Host
Dottie Schindlinger
Executive Director, Diligent Institute

Cybersecurity in the age of AI

In this episode of the Corporate Director Podcast, Nick Shevelyov discusses the rapidly changing cybersecurity landscape driven by generative AI, highlighting its dual role in empowering both threat actors and defenders. The conversation covers emerging threats such as sophisticated spear phishing attacks and deep fakes. Nick also discusses effective cyber defense strategies, emphasizing the need to balance investment in AI-native technologies with good cyber hygiene practices.

Please see below for a transcript from this episode:

Narrator

Welcome to the Corporate Director podcast, where we discuss the experiences and ideas behind what's working in corporate board governance in our digital tech fueled world. Here, you'll discover new insights from corporate leaders and governance researchers with compelling stories about corporate governance, strategy, board culture, risk management, digital transformation, and more.

00:00:34:00 - 00:00:53:07

Dottie Schindlinger

Hi everybody, and welcome back to the Corporate Director Podcast, the Voice of Modern Governance. My name is Dottie Schindlinger, Executive Director of the Diligent Institute, and I'm joined once again by my amazing co-host Meghan Day, Strategy Leader here at Diligent.

Meghan, how are you doing today and how are you surviving the heat?

00:00:53:07 - 00:00:55:04

Meghan Day

Well, I'm

00:00:55:03 - 00:01:00:22

Meghan Day

have really good air conditioning, so that helps. Afraid for my Con Ed bill in a couple of weeks.

00:01:00:21 - 00:01:15:20

Meghan Day

You caught me. I would say this episode a little bit deep in thought. I am coming out of a conversation I just had with my boss about how fast AI is driving the pace of change inside companies right now.

00:01:15:22 - 00:01:24:18

Dottie Schindlinger

Yeah. And what's your take on that, Meghan? Because I know it certainly is driving a very brisk pace here at Diligent. We are all in on AI as a company.

00:01:25:02 - 00:01:54:15

Meghan Day

Well, I saw a survey the other day that really stopped me in my tracks. It was from Adecco, where they interviewed about 2000 C-suite leaders across 13 countries. Only 10% of the companies surveyed globally are considered future ready when it comes to AI. And I don't know, it just paints a pretty stark picture of where we are with AI readiness and this like, hurry up, we got to get there vibe happening right now.

00:01:54:14 - 00:02:13:15

Dottie Schindlinger

Yeah. You know, Meghan is reminding me of some conversations we had last fall with Florian Rotar, who's the Chief AI Officer at Avanade, and he had this great line that he used, which is, you know, he thinks we have grossly overestimated the impact of AI in the short term and radically underestimated AI's impact in the long term.

00:02:13:15 - 00:02:30:15

Dottie Schindlinger

And I think that's the right way to think about it. And one of the things I know we're excited about trying to do at Diligent is not just provide AI-fueled tools to our customers, but also education to wrap around that, and that, I think, is really important too. You know, we think about our What Directors Think survey that we did

00:02:30:15 - 00:02:32:11

Dottie Schindlinger

and published in January.

00:02:32:12 - 00:02:44:07

Dottie Schindlinger

The number one risk that board members were telling us they were seeing as it relates to AI is whether or not they've got leadership that's ready to handle it. And, you know, I think that's a big issue. I think education is part of that. What do you think about that?

00:02:44:07 - 00:03:11:23

Meghan Day

I definitely agree. And when you look at the companies that are the so-called future ready, it's not just about throwing money at the technology. It's about investing in people. It's about aligning their strategies with talent development, training their leaders, making sure employees aren't left to figure it out on their own. I mean, one of the most surprising stats was that while 60% of companies expect their employees to adapt to AI,

00:03:11:22 - 00:03:18:01

Meghan Day

a third don't even have a policy in place. It's like handing somebody a parachute and saying, good luck. Like, hope you land. Don’t break a

00:03:18:13 - 00:03:28:06

Dottie Schindlinger

Right. Yeah. I mean, seriously and so. Okay, so let me just share with our audience, in case you're curious, some of the things that we've been doing because we really started on this,

00:03:28:06 - 00:03:40:06

Dottie Schindlinger

fairly early. I, we, we began putting together a certification program for board members and senior executives on AI ethics and board oversight. We launched that, you know, really at the end of 2023.

00:03:40:08 - 00:03:58:18

Dottie Schindlinger

And so that was just, you know, the beginning of 2024. So that was just really kind of getting in on the early stage to provide education to leaders about how to do this. But since then, we've gone a lot farther. So now there's actually this robust education and templates library within the Diligent One platform.

