Sell Me This Podcast

Balancing Risk & Innovation with Alex Dow

Keith Daser Season 1 Episode 3

Curious about the mind behind Mirai Security's innovative strategies? In this episode, Alex Dow, our distinguished guest, takes you on a fascinating journey from his teenage years inspired by the film "Hackers" to his influential role as Chief Innovation Officer. Alex shares his compelling story, including his pivotal experiences with Bell Canada and his contributions to the Olympics' security operations. You'll gain insights into how his dynamic approach shapes Mirai Security's vision and the industry's transition from network to data-centric strategies, especially in cloud environments.

We promise you'll walk away with a fresh perspective on modern cybersecurity practices. Alex discusses the nuances of simplifying IT infrastructures and the significance of integrating cloud solutions for enhanced security and resilience. He critiques the prevalent market trend of indiscriminately acquiring multiple cybersecurity tools, emphasizing a more balanced approach that starts with understanding core problems. The conversation extends to the role of AI in cybersecurity, challenging the status quo, and addressing the skills gap in hiring.

Looking towards the future, Alex offers practical advice on building robust cybersecurity frameworks. From addressing the emerging challenges posed by AI and quantum computing to leveraging employee awareness as a human firewall, this episode is packed with forward-thinking insights. You'll also learn how to connect with Alex through his professional and creative pursuits, offering opportunities to engage with one of the industry's leading innovators. Join us for this enlightening discussion as we navigate the balance between innovation and risk in today's rapidly evolving cybersecurity landscape.

Find Alex at:
https://www.linkedin.com/in/alexjdow/
https://miraisecurity.com


_____________________________________________________________________________________________


Sell Me This Podcast is brought to you by the team at Deliver Digital, a Calgary-based consulting organization that guides progressive companies through the selection, implementation, and governance of key technology partnerships. Their work is transforming the technology solution and software provider landscape by helping organizations reduce costs and duplication, enhance vendor alignment, and establish sustainable operating models that empower digital progress.

If you believe you deserve more from your technology partnerships – connect with the team at:
www.deliverdigital.ca

This episode of Sell Me This Podcast was expertly edited, filmed, and produced by Laila Hobbs and Bretten Roissl of Social Launch Labs, who deliver top-tier storytelling and technical excellence. A special thanks to the entire team for their dedication to crafting compelling content that engages, connects, and inspires.

Find the team at Social Launch Labs at:
www.sociallaunchlabs.com

Speaker 1:

Very good question. Let's make sure that we are aware of those decisions. We do need to recognize that if we're going to let computers make some decisions, the first impact with AI is it increases the valuation of startups.

Speaker 2:

Welcome again to another episode of Sell Me this Podcast.

Speaker 2:

Today we have another episode exploring one of the most critical and evolving fields in business today: cybersecurity.

Speaker 2:

I'm thrilled to welcome Alex Dow, the Chief Innovation Officer at Mirai Security.

Speaker 2:

Mirai is dedicated to helping organizations protect their digital assets with cutting-edge proactive security solutions. Alex not only brings a wealth of expertise, also leads innovation at Mirai, driving forward new ways to stay ahead of evolving threats. Without too much more buildup, I'd like to officially welcome Alex. Welcome again to another episode of Sell Me This Podcast. Today we have another episode exploring one of the most critical and evolving fields in business today: cybersecurity. In a world where digital threats seem to be growing day by day, cybersecurity isn't just a necessity. It's a strategy for survival and to help us navigate this complex landscape.

Speaker 2:

I am thrilled to welcome Alex Dow, the Chief Innovation Officer of Mirai Security. Mirai is dedicated to helping organizations protect their digital assets with cutting-edge proactive security solutions. Alex not only brings a wealth of expertise in cybersecurity, but also leads innovation in Mirai, driving forward new ways to stay ahead of evolving threats. This different perspective will hopefully help you make noise of all the choices in security, understand what to prioritize and how to make the most of the investments that you make in securing your business. Without too much buildup, I'd like to officially welcome Alex. Thank you, Keith, for having me. Awesome. Thank you so much for being with us today, Alex. I'm going to jump right into things, and can you tell us a tiny bit about your journey and how you arrived in the wonderful world of cybersecurity and what led you to becoming the chief innovation officer at Mirai Security?

Speaker 1:

Yeah, thank you. In 1996, the movie Hackers came out.

Speaker 1:

And as a teenager, that could turn on the sprinkler system of a school and impress a young Angelina Jolie, sign me up to hacking. So I got on the internet around 1996 as well, and as a kid didn't have a lot of access to credit cards, had to figure out how to access the internet my own way, went to school for it. Really just got involved in cybersecurity at an early age. Joined Bell Canada to work in their security operations center, moved out west to build out a security operations center for the Olympics and then got into consulting, and that really is where I really hit my passion of exploring solutions and trying to innovate. On the side, I helped co-found BSides Vancouver and various other events in Vancouver and in 2017, took that community that I built to form Mirai Security, and really I love building. I'm a very curious person, so innovation is just right up my alley.

