AI in GRC: Dr. Shayla Treadwell on balancing innovation and risk | Cyber Work Podcast

Get your FREE 2024 Cybersecurity Salary Guide: https://www.infosecinstitute.com/form/cybersecurity-salary-guide-podcast/

Today on CyberWork, Dr. Shayla Treadwell, vice president of governance, risk, and compliance (GRC) at ECS, discusses the role of AI in the GRC space. She breaks down AI applications for GRC, the importance of AI governance and the significant roles in performing compliance on AI tools and software. Dr. Treadwell also shares her unorthodox journey into cybersecurity, emphasizes the importance of critical thinking, and offers career advice for aspiring professionals. Additionally, the episode highlights the impact of AI on the cybersecurity landscape and strategies for effectively integrating AI while mitigating risks.

00:00 - Introduction
00:33 - Cybersecurity salary ebook
01:27 - Welcome to the Cyber Work Podcast
01:45 - Meet Dr. Shayla Treadwell
03:36 - Shayla's journey into cybersecurity
07:24 - The role of governance, risk and compliance
13:15 - Daily responsibilities of a GRC professional
15:40 - Challenges and skills in GRC
23:10 - AI in governance, risk and compliance
31:11 - Leveraging AI for efficiency
31:46 - Balancing compliance and innovation
32:44 - Understanding compliance beyond regulations
34:00 - The VUCA concept and its relevance
35:22 - AI's humanistic and ethical considerations
40:10 - Skills for AI governance careers
43:49 - Global AI governance community
47:24 - Opportunities and challenges in AI
49:07 - Optimism in AI's future
53:05 - Career advice and ECS overview
57:29 - AI and GRC

– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast/

About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.

[00:00:00] Chris Sienko: Today on CyberWork, I'm talking with Dr. Shayla Treadwell, VP of Governance, Risk, and Compliance for tech and cybersecurity integration firm ECS. Shayla spoke at this year's ISACA Digital Trust World about the integration of AI into the GRC space and in this episode we go deep on AI applications for GRC as well as the roles for performing GRC compliance on AI tools and software.

Shayla gives us a great breakdown of what a day in the life of a GRC professional looks like and teaches us how to not give a no without a but as a conditional. And that's all today on CyberWork.

The IT and cybersecurity job market is thriving. The Bureau of Labor Statistics predicts 377,500 new IT jobs annually. You need skill and hustle to obtain these jobs, of course, but the good news is that cybersecurity professionals can look forward to extremely competitive salaries. That's why Infosec has leveraged 20 years of industry experience, drawing from multiple sources, to give you, Cyber Work listeners, an analysis of the most popular and top-paying industry certifications.

You can use it to navigate your way to a good paying cyber security career. 

So to get your free copy of our cybersecurity salary guide ebook, just click the link in the description below. It's right there near the top, just below me. You can't miss it. Click the link in the description and download our free cybersecurity salary guide ebook.

Your cyber security journey starts here. 

Now let's get the show started.

[00:01:27] Chris Sienko: Welcome to this week's episode of the Cyber Work Podcast. My guests are a cross section of cybersecurity industry thought leaders, and our goal is to help you learn about cybersecurity trends and how those trends affect the work of infosec professionals while leaving you with tips and advice for breaking in or moving up the ladder in the cybersecurity industry.

My guest today, Dr. Shayla Treadwell, is an executive with experience in overseeing risk management and information security programs. Her expertise oversees information technology assurance and cyber risk and compliance issues. Uh, she's known for establishing cyber risk management practices and corporate responsibility and sustainability programs.

Dr. Treadwell's most recent research has been nested in AI governance and assurance strategies. Her postgraduate studies are focused on organizational leadership and examine the correlation between information security and leadership practices. She is the vice president of governance, risk and compliance at ECS, a large-scale technology and cybersecurity integration firm located in Fairfax, Virginia.

Additionally, she is co-founder of Treadwell Agency, a consulting firm dedicated to advising businesses on cybersecurity and digital experiences. So I met, uh, Shayla at this year's ISACA conference. She did a great presentation about GRC and AI, and how they will intersect in the future, and how they will not.

And I wanted to have all of you meet her, and be just as excited about her as I was on that day. So, uh, Shayla, thanks for joining me today. Welcome to CyberWork.

[00:02:50] Dr. Shayla Treadwell: Thank you very much. I appreciate the invitation.

[00:02:54] Chris Sienko: My pleasure, my pleasure. So, uh, so Shayla, for a bit of context for our listeners. Like I said, uh, you were at this year's ISACA Digital Trust World, uh, and you co-presented along with William Rankin on a session titled "Oh, the Possibilities: Balancing Innovation and Risk with Generative AI." So, as I said, I had a, my, my recent guest was also a fellow ISACA speaker, Alex Sharp.

Uh, and it seemed, based on what we saw at ISACA this year, like a full 50 percent or more of the presentations had AI in the title. And as you say in your synopsis, uh, quote, the AI genie is out of the bottle. Uh, whatever we're going to do with or, uh, about AI now, ignoring it just isn't an option anymore, I think we can agree.

So, we got a lot to cover today, but I want to get our listeners to learn about you first. So where did you first get interested in tech and security and especially like compliance and things like that?

[00:03:41] Dr. Shayla Treadwell: Absolutely. I actually had a very unorthodox pathway to this.

[00:03:44] Chris Sienko: Really?

[00:03:45] Dr. Shayla Treadwell: Initially, I was in digital marketing

[00:03:47] Chris Sienko: Oh, okay.

[00:03:48] Dr. Shayla Treadwell: I found myself in a space where I was the intermediary between back-end developers, front-end developers and marketing and trying to make sense of everything for everyone. So I've always worked in tech. Um, and then, uh, I ended up making the switch in order to, uh, get into information security and cybersecurity. Um, when I made that switch, uh, it wasn't deliberate. Um, I actually had an interview with, uh, the former chief information security officer of Discover Financial, um, Jim McJunkin. He's a phenomenal gentleman. Uh, he asked me, Hey, do you think you can write my speaker notes and my, my PowerPoint decks, um, for the board?

[00:04:23] Chris Sienko: Hmm.

[00:04:24] Dr. Shayla Treadwell: Initially I was like, that's all you want me to do. Uh, and he

[00:04:28] Chris Sienko: Yeah.

[00:04:29] Dr. Shayla Treadwell: you

[00:04:30] Chris Sienko: Oh, wow.

[00:04:30] Dr. Shayla Treadwell: do

[00:04:31] Chris Sienko: Yeah.

[00:04:32] Dr. Shayla Treadwell: and when I entered that world, I had no idea what I was getting myself into.

[00:04:36] Chris Sienko: Mm hmm.

[00:04:37] Dr. Shayla Treadwell: it was a beautiful nosedive into

[00:04:40] Chris Sienko: Mm hmm.

[00:04:40] Dr. Shayla Treadwell: that I actually fell in love with. Um, understanding every single domain I could, um, I was the person that would buy books, I would study, get searched, figure it out because I really wanted to make sure I understood what I was talking about. And the thing that really mattered to me the most is making sure that the alignment between cybersecurity and the business actually made sense.

[00:04:59] Chris Sienko: Yes.

[00:05:00] Dr. Shayla Treadwell: driving the mission forward collectively. And, um, from there, I think it's been, gosh, it's been some time now, well, over a decade.

[00:05:08] Chris Sienko: Mm-Hmm.

[00:05:10] Dr. Shayla Treadwell: to do that and I never look back. So I always tell people it doesn't matter what path you're on. You can always pivot and join the dark

[00:05:18] Chris Sienko: There are. Yes. There are a lot of, a lot of forks in the road. And, and all of them are available, if you wanna, if you, if you want to go through a little underbrush now and again, but, uh, yeah. So, uh, so can I ask about, um, like, say, like the first couple of months of, of, of the job where you were writing, uh, speeches and decks for, uh, you know, your boss for the, for the, for the board.

So obviously that was a huge ramp up. Cause you said, Oh, this is easy, just writing and PowerPointing. And then you were like, Oh, this is a lot of research. Like, what was, what was the process of, of doing that? Sort of getting those basics in place. And how long, how long of a ramp up time was it before you felt like you knew the stuff well enough that you didn't have to sort of like, you know, learn an entire college class on every single topic each, each time?

