Reciprocal and Cross-functional Cybersecurity Learning and Engagement
KITECAST - BILLY SPEARS
Billy Spears, who has served as the CISO at Teradata since 2021, is an award-winning cybersecurity technology executive, author, speaker, and podcast host. In this Kitecast episode, Spears emphasizes the importance of reciprocal learning and community within the cybersecurity field. He values his engagement in the industry, stating that personal investment and the potential for mutual benefit guide his decisions on where to volunteer his time. According to Spears, every interaction offers opportunities for feedback and learning about new technologies or approaches to common cybersecurity challenges.
Beginning with his tenure at the Department of Homeland Security, Spears discusses the growth and increasing complexity of cybersecurity standards. He emphasizes that while initial efforts involved creating policies and frameworks from scratch, the current challenge lies in managing an overabundance of frameworks and a lack of consistency. He explains that companies must navigate from the least restrictive to the most restrictive frameworks based on their specific needs and the risk tolerance threshold they are willing to accommodate. Further, these requirements can vary depending on global economic factors, regional regulations, and data handling practices. Spears underscores that while compliance is a useful baseline, it is not the ultimate driver of robust security due to the many additional factors that need to be addressed outside of basic compliance to ensure data is appropriately collected, used, and protected.
According to Spears, managing resources and costs is a crucial aspect of implementing new cybersecurity technologies. The role of the CISO is not simply about solving an immediate need for the security team; cross-functional thinking is vital across all IT systems, including product, engineering, and even marketing systems. The impact of a technology solution on various business decisions and processes up and downstream must be carefully evaluated. Spears argues that one must take a holistic approach, as decisions made in the realm of cybersecurity can have wide-ranging implications. His team takes these considerations seriously and applies established criteria, working with procurement teams on the financial aspects, to ensure a comprehensive evaluation of the technology’s impact.
The cybersecurity skills shortage remains unabated, and Spears lists three things that security leaders can do to lessen the impact. First, hiring managers tend to recruit candidates who mirror themselves, often neglecting junior candidates who may lack certain tools but have the potential for growth. Second, there is a misconception about the nature of cybersecurity jobs, with many falsely assuming it’s a field dominated by technical roles. Spears argues that the industry needs non-technical business thinkers such as auditors, project managers, and governance professionals in addition to technologists. Finally, with many senior cybersecurity leaders reaching retirement, organizations must think outside the box in finding and recruiting new cybersecurity professionals. Spears recommends solutions such as promoting cross-training, giving back to the community, engaging with universities, and developing succession plans to address these challenges.
Spears highlights the need for people to understand the different types of AI. It isn’t simply a product provided by a single company; instead, it represents a broad array of algorithms and models used for a variety of outcomes. AI technologies have different learning methods, data compilation techniques, and models. Comprehending these differences is crucial, particularly for individuals involved in cybersecurity, as it helps them identify the benefits and potential risks of each AI model. It’s analogous to understanding technologies such as blockchain; education plays a pivotal role in discerning the advantages and hazards associated with AI.
AI, along with the proliferation of big data and advancements in cloud computing platforms, has led to notable business innovations. However, the road to implementing these advancements is not without challenges, and it’s important to consider the potential for miscalculations, mistakes, and unforeseen adverse impacts. In response, Spears emphasizes the need for ongoing education and a robust understanding of AI’s complexities and potential risks to ensure secure and effective usage.
Transcript
Patrick Spencer 0:00
Welcome to Kitecast, cohosted by Tim Freestone and Patrick Spencer, that features interviews with IT security, compliance and risk management leaders and influencers. Everyone, welcome back to another Kitecast episode. We have a real treat today. Billy Spears is joining us. We’re going to cover a number of different topics with him and he has 20-plus years in cybersecurity. Billy, thanks for joining us today.
Billy Spears 0:26
Thanks for having me, Patrick.
Patrick Spencer 0:43
Well, Tim, Billy is an award-winning technology executive, author, speaker, podcast host, you name it. He currently is the CISO over at Teradata, where he leads all efforts related to cybersecurity. Previously, he served as the CISO or held senior leadership positions at places like Alteryx, loanDepot, GE Aviation, Dell, Hyundai Capital America, among other places. Before his foray, or before his foray into the private sector, Billy served as the director of privacy and information security in the US Department of Homeland Security, was one of the first folks over there, I think, in that role, and before that, he was a staff sergeant in the US Marine Corps. I don’t know what it is about Marines, Tim, we’ve been interviewing a lot of
Tim Freestone 1:27
a lot of Armed Forces professionals.
