity, a cloud native, um,

Patrick Spencer (02:20.248)

Hmm, wow.

Alan Shimel (02:45.922)

digital transformation and now AI, right? Because everything’s AI. And we have plans, actually, I can’t announce it yet, but I think we’re gonna have a new site within the next 60 days. And another, same kind of thing though, an adjacent area of technology.

Patrick Spencer (03:01.017)

Oh wow.

Patrick Spencer (03:07.02)

Interesting. So you guys do cover just a broad breadth of stuff, but you’re as a you’re a media company as well. I don’t think Tim and I have interviewed or done that.

Alan Shimel (03:15.926)

Right. Well, that’s the distr… Well, it’s creating content and then distributing content. Now, we distribute content that we didn’t necessarily create, right? That’s part of that media thing. But, I mean, at the end of the day, our mission is to educate and inform our audience, which it’s a worldwide audience. I mean, I could go through numbers, but we, you know, we serve up.

to millions of people over the course of a year. And about 52% of those people are managers or above at their organization, which means 48% aren’t, right? And so it’s a good mix of practitioners, managers, C-level, et cetera. And those are our, I call them our eyeballs, though now they’re more ears as well as eyeballs. And

They listen, they watch, they read, but it comes out great. And we just produce a lot of content. We have TechStorm.tv that produces, I don’t know, 12, 15 hours a week of video content. Not to mention how many articles get published on the various sites. It’s a lot.

Tim Freestone (04:33.483)

So you, um, just to have an insertion question before we get into a lot of tech stuff, just around your business, you mentioned you’re, uh, starting or recently started AI, probably AI and tech, but you’re a content business. Are you, are you guys exploring twofold? One, how AI can help you generate more quality content. And then the B part of that is, are you seeing an impact from all the non-quality content that other companies are?

jamming into the website because I imagine SEO is a big hook to your readership and exposure.

Alan Shimel (05:08.178)

Yeah. So number one, are we looking at using AI? Absolutely positively. I use AI every day. Okay. So, and anyone who tells you knows lying. That being said, you know, we actually, I recorded a segment for Textron TV today about an article that was in, I think Textron AI this week before, which is.

Tim Freestone (05:16.587)

Yeah. So do we.

Tim Freestone (05:23.936)

Right.

Alan Shimel (05:36.494)

AI generates crappy code for the most part. It generates a lot of code. They’re saying now, what is it? 60% of all the code being done on the internet has AI fingerprints on it. Doesn’t mean it’s good code. And it’s the same thing with content. Just cause you can, doesn’t mean it’s good or you should. Um, we’ve instructed our writers and then even people who submit, you know, bylines and so forth.

Patrick Spencer (05:48.173)

Yeah.

Alan Shimel (06:06.486)

that if it smells kind of AI-y, like AI wrote it, because you know, I’m not claiming I can spot AI generated stuff, but generally, when it gets too flowery and stuff like that, you could see it. And we’re trying, you know, we’re telling people we don’t want AI generated. It’s okay to, I think.

Tim Freestone (06:24.177)

Mm-hmm.

Patrick Spencer (06:29.776)

Mm-hmm.

Alan Shimel (06:35.362)

The state of AI, now there’s two things you do here. One is you ask it to start your content. So it gives you sort of a base and then you add your special sauce and edit it and change it, but at least you got something to start with. Or the other way, you write it and then give it to AI to kind of polish up maybe a little bit, make it more persuasive, make it shorter, longer, or whatever you wanna say.

Tim Freestone (06:50.195)

Yeah. The other way.

Alan Shimel (07:04.21)

You know, but I’m not naive enough to think that people aren’t using AI and trying to game the system. Again, that was a discussion we had on Textron Gang today that supposedly there was a recent announcement, I think from Google and some others, that they’re gonna have a service now that will spot AI-generated content out there. The Dali project, which is through OpenAI, their graphics.

Tim Freestone (07:27.055)

Mm-hmm.

Alan Shimel (07:32.366)

process, a generator, a sugar generator, is now starting to put watermarks in to what they generate that says, hey, this was generated by an AI tool. I think there’s always a gap. I actually learned this in law school. There’s always a gap between technology and society catching up to it. We’re in that gap right now.

Tim Freestone (07:33.661)

Mm-hmm.

Patrick Spencer (07:34.285)

Yep.

Patrick Spencer (07:44.282)

Yeah.