[00:06:00] Dr. Shayla Treadwell: I will say the ramp up, um, the ramp never ends.

[00:06:04] Chris Sienko: Of course. Yeah.

[00:06:06] Dr. Shayla Treadwell: it never

[00:06:06] Chris Sienko: Right. Right. Right. Oh

[00:06:18] Dr. Shayla Treadwell: let me just watch what you're doing, or, I know I have no business in this meeting, but can I just be a fly on the wall to see what's happening in this space? Um, through that observation and building relationships with people, that is what really got me through. And I would marry that with going out and getting literature and figuring out what's happening, whether it was getting a framework and saying, okay, let me understand what the heck this NIST CSF thing is, or, you know, let, let me figure out what COBIT is. Um, and marrying that up with the way that a program actually looked, that is what helped me. And I will also say that, um, having the ability, not only to see what happened in the program and to watch the people there who were doing the jobs of each one of those domains, it was taking that back and saying, okay, what does that mean to the company that I work for? Because every company is different and the risk appetite of every organization is a little bit different

[00:07:13] Chris Sienko: yeah.

[00:07:14] Dr. Shayla Treadwell: the application of that. So it really was a big nosedive into a lot of literature, lots of questions, um, lots of being a fly on the wall, but that helped me bring it all together.

[00:07:24] Chris Sienko: Now, was that, uh, specifically, uh, around the, the governance, risk and compliance space, or was it other things as well?

[00:07:31] Dr. Shayla Treadwell: No, it's interesting. It was about security holistically. It

[00:07:34] Chris Sienko: Okay.

[00:07:35] Dr. Shayla Treadwell: higher

[00:07:36] Chris Sienko: Big, big picture. Yeah.

[00:07:37] Dr. Shayla Treadwell: Yeah. Yeah. I will tell you this. Um, I did not start in governance, risk and compliance because after I left, uh, the arena of, you know, helping the chief of staff office and things of that nature, um, they actually ended up putting me in a training and awareness space.

[00:07:51] Chris Sienko: Hmm.

[00:07:52] Dr. Shayla Treadwell: Traditionally, training and awareness to everyone's like, Oh, that's the easy security stuff over

[00:07:57] Chris Sienko: Yeah, sure.

[00:07:58] Dr. Shayla Treadwell: It absolutely is not

[00:07:59] Chris Sienko: No

[00:08:00] Dr. Shayla Treadwell: you have to know all of the policies

[00:08:02] Chris Sienko: Mm-Hmm.

[00:08:03] Dr. Shayla Treadwell: that space in order to translate it into digestible chunks for the audience that you need to serve.

[00:08:09] Chris Sienko: Yeah.

[00:08:09] Dr. Shayla Treadwell: I will say Working in training and awareness actually prepared me for the job that I have now because I had to know the policies and standards and procedures just as well as the people who were writing them.

[00:08:21] Chris Sienko: Yeah. Well, okay. I asked that because I specifically wanted to know about how you got into the cybersecurity niche space of governance, risk, and compliance. Because, you know, that, like I, when I think of things that like people, you know, aspire to be within cybersecurity, like I don't think until recently, I don't think GRC is something people thought of as being a thing, let alone, you know, as big of a thing as it's becoming.

So like, how did, what, what, how did you get bit by the bug?

[00:08:46] Dr. Shayla Treadwell: So I got bit by the bug because once I wrapped up doing training and awareness, what ended up happening is the policies and standards ended up being under my team as well.

[00:08:56] Chris Sienko: Okay.

[00:08:56] Dr. Shayla Treadwell: So when I'm writing enterprise wide policies and standards, tracking that, understanding regulators are looking at these things, auditors are looking at these things, then suddenly I was like, wait a minute.

That means that the stuff that's written on this paper that nobody reads is actually really important. It is. Uh, so with the governance, risk and compliance bug, it started with policies and standards because I needed to understand the governing documents and also understand the people who are responsible from a governing body perspective. From there, what I really realized is that I was dealing with a chicken-or-egg situation because in order for you to have policies and standards, you have to have things that feed into that, whether that is the baseline framework of your organization, I'm looking at your contractual obligation. What does the threat landscape tell me is going on?

There are multiple components that feed into why we have the policies and standards we have.

[00:09:50] Chris Sienko: Right. Yeah.

[00:09:55] Dr. Shayla Treadwell: to understand from a risk perspective where the gaps of the organization, why are they gaps? What's the appetite of the organization? What are we okay tolerating? And it started asking those questions. And what I found is that it ended up being a cyclical circle. And I said, wait a second. This is a space that I think I can thrive in. Um, it really became very, very clear. And you're absolutely right. More recently, governance, risk and compliance is actually a really, really big topic, considering the amount of tech debt that we have, um, in the traditional operational spaces. Uh, companies are looking to become a little bit more lean in that space, but they have to understand, okay, what must we do and what am I okay with?

[00:10:36] Chris Sienko: Yeah, okay. Yeah, you said that you, you could see in the sort of circular nature of it, that it was something that you could thrive in. Was there a particular aha moment or a moment where you really felt like you were kind of like, you know, on top of the mountain and you're like, I can see it all from here.

Did you have like one particular task or project or was there even a day where you're like, I'm really good at this, you know, or did it just sort of happen, you know, steadily over time?

[00:10:59] Dr. Shayla Treadwell: It, you know what? It happened over time

[00:11:01] Chris Sienko: Mm hmm.

[00:11:02] Dr. Shayla Treadwell: um, whether it was FISMA, Sarbanes-Oxley, HITRUST, um, NIST CSF, COBIT, I can name a whole bunch of frameworks.

[00:11:11] Chris Sienko: Sure. Mm.

[00:11:13] Dr. Shayla Treadwell: but it wasn't until, I want to say, um, there were murmurs about this thing called CMMC

[00:11:20] Chris Sienko: Mm hmm. Sure. Oh, yeah.

[00:11:23] Dr. Shayla Treadwell: And in that moment, I said, wait a second. This is what I've been doing, you

[00:11:27] Chris Sienko: Mm hmm.

[00:11:28] Dr. Shayla Treadwell: career in security.

[00:11:30] Chris Sienko: Yeah.

[00:11:30] Dr. Shayla Treadwell: started reading the controls, I'm like, wait a second, that's the same requirement as ISO 27001. And I can name the domain

[00:11:37] Chris Sienko: Mm hmm.

[00:11:38] Dr. Shayla Treadwell: you actually go through a process, you start to map stuff in your head.

And it's like an aha. So when I'm building a framework, it's not just one of these frameworks. It's the organization's

[00:11:51] Chris Sienko: Mm hmm.

[00:11:52] Dr. Shayla Treadwell: and its application. And I really think that's when I had a light bulb moment to really

[00:11:58] Chris Sienko: Yeah.

[00:11:59] Dr. Shayla Treadwell: a second, this thing is. It's growing. It's getting bigger.

[00:12:02] Chris Sienko: Yeah, I wonder about that, if it's kind of like someone who's, like, multilingual. Like, once you start learning a bunch of languages, you start to see the commonalities. Is that sort of the case here, where you're, you're almost kind of thinking in different, uh, you know, different, uh, frameworks, or like, oh, well, this matches to this, and I can see the patterns in here, and stuff like that.

Does it all sort of, yeah.

[00:12:23] Dr. Shayla Treadwell: know there are a million tools out there that can help people map them. And

[00:12:26] Chris Sienko: Okay.

[00:12:27] Dr. Shayla Treadwell: trust me, they're useful.

[00:12:28] Chris Sienko: Yeah.

[00:12:29] Dr. Shayla Treadwell: very useful. But I will say that once you get into this industry and you start to look at multiple things, you start to realize, wait a second, we're asking for the same thing over and over again in different ways. How do I streamline this?

[00:12:45] Chris Sienko: Mm hmm.

[00:12:45] Dr. Shayla Treadwell: sure that, uh, once I put together these documents and how I bring awareness to the company, there's one message.

[00:12:52] Chris Sienko: Yeah.

[00:12:53] Dr. Shayla Treadwell: just one message. I don't have to say, we're doing this because NIST 800-171 said da da da da. I don't have to do

[00:12:59] Chris Sienko: Mm hmm.