Speaker 2:

So I'm going to quickly take a step back to the movie that I feel like was pivotal for a lot of our generation right now that's in IT. Favorite moment in Hackers?

Speaker 1:

You know, I'm always very fascinated by the telecom networks and how phone systems work, and so when they were all at the payphone booths connecting in with the modems where you put the handset in, I always thought that was really fascinating. And I'll give one sidebar story. On the internet, with dial-up, you're always craving just a little bit more bandwidth, and that's when you started learning about telecom services that were not accessible to residents the residential and whatnot. So the T1, the 1.44 megabits per second, that was just so fast. And in my hometown there was a hotel being torn down and as kids we broke into it to check it out, and I remember going to the basement and finding this massive bundle of twisted pair and I was like this must be the T1 because it was just so big.

Speaker 1:

Turns out it wasn't. That was just a bunch of phone circuits. A T1 is actually just twisted pairs.

Speaker 2:

That makes sense, and so hopefully you haven't implicated yourself in too much there. Statute of limitations, there you go. So it's in the past, we're good to go. So the role of chief innovation officer, I think, is a very interesting one in the world of security, and this is a space that is evolving incredibly quickly. What does your role entail and what does it look like on a day-to-day basis?

Speaker 1:

I like to solve complex problems. I challenge clients. When they say they want X, I ask why? And really I try to help them zoom out and say what problem are we trying to solve here? How does your business operate? And I had a recent conversation with a client that was really adamant on network security and I said tell me about your environment. And they're using mostly cloud. So is network security really a thing anymore? And it pains me to say that that was what I cut my teeth in this industry on: big iron environments, big networks, packet inspection, all that stuff. But at the end of the day, everything that travels over a network now is encrypted. It's all going out to the cloud and we've lost our visibility for the most part there. So really I challenged them to say we need to ascend that layer to where we can actually see what's going on, and really it's about the data. So how can we help better detect and respond to threats at that data layer where the business actually needs it?

Speaker 2:

So is that where the innovation comes in, then? Because I feel like the world is evolving so quickly, especially in cybersecurity. When you think about the tools and the methods that some of these bad actors are using, how are you using innovation to stay ahead of the curve, and how are you taking some of that knowledge for yourself to build out your own perspective, but also then imparting that to your customers?

Speaker 1:

Innovation very much is how can we do things better, how can we do things more, how can we do things more efficiently?

Speaker 1:

And it's both an internal function but also an external. So, of course, helping clients see what the future looks like and helping make sure we're managing the threats of the future and not just doing what our CISSP book told us to do 10 years ago. And if I step back for a second, like my journey was working in Ottawa, working with federal government environments, high security and then moving out west to a market that, for all intents and purposes, didn't really care about security all that much, and arguably they still don't, but they need to be compliant. So now they do. But it is a very forward-looking market. In terms of the technologies they use, they were very aggressive at moving out of the data center and into the cloud and thus the technologies that they use are different. The technologies they use to help prevent, detect and respond to threats are different. So one of the things I do internal with Mirai is help make sure that our services really align to how we're addressing threats of the future.

Speaker 2:

So let's not just keep on doing the same thing, particularly if it's not really addressing the modern ways we're using technology and how those threats are now existing in those infrastructure does have some challenges in terms of security adoption, in terms of maybe some of the security maturity, even to the point where some really sophisticated platforms Canada, or even Western Canada is a little bit of an afterthought because the organizations are a little bit smaller the digital maturity isn't necessarily there yet, and so there's such a role of education before they can even get started. How much of your world is education and how much of it is actually implementation of those different platforms?

Speaker 1:

Again, we're mostly a consultancy, so we're there to advise and really help, very similar to yourself, like help the buyer understand: is this the right product for me? Beyond the marketecture of the PDFs and PowerPoints, is this a tool that is going to solve the problem technically and can we operate it people and process wise? And that's where I see a lot of challenges.

Speaker 1:

My background being in Ottawa, I got to play with all the cool tools and when I moved out West I had a security clearance. I had so much experience with government networks, Olympic networks, and that was actually a bit of a detriment because many companies were like Ooh, you're too good, you're really going to call our baby ugly and I had to pivot really quickly to meeting them where they are. And that was a lot to do with cloud. For a long time, I was very opposed to cloud, thinking banks will never, ever use cloud, but it turns out it was totally wrong and actually I've come to realize that, like moving out of the data center and into the cloud actually can enable better security as long as you let the cloud be secure, and cloud can be very insecure if you let it as well.