And so basically, if you're a Diligent One platform customer, you have access to it.

00:03:58:18 - 00:04:28:20

Dottie Schindlinger

And if you are a customer and listening to this show, and you don't know this, reach out to your customer service rep, talk to your corporate secretary, talk to whomever in your company manages your contract because you should have access to this.

And what's in that library are many things, including templates for things like usage policies, um, short courses that might take you. Somewhere between 10 minutes and a half an hour to go through, just to get yourself a little bit better versed on things like the regulatory landscape or just some of the basics of how AI technology works within companies.

00:04:28:22 - 00:04:55:18

Dottie Schindlinger

And there's also, um, quite a lot of expert led content in there. It's not just stuff that we wrote on our own. It, you know, we go out, uh, what we always do, we put together educational programs. We try to find the brightest minds out there, ask them to help us think about how should we do this, and have, have them on camera, you know, get them on camera talking about the issues, and really breaking down these complex topics in ways that are accessible for leaders, for frontline workers, for everybody.

00:04:55:18 - 00:05:06:22

Dottie Schindlinger

So I think it's really important to take a look at that. You know, we try to make sure everything is done, accredited with continuing legal education and CPE credits, and just try to help people get, you know, ahead of the curve. So,

00:05:06:22 - 00:05:11:03

Dottie Schindlinger

you know, if you haven't taken a look at it, sorry for the shameless plug, but I'm really proud of it.

00:05:11:03 - 00:05:22:17

Dottie Schindlinger

You know, it's really good work, and it feels very important to me because I think so many companies right now are just providing technology and saying, good luck. And that's not enough. That's not enough. We're trying to do more than that.

00:05:22:17 - 00:05:40:10

Meghan Day

Would like to correct my, my metaphor before, my analogy. I, the English major me, can't remember which one is which at this time. I said parachute, but it's not really a parachute. We're giving people, like, putting them on a rocket ship, giving them a jetpack and saying like, good luck, see ya in outer space.

00:05:42:12 - 00:05:43:04

Meghan Day

Like, it is the brave new world.

00:05:43:04 - 00:05:46:22

Meghan Day

And we're just sort of throwing people out into the great unknown.

00:05:46:21 - 00:06:09:19

Dottie Schindlinger

Yeah, so listen, um, definitely check it out just to kinda give a couple of specifics, right? You can get in there, you can find, um, content from governance experts like GEC Risk Advisory, Global Data Innovation, Numerati Partners, a number of others. Short video content as well as written content, interactive exercises. There's thought experiments to help you apply what you're learning to potential scenarios.

00:06:09:21 - 00:06:15:18

Dottie Schindlinger

Okay, that's it, Meghan, I swear that's the plug over. I just really wanted to make sure to tell people about it in case they weren't aware.

00:06:15:18 - 00:06:19:14

Meghan Day

We bring all of this up because we have a great conversation today with, friend of

00:06:20:00 - 00:06:39:01

Dottie Schindlinger

Right. Nick Shevelyov, um, he's the Founding and Managing Partner at vCSO AI, which is interestingly a cybersecurity executive advisory firm that really focuses on the, the sort of confluence of cyber and AI, which I think is a really perfect topic for us to talk about today. So why don't we give it a listen and come back and talk about it after.

00:06:39:05 - 00:06:40:02

Meghan Day

Great.

00:06:47:20 - 00:07:11:01

Dottie Schindlinger

Joining us on the Corporate Director podcast today is Nick Shevelyov. Nick is Founder and Managing Partner at vCSO.AI, a cybersecurity executive advisory firm. Nick is also a board member at Cofense and the Bay Area CSO Council, and he's also the author of “Cyber War...and Peace.” Nick also served as a former Global Bank CSO. Nick, thank you so much for joining us on the show.

00:07:11:05 - 00:07:13:03

Nick Shevelyov

Great to be here, Dottie. Thanks for having me.

00:07:13:12 - 00:07:26:00

Dottie Schindlinger

Well, you know what? I just ran through a couple of highlights of your career. You've done a lot of interesting things, and I wondered if you could start by giving us a little more context and a little bit more background about some of the things that you've done in the cybersecurity space.

00:07:26:02 - 00:07:54:19

Nick Shevelyov

My pleasure, Dottie, 30 years in cybersecurity, the first seven technical in nature building networks, and then ultimately breaking into them with a, uh, US secret clearance working, uh, for US government agencies. Five years at Deloitte doing strategic management consulting for financial services and technology companies. And then from 2007 to 2021, I was the Chief Security Officer for Silicon Valley Bank, the global bank of the innovation economy,

00:07:54:19 - 00:08:16:08

Nick Shevelyov

and at one point we banked 80% of the top tier venture capital and private equity intellectual property around the world. We were the only US bank with a joint venture with China.