[00:13:00] Dr. Shayla Treadwell: our passwords are what they are because I've looked at all these elements and that's the conclusion.

That's what

[00:13:05] Chris Sienko: Yeah.

[00:13:06] Dr. Shayla Treadwell: So it is kind of like that.

[00:13:08] Chris Sienko: It's, that's really cool. So, um, I guess, uh, in a practical sense, can you talk our listeners through your role as VP of governance, risk and compliance for ECS? Like what's a, what's an average day or average work week look like in terms of like tasks and obligations, projects?

[00:13:22] Dr. Shayla Treadwell: Uh, you said average, uh, which is difficult, by the way,

[00:13:25] Chris Sienko: Mm hmm.

[00:13:26] Dr. Shayla Treadwell: in my role, um, there are some interesting spaces. The first space I'm gonna talk about is governance. From a governance perspective, that is looking at some of the committees we have, whether it's the ethics committee, um, architectural review, things of that nature, to make sure that you have the right people in the room making decisions that need to be made. Also, with governance, it really comes down to our policies and our standards and what that looks like as well. Um, and making sure that they're written and they're documented, because the reality is it helps guide what we're doing. Um, and then from a compliance perspective, that is when I have my team of assessors that are doing internal audits. Um, they're looking at whether or not we're compatible with the things that we're supposed to be compatible with. Um, and it's, it's looking at those assessments and then telling me the plans of action and milestones that we have for the gaps that we need to, um, probably fill to make us a more fortified organization.

[00:14:21] Chris Sienko: Okay. Mm hmm.

[00:14:24] Dr. Shayla Treadwell: interesting because risk has assessments as well. You have a risk assessment, but additionally, risks emerge in very interesting ways. Um, you can make sure that we have things in our risk register so that we can manage it, understand what we're doing with it. Are we transferring the risk?

Are we mitigating the risk? Are we just going to accept it? Because our organization is okay accepting it. The money we'd be putting in to fix it is actually more money than it would be to just, you know, see what happens.

[00:14:50] Chris Sienko: Yeah, sure.

[00:14:51] Dr. Shayla Treadwell: it's making those decisions. Uh, along with that in my role, I'm responsible for some of our resiliency activities. So my team conducts tabletop exercises to see if we can fortify some of our policies and standards and procedures in that space. And lastly, I'm in a very interesting situation in that, um, I also help manage some of our ESG, um, activities as well for

[00:15:17] Chris Sienko: Okay. Hmm. Mm

[00:15:18] Dr. Shayla Treadwell: because one of the key components of that is privacy and cyber security.

[00:15:23] Chris Sienko: hmm. Okay.

[00:15:24] Dr. Shayla Treadwell: is reporting that is important in that space. And additionally, when I'm working with the IT team or our cyber team on the ground, this first line of defense, thinking about energy usage and how do we create a more sustainable future while not blocking innovation.

[00:15:39] Chris Sienko: Nice. Now, um, uh, for people who might want to do the kind of work you do, or might be just kind of taking the first steps, what are some, some things that you would have to be really good at or excited about, or, you know, even in a repetitious sense, like willing to do lots every single week?

Like, you know, cause I think everyone thinks, oh, it's going to be fun. I'm going to do this and this, but it's like, also you have to be ready to read eight million documents, I imagine, and just be reading constantly and upgrading things constantly and stuff.

[00:16:11] Dr. Shayla Treadwell: Absolutely.

[00:16:11] Chris Sienko: Yeah.

[00:16:12] Dr. Shayla Treadwell: I will say you said it right there. Reading is huge.

[00:16:14] Chris Sienko: Mm hmm.

[00:16:15] Dr. Shayla Treadwell: you ingest a lot of documents,

[00:16:18] Chris Sienko: Mm hmm.

[00:16:19] Dr. Shayla Treadwell: just reading. It's that sense making activity associated with reading. You're going to have to, trust me, frameworks are not the easiest thing to read. Um, so you have to also take some time to really digest.

What does this actually mean? So there's a lot of strategic and critical thinking that happens in that space. Um, I think the other thing is that you have to be able to have a temperament where you can build relationships and exercise influence in situations where you are not the decision maker. people all the time.

I tell people what to do. You tell me how you're going to do it.

[00:16:52] Chris Sienko: Mm.

[00:16:53] Dr. Shayla Treadwell: responsibility to tell you how you're going to get it done.

[00:16:56] Chris Sienko: Okay.

[00:16:57] Dr. Shayla Treadwell: recommendations because I've been around long enough.

[00:17:00] Chris Sienko: Yeah.

[00:17:00] Dr. Shayla Treadwell: at the end of the day, you have to respect all those entities to tell you how they're going to do it.

And then you have to ascertain if the way they're going to do it is going to fulfill that what.

[00:17:10] Chris Sienko: Okay.

[00:17:11] Dr. Shayla Treadwell: I think the, the other, well, the last big thing is communication, communication, communication. Uh, you have to be comfortable having uncomfortable conversations.

[00:17:19] Chris Sienko: Mm. Yeah.

[00:17:23] Dr. Shayla Treadwell: art of saying no.

Sometimes you, you have to make sure that you say it in a way that is not offensive, but remember we enable the business. My job is not to be a gatekeeper.

[00:17:35] Chris Sienko: Mm hmm. Mm

[00:17:37] Dr. Shayla Treadwell: So it may be a no, but.

[00:17:39] Chris Sienko: hmm.

[00:17:40] Dr. Shayla Treadwell: explore this and critically think through that exploration process. So if you have great writing skills, great critical thinking skills, if you're okay reading and you don't mind looking at policy language and the legalese of things, this is a really, really good space.

[00:17:54] Chris Sienko: So scrubbing away any like specific example details or anything like that. Can you give me an example of a difficult no, but that you've, you've had to do? Like, like, what are some of the sort of archetypal? No, we cannot do dot, dot, dot. Kind of things.

[00:18:07] Dr. Shayla Treadwell: So in the governance, risk and compliance space, traditionally, you may own an exception process or risk acceptance process. Um, what will end up happening is I'll see one come in the queue. And they may be requesting a tool set, um, that unfortunately you can't use. Now this is where it gets interesting, where you kind of have to know the legalese of things. If I'm requesting to use a tool set and let's say my customer is a part of the Department of Defense. Okay. That means that they have to follow DFARS clause 7012 most likely. If they have to follow DFARS clause 7012 and it's Department of Defense and, um, some other FAR clauses, that means that the tool set that you're going to be using needs to be FedRAMP Moderate, or ATO at the minimum. And if I have someone coming to me saying, Hey, Shayla, I want an exception to use this tool, and I don't see that compliance level, and now, mind you, this is where you kind of cross over to working with your contracts team a little bit too.

[00:19:06] Chris Sienko: Okay.

[00:19:07] Dr. Shayla Treadwell: Um, I can say, no, unfortunately, this is not the best tool.

However, tell me a little bit about what, what problem you're trying to solve. If I find out what problem you're trying to solve, I can say, you know what, you may not be able to use that one. However, check these out and, you know, let's work with the IT team to see if we can get you access to this. This may be able to solve your problem. Then I'm in a situation where I had to say no, unfortunately, and it's not always fun to say no, but at the end of the day, I'm not going to keep you hanging out there. We're going to figure out something to satisfy the problem that you're trying to solve.

[00:19:44] Chris Sienko: Yeah. Now, um, uh, I'm sorry. I keep going on it because now you got me fascinated, because I think this is like the most concrete that I've heard someone discuss like the, the day-to-day nuts and bolts of GRC. Uh, like, do you have, uh, like, are there a bunch of like sort of projects in the air, or are you kind of answering these questions quickly as they come in and there's just like a fire hose, like a million of them, or do you have things like, oh, this is a bigger problem.

It's going to take us four months to sort of untangle. And meanwhile, no, you can't use that tool, you know?

[00:20:14] Dr. Shayla Treadwell: It's, it's, it's, it's both.

[00:20:16] Chris Sienko: Yeah.

[00:20:17] Dr. Shayla Treadwell: uh, this, that's why I said this space is not boring at all.

[00:20:20] Chris Sienko: Okay.

[00:20:21] Dr. Shayla Treadwell: like it, it's not boring.

[00:20:22] Chris Sienko: Yeah.

