Hello everyone. Welcome back to another episode of the 401 Access Denied Podcast, brought to you by Delinea. I'm the host of the show, Joe Carson, Chief Security Scientist and Advisory CISO. It's a pleasure to be here and we're always excited about bringing you interesting ideas,
things that can really help you to secure your organization, become more resilient. I've got a fantastic guest who's returning today for this very special episode. So Frank, welcome to the show. Maybe for the audience, do you want to give the audience a bit of background about yourself? You've been on before, but sometimes it's just good to give the audience a bit of an update.
Absolutely, Joe, and happy to be on again, as you mentioned. Frank Vukovitz, also Chief Security Scientist with Delinea, been a part of Delinea now, hard to believe it, Joe, six plus months. Previously worked for a company by the name of Fastpath that Delinea acquired earlier this year. Fastpath was a security and compliance solutions provider in the business application space, so think internal threats and frauds and your accounting and financial systems. I was there for nine years and I've been doing security and compliance and cyber and identity security now for 30 plus years. And love chatting with folks like Joe and sharing knowledge and experiences,
and we got some neat stuff to talk about what we've seen in 2024 and what's going on in 2025 for sure. So happy to be here for the holiday edition in the year review. Absolutely. And that's the exciting thing is just for the audience, just to give the audience a bit of perspective and which is great, is that this is the holiday special. This is the Christmas
edition of the podcast just from, we've been doing this for four years now at Delinea and the amazing thing is that this is only possible because we have such great listeners who come in and they listen to the episodes, they subscribe and provide feedback and suggestions for future episodes. So we've been doing this for four years and it means that this is episode 102. And over that time we've had 400,000 plus listens, over 100 different guests on the show, which I think it's around 100 plus hours of content and thought leadership and different amazing insights. So it's an honor to be able doing the podcast for so long. It's just fantastic. And to have this special
edition with yourself, Frank, I'm really excited. So for the episode today, we're going to take a look back and it's always interesting because it's always good to take a point in time health check about what's been happening. So we're going to take a look back of what's been happening in 2024, some of the top trends, some of the insights and lessons learned, and then also a little bit of insights and predictions for what's coming in 2025. So Frank, for you, what's been some of the most notable events during this year? What were some of the lessons and topics that you thought was quite surprising? So I think a couple of things. Obviously AI is out there and we'll get in AI and how it's being used and the evolution of it and cyber security both from a defense perspective and trying to protect things but also how the threat actors are using it. One thing I know, and you and I have talked about this somehow in the past, earlier this year,
just ransomware and how ransomware now is really being used. It used to be from a ransomware perspective, I'm going to, as a threat actor come in, I'm just going to take over your systems and shut them down, just might as well put a sign up, Out Of Business. There's nothing you can do to... It was literally just in the old days when I started off, we had a mainframe, it's like unplugging the mainframe, can't do anything. Yeah. It's literally shutting the business down and making their systems unavailable, which was the most common for the last four or five years. Right. But now they're starting to think, you know what, we can make some money that way because then
you got to write a check or send me Bitcoin to turn the company back on. What instead, if I go out and say, "You have some really valuable data." Maybe you're a healthcare provider and I know there's some patient data out there that I can get a lot of money for in the black market and the dark web and now I'm going to come in and not going to shut you down, but I'm going to take some of your data and either hold it hostage or just say, "I got a copy of it, do you want it out there? And how important is to the reputation of your company that now your customer information is being exposed?" So it's a flip. It's not shutting you down and saying, "You know what, what's the most valuable to you?" And I think that tactic is really unique because one, I would argue it might be a little bit tougher in the past when to shut down all the systems, what it takes to go in now if you have one database that's not secure and you can grab, say, this healthcare data out of one database, easier to get to less effort and yet you might be able to actually get more money in some cases out of them or at least a comparable level of money. So I think that's one trend that's change in ransomware in terms of also, and what are they really trying to accomplish? Absolutely. I think when I look at that,
