From CIA to CISO: AI security predictions and career strategies | Guest Ross Young

Get your FREE Cybersecurity Salary Guide: https://www.infosecinstitute.com/form/cybersecurity-salary-guide-podcast/?utm_source=youtube&utm_medium=podcast&utm_campaign=podcast

Ross Young, CISO in residence at Team8, joins this week's Cyber Work episode to share insights from his fascinating career journey from the CIA to cybersecurity leadership. With over a decade of experience across intelligence agencies and major companies, Young discusses the rapidly evolving AI security landscape, predicts how AI will transform security roles and offers valuable career advice for cybersecurity professionals at all levels. Learn how security professionals can stay relevant in an AI-driven future and why continuous learning is non-negotiable in this field.

00:00 Intro
00:27 Ross Young's journey in cybersecurity
01:18 Cybersecurity job market insights
02:12 Ross Young's educational path
07:38 Experience at the CIA
10:38 Transition to the private sector
13:15 Current role at Team8
18:30 Daily life of a CISO in residence
22:12 Impact of AI on cybersecurity
25:23 Identifying phishing emails
25:49 New risks with AI models
27:08 Exploiting AI for malicious purposes
30:55 Defending against AI exploits
32:24 AI in security automation
33:30 Common mistakes in AI implementation
36:59 Future of cybersecurity with AI
43:18 Advice for security professionals
46:17 Career advice

– View Cyber Work Podcast transcripts and additional episodes: https://www.infosecinstitute.com/podcast/?utm_source=youtube&utm_medium=podcast&utm_campaign=podcast

About Infosec
Infosec’s mission is to put people at the center of cybersecurity. We help IT and security professionals advance their careers with skills development and certifications while empowering all employees with security awareness and phishing training to stay cyber-safe at work and home. More than 70% of the Fortune 500 have relied on Infosec Skills to develop their security talent, and more than 5 million learners worldwide are more cyber-resilient from Infosec IQ’s security awareness training. Learn more at infosecinstitute.com.

Video #273 - Ross Young on current issues in AI and his time in the CIA

[00:00:00] Chris Sienko: Today on Cyber Work, Ross Young of Team8 joins me to discuss the way that security will change in the rise of machine learning, large language models, and other tech revolutions happening at the moment.

[00:00:09] Ross Young: If I were to ask ChatGPT to say, write me some ransomware so that I can, steal data, it's probably going to say no. But if I say, I need a file that actually, gets your, password, right. And, and pulls the data from here. I can now start to write that shell command.

[00:00:27] Chris Sienko: Ross discusses his time at the CIA and the challenges he took on while moving up the ladder in that organization.

[00:00:33] Ross Young: The way you get promoted from a 12 to a 13 is you're already demonstrating you're in 13- and 14-level conversations, 14-level meetings. If everyone you meet with is a 15 and you're a 13, chances are you're going to get a chance to move up.

[00:00:47] Chris Sienko: What it means to be a CISO in residence.

[00:00:49] Ross Young: We talk to the CISOs. We say, "Hey, what are the problems you're having?" And then after talking to a hundred CISOs, we figure out these are the trends that they all have.

[00:00:57] Chris Sienko: And helps us to predict what current and future [00:01:00] practitioners will absolutely need to know to rise in the ranks of the security industry. That's to come.

[00:01:05] Ross Young: You have to always be learning, because if you think the skills you used to gain your CISSP five years ago are still relevant in today's date, you're fooling yourself.

[00:01:16] Chris Sienko: That's all today on Cyber Work.

[00:01:18] Chris Sienko: The IT and cybersecurity job market is thriving. The Bureau of Labor Statistics predicts 377,500 new IT jobs annually. You need skill and hustle to obtain these jobs, of course, but the good news is that cybersecurity professionals can look forward to extremely competitive salaries. That's why Infosec has leveraged 20 years of industry experience, drawing from multiple sources, to give you, Cyber Work listeners, an analysis of the most popular and top-paying industry certifications.

[00:01:46] Chris Sienko: You can use it to navigate your way to a good paying cyber security career.

[00:01:49] Chris Sienko: So to get your free copy of our cybersecurity salary guide ebook, just click the link in the description below. It's right there near the top, just below me. You can't miss it. Click the link in the description and [00:02:00] download our free cybersecurity salary guide ebook.

[00:02:03] Chris Sienko: Your cyber security journey starts here.

[00:02:05] Chris Sienko: Now let's get the show started

[00:02:12] Chris Sienko: Welcome to this week's episode of the Cyber Work podcast. My guests are a cross section of cybersecurity industry thought leaders, and our goal is to help you learn about cybersecurity trends and how those trends affect the work of infosec professionals, as well as leaving you with some tips and advice for breaking in or moving up the ladder in the cybersecurity industry.

[00:02:32] Chris Sienko: My guest today, Ross Young, has been the CISO of Caterpillar Financial, a Johns Hopkins University instructor and the creator of the OWASP Threat and Safeguard Matrix, or TaSM. Previously, he was a divisional CISO at Capital One and has over a decade's worth of cybersecurity experience across the CIA, NSA, and the Federal Reserve Board.

[00:02:52] Chris Sienko: His expertise ranges from attacking financial services for the federal government to defending organizations by [00:03:00] automating defenses in cloud security and DevSecOps pipelines. Now, Ross holds a master's and bachelor's degree from Johns Hopkins University, and he's ready. Idaho State University and Utah State University.

[00:03:11] Chris Sienko: Ross is also designated as a Boardroom Certified Qualified Technology Expert and a Certified Information Security Professional, or CISSP, one of the biggies. Ross is married with four kids and lives in Las Vegas, Nevada. And when he isn't fighting cyber criminals, he can usually be found rock climbing, kayak fishing, or watching anime.