Patrick Spencer 1:31
They’re keeping us on the straight and narrow. Billy, as I noted, has received a lot of awards in the leadership positions he’s held in cybersecurity data privacy. He’s an active leader, in addition to his full-time job in the technology sector ecosystem, serving as a Gartner peer community ambassador, advisor for A-SCEND customer advisory board, and he’s also an advisor for Cyvatar. Billy, I don’t know you’re busy. Every time Tim and I interview folks for a Kitecast episode, it seems like we just aren’t busy enough because everyone we interview like yourself, man, you guys are involved in a lot of different things.
Billy Spears 2:11
Yeah, I appreciate it, guys. There’s that the community is, it’s important to me, I think giving back is equally as important as what you consume from it. In the many, many years ago, as a lot of folks have been in this business a long time, when we came up, there weren’t a lot of places to go. Now, I think there’s ample opportunity of technical learning, on-the-job sort of learning, but also learning from your peers, which I find really, really useful.
Patrick Spencer 2:37
How do you get how do you? I mean, there’s tons of things to do out there as a CISO. How do you weigh in, evaluate them to decide, you know, this is worth my time, this isn’t this is something where I can contribute, I may not be able to make that big of an impact here? I’m going to punt, you know, how do you make those decisions? And where do you find the right opportunities?
Billy Spears 2:56
I think it’s a combination of how much your personal time spent in the area, but also the benefits. Attend to the volunteer mode, where, where there’s for human receiving the information on the other side, but inversely, so I’m willing to share my information if the other person across the table is willing to share their because in every conversation, a feedback is such a privilege. And I always find something that I can learn better, more efficient, some new technology, some combination of things, some different approach to solving the age old data protection sort of regimen, I find that a lot of fun. So that’s where it is when we need to talk to people. I’m more connected less people; I’m probably less involved.
Patrick Spencer 3:43
The Gartner thing that you I think it was relatively recent that you became an ambassador are there in the peer insights program? How often do you as a technologist, I don’t think this is something we’ve covered in a previous podcast? This is interesting to me. But how often do you turn to those reports to see what vendors are ranking in a particular space? And you’re doing a bake off? You take those into consideration? How do you use those reports from Gartner and Forrester and others in the marketplace?
Billy Spears 4:12
I think they’re really helpful. You know, those are point in time reports. So they’re typically in the past because just all the research that goes into them, but I find them useful because it’s sort of like an impartial set of footprints or details that you can draw some conclusion from based on experiences, other people’s interactions, etc. But I try to look at them all the time. So some of them change annually. Some of them change every six months, but at the pace and the flow of our business. I use them as a strategic sort of marker or barometer when making the next big decision.
Patrick Spencer 4:44
Most of the ones in those reports are established vendors and I’ll let Tim jump in as few questions here. How do you the ones that are up and start you know bleeding edge brand new the market startups and so forth? They may not be ranking as high. How do you find Those type of technology providers in the cybersecurity space?
Billy Spears 5:04
Yeah, I think a couple, a couple of good places to start, you know, there’s, there’s a lot of VCs that will invite you to start, here’s their portfolio of companies. And then there’s a few industry partners that will invite you out to some of the geographical spaces that will have, you know, small niche companies. But also you have, you know, the big conferences, this is too much in this cockpit. You have your RSA and your Black Hat whatnot. Conference, and, and I think there’s a lot of value. It’s not just the networking of your partners, but spend time go through all the vendors and figure out what works, what’s new, what, what hasn’t been done, or maybe what’s a specialty, that you’re missing inside of the platform that you’re using, or maybe many platforms in some cases.
Tim Freestone 5:46
So your role is as CISO at Teradata. Teradata is a technology vendor. How much of your role is evangelism versus internal cybersecurity? Or is there no event? Can you tell us a little bit about how the dynamics change of a CISO based on where you are, and maybe you can use a couple of different life experiences where that CISO role has changed?