And I served in that capacity for 15 years. For a couple years, I was also Chief Information Officer to adopt public cloud and agile software methodologies safely.

00:08:16:10 - 00:08:38:08

Nick Shevelyov

I stepped down in 2021 to publish a book, “Cyber War...and Peace: Building Digital Trust Today with History As Our Guide.” Takes lessons from history and behavioral science and translates them how to think about cyber risk, and I started vCSO AI and we're a boutique cybersecurity consulting firm. We help executives think through cyber strategy and we help cybersecurity product companies build better products.

00:08:38:08 - 00:08:52:07

Nick Shevelyov

Something I did for many years at Silicon Valley Bank, early days of Palo Alto Networks, Zscaler and CrowdStrike. I was there as a design partner and use those products, and now I do that independently within my own, uh, company. So glad to be here. Dottie.

00:08:52:15 - 00:09:07:00

Dottie Schindlinger

Well, Nick, I'm delighted to have you back on the show. I know you joined us pretty shortly after you had published “Cyber War...and Peace,” and we had an opportunity to talk about your book, which is by the way, folks, a really good read. So you should absolutely check it out. It's a really, really good book.

00:09:07:00 - 00:09:15:04

Dottie Schindlinger

But I was eager to have you back on the show, because I feel like a lot is changing in the world of cybersecurity, in large part because of generative AI.

00:09:15:04 - 00:09:32:13

Dottie Schindlinger

And so I want to focus a little bit of time today with you on, you know, this idea that there's rapid adoption of AI, it's changed a lot about the business landscape already, and yet it feels like we're still at the very beginning stages of how it's going to change the business landscape. But I think it's also had a pretty profound,

00:09:32:13 - 00:09:42:17

Dottie Schindlinger

contribution to the cybersecurity landscape, both in terms of what the threat landscape looks like, but also in terms of our ability to fight would-be attackers.

00:09:42:18 - 00:09:50:15

Dottie Schindlinger

So talk to us a little bit about what are some of the things we need to know about how AI is changing the cyber world.

00:09:50:22 - 00:10:15:02

Nick Shevelyov

Yeah, great question. Very topical. So, as part of my practice, as I host, uh, Chief Security Officer dinners on a regular basis, uh, and I ask this very question of the operational practitioning CSOs, and, uh, the common themes that come out, uh, from CSOs from large organizations is that generative AI

00:10:15:02 - 00:10:27:23

Nick Shevelyov

empowered everyone. It made developers be able to develop faster and in parallel with gen AI, but it also made the bad guys, the threat actors be able to scale.

00:10:28:01 - 00:10:58:14

Nick Shevelyov

So think about it in the past where someone who wasn't necessarily a native English speaker, uh, they would have to do research, they'd craft a targeted spear phishing attack, and they target an individual. Now with gen AI, you can have all that crafted for you at scale, and you can target individuals at scale. And so one of the top threats that organizations are seeing today are really well crafted spear phishing attacks at scale.

00:10:58:14 - 00:11:04:16

Nick Shevelyov

So that's one of the things that they're seeing. And the other are the deep fakes. It's

00:11:04:16 - 00:11:17:10

Nick Shevelyov

sort of the imitation of someone's voice or the, uh, their face or something to, uh, build trust for you to authenticate them and then commit some sort of malfeasance and, uh,

00:11:17:10 - 00:11:24:22

Nick Shevelyov

that is happening on a regular basis. And so you're seeing, uh, the increase in targeted spear phishing attacks,

00:11:24:22 - 00:11:36:21

Nick Shevelyov

and phishing remains the number one cyber threat and an increase in deep fakes used to, uh, trick organizations typically into moving money.

00:11:36:23 - 00:12:03:13

Nick Shevelyov

We faced business email compromise for many years where someone with the authority to move money outside an organization got an email from someone pretending to be the CFO or the CEO. Now you're seeing video transmissions, Zoom calls requesting those money transfers and they're really fakes. So those are some of the top threats that organizations are seeing today and need to prepare themselves against.

00:12:03:13 - 00:12:04:14

Dottie Schindlinger

I mean, those threats

00:12:04:14 - 00:12:22:15

Dottie Schindlinger

are going to keep me up at night. Of course. I mean, you know, they seem so easy now. I mean, there's so much of the technology that has come so far. These things are able to be launched by really anyone. To your point, you know, to even be a native English speaker in order to launch an attack among a company that speaks English.

