Rethinking Cybersecurity: From Awareness to Empowerment
In this episode, host Raghu Nandakumara sits down with Kyla Guru, a Stanford University student and passionate cybersecurity advocate. Kyla's journey started at the age of 14, leading her to found Bits N' Bytes Cybersecurity Education. She shares the importance of proactive cyber education, insights from her work with government and private sector organizations, and the role of AI in cybersecurity defense. Kyla also emphasizes integrating security into product development and the significance of grassroots community engagement in fostering cybersecurity awareness.
Transcript
00:00
So, again, another episode of The Segment. This time, I'm super excited to welcome Kyla Guru. She has the most incredible background and incredible story. So, without further ado, I want to just get straight into that. Kyla, welcome to The Segment.
00:19
Thank you. Thank you, Raghu. And thank you for having me, Illumio.
00:23
It's our pleasure to have you on this podcast. And I mean, normally, we have a little intro that I generate about our guest, but I think only you could do it justice. So, tell us about your background. I'll leave the question at that.
00:42
Yeah, I can take you back to where it all began. So, I'm Kyla, and I am a student right now at Stanford University. I studied Computer Science and International Relations. And I am now a Master's student. But back in the day, way back when I was 14 years old, that's when my journey in cyber really began. I was entering high school, I think it was the very beginning of freshman year. And I was starting to get interested in cybersecurity. I did a couple of summer camps in cyber. I just, I got super interested, and I just Googled summer camps near me in cyber. And I found the nearest one, and I went to it. And from that, that's really what kicked off this larger journey. And the journey kind of came, when I came back from the summer camp, I realized that these were lessons that I learned that were not just isolated or should not just be isolated to one week of learning at a summer camp. It felt to me that this is the kind of common knowledge that people should have in mind as they're going through the internet. And it really was just that one thought that occurred to me, and from then I started looking at, okay, how can we actually educate individuals about these kinds of cyber threats, these cyber risks in their own lives, and empower them to feel like when they're on the internet they can exercise the skills that they've learned. So, I looked into existing cyber education programs in my area and NGOs (non-governmental organizations) that existed. And at the time, a lot of the things that I saw online were very reactive and not proactively educating individuals, just for the sake of educating them. And when I talked to my local CIO and CISO of my neighborhood, they also mentioned that a lot of the efforts that they took were reactive. And that's when I was like, okay, maybe it's time that somebody did something a little bit more on the proactive side.
So, I started looking at how I could spin up a cyber education program on a very local level, just biking to my local elementary school and providing them 5- or 10-minute lessons whenever the kids were free. And that really snowballed into what is now today BitsNBytes Cybersecurity Education nonprofit, which is, I'm happy to say, an international nonprofit that's dedicated to working on cyber education and making cyber education more accessible for all populations across the board. So, long story short, I have been leading these education efforts for quite some time now, almost eight years. And along the way, I also started a women's tech conference called GirlCon conference. That was because I somehow realized, like, whenever I would go into these rooms of cyber professionals, there was a jarring imbalance between the men and women in the room. And the gender imbalance was pretty prominent, especially in rooms as I escalated the levels and went to levels of like board levels or CEO level, C-level conversations. I noticed just this like very jarring shift. So, from then I started a women's tech conference. So that is also running today. We just had our seventh annual event, so continuing to grow in the community, and I myself personally continuing to grow as a leader and a learner. So very exciting journey.
04:15
Okay I'm just, I'm just in awe of all of that. So let me just take a moment to just sort of let that sink in. I want to go back, because I want to explore lots of what you just said in a bit more detail. But let's go back to 14 and you said you got interested in cyber. So, I have young kids and my and our oldest is not much younger than 14. And he's not particularly interested in cyber. So, what got you hooked, like what attracted you to it?