Billy Spears 6:13
Yeah, sure, you know, my rolling, you’re tearing you down first. I’m so grateful. To me, that’s such a strong company, right? And I’ll probably drop some more Teradata, things along this this conversation for everyone. The idea of the role here is, I think it’s equal parts of evangelism and practical development. What I mean by that is territory, the structure of the company itself, the product we sell, and then there’s the equal parts of getting people comfortable with who we are, or what are their purchasing. And sometimes, you know, we have amazingly technical representatives and other people to assist, but sometimes they just want to hear it from the head of security, or our CIO or other folks in the backend, that sort of are keeping the factory moving from the security standpoint. So my role is definitely a balance. I get to come on shows like yours, and kind of tell about what we’re doing and talk about some of the things that I’m seeing that security.
Tim Freestone 7:14
Good and, you know, as you kind of craft what you see, and as you network with CISOs. You know, the one thing, one question, I tried to ask what I remember, is other than Gartner and maybe if you rank it in the top three or four, what are CISOs? How were CISOs, finding, evaluating and making a decision? What are those sources that they’re coming together, or bringing together to help make the make the decisions? Let’s assume Gartner’s in one of the three or four.
Billy Spears 7:48
I think it goes back to your evangelist question, right. So, you know, how does the role where was it where it is? And sort of what are we doing to think about the current sort of challenges plus, you know, strategize towards the future. Traditionally, CISOs, were primarily focused on just the technical aspects of information security, which I think is it’s rewarding, but in today’s complex, and maybe the rapidly evolving landscape CISOs are increasingly taking on more of a role as the evangelist inside the company, which I’m talking about a little bit. Last question, but also externally, because when, when you’re thinking about making decisions, you have to first have business alignment. So it’s, you know, we’ve talked about this a lot and the landscape of saying, hey, cybersecurity is just a technical issue. I disagree. I think it’s a full-fledged business issue and has its own risk, sort of vectors and tolerances, and so has to be a stable communicator, so that, you know, when you speak, you just don’t, don’t champion fear, uncertainty and doubt. But you’re championing the importance of what you’re seeing around security to other executives and board members, helping them understand how to tie security into the business, objectives of risk management, you have to think about the culture itself. And this goes into decision making, too. And then I’ll get into more how we evaluate specifically, but you have to think about the culture. Do you have a cyber-aware culture? Or do they just know what they’re reading? So they’re making their own choices. I’ve talked about this in the past a lot. It’d be interesting, if you were back in the office full time, if you could just see people stealing the chairs and the elevator with the chairs above their head and leaving, consuming that data or not knowing that’d be cool, it’d be easy to spot them up. But really, people don’t go to work to do bad things. 
People go to work to get their job done when there’s impediments in the way stopping them from getting their job done. More commonly than not, they’re just reacting and creating a process. So they’re using innovation, for their best judgment. So if you don’t have this cyber-aware or security work culture, sometimes that innovation creates other risks. So it’s really important to evangelize there. You have to consider things like regulatory compliance changes all over the world and wish there was a one size fits all and probably not in the boat alone there. But the reality is, it isn’t a one size fits all. There’s uber regulations like GDPR, or CCPA, or others that you have to take into account. And then you have frameworks and you have customer requirements. And people are always trying to get hardened security postures. So when you’re a company like Teradata, it’s important that you take the highest common denominator and put that into the product, or internalize those practices. So people can really have that faith in you that you can deliver what you say. We have to consider vendor and partner relationships, public relations, and also recruitment and retention. You know, I always tell my team, the longer we stay together, the better we’re going to get. And with the global shortage of cybersecurity professionals CISOs, that constantly find they’re drawn towards evangelization inside the field of security, sometimes just to retract, or excuse me, attract and retain. Now, if we take all of that stuff, and fundamental, what I’m saying is, how do you evaluate what’s happening? If you start with the company’s reputation, that’s true. Because what happens is you can have a startup with the best intent. And they’ll come in and say, here’s all the things we can do. And they haven’t thought about how to package in the ecosystem, they haven’t thought about resiliency for their own company, are they going to be bought? Are they going to be out of business in a year? Now? 
What happens if something goes wrong? Those things have to be evaluated? You have to think about implementation costs and onward, management of those costs. So what’s the operational cost? Once it’s implemented? How does it affect other systems? It’s really easy to say, hey, security, folks, this is going to solve an immediate need. But you have to think cross functionally across all the IT systems, all the product and engineering systems, all the systems marketing system, how does this one technology affect all of those business decisions up and downstream, if you’re not taking those things into account that doesn’t see so you have to kind of step back and consider all those other things that I talked about before. So we take those very seriously. We have criteria, some of its weighted behind the scenes, and that’s just simply solely stay as sort of agnostic as possible through the process, and that we partner with, you know, procurement teams and such for the financial side. Hopefully, that was a decent answer.