absolutely, when we did the state of ransomware research report earlier this year, that highlighted one of the interesting things from that report, and we'll also make sure that the audience will get access to that report in the show notes. So that report, we also highlighted the shift from the traditional type of encryption-based ransomware to much more of an extortion-based. So extortionware has become the big trend. And it overtook in the past year traditional ransomware. And I think one of the big things was, and I think it's really down to having better security and better strategy because organizations got much better at having ransomware-resilient backup and recovery strategy. Right. Yes. And because of that, because the attackers started realizing that if we just encrypt and we don't have anything else, the victim will have a way to recover without paying the ransom. So they get into what other ways can we get ransom? And it was multiple things. It's gaining credentials
and selling on to other criminals. It's getting sensitive data and then threatening to disclose it in the public or on the dark web and sell it onwards. And that becomes another method that doesn't depend on the backup recovery strategy and it also might reveal intellectual property, it might be data which is persistent. Like you said, healthcare data, it could be financial data, things that is static data that's historical and very damaging. So
absolutely, I have seen extortionware becoming a massive factor this year and it will continue. It means that having a good backup recovery strategy is great, but we still need to make sure that we encrypt the data, that we lock down the access, the privileges, the authorization, authentication to the data even better as well. Because you're absolutely right. If attackers continue to take advantage of stolen and weak credentials, they will continue to be able to threaten with extortionware. And let's not kid ourselves, there's money out there to be made. Yeah. And just to give you an example,
I mean it was the one earlier this year, it was the CDK, which is a car dealership systems, they paid 25 million in the summer in a ransom payment. Just to give a perspective, as you mentioned, cryptocurrency is the common value or monetary kind of focus that criminals look to. And that 25 million in June or July this year is now 50 million today because the value of cryptocurrency is increasing significantly. And they're not selling it off, they're holding it in the cryptocurrencies, they're laundering it in those exchanges. So you just think of that, they got 25 million in July, it's worth 50 million today and that's just sitting and waiting because the value of cryptocurrency has also continued to rise. Absolutely, absolutely. Yeah, it's scary. What other things have you been seeing this year? What's also been of interest? So obviously, AI, and we've been talking for a while now about how AI allows for advanced tools to be out there and so easy to get a hold of and they can do more things just to process some power. I like to say the quality that I can run scripts now, I can find these scripts easier,
but now the scripts are more intelligent and the access to the tools or threat actors obviously continues to increase, but I want to combine two together maybe. So the evolution AI is great, gives us a better way to protect and try to stop the threats and we can use AI to look for anomalies and we'll go through all this detective and shut things down. And be proactive and preventative, where we're looking for certain signals and using AI to say, "You know what? Those three signals don't line up, I'm going to stop you." Or you even get into network from maybe authentication perspective, maybe going to stop you once you're authenticated from being authorized to do things because the data, signals don't match up. So that's helpful, but at the same time it's so easy to get a hold of the tools and the tools are so more powerful with AI. But the other
thing that's scary is the threat actors and state-sponsored cyber work that's going on. I was recently at the Gartner IAM Summit actually this week in Dallas from the states and they were telling some stories about deep fakes and sat through a session where someone said there's a country out there, I'm not going to name it but we know, state sponsor... And I read about it on the news too then later in the week where they're going out and using deep fake to set up new employees through the hiring process, it's all virtual. And you think you're talking to someone in an interview like you and me, people can question is that really Joe Carson there, or is that a deep fake image of him? Absolutely. And they're using AI in the interview process and you have a nice resume and these companies are hiring them and the trick then is they get a company laptop and it's getting shipped to an address that you think is where this employee works. It's not where he works,
think of a server farm in the day. It's basically a laptop farm where someone's receiving all these laptops that are provisioned with the access- They're just plugging them in, they're plugging them in, making them available remotely. And they're managing remotely from these countries. And now those laptops, because the position they hired into, have access to do all sorts of things. Absolutely.