[00:20:23] Dr. Shayla Treadwell: know what's going to happen day by day. Um, we, we do have some situations where we have bigger needs.

[00:20:28] Chris Sienko: Mm hmm.

[00:20:29] Dr. Shayla Treadwell: use another example.

[00:20:30] Chris Sienko: Please.

[00:20:31] Dr. Shayla Treadwell: I'll piggyback on the example I just

[00:20:33] Chris Sienko: Do it. Do it. Yeah. Yeah.

[00:20:44] Dr. Shayla Treadwell: In the cloud. However, they have an enterprise version that, um, is fully acceptable. Ah, it's okay. Um, how much does that cost? Now? This is where the business comes into play.

How much does that cost? It will cost this much. Okay, our budget from an IT perspective does not allow for that at this point in time. However, what we can do is start looking at the next fiscal year. We can try to get that in budget. And that means that, you know, um, the enterprise version, if the senior executive staff agrees, is something that we can look into.

If the money's there, that's a situation where if they say yes, that means that's a project. We're onboarding a new tool set. We got to work with our IT team. We got to make sure that from an Active Directory perspective, we got single sign-on going on. It has to go through third-party risk management.

That takes time. That takes a lot of time. However, in the immediate it's no, we can't do it. Here's another option. But in the future, it is a possibility. So a lot of times you'll find tangential projects that will happen like that.

[00:21:53] Chris Sienko: Got it.

[00:21:53] Dr. Shayla Treadwell: happens still in the midst of, got to get through this ISO 27000 audit, HITRUST comes in summer, CMMC

[00:22:00] Chris Sienko: Yeah.

[00:22:00] Dr. Shayla Treadwell: audits coming at this time.

It's a cyclical process while you're answering those fires immediately.

[00:22:07] Chris Sienko: So in addition to needing to be able to read a lot of pages, you also, I imagine you need to have a good project manager's brain for keeping a lot of plates in the air at the same time.

[00:22:17] Dr. Shayla Treadwell: You do, you have to keep a lot of plates in the air, but again, you're, gosh, you're not the arbiter

[00:22:24] Chris Sienko: Right.

[00:22:25] Dr. Shayla Treadwell: or the accountable party for whatever that project is.

[00:22:28] Chris Sienko: Mm hmm.

[00:22:29] Dr. Shayla Treadwell: are a consultant and informed party.

[00:22:31] Chris Sienko: Got it.

[00:22:32] Dr. Shayla Treadwell: even though those plates are in the air, recognizing what your role is in there, um, can be challenging sometimes. Um, even when you think you know the answer, but the reality is that it's about the business and it's about what's going to drive the business forward from a visionary perspective.

[00:22:48] Chris Sienko: Great. I hope, I hope people who are listening here, I feel like you, you just got a really good primer on, on what, what GRC is going to be like for you in the next couple of years. So, so clip this section and, and, and listen to it while you're studying. But, uh, uh, so as I mentioned at the top of the show, um, the presentations at ISACA that most caught my attention were those that dealt with AI and all of its complexities, and, and not just the fun, cool stuff.

But the ambiguous stuff, the ethically dubious stuff and the potentially dangerous stuff. So without getting you to recap your whole presentation, can you give our listeners a brief summary of how AI is currently operating, specifically in the GRC space? But also your impressions on its current blanketing of the entire tech sector. Yeah, yeah,

[00:23:31] Dr. Shayla Treadwell: like this new stuff is so new. The concept of artificial intelligence has been around forever, forever and a day. Even if I go back to the inception of the Jetsons, I tell people

[00:23:41] Chris Sienko: yeah Yeah, absolutely

[00:23:49] Dr. Shayla Treadwell: helpful mechanism that was technology. We've always envisioned that. Now, where things got interesting is when we started to see the, um, gen AI, uh, really take off in large language models in the early 2000, 2010 and stuff of that nature. And it's gotten better over time, which is phenomenal. And the thing about it, it is a beautiful balance between innovation and risk, at all times. I think that most organizations are dealing with the fact that right now, about 85 percent of their tech stack suddenly just turned AI on and they probably didn't even ask you if it's okay,

[00:24:24] Chris Sienko: Mm hmm. Mm hmm.

[00:24:25] Dr. Shayla Treadwell: It's not a bad thing. I do feel that, with the right governance structure to accompany it, it can be a phenomenal thing for any organization. And when I say governance, governance is happening in two specific areas.

[00:24:40] Chris Sienko: Okay.

[00:24:40] Dr. Shayla Treadwell: It's with the creation of AI, looking at the algorithms and understanding the data sets they were trained on and the ethical considerations around that. And then I think the other area is looking at the governance perspective when it comes down to the risk and cultural alignment of organizations, and if I'm okay with that as a company. And when you start to look at AI ethics committees or boards and things of that nature, it's really managing that oversight from a governance institutionalization and operations perspective so that it can be cyclical, so that you're constantly looking at

[00:25:14] Chris Sienko: Yeah.

[00:25:14] Dr. Shayla Treadwell: to improve the distribution of it in your organization, whether it's through ensuring that you have policies that are written appropriately to talk about the usage of it, integrating it into your D. O. P. programs and things of that nature. You gotta write that into place.

[00:25:31] Chris Sienko: Oh, yeah.

[00:25:32] Dr. Shayla Treadwell: Leadership has to agree on it. It has to be there. But once you get that governance, when you're trying to institutionalize, what are you going to tell your people about it? How is it going to help their lives when they're doing their jobs? And even if you allow a large language model, are you teaching them the best way to prompt? Are you teaching them what information should go in there and which should not go in

[00:25:53] Chris Sienko: Mm hmm.

[00:25:54] Dr. Shayla Treadwell: there? There are some tool sets out there that do sit in between the human and whatever large language model they have. So that can help as well. And then lastly, thinking about how do I audit that? How do I check that? What does it look like? And you can use either your technical teams to do some type of red team activity when it comes down to prompt injections and things of that nature. And you can also get some good readout as to understanding how your people are using it, in ways to improve it. Holistically, it's about getting the right people at the table. When you get the right people at the table, it does not mean that they are more senior. That's the biggest thing we said in the talk. Me and,

[00:26:37] Chris Sienko: Yeah.

[00:26:38] Dr. Shayla Treadwell: if you don't know William Rankin, please look William Rankin up on LinkedIn.

[00:26:41] Chris Sienko: Yeah. Also great. Yeah. Absolutely.

[00:26:43] Dr. Shayla Treadwell: guy. That's the big thing. You have to understand that it may mean that analysts are at the table, that marketing, junior writers are at the table, that use chat to help write things. You have to get the right folks at the table to have the conversation, because that's how you're going to make sure that you understand how your organization is going to use it.

[00:27:06] Chris Sienko: Yeah. Now, to give us some practical ideas, I want to talk about it sort of attached directly to GRC elements. Because you talked about being able to sort of see through all of the different programs, and I imagine this is sort of a thing that could be really beneficial with large language models and AI and all this. Is this something

that you think is something that can be really useful in the GRC space? Or, I mean, I'm assuming there's also issues or things, you know, guardrails around it, but what's the playing field look like in that regard?

[00:27:46] Dr. Shayla Treadwell: For the GRC space, I'm going to talk about it from two perspectives. A, as a GRC professional, how is this going to impact our work? B, how we can leverage AI in order to make our work a little bit more productive.

[00:27:59] Chris Sienko: Mm-Hmm.

[00:28:00] Dr. Shayla Treadwell: So the first thing I would say is we've seen evidence that, folks didn't believe it, but you're starting to see people get fines from regulatory findings

[00:28:11] Chris Sienko: Okay.

[00:28:12] Dr. Shayla Treadwell: on AI in other countries.

If you have an international organization, you'll probably see it more when it comes down to Asia-specific countries, as well as the European Union. They have a lot more teeth in this space.

[00:28:24] Chris Sienko: Sure.

[00:28:25] Dr. Shayla Treadwell: I believe, gosh, I think it was China that ended up suing OpenAI because

[00:28:29] Chris Sienko: Hmm.

[00:28:30] Dr. Shayla Treadwell: of like 600 plus users' information.

[00:28:32] Chris Sienko: Wow.

[00:28:33] Dr. Shayla Treadwell: and it was against

[00:28:34] Chris Sienko: Mm-Hmm.