04:50
Yeah, that's a great question. I think it was honestly these dinner conversations that my family would have. And my dad used to be a fraud investigator in Canada. He is not a cyber professional, but he is an accountant by trade, by training. And just because of that, he is privy to things like money fraud and financial crime. So, he used to start to talk about these things, and he one day took me to one of his professional events where they brought in a speaker, and the speaker was an ex-financial criminal, and he was kind of discussing his way of working and why he did what he did. And he was informing a whole room of accountants about, okay, here's how you do due diligence and do auditing for next time. It was conversations like that, that made me initially kind of interested in, what is this space? Who are the people that try and defend against these things and understand these, these individuals? And I really think it could have gone the other way where I wasn't interested in cyber, but it was something about that first camp that I did at GenCyber. And I think a part of it was that they just showed us professors, for example, professors who were doing digital forensics and professors who are looking at the psychology behind cybercriminals, just very cool parts, and it just seemed very interdisciplinary to me. Like you didn't need to just be a computer science professional to understand this field or to be an expert in this field. And that was exciting, that it seemed like a little bit of everything. And, yeah, but I think it varies for everyone. I would say like, maybe having kids watch more like movies, like the spy movies, also helps. Oh, one of the things I did do when I was younger was I watched the show called The Arrow. And in The Arrow, there's a hacker woman who helps the superhero. And she's kind of the savior underground who saves the day doing all the little like logistics, like go here, tag this man, like things like that.
And so I saw Felicity Smoak, and I really could see myself, like that was the first time that I could see myself represented through media. And that's when I was like, okay, maybe this is something that I could actually do. And this would be really, really cool. So that's, that's also a part of it, I think.
07:22
I think, definitely, I think cyber could do with a lot more of the image of being cool. In a way that, to some extent, sort of the startup culture has made becoming a developer be cool, right? Which it definitely wasn't a cool profession 30 years ago. But now it's kind of everyone wants to be, wants to be a developer. That's, that's incredible. So, and then you spoke about how you sort of went down and you spoke to the CISO, or the CIO, of your local, your local community. And their reaction was a lot about cyber education. How we talk about cyber is very, very reactive. So, something bad happens and then we react to it and say, “oh, like let's avoid this in the future”, let's use passwords, as an example. Yes. Don't use your pet's name as a password, right, go and change it, et cetera. So, what were the things that you started to introduce that, that got on that sort of proactive approach to cyber education?
08:28
Yeah, and initially, it was, it started super small, right? The thing that the school agreed to, and obviously along this path, it was a partnership with this first school, and the school kind of had to agree when I proposed some things. So, the first thing was a five-minute informational video that was animated for the students. And so, I made this video, I think it was on like this very old animation software, and I went into the schools to present it. And it was that like, reaction to the presentation that I think kicked off a lot more dominoes. Like the first reaction, the students were just very engaged, interacting, asking questions like, “What kind of passwords are you talking about?” “Should I care about my email password? I have an email account with the school,” like very critical thinking questions. You could tell that they were starting to think about how security fit into their lives. And that's when I was like, okay, you know, maybe this could be something that's relevant to other schools, like not just these students in my own community. Because my community was pretty forward leaning, like we had Chromebooks and devices, one-to-one for students. And I just imagined, like, all the different communities on the spectrum of tech accessibility. I figured if we're not doing much cyber education, then I can't imagine, you know, broadly what cyber education looks like. So, at the time, we didn't have a K12 standard curriculum for cyber. So that is what kicked it off. And then from then I started a website; I started pushing out more resources. It was really the first domino, I would say.
10:11
And I'd say that cyber education is so, so important. And in the corporate world, like every organization, large and small, has some form of security awareness training, right, that you test on an annual basis. And it's great. And I've seen it in my kids' schools, where, from a very young age, there's talk about being safe online, being secure online. But my question is always, and awareness is so important, but how do we measure the impact of that? So yes, we all know that, like, we should have strong passwords, for example, or in this case, we sort of talked about, like, moving to passphrases, or even passwordless, which is a big movement at the moment. But how are we measuring the effectiveness of awareness? And how do we know it's actually having an impact and improving cybersecurity?