You find an AI technology from the deep fake ... of getting the interview process and get the device in and now you're using the AI technologies then once you get into the systems that go do really nefarious things and it's a huge problem. Deep fake is a problem and it has been a problem, but I never thought about it for me a way to give- Absolutely. I think for me, I think that the big one this year was the KnowBe4 disclosure. I think that really highlighted it. KnowBe4 was one of the organizations, it was a security company who hires lots of amazing security industry professionals and they actually disclosed, I think it was back in September, October timeframe where they disclosed that they actually went through the process and they actually hired one of those individuals who had passed the background check, actually had went through the interview process and it was actually stolen identity, it condoned it. They had actually stolen identity. They'd used AI to modify the images to look like that's the one identity and they
went through it and they got hired. And it wasn't until all of a sudden that machine, once they got plugged in and started getting all the malware and it started putting lots of alarms and alerts and then it was detected. And this is continuing, you're absolutely right with using AI and using deep fakes and machine learning in order to really manipulate. And I
think the latest reports was that in North Korea they've got an army of 10,000 people. Yes, I read that. That's basically doing that actually one, is they're getting paid actually and quite well with some of the salaries I've seen of those individuals getting paid quite a nice salary. At the same time they're using that for insider threats and stealing intellectual property, getting access to those organizations as well and some of them in very critical, high profile roles as well. So absolutely, the combination of those things definitely is alarming and it means that organizations, even if people pass the background checks, you want to make sure it really gets into sometimes we do want to meet the people in person. Exactly. Or at least
have the ability to have an intermediary meet that person and verify their identity really. And this is something that we had to find a way to minimize that because it is going to be a growing risk as the reports. Say there's a 10,000 person... And it's not going to stop there. That's going to continue. We always had that, the quietly quitting scenario, which people were all taking on multiple jobs during COVID. This is another scenario which is escalating further from that.
And I think one of the things you mentioned around AI, I think for me there's three major components of AI. One is the organizations. Absolutely, we're seeing a lot of empowerment from AI and tools and solutions, that really enhance security, which is great. Fantastic. And I think that's the area that we've seen accelerate the most. And as the second point you mentioned is around the lowering of the bar for criminals, meaning that they don't need to be as sophisticated.
There's lots of AI GPTs out there that have the guardrails removed that are used for malicious activities. I've seen it being used for phishing translations and phishing email creation. I've seen it used before data analysts and the attackers can analyze data much faster than they would've done previously. And I think the third thing is that organizations are using a lot more AI enabled solutions and therefore we really need to make sure that people are only authorized and should have access to the algorithms to make modifications. Those who need to have the
right access to, for example, query and use the algorithms and sometimes those are sure the AI agents which allows it to use algorithms to be run on the edge. Then we get into the training models and the data that's used for those training models. So it's not even, we're seeing that the escalation that yes, AI is being used and we've got a lot more enabled, it's a... for criminals. We need to protect the access, it's much more critical than ever. To me sometimes it's two things. It's still the human identities that are using AI and making sure that only authorized people have access to make changes. And then the second thing is that we're doing a lot
of integration, again, APIs and AI APIs in the background that also need to be protected. So I think this really raises the importance for making sure that authentication, authorization and governance and the highest identity security for AI enabled systems and organizations really... Because those systems have a lot more intelligence then. And the more intelligence they get, the more sensitive that information becomes and therefore they need to be protected. And only those who should have the ability to query those systems, should be actually... It means the security controls need to be very, very good and that's something that organizations need to prioritize. What's your thoughts around that? Is that-
No, I think the whole governance of securing AI in 2025 is going to continue to be a hot topic and I'm starting to see a lot over the last six months of people say, "Oh, AI is going to allow us to do this, this or this, including in the security space." I mean Delinea AI helps our products out and that's great, but how companies are using AI themselves and the governance around it. Lots of- You need policy, AI policies. Exactly. What do you do with my data? Do you have a statement of responsible use around AI? And securing the AI tools. So it's sort of plenty to think about, we're using AI to help provide security as security tools, but where else are we using AI and how are those tools secure from a data loss prevention perspective? Lots of companies now are starting to say, "How are my own employees using ChatGPT or some AI feature that's built into a tool?" and no clue. And is it the free version that means the
data that you're putting in is going to be used for training? Exactly. And are you training with customer data? Yep. That part I think people have to be really careful when they say, "Oh, we're using AI." How are you using it? How's the governance around it? Not just for company's own use, but if it's what data it's reading and answering that for your customer base and then for those companies like Delinea that are in the security space, you need to have your ducks in a row about how your tools are using AI technology. Yeah, it's providing a service to protect.