Speaker 2:

Yeah, I guess so can. Data centers can be insecure too, right? It's really about the controls and mechanisms you put in place. Are there any recent innovations or breakthroughs, specifically in the security market, that you're particularly excited about, and what difference are they making for your customers?

Speaker 1:

Very good question and it's not going to be one answer to that, but what I will say, and going back to, as I mentioned at your event last night, we're not going to solve cybersecurity. It's always going to be a problem. Just, we're not going to solve car crashes. Like, we've tried. We can't do it. So it's really a matter of minimizing the impact of when something does happen, when it does and it will.

Speaker 1:

So many companies have built up very large sets of IT infrastructure and their data centers and whatnot, and patchwork quilt of different configurations and et cetera, and when I was consulting, I was very much assessing a lot of this and the conclusion I came to is we're never going to be able to secure this. It's too complex. So going to cloud provides the opportunity this arguably greenfield opportunity as long as you let it build it better, build it simpler and build it so that you can secure it. Particularly with cloud adoption and very much how we're codifying everything, it gives us an opportunity to have better consistency and that gives it better auditability so that we can actually validate that this environment is actually aligned to the standard that we say we're using or the policy that we've defined on how we're going to do things. You just can't do that in an affordable and economical way in traditional IT.

Speaker 2:

Amazing. So when you think about some of those advancements, then and I know that you're a huge proponent of the idea of taking some of those proactive steps to secure environments, and not necessarily just from a security perspective but also from a resiliency perspective could you explain what that approach might look like in practice, when you think about those technologies, when you think about those philosophies and why that's important for a business?

Speaker 1:

So, if you look at like traditional IT, if you had a catastrophic problem, cyber or IT or hardware failure or whatnot, what's the time to bring those systems back online and bring and thus the business operational again? It's not minutes, it's probably not hours, right? So, looking at how we want to have more resiliency, and when we're talking about resiliency it's what's your threshold for being offline? Is it a day, is it an hour? And based off of that criteria that the business defines, not us IT folk, the business defines what's their tolerance. That way, we start saying, okay, this is how we could do it. And when we start looking at using cloud, it affords us the ability to codify their infrastructure and thus that one's broken, spin it up in parallel, almost identical within seconds, minutes. That's something that we could never, ever do in traditional infrastructure, and that's not to say that's the like, the panacea of all things. Businesses are complex and their IT systems are complex, but every time we're doing an incident response that we're in the recovery phase, if it's a traditional environment, we're talking weeks of recovery. If it's cloud environment, we're probably able to wrap up that same day, as long as they're prescribing to the infrastructure-as-code principles and code revisions of that code, being able to roll it out and bring it back up in short order.

Speaker 2:

So is Mirai's approach and philosophy to that. Would you say it's unique or different, or really it's just been really disciplined in applying those different philosophies.

Speaker 1:

Founding Mirai, I got to work for large consultancies, VARs and whatnot, and my frustration was always a tools-first perspective and what that's resulted in is a technology-rich company that is people and process poor and coming moving out from Ottawa to the West Coast. I brought a unique set of skills over the course of my career with very high-end products that were sold as you want military-grade security, buy this. The problem is that all these companies bought it, burned their entire budget buying that and didn't have the budget to even have internal staff supporting it. So after three years they were ripping out these technologies and that was a frustrating part for me because I really saw a lot of potential in these technologies if they spent the time to build it out properly, build the processes around it. When founding Mirai, it was really always about solving a problem and understanding the solution and then figuring out the technology pieces that will fit in, because it is that trifecta of people, process and technology. It can't just be a technology solution.

Speaker 2:

So do you think that's one of the problems of the industry right now? Because I feel like there's so many different cybersecurity organizations. The market is growing at an incredible rate. There seems to be a new startup popping up every three days that solves some particular angle of cybersecurity, and I feel like people are buying them right. There's a market for it. Do you think there's bloat in the market?

Speaker 1:

It's the human condition. We believe we can solve problems by buying stuff and it's simple, right. I give the Home Depot analogy. It exists because a bunch of people that own homes think that they can fix everything and a lot of times they do, but a lot of times they're calling the plumber afterwards because they've actually made it worse.

Speaker 1:

I'm not anti-technology. Certainly I love technology, but I've seen so much technology get mothballed or deracked because it was sold as a panacea and the inconvenient truth of you're probably going to need to hire another person, this is the actual total cost of ownership, was obfuscated, and that is that technology-rich, people-process problem, people-process-poor problem. On my mind, the hill I'm going to die on is trying to increase awareness to the buyer of what it actually takes to get something to work, and a lot of times I am a strong proponent on the people and process side. It's actually arguably cheaper and you can get more value out of your technology investments when you got the people using the tools properly and having defined process of how the tool should work. Buying the tool and hoping it works is not the strategy I would recommend.