Alan Shimel (07:57.19)

AI, the technology is racing ahead. And we haven’t caught up to it from a legal point of view, from a societal usage point of view. Because people run as fast as they can with stuff, right? And it takes… But I think that’s a…

Tim Freestone (08:11.042)

Yeah.

Patrick Spencer (08:13.436)

You’re a CISO, Alan, or a CIO, or risk officer and so forth. You’re just inundated with all this content because as you point out, AI, there’s a bunch of folks who are using it. Some are using it in good ways, you know, that are making their content better. Uh, more readable, they’re getting more research. Uh, you know, it’s beneficial for them as well as the actual, uh, listeners or the readers, but you also have a bunch of stuff that’s just inundating their ways. That’s fluff.

Alan Shimel (08:29.419)

Yup.

Patrick Spencer (08:41.976)

doesn’t add a whole lot of value. Where do you go if you’re a seasoned, there’s all this stuff out there. I mean, there’s places like TechStrong and what you’re doing that has quality content, but how do you, there’s only so much time of the day. How do you find those sources and then stay up to speed?

Alan Shimel (08:58.23)

You know what, this is a problem. It’s a problem in tech, but it’s a problem in society and in the world. How do you ascertain quality content? When the three of us were younger, I remember when cable first started coming out. Before cable, I lived in New York. I had, I think, five channels, maybe six channels. Right?

Tim Freestone (09:05.643)

Right. Yeah.

Patrick Spencer (09:06.692)

You know.

Tim Freestone (09:25.773)

Mm-hmm.

Alan Shimel (09:26.462)

And the news was the news was the news. You could have, you know, Uncle Walter or Dan Rather when he left and, you know, Tom Brokaw and whoever was on ABC and then. Yeah, but it was easy. You didn’t, you know, you didn’t have the dilemma that you have now, which is how do I know what’s real? How do I know what’s true? How do I know what’s quality? And it’s a deficit, not just in America or in the world.

Patrick Spencer (09:37.009)

or contract, right? We’re dating ourselves, Alan, now.

Alan Shimel (09:58.226)

of all the riches that we have with all this content, separating our quality is hard. And I think that leads to a lot of the problems that we have in this world.

Tim Freestone (10:11.923)

Yeah, I think one of the things, um, not to go down too far in a rabbit hole, but I’ve thought about this quite a bit recently from a w how do you know what you know, and I think there’s a couple of layers here, content without supporting data points, it’s just words in the world. You know, there’s no, there’s nothing, there’s no reference point to the, let’s say, call it the perspective. But if you have content, I don’t care who creates it.

and then supporting data points that validate it, then you’ve got trustworthy information. And then it’s just, well, where the data points come from. And then if you find where the data points come from and it’s a reputable source that does, you know, surveys across different dynamics of whatever that data point is related to, then you’re good. But the problem is it takes work. You know, you can’t just be one of those.

people that just sort of let the world wash over you with information and assume everything’s okay. You’ve got to make it a point, you know.

Alan Shimel (11:19.187)

Oh my god. And honestly, I think kids coming up today, I look at my kids who recently graduated college and stuff, maybe because they’re digital natives, they do that better than we do. They tend to, they don’t just blindly believe everything they hear, see, or read. And for the most part, I think they just

Tim Freestone (11:31.663)

Mm.

Tim Freestone (11:39.895)

Oh, that’s good.

Alan Shimel (11:44.534)

They don’t take it for granted where a lot of us do, I think.

Tim Freestone (11:49.708)

Yeah, me maybe.

Patrick Spencer (11:49.836)

Our sources are limited. They have a lot more sources to look for and evaluate.

Alan Shimel (11:53.453)

Yep.

Tim Freestone (11:53.503)

Yeah, there also might be generation gaps there that kind of swap, generation, my kids are 13 and 11. And so, you know, we have the, our iPhones are toggled to parental controls and things like that. But man, when they get that one hour of social, it’s just a flood of absolute facts that from their perspective.

Alan Shimel (12:15.254)

down the hatches. Well, here’s the thing. They’re 13, 14. By the time they’re 18 and 20, they will have had the opportunity to say, you know, that’s not, it’s hokey. Now, I think AI is going to screw with that in a bad way because

Tim Freestone (12:29.96)

True. Yeah.

Alan Shimel (12:41.162)

You know, with AI, you can make stuff look pretty real with deep fake. I don’t know. We had an article in security Boulevard last week. I don’t know if you heard this story about some bank branch manager. I think it’s Singapore or Asia anyway. Gets a video call from the CFO of a client of theirs, of the bank.