[00:03:31] Chris Sienko: So, Ross and I are going to talk today about some current issues around AI and about some of his interesting job roles to this point. So Ross, thank you for joining me today and welcome to Cyber Work.

[00:03:41] Ross Young: Well, thank you so much for that nice intro. I really appreciate it. And it's a pleasure to be on the show.

[00:03:47] Chris Sienko: Excellent. Excellent. Glad to have you, Ross. So, let's start out with where you originally got interested in all this stuff. Our listeners always like to know kind of what the initial spark was that got you [00:04:00] interested in cybersecurity. I'm guessing you were kind of a tech person from the way back, but what specifically got you into the cybersecurity space?

[00:04:06] Ross Young: You know, I always knew I wanted to do something with computers. And when I was a junior in high school, I went to UNLV. I got to tour the two labs of computer science and computer engineering, and knew software was the way for me. And then along the way, and this is right around, let's call it 2002, was one of the classes I got to take.

[00:04:27] Ross Young: And I just really knew that that was for me. You know, I always thought it was like being a magician, growing up here in Las Vegas. It's like amazing if you know how to do the tricks, and you can see all the practice and a lot of the tradecraft that comes with learning that, that practitioner. And if I'm being honest with myself, I wasn't a stellar programmer.

[00:04:47] Ross Young: I was a B level programmer in a comp sci program. So I found this niche and really just loved it.

[00:04:54] Chris Sienko: Can you speak more about that? Because again, I think there's always that concern with [00:05:00] students, especially in terms of their blind spots. And if they feel like, well, if I can't code well, or if I can't do this quickly enough, or if I'm not the absolute pinnacle of a certain skill set, like, you know, I can't get into security.

[00:05:11] Chris Sienko: So talk about where, you know, you said you had sort of mid-level coding skills, but how you can also strengthen your other skill areas to still get very successful and satisfying career roles like that.

[00:05:26] Ross Young: Yeah, so at this point in time, cybersecurity was mostly master's-level classes. So while I was able to limp through and get my bachelor's in computer science, I had a very tough choice of where do I want to go to do a master's degree in cybersecurity versus going straight into the job force.

[00:05:46] Ross Young: And I found I wasn't very competitive winning those jobs. So the best thing I thought to do was to go and get more school. At this point in time, there were a couple of really good universities. Naval Postgraduate was probably the most [00:06:00] famous one for doing very detailed comp sci programs. But I also found another program from Idaho State University that had an MBA in cybersecurity, which was really rare.

[00:06:10] Ross Young: At the time, right? Most people, it was the heavy comp sci focus, not how do we build the leaders of tomorrow, the people who are going to oversee these things. And so it took a higher-level program, because it came from a college of business, and I found that niche was perfect for me because I always wanted to be in a leadership role. So I went there. I found something amazing called the Scholarship for Service. And so if you've never heard of it, you can go to sfs.opm.gov. And they're in about 200 universities now. And they paid all of my college and paid me $1,100 to go to school per month, which covered, you know, food, room and board and all those things. So I got a free master's program. And all I had to do was commit to working for the government for two years upon completion of my degree. Well, if you were [00:07:00] like me, you always wanted to go to NSA or CIA and do offensive hacking. So that was like, hey, they're going to pay for my college, and I get a college, get a Ford program after that. Makes perfect sense.

[00:07:12] Ross Young: So that's how I took my route to getting into cyber.

[00:07:15] Chris Sienko: Yeah, I was going to say, I feel like that's like finding out that, you know, I love chocolate and they're going to pay me to eat chocolate and also teach me how to make chocolate. And yeah, I mean, it sounds too enticing and definitely worth something.

[00:07:29] Chris Sienko: I hope people bookmarked the org you mentioned there. But, yeah, I want to talk to you a little bit about NSA, CIA. Obviously, I know there's a lot that you can't talk about, but, you know, you spent nearly 11 years in the CIA rising through the ranks, starting as an IT project manager until you moved up to division management.

[00:07:49] Chris Sienko: And so I want to not necessarily talk about war stories or behind-the-scenes things, but sort of how you moved through the organization like this. Can you tell us about the [00:08:00] evolution of your role at the CIA over these 11 years? Like what did each new title change bring in terms of experience or requirements?

[00:08:07] Chris Sienko: And how did you make that sequential move?

[00:08:10] Ross Young: Yeah. So CIA is very much like the military. You go into a role and every two to three years, you're basically expected to take a new role to kind of increase your capabilities and experiences. So I came in through the Directorate of Support, who is really the administration, the IT departments.

[00:08:32] Ross Young: And I was a project manager there. But really, I'd always had ambitions to do the offensive arm of CIA, which at that time led me to the Directorate of Science and Technology to do offensive technical. Back in the day, that's where the offensive cyber lived. Now, they've created a fifth directorate called the Directorate of Digital Innovation, which is where that lives.

[00:08:56] Ross Young: So, I went, did two, two and a half, [00:09:00] maybe three years in that first IT project manager role. And I began applying for other roles where I could do offensive cyber and really chase my ambitions, because it's one of these places you can't do it anywhere else in the world, right? So yes, you can do pen testing, but if you want that flavor, that's the special reason why you come and take the pay cut to work at a government agency.

[00:09:21] Chris Sienko: Yeah, no, absolutely. So that's interesting. So there is a pay cut element to it. You're doing it because you're getting the experience, not because it's, you know, quote unquote, a cushy job or whatever.

[00:09:35] Ross Young: Yeah, and I did that role for five years on the offensive side. Then afterwards, you know, I found I needed to up-level my skills. We had this thing which was, hey, we got you trained and you're an expert in one area, right? Which was offensive cyber. But now I needed to do other things. So I ended up going into this other place. And really got to do a lot of cloud security. So I got to do AWS [00:10:00] security back in, think of 2014. So in the early days of AWS security, really rising through the ranks. And that was so helpful for my career because I learned a lot and I got into data science, I got into ETL, so all of the data engineering extract, transform, load type stuff.