Tim Freestone 12:20
Yeah, they actually gave me helmets. Right, Tim? Just gave me another question. You talked about the challenges with recruiting. And I just, you know, it seems like an incredible career path to me, you get to make a difference, your work is incredibly meaningful. But it’s still just a challenge for the industry to train and fill cybersecurity positions. And I’ve heard it now for 10 years, maybe longer. What’s your take on this? What’s your read on? Why this is continuing to be a challenge?
Billy Spears 13:02
I think there’s a, it’s a three-part answer. Some of it won’t be very popular. So the first part is the same when you’re recruiting for talent. What typically happens is managers recruiting image of themselves, they want the experience, they want the way they speak and receive information and steal information. And that’s hard. So if you’re a 12 to 15, year seasoned professional inside of security, and you want to you just get promoted, and you want to backfill with your mirror of yourself, that’s why you got promoted, like, you have to start a little bit Junior. And then the other part is the problem. If you go Junior, they’re probably not going to have all the tools you have inside of your toolbox. So you have to find something that’s really, really important that your company needs and be willing to teach and grow and be patient as people come up the same way that you and I did over the years. And that’s tough. Second part is people assume that because we’re hiring in cybersecurity, that it’s only these technical engineers, and only people that can code and only this, this deep experience. And I’m going to give you kind of a false statistic. But one that I’ve used for a while, I think the technical side of security is about 20%, which means 80% of what we do is non-technical business type thinking, people. Now we audit people, we have governance people, and you have project management people and all these other people that are very, very important and critical to the success of a security department. And we don’t really think about those kinds of thinkers, we’re only focused on things like engineers, vulnerability management, people, security operations people, right. And that’s what folks think about. 
So what I challenge everybody to do is just take a step back, find something, find the next generation, go to universities, do talks, give back to the community, build a cadre of the next level of folks so that you can thoughtfully clap people out when they get promoted or move on to other companies. That’s okay. You have succession in place. And so the companies that you may not have a very large bench of cybersecurity professionals, maybe 8, 10, 12, 15 people on your team. And you say, Hey, Billy, there is no succession here, one over one, it’s really important to take a breath, and cross trends and foe. So maybe architecture and the engineer across training just in case, maybe you’ll have a cybersecurity auditor and risk professional cross training just in case. And I think that’s helped take away some of that anxiety. But the large wind milling effect is more and more companies are building technologies, they did things, they don’t have enough bodies to hire, and you have boomers and other people retiring. And the reality is you just have less people to fill the need. So we have to get more innovative, in order to be around and sustain over what’s inevitably going to happen.
Patrick Spencer 15:50
You pick certain people on your team, to mentor you know, if you have 15, 20 people on your team, you probably don’t have time to do hands-on mentoring with them on a regular basis, all of them, but you, you have the ones who are the superstars, the ones who have the most promise, the ones you can see, filling your role from a succession plan to your point in two or three years. How do you decide who that is? And then you probably mentor some folks outside the organization as well, Tim and I had an interesting conversation on a recent podcast in regards to this issue with Rebecca, when, you know, you probably get inquiries, because of your background, you know, as the previous director of the secure cybersecurity, for Homeland Security, you get folks who approach you and say, Hey, Billy, you know, I’d love you to mentor me, you know, can you coach me on? You know, this proposal that I’m putting forward to our board of directors, you know, how do you, you get a lot of those? How do you decide which ones to accept? And which ones you decline?