And it’s the CFO and two other people from the company. And they tell them they’re doing a big deal and they need to transfer $20 million. The way they were transferring was a little out of the ordinary. That’s why the CFO was zooming in. Well, it was him and why they were doing it that way. Cause otherwise the bank wouldn’t do it. And the bank manager was the CFO talking to him. He saw him in the zoom and everything. He sent the 20 million. Well.

Tim Freestone (13:15.941)

Mm-hmm.

Patrick Spencer (13:17.892)

Hmm.

Alan Shimel (13:31.422)

It wasn’t the CFO, it was a deep, right? Made up.

Patrick Spencer (13:32.896)

Artificial avatars. Yeah.

Tim Freestone (13:36.299)

No, I hadn’t read that. I will look for that though, because that’s incredibly scary.

Alan Shimel (13:39.338)

Well, look, you know, 20 million, and 20, and you know, once you wire money, good luck getting that back. $20 million.

Tim Freestone (13:44.439)

Done. Yep.

Patrick Spencer (13:44.632)

That’s gone.

Tim Freestone (13:48.585)

Jesus.

Patrick Spencer (13:50.36)

Hey, Alan, you probably saw the announcement yesterday, and then there’s sort of been a series built, building up over the last three or four months from the government. We have the NIST, I forgot exactly, that’s focused on safe AI that was just announced yesterday. Do you, we’re gonna try to regulate this stuff. You’ve been in this space a long time. Is this gonna work? Is it gonna partially address the problem? You have an opinion there?

Alan Shimel (14:10.07)

Yeah.

Alan Shimel (14:19.522)

Do I have an opinion or a wish? Yeah, I wish it would work and we could. But let’s look at the history of compliance and security and stuff like that. Let’s take PCI. I mean, PCI did a lot of good things, but around keeping credit card numbers safer. But how much? Yeah.

Tim Freestone (14:41.912)

Mm-hmm.

drove the WAF industry.

Alan Shimel (14:47.934)

Well, it probably did even better. It did even more. Now with APIs, we bypass it. But.

Alan Shimel (14:56.938)

You know, I always think of compliance as lowest common denominator security, right? It’s the minimum of what you should do. Maybe it’ll pass the reasonableness test when you get called into court that I didn’t, you know, by following the minimum of what I had to do on for compliance, I wasn’t negligent or criminal negligent or something like that. But it certainly doesn’t represent best practices.

Tim Freestone (15:05.379)

Mm.

Alan Shimel (15:26.058)

And I think that’s what you need to remember when they pass these kinds of things like oh, safe AI or the S-bomb stuff for software supply chains, stuff like that. That’s the low bar, not the high bar, guys. Right? And we need to shoot for the high bar.

Tim Freestone (15:36.589)

Yeah.

Tim Freestone (15:45.615)

But yeah, people still seem to struggle people. Um, it professional side, struggle getting the low bar then. Right. It’s.

Alan Shimel (15:56.49)

Well, yes, they do. They do.

Tim Freestone (15:58.411)

Yeah. And that’s not, uh, I don’t know. That’s not saying a lot.

Alan Shimel (16:02.774)

No, it’s been, I’ve been in security 25 plus years. It’s been that way the whole time, unfortunately. Though I think we’re better. I think we do, I think we’ve done a good job. Things like DevSecOps and stuff have made security like we always wanted to say, security is everyone’s responsibility. I think we do have that now. People are more security conscious, but they’re not security admins. They’re not security pros. Don’t expect them to be.

Tim Freestone (16:26.755)

Yeah.

Tim Freestone (16:32.179)

Yeah. I mean, that’s part of that is, you know, obviously the, um, lack of skills and professionals to do the job.

Alan Shimel (16:33.474)

So, thank you.

Alan Shimel (16:40.478)

Well, that’s a whole other thing, the skill gap. But yet, you know, the biggest thing I hear from kids, I call them kids, from people breaking in, then these are people who, like, not like us. They went to school and took cybersecurity classes at an area concentration of majors in cyber.

Tim Freestone (16:52.939)

Right.

Alan Shimel (16:58.05)

They can’t get jobs. They’re like, yeah, the biggest question we hear from people like that is, how can I get into, how can I gland my first job? Because every job wants three to five years of experience. Right? So they say we have a skills gap, but they don’t give people the. So, I’m gonna go ahead and say,

Tim Freestone (16:59.617)

Yeah, really.

Tim Freestone (17:09.757)

Oh, I see, yeah, yeah.