[00:10:17] Ross Young: And then later on, that gave me the opportunity to actually run the DevOps team. So now I got to learn a lot of really cool technologies, learn cloud, learn DevOps tools, learn offensive cyber, and really be on that forefront of DevSecOps, of putting security into the developer pipelines. Then I got to a point where, you know, I needed a little bit more money. So I decided to go over to the commercial sector and then went to Capital One.

[00:10:47] Chris Sienko: Okay. Yeah. Sorry, we'll get to the Capital One and the later period, but I had just a couple more questions regarding this, because again, I think it's easy to imagine that, [00:11:00] you know, promotions like this are sort of, you know, you're there long enough, or you have certain experience.

[00:11:10] Chris Sienko: And then they say, hey, it's time for you to become this now. But it sounds like you really put a lot of hustle into making sure that you were making these moves yourself, that you could very well have just been in IT project management for a long time, had you not been looking for other opportunities.

[00:11:26] Chris Sienko: So I guess, which came first? Were you learning sort of cloud stuff in advance of this cloud opportunity, or did that allow you to sort of learn in the moment? What were you doing at each point when you were about to make one of these big transitions, in terms of learning or prepping or sort of showing your aptitude for, you know, your next boss, I guess?

[00:11:50] Ross Young: So there's a couple of things. Sometimes it's who you know. Sometimes it's just doing the grunt work and applying, right? So what I usually did is I spent a [00:12:00] lot of time reading all the internal org charts, reading all the internal wikis to find the coolest places of where I wanted to work. And then afterwards, it was going and talking to people who were in those roles, talking to the managers, so that the next time they had a vacancy, they would think of me.

[00:12:15] Ross Young: Right? And so I did a lot of informal networking to make those things happen. Then the way you get promoted is by the impact you make. Right? So if you're in a targeting role, you need to find people of interest. If you're in an operations role, you need to conduct successful operations. And so that's the things, the impacts that you make, that lead to those.

[00:12:37] Ross Young: And the way you get promoted from a 12 to a 13 is you're already demonstrating you're in 13- and 14-level conversations, 14-level meetings. If everyone you meet with is a 15 and you're a 13, chances are you're going to get a chance to move up in these GS pay grades and levels.

[00:12:55] Chris Sienko: That's as good a summary of this as I've ever heard. We're definitely clipping that to [00:13:00] make sure people absolutely memorize that advice, because that is superb advice in terms of, I think, probably any kind of job, whether, you know, military, government, or outside of it. So, I want to move to your current title.

[00:13:15] Chris Sienko: You are CISO in residence for a company called Team8. And before this, you were also Chief Information Security Officer for Cat Financial. And before that, Divisional CISO for Capital One. So, how does the role of CISO in residence differ from a standard CISO? Are your responsibilities different, or is it a different role in some way?

[00:13:34] Ross Young: Yeah, completely different. So the CISO role I had at Cat Financial, very much a traditional CISO role. You know, I oversaw third-party risk assessments. I did vulnerability management, everything that you think a normal CISO does. I did that. And then I took a role at a venture capital company. So think of we are at the forefront of innovation.

[00:13:54] Ross Young: We are investing in companies from the startup, [00:14:00] like two people, we find the two people who are going to found the company. And what my role is really the following: one, I meet with hundreds of CISOs and I build large CISO networks, we call them villages. And then I do a lot of thought leadership, providing, you know, webinars, content, position papers, all these things and conferences to help CISOs do better in their role.

[00:14:22] Ross Young: We talk to the CISOs. We say, "Hey, what are the problems you're having?" And then after talking to a hundred CISOs, we figure out these are the trends that they all have.

[00:14:30] Ross Young: They, you know, maybe AI security sucks, or there's not a good GRC tool that meets their needs. And then I go to the RSAs and the Black Hat conferences to see what's the latest, greatest emerging tech from the industry. And I look where the gaps are, and then we found those companies. So my role right now is about understanding the needs of the CISO and understanding the capabilities of the market, finding the gaps so that we build those companies from a portfolio, venture capital point of view. [00:15:00] Yeah,

[00:15:02] Chris Sienko: like you're sort of imparting the knowledge sort of from the background. And it also sounds like you're a CISO that's managing multiple other CISOs, is that right?

[00:15:12] Ross Young: yeah, I'm a CISO influencer, if you will, or a CISO leader in some ways where

[00:15:17] Chris Sienko: Yes.

[00:15:18] Ross Young: help CISOs in the industry and take that feedback so we can build products that address their needs.

[00:15:25] Chris Sienko: Okay. And so how does that relate to like what Team8 does? Are these other CISOs, are these Team8's clients? Is that right?

[00:15:33] Ross Young: Yeah, so we do a few things. Team8, at its heart, is a venture capital company. We

[00:15:39] Chris Sienko: Okay.

[00:15:40] Ross Young: invest in startups, and when those, you know, sell or are merged and acquired by large companies like Palo or Wiz, we make money off of that. Right. And what we do, which is our not-so-secret sauce. That's what I said.

[00:15:54] Ross Young: It's a very well-known, proven model, is we build the best CISO networks. So we talk [00:16:00] to hundreds of CISOs to get their feedback. We find design partners who want to pioneer our technology to help with their needs. And we make that really, really successful, successful for the CISOs, successful for the startups, and then everybody wins. And CISOs like this because, you know, they have these old technologies and they're looking for better mousetraps to solve their problems.

[00:16:23] Ross Young: And if you know, there's a new emerging thing that can do that, that can be a huge time saver resource saver for them.

[00:16:30] Chris Sienko: Yeah, that's a valuable job. And again, as you know, a podcast that a lot of people listen to just to sort of window shop their future careers, I think people will be interested to hear that there is, not something above CISO, but something beside CISO.