11:09
Impact is hard to measure. It's, it's probably the hardest question that NGOs and nonprofits deal with too, is, how do you know that what you're educating about really doesn't happen? Because the ultimate measure of success is a reduction in cybercrime or reduction in cyber threats. And that's even for folks in industry, that's a very hard thing to measure. So, I would say, a couple of ways that we mitigate that is, we have immediate measurements. So short-term measurements, for example, we send out a survey right after our programs, and that captures a lot of the immediate, like, do you feel more safe after the session? Would you like to see more of this content? That sort of immediate reaction. And then we also, in that, we ask them questions that are sort of getting at, like, what did they actually learn through the session? Sometimes we do some multiple choice to just see, are they picking up on the content and are they having an awareness of it. And then we also do kind of longer-term programming where we can see students multiple times, or we see students the next year, the following year, and we also see, okay, like longitudinal studies of like, do they feel like they are more likely to go into cyber because of these programs. And that part is, like, through qualitative and quantitative measures. Like talking to them and chatting with them about how their year has been and how BitsNBytes has impacted them. And then also quantitatively through those surveys. So, it's a little bit of both, I would say. In general, a lot of the impact for NGOs broadly, and for BitsNBytes, is through the narratives and stories that students share. And a lot of them have been really powerful. For example, students who've been able to get shadowing opportunities based on the conferences that we host and the events that we host.
And then we also have had students who share that their sister had experienced like a similar scam or a similar data, like data breach situation, and they finally understood what exactly happened during the session. Like they'll share those kinds of like story things like in the survey as well. And those are really interesting to read, because they make you feel like they've actually connected something. And yeah, I think the real, ultimate impact or the vision would be that, you know, 5-10 years down the line, when these folks do enter industry, they are highly security-minded professionals.
13:53
Yeah, absolutely. Right. And, and I think what you said at the beginning of that particular segment, around measuring the impact of any of these programs, is difficult. We can measure attendance, we can measure engagement in the program, which are all important measures, but then actually measuring have we improved our cybersecurity clusters result is really difficult. And you see the data and you look at the number of cyberattacks that were successful. And that number, or even the number of cyberattacks attempted, that number is just going up and up and up. Right? It's definitely not trending downwards. And then you look at what was the initial attack sort of vector, that initial sort of wave of intrusion, and it's pretty much always some kind of like phishing social engineering attack, a phishing email. And I remember a sticker on my former manager’s desk, and what it said was, “There is no patch for human stupidity.” And I kind of think about that, when I, when I think about cybersecurity, is that what we're doing in many ways is essentially building controls that mitigate what a human will ultimately do. Right? Not because they intend to, but often out of ignorance. So, like, I know all the awareness that programs like yours are bringing, it’s important to sort of up-level that. I'm just sort of joking around with that type of human stupidity. But like, what is the impact you have seen?
15:41
Yeah, great question. And that is, I feel like, a very common mindset in security. I think there's actually been like, papers and studies done around it, about, especially in the design field, when do we blame the user versus when do we blame the designer. And I think in security, there's this mindset that, like, we're trying our best, like, it's all on the end user, you know, after we develop it, it's out of our hands. And they, they're the ones clicking the links and doing all these things. But at the end of the day, like even developers are human. And some of these threats and attacks are, if you look at them, they're getting so real, and they feel so emotional. And that's the whole point of them, right? They're trying to kind of make you emotionally stimulated, such that you do something that you normally wouldn't. And as humans, like, we all have that tendency. And it's just about like, I think, especially with this generation, we're already kind of savvy to it, we've grown up around these threats, we know about creepy Instagram DMers, that's like the back of our hands at this point. It's just a matter of putting names to those situations. And teaching it as like, this is actually a matter of national security. Like you're, you're actually a part of this whole circle of security that we have. And so I think that's the biggest piece, is the empowerment piece. It's less about, I think, the awareness. I find, like, that comes really easy, because they're almost already aware. It's more about empowering them to know, like, this is how to answer your questions. A lot of them have a lot of questions that just need answering, like, what is, like, you know, what does this privacy policy really mean at the end of the day? Or what is Snapchat doing with my data? Like, does it host it on, on device or in servers? Like they have complicated questions that even developers, you know, would be like, double think, like thinking again, to answer.
So, I guess it's a long way of saying that empowerment is really important, even beyond awareness. And I find that like, I'm constantly amazed by things that students and kids know, so it makes my job really easy as I'm going in to talk about security, because oftentimes they create the conversation already with so many questions.