Alan Shimel (17:16.578)

the opportunity to on ramp those skills. You’re not born with three to five years of cybersecurity experience. It’s like the old, when I first launched devops.com, that was around for two or three years, the whole DevOps thing, and all these jobs for DevOps engineers wanted five to 10 years of DevOps experience. It was not five to 10 years, but anyway, I think that is a big part of our skills gap.

Patrick Spencer (17:36.557)

Yeah.

Tim Freestone (17:39.666)

Yeah.

Patrick Spencer (17:47.332)

Our daughter’s about to finish her MBA in a couple of months. And I’m seeing a few of the jobs that she’s applying for in there. They’re just as you described five, six, 10 years of experience. Your job, you know, 10 years ago, it was an entry level position, but people like Tim and me were demanding. We want to hire people who are experienced. If the marketplace supports it, we’re going to ask for it. And the same thing applies in cybersecurity.

Alan Shimel (18:09.294)

Absolutely. But in cyber, I don’t know, you know, this is why we have a skills gap. That’s why we can’t fill the jobs until we, I think, get real about that.

Patrick Spencer (18:22.728)

Speaking of AppSec in past years, you and I’ve talked about AppSec, with AI, AI is sort of transforming how AppSec is done. It’s made it a lot easier, a lot faster. It lowered that bar in terms of the entry point, but is it improving security? What’s your opinion on that front? Where are we headed?

Alan Shimel (18:46.734)

So quick plug, this year at RSA conference for the, I think eighth or ninth year, we’re doing the DevSecOps event on Monday at the Moscone Center with RFA. And of course, this being the year of AI, this year our focus is DevSecOps and AI. And to a large degree, DevSecOps is AppSec, right? It’s about securing that application, maybe further left.

Tim Freestone (19:02.829)

Mm-hmm.

Alan Shimel (19:14.154)

and all the way through deployment and post-deployment. So AI is having a huge impact there.

Tim Freestone (19:20.579)

Do you think it’s going to take out some businesses who have created non AI based, um, you know, antique coding approaches to, uh, finding and fixing vulnerabilities. And you know, when, what do you think is going to do the industry? Yeah.

Alan Shimel (19:38.358)

So the simple answer is yes. Look, again, it’s about low bars versus high bars. If you do a basic code review sort of analysis.

Tim Freestone (19:51.747)

like sassed and stuff like that.

Alan Shimel (19:55.37)

I think AI is going to do that really easy. It, you could do it now. You take, I don’t know if you ever played taking code and putting it in the AI and say, show me vulnerability, show me what every syntax here means and does. It’s probably the greatest way to learn a code I’ve ever seen in my life. And it’s the same thing with finding kind of rudimentary stuff.

Tim Freestone (20:02.572)

Yeah, yeah, I have.

Tim Freestone (20:12.915)

Agreed. Yeah.

Tim Freestone (20:18.503)

Yeah. We have an old colleague that we used to work with, Sarag Patel. He started a company called Pixie that is basically just springboarded off of, they got in at the right time, I think. And, and it’s all AI driven, you know, uh, find and fix. Um, it’s incredibly fast. And there’s just a lot more of those happening. So if I look back at, you know, the impervas and the synopsises and things like that, that have kind of these.

Alan Shimel (20:28.252)

Mm-hmm.

Tim Freestone (20:47.399)

older models and older businesses around that, I think are going to be a little bit in trouble, to be honest.

And we’ll see.

Alan Shimel (20:54.906)

I don’t doubt it. And I think that sort of outlook goes beyond security companies. I think there’s a lot of companies in observability and what we used to call APM, application performance, monitoring, and management. SIEM stuff is another one. Because I think what’s going to happen, you’re going to see, is what we were calling AI ops and machine learning.

Tim Freestone (21:02.838)

Yeah.

Tim Freestone (21:11.797)

Mm-hmm.

Tim Freestone (21:15.808)

Yeah.

Alan Shimel (21:23.434)

is getting better every day. And that becomes a driver that then generative AI, it’s sort of like how you need a fission nuclear device to set off a fusion nuclear device, right? You need a regular driver. Yeah, well, I did. But.

Tim Freestone (21:25.551)

Mm-hmm.

Tim Freestone (21:40.108)

Yeah, you must have just watched Oppenheimer.

Alan Shimel (21:46.73)

You know, it’s the same thing. I think when you take the output of, of machine learning kind of AI ops, and then, you know, put some generative AI on top of that, it gets awful smart.

Tim Freestone (21:59.775)

Yeah, that’s a good way to end up.