Speaker 2:

So if you were giving advice to a business leader then that is looking to bolster their cybersecurity posture, would you then say start with the people, start with the process. And where do they even start? In this world that is growing quickly, that is evolving quickly and for most business leaders is an overwhelming topic, so where do they start?

Speaker 1:

I hate to be so cliche, but what problem are we trying to solve here? And when I hear a technology leader looking to buy a product, I'm generally asking like, what's the threats that you're addressing with this? What do you think the efficacy of that product or technology will be to resolve that? And it's merely to push back to say is that the biggest problem that you need to solve right now? And we tend to focus on the scary things that we read in airports, what we hear on the podcasts and blogs, and those are all things that we need to address, but we fail to understand some of those threats that are from within.

Speaker 1:

Again, human error, janky IT can really impact a business's ability to operate. Doesn't need Vlad from Russia to attack like it can actually be because of our sort of ignoring some of the less sexy parts of IT that are problems, and that's why I don't think we can really fix our legacy, and we really shouldn't, because that is very expensive and doesn't actually move the needle forward too much. There's legacy IT and then there's heritage IT, and one thing I'm seeing a commonality of is VPNs, which we used to use quite a bit, and all those VPN providers have been acquired after acquired, it's like the third owner of this product. I can assure you that the brain trust that built that VPN has retired. They've driven their Porsche off to the sunset.

Speaker 1:

It's not a supported platform anymore, and that's why we're seeing so many vulnerabilities popping up with VPNs, because the companies that are owning them are just looking to keep profiting from the licensing. They're not innovating those things, and that's really bad, because we're seeing pretty catastrophic ransomware attacks, not by people clicking on emails for once, but actually by a VPN allowing them into the soft yolky center of their IT environment. And that's where we have to start looking at. We should not be thinking that the IT that we have today is working, that dogma of it's working, why are we fixing it? Like it certainly is doing its job, but it is actually costing us a lot more money because it's more complex, it's more hard, it's harder to support and there's a likelihood it's going to be. It is vulnerable and it will impact us in the future.

Speaker 2:

So you've mentioned a little bit of that shift, which is really interesting, from the, I think, the bad guy that everyone always imagines, which is I'm being clicking on a link personally targeted for ransomware of some of these malicious attacks through traditional means. But there's other things that are now starting to pop up. You mentioned the VPNs, which is a really interesting example. What are some of those other kind of macro trends that you're seeing that are different from the perception of the traditional cybersecurity threats that are out there that people really need to be aware of.

Speaker 1:

We like to buy toys and I'm one of them. Black Friday is tomorrow. I'm excited, but the problem is that we buy toys and then maybe we don't roll them out properly. And while I certainly strongly advise anyone operating an Exchange server on-prem to move away from that, because it is impossible to manage that without a team of experts and those experts are retiring.

Speaker 1:

Moving to something like M365 is a really good idea. It provides a much more reliable service of a fairly important technology in most businesses. Turning on M365, depending on the year you did it is how insecure it is, and we see that with so many different technologies that we bring it in, we turn some things on and up until recently most vendors really weren't prescribing to the secure by default principle and M365 is no different. When we do pen tests as an example, that's our bread and butter, is finding misconfigured technologies that everyone thinks is working properly and we exploit and we get on to a SharePoint site and realize, a friend actually mentioned regarding the insecurities of SharePoint is like, well, it's in the name, share, and I was like, okay, that's pretty clever, but it's hard to harden SharePoint.

Speaker 1:

SharePoint's a bit of a monolithic beast anyways, but access control can be tough. Identity and access management is way more complex than just thinking it's just usernames and passwords and what they have access to, and many organizations don't have that built into the culture of this least privilege principle. If you are a user on the environment or a hacker has obtained user credentials, you're usually very trusted. It's that soft yolky center of the egg, hard on the outside, great. But if you have an untrusted user, like an insider threat, or a user account that's been compromised by an attacker, attackers are just going to walk all around that organization and pulling lots of sensitive data out.

Speaker 2:

Interesting. And so, when you think about the risks that you're talking about, which is, the business owners and leaders that are having trouble even comprehending some of these things and they're investing in the wrong areas. But you also mentioned that, from a skillset perspective, it's challenging for them to be able to even find the people to do these things, and so, if I'm a small business, you're hearing all over the news on the media that there's shortages in some of the skilled talent, specifically in cybersecurity. How do I even start to tackle these problems and how do I even compete with organizations like Mirai, like with some of the other organizations, and that's all they do is hire these security folks? How do I even keep up in this world? What's your advice to them in that scenario?

Speaker 1:

So I think there's two parts to that. So I'll break up. The first is I think buyers are challenged finding good data and good knowledge and they rely on sales teams and marketing teams to provide that. There is obviously incentive to any information you receive from those teams and I do find that some buyers get misled the promise of a utopian solution that will solve all problems. We've bought into that and it's our human nature to believe that we can do that. I do believe that, like I run roundtables in Vancouver and that was one thing. I asked this roundtable of CIOs like where do you get your information, and it didn't have a really good answer. The roundtable it was like Google it.