[00:16:46] Chris Sienko: Let's put it plain there. And I think that's a really interesting variant on a thing that you would want to work toward.

[00:16:52] Ross Young: Yeah, it's a lot of fun. You know, one of the things I didn't realize when I was a CISO is how much time I would spend my [00:17:00] time not doing what I thought was CISO-relevant work. Like you will spend a lot of time in procurement meetings, even though you have the money. You can buy the tool. You have to spend a year going through a procurement process.

[00:17:12] Ross Young: That's a painful thing because the lawyers don't like the language of the contract and they have to negotiate terms, right? Things like that, that just take a lot of time. You know, you're in HR meetings and doing promotion planning and all these things that you don't think of as cyber, but it's absolutely essential if you are running a program, having a lot of people report to you, right?

[00:17:36] Ross Young: So things I traded for meetings with CISOs, meetings with technology startups and vendors to be on the forefront of innovation. So it's a little bit more like a traditional CTO role than a true CISO role, but I think you're going to see this change. People thought the CISO role is one way, and when you have that role, sometimes [00:18:00] you love it, sometimes you want other things, and depending on what your preferences are, that determines if you're going to stay in the role or not.

[00:18:08] Chris Sienko: Okay. Can you talk a little more? You basically said that your role now is speaking to CISOs and taking meetings with CISOs and sort of going to conferences and learning about this. Can you sort of talk about like an average week, and sort of what you're not or what you are doing instead of procurement meetings and so forth?

[00:18:27] Chris Sienko: Like what does the CISO in residence's average week look like?

[00:18:30] Ross Young: Yeah, so imagine I'm going to be meeting with a lot of folks. Let's just start with the beginning. I'm going to start with meeting with lots of folks that I find on LinkedIn, CISOs of large and medium-sized companies who are likely to buy products. So I send them meeting invites, and some of those people are going to come back saying, "Hey, I'd love to, you know, learn more about your company." Then after that I spend, you know, 10, 20 hours of my week meeting with new CISOs I've never met before. And I'm also going to meet with CISOs who are already in the village, you know, [00:19:00] on a quarterly basis, just to see, hey, have their needs changed? That way, if I talk to a CISO, I get to say, okay, here's this problem.

[00:19:08] Ross Young: Is this just John's problem, or is this a problem across the industry? Because 50 other CISOs have said, "I have the same problem as John." And now when I do that, and I've, you know, done that 20 hours, the other thing I'm also doing is meeting with hundreds of new startups. Every startup wants feedback on the product, what they're building, to figure out, is this going to be a good market fit? And so they talk to CISOs, and because my title is CISO in residence, it looks really close to a CISO. So oftentimes they think they can sell to me, by mistake, which,

[00:19:41] Chris Sienko: Right.

[00:19:41] Ross Young: I don't buy products, you know, I build companies, right? And so I meet with hundreds of companies and I figure out where this space is evolving, right?

[00:19:51] Ross Young: So take a topic like AI security. Is this data loss prevention and AI security? Is this, hey, we're going to pen test our AI [00:20:00] solutions? Is this AI governance? And I meet with, you know, five different companies in each of those little nuanced areas. And now I become a little bit smarter on AI security opportunities, and then if we say everybody really wants this AI pen testing platform, I can say, hey, there's already five companies in this space and it's too crowded, or nobody's in this space.

[00:20:22] Ross Young: This is actually really interesting. So that's what I do. I meet with a ton of companies to learn what's coming out of the emerging startups, and meet with a ton of CISOs to figure out where their pain points are not being addressed.

[00:20:34] Chris Sienko: Interesting. Yeah. So there's a lot more, and I think you sort of said this already, but just to clarify, like there's a lot more element of sort of being a startup person or a sort of venture capitalist person, or like you're really doing the tech with the intention of putting new companies into the ecosystem, right?

[00:20:54] Ross Young: Yeah, and one of the biggest pieces is startups are really good at building tech, but [00:21:00] they haven't done all the other things that you have to do to be successful. So take an example of you have the world's smartest pen tester. They may absolutely know how to build pen testing tools, and great. We need more of those things, especially if it's better than what we already have.

[00:21:14] Ross Young: So they go and they build this company that builds the best pen testing automated software that uses LLMs, AI, and all the other buzzwords. These people have probably never spent time in a marketing role, which means they have no idea how to build a go-to-market strategy of how are we going to talk to hundreds of CISOs? Are we going to just set up a booth at Black Hat and RSA and pray everybody walks through like trick-or-treaters to find us? Or are they going on podcasts? Are they going to do dinners? Are they going to do webinars and podcasts? Like, what does that strategy look like to get in front of more CISOs so they get paid?

[00:21:51] Ross Young: More sales opportunities that end in revenue for their company. And so part of it is helping companies to understand how to get in front of [00:22:00] CISOs, because I was a CISO. I know where I find my vendors, and using that information to help companies be successful.

[00:22:09] Chris Sienko: Excellent. Excellent summary. Thank you very much for that. So, moving on to our main topic today, we're going to be talking to Ross because, as we probably are going to with many guests in 2025, if we're being honest, we're going to be talking about the influence of artificial intelligence technology on the cybersecurity landscape.

[00:22:25] Chris Sienko: And now Ross has a lot of experience speaking about current topics around AI's usage and security, everything from practical to ethical to economical. So, jumping in, Ross, I want to start by asking you to kind of summarize the past couple years in terms of the way you've seen AI-related technologies aggressively splash into the cybersecurity space.

[00:22:43] Chris Sienko: Because as past guests have noted, AI as a notion has popped up about every five, seven years as a possible next thing for a bunch of years there, but it usually kind of receded into some other tech becoming dominant. So was there anything about this particular explosion that surprised [00:23:00] you, or did you see this coming?

[00:23:02] Chris Sienko: The way it sort of shook out?