[00:28:35] Dr. Shayla Treadwell: regulations for the country, and they won. Additionally, I know Yum! Brands just got done dealing with this situation. They actually had a bad actor attack their organization using AI. So we're starting to see it more in this space. So we have to pay attention to it because it is embedded in regulation.

And that's something that GRC professionals have to be mindful of. Now, at the same time, as a GRC professional, leveraging AI to help us do our jobs is something that's starting to emerge more as well, whether it is being able to use some of these API connections with these tool sets to understand the posture of where the organization is, so that from a risk perspective we're able to garner what's happening. That's something that can be used. I've seen tool sets that help you write policy and help you write SSPs and things of that nature. So we're starting to see people starting to use those large language models to help bounce ideas off of,

[00:29:39] Chris Sienko: Right, okay.

[00:29:40] Dr. Shayla Treadwell: to be able to be some, something they can walk along with to make the most robust policy possible.

[00:29:46] Chris Sienko: Yeah.

[00:29:47] Dr. Shayla Treadwell: I've seen it where a lot of organizations may automate

[00:29:55] Chris Sienko: Mm hmm.

[00:29:56] Dr. Shayla Treadwell: if you're doing ATOs and if you're doing assurance activities. It is possible. However, I will say, and this is just a Shayla-ism, always have a human in the loop. Go back and check it,

[00:30:09] Chris Sienko: Mm hmm.

[00:30:10] Dr. Shayla Treadwell: because the one thing about AI is that if the data is dirty, then the output is dirty too. So you got to make sure that that data is clean if you're going to be doing things like that.

[00:30:19] Chris Sienko: Well, that goes into my next question, because I was going to say, I think, from a use perspective, AI is amazing, and from a certain-people-who-want-to-save-money perspective, it could be potentially dangerous. So, what are some aspects of GRC that companies might be tempted to use AI and ML tools to cut corners

with, but in your opinion really shouldn't be? I think when you said keep a human in the loop, but can you give other examples of the ways that, like,

[00:30:45] Dr. Shayla Treadwell: absolutely.

[00:30:45] Chris Sienko: that just, just run the numbers.

[00:30:47] Dr. Shayla Treadwell: It sounds easy to say, well, AI can write my policy.

[00:30:50] Chris Sienko: Mm hmm.

[00:30:51] Dr. Shayla Treadwell: You have to actually do what that policy says,

[00:30:53] Chris Sienko: Mm hmm. Mm hmm.

[00:30:55] Dr. Shayla Treadwell: you know, a large language model might write you the best policy on the planet.

[00:30:59] Chris Sienko: Mm hmm.

[00:31:00] Dr. Shayla Treadwell: Can you actually do that?

[00:31:01] Chris Sienko: Mm hmm. Yeah.

[00:31:02] Dr. Shayla Treadwell: That is a key example to say, no, you cannot get rid of your staff.

[00:31:07] Chris Sienko: Mm hmm.

[00:31:07] Dr. Shayla Treadwell: me,

[00:31:08] Chris Sienko: Mm hmm. Mm hmm. Yeah. Right.

[00:31:11] Dr. Shayla Treadwell: Additionally, I always tell organizations, instead of trying to cut corners in this space, and this is where I think AI is beautiful, let AI take care of the low-hanging fruit.

[00:31:23] Chris Sienko: Okay. Mm hmm.

[00:31:25] Dr. Shayla Treadwell: With the low-hanging fruit, you can definitely finesse the language that you're using, making sure that it's more readable to people, things of that nature. But what ends up happening is that you've now freed up that professional's time to really dig deep and to make sure you're covering off on all the things that you need to cover off on.

[00:31:45] Chris Sienko: Mm hmm.

[00:31:46] Dr. Shayla Treadwell: for more innovation, with the possibilities of the way that you can govern an organization in a seamless way. So you gotta kind of balance those two.

[00:31:56] Chris Sienko: Mm hmm.

[00:31:57] Dr. Shayla Treadwell: It's very, very helpful. But like I said, at the same time, make sure you get your eyes on that stuff. I mean, you don't

[00:32:05] Chris Sienko: Right.

[00:32:06] Dr. Shayla Treadwell: come back with something phenomenal. And then you get an auditor coming in saying, okay, it looks like this policy said that you have this committee.

And you're like, uh,

[00:32:15] Chris Sienko: Mm hmm.

[00:32:17] Dr. Shayla Treadwell: It may be a phenomenal best practice, but you don't do it.

[00:32:20] Chris Sienko: Yeah.

[00:32:21] Dr. Shayla Treadwell: Yeah, you got to make sure you get it done.

[00:32:22] Chris Sienko: That gets to the core issue of whether the C-suite even knows what you're doing down there. If they think that you all are just a stack of paper that says we're okay here, we don't have anything to worry about, kind of thing.

[00:32:39] Dr. Shayla Treadwell: It's not like that. It's

[00:32:41] Chris Sienko: Yeah.

[00:32:41] Dr. Shayla Treadwell: those T's, dotting those I's.

[00:32:43] Chris Sienko: Yep.

[00:32:44] Dr. Shayla Treadwell: It really is. Because I think another thing that people think is that with compliance, you're just looking at frameworks and regulations.

[00:32:51] Chris Sienko: Mm hmm.

[00:32:52] Dr. Shayla Treadwell: You're looking at contractual obligations as well.

[00:32:54] Chris Sienko: Mm hmm.

[00:32:55] Dr. Shayla Treadwell: Looking at what your organization has promised some other people.

[00:32:59] Chris Sienko: Right.

[00:32:59] Dr. Shayla Treadwell: And you'll find a lot of times that after an award is given, that organization may come in, they may have a clause that says, Hey, we can audit a couple of things. Can you give me evidence of this, that, and this? That looks a little different, to be able

[00:33:15] Chris Sienko: Mm hmm.

[00:33:16] Dr. Shayla Treadwell: to churn up evidence in that space. So

[00:33:18] Chris Sienko: Right.

[00:33:19] Dr. Shayla Treadwell: no, no.

Don't think it's just about a framework or a regulation.

[00:33:22] Chris Sienko: Yeah.

[00:33:23] Dr. Shayla Treadwell: What have you told other people you're going to do?

[00:33:25] Chris Sienko: Exactly. Okay, that's awesome. Thank you. So, speaking more philosophically about the concept of it, we had a great conversation before recording this episode to sort of tease out some things, and one of the metaphors you used for AI as it's currently being discussed was a certain volcano that erupted back in 2004.

Can you tell me more about that story again?

[00:33:43] Dr. Shayla Treadwell: I can. I can. So, it was a volcano in Ireland, I believe,

[00:33:48] Chris Sienko: Mm hmm. Mm hmm. Mm hmm. Mm

[00:33:53] Dr. Shayla Treadwell: They didn't know what to do about this volcano that never erupts, erupting. It really shows a situation where you're dealing with this concept called VUCA. VUCA is Volatility, Uncertainty, Complexity, and Ambiguity. And the term was coined by one of the military colleges after the Cold War ended. With them not being focused on the Cold War, they had no idea what to be focused on.

[00:34:21] Chris Sienko: hmm.

[00:34:22] Dr. Shayla Treadwell: It was like, okay, so what do we do?

[00:34:24] Chris Sienko: Now what? Yeah. Yeah. Mm hmm.

[00:34:31] Dr. Shayla Treadwell: In compliance and risk and things of that nature, we live in VUCA situations every day. Our roles evolve rather quickly, especially when you look at them against, we'll say, staple roles like HR, accounting, marketing, things of that nature. Do they change? Yes, but the core concept of what they need to focus on is the same. When you're dealing with cybersecurity, would we have ever imagined that we had to deal with something called a prompt injection?

No. Like, okay, where did that come from? Let me go tackle that now.

[00:35:01] Chris Sienko: Right.

[00:35:02] Dr. Shayla Treadwell: The world is ever changing, and being on your toes to anticipate those changes, when it comes down to a futuristic perspective where you're looking for signals of change,

[00:35:14] Chris Sienko: Hmm.

[00:35:15] Dr. Shayla Treadwell: we just got to catch them faster. We just have to catch them.

[00:35:18] Chris Sienko: Yeah. Yeah. Okay. Well, good, because that goes into my next question as well. We were discussing this quite a bit today, but I want to use another one of your turns of phrase from our previous conversation. And you said regarding AI as something that's being mixed with both tech and humanities.