We get that and secure, but it's by default that doesn't imply that it's secure itself. You have to provide evidence of that. So I think that's going to be big and just the governance around AI. And the other thing I would say, which is a bit scary again at the Gartner event this week, I forget the name of the company, but they said the company went out there, did a study and put in some chat rooms or discussion boards, like five certificates or five scripts that the way they worded them they knew they could be picked up by the threat actors on the dark web is these are things go use immediately. They put them out there, the servers they hit, 10 seconds from when they were posted to when they were used. Now give them, they didn't get, it was just a test, 10 seconds. And I'm sitting there thinking is that because there's all many
people logged in monitoring these discussion boards or are there AI tools running behind the scenes to pick up on stuff like that, looking for certain terms and then immediately dumping into a hacking tool. So it's just so much data the bad, the threat actors can get at now. Absolutely. It's just scary. It's integration from things like Shodan searches. Yes. Plugging those directly into AI algorithms and then automatically running the campaigns right afterwards. It's the
full automation. It's really automation on steroids, which is really what is happening. Automation is scary, like that. Yeah. One of the things that was interesting, so absolutely in that I've seen areas where, for example, people adding chatbots and stuff into our transcription bots agents into things like meetings and then the transcription of those meetings then going off into third party. So it's really getting it to the point where it's
not just about securing and having the policies and governance but also about knowing what tools are actually have AI enabled in them and do you want them enabled or not? And also is it going into your own private, let's say data lake or is it going to third party data lake? If you want all of your company meetings being recorded and then transcribed and then used for learning and then been held in a third-party data center. So that's really where you get into having AI policies critical so you understand about what's acceptable and what can I also audit and inventory about what systems actually have it enabled and that are being used. Yeah, the auditor me would tell you, trying to keep track of all those AI tools that you're using, those bots you have installed and who really knows exactly what they do behind the scenes. You might say it records everything in a Zoom call or a Team's call. Absolutely. What you see is the output,
but what's really going on behind the scenes? What level of access does it have, where's it pushing the data out to, where's it stored and where that data's at, what other tools have access to it to read in for other purposes? Some of the other trends I've seen as well is around definitely the transition to cloud as well continues to be a massive push and organizations are still struggling to get and they end up with too many stacks across multiple clouds and hybrid clouds and SaaS and they end up with too many differences in security controls. So we've seen a massive drive towards consolidation to move towards platforms and API and interoperability. Is that something you've seen and any thoughts around that? Absolutely. And obviously cloud's... there for a long time now, but I would call it silos or pockets where a company goes out and the accounting department acquires a SaaS solution over here in the cloud. And then the HR department's another one and then next we know
the IT help desk is getting a new solution to do support and ticketing into that cloud. Two of them are AWS and one to run Microsoft Azure I would say, and yet I'm the CISO or CIO and I want to deploy consistent security frameworks of principles across to secure all my assets. And guess what? We still want some stuff on-prem. So you need to have some type of platform and
this is where the industry's going, that allows you to have access to these multi-cloud hybrid environments. So whether it's on-prem, hybrid cloud or full SaaS in one place, and I know it's a marketing term, single pane of glass dashboard, but let's not kid ourselves, there's so much data and signals we have to look at, trying to look at them from multiple sources, then consolidate them versus one place at the beginning of it. I think you're going to see that trend to continue in the security space with trying to move things onto a platform because with all the APIs you can get the data. And what's- Absolutely.
... in one platform and now let's begin to really manage things accordingly. And that's, again, because of AI, we can do more. Right? And there were just this complexity. That's one of the things is that I've seen the biggest... If we look at the pain points that I've had lots of discussions throughout the year with so many CISOs and IT leaders and security thresholds and the challenge, what's causing security incidents, over complexity is too many solutions, too many different environments, too many different inconsistencies, too many tools to try to do multiple things. And what they're really driving to is how to reduce that, how to reduce complexity, how to simplify things. And that's why getting into this where you've got platforms
that have strong APIs and integrations that have good interoperability and good orchestration. To your point is that allowing... And one of the things is a lot of that reduces the skills gap as well because you have more focus, more people that can specialize in those areas as well. And one is it helps organizations do more automation, leverage AI much more and do more with less as well. So for me, absolutely this is an area that I think is going to continue and I think it's an area that many organizations will look for that platform consolidation definitely to take away a lot of the pain from complexity in that multi-hybrid cloud... The skills gap you talk about is not going away. There's two things going on. Skills gap,