Speaker 1:

I attend webinars. I do this. I think it's good, but there's a signal-to-noise problem there. The webinars are quite biased. So these roundtables that I host is really about an unfettered view of solutions by practitioners. We actually have a pitch jar that if anyone pitches it's $20 in that jar, because we don't want it to be about the technology. We want it to be about solving those problems.

Speaker 1:

Now, the skill set problem. The buyer has a knowledge gap issue and doesn't really have a really good source of truth on that. The skills gap, I'm on the fence on that because it is a problem and when we hire it's hard to find good talent. But that's also because a lot of the bar set quite high. Like we would like our entry-level role to have 10 years of cloud experience, like, okay, like cloud hasn't been around that long and certainly a junior has not had that much experience. But there's a bit of a mismatch of those requirements and that's making it more challenging for the students that are coming out of school with some decent lab experience but no real world working in a corporate environment and securing those environments. But there's certainly a lot of smart kids out there that are eager to get those roles. But you can't just hire somebody and expect them to land and execute. Those are called consultants and that's what consulting is.

Speaker 1:

You hire somebody that you don't have to worry about. But if you're going to bring somebody in as a team member on your cyber side, you do need to have a little bit of a foundation for them to be working on, and governance is a bit of a snooze word a lot of times, but like having the framework that when we bring somebody in, they have a knowledge base of how we work, defined process of how they need to work, it's going to enable somebody that doesn't have all the experience to land on their feet and really provide value to those organizations. Like the shortage is, it's, I think it's a little overblown because we're not necessarily, we're expecting everyone to be experts in technology that hasn't been around long enough for people to be experts in. Certainly the population of technologists out there that want to do security but also can't even get their entry level job to get the experience.

Speaker 2:

Right. So I'm going to open a little bit of a can of worms and that is the can of worms of AI right now, and I know that there's kind of two different conversations around AI, specifically when it comes to security. When we think about, first of all, AI being used as a tool for both, as we'll say, offense and defense, what are your perspectives on how AI is changing the world of security and, as an organization, how are you incorporating it to keep up and what are, how is that impacting, some of the threats that are out there?

Speaker 1:

First. The first impact with AI is it increases the valuation of startups and what's. I remember years ago being in San Francisco and, like the first wave of AI, well before OpenAI, and there's billboards all over with pumping up that AI was everywhere. It really was machine learning, which is really good and important. We as humans suck at the more data we have, the terrible. We're just way more challenged at understanding and synthesizing it. So ML is a great tool for that. In the world of generative AI, I think that it amplifies the good, but also amplifies the bad, and on the good side, it really does help synthesize large data sets and converts it into human readable. The bad side is some people do think it's a cheat sheet or a cheat code to not have to do their own work and went on.

Speaker 1:

You can certainly tell who's using the unpaid version of ChatGPT in emails and documents and stuff like that. I use it all the time. I've taken prompt engineering courses. My prompts are one to two pages long, right? Like I want to get, I want to get as close to that 80% mark on my outputs and if you put the time in to really train your AI on what you want, you'll get some decent results. It won't be perfect and that's why it's a co-pilot, not marketing Microsoft or anyone else's version of co-pilot with AI, but that's really what it is. It should not be the driver ever, but we should be able to rely on it.

Speaker 1:

Now, from a security perspective, working in a SOC, I always described when we were monitoring screens is that I had like the littlest cup sticking in a waterfall trying to catch a fish, and I think AI really does help reduce the noise to signal ratio.

Speaker 1:

So I think that is definitely a huge benefit. Whether that is ingrained in the products and technologies you use or you're using it as a sidecar, there's a lot of opportunity to synthesize a lot of large data and be able to now use our natural language to ask that. It used to be you needed to know Python for that. On the threat side, I've got this behemoth server at home that is my AI server, and I pulled down the recent Meta model and I started stress testing it to see like what I could do and ask it for the, the illicit things. And one of the things that I couldn't get, even with the jailbreaking that, the techniques that are out there, was to write me a phishing email. So they're building it into all these models to not create phishing emails because certainly that's going to be a problem.

Speaker 1:

We've had clients that have actually been targeted with deep fakes and doing the please move this money over to this new bank account for us, and stuff like that, and that is becoming a bit of a problem. Now, is technology going to solve that? Ideally, we should have some sort of authenticity technology that helps us understand that you're real and I'm real. That is a bit of a problem right now, and certainly technology can help with that. We've got tons of cryptographic technologies that can help support that. But I'm going to have to go back to the human side of it, is that most of these attacks are still attacking a human and manipulating, social engineering them to do something that they shouldn't, and in my mind it's, we need to empower our people to recognize that the picture on the screen, the image on the Teams, could be fake, and if something's going outside of what we consider normal operations, you should question it and it's okay to say no, even with all the pressure that they're pushing. It's okay to say no if you're starting to recognize red flags.