Billy Spears 16:47
Well, I never say no, I think it’s, it’s, that’s why we’re so busy, right? I think anyone lives, gracious enough to ask me for help, I’m going to find a way to help. I think there are some qualifiers there. So who do you know can’t do your work for you, and they can’t fulfill the terms of your project or request, which does happen sometimes. But I can guide and say, here’s, here’s some general things that I see. Here’s some other folks that you might want to talk to you so you can grow your grasp of intention and knowledge and understanding around, you know, maybe why decisions are made or how we communicate in different how do we communicate through different levels in different parts of the organization at different times. Going back to internal in the org, I do actually spend some time mentoring with every single person who might work. But it’s not every week, right? So I do these things like we all have breakfast meetings, or then have dinner, depending on where you are in the country. And we’ll do a random six or seven folks. And we get together for 45 minutes. For me, it’s every week, but it’s a different group of people on my staff every week. He has to talk through literally anything they want to talk. Sometimes it has to do with business. Sometimes it has to do with career. Sometimes it’s restating questions or observations and have it throughout the day to day, but we want to clarify the message. And we want to make sure that we give them the amount of time that they feel like they need to, to fulfill their own career aspirations. Otherwise, engagement tends to drop. Now with the first part of your question, with the high potentials, we again, we have an impartial system of me directs, which is the leadership team of security we get together. And we’re always talking about folks that want to grow or prove or take on new challenges. So we do that. And we incorporate that through lots of methods like stretch assignments and goals. 
And sometimes we challenge them to do some other things like mentor their own team or grow their team or, you know, provide some training, whether it’s technical training, leadership, training or otherwise, for their folks that they feel like are deserving. For us, we evaluate them on an annual basis, we follow the company kind of structure there. But we never really lose sight and my team have the opportunity to connect, mentor and help people improve because I feel like it’s our job to help people see the path ahead, no matter what. And no matter what sometimes is a dangerous statement because we have people who will say hey, listen, I’ve been with your company for a long time. Love the company, love the people, but I want to try something new. And sometimes the feeling is it’s it can get very disheartened, because you feel like people are leaving. And I think that’s not true. We should really congratulate folks, if their journey stops with us today. We should congratulate them and continue to mentor them no matter where they go. We are a small industry, the likelihood of us working together again is really high. So just because they try something different. It’s not a personal attack on us.
Patrick Spencer 19:45
Yeah, I completely agree with that approach. That’s when I’ve employed in the past. I tell folks, you’ve been doing this job too long. You need to go to something different. Even not on my team. You need to work for someone else who will give you a different perspective
Billy Spears 19:59
at I think that the idea of trying different jobs out only creates a more robust view when you’re in the leadership role someday. And some people are going to listen to this podcast, and they’re going to say, I don’t want to leadership, well, you know what, for the folks that are out there like that we need you to. So either way, there’s folks that are going to want to have people, management positions, people who don’t really want to remain individual contributor. Either way, there’s growth potential, we just need to know, I tell people all the time, if you’re expecting me to guess what your career aspirations are, then I’m going to be wrong every time. It’s better to just tell me and then I’ll work with you to map out some progression. And we can figure out what works and what doesn’t for you to find that that successful journey.
Patrick Spencer 20:43
Speaking of journeys, how in the world did you go from staff sergeant in the Marines, to Director of what I forgot the exact title you held over the US homeland, homeland security department, but you know, to that role, that’s a big transition.
Billy Spears 21:00
Yeah, by accident, I think your career kind of takes off. And I think it’s really about, it’s really about what you do when the door opens, right. And I was really fortunate, especially early in my career, when, when a door opened, what would happen, and I was a person who would walk through the door, and kind of figure it out, I can learn from those around me. So from the military, when I first got out of the military, it was tough to get your big, four type jobs. Because we spoke heavy in acronyms. We came from battle driven areas, the regular part of society in the United States didn’t really cultivate towards who we were when we came back. So I stayed with the federal government. And the idea behind the federal government is they speak in acronyms, and they still, they helped me transition and give me a little bit more confidence, I was a lot younger and needed that time to really transition really develop as a regular worker in society, but also as a leader in inside of Arizona was technology which evolved in US security. So when, when the US Department of Homeland Security form, that was my opportunity to go up to, to Northern DC, Washington area, and really help take shape to what has become now of course, the things the CISO, and all the things that are here now didn’t exist back then. And but it was really an opportunity for me to get back to my government and say, you know, what can I do to help make this a better place. And what it really was, for me was a great learning opportunity, and a whole lot of hands on experience from people who were way more technically evolved, and way more business savvy, but also took the time to mentor me and help me grow. Now, some of that advice I didn’t always take in the kindest way. And what I’ve learned as I’ve gotten older, and continued to progress in the head, is again, that stuff is a gift. 
And sometimes when it when it stings the most is when you really need to listen to I think that if I give myself advice as a younger person, it would be to digest that, that sort of very candid feedback that I received as a younger person, because it’s helped me all the way through my career even now.