not enough cyber security professionals to keep up with the threat actors and two, the ones that we have in the profession are getting burned out from long hours and fighting battles they see that they never can actually get over the- And we're always in transition of technical change. The technology we're using five years ago is not the same as what we're using today and therefore it's important that if you need to invest in skills and training for the existing staff. If we don't invest enough time and training and knowledge to the employees, is that skills gap will continue to increase. So it's not just about getting people into the industry,
but it's about making sure that the existing people we have continue to develop their skills over time to stay modern and stay current with the technology. That's one of the things is that we talk a bit about the cloud challenges is that we have less people skilled in cloud than we do on premise because of course, a lot of times you're handing that over to third parties and that skills gap is a knowledge gap. So yeah, I think it's two areas. I think sometimes we heavily focus on the skills gap, but it also is that knowledge and the gap on developing employees to be up to date with the current tool sets. Yeah, because you need as many resources you can. You're not only... to resources, you have to develop those people because guess what, if you're not developing, there's someone else out there that going to hire them away that is going to develop them. So one of the other things I'd like
to cover as well is any major updates in governance and compliance this year? Has there been new kind of moves, been new regulations out, new compliance efforts? Anything interesting? Obviously DORA talked a lot over in the UK. I think I read a stat the other day that in the United States of the top 48 companies, GDP-wise, we're the only one that doesn't have a countrywide data privacy act. So where you have GDPR and the like. You've got it from a state level, the CCPA, there's other states doing it. Colorado has it, Virginia has it, California CCPA, but eventually that's going to come. I think DORA is the one a lot of people are talking about. My old neck of the woods with dealing with SOX, Sarbanes-Oxley or J-SOX, that's going to continue, even the Corporate Reform Act in the UK that was dead and then they went back and said, "Well, we're not going to have the fines with it." Companies in the UK I've worked with are starting to follow some of the guidelines in it anyways.
Bottom line is folks are figuring out, and they've known this, but they're taking more action that some of these regulations in the corporate governance side related to finance side of things, strong control controls are important public or private, even if you're not publicly traded in the US. The concepts of SOX, Sarbanes-Oxley's still apply to secure your financial systems. Same with over in the UK maybe you're not listed, but the corporate format, the ideas and the controls that was suggested are still important. And I still think data privacy is huge and I think companies are missing out a little bit. Looking at the data privacy regulation based on the country they may be domiciled in or headquartered and not knowing their regulations could care less about that because the privacy regulations are to protect their citizens that own their personal data. So it's where the citizen resides, which could be in your customer database, could be your employee database that you need to focus in on what country that's from, not where you do business or where you're headquartered at. Absolutely.
It's challenging. Regulations are only getting worse from a volume perspective, Joe they're not going away. If you're in finance or healthcare, it's our government, it's the amount of areas that you have to focus on. And that's why one thing is I've had numerous auditors on and they always say that one of the mistakes organizations make is that security is part of their compliance program where actually compliance should be part of your security program. Yes, yes. So sometimes it's getting the right strategy because ultimately, if you do security with basically understanding about the overlap in a lot of the compliance regulations, you'll be able to meet them much more seamlessly, much more easier without that friction create itself. Absolutely.
And there will be many more to come. I'm expecting the world to kind of look at AI as well because the EU has already got the EU AI Act. There's DORA as you mentioned, there's the Data Resiliency Act or Digital Resiliency Act. So there's tons of different coverages and it's just going to continue and become challenging. I want to move into a little bit of insights and predictions for this year. So any thoughts, what do you expect to come in 2025? What's the expectations there?
Lots of things. Obviously AI can continue to be really relevant. We talked about that. I think we may well see some of the tools unfortunate threat actors have and the power they have some new tool come out that we don't have a good answer for. That's one thing that would scare me a little bit. And I think too the continued explosion, machine identities or non-human identities,
NHI, there's stats out there, there's 40 to 50 times machine or non-human identities for every one human identity. We get so focused in the security world about people and human identities and with the rise of AI and bots and RPA and just the evolution of technology, the access that those non-human identities require to support business functions are critical. We've got to do a better job of managing those identities because if we don't know what those non-human identities have access to do, we can't secure. And power technology with AI, especially with that I think is going to be the biggest challenge in 2025 is how do we secure the non-human identities and even inventorying them to know what they can do, watching them and securing them. And I think that's... Especially when they're behind the scenes and it's harder part to secure as well, the human sides, we can put passkeys in place, we can do biometrics, we can put multi-factor authentication in place. We can record the sessions,