Speaker 2:

So how much of that needs to be trained, how much of that needs to be built into process? Like, one of the conversations that I seem to be having a lot of these days as well is around trust, and how can you? I can trust you right now because I'm sitting three feet away from you, but if you're exchanging an email, video used to be the source of trust. Video no longer is. As a person that is deep into the cybersecurity landscape, what advice would you have for people around trust?

Speaker 1:

Yeah, generative AI has certainly made that a problem, and I do sauna talks at my home with a few technologists as well, and we were talking about this last year, on the, like, the authenticity problem, that, like, everything we see online, whether it's written or images, now could be generated, could be not from who we think it is, and that's going to be a problem and I don't necessarily have a solution for it. Beyond solution, I will say, is that cybercrime is a business. It operates like a business. There are literally office towers that have floors of criminal activity happening in various parts of the world: Eastern Europe, India. It happens. And they have CRMs and they have processes and all this. Like, it's a mature business. It's a multi-billion-dollar business.

Speaker 1:

So, if you want to, like, avoid, again, we're not going to be able to stop this at all. So it's really a matter of, you don't have to be faster than the bear, you just have to be faster than the slowest person. So in that sort of dire situation, it's really about breaking their process. So they're going to use automation to do a lot of the targeting, at least the initial, if you think of, like, a sales process of discovery, opportunity, intent to buy, et cetera. There's a process that they follow for targeting people, and the first part of that's going to be automated. It is, they're trying to manipulate you emotionally to click something, do something, share something. As soon as you get a little whiff of "that's a bit weird," break their process. So don't do what they're saying. So a good example is, "Oh, Siri's emailing you, you're in trouble. Click on this to do that." Cool, call Siri. Break their process, go out of band. And now you've avoided being a victim.

Speaker 2:

Interesting. So we've talked about a lot today. I want to turn our lens a little bit to the future. So, with all the things that are happening right now, where do you see the industry going? What are some of the trends that people should be watching out for, and what do you think the future of cybersecurity looks like?

Speaker 1:

If I knew, I guess, if you have a crystal ball, yeah, and, as I mentioned, like, last night at your event, we're bad at managing risk, particularly novel risk, and these novel risks of using AI and cloud in terms of our data is proliferated across the internet to all these different startup SaaSes and whatnot. That's going to be a problem, right? Our data, whether it's personal or business, is no longer ours, like, it's no longer in our walled garden, so that's a bit of a problem. And so we have to recognize, like, the cat's out of the bag, that we're not really going to be able to get to where we were with being able to be very confident that our data is protected. So we have to recognize that it's out there. It may be used for unintended purposes. What are those consequences? And that's where it goes back to resilience.

Speaker 1:

The business isn't a business to stay operational and, in business, making money. So we should always be focusing on recognizing that we will have issues, we will have outages, and how can the business stay somewhat operational? When we look at some of the recent ransomware breaches with retailers and grocery stores, they had to shut down fully, meaning that they were losing millions of dollars a day because they didn't have an ability to operate, for lack of a better description, by pen and paper. So businesses do need to consider those worst-case scenarios, that if you've built your entire business on technology, your business is entirely dependent on that technology working all the time, and we should recognize that it won't. And putting processes and contingencies around how you can operate, at least in a degraded state, but at least be able to operate somewhat, is something a lot of businesses need to consider.

Speaker 2:

So, as you see more businesses integrating AI into their operating models, integrating agent-based service into their operating models and more and more technology into how they actually even deliver and run their business, do you see people getting further away from that idea of understanding how their business could run without electricity, without some of these things that are now becoming critical to how they actually even deliver their business? Even if you think about decision-making, as AI starts to take on different decision-making capability, what advice do you have for businesses in balancing that security and risk component as they continue to innovate?

Speaker 1:

Let's talk about that AI integration, so beyond the chatbot, but doing things, making decisions. I don't see that as necessarily a bad thing. Like many things, we adopt and figure out the bad as we go, hashtag Chernobyl, but when we look at, like, this opportunity, we have an opportunity to actually document our processes. So if we're building out workflows and using AI, this may be the first time a company's written down how something works. Before, it was in Bob's head, of how something operates, and this is well beyond just how it operates, but how the business operates, how accounting operates, et cetera. I see that as a great opportunity to document your process and actually standardize it. I'm a big fan of the capability maturity model, like, you're going from a level one, level two, up to a level three or four, because AI and building out workflows with AI gives you the ability to have a very standardized way of doing things that no longer has deviations, and as long as you build it, it now logs it, so you actually have a paper trail.