Patrick Spencer (22:00.524)

Yeah. Are these companies, what’s the hope for them? Do they have these old code bases that didn’t necessarily leverage AI to the extent they needed to? Now AI is going to pass them by. Can they bolt AI on those or is it easier to start from scratch or it depends?

Alan Shimel (22:19.182)

I think it’s going to depend. Look, everybody and their mother is making a co-pilot. And I think making a co-pilot to enhance your product service isn’t necessarily rocket science today. You can go grab all your data, create your own LLM, and plug it into that AI.

Is that going to fundamentally make you AI powerhouse? I don’t know. I think it depends on how well they do it. I mean, even you take a thing like Stack Overflow. We all love Stack Overflow. That’s basically what they did. They took all of their knowledge base of answers, questions, and answers over the years and created a.

Tim Freestone (23:04.472)

Hmm

Alan Shimel (23:17.598)

another LLM that sits on top of the general LLM that powers many of the AIs today. And so when you do an AI query on, I forget what Stack Overflow calls it, they have a name for the offering. And actually is pulling from there first before it goes to the general AI one. So we’ll see.

Patrick Spencer (23:39.056)

Interesting. AI would theoretically, if organizations will use it correctly, all that open source code that’s out there, you don’t know for sure if it has vulnerabilities in every instance. It should improve that process, I would think, in terms of ensuring that code’s cleaner when you bring it into your environment, if you can leverage AI in the right way.

Alan Shimel (24:00.054)

You know what, the Linux Foundation actually just, I think Linux Foundation Open Source Security, OSSF, actually they came out with a research report on that recently. Something like, this was a survey of the maintainers of open source projects. And like 70 something percent said exactly that. They think, you know, it could help with.

Tim Freestone (24:23.055)

Mm.

Alan Shimel (24:27.854)

the security of open source projects, making more secure code. I’ll see it when I believe it, or I’ll believe it when I see it, excuse me. I believe it when I see it. Yep.

Tim Freestone (24:36.715)

Yeah, yeah, we understood.

Well, we have, we’ve talked so much in the past year about AI. I think I’m all set. Yeah. But one, one thing that, um, it’s probably not a tomorrow thing. I mean, we’ll see, but it’s certainly a 10 year thing, but do you, have you started in your, um, media outlets and, uh, your, your TV station, um,

Alan Shimel (24:48.677)

We’re all a little AI down, I guess, right?

Tim Freestone (25:09.475)

Computing vendors quantum cyber security stuff that’s popping up and like, what do you see in there? I’d be interested if that’s Now starting to get more top of mind

Alan Shimel (25:19.542)

So I’ve been following that subject for the last three or four years. Want to know something? This is one area where the government and the regulatory bodies actually got out ahead of it. Right? NIST and MITRE have worked on it. I’ve spoken to folks at both of them, as well as at the leading certificate companies. They’ve published.

Tim Freestone (25:24.132)

Mm-hmm.

Tim Freestone (25:33.06)

Hmm.

Alan Shimel (25:46.538)

They’ve already published quantum proof algorithms. Cause you know, the big fear here was that quantum computers bust RSA encryption or SSL encryption, you know, in the blink of an eye, but they now have come out with quantum proof algorithms. And they’ll be issuing, you’ll be able to get quantum proof certificates to encrypt.

Tim Freestone (25:54.263)

in the kitchen.

Alan Shimel (26:16.774)

to encrypt your data at rest and transit etc. And the funny thing is, you know, I don’t think we’re gonna see true quantum computing available probably not till maybe 2030.

Tim Freestone (26:33.695)

Yeah, that’s about right. I was thinking, you know, kind of 10 years out just cause they’re still, they can’t, the smartest minds and the most money in the world still can’t get them stable for more than a few seconds or whatever it is now.

Alan Shimel (26:44.53)

Look, they’re making, you know, the quantum computers work on what they call qubits, right? And what’s the thing that I, and if I get it wrong, I apologize. To have a stable quantum machine, I think you got to have a thousand qubits, and we’re up to a hundred or a couple hundred. And, you know, we’ll see. But, you know, again, we have quantum proof algorithms there. Now, how many people will adopt that?

Tim Freestone (27:01.635)

That’s what that sounds about right, yeah.

Alan Shimel (27:14.902)

that route, you know, I learned a lesson about 15 years ago. I remember doing a podcast interview actually with the CEO of, of couch base and D bill, you know, at the time, no SQL databases were the cool thing. And I asked them, I said, you know, a lot of people say no SQL stands for no security.

Tim Freestone (27:28.568)

Mm-hmm.