we can rotate the credentials and passwords. We can do all of single sign-on federated. There's lots of things on the authentication side which makes it possible, but it is more challenging on the non-human side or the machine identities. I prefer to call it unhuman because it's my term, I've used it over the years, but it is the harder thing to do. But it is the more riskier thing when it's not gone right. Yes. And if you're not maintaining asset inventory, all of the API accounts, all of the service accounts, applications running in the background, integrations cloud, automation, AI agents- AI agents. ... you're kind
going through all of those, then absolutely you end up becoming the risk increases of the risked organizations and the damage when those accounts compromised is even more severe as well. Yeah, more severe can happen quicker. And again, you may not even know it's happening. Absolutely. So for me, one of the things for me, I was out the news with Google Willow, I don't
know who the Google Willow quantum chip, which basically they released some of the benchmarks that they conducted and it was quite shocking, where they were able to basically crack a key challenge that would take basically something around, I think it was traditional computers, that it would take 10 septillion years, 10 septillion, which is 10 to the power of 25, which is mind-boggling to have that number of zeros after. And their Willow chip was able to do that within five minutes. That just shows you the acceleration and the pace. When we talk about quantum, they're almost like five years, 10 years time from now. And for me it's not just about
the number of qubits, it's about the quality of qubits, which is also a major factor, which they didn't talk about. They talked about the number, but they didn't talk about quality, which for me was missing in the news a lot. But that shows that it's getting closer to no more secrets. The movie Secrets, Sneakers, Secrets, Sneakers was my favorite, Sneakers, Robert Redford. And it gets into really where we are getting to the current encryption. That means that we have to move faster. If that's where the Willow chip is today, that means from a data protection
and encryption level. And that's of course why we at Delinea have done basically the quantum safe capability into our own products. So they're already ready for those types of scenarios. What was your thoughts around the announcement, did you have any perspective on that? We were talking about it at dinner the other night, myself and David McNeely and first thing went through our minds is well that's cracking. Can they
crack the algorithms and the like for Bitcoin? All of a sudden Bitcoin is not secure. All the bad guys and gals that are loving the fact, they can now maybe, from a Willow perspective, use that to crack your systems. But then the ransomware perspective of what they want the ransom to be paid in can be cracked. What are they going to do? And the cryptocurrency is all one-way hashes. So probably in cryptocurrency would be more the wallet. So the protection of the wallets,
I think that's the concern versus actually... The protection of the wallets. That's right. The protection of the wallets where you get into on the exchanges as well. The idea is this technology has allowed them maybe to do more things we don't want them to do, but then how are they going to get paid to keep it secure? But I think forget about Moore's Law and every seven years or what have you, when I was reading the article about the Willow chip, it's just mind-boggling. And yet the technology's moving so quick, the next Willow chip probably we'll hear about it in 2025 and it'll probably be more powerful.
Absolutely. I think we're getting closer to the point where how we protect data and how we do encryption is going to evolve very quickly. This news means that in 2025 we had to think about how to act much faster, rather than saying it's coming in the future. I've heard different terms 10, 15 years, but at that pace, what Google announced. Yeah, I remember- The pace is quickening. I remember being at a conference a year ago and they were talking about password tracking, quantum computing and we're still got five, 10 years before something even be that concerned about. And then no, if they've known the Willow chip was coming out and the stats behind it,
that five, 10 year window would've been shrunken. That was only a year ago and oh, we still got some time. We have time, but not as much as we thought probably... this week. Absolutely. And the other area for me, I think my final big thing for 2025 is going to be around
identity theft. I think for me, I think the acceleration that we've seen with AI, with deep fakes, with machine learning, with all of the information's out there, and I'll say that we as society are putting more of our DNA digitally into the public internet. And with a couple of minutes of your voice and audio and your video, a deepfake can be created to what we talked about earlier, such as people hiring for jobs under basically stolen identities or doing meetings pretending to be somebody else on that meeting. Oh, yeah. It's getting to the point where the quality is so impressive and so hard to tell the difference. I've even got to the point where I've actually started using safe words with people that I trusted that are sent that if I have a phone call from someone, I'm like, it's an emergency or asking for money, like, "Okay, what's the safe word?" Something that you're not basically digitally kept online is something that you've exchanged in person. So I think that's one of the things we're going to have to release in 2025, identity theft, which means going back to the digital authentication and governance is going to be crucial for organizations, but definitely also integrating that and working with the alarming rise of deep fakes.