[00:23:04] Ross Young: So, I think that we have to pull back the terminology of AI to be very specific. We've had artificial intelligence and machine learning for well over 20 years, right? It may not have been publicized and well known, but absolutely, people were using machine learning algorithms and AI algorithms to automate things for years. What's really new is generative AI, the ability of using vector machines and databases to be able to identify things that we didn't know. And the classic example of this is ChatGPT or Claude, where I can ask a question, and it's a much better search than traditional Google search. So when we hear AI, I would really say what we're looking at is generative AI, because it challenges a lot of the things we didn't have to have before. So, for example, if generative AI makes [00:24:00] up new things, who owns the copyright for that? That's things that when people wrote our Constitution and, you know, they had no clue about computers, about machines being able to make up things, and the laws are just not there yet.

[00:24:18] Ross Young: So it's very challenging from a legal perspective. And that's where a lot of the risk and other things starts to arise.

[00:24:25] Chris Sienko: Yeah. Now, one of the topics we discussed, and I think this relates to that, is that, as you put it, solving one problem often leads to another. And you noted that AI's ability to do massive data analysis and other repetitive tasks, you know, can help to strengthen defense postures, but that the AI itself can also be the target.

[00:24:47] Chris Sienko: So can you talk more about this idea of AI having a hand in both providing additional defense while also being sort of a vulnerable point in the system? Can you clarify that for me a little bit?

[00:24:55] Ross Young: Yeah. So I think there's going to be trends of things we know we need to look at. [00:25:00] Take phishing. It's been around forever. It's not going anywhere. We're always going to target people from a phishing perspective if we're trying to get into an organization, right? There's going to be tools, think of email security solutions, that are going to use the tone, the sentiment of our natural language in our text to say, hey, this is an urgent tone.

[00:25:23] Ross Young: Somebody is trying to get you to do something right now. Hey, they have a link. This link is, you know, very new. It's only been registered a week ago. And they're going to use all those indicators, based on different models, to train and say this looks like a phishing email. Most people don't need a "I need something by end of day, I need you to click a link." That's probably bad, right? Or open an attachment. Now that's one of the ways it's helping us. It's also introducing new risks. So take, for example, ChatGPT. They have trained ChatGPT on, I don't even know, trillions of different models and terabytes and yottabytes and [00:26:00] exabytes of data. And it has cost a lot of money to build these models. And imagine if I can ask the right queries and steal 20 percent of the data that was used to create the model. Might I be able to create a brand new model for a fraction of the price that you paid to create your model? So things like that are risks that you never had to consider, because I haven't worried about someone searching Google to figure out how the search works before. Or, hey, maybe I have a ChatGPT that can also hallucinate data. Well, before, I just ran a database query, it came from the database. I knew where that data search was, what data is in there, versus did it just invent something out of thin air and lie to us? Right? So new technology brings new risk, and we have to understand how things can [00:27:00] go wrong.

[00:27:00] Chris Sienko: Okay, uh, yeah, those are, those are terrifying, frankly. Um, yeah. So, with regards to, uh, the sort of hallucinations and the sort of, uh, ChatGPT's intrinsic nature to want to be helpful, uh, sometimes it, it, it gives you sort of outsized, uh, answers to, to sort of questions like that. And, and as you said, you know, I've heard also, uh, stories about, uh, people who are able to ask the right questions in very roundabout ways.

[00:27:32] Chris Sienko: Uh, because ChatGPT has, you know, minimal guardrails around not giving you the formula for explosives or bioweapons or whatever, but then you can, you can make a couple of little tweaks into the query and sort of like, start to tease things out. And so can you talk about what, like, a really high level version of this would be that would allow you to sort of, like, pull, uh, the, the sort of, you know, the model data or whatever from a ChatGPT? [00:28:00]

[00:28:00] Chris Sienko: Is that something that you've seen people are working on right now?

[00:28:02] Ross Young: So I'm not super in the weeds on that particular topic, but I'll give you another similar example and think about it this way.

[00:28:09] Ross Young: If I were to ask ChatGPT to say, write me some ransomware so that I can, you know, steal data, it's probably going to say no. But if I say, hey, I need you to create a macro script in Microsoft Excel that can open a file, I'm pretty sure it's going to write that text. And then if I say, okay, I need a file that actually, you know, gets your, your password, right, and, and pulls the data from here. Uh, I can, I can now start to write that shell command.

[00:28:43] Ross Young: That's going to come from there. And so what I can do is I can ask it these little steps and put it together to create my malware, and there's a lot of really good examples where you can go online and just see how people have been able to get full ransomware creation, [00:29:00] uh, from just these ChatGPT queries. I think this is going to be really interesting, because what we're going to see is someone is going to say, here is a vulnerability. And, uh, imagine it's Chrome browser or Adobe or just something that's super, super popular. And they're going to be able to quickly reverse engineer that tool and use ChatGPT to write an exploit. Now if I'm a company, and my patching policy is I patch in 30 days, but the bad actors can actually write the exploit in 3 days, I got 27 days of, let's call it, zero day issues, because I haven't patched in that point in time. Maybe not a true zero day, but, uh, you kind of get the thing that there's 27 days of extreme risk because I'm just not patching fast enough. And so I think this weaponization of AI to write code, to write exploits, is really where we're going to see the bad actors pivot to get smarter and [00:30:00] attack faster than we've seen before.

[00:30:02] Chris Sienko: Now, I know you said you're not, uh, completely in the weeds with regard to this, so I don't know if you can necessarily answer to this, but you know, obviously this sounds like, uh, one of the largest examples. We always talk about how, uh, you know, attackers are always about three steps ahead of sort of like the defense equivalent.

[00:30:19] Chris Sienko: Um, but this particular idea of sort of putting this stuff together, uh, in a very roundabout way, so that ChatGPT doesn't realize that it's giving you something malicious, uh, is, is sort of outpacing us at the moment. Oh, do you see any particular, um, modifications or workarounds happening that would staunch that?