00:12:22:15 - 00:12:40:19

Dottie Schindlinger

Right. It's really gotten so easy. But I also wanted to ask you about some of the ways that AI is also helping to fight some of these new kinds of threats. Right? Because I think that there are AI fueled tools that can also give you a little bit of an advantage over some of the traditional methods of fighting cybercrime.

00:12:40:19 - 00:12:43:23

Dottie Schindlinger

So maybe you could talk a little bit about some of the pros or some of the,

00:12:43:23 - 00:12:47:16

Dottie Schindlinger

the less scary aspects of AI when it comes to the cyber landscape.

00:12:47:20 - 00:13:11:12

Nick Shevelyov

You know, absolutely. And there's new technologies being invented in this AI era. So we kind of came through the cloud era where everyone was migrating to the cloud and now we're in the AI era where organizations are trying to figure out how can they adopt AI, uh, to be more effective in many different ways, one of which is in cyber security.

00:13:11:12 - 00:13:12:13

Nick Shevelyov

Um, and, and so. Uh,

00:13:12:13 - 00:13:12:19

Nick Shevelyov

the

00:13:12:19 - 00:13:28:20

Nick Shevelyov

very technology that empowers us may also imperil us. And we have to think about the trade-offs and the AIs that companies are deploying are typically only as effective as the data they have access to. So you need to have,

00:13:28:20 - 00:13:36:14

Nick Shevelyov

clean, uh, labeled data that your AI can source in order to produce some sort of outcome

00:13:36:14 - 00:13:38:19

Nick Shevelyov

and produce some sort of workflow.

00:13:38:19 - 00:14:10:20

Nick Shevelyov

And so, uh, what's interesting is that the architecture of certain solutions have greater advantages than others. So, for example, Endpoint Detection and Remediation. EDR is the next generation antivirus. It's on our endpoints and it has direct access to the activity on that endpoint making EDRs much more effective in the age of AI. So that's based on the architecture.

00:14:10:22 - 00:14:33:21

Nick Shevelyov

Uh, but there are other architectures such as cloud native architectures that are, uh, application programming interfaces, APIs, connections, which are point to point, that block access to certain data points, depending on your privileges, making it much more difficult to leverage AI solutions in the cloud. So I would say that there's,

00:14:33:21 - 00:14:40:07

Nick Shevelyov

lots of use cases that organizations can leverage AI to be more effective.

00:14:40:07 - 00:14:50:17

Nick Shevelyov

Especially, uh, in including cybersecurity. You have to analyze the workflows that the AI is producing and the data that

00:14:50:17 - 00:14:56:12

Nick Shevelyov

it has access to. Make sure that you have the right controls in place.

Uh,

00:14:56:12 - 00:14:58:16

Nick Shevelyov

and when I think about cybersecurity. Um,

00:14:58:16 - 00:15:08:02

Nick Shevelyov

I think about the, the capability that you have, the configuration of the capability, uh, and then the coverage that it has.

00:15:08:04 - 00:15:27:03

Nick Shevelyov

And so if you use those three Cs and you analyze how you're leveraging AI native cybersecurity solutions, then you can start to gauge how effective those solutions are, um, in parallel with adopting it through other workflows within your organization.

So those are simple ways to think about it.

00:15:27:03 - 00:15:47:11

Dottie Schindlinger

I think it's also really helpful to provide some examples. Right. I'm thinking about the directors that listen to this show. I think a really helpful example and illustrative example could be really useful. So could you give a specific example of, you know, one situation where AI successfully detected or prevented a cyber attack that a traditional method might have missed?

00:15:48:06 - 00:16:02:11

Nick Shevelyov

I think that, um, you're, when you have SIEMs, right, these are large pools of data. What you're seeing is that once you gather these logs in a centralized location,

00:16:02:11 - 00:16:35:04

Nick Shevelyov

um, having, um, an effective AI system access those, uh, and respond faster are use cases that you're seeing within organizations. And so here, here's an example, is the legacy security operation center, where a human sits in front of a screen and looks at lots of different alerts, and then takes their mouse and their keyboard and acts and responds to an attack that has been augmented with AI that monitors those alerts.

00:16:35:06 - 00:17:07:06

Nick Shevelyov

I mentioned EDR earlier. Your EDR sends off an alert that used to be that a human would then respond to it, and that could take minutes and hours. And so that's your mean time to detection, your mean time to response. That's typically in the minutes and hours. You're now seeing AI technologies called managed detection and response, auto monitor these EDR alerts and auto respond in seconds, not minutes and hours.