You asked hypothetically, what are humans? What, as humans, are we okay signing off with? And I think this is a really great framing, because both the utopian and dystopian views of AI emphasize its relationship to humans, but a lot of the points in between really don't. So what are your thoughts on what we should and should not be okay with signing off on regarding these AI integrations?

[00:35:54] Dr. Shayla Treadwell: Sure. Absolutely. And I think that, just to piggyback on that, there is a humanistic, this is my sidekick hopping on, there's a humanistic concept that humans tend to attribute a human characteristic to inanimate objects.

[00:36:12] Chris Sienko: sure. Mm hmm.

[00:36:13] Dr. Shayla Treadwell: with

[00:36:14] Chris Sienko: Mm

[00:36:15] Dr. Shayla Treadwell: The way that we view it truly is in a human way, when the reality is that we're dealing with predictive analytics over and over, and stats, at its core. I know I've

[00:36:27] Chris Sienko: Yeah.

[00:36:27] Dr. Shayla Treadwell: completely by

[00:36:28] Chris Sienko: Yeah. Yeah. No, absolutely. No, it makes a

[00:36:30] Dr. Shayla Treadwell: what we're

[00:36:30] Chris Sienko: good point. Yeah, absolutely

[00:36:32] Dr. Shayla Treadwell: And when you start to think about the humanities and you think about technology, and I know that, you know, out there, there's this concept of the singularity, when AI will overshadow beings and

[00:36:44] Chris Sienko: hmm

[00:36:45] Dr. Shayla Treadwell: we will not be able to distinguish the two, and one will win. When we start thinking about that, do I think we're there right now? No, I don't think we are. I do think that the way that we utilize AI, and the expectation that we have upon it, we really got to reconsider it. Humans, if you start to think about what we train these things off of and all these algorithms, we have made a ton of mistakes as humanity.

[00:37:15] Chris Sienko: Yeah

[00:37:16] Dr. Shayla Treadwell: And over time, we've recognized our mistakes and we continue to do that. But that's how we're teaching the AI.

[00:37:23] Chris Sienko: I was just gonna say that. Yeah, we're giving it all of human history and it's gonna keep it. It doesn't differentiate. It's not a differentiation engine. So yeah.

[00:37:32] Dr. Shayla Treadwell: It doesn't.

[00:37:33] Chris Sienko: Yeah

[00:37:34] Dr. Shayla Treadwell: That's where I tell people that AI, as much as we talk about bias and stuff, it's inherently biased. Even the creation of it.

[00:37:43] Chris Sienko: Mm hmm,

[00:37:43] Dr. Shayla Treadwell: It has to be biased, because if I want to use it for a certain tool set, I want it to be more biased to the mission that I'm trying to achieve.

[00:37:53] Chris Sienko: right.

[00:37:53] Dr. Shayla Treadwell: I say it this way, you know, if I am using AI to rate people's credit. Right. And I rate their credit. Is the AI going to naturally say, you know what, let's use the credit score that's the best so that they can get a lower APR?

[00:38:12] Chris Sienko: Mm hmm.

[00:38:13] Dr. Shayla Treadwell: No. If that's the morals and values of the organization that's trying to use AI to help, you gotta actually tell it that. You

[00:38:21] Chris Sienko: Yeah.

[00:38:21] Dr. Shayla Treadwell: don't make me more money. I want you to

[00:38:24] Chris Sienko: Yeah. Oh, yeah. Yeah Right Yes

[00:38:28] Dr. Shayla Treadwell: help my customer, 'cause I care more about customer loyalty and people than I do about making money in that space. I've all of a sudden injected a belief system or a notion that is not normal to the way the AI

wants to please its owner.

[00:38:47] Chris Sienko: Right, right.

[00:38:48] Dr. Shayla Treadwell: please us. So, we have seen instances where, for example, I can't go off and ask Gemini or ChatGPT, Hey, give me some malicious code really quickly. Like, I want to go over here and hack somebody,

[00:39:00] Chris Sienko: Yeah, right, right.

[00:39:01] Dr. Shayla Treadwell: Give me some code.

[00:39:02] Chris Sienko: Give me some code! Help me up!

[00:39:05] Dr. Shayla Treadwell: It actually would give you a response back that it can't do that.

[00:39:08] Chris Sienko: Right, right.

[00:39:09] Dr. Shayla Treadwell: However, when we start to look at how people maliciously use these tools, they'll say something like, Hey, I'm a professor and I want to teach my class about, you know, some bad code to look out for. And what's the AI going to say? Sure, because it's programmed to want to help you.

[00:39:28] Chris Sienko: Yeah,

[00:39:29] Dr. Shayla Treadwell: that interaction.

[00:39:29] Chris Sienko: exactly.

[00:39:30] Dr. Shayla Treadwell: It's like, here goes something you can use. That's a completely different question. So we have to be very careful as we continue to roll out AI, especially in the deep learning space, where we're starting to look at neurologically trying to get those AI to work the same way as our neurons in our brain. We got to be careful with what we're okay with and what we're not okay with, because it starts to ask questions about our moral compass.

[00:39:55] Chris Sienko: No, completely. I think that's a, you know, because again, like I said, it's real easy to go either, this is all going to be great, or this is all going to be terrible, and neither is true, but both of them require us to be extremely vigilant, I think. Right. So, I want to talk about any listeners who might be wanting to work directly in AI governance.

And I think this is, you know, maybe this is not something you do as much directly, because you're sort of working in GRC with AI, but in terms of, like, a job search term that's just starting to get traction and is working with maybe the creation of the AI within GRC, what are some skills or degrees or certifications or experiences that they should be prioritizing now to sort of

be ramped up into being able to, like you say, steer the AI to do this type of work?

[00:40:46] Dr. Shayla Treadwell: With AI governance, there's a couple of paths that you can go down, because when you start to look at the job title and then the descriptions after it, AI governance could mean, understand the governance meaning a committee and a group within the organization

[00:41:02] Chris Sienko: Yep.

[00:41:03] Dr. Shayla Treadwell: down

[00:41:03] Chris Sienko: Mm

[00:41:04] Dr. Shayla Treadwell: how they're creating AI and ethical principles that you can probably find in the NIST AI document that they have out there when it comes to development. That's gonna be really important.

And how you train the AI and things of that nature. You can go down a very technical path, especially if you have a development background and that's something that you're interested in, and you want to make a pivot. That's a beautiful pivot point. Another area around AI governance that is really, really critical is when you start to look at commonly used technologies, whether it's a SaaS solution or a cloud environment, things of that nature, and understanding from a regulatory perspective, what are those inherited controls that they can pass on to their customers?

[00:41:48] Chris Sienko: hmm.

[00:41:49] Dr. Shayla Treadwell: That's something that's quite critical. They're attempting to pull humans out, so it's automated a little bit more, and being able to answer some tough questions when organizations come to them and say, Hey, can you tell me a little bit about the data management of all of this stuff and how you're using this data? This is really, really critical when you start to view the privacy lane,

[00:42:12] Chris Sienko: Hmm.

[00:42:13] Dr. Shayla Treadwell: GDPR, CCPA, things of that nature.

[00:42:15] Chris Sienko: Yep.

[00:42:16] Dr. Shayla Treadwell: There's a beautiful opportunity for people who love that space to work with organizations to understand what's happening to the data and how it can be viewed and used in the future, and understanding, similar to the way that we do some of our bigger frameworks, how those controls could be inherited by companies.

So if they're going through a certain certification process, they can inherit those things. Last thing, when you start to look at AI governance, I would tell folks that you really need to not necessarily understand how AI is created. I'm not telling you to go off and create your own algorithm.

[00:42:59] Chris Sienko: Right. Yeah.

[00:43:00] Dr. Shayla Treadwell: You know what I mean? That's

[00:43:01] Chris Sienko: Yes.

[00:43:02] Dr. Shayla Treadwell: the key. But from a governance perspective, you really have to think about what are some of the risks you wanna help organizations thwart through the usage of AI, and do you truly understand what's happening in that space? So it's really, really big when it comes into data and data normalization, when it comes down to how organizations use that and how do you build information and how it's being parsed and used. Those are some critical areas that you may wanna start to understand a little bit more.