Tim Freestone 23:17
So you’ve come up against, you know, just with a military background, and then of course, being a CISO. A lot of threats, a lot of sleepless nights, all across that whole board. Recently, Sam Altman, the co-founder of OpenAI, testified in front of Congress. I don’t know if you caught that or not. It was pretty interesting. But one of the things they asked him and the other two folks who were testifying was, what is your biggest nightmare? Which is another way to say what keeps you up at night, but I think it’s a little stronger. So right, you know, I’ll ask you, what is your biggest nightmare in your role and that you see, could happen in your profession? Yeah, that’s it full stop. What’s your biggest nightmare?
Billy Spears 24:06
Not knowing? Simple. I didn’t once you once you know, and understandings, there’s, you can just process right, if you don’t have process, your creative process, I think not knowing is probably the thing that keeps me on the most. Because if you don’t know, then you can plan you can drive something to improve a candidate get across the goal line. And sometimes that’s a little frustrating.
Tim Freestone 24:29
So a lot of what you have I paraphrase it down to action, a lot of what you do in your role is the pursuit of knowing what’s going on.
Billy Spears 24:36
Well, I think that’s the first part. Yeah, I think a big chunk is discovery. So if you can get to discovery and consistent discovery, right? Because I think with anything for the listeners out there, you just get to discovery say well, Billy said That’s good. We don’t We can sleep now. The idea is you have to dial that in and you have to tune in, you have to make sure it’s very consistent the message that you’re getting back so that you can make data driven decisions instead of Making qualitative decisions. Because sometimes in our brains, we will look at a set of numbers. And because of our experience, we just push us in one direction. And I think it’s really important to step back and logically look at the information, bounce that across some counterparts and validate the way you’ve seen is, is reality. And then you’re making an informed decision with a consensus of leaders instead of an individual one that could actually drive more risk.
Tim Freestone 25:28
So let
Patrick Spencer 25:32
me I suspect, yeah,
Tim Freestone 25:33
the close, I kind of lead myself into that question, what is your topic du jour? Which is AI? How do you see that playing into some of your decision making? How have your colleagues that you’ve been talking to been thinking about it? And even what’s Teradata’s position on it? And are there any proactive measures that you’re seeing happen that you want to mention in this podcast around cybersecurity and AI?
Billy Spears 26:04
Yeah, that’s a lot to unpack.
Tim Freestone 26:05
Yeah, it is. I like to throw it out there.
Billy Spears 26:09
So the idea around tardiness, formerly known position. So we are working together as a group of senior leaders and others, to figure out all the details behind where we want our position to be. On the other side of the industry, AI is something we are two schools of thought, right? One school that says, hey, put it back in the box, we’re not ready for it, we have another part of society that says let’s go foot on the gas, we have no brakes. And let’s just keep going. I think there’s a lot to consider when you talk about AI. And the first being, you know, what, what are the company’s sort of productive outputs from using AI. And I think there’s, there’s a lot of those to be had, right? Companies can think about new performance, new innovations, something that scales better, faster, whatever. There’s also equally some ethical considerations. There’s bias considerations, there’s privacy considerations. So depending on where the data is coming from, it’s no different. It’s, if you can’t rely on it, when you’ve collected it, you probably can’t rely on it as an output. So it’s really important that the collection comes from a pure place that’s unbiased, and has the benefit of what you need. We also have to think about using AI to get smarter, faster and more agile, like the attackers, if you’re an avid village hacker, an Ivan’s your best friend, because you can go find things you didn’t know you had, you can create kits that you didn’t know how to do before, and you can push them on unsuspecting companies or code bases, that probably wouldn’t have been an unintended consequence before the malicious use. So taking these high powered tools and algorithms could potentially be exploited for malicious purposes. For example, attackers could use AI to automate and scale their attacks, things like sophisticated phishing or social engineering, I think it’s been around forever, they just keep getting more realistic. 
But having stringent protocols, and to prevent the unauthorized access to systems or AI systems, and ensuring high levels of integrity to your infrastructure, whether it be cloud or on-prem or whatever, that’s really important. And then I think, again, going to the education of insider threats, because if you can configure AI to convince a human or talk, right, some of these AI tools have voices that can talk to you like we’re having a conversation here. If you if you really got to educate people to challenge something that’s a little different or use to, to further enhance them, like fraud detection and whatnot for our company. And there’s probably infinite use cases, I’ve been on no less than three or four groups that are developing all these sort of answers and thinking about all the different use cases and problems to solve for, I think, for the betterment of the community. It’s not just company. So that’s been really exciting for
Tim Freestone 29:06
And I think it will also just, I mean, good or bad, it will make the need for cybersecurity professionals that much greater with specialized costs. And again, I know what you’re talking about some shortage, but you know, this is a domain of expertise that’s only going to become more and more in demand as these AI engines make threats more sophisticated.