00:17:07:06 - 00:17:23:00

Nick Shevelyov

So these are examples of real technology that's been deployed now for a couple of years that is bringing down the mean time to detection and the mean time to response on attacks in your network.

00:17:23:07 - 00:17:43:02

Dottie Schindlinger

That is a great example. Yeah. Thank you for that. I wanted to also just have you. Look, this is something you spend all day, every day thinking about, right? The cyber landscape and what's changing. What's evolving. So speaking to board members, what are some of the things that you see as the biggest opportunities and challenges in the cyber threat landscape right now?

00:17:43:02 - 00:17:46:18

Dottie Schindlinger

What are some of the things that board members should be paying attention to?

00:17:46:18 - 00:18:00:10

Nick Shevelyov

Do we have someone on the board that understands this technology? Do we understand what is being shared with us in terms of the risks and the rewards?

00:18:00:10 - 00:18:19:11

Nick Shevelyov

And do we have a plan? Like, are we adopting this and are we learning from adoption because there are features in these technologies that are going to give you more accurate forecasting, more effective predictive analytics.

00:18:19:11 - 00:18:34:06

Nick Shevelyov

And once you have these new insights, how do you ingest them? How do you think about them? How do you incorporate them into your decision making process? So I think those are

00:18:34:06 - 00:18:38:15

Nick Shevelyov

points for boards to think about is having someone,

00:18:38:15 - 00:18:56:06

Nick Shevelyov

who understands the technology on the board having, good discourse on how they're going to measure the effectiveness of the adoption of the technology, how they're going to receive reporting, and how are we actually going to improve our effectiveness.

00:18:56:08 - 00:19:17:22

Nick Shevelyov

And have greater insights and make better informed decisions? I think that's a healthy dialog and also a healthy way to adopt a very rapidly changing space, right? It seems like the space is changing at a rate faster than any other technology that we've experienced. And something I mentioned in the book,

00:19:17:22 - 00:19:29:22

Nick Shevelyov

years ago, Dottie, and I'll repeat today, is that the rate of change that we are experiencing today is likely the slowest rate of change that we will ever experience again.

00:19:30:00 - 00:19:31:07

Nick Shevelyov

It's just compounding

00:19:31:20 - 00:19:37:06

Dottie Schindlinger

It makes me want to retire right now.

00:19:37:08 - 00:19:41:14

Dottie Schindlinger

I love it. We're just getting warmed up. Well, listen, you know, I know that

00:19:41:14 - 00:19:46:12

Dottie Schindlinger

some organizations hopefully fewer these days, but some organizations have some concerns about

00:19:46:12 - 00:20:02:11

Dottie Schindlinger

overreliance on automation for security, right? They want to make sure there's a human in the system and keep the human being at the center of the system. So what are some of the key limitations or risks for companies that are incorporating AI and machine learning into cyber security programs?

00:20:03:01 - 00:20:19:01

Nick Shevelyov

I think you want to understand what processes that you want traceability and explainability for, right? And why? Why do you want traceability and explainability? And then you probably want to establish,

00:20:19:01 - 00:20:37:15

Nick Shevelyov

thresholds for when intervention is required. So that which may be automated should be automated, but then controls should be put into place to measure deviations from means that we decide to be critical.

00:20:37:15 - 00:20:48:07

Nick Shevelyov

So, if there is a process that needs to execute and it needs to be done in an automated fashion, we want to establish controls,

00:20:48:07 - 00:21:06:02

Nick Shevelyov

that monitor deviations from the mean of that process. And establish a measurements program so that which, you know, you should think about measurements in terms of managing effectiveness. So, I can't manage something I don't measure.

00:21:06:03 - 00:21:36:22

Nick Shevelyov

And I would argue I can't measure something I don't know how to manage. So determining what should be measured, why it should be measured, and how it should be measured in order to have reporting to the board to understand are we adopting new technology effectively and safely and where we need traceability and accountability? We have it right. And having that critical discourse internally, I think those are all healthy discussions at the board level.

00:21:37:07 - 00:21:52:23

Dottie Schindlinger

I want to pick up on that last thread there, Nick. Because, you know, the idea of having the CSO do better reporting to the board. It's something I know you and I have talked about before and how incredibly important that is. And I know certainly it's important in large part because you've got a lot of board members who don't come from a technical background.

00:21:53:04 - 00:22:09:21

Dottie Schindlinger

But it's also important from the perspective of the CSO being able to report things in ways that mean something to the board. Meaning, how does this tie to what the company does for a living, right? So really making sure that it's tied into business strategy when they're talking about the cybersecurity program. So do you have any,

00:22:09:21 - 00:22:22:04

Dottie Schindlinger

kind of specific recommendations you would make, either to board members or to CSOs about how they can do a better job on, you know, asking the right questions and reporting on these really critical issues at the board level.