18:03
That's awesome. So, I want to explore that, that human element in cybersecurity a bit more, because one of the trends that we're seeing in cyber within organizations, in terms of the strategies that organizations are adopting, is one around Zero Trust. And, and specifically, and by Zero Trust, we don't mean removing trust completely, because if that was the case then you might as well disconnect everything from the network and be done. Right. So, it's about removing sort of implicit, freely available trust, but then on the human side, so much of what we do on a day-to-day basis depends on implicit trust. Right. And, and I've, I know, I've had conversations, and this is particularly sensitive in particular geographies where just hearing the word Zero Trust causes offense because, “oh, how can that be?” Right? It means that you don't trust me as a user. And you don't trust what I do. And you may not have had conversations specifically around Zero Trust, but how do you balance that in, in the education programs, around don't have such implicit trust with what you do online? But that doesn't mean that you compromise your ability to trust individuals.
19:25
Yeah, I feel like Zero Trust is tricky for that reason. It's because you don't want to give the notion that you shouldn't trust others completely or that you shouldn't, that you shouldn't trust yourself online. It's more of a less empowering note. I think, like, trust but verify is a good stance that I usually teach in terms of disinformation and information warfare. Verification is incredibly important. And then also, I think just changing the terminology to be like, yes, Zero Trust is incredibly important, but it's scaffolded. Within these, like many things, there's a reason why we don't trust immediately. And there's these, all these case studies for when we did trust immediately. And like scaffolding it within a greater lesson to then brand it as Zero Trust. Like, I think Zero Trust is a loaded statement. It's not just nothing, no trust at all. Trust but verify is generally the idea behind it; we just say Zero Trust because that makes you feel like, okay, I have to start at ground level. But I think in terms of an education aspect, meeting students where they're at, and bringing them these case studies, or these instances of like, this is what we mean by Zero Trust. Because at that time, they might not have seen the real-world use case of like Zero Trust in terms of like authentication or giving privileges to folks. So, giving them examples that make it feel more real, it's definitely one of the mitigations to that.
21:12
Yeah, I really like what you said there about sort of starting at ground level, and then building the scaffolding, right? It's, it's again, and you make it, you make it very real, because let's just, let's just say that you're meeting a stranger, right? You don't associate, like you don't associate a high level of trust necessarily, till you have validated like who they are, et cetera. And multiple factors. If it's been, if you've been sort of connected through a friend, then there is some level of okay, there's some level of initial verification that's been done to kind of move that up a notch. Versus let's say, someone that you may have just connected together on LinkedIn, but no sort of really formal referral, or validation. It's kind of, it’s sort of, okay, maybe I'm sort of a slightly notch lower. And I think this is, and applying that same principle to how you deal with technology and systems. Yeah, that same common sense approach, because ultimately, you get to a point where you, where you say, you've established enough validation that you say, okay, I can trust this person or this technology to a certain extent. And I think, yeah, the grounding in that common sense is absolutely right.
22:22
Yeah, absolutely. I love that. Like, I think mirroring all the things digitally, physically, always helps with education, because people generally understand like, okay, I have to lock my car before I leave, or I have to lock the door before I sleep. Like those are very important elements to us, like values that we hold close. But just translating that to cyber is that key piece of education that, “Oh, this is the same digitally.” Imagine if somebody had access to your physical location, or your GPS coordinates that every time like, that is the sort of mindset that you should have in terms of thinking about your threat model.
23:01
That's, that's a great thing. Let's come on to threat modeling in a second. But that analogy, I think, is really important, is that for your own precious things, physical objects that you want to protect, you're very, you're very wary, right? You lock your doors, you maybe put, let's say, precious things in a safe, or you put them in a lockbox in a, in a vault or something like that, right? So. But when it comes to how we interact online, it's almost like what we want is ease of use, ease of access, and to be able to do something quickly just because it's online and it's electronic. The barriers to being productive suddenly seem to need to be reduced. And I think we need to, again, apply that same level of sort of inspection and care that we would to physical objects.