Speaker 1:

Now the scary part is that some AI is very black box on how it returns data. So, you know, there is a concern where it's making a decision, we don't know why it's making that decision and, sidebar, even OpenAI engineers are somewhat confused of how AI operates and returns sometimes. They've mentioned that they've noticed that AI has a bit of a personality that they're not coding in and that surprises them, and in my mind it's just an amalgamation of billions of Reddit posts has turned into the personality of humanity, for better or worse.

Speaker 1:

It's terrifying, yeah, it is, but I see that as a really good opportunity. But recognizing there's a black box is there. In the proverbial example of Chernobyl, they were operating and doing some risky things with a very new technology, nuclear, but they always were operating under the impression that, a, the design of the reactor was really good and, two, that they had an emergency stop button that could stop everything and, while maybe wreck the reactor, would not result in anything terrible, catastrophic. And we have to recognize that. If we are going to start letting AI make decisions like that, let's make sure that there is a bit of a red button, there's some oversight, there's some guardrails of how it's operating, but we can stop it. And a prime example of that is Air Canada got sued because their chatbot gave bad advice to somebody and that person was out a bunch of money because of that bad advice. And they said, "Oh, it's computers, it's not us." It is your computers. And the court awarded the win to the victim of a bad AI advice. So we do need to recognize, if we're going to let computers make some decisions, let's make sure that we are aware of those decisions. Let's make sure there's some guardrails, parameters around how those decisions are made. So we're not having a big mea culpa on oops.

Speaker 1:

We used really novel technology and didn't really understand what we were doing. Quantum computing is pretty interesting and I will say that that is something that is, because it's so far down, it's like fusion energy production. It's so far down the road as far as I'm concerned that I'm less concerned about it. Now, to your question of, hey, all these people are harvesting our data and they're going to use quantum computing. Let's rewind. That's how OpenAI and that's how Google Gemini and Facebook or Meta's Llamas are built. It's off of all the things we've done on Reddit, Facebook, Gmail. It's already happened and that's creepy. And that's why I don't use a lot of those services, is because I do feel that I don't want my data being used in unintended purposes, and we had no idea, right? Like, when we started signing up for Gmail and using Facebook and all that, we had really no idea. Back in, like, 2015, I spoke at some privacy event and I was demoing some, like, scary bar tricks and the privacy commissioner at BC at the time was there and I was able to demonstrate that his phone was beaconing a bunch of data about all the wireless networks he connects to and, oddly enough, his Wi-Fi for his home was his actual address. So that was awkward. But I've always said that it's very concerning, what we are doing that we can't undo, and I give the example that on Instagram it was very popular to take pictures of very gluttonous food that you're buying. That's still a thing.

Speaker 1:

The problem is that insurance companies are quite interested in not paying out. So if they have an ability to know that you tend to eat butter way more than most people, your life insurance is going to be affected, and we're seeing that with Fitbits and smartwatches now being, you're getting a discount for life insurance, but they're also now monitoring your health, and if there's any deviation from what you claim you are and how they measure you, they can easily reduce payments and things like that. I read in South Africa that people were gaming it by putting their smartwatch on their dogs to show that they were doing so much exercise. But in my mind, the inevitability is, same thing with, like, plugging the little thing into the car, we are going to be giving more data than we are today. I am a bit of a Luddite there. I want to reduce that attack surface until they say, if you're not sharing, then you're definitely paying more. Then I'll probably be pressured to share a little bit more. But think about people for the last 10 years that have been sharing bad habits: drinking, smoking, eating delicious but gluttonous food. Insurance companies are very interested in that, and now, with AI being able to synthesize all that data, it's a little bit scary.

Speaker 1:

Now back to the quantum computing thing.

Speaker 1:

In 2015, for one of my hacker conferences, I reached out to D-Wave, one of the quantum companies, and said, hey, let's do a hackathon with quantum computing, which, I didn't really have much understanding of quantum computing then and arguably don't now.

Speaker 1:

And he said, here, that's really cool, but here's the thing: developers for quantum computing aren't software developers, they're physicists. There's no actual programming language. It's still just a bunch of crazy math to do very simple computing at this point. So we're so far ahead of, there's still such a long runway before we get to a point where we've ascended the layer of abstraction, where there's an actual programming language for general purpose use. But to your point, like, theoretically, quantum computing could do things like cracking encryption, and that's a scary future because we do need encryption. It's not just to protect our pictures and stuff, but our entire economy and our total society relies on the trust of our financial systems, and if we affect that integrity by having a technology that can crack that encryption, society falls apart really quick. Yeah, yeah, I am very concerned by that. I don't really know much more about where quantum is today beyond that.