00:22:22:08 - 00:22:48:01

Nick Shevelyov

I'll tie this into more modern software delivery methodologies. So I mentioned for a couple of years I was also CIO and as a CIO and agile software delivery methodology is just a more modern, iterative way of producing software. And I thought about the world as the planned business projects that I was delivering on, the planned technology in support of those business projects.

00:22:48:03 - 00:23:10:06

Nick Shevelyov

The third type of work is planned change in the organization. And the fourth type of work was unplanned work, also known as anti-planned work. The more unplanned work I had, the more it erodes my ability to deliver on planned work and security should be protecting to enable planned work outcomes.

00:23:10:06 - 00:23:18:03

Nick Shevelyov

And so boards can ask themselves is how well are we delivering on planned work, how much of it is,

00:23:18:03 - 00:23:20:08

Nick Shevelyov

unplanned or anti planned work?

00:23:20:13 - 00:23:50:02

Nick Shevelyov

Where can we use new technologies to reduce our uncertainty on delivering on planned work? How do we make people more effective? How can we create automation loops and have humans overseeing the loop and intervene as needed with the appropriate abilities and privileges? So those are more broad strategic discussions that can have the tie in to really credible methodologies.

00:23:50:02 - 00:24:20:19

Nick Shevelyov

And agile has been around now for 20 plus years. A lot of more modern software delivery organizations have adopted it. Agile lets you build software in a more iterative fashion and you can tie in. There's a lot of new tools, in AI, that help you deliver on software faster. In fact, this is one of the most intriguing elements today is that you've got AI solutions that you can you can verbally just share what you want to build.

00:24:20:19 - 00:24:37:17

Nick Shevelyov

They'll build the policy. You can convert the policy into code. You can take the policy as code and put it into a new AI software development platform. It will create the software for you, and then you can have a separate AI to QA it.

00:24:37:17 - 00:24:45:14

Nick Shevelyov

And so there's different ways to, you know, take these new technologies and daisy chain them together to be more effective.

00:24:45:16 - 00:25:10:20

Nick Shevelyov

I like to take, two different, phones. I have one running one AI and one running another, and I give them each a role to play. I have one being a product designer, one being a software developer. And I give them the roles and I tell them the problem that they're trying to solve. And I put the two phones away and I let them problem solve overnight, and then they come back with a solution the next day.

00:25:10:20 - 00:25:16:09

Nick Shevelyov

That's one way of doing it. But there's lots of different other new ways of working today

00:25:16:09 - 00:25:18:07

Nick Shevelyov

leveraging these new technologies.

00:25:18:13 - 00:25:35:15

Dottie Schindlinger

Well, you just gave us a great list of discussion points at the board level. But just in that last example you were giving, you know, having the two phones sort of teaching each other. I mean, it goes back to something you said earlier, which is now cyber criminals have access to this technology, too, so they can just, you know, plain language, speak what they want to do to your system.

00:25:35:15 - 00:25:51:12

Dottie Schindlinger

And AI can go build that software and go launch an attack. So what would be some things you might recommend as effective cyber defense strategies, given, you know, the state of AI technology investment and where we're heading? Well, what should boards be thinking about? What should they be doing?

00:25:51:12 - 00:25:58:19

Nick Shevelyov

They should be thinking about. It's a combination of what's the latest generation technology that we should be exploring

00:25:58:19 - 00:26:11:20

Nick Shevelyov

that's been created in the last 2 or 3 years? That's AI native that moves at the speed of the AI threat actors. But it's also good old fashioned cyber hygiene. So ransomware is just,

00:26:11:20 - 00:26:16:11

Nick Shevelyov

disk encryption that you don't have the key to, but it's still plaguing organizations.

00:26:16:13 - 00:26:20:23

Nick Shevelyov

And organizations are paying hundreds of millions and billions of dollars in

00:26:20:23 - 00:26:23:18

Nick Shevelyov

ransomware or, related costs.

00:26:23:18 - 00:26:45:08

Nick Shevelyov

And but you know, what gets you out of that trouble is effective backups, right? If you take what's really important for your organization and you back it up effectively, and you keep it in separate environments with separate credentials, and you validate it and you do recovery on a regular basis, that'll save you in a ransomware attack.

00:26:45:08 - 00:26:53:12

Nick Shevelyov

And so we're seeing a lot more of these AI fueled ransomware attacks leveraging the attack vectors we talked about earlier.