[00:43:36] Chris Sienko: Yeah, that's, boy, that's like a masterclass right there in terms of coming up with a laundry list of what the thoughts are going to be in the space in the coming years here. Now, one thing you mentioned again in our chat was that there's a lot of women in AI governance, but that a lot of the big chapters are not in the US.

Can you talk a bit more about this? What does the global AI governance community look like?

[00:44:03] Dr. Shayla Treadwell: It is actually quite new. Even

[00:44:05] Chris Sienko: Hmm.

[00:44:06] Dr. Shayla Treadwell: talking about the roles, I think when you start to talk to someone that's seasoned in this space, they may have five years' experience, like

[00:44:13] Chris Sienko: Mm hmm. Mm hmm. Yeah. Yeah. You're a vet. Yeah. Ha ha

[00:44:21] Dr. Shayla Treadwell: AI is a new application, especially with the GenAI and things of that nature, is new. That's the new part. So you get someone that says, yeah, I've been doing AI governance for the last 20 years. It's like, what kind of robotics project were you part of?

[00:44:37] Chris Sienko: ha. Right. Right. Mm

[00:44:41] Dr. Shayla Treadwell: With that, with your findings, that representation, and specifically for women in the AI world, the Western world, we'll say the U.S. primarily, we're not as current in this space. What you find, especially because of the EU and the privacy things they do with GDPR and the new AI Act, especially when you start looking at the Middle East, they actually have a lot of women, a part of communities over there, that do

[00:45:08] Chris Sienko: hmm.

[00:45:10] Dr. Shayla Treadwell: We are starting to see some chapters being formulated in the U.S. with women in governance capacities. There's some women that are coming together in this space, because representation is very, very important. And

[00:45:24] Chris Sienko: Mm hmm.

[00:45:24] Dr. Shayla Treadwell: when you start to do hackathons, pen tests, these kinds of things, to truly understand what's happening in the world, you'll see that some of the

[00:45:33] Chris Sienko: Yes.

[00:45:33] Dr. Shayla Treadwell: data you have on underserved communities is probably not the same data that they want AI to think about them with.

[00:45:39] Chris Sienko: No. Yeah. Good point. Yeah.

[00:45:41] Dr. Shayla Treadwell: Yeah, and I will even say I have a wonderful colleague out at Berkeley University. He's absolutely awesome. And they did some work, I want to say, a few years ago, maybe, or so, where they were looking at AI in healthcare. And what they ended up doing is allowing some AI tool sets to triage patients as they came in to understand the criticality of the care that they needed. And what they found is that women particularly, and people of color, were not served as quickly by the AI-based

[00:46:15] Chris Sienko: Mm hmm.

[00:46:16] Dr. Shayla Treadwell: and.

[00:46:17] Chris Sienko: Wow.

[00:46:18] Dr. Shayla Treadwell: It wasn't because the AI was trying to be inherently biased. But it's all based off of the data sets that we give it and,

[00:46:26] Chris Sienko: Mm hmm.

[00:46:27] Dr. Shayla Treadwell: you know, when it comes down to underserved populations and pain tolerance. So that was an area where, you know, they flat out said, no, we can't instantiate this in our hospitals, because if I had a person evaluate that person, they would have never said that.

[00:46:43] Chris Sienko: Yeah. Yeah.

[00:46:44] Dr. Shayla Treadwell: It goes back to our previous conversation, to talk about some stuff that we're going to have to inject into AI for the future that we actually want to have.

[00:46:56] Chris Sienko: Yeah. No. I totally agree. And I think it really does sort of speak to the falsehood that facts or, you know, stats are inherently neutral. You know, that you just have the numbers and the numbers don't lie. It's like, the numbers can do a lot of things. The numbers can dance and stand on their head and zigzag back and forth, this way and that way.

So, yeah, no, I think that's a really vital part of this whole discussion.

[00:47:24] Dr. Shayla Treadwell: Now, I do want to turn it on its head. Now, this is another aspect of it. There is,

[00:47:30] Chris Sienko: Hmm. Mm

[00:47:32] Dr. Shayla Treadwell: Maryland, where she is working, identifying skin cancer on individuals. Yeah, absolutely. Okay. And AI has been proven to identify a lot of things actually before medical providers, because they have the

[00:47:51] Chris Sienko: Great.

[00:47:52] Dr. Shayla Treadwell: able to do it.

So there is a way that it's extremely helpful. That's why I

[00:47:56] Chris Sienko: Yes, for sure.

[00:47:57] Dr. Shayla Treadwell: to this coin.

[00:47:58] Chris Sienko: Yeah, yeah, yeah, absolutely.

[00:48:00] Dr. Shayla Treadwell: What they found is that the more melanated the skin, the less the AI has the ability to catch the skin cancer.

[00:48:08] Chris Sienko: Mm hmm.

[00:48:09] Dr. Shayla Treadwell: Not because, you know, people in this demographic didn't get skin cancer.

It was because they didn't have enough data sets.

[00:48:18] Chris Sienko: Mm hmm.

[00:48:19] Dr. Shayla Treadwell: It was just like, oh, we have to go get more data so that we

[00:48:23] Chris Sienko: Yes.

[00:48:24] Dr. Shayla Treadwell: this project. And there's funding

[00:48:25] Chris Sienko: Yeah.

[00:48:26] Dr. Shayla Treadwell: for everything. So that's another situation where it's just like, we just need more data. If we have more data, this could be a phenomenal thing. So

[00:48:36] Chris Sienko: Yes. And then, yeah. Yeah, no, I would say, but that also means that it's up to us as the sort of human inputs into this, that we need to actively seek out those data sets and not just say, well, I'm sure it's fine, you know?

[00:48:50] Dr. Shayla Treadwell: Yeah. Yeah. So that's why I say there's beautiful opportunities on both sides of the house. But either, A, we have to say yay or nay to certain things that AI may draw a conclusion to, or we just haven't given it enough data to do its thing. That's all.

[00:49:06] Chris Sienko: Yep. Yeah, no. And well, lest we think of this as all doom and gloom, I mean, you also said in our conversation, I know in certain terms, I'm an optimist in this space. And one more example you mentioned, and this is not medical related, but was one of the things that ChatGPT could be a great equalizer with, was when it comes to helping young people with less financial resources to start putting together, say, a college application or things like that.

Can you speak of some of the less seen but very exciting opportunities that tools like ChatGPT can provide to communities that didn't previously have access?

[00:49:38] Dr. Shayla Treadwell: Absolutely. I think that this is a phenomenal time for small business owners. Suddenly

[00:49:43] Chris Sienko: hmm.

[00:49:44] Dr. Shayla Treadwell: you have this tool set that can help you get things done faster. You have a companion that walks with you that you can bounce things off of. You can use it as a tutor, a lot of times, for students. So I actually

[00:49:56] Chris Sienko: Mm hmm. Mm

[00:49:57] Dr. Shayla Treadwell: don't mind students using AI tool sets. I just think that the learning process might have to change ever so slightly, because what I'm finding, even with, you know, my own goddaughter, brother, whomever it may be,

[00:50:10] Chris Sienko: hmm.

[00:50:11] Dr. Shayla Treadwell: I don't mind you using the tool set to get an answer. However, I might ask you afterward, okay, it gave you the answer.

Where's some other ways you think it could have got the answer? That's critical thinking. That's okay. That's

[00:50:24] Chris Sienko: Yeah.

[00:50:26] Dr. Shayla Treadwell: And I really, and I know the conversation we had, I really look at the underserved population for college students. A lot of

[00:50:33] Chris Sienko: Mm hmm.

[00:50:34] Dr. Shayla Treadwell: them have access to more wealth, they're able to hire tutors, they're able to hire people to help them write college

[00:50:41] Chris Sienko: Yep.

[00:50:41] Dr. Shayla Treadwell: essays and things of that nature. If you come from an underserved community, you can't do that. But you know what you can do? If you learn how to prompt the right way, you can get on ChatGPT and say, not

[00:50:53] Chris Sienko: hmm.

[00:50:53] Dr. Shayla Treadwell: write the essay for me, but help me understand some things to put in here to make

[00:50:59] Chris Sienko: Yes.

[00:51:01] Dr. Shayla Treadwell: a better essay for me. So I don't

[00:51:03] Chris Sienko: Yeah.