23:52
Yes. And I think it's not only a user thing. I think the internet was almost designed such that there's this tradeoff, or this seeming tradeoff, between convenience and security. Yeah. And sometimes it's not even just a user decision. And we make it really hard as designers to incentivize the user to choose to be secure. So, I think what I'm seeing now is I'm liking all these movements towards building in security or baking in security into the product. So that the user either (a) doesn't even have to think about security, or security is something that they can toggle on and off, like, or toggle from, like, a crazy, like locked up setting to like, oh, just secure by default. Like, I don't know if you've looked at Apple's Lockdown Mode, but that is, Apple's products are obviously secure by design, but they have an additional layer of security if you're a high-risk individual. So, it's designs like that, that really push the needle forward, in terms of the user doesn't even have to make that decision at the end of the day. Which is, in physical security, when we're locking doors or locking cars, when we're doing like that cost-benefit analysis, the calculus makes sense in our head, like we're not losing anything by taking extra precautions. And I think that's how we should try and build devices on the internet, product devices that users are using, is thinking about security as something that shouldn't have to leave anything else behind.
25:26
Right, and it's second nature. And just going back to your car analogy, when you walk away from your car, you don't, you don't say, “actually, I can't be bothered to lock the car” because that's one more button flick. Right? Yeah, just do it, you, subconsciously you do it. But I just want to go to, you started talking about secure by design and incorporating security into the product development lifecycle. Right. And I think that this is a, this is an interesting evolution. Because if we, if we think about sort of historically, the security function and the role that security has played, and again, like simplifying it significantly. A lot of, for a very long time, and it's still largely today, security plays the role of being an approval function. So it's like, you come and ask the security team, can I do something? And they say yes or no. And often you come to them once you've got to the end of whatever it is you're building, and then you want the “Can you bless it, please?” Right? Whereas I think if, and that's always the challenge, that then let's say Security says no, right? And, and then you say, oh, then you go back, and that really hampers productivity? Or Security says, Well, no. And here are all your risks. And you say, “Well, okay, well, I'll just accept the risk, right?” Because I need to be productive, and you put something out that's insecure. But I think what you're saying, what you said about incorporating security into the, into the process much earlier on, I'd say almost at the beginning, make security an assurance function. Then, which means that because you've already incorporated security into the entire design and build process, when you deploy something, you know that it's secure. So that, and it's almost like if I deploy it back to the same pattern, I know that's going to be secure. Because I can only do things that are secure. I think that is the larger cultural shift that we kind of need to push towards.
27:26
Yeah, no, I love that. I think I had a professor once who said this one quote that I've always remembered in this, in this context. He said, “security is always thought of as part of the plumbing, but security really has to be thought of as part of the problem, and part of the initial problem statement.” So, it's not only how can we do this, but how can we do this safely? And how can we keep our users safe and secure? So, I think when I look towards good design practices and good design values, I think that's going to be something that customers hold companies accountable for. And I think you see that kind of through Apple products, in what they do and live and breathe, but also through a lot of different design solutions now. Like especially two-factor apps that make it super easy for you to do two-factor without even thinking, like you just open the app, and it already verifies you. And that's the sort of design changes that I think are both secure and safe. But they're also well designed, very convenient, easy to use, beautiful looking. So that is, I think that's the next generation of, of design and security. And I really wish that more schools who teach design have some sort of class for designing for safety and security. Because I'll say, like, even in a CS program at my school, you kind of have to build your own path and figure out how exactly am I going to learn about this in a classroom setting so that I have the skills required. There's all sorts of other classes like designing for accessibility and designing for game design, but I think designing for safety and security is really the next generation.
29:14
Absolutely. It's also good to know that in 25 years, computer science courses, while they continue to teach security, they haven't yet fully incorporated security into all aspects of the course. And it's very much a standalone discipline.
29:33
Yeah, I could go on about this forever. And this always makes me want to become a policymaker to change this fact. But there's some crazy statistic out there that says that out of the top 14 computer science programs in the country, only one of those programs requires developers to take a security class. In the other schools, mine included, security is not a required class, you can take it if you want to learn more about it. But oftentimes you can graduate without having taken one at all.
30:09
Yeah, and that's under someone who's worked in cyber for almost 20 years now. And just thinking about the number of graduates who are coming out wanting to enter technology in whatever industry, but essentially, in technology, and develop incredible products. The fact that they don't necessarily have a solid background in cyber, I'm not saying being experts, but awareness and, like, that sounds like key skills, which is going to be important for their role. That's quite scary, because it, again, goes back to what is, what are those things that we are developing and using, and sort of how much security grounding isn't. And I know organizations put a lot of effort into sort of making up for that. But it's, it feels like in the same way that you are, you're addressing the challenge of cyber education at such a young age, at sort of the school, the school age, that this is something that, that at higher education, it's something that could be fairly easily addressed, and is pretty essential. If we're saying that everyone needs to be able to learn to code, because it's essential for whatever job they're going to do, well, let's, let's ensure that they can code securely.