For sure. I mean on the finance side, we're spending a lot of time, the old trick of talking to CFO, it's out of the office and you get in their email system and send an email from the CFO saying, "Hey, I'm on a meeting here in San Francisco, can you wire some money?" Those days are gone. Now maybe the CFO is going to, "call" you on the phone or going to just send you a conversation with them on Team and look at them videos, they asked me, that's got to be right. And the thing is that if they've stolen identity and they've got enough of their style from the internet is that they can actually make it so that even not just sounds like them and looks like them, but also the actually style of the- ...communication, the manner they're actually, a personality is also accurate as well. And that's lot. Yeah. Yeah. And I would think between the two of us, there's so much recorded audio
and video out there, it would not take much for someone to go out and record a podcast Joe and just send it us, look like you and me talking. To be honest, I mean there is enough of us out there that we could literally use AI and deep fakes and machine learning to take it and just automatically create future podcasts. We are not doing that today... This is a real in person, real actually. Human, non AI, this is human. Human created podcasts.
Exactly. Which I think is important because the machine created ones, they lose empathy and they lose kind of the force kind of visions type of thing and the creativity because they're based on historical data. Definitely. So I think that's one of the things is that I think somebody mentioned that is the frontal cortex the AI does not have, so therefore that's what they're lacking. Yeah. It was interesting thing was one of the mentions that earlier this week I heard somebody mention that what AI is like, which I thought was quite funny, was that, it's like, have you ever played Super Mario Kart? Yep. Yep. And what AI does is that actually enables humans to go faster, which is what their mention was, which I thought was an interesting term. And he mentioned that it's like in Mario Kart, it's like
when you get the mushroom and you can go faster in Mario Kart, he says the AI is just like a mushroom in Mario Kart, takes us faster. So I thought it was a great analogy. I thought it was fantastic. Sometimes you're going fast though, you can't always see what you're passing- Absolutely. ... learn from it. And next thing you know when things slow down a bit like what just happened and you have gaps and weaknesses that can be exploited. Anything you'd like to leave the audience with,
any resources that you would point to from this year that would, for the audience, they want to go and learn about some of the things this year or what they would, should plan for next year. What would- One thing that you talked about new regulations, the like new NIST cybersecurity framework, CSF 2.0 came out this year. We have folks listening out there that maybe are smaller companies and haven't done a lot around this, was a little bit worried. You want some frameworks, a place to get follow to go look at free content. That's a good
place to start. There's some organizations out there to... for internet security And organization you and I talked about SANS before, but the NIST standards, I think there's lots of resources out there to help guide you and it's still a crawl, walk, run approach. You still need help in one bite at a time. Yes, this is scary stuff. But ultimately if you're trying to secure your company, you got to identify what's most critical from a resource perspective, do some type of assessment, what data is most valuable and you build processes and controls and tools to secure those first. And don't get caught up in all the shiny balls
and this technology, this technology that's out there. What does your company need? And what frameworks are out there from your government or just the identity security industry in general to help you follow because you're not starting from scratch with this. And I think that would be, if I was thinking about New Year's resolutions, I like CSF 2.0 and start there and see where
my company's at compared to that at. And then- Absolutely. Yeah, one additional one I'd recommend for the audience we really started this summer was the identity security and the age of AI as well. So definitely from a research perspective definitely recommend going and reading through that, at least to get an idea to prepare and see where you as an organization can fit with your peers on that research as well. Frank, it's been awesome having you on as always. I really
enjoy the conversations and for the audience out there, how would the audience stay in contact with you? What's the best way to reach out? So I'm on Twitter @fvukovitz, so I just changed my name now, you just see Frank in the bottom. LinkedIn and then I don't mind giving my email address out because it's out there in the public domain a lot, but Frank.vukovitz@delinea.com as well. Best way to track me down. I know you've put some links. I put my last name back in there now,
but yeah, crazy to find me very unusual last name. Let's just put it that way. Yes. Fantastic. I think for the audience, we really wish that you have a fantastic holidays, time off and spend it with your families and your nearest friends and stay safe over the holidays. It's always a period with attacks do increase and there's a lot of threats out there. So be safe. Hopefully some of the things you've learned in this episode today will give you some new ideas about what resolutions to make going into 2025 and also some of the lessons from this year as well.
So everyone, stay safe out there. Have a great holidays. Thanks for being one of our many listeners. Thanks for being, again, a second time guest on the episode. Stay safe, take care. Tune into the 401 Access Denied Tonight podcast every two weeks made possible by Delinea. And again, everyone, see you in the next year and hopefully it'll be something that'll have a fantastic, enjoyable, and safe. Thanks Joe.
2025-01-06 14:33