Speaker 2:

It is scary, but probably down the road, so we don't have to be concerned tomorrow, but it's definitely something to keep our eyes on, definitely for our kids. Amazing. I feel like we've talked about a lot today and I want to transition a tiny bit towards some practical advice for someone that is looking to get started. Maybe there's a business owner or leader that isn't quite sure where to take these first steps. I can't imagine there's a scenario where a business hasn't invested in some form of cybersecurity, but let's say that there's a business, that they have experienced some growth and they want to take it more seriously. What are some of the first steps that you can practically suggest that they take to get started on that journey, without getting caught up in the wave of all of the kind of fear, uncertainty, doubt and all of the platforms and tools that are out there?

Speaker 1:

Understanding your business, what data is really important and how computers really support the operations of the business. So really understanding that is going to be crucial. Most organizations have adopted, inherited technology over time and it's working. But it may be overly complex and they may experience a near miss on cybersecurity, and that's probably a little bit of a fire to do more, and, like, where do you go? But in my mind, since most organizations are sitting on top of M365 or Google Workspace, that is your business now. Your business is running off this tool. Let's make sure that's foundationally protected.

Speaker 1:

Second is the people. Your people are your human firewall, and I don't want to say the weakest link. It's, they are your business, both how the business operates and the users of technology. So making sure that they're enabled to do things safely and appropriately is really important. And again, that's both awareness of, hey, if you get an email that looks like this, be a bit suspicious, but also making sure that there's a paved road of how they should be using technology and there's guardrails to catch when they're starting to deviate, when they're starting to break rules, do something that's a little bit less secure and things like that. And that goes from SMBs all the way to enterprise. I strongly believe having those foundational things, of making sure the important pieces of your business are working and secured and resilient and redundant, ideally, is going to be really important. Then you can expand out to start addressing those other threats. There's an infinite list of threats. Which are the ones that are likely to materialize the quickest?

Speaker 2:

We need to start prioritizing that way. Amazing, and so I think this is a great opportunity, and I don't have a swear jar with the 20 bucks for pitching, but I'm actually going to ask you, if you were to pitch Mirai services in an elevator pitch style, like, why would someone want to work with Mirai and what exactly is the work that you're doing every day?

Speaker 1:

Yeah, we do a few different things, but, you know, why we have the clients we have and why they keep coming back to us is that we are helping them manage the risk and help them sleep better at night. Our capabilities start at the governance, risk and compliance. I say that's our why. You need to have that North Star of why the organization is doing cyber security anything, and then the more tactical things, understanding that once you've hardened something, let's test it out, let's test our assumptions. But the biggest push for me is the people side, and I'm a big fan of tabletop exercises, and it's because it's the cheapest bang for buck you can get, because it's a safe space to explore how things can go south and what your organization and your people will do in that regard. A good tabletop has a lot of jaw-dropping aha moments and a lot of "we really need to fix this," and that's perfect because that gives the motivation from the business level all the way down to the tech team to figure out what they can do better.

Speaker 1:

And I'm a strong believer in frequency. We definitely will evacuate office towers at least once a year. Who's been involved with an office fire in the last 20, 30 years? It's a fairly low occurrence, yet a very high occurrence is being impacted by a cyber threat or an IT failure. We've all been impacted one way or the other, either directly because something we own got hacked, or our suppliers got hacked. They lost their data or something along those lines. So having higher frequency tabletop exercises, maybe a big one annually and then smaller incremental ones, really will help an organization really understand what they need to do differently to make sure that they can weather the storm and continue to exist. And I'm a cyber guy, but I also have to recognize that tabletops don't always need to be addressing a cyber attack, because there are plenty of other ways that your business can stop working, and it doesn't have to be Vlad out of Russia.

Speaker 2:

Amazing. So if you had one final piece of advice to give to our listeners around cybersecurity, around staying secure, what would that be?

Speaker 1:

How much time do you have?

Speaker 1:

Yeah, again, like, I think there's a lot of great technologies out there, but we have a human nature to think that we can solve complex problems with simple tools, and really trying to understand and talk to either peers or professionals that don't have to sell you something on what works, what doesn't. This is a great technology. What are the caveats? What do I need to know that I don't know about those technologies? I think that is the unknown in our industry. That is either the dark art of practitioners. Having a better understanding of how this stuff works and how it can benefit the organization and seeing those success stories is probably a really good way to inspire better business resilience. Amazing.

Speaker 2:

So we've talked about a ton today. I feel like we could probably talk for another three or four hours. If someone wanted to continue this conversation, get in touch with you. What's the best way to reach out to Alex here?

Speaker 1:

Yeah, I've got a few avenues. Again, professionally through Mirai, we've got a contact form. You can track me down on LinkedIn. I'm also doing some creative article writing and some videos on my new Substack and I run events about quarterly in the Vancouver area. So, yeah, find me out on LinkedIn. That's probably the best way and love to have that chat.

Speaker 2:

Amazing. Thank you so much, Alex. This has been a blast and I really appreciate you coming on the podcast today. Thank you for having me. It's great talk.