31:29
Yeah, I do think that that's going to be a massive change in the education system. And I really hope that it happens. And that it, I think we bring up upon the right tools. Like I think there are quite a few startups and emerging companies working on how do we get tools to developers, such that it makes security, like really easy to understand, like, especially in documentation that you don't know as well. So I think that with the right tools, and with the right foundation of education, and just having like a mere interest, and like wanting to know about this, like, I think it goes back to what you were originally saying of like, developers not having the stereotype or this perspective that security folks are always going to come in and be like, “You can't do that, so sorry.” Like you couldn't like you can't develop you can't. That's generally the sense that people get, especially with this whole AI revolution, that, oh, if I bring in security personnel, or if I become security minded, like maybe I will not develop as fast, I won't innovate as quickly. But I think knocking down that stereotype that you can be developing just as quickly, but also with safety in mind. And there's so many examples of that. That is really the key piece.
32:50
Yeah, absolutely. And I think one part of it is obviously changing that, that mindset, and, and kind of really making, and this is the oldest one, this is very much on the, on the cybersecurity industry, is make yourselves a partner. Right? Make yourselves, don't feel that you have to be this yes/no police. But much more about a partner, because that's what's going to drive more engagement and more adoption. But also, I think the onus is also on, like, security vendors, those who develop security products and security technologies, to make them as easy to leverage as possible by those who are creating applications, by the end user. So that adopting security becomes a joy. I mean, I see your point, right? We're so obsessed about user experience. It's so important if you're designing a consumer product, and if the user experience is poor, right? That product is not going to go far. Right, it will get slaughtered. So, we should take the same approach to security products, which okay, maybe enterprise products, maybe end-user products, but let's make security a joy to adopt.
34:10
Yeah, and also easier to adopt. I think one of the things that I struggle with sometimes is advising when small and medium-sized businesses come and they're like, “Oh, we're looking for a security product,” like they do want to be secure or adopt something. There's just so many tools out there that it's hard to parse now, like okay, what exactly, like what are you actually doing? So I think there's, I think just getting a general understanding of communicating your product according to what it does, and then who you want to serve. That's also a big thing, because there's so many products out there right now.
34:56
So, I want to talk about AI with you in a bit, but I mean, you're not just a cyber educator, right? You're not just someone who's focused on building awareness; you're also a threat hunter, you're deep in the weeds of the technology. So, let's talk a bit about that. Like, what is that aspect of your day-to-day life?
35:28
Yeah, I would say it really spun out of my interest in this education component. So, I was doing education all throughout high school, education and advocacy of cyber. And then when I got to college, I started getting more interested in, okay, who are these actual threat actors and why are they doing what they do? And how are they doing what they do? Like, what are their tactics and techniques? And so that's when I started getting into threat intelligence. And in threat intelligence, I worked at the MS-ISAC for a year. And then I moved over to Apple to do security operations there and do fraud detection using AI and ML. And then I moved to government and did work at CISA that was totally centered around international cyber capacity building, and helping our partners and our supply chain partners with their security. And then I moved back to Apple and did product security with civil society partners, so protecting journalists, dissidents, and human rights defenders. And I got really interested in government-backed attacks. And that's also what I'm doing this summer at SpaceX, working on government attackers and government attacks on our products. And that is also what I research. So, it's just a lot of passion built up because of the education side, seeing the actual victims, seeing people who had been through things like this; we've done a lot of sessions with victims of online exploitation as well. And so just generally, having exposure to the people on the other side of the attacks, I think, has fueled a lot of this interest of mine to get to know this field so well. And I think it's just brought me deeper and deeper into these rabbit holes of cyber, but I wouldn't have it any other way. It's a lot of fun to do the research and do the education component together.