Alan Shimel (27:40.354)

How come you guys aren’t doing a better job around security with your databases? And they both said the same thing. They said, Alan, we’ll put better security in when our customer’s demanding.

Patrick Spencer (27:51.364)

Hehehe

Tim Freestone (27:51.775)

Yeah, that’s usually the case. Yep.

Alan Shimel (27:54.126)

right? Right. So when the market says I need some quantum proof technology it’ll be you know developed but not before.

Patrick Spencer (27:55.02)

it drives it.

Tim Freestone (28:08.843)

Yeah, well, what we’ll see, but what might drive that is, you know, back to the compliance, the regulators, they might just like PC, you have to have it.

Alan Shimel (28:16.086)

Well, that’s still the market, right? That’s still the market driving.

Tim Freestone (28:19.775)

Yeah, you just have to have it.

Patrick Spencer (28:21.284)

Yeah, something more prompting to make that decision.

Alan Shimel (28:21.622)

And you can go with anything. Yeah, that’s what you’re dealing with.

Patrick Spencer (28:26.7)

Allen, with your law degree, you probably have a unique perspective in terms of organizations, do they underestimate the negative impact of a breach? You have the IBM reports, 4.5, 4.6, or whatever it is, the average cost of a data breach. Do organizations often forget the long tail effect of a breach where, whether you’re a software vendor and you’re hacked in your supply chain?

or you’re an actual end user, school district, healthcare organization, you’re breached, the class action lawsuits, all the legalities that happen. Is that factored in that 4.5? I think often it isn’t. It’s actually bigger than, the hairball’s bigger than we realize.

Alan Shimel (29:13.222)

4.5 goes up to like credit monitoring. You know, like it covers all the way up to that. But you know, here’s the fact, when I first got into security, they used to say that the reason why like retailers didn’t do more in security is because they had to build into their model. They called it shrinkage. And it was, you know, generally less than 0.5%.

of their revenue. So a 0.5%, it was cheaper to write that stuff off than it was to do something about it. I think when it comes to breaches, the facts are, you know, especially for large public entities.

that breach becomes a small blip on their stock price and operations. As a matter of fact, some use it as a red badge of courage and do even better with it. Now, for a smaller company, though, it could be catastrophic, put you out of business. You get hit with a ransom attack and your website doesn’t pull up, or you lost all your customers’ data and it was exposed on the internet publicly.

You know, it could be lights out. But the bigger companies, you know, they get through it. Look at Target, if you remember the Target, Breach, Equifax.

Right. They turn around and say, Hey, you know, it’s kind of like, you know, in America, if you, it’s okay to be an addict, if you, an addict, if you go into rehab. Right. That’s like the right thing to do. And I don’t care whether you’re addicted to drugs, sex rock and roll. Right. If you go into rehab, you, you come out and you’re cleansed. I think a lot of times it’s the same thing with these breaches. Right. Mea culpa, we messed up. We got a new season. We got.

Tim Freestone (31:15.251)

Right. If they do it right. Yeah.

Alan Shimel (31:17.85)

Right, and we’re putting in new processes and policies and training and this won’t happen again. Well, unless you’re like last pass or one of these repeat offenders that seem to get breached every three months. Six months. But that’s the reality of it. Yes, the legal cost is a pain in the butt, but much like the 0.5 percent.

Tim Freestone (31:31.597)

Eh.

Alan Shimel (31:48.59)

surrounding ours on bigger pictures for some of these companies.

Patrick Spencer (31:49.839)

Yeah.

Tim Freestone (31:56.143)

The, um, yeah, we, and I think it’s probably more when you get into midsize, smaller. Yeah.

Alan Shimel (31:56.258)

We should what? That’s it.

Alan Shimel (32:05.306)

You go one way or the other right now and also the other thing that’s come on the scene You know over the last few years is cyber insurance Right is your insurance going to cover that?

Tim Freestone (32:18.063)

So I have a question about that. I was at Contrast. We’re at Kiteworks now. We were at Contrast before, Ford and it. Patrick and I have been hanging out for a while. Every one of these cybersecurity companies, I’ve been in the room where we talk about, how do we influence the insurance carriers to demand their customers use our solutions to lower risk and lower their policy? Every one of them.

Patrick Spencer (32:28.32)

it

Tim Freestone (32:47.755)

Do you have any insight on that? Because there are 3,500 or more.

Alan Shimel (32:51.694)

So what are the cyber insurance companies are? Some of the cyber insurance companies now are saying, hey, because what took place, I think, over the last three years is some of these kinds of purpose-built cyber insurance companies, right? They became the new PCI counsel.