[00:51:04] Dr. Shayla Treadwell: should be necessarily penalized for using these tool sets. I just think that we may need to ask the question differently because learning can still happen.

[00:51:13] Chris Sienko: Yeah. Yeah. And, I mean, I want to, you know, I feel like the last thing that we were really scared of was Wikipedia in the same way. There was this notion that no one's going to remember anything anymore because they're just going to Wikipedia. And I know that it gets abused a lot, but like, you know, as time goes on, we're finding that like a large, large percentage of Wikipedia is like stunningly well preserved in terms of its knowledge.

And I feel like ChatGPT is going to go through those same kind of growing pains where we don't trust it. And then it's going to, we're going to be able to sort of lock it in, in a way. And again, I think it's going to be that oversight. It's going to be that human oversight element. That's going to make it like that.

But, but the parallels are, are hard to miss. I feel like in this case. Okay.

[00:51:53] Dr. Shayla Treadwell: agree with you 1000%. That's why I tell people I'm definitely an optimist in the space. I think

[00:51:59] Chris Sienko: hmm. Hmm.

[00:52:01] Dr. Shayla Treadwell: the world. We have so much knowledge and to be able to aggregate that is a wonderful tool for us. Um, I do think that, um, and I know the Institute for the Future did a research study back in 2018 for the 2020 workforce, and we're four years past that, and it seems to be pretty accurate, but one of the, um, areas of that study was understanding that the future workforce had to be able to, um, engage in more sense making.

And I thought that was fascinating the first time that I read that. However, when I start to look at sense making, we can use ChatGPT, we can use Gemini, we can use all these tools to help get some information aggregated to us from multiple sources. But do we understand what that means? As a human, how do we go through a sense making process in order to make things better?

So I'm extremely optimistic for the future. I think that we can leverage these toolsets to do some phenomenal things if we want to. It just means that we have to refine it a little bit. That's all.

[00:53:03] Chris Sienko: Yeah, I totally agree. Now, um, we're, we're coming up on the hour, but before we go, Shayla, I want to ask you something I ask all of our guests. Do you have a piece of career advice that you've received that's been influential to you? Whether it was a parent or a mentor or a colleague or just something you read somewhere.

[00:53:18] Dr. Shayla Treadwell: Yeah. Yeah. Um, I think the greatest advice that I've ever gotten is to fail forward. And

[00:53:25] Chris Sienko: Hmm.

[00:53:26] Dr. Shayla Treadwell: fail forward, it means it's, it's okay if you don't hit the mark all the time. However, you can't let that keep you down. If you're going to fail at something, then by golly, you better learn something from it and keep it

[00:53:39] Chris Sienko: Yeah. Yeah. Yeah. Right. Makes sense. Yeah.

[00:53:42] Dr. Shayla Treadwell: have to, and you have to be okay with that learning process. Um, if I'm the smartest person in the room, it means that one, I'm not looking at who I have in that room and the expertise that they bring to the table. And

[00:53:56] Chris Sienko: Hmm.

[00:53:57] Dr. Shayla Treadwell: not being the leader in person that I need to be in order to create environments where answers can be found. So I don't care if you're looking at a career change. If you're new to this, coming fresh out of high school, I don't care if you are 60 years old and you're retired and you want to get back in the workforce. There is a spot for you because the attributes and knowledge, skills and abilities, KSAs, that we're looking for, it's not about who can hit a keyboard. It's about your critical thinking skills and how you're

[00:54:30] Chris Sienko: Hmm.

[00:54:30] Dr. Shayla Treadwell: to contribute to the body as a whole. So never think that there's not a space for you. If you mess up, it's okay. Get back up and let's keep going.

[00:54:38] Chris Sienko: Yeah. If you're going to fail, fail big. And then like you said, take notes.

[00:54:42] Dr. Shayla Treadwell: Yep. There you

[00:54:43] Chris Sienko: Yeah, uh, so it's about time to wrap up here, but before we go, you tell us a little bit about, but tell our listeners about ECS and the work they do as well as if you want your own consulting business, the Treadwell Agency.

[00:54:58] Dr. Shayla Treadwell: federal work. However, we do some commercial work as well. We work with all the big agencies, whether it's DOD, DHS, House of Representatives. We do a lot of fun stuff. Overall, from a size perspective, we're, we're kind of midsize. We got roughly 4,000 employees, but what I will say about ECS, we get to do some really, really, really, really cool projects.

If you love fun projects like that, we're definitely always hiring. Please look our

[00:55:25] Chris Sienko: Love it.

[00:55:26] Dr. Shayla Treadwell: You'll see a bunch of jobs. And if you have questions,

[00:55:29] Chris Sienko: Cool.

[00:55:29] Dr. Shayla Treadwell: email and ask. I have no problem answering any questions because we don't only look for people who, you know, are innovative and smart.

We also have a company value that we need to make sure we have people who are innovative and have grit. Um, if you have grit and determination, it's probably a good space for you to come to. Um, and overall, um, I will, I will say that, uh, ECS has been a very, very fun place to work over these five years. And then for the Treadwell Agency, um, very, very small organization, um, very boutique.

However, an opportunity to do some really, really fun stuff when it comes down to mitigating the human risk in organizations. And when it comes down to making awareness and training and digital transformations fun for folks. So, um, I get a chance to work with two very, very cool companies.

[00:56:23] Chris Sienko: Oh, that's awesome. Uh, well, you've opened the door open to people, uh, emailing you. So if our listeners want to learn more about you or contact you or whatever, where should they look for you online? Where should they, uh, write you?

[00:56:34] Dr. Shayla Treadwell: So definitely find me on LinkedIn. Shayla Treadwell, you'll find me there. Um, and send me a message. I'm okay with that. Um, I'm always game to try to help some folks. Um, if I don't have an answer, maybe I can hook you up with somebody who does have an answer. Uh, but

[00:56:50] Chris Sienko: Love it.

[00:56:50] Dr. Shayla Treadwell: very open because I, I do know the cyber secure path, cybersecurity path is not a very easy one. And, uh, data shows that we get a lot of people that are entry level that join cybersecurity teams and they leave after a year because it's a culturally challenging space sometimes with some of the transformations that we're

[00:57:09] Chris Sienko: Yeah.

[00:57:09] Dr. Shayla Treadwell: within cyber security holistically. Um,

[00:57:11] Chris Sienko: Mm hmm

[00:57:12] Dr. Shayla Treadwell: that is changing. Um, the breadth of the work that we're doing is very, very important and it's changing over time and we need some good folks.

[00:57:20] Chris Sienko: Love it. Well, thank you again for your time and insights today, Shayla. I'm so glad we got to reconnect. This was a great

[00:57:25] Dr. Shayla Treadwell: I appreciate it too. Thank you very much for having me.

[00:57:29] Chris Sienko: My pleasure, and as always, thank you to everyone who watches, listens and writes into Cyber Work Podcast with feedback. If you have any topics you'd like us to cover or guests you'd like to see on the show, drop them in the comments and we shall do our best to accommodate. Uh, before we go, don't forget, infosecinstitute.com slash free is the place where you go to get a whole bunch of free and exclusive stuff for Cyber Work listeners, including the trailer for our security awareness training series, WorkBytes, a smartly scripted and hilariously acted set of videos in which a very strange office, staffed by a pirate, a zombie, an alien, a fairy princess, a vampire, and others, navigate their way through age-old struggles of yore.

Whether it's not clicking on the treasure map someone just emailed you, making sure your nocturnal vampiric accounting work at the hotel is VPN secured, or realizing that even if you have a face as recognizable as the office's terrifying IT guy, Bone Slicer, he still can't buzz you in without your key card.

So go to the site, check out the trailer. Also, don't forget to download our free Cybersecurity Talent Development ebook. You'll find in-depth training plans and strategies for the 12 most common security roles, including SOC analyst, pen tester, cloud security engineer, information risk analyst, privacy manager, secure coder, ICS professional, and more.

One more time, infosecinstitute.com slash free, and yes, the link is in the description. One last time, thank you to Dr. Shayla Treadwell, and thank you all for watching and listening. This is Chris Sienko signing off. Until next time, keep learning, keep developing, and don't forget to have a little fun while you're doing it.

Bye for now. 