37:36
I mean, that's pretty much a who's who of public and private sector organizations that you've done cybersecurity work with. And can I just say that most people who make a career in cyber haven't done anything cyber related till they're in their 30s. So, you've already got like a 15-year head start on the rest of us. It's not fair. But it's interesting, you're sort of looking at nation-state actors. And so, if we tie it to something that we were speaking about earlier, about the rise of cyberattacks. Right. So, on one side, looking at the rise of nation-state actors, and just kind of the general narrative is that attackers are getting more and more sophisticated.
38:21
Yeah, that's a great question. I think even having been on the pentesting side, too, it's interesting, because I feel like every time I did one of those learning experiences, and I was on a pentesting assessment, or I kind of saw it from start to finish, I would always go back to the education piece. And I think that a part of that was because every time I realized that the initial vector that was used, like 80% of the time, is through humans. And so regardless if it's an attacker who has access to AI, because then it only makes their job easier to generate some sort of email through AI, or generate a voicemail that's AI generated or a voice that's AI generated, and conduct that initial vector of the attack. I think, every single time, I just found myself going back to the education piece, which I think is a big reason for why I haven't stopped doing that ever since I began when I was 14. So, I would say that you're right that even with artificial intelligence, we should just think about how our defense in depth, our security posture, hasn't necessarily changed that much. It has changed in terms of improved, but it's a cat and mouse game and the threat actors are also improving. So, we have to adapt. It's not just a one and done: I've done my security, I'm done with it, I'm not going to think about it. It's more so, okay, can we revise this now that the threat actors are evolving? What can we do to just stay ahead of the needle? And I think as designers, that's a big thing to think about when you're thinking about designing a product: okay, if I build this, if I design this this way, how would attackers try and go around it? And what is their next move?
40:13
That's brilliant, right? Because that's very much a threat-centric approach to building product, or like we talked about when we're talking about Zero Trust, we're talking about it as sort of assume intrusion, assume the attacker is inside; how would you then build your controls, build your security, so that they can't actually get any further? Right. And I think that that's absolutely the case. Because when I think about this in relation, let's say, to AI-powered attackers, it's ultimately, what is the fuel for the AI model? It's data, it's information about what it is, about you, about your organization, about the infrastructure that you have. So, the less of that you make freely available, right, the less the attacker has to work with. So, it's kind of starving it. Like we talked about reducing the attack surface, right, or managing our attack surface, but it's also like managing the learning surface. Like, what is that surface that's exposed that the attacker can learn from?
41:24
Yeah, yeah, I totally agree. And I've spent the last year looking at the use of large language models to conduct cyber defense and to extract or identify tactics and techniques after an attack. And the things that you learn in terms of using artificial intelligence, fine-tuning it to be a productive tool, is just that our AI is definitely developed, but it definitely has its nuances, right. Like, when you interact with an LLM, you can definitely tell that it's hallucinating quite a bit, and things like that. So I think everyone on the playing field is level in that sense, that they're operating with the same level of tools that we are. Let's just try and build faster. Let's build defensive tools faster. Let's evade these potential risks faster than they do.
42:24
So how do you see AI transforming the cybersecurity landscape? Like what do you think is the key thing that it can be used to address?
42:38
There are so many little sub-tasks, I think. But I think the way that AI engineers are looking at it, as well as cyber professionals, is, again, this idea of how can we meet each other where we're at? Right? It's not that AI is going to be used to replace cyber professionals. But rather, how can we find those small sub-tasks that, if a human analyst wasn't spending so much time on them, they could actually put their human analyst efforts into a harder task, or into a harder human-required sub-task? So, I think that has been my focus: how do I find these smaller sub-tasks for which we could actually create benchmarks? And then that's the second thing: how do you actually scientifically, rigorously test this so that we know that an LLM would be useful for a task, or would be good for a task? And that is the huge, I think, academic research question right now. Yes, there are all these tools coming out; every cyber vendor claims to have an AI-powered product. But at the same time, if you look at the research, there are not a lot of LLM benchmarks for, okay, this is how humans perform at this task, this is how the LLM performs; let's actually do a side-by-side comparison. And let's do that at scale, hundreds of times, to see, actually, would this be a potential tool? So, I think that is the next stage of academic research: can we produce benchmarks that provide scientifically rigorous evidence? Because, again, this is the cyber industry we're talking about; we need evidence for something like high-stakes decisions, right?