Tim Freestone (32:55.032)

What’s that?

Alan Shimel (33:14.65)

They were the ones who are establishing what your lowest common denominator bar is for security. And they’re also the auditor. You want to make sure you’ve got a good vulnerability management, that you’re pen testing your code, that you’re got endpoint security, you’ve got IAM, whatever the case may be. So these insurance companies are becoming the…

Tim Freestone (33:24.44)

Mm-hmm.

Alan Shimel (33:39.566)

security architects and auditors to make sure they won’t give you insurance unless you meet that. And some of them have taken it a step further that said, hey, you got to have one of these three firewalls. And if you don’t, you know, we’re partnered with Firewall B and we can, you know, put that in there as part of your premium and everything. So I think you’re all.

Tim Freestone (34:03.951)

Mm-hmm. So you are seeing that actually happen.

Alan Shimel (34:07.282)

Oh yeah, I think the security insurers, the cyber insurers, are becoming the enforcers of cyber policy. It’s not necessarily a good thing all the time though. Right? I think, because part of them giving the insurance is they call the shots. Then they settle the case, of course, from a business decision. It’s easier for them to settle.

Patrick Spencer (34:19.886)

Hmm.

Patrick Spencer (34:27.651)

Yeah.

Alan Shimel (34:33.942)

without admitting liability, but you may feel, you know, I didn’t do anything wrong. Those guys are idiots, but you know, they, it’s their, it’s their dollar and they get to call the shot.

Patrick Spencer (34:46.98)

They become the arbitrators. Does that supplant things like FedRAMP or do they rely on FedRAMP and ISO?

Alan Shimel (34:54.871)

Again, they rely on FedRAMP and those things as the lowest common denominator, but they’re making decisions on actuarial tables on what their risk is, right? And you know, insurers are good at managing risk. That’s what, I mean, the biggest place you see this is in ransomware.

Tim Freestone (35:03.443)

Yeah, it’s all money. The balance sheet.

Alan Shimel (35:14.154)

Right. There’s a lot of people, the ransomware, the insurance company will tell you, you cannot negotiate with the ransom people will negotiate because we already have a database based upon what ransom is and what gang it is, what they’ll take to go away and unleash, whether they are there trustworthy to on encrypt stuff once we pay them. Yeah. They pay, make, they make those calls. They don’t want you in those calls.

Tim Freestone (35:14.158)

Yes.

Patrick Spencer (35:25.956)

So do I, right?

Tim Freestone (35:35.743)

Isn’t that wild? It’s so wild.

It, yeah. And if you’re a ransomware company, which is a thing, um, uh, you, uh, you want to be in good standings with your word that you’ll decrypt at a certain payoff level. Right. So you can continue doing your business. Right.

Alan Shimel (35:57.019)

And so they don’t. So you don’t. And then what do you do? You know what I mean? Go to the Better Business Bureau for ransomware providers, right?

Tim Freestone (36:03.375)

Thank you.

Patrick Spencer (36:05.776)

Well, you had the clock, right? The Klops attack on the NFT provider this past year, Groovit, you know, they were so successful. They were over, you know, this overwhelmed the point. They couldn’t do the typical functionary call, you know, the functionary calls out to the, those who had been hacked. They had to tell them, go to the website to find out if you’re hacked.

Alan Shimel (36:28.066)

Right. I mean, you know, but again, we laugh knowingly, but people who aren’t in cyber are amazed at the sophistication and skill of the dark web, of the bad guys. They, you know, talk about AI. They’re using AI like mad, probably more and better than the white hats are.

Patrick Spencer (36:49.92)

Yeah, very true. Well, we know your time is sensitive. We probably better wrap it up. For folks who want to go to… Yep.

Alan Shimel (36:52.566)

Yep.

Tim Freestone (36:58.115)

Hey, wait, Patrick, sorry. I actually have, I’m surprising the podcast here with a rapid, you got a couple minutes?

Patrick Spencer (37:04.761)

But Alan, you’re OK timewise? Go ahead. I was worried about this time since we were at the top there. Go ahead, Tim. I’ll be fine.

Alan Shimel (37:06.89)

Yeah, no. Go ahead. Yeah, no.

Tim Freestone (37:10.923)

No, I have an idea. It’s a rapid fire, Alan. So five questions. And it’s an agree, disagree. I say a statement, you agree or disagree. OK, I have five, I think. OK, so number one, the pace of technology innovation is outstripping our ability to ethically manage its implications. I agree.