Billy Spears 29:35
Yeah, I totally agree. I think people should also consider the type of AI. So when we especially right now, people are thinking about AI and they might think, one company over the next or, or whatever. But still AI is a set of algorithms that you will use for an intended output. There’s different ways of learning. There’s different ways of compiling data. There’s different models of entities. So it’s really going to be weren’t for security readers to understand that as much as they’ve understood things like blockchain in the past or others, got to educate yourself so you understand what the benefits and risks are.
Patrick Spencer 30:13
You foresee I was about to ask, I actually thought this was a question Tim was going to ask, as you look at the threats, and, you know, the ability to govern those, and actually, you go back to your days at the Department of Homeland Security, I assume you began to see during that time, which is 15, 20 years ago, the early indications of the cybersecurity standards that exist today, right, go back to sort of that timeline, and their development to drive, you know, that data driven approach that you just spoke about, from a security standpoint, do you see compliance is the means for gaining that visibility, and in driving adherence to securities that you put in place that help lower your risk factors? You know, can you speak a bit about what you’ve seen take place over the last 15 years along those lines?
Billy Spears 31:07
Well, I think the journey is more exciting, I don’t remember the specific use cases all the way back to the government days. The idea here though, of saying you have nothing in this space, and then you formulate some opinions and ideas to create policies, frameworks, etc. That’s important. I think the challenge you have in our space is you have too much, right, and not enough consistency. So the different frameworks and depending on which one you’re looking at, you can start from least restrictive, all the way to most restrictive. And companies really have to comply with each subset and increasingly get improve the barometer, if you will, in order to get to that risk management factor that’s, you know, hits the tolerance vector of every company, right? Or the following this threshold, but the idea here is, which one is the one, and then that changes based on regions that changes based on, you know, the global economy that changes based on where the data is coming from, and going in tune and sitting at rest, etcetera. And as they get continues to be more complicated, so for do I think compliance is the driver, I think compliance is a driver, for some, it gets you to basic, I don’t think compliance is the driver, you have great security, because there’s so many things you have to deal with outside of basic compliance, and to be reasonably assured that the data is going to be collected for the main purpose, user data into purpose safe, resilient, etc., that those thresholds don’t specifically call out.
Patrick Spencer 32:36
And the protections that are in place Steve received, we’ll be adding some to the conversation we just had about AI, you see AI making its way into some of the cybersecurity standards that exist to how, how long do you foresee before that takes place?
Billy Spears 32:51
I think it’s going to take a while. I think it takes a while because the standards are, are governed by large bodies of people with disparate personalities and different opinions on everything. So and that’s not a bad thing, either, right? So people are going to put some things on the table, people are going to debate about them, some things will fall off, and I think the route will stay again, the route in the beginning, you know, the basics that I hear the most aren’t really around? How do you protect intellectual property from being inserted in one of these models? Or how do you protect the data privacy and confidentiality of whatever volumes or search history or whatever you’re doing inside the models? And if you attach that to any of your company models, or whatever you’re doing, how does that affect that and sort of the competitive nature of your company versus others? I see that a lot. It’s really a fancy way of saying fairness in the involvement of AI. And I don’t know that there’s any of that documents today. However, there’s tons of companies building, maybe the backbone of their company off these AI models and connecting them to other things to help people really realize the value of their data. A little bit quicker.
Tim Freestone 34:05
Yeah, it’s almost like that’s absolutely happening. And it’s almost like Y-Combinator became overnight, not just a startup incubator, but a, an AI startup incubator. And so all of these companies have exploded, that are going to help other companies do more with their data, but all their data is going someplace else, so to speak. And I think the urgency around data privacy, and data protection and the security of your information in the hands of these third parties will just it just it has to happen fast, or it’s going to get out of control.