44:25
Absolutely. I was talking to a former colleague last night. We were talking about this because he's in the middle of sort of building out a startup that's heavily leveraging AI for the technology that they're building. And we were talking about, okay, well, what's AI like, convince me that AI is really useful, right. And then I think what we nailed it down to, summarizing what you said, is: what are the day-to-day tasks that I hate doing, but I have to do? And if AI can understand what those tasks are, and do those for me, that's really useful. Because then I can focus, to your point, on things that I really want to do, that I can't because I'm spending so much time on these things that I have to do, but I hate doing.
45:24
Absolutely, yeah, I think that's a great way to put it. And I think when I talk to people in the public sector too, in terms of what are the adoptions that the government is looking towards in terms of AI, it's kind of the same thing. It's all these little things; it's not the sexy problems that they're looking at. It's everything, you know, from hiring and HR to figuring out how to onboard somebody, like a new employee, how to onboard them without, you know, spending too many resources and human effort. Like, how can we use these tools to actually better what we do and augment what we do? And yeah, I think one of my professors put it very interestingly: it's about intelligence augmentation instead of automation.
46:13
Yes, absolutely. Right. And going back to the first one, it's not the sexy problems you're trying to solve for. It's the shit problems they're trying to solve. Right? But the ones that you have to absolutely solve on a day-to-day basis. Yes, I completely agree. And I think that's why the AI age, the revolution, has so many parallels with those other leaps in sort of technology that we've seen over the last few hundred years, right? It's essentially enabling, or taking away some of those very manual things. That's awesome. So, let's think about when you look into your crystal ball about cyber, about policy, about the human element, about AI. What do you see as the future?
47:09
The million-dollar question.
47:12
Billion-dollar question! You get the idea, right?
47:17
Dang, I've got to build my startup! But I think it's a number of things in the cyber industry. I feel like there's so much going on right now, it's hard to pin down one thing, but I do think, if I could sum it up, it's going to be, as you said, this fine balance of where do we draw the line between human analysis and intelligence augmentation? And if somebody gets that right, I think that is going to be the billion-dollar tool: can you build something that augments intelligence, that makes us smarter defenders, but also leverages what humans do best, which is anomaly detection, or figuring out that something is just a little bit off or weird that a machine might not be able to pick up on? And it's fine-tuning that problem statement that's going to, I think, push the needle far.
48:16
So, when is your startup coming out?
48:22
This is a soft launch for it. It's a soft launch. And I'm auditioning for a role in it as well.
48:32
Fantastic. I like that. Let's bring it back to education and awareness as we wrap up. There are going to be so many security professionals that will be listening to this podcast, right. What is the message that you have, given your connection to those who are still coming through their high schooling, coming through college, but also you've had all of that exposure in high-end public sector, high-end private sector? What is your message to the cybersecurity professionals of today that they should be aware of about the cybersecurity professionals of tomorrow?
49:20
Yeah, I think a couple of things. So one is that it all starts, it's very grassroots. If there's one message I could send to cyber professionals in the working industry, it's that it all comes back to your community, to your impact, to the message that you send. So, I always recommend, get out into local schools, talk about what you do, and bring that image that we were talking about in the beginning, right, that cyber is not just this one type of person or this one background that's required. It's everywhere, and it's everything. Yesterday, I was talking to a friend and I was like, you don't choose cyber, cyber chooses you. Like, that's the thing: get out into the community, share about what you do, present this fact that there's, you know, present a panel of folks from Illumio or wherever it is that you work, of people that come from various different backgrounds that are looking at this problem from various lenses. So, that's the one thing, get into the community. And then the second is to know that this generation is not just apathetic to these issues; we're very aware, savvy, we want to know the answer. We're going to ask the hard questions. So just be ready and be excited, and understand that we have to meet each other where we're at in terms of cyber education.
50:49
Amazing. Kyla, it's been such a pleasure speaking to you, right. I wish we could have longer, but I know your time is precious. So again, thanks so much for your time. Really appreciate it. It's been fantastic.
51:02
Thank you, Raghu. This has been so much fun. Thank you.