00:26:53:12 - 00:27:08:10

Nick Shevelyov

But, good old backups and good hygiene, are what's saving a lot of organizations. So I would say it, think about the latest and greatest, and newest technology and have that as part of the discussion.

00:27:08:12 - 00:27:20:17

Nick Shevelyov

But also good old fashioned cyber hygiene, needs to be front and center, you know, excellence in the basics, right? What are the basics and have excellence in those basics is key.

00:27:20:19 - 00:27:21:16

Dottie Schindlinger

I love that.

00:27:21:16 - 00:27:28:23

Dottie Schindlinger

Well, Nick, it's been so great to catch back up with you and find out what you're up to these days. And thank you so much for providing so many practical tips for our directors.

00:27:29:03 - 00:27:33:11

Nick Shevelyov

My pleasure. Dottie. Glad to be here. Thank you for having me. Great catching up with you again.

00:27:33:19 - 00:27:44:08

Dottie Schindlinger

We've been joined today by Nick Shevelyov, who's the Founder and Managing Partner at vCSO AI, a cybersecurity executive advisory firm. Nick, thank you so much for joining us on the show.

00:27:44:17 - 00:27:46:05

Nick Shevelyov

Thank you. Dottie.

00:27:54:22 - 00:28:06:06

Meghan Day

Great food for thought, Dottie. I mean, it brings up this question that I feel like we're starting to have again, do boards need to have an AI expert at the

00:28:07:02 - 00:28:25:02

Dottie Schindlinger

Boy, we've wrestled with that one a lot, have we, Meghan? And you could have put in fill-in-the-blank expert at the table. Right? We talked about this so many times, and I don't know if my thinking's evolved on this over time. Here's what I sort of think, right? I always go back to the research that Dr. Peter Weill did at MIT on digitally savvy board members.

00:28:25:02 - 00:28:46:19

Dottie Schindlinger

Right. And that research was just so clear. Once you have three digitally savvy board members in the room, everything goes better. Your growth goes off the charts. You know, your risk goes way down, the company explodes. And so I don't know whether it's having a specific expert and fill in the blank topic, or whether it's just making sure that the people that you are bringing on your board are digitally savvy.

00:28:47:01 - 00:29:07:17

Dottie Schindlinger

Like, do they have sort of that basic grounding and understanding? Do they have that pedigree in that background, not just of having been any type of CEO or any type of CIO, but really kind of thinking and, you know, sort of these future ready ways and having that skill set. And I just think it's become critical for every executive now to be digitally savvy.

00:29:07:17 - 00:29:16:08

Dottie Schindlinger

I don't think you can really be a successful executive if you're not these days. That's a bold statement, but I think that might end up being true. What do you think?

00:29:16:08 - 00:29:23:19

Meghan Day

Completely agree with you, Dottie. And I think, you know, we have seen this. As you said before, the fill in the blank with the cyber with,

00:29:23:18 - 00:29:30:05

Meghan Day

H.R., with any sort of, I don't want to say niche subject matter, because it's much more than that.

00:29:30:04 - 00:29:31:16

Meghan Day

is,

00:29:31:15 - 00:29:35:00

Meghan Day

this idea of a board member being a generalist versus a specialist.

00:29:35:00 - 00:29:54:11

Meghan Day

So I it just again comes back to the balance that you need to strike on your board. And increasingly, as executives get more experience with technology, with AI, with cybersecurity, that I think naturally the boardroom will start to fill up with people that have a much stronger grounding in all of these topics.

00:29:54:17 - 00:30:15:05

Dottie Schindlinger

And here's the difference, right? Okay. If you've got someone on your board who has a grounding in some of these topics. Look, you're still going to bring experts in the boardroom, right? You're still going to bring in outside consultants to handle specific issues that your company is dealing with. But if you have someone in the boardroom that understands that subject matter, first of all, they're going to have a network of really good experts you can draw from, right?

00:30:15:05 - 00:30:24:13

Dottie Schindlinger

So they're not just going to call up, you know, the garden variety consulting firms and say, send us your best. They're going to they're going to know people and they're also going to know how does that the quality of the

00:30:24:13 - 00:30:34:15

Dottie Schindlinger

consultation that you hire, right? Because sometimes and I hate to say it, but I don't know if you noticed this, Meghan, suddenly last year, did you notice everybody was an AI expert?

00:30:34:17 - 00:30:54:06

Dottie Schindlinger

I mean, and I can tell you this from my own experience, I can't tell you how many speaking gigs I turned down because I was like, guys, I'm not an AI expert. Like, just because I've written a couple of reports on surveys that we've done does not make me an AI expert. Stop positioning me this way. And the truth is, I think people are just so desperate to get information on this hot new topic.