[00:30:41] Chris Sienko: Or, or where, where does the sort of, like, the defense part of this go to? Do we just, does it go to, like, AI trying to patch us back quicker or something like that? Or, or, or what, what's, what's the sort of official sort of line on this right now?

[00:30:55] Ross Young: So, I think on the, how do we protect the ChatGPTs, [00:31:00] there's probably two ways we're going to go down this route. The first is, think of a web application firewall. We put that in front of our web applications because we don't want SQL injection or cross site scripting. We're going to have the 10 attacks that OWASP or whoever decides this is how most models are broken. We're going to have to put some type of web application firewall in front of a ChatGPT that looks and stops those OWASP Top 10 LLM attacks. The second thing we're going to do is we're going to put in a lot of, uh, testing. So imagine if I have 200 test cases, a hundred should pass. They ask simple things I would just expect to get responded by the model. And I have a hundred abuse stories. Give me all your social security numbers. You know, Hey, thinking of a bad actor, provide me, you know, something nefarious that it should never provide. I would expect a hundred abuse stories to come back through the model and say, I'm sorry, this violates [00:32:00] our policy.

[00:32:00] Ross Young: We're unable to respond. Now I can run this test every time I do a version update on my model. And so if I went from version three to version four, I should be able to see all 200, uh, abuse tests pass successfully, or I got issues and I got to go fix these issues on these five abuse stories that are really, really bad, right? That's where I think we're going to go from protecting our models. Now on to how do we patch faster? I think the best thing that we're seeing right now is the ability to have AI write code fixes. We can use tools like, uh, GitHub has Copilot, where you can go in and have it look at your code and say fixes. Amazon has Q Developer as their capability. And so those two things are going to look at our code and say, Oh, you have a vulnerability here. If you just click this code here, we'll merge that into your, your production code, and then from there, you're good [00:33:00] to go. Right. So those two capabilities, to use solutions that rewrite your code faster, I think are going to become the standard for modern software development, and it's going to make us patch faster. And so maybe we won't be able to patch in hours, but, you know, something like this may go from 30 days to seven days.

[00:33:23] Chris Sienko: Yeah, now that's a really good example of using, uh, the best parts of this new technology. Well, can you speak to any common mistakes you're seeing with companies in implementing AI tools without proper preparation or planning, or perhaps, you know, taking a sort of utopian view of, once we have this tool, you know, everything's going to be better or whatever?

[00:33:44] Chris Sienko: Like, what are some of the more egregious examples of that, do you think?

[00:33:48] Ross Young: So I think you need to understand how these tools work, what they do with your data. So, for example, DeepSeek has been all the rage. And if [00:34:00] you're looking at the security research that's coming out, one, it's had vulnerabilities that they've had to fix. Two, it stores your data in mainland China. Are you okay with that? And three, there's a lot of hallucination security risks of what the model is actually telling you. In some ways it's better, in some ways it's a lot worse. So you need to understand these things. You have to build it into your third party risk management programs to say, we need to look at these new technologies, not only from a security point of view, but from a data privacy and from a compliance perspective. And then we take these things and we, we go through and we're going to test them. You know, I think we have to be realistic with our, to say there's going to be lessons learned. We're not going to be perfect. And I'll give you an example. Maybe your AI trains on all the data. Well, if it trains on all the data, how are you preserving your role based access control? Or does someone who queries this, this, this [00:35:00] thing get access to all the data, far superior to their limited role within the company today, right? Those little things are things you're not always going to know up front, right? But you're going to be like, holy crap, I can't believe I can now see these files.

[00:35:14] Ross Young: I shouldn't see. We got to figure out a way to scale this back so that it doesn't become one person gets phished in the company and they can get access to our crown jewels.

[00:35:26] Chris Sienko: Yeah, I feel like you've just, uh, explained what a CISO in residence is supposed to be doing here. I mean, you know, I'm hearing a role in my head at these companies of someone who maybe is not in the full CISO role, but maybe further down who is able to explain something like that to a board that is getting ready to, uh, you know, try one of these new GIGAs that they think is really gonna change everything, and if you can be the person who can be the voice of reason and say, like, Oh, CISO.

[00:35:55] Chris Sienko: Have you thought of this? Have you thought of this? And let's not implement it that way. And so forth. I think that's always [00:36:00] going to be a sort of value to a company.

[00:36:01] Ross Young: Yeah, it's like basic threat modeling, right? You know, here's some desired states. We want to make sure that only approved users get access that they're already approved for. How do we test against it? Well, people who don't have access shouldn't be able to get in. People who have access should only see these types of data sets.

[00:36:21] Ross Young: So those are the things you're going to have to look through, you're going to have to test, and you're going to find some things, like a pen test report. And with any pen test, it's only as good as the tester, right? So some companies are going to find really good things, and that's why you're going to change companies to get different perspectives. And as you do this, you'll make smarter decisions and better educated risks. It won't be perfect up front, but is it good enough that you can still make money while preventing material loss?

[00:36:53] Chris Sienko: Yeah. Yeah. Now, uh, that's a, yeah, a great point and worth, uh, keeping in mind here. Now I want to [00:37:00] talk, uh, one more sort of speculative thing before we get into the nuts and bolts of, of, uh, job roles and so forth, but you mentioned previously a report from IBM in 2024 that noted that organizations using AI automation

[00:37:13] Chris Sienko: save an average of 2.2 million on breach protection, which you suggested could, quote, reshape investment priorities and downscale the possible need for security insurance. So can you talk more about this? Like, what do you see? Uh, organizations reallocating this money to further strengthen security? Because, you know, I think that was the, the, the story for a couple of years there, is that a lot of C-suites got into the mindset of it's not if, but when you get breached, and taking that in kind of a, uh, almost a nihilist or defeatist point of view of, like, well, if we're going to get breached anyway, let's just throw all our money into cyber insurance and, you know, let the chips fall where they may. But if AI automation reduces breaches, okay,

[00:37:52] Chris Sienko: in this way, it reduces losses by containing breaches. Uh, will this, you think, reshape the way security priorities are thought about from the [00:38:00] budget line?