Billy Spears 34:46
Yeah, Tim, you know, on that, you know, just a question that I’ve been mulling around my last few counterparts in the business is really around intellectual property rights. The question around surrounding who owns AI generated content? It’s pretty complex, right? Okay, so if you put your question or you put your data or you put your whatever and say, Hey, do something with all of this, because you put it in. Where’s ownerships? Where does that go with your company? Does it stay? Did you not give it out to your model? Like, I think that’s a careful thing that folks are going to have to navigate. I’m not an attorney, we’re going to need some attorneys to weigh in and kind of guide the way that we think here. But I think that based question is just one of many that will help security leaders kind of figure out, okay, depending on the output there, here’s some controls or some security considerations that we need to have before saying, Yep, just let’s just open our companies up to his model.
Tim Freestone 35:40
Yeah. I mean, Microsoft is doing a lot of work there. In terms of ring fencing data, and, I mean, obviously, they have a big vested interest in the success of OpenAI. But again, I think the corporate entity will drive their own regulation for the time being, I just hope it happens faster, sooner, rather than later out of some government organizations.
Billy Spears 36:10
Yeah, for sure. I think Microsoft’s awesome. You know, me, for one, I’m pretty grateful to be working for a connected multi cloud data platform company. And we, you know, we by the very nature of what we do, we help companies, you know, transforms, many of which are the world’s largest and most innovative companies turn their data into their greatest asset. So a lot of other things that I’m talking about this so one, that one opportunity for Terry, are companies like 30? Yeah, I can see that.
Patrick Spencer 36:39
The, the ideal scenario would be they would keep their data within your platform for analysis. And they’re not taking it out into the public cloud, where some of those intellectual property issues begin the lines blur to your point. I assume that would be your argument. And that’s one way you can ensure that your employees aren’t dumping code that’s intellectual property into a public cloud that then could be accessible by millions of people literally.
Billy Spears 37:07
Yeah, I think we’d love for folks to use our platform and allow the platform to do the heavy lifting. So they can, you know, have the results at their fingertips and make informed decisions for their competence.
Patrick Spencer 37:22
Makes a lot of sense. What’s your concept of structured unstructured data? You know, how do you control access to it? Does it differ as a CSO? And that’s sort of the heart and blood of your business as well?
Billy Spears 37:37
Yeah, I think it’s important to go back for you have any sort of structured and unstructured data qualifications, and I think the, they’re different. And they present unique challenges when it comes to data protection. For example, structured data is typically stored in highly organized manner. It’s often in things like relational databases, where it can be easily sorted and searched and whatnot. Some of the examples there could be customer records, transactional data, or anything else that can easily be categorized in rows and columns. If you’re a person that looks at things like that, that’s amazing. Unstructured data, on the other hand, includes things like emails and documents, multimedia, social media posts, right, things that don’t easily fit into what I’ve just described before. So if you think about structured access control is usually easier. Because you can implement at the database level, prevent unauthorized access. Implementing that same access control for unstructured data can be much more challenging, because its data often resides in multiple places, various formats, etc. Things like data classification, in an unstructured system, it has to be classified and determined sensitivity level of protection require that can be complex and time consuming often require the use of AI or machine learning tools to kind of help sift through it. On infrastructure data, things like data masking, techniques become prevalent. Encryption, auditing and monitoring. Like these are all typical things. And I could probably talk forever, in unstructured system. Some of those things like encryption are much more complex because it’s distributed across various systems and format. So you go from one to many. And when you evolve into many it becomes a little bit more complex, but not impossible. Interesting
Patrick Spencer 39:29
Billy, we really enjoyed this conversation. This has been enlightening, and hopefully we get a chance to talk to you again and you know, a few months about some of the new permutations that we talked about that are taking place today AI will have rising as we spoke about before the call started there a data breach investigations report will be out in the marketplace. Be interested to get your insights on those. So for audience members who would like more information on Teradata, I assume they simply should go to your website any other directions that you’d like to provide them.
Billy Spears 40:00
Check out our website teradata.com. If you need more, reach out to me directly on LinkedIn. You can find all my details there and I’d be happy to point you in the right direction.
Patrick Spencer 40:11
That’s great. Billy, thanks for your time today. Thanks to our audience. As always, if you’re interested in other Kitecast episodes, go to kiteworks.com/kitecast. Look forward to having you on our next broadcast. Thank you for listening to another Kitecast show. Check out other Kitecast shows at kiteworks.com/kitecast. Rate, comment, subscribe and listen, wherever you get your podcasts.