00:30:54:08 - 00:31:14:20

Dottie Schindlinger

They're willing to listen to anybody who sounds vaguely intelligent and interesting. And that's not a bar high enough for boards. And so I think that's where the difference happens. It's when you've got someone who actually knows how to qualify the level of expertise you're bringing in the boardroom. You know, that requires some experience. It requires you to have a basis of knowledge to be able to make that judgment call.

00:31:14:20 - 00:31:19:02

Meghan Day

Yeah. And I honestly, I I'm to backpedal for the second time in this episode

00:31:20:07 - 00:31:25:11

Meghan Day

recant what I said. I mean, I actually want to stop calling it a topic or,

00:31:25:10 - 00:31:33:18

Meghan Day

an area of expertise in some way, because what AI is doing is it is upending business models.

00:31:34:16 - 00:31:39:05

Meghan Day

is like the conversation we had ten years ago around digital transformation in the boardroom.

00:31:39:05 - 00:31:42:22

Meghan Day

And it's that conversation on steroids

00:31:43:00 - 00:31:45:23

Dottie Schindlinger

Yeah. It's. Yeah.

00:31:45:23 - 00:31:57:09

Meghan Day

company operates. And in ten years from now, all companies will be AI companies. And so how do you equip yourself for the right people around the room to have that conversation?

00:31:57:08 - 00:32:16:03

Dottie Schindlinger

Yeah. I mean, it's the best. The best equivalent that I can think of is the internet. You know, there's literally nothing that you do. Doesn't involve the internet. And that wasn't true in 1990. And, you know, some of us remember working back then and it was a different world. It was a different world. But we all came around.

00:32:16:03 - 00:32:31:08

Dottie Schindlinger

It took us some time. It took some longer than others, but it took some time. And those that took too long, they're not around anymore. Those companies are gone. I think it's the same thing. You know, AI is going to very quickly become technological DNA. In fact, I think it pretty much has at this point. It is there.

00:32:31:08 - 00:32:53:09

Dottie Schindlinger

It's not necessarily in every single system, but I think you'd be hard pressed to find a single piece of code that hasn't been written partially by AI these days. I mean, why would you write code manually anymore? I mean, why, you know, it would take you several times longer and be full of errors. So it's, I don't know, it's interesting, but with that said, I do think,

00:32:53:09 - 00:32:59:00

Dottie Schindlinger

talking to people like Nick, it's so important because there are all these things that can go dreadfully awry.

Dottie Schindlinger

And you do have to think about the implications of all of these changes, all these rapid changes and all the hype and all the excitement, which is really easy to get swept up into. But you still have to have guardrails, you have to have guardrails. Things can go so badly wrong so quickly anyway. How do our conversations always turn to like, doom and gloom?

Dottie Schindlinger

I think it's my fault. It's not my fault. I'm sorry about that, Meghan.

Meghan Day

Despite your peppy voice, you are just full of doom and gloom.

Dottie Schindlinger

All right. Like the Pollyanna for the apocalypse. Well, that wraps up another episode of the Corporate Director Podcast, the Voice of Modern Governance, like to say a few special thank yous, first and foremost, to our cyber and AI expert, Nick Shevelyov, podcast producers, Kira Ciccarelli, Steve Claydon, and Laura Klein.

Our sponsors for the show, PwC, KPMG, Wilson Sonsini, and Meridian Compensation Partners.

Dottie Schindlinger

And most especially, thank you to Diligent. If you like our show, please be sure to give us a rating on your podcast player of choice. Five stars only, please. You can also listen to our episodes and see more from The Diligent Institute by going to diligent.com/resources.

Thank you so much for listening.

Narrator

You've been listening to the Corporate Director podcast. To ensure that you never miss an episode, subscribe to the show in your favorite podcast player. If you'd like to learn more about corporate governance and tools to help directors do their job better, visit www.diligent.com. Thank you so much for listening. Until next time.

Guests
Nick Shevelyov
CEO and Managing Partner, vCSO

Also in this episode:

  • Generative AI has empowered both developers and threat actors, making it easier for attackers to launch sophisticated spear phishing attacks and deep fakes at scale.
  • Effective cyber defense strategies include balancing investment in latest-generation AI-native technologies with good cyber hygiene practices like effective backups and regular security checks.
  • Organizations should establish controls to monitor deviations from expected processes and maintain traceability and explainability where necessary.

© 2025 Diligent Corporation. All rights reserved.