[00:38:01] Ross Young: I think AI is drastically going to change security. And I'll give you a couple examples. Agentic AI is kind of the hot new buzzword of the day. If you never heard of it, just think of it this way. Tools like If This Then That and Zapier that have triggers. If these things happen, then make these things happen.

[00:38:23] Ross Young: Right? And so, it's pretty cool. When we start to add automation and LLM capabilities, that's where the magic happens. So think of it this way. I might have had an incident response team who would have to respond to every incident. Right? They would have to look at, Oh, I got this log that, you know, CrowdStrike says is nefarious. Well, people work in people time. Right? They're not instantaneous, which means we take lunch breaks, we take coffee breaks, we have weekends, and not only that, but I can have 10,000 alerts per one person. [00:39:00] I'm sorry, that one person is probably only going to look through 100 alerts in a day. So there's a lot of alerts we're not looking at. Now, if I can start to automate what that person does, and you can think of tools like SOAR, right, the security orchestration, automation and response that do this. And now I add some AI capabilities where I'm automating even further and learning a little bit smarter. Now, this one person who could only look through 100 alerts per day, maybe now they can automate their things so they can actually, you know, do 7,000 alerts per day. And now we're much better at actually responding to those 10,000 risks than we were previously when we only had 100. So that is going to be huge, huge, huge in our industry, of how do I make things faster. And it's not just incident response, it's third party risk assessments. Hey, I don't actually need humans to look at, uh, all the documentation [00:40:00] anymore.

[00:40:00] Ross Young: I can have a machine read everything that was submitted in these Word docs and PDFs and then automate those things, and everything where we look at these manual processes that took humans a long time, 40 hours to do, you know, a security code review, uh, five hours here to do a network diagram review as part of security architecture, all of these things, we're going to see machines being able to do it faster,

[00:40:30] Ross Young: more consistent and scalable. And so I think this is going to be a huge opportunity for reducing the labor costs from humans so that we can scale at a, at a place we've never done before.

[00:40:44] Chris Sienko: So, uh, can you sort of extend that into the future here? Because you're, you're, you're definitely looking at, uh, uh, considerably restructured, uh, security org in, in most, in most, uh, companies here. What do you think, uh, the influence of [00:41:00] AI tools and models and, and generative AI and stuff will change, uh, the sort of day to day work of cybersecurity professionals, say in 2030? What's, what's, what does security look like, you know, five years down the road, 10 years down the road?

[00:41:13] Ross Young: So I think security is going to look a lot more like developers. And I'll just give you a couple examples. Today, a security architect has to look at a network diagram and says, Oh, this line shouldn't be here. And that takes humans. I think tomorrow is the security developer, or the security architect is writing the security policies that are going to be tested. And so, if you just think about how DevOps transforms software development. If I was an admin, I had to log in to 200 machines and update these scripts manually and through an SSH. That took a lot of time. So what did I do? I started getting into Chef or Puppet or Ansible and I would write a little configuration [00:42:00] script that says do this thing and I would apply it to these 200 machines.

[00:42:04] Ross Young: And now I don't have to log in to 200 machines. I hit play on my cookbook or Ansible script and it does it for me. I think we're going to see the same thing in cyber. We're no longer going to do manual activities. We're going to be the ones writing these automation playbooks. And from that, then the AI is going to work its magic and we're going to look at the dashboards to figure out where things are falling through the cracks or having issues, right? So if I have AI writing my code. Perfect. And if I have my code already having, here's the five tests to make sure it's good before it goes into production. Amazing. Now I can hit play and almost auto update. And by default, that's going to fix software faster than ever by auto updating. And if I have a test script that says, Hey, if it doesn't work, break the auto update. Well, by default, I can learn as quick as [00:43:00] possible, and I think that's going to be cheaper, faster, better going forward. So it's really about, does everybody start to become automation experts that understand these technologies and how to apply them, so that we become faster as an organization?

[00:43:17] Chris Sienko: Okay. Well, uh, I want to build on that and get your advice both for veteran security professionals who are currently working and also for students and entrants to the industry. Now, this is going to be a pretty huge change. What types of projects or learning or skills should they be engaging in right now to sort of keep up with the pandemic?

[00:43:41] Chris Sienko: This particular pace and change, like, if you were to give someone advice who is just getting out of school, getting into security, what should they be really sort of putting all their chips on? And if you're still in the industry and you don't want to be, uh, one of the, uh, the labor that's being, uh, downsized and so forth.

[00:43:58] Chris Sienko: What do you, how do you sort of [00:44:00] keep yourself in this, this space, through, from a knowledge and skill perspective?

[00:44:04] Ross Young: So I think that's it. If you're going to look at this information, some of the best technical content is going to come out from certifications. I think you wouldn't go wrong by choosing the big players, Amazon and Microsoft. So they're going to have certifications, AWS Solutions Architect, for example. And in that, it's going to give you a good overview of all of their technologies. They're also going to have a DevOps Professional one where you're going to get a good view of these things. I think we're going to see more and more certifications in the AI expert, uh, from these providers. It may already be there, so I apologize if I haven't seen the latest standard and it already exists. But I would start there. Look at those cloud providers, because they're going to have the latest technologies and they're going to train people on those technologies. The next thing I would say is you need to understand what's changing, and [00:45:00] you understand what's changing when you stay up to date on current events.