Alan Shimel (37:16.256)

Okay.

Alan Shimel (37:22.242)

So I disagree or disagree.

Alan Shimel (37:37.726)

agree and that’s for a long time

Tim Freestone (37:41.368)

Good. Cyber security risks are now a bigger threat to global stability than military threats.

Alan Shimel (37:51.414)

disagree. It’s getting close, but in an age where we got a war in the Ukraine and one in the Middle East and drones and all this crap, the military still is… Yeah, but it’s almost you can’t have one without the other two today. They go hand in hand.

Patrick Spencer (38:01.856)

And they’re all intertwined.

Tim Freestone (38:09.343)

Yeah. I just wonder at what point the, you know, cybersecurity will, you know, you don’t need to drop a bomb over there. You just drop a virus and all of a sudden their entire critical infrastructure goes down and they can’t be huge.

Alan Shimel (38:21.89)

No, no, it reminds me of Star Trek, the original series. I don’t know if you guys are Trekkies, but that was an episode.

Tim Freestone (38:27.359)

I do, I remember I watched every episode.

Alan Shimel (38:30.058)

two worlds were fighting with each other, they wouldn’t actually blow up bombs. They would have computer simulated missile attacks. And if you lived or were in a place where a computer simulated missile attack happened, you had to report like to the death chamber where they would vaporize you. And the Star Trek, Kirk and the team were down there on a shore visit or whatever, and they were victims of the missile attack.

And of course they wouldn’t walk into the chamber and get vaporized and that set off a whole war because now after 200 years, they were gonna have to use real bombs, right? And real people would die, not just shut down critical infrastructure or something. And that forced them to find the peace, right? So everything you need to know in life, you can learn from Star Trek.

Tim Freestone (39:17.751)

Yeah. Interesting. Okay. Came full circle. Yeah. Came for a third.

Star Trek, right, exactly. All right, a couple more, a couple more. The rise of remote work will eventually lead to the end of large tech hubs in Silicon Valley.

Alan Shimel (39:36.91)

strongly, strongly disagree. You know, Dell just sent out an email this week to all 125,000 employees. It’s time to come back to work at least three days a week. If you don’t want to, you don’t have to, but you’ll never get a promotion. And I think Google’s done this, Apple’s done it, Meta’s doing it. Everybody’s doing it around the world. People are realizing that remote work…

For some professions, it’s okay, but you’re a much more productive company when your people are in the office.

Tim Freestone (40:16.759)

You know, I hope that’s the case for sounding off from someone who has a house in Silicon Valley that, um, all right, good. Final one. The biggest threat to cybersecurity in organizations is not the sophistication of the hackers, but the negligence of the employees.

Alan Shimel (40:23.243)

Yeah, no, it’s not going.

Alan Shimel (40:36.478)

agree and that hasn’t changed. It’s still the weakest link. And I don’t know, you know, training. Yeah, I don’t, you know, I think it’s talking about changing human nature and I don’t know how you change human nature.

Tim Freestone (40:42.935)

Rich will be the company that figures that out, right?

Tim Freestone (40:53.517)

Yeah. Alright, I’m done Patrick. That was fun.

Alan Shimel (40:55.217)

All right.

Patrick Spencer (40:57.44)

Now that’s been a fascinating conversation, Alan. We need to do this again. We need to talk about data, data security. We can do it.

Alan Shimel (41:01.62)

Anytime.

but we never even got to the data security piece. But hey, just let me know, happy to do it. Thanks guys for having me on, it’s a pleasure.

Tim Freestone (41:04.535)

Yeah.

Tim Freestone (41:12.707)

You got it.

Patrick Spencer (41:13.32)

How do folks find out more information on your organizations?

Alan Shimel (41:17.842)

Textroomgroup.com is our umbrella kind of thing, but you can go to textroom.tv or devops.com, cloud native now, security boulevard for most of your audience will find. If you’re into the AI stuff, textroom.ai, digital CXO for transformation for leadership. Just, we’re not hard to find. All righty.

Patrick Spencer (41:39.728)

You’re all over. They’re not gonna have a hard time finding you.

Patrick Spencer (41:45.284)

Well, thanks to our audience. You can get more Kitecast episodes by going to kiteworks.com slash kitecast. Thanks for joining us for another podcast.

Alan Shimel (41:56.258)

Thank you. Guys, that was fun. All right, let me know when it’s up.

Patrick Spencer (41:59.159)

Thanks, Alan. Yeah, it was good reconnecting with you.