[00:45:04] Ross Young: For me, that's likely in LinkedIn. Are you watching what the communities are saying? The way I do that is I go to LinkedIn and I subscribe to people who are interesting, who are thought leaders in the industry, and then I also go to newsletters. So there's newsletters like The New Stack where they're always teaching about how new technologies look like and what they look like.

[00:45:25] Ross Young: Is it Kubernetes? Is it serverless? Is it AI, whatever? Read those newsletters. They're all free to sign up for, and you just get them in your inbox. And you're going to look through and be like, Oh, here's the five new GitHub projects that just got stood up that do this thing. Interesting. Hate these four, but this fifth one is really cool.

[00:45:44] Ross Young: Let me go read it and learn about it. And as you learn from the newsletters, as you stay up to date on the current technologies from LinkedIn, as you go to conferences, then you get smarter. And I think that is the key. Like in cyber,

[00:45:58] Ross Young: you have to [00:46:00] always be learning, because if you think the skills you used to gain your CISSP five years ago are still relevant in today's date, you're, you're fooling yourself.

[00:46:12] Chris Sienko: a great place to wrap up. So before we go and I let you go, Ross, I want to ask you what I ask all of our guests. What's the best piece of career advice you ever received, whether from a peer or a boss or your family or anything?

[00:46:28] Ross Young: You know, what I would say is I didn't realize how much I had to learn, uh, and a lot of times I look to leaders to teach me, and some of them were helpful and a lot of them weren't. But what I didn't realize is how much I had to learn. So if you want to get smart, don't just look for the people who are in your physical proximity. Look for people online. [00:47:00] If you wanna learn from Donald Trump or Elon Musk, go read their books. It's like having them virtually mentor you. It doesn't just have to be those people. It can be any person that you want to learn from. So find the people who are really smart in cloud security, and you're gonna read their books from O'Reilly and Wiley and all these major publishers, and you get smarter. The longer I've been around, the more I realize if I spend 80 percent of my time thinking about how best to solve the problem versus going straight in, I build a much smarter solution, and there's things I'm never going to be an expert on, and that is okay. Do I have a friend who is the expert that I can call for a consult? So build the networks and build your own industry knowledge and realize that most of it's going to be virtual these days. And then I think you're going to be a much smarter CISO or much smarter cyber [00:48:00] professional than you, than you were a year ago.

[00:48:02] Chris Sienko: Yeah, I think that that's a very, um, all world version of, like you said, if you're a level 13 in the company, be hanging around the level 15s and sort of learning from, like, one, one level above you. Because, yeah, you said there's always someone that you know that knows more than you on all these things. So yeah, absolutely.

[00:48:21] Chris Sienko: Keep, keep learning and, and keep being around people that maybe intimidate you a little bit with their knowledge, but, uh, uh, it's, it, it can only help. So, um, as we wrap up today, uh, we talked about Team8 a bit at the beginning, but if you wanna tell our listeners more about what Team8 does, uh, here's your chance to do so.

[00:48:38] Ross Young: Yeah, so Team8 is a, it's a fantastic place. We are the latest, greatest in cyber technology, and we're building a lot of cool things. So if you want to learn, please reach out to me, especially if you're a CISO. We have a village for CISOs to help, you know, CISOs at medium and large scale companies, uh, and get involved with our, our [00:49:00] technologies.

[00:49:00] Ross Young: I think it's, it's really interesting. I did not realize that if you were to look at the top 18 technologies that got merged and acquired in cyber in the last year, 14 of those had an Israeli tie. Israel is really where cyber technology is being built. And if you look into it and you learn from it, I think you're going to be a little bit closer to the cutting edge of cyber technology.

[00:49:27] Chris Sienko: Now, if people wanna know more about Team8 or, or, or you, Ross, for that matter, where should they look online? I know Team8 is spelled with a numeral eight. How do you, what's, what's the website? Where should it, where should they go?

[00:49:39] Ross Young: Yeah, our website is T-E-A-M, the number eight, dot V-C, as in venture capital, right? So if you

[00:49:46] Chris Sienko: Got it.

[00:49:47] Ross Young: dot V-C, you'll see our website, or you can just reach out to me on LinkedIn, Ross Young. I'm happy to help.

[00:49:54] Chris Sienko: Great. Well, thank you so much for your time and insights today, Ross. This was a lot of fun. I really enjoyed it.

[00:49:58] Ross Young: No problem. [00:50:00] It's been a pleasure. And, uh, thanks again to our listeners. Wish you the best in your cybersecurity career. And if you want to learn more about how to become a CISO, check out the CISO Tradecraft Podcast. It's something I started a few years ago,

[00:50:12] Chris Sienko: Thanks.

[00:50:13] Ross Young: got a lot of good content to help people on their way.

[00:50:16] Chris Sienko: Absolutely, we'll include that in the description as well. Then I really appreciate that. So before we go, thank you to everyone who watches, listens and writes into this podcast with feedback. If you have any topics you'd like us to cover or guests you'd like to see on the show, drop them in the comments below. Before we go, don't forget to go to infosecinstitute.com/free, where you can get a whole bunch of exclusive stuff for Cyber Work listeners, including info on our new career immersives, which will take you from complete beginner to job ready in six months' time via a combination of live instruction, hands-on practice and personalized career coaching that can fit any schedule. You can also look at our free cybersecurity talent development playbook, where you'll find in-depth training plans and strategies for the 12 most common security roles, including SOC analyst, pen tester, cloud security engineer, [00:51:00] information risk analyst, privacy manager, secure coder, ICS professional, and more.

[00:51:04] Chris Sienko: One more time, that's infosecinstitute.com/free. And yes, the link is in the description. One last time, thank you so much to Ross Young and to Team8, and thank you for watching and listening. Until next time, this is Chris Sienko signing off, saying keep listening, keep learning, and don't forget to have a little fun while you're doing it.

[00:51:21] Chris Sienko: Bye for now.

[00:51:22] Ross Young: Bye.
