Top Trends & Future of Cybersecurity with Frank Vukovits | Episode 122


Hello everyone. Welcome back to another episode  of the 401 Access Denied Podcast, brought to   you by Delinea. I'm the host of the show, Joe  Carson, Chief Security Scientist and Advisory   CISO. It's a pleasure to be here and we're always  excited about bringing you interesting ideas,  

things that can really help you to secure your  organization, become more resilient. I've got a   fantastic guest who's returning today for this  very special episode. So Frank, welcome to the   show. Maybe for the audience, do you want to give  the audience a bit of background about yourself?   You've been on before, but sometimes it's just  good to give the audience a bit of an update. 

Absolutely, Joe, and happy to be on again, as you mentioned. Frank Vukovits, also Chief Security Scientist with Delinea, been a part of Delinea now, hard to believe it, Joe, six plus months. Previously worked for a company by the name of Fastpath that Delinea acquired earlier this year. Fastpath was a security and compliance solutions provider in the business application space, so think internal threats and frauds and your accounting and financial systems. I was there for nine years and I've been doing security and compliance and cyber and identity security now for 30 plus years. And love chatting with folks like Joe and sharing knowledge and experiences,

and we got some neat stuff to talk about  what we've seen in 2024 and what's going   on in 2025 for sure. So happy to be here  for the holiday edition in the year review.  Absolutely. And that's the exciting thing is just  for the audience, just to give the audience a bit   of perspective and which is great, is that this  is the holiday special. This is the Christmas  

edition of the podcast just from, we've been  doing this for four years now at Delinea and   the amazing thing is that this is only possible  because we have such great listeners who come in   and they listen to the episodes, they subscribe  and provide feedback and suggestions for future   episodes. So we've been doing this for four years  and it means that this is episode 102. And over   that time we've had 400,000 plus listens, over  100 different guests on the show, which I think   it's around 100 plus hours of content and thought  leadership and different amazing insights. So it's   an honor to be able doing the podcast for so long. It's just fantastic. And to have this special  

edition with yourself, Frank, I'm really excited.  So for the episode today, we're going to take a   look back and it's always interesting because it's  always good to take a point in time health check   about what's been happening. So we're going to  take a look back of what's been happening in 2024,   some of the top trends, some of the  insights and lessons learned, and then   also a little bit of insights and predictions  for what's coming in 2025. So Frank, for you,   what's been some of the most notable events  during this year? What were some of the lessons   and topics that you thought was quite surprising? So I think a couple of things. Obviously AI is out   there and we'll get in AI and how it's being used  and the evolution of it and cyber security both   from a defense perspective and trying to protect  things but also how the threat actors are using   it. One thing I know, and you and I have talked  about this somehow in the past, earlier this year,  

just ransomware and how ransomware now is  really being used. It used to be from a   ransomware perspective, I'm going to, as a threat  actor come in, I'm just going to take over your   systems and shut them down, just might as well  put a sign up, Out Of Business. There's nothing   you can do to... It was literally just in the old  days when I started off, we had a mainframe, it's   like unplugging the mainframe, can't do anything. Yeah. It's literally shutting the business down   and making their systems unavailable, which was  the most common for the last four or five years.  Right. But now they're starting to think, you know  what, we can make some money that way because then  

you got to write a check or send me Bitcoin to turn the company back on. What instead, if I go out and say, "You have some really valuable data." Maybe you're a healthcare provider and I know there's some patient data out there that I can get a lot of money for in the black market and the dark web and now I'm going to come in and not going to shut you down, but I'm going to take some of your data and either hold it hostage or just say, "I got a copy of it, do you want it out there? And how important is it to the reputation of your company that now your customer information is being exposed?" So it's a flip. It's not shutting you down and saying, "You know what, what's the most valuable to you?" And I think that tactic is really unique because one, I would argue it might be a little bit tougher in the past when to shut down all the systems, what it takes to go in now if you have one database that's not secure and you can grab, say, this healthcare data out of one database, easier to get to less effort and yet you might be able to actually get more money in some cases out of them or at least a comparable level of money. So I think that's one trend that's changed in ransomware in terms of also, and what are they really trying to accomplish? Absolutely. I think when I look at that,

absolutely, when we did the state of ransomware research report earlier this year, that highlighted one of the interesting things from that report, and we'll also make sure that the audience will get access to that report and show us. So that report, we also highlighted the shift from the traditional type of encryption-based ransomware to much more of an extortion-based. So extortionware has become the big trend. And it overtook in the past year traditional ransomware. And I think one of the big things was, and I think it's really down to having better security and better strategy because organizations got much better at having ransomware-resilient backup and recovery strategy. Right. Yes. And because of that, because the attackers started realizing that we just encrypt and we don't have anything else, the victim will have a way to recover without paying the ransom. So they get into what other ways can we get ransom? And it was multiple things. It's gaining credentials

and selling onto other criminals. It's getting sensitive data and then threatening to disclose it in the public or on the dark web and sell it onwards. And that becomes another method that doesn't depend on the backup recovery strategy and it also might reveal intellectual property, it might be data which is persistent. Like you said healthcare data, it could be financial data, things that is static data that hasn't historical and very damaging. So

absolutely, I have seen extortionware becoming a massive factor this year and it will continue. It means that having a good backup recovery strategy is great, but we still need to make sure that we encrypt the data, that we lock down the access, the privileges, the authorization, authentication to the data even better as well. Because you're absolutely right. If attackers continue to take advantage of stolen and weak credentials, they will continue to be able to threaten with extortionware. And let's not kid ourselves, there's money out there to be made. Yeah. And just to give you an example,

I mean it was the one earlier this year it was the CDK, which is a car dealership systems, they paid 25 million in the summer in a ransom payment just to give a perspective, as you mentioned, cryptocurrency is the common value or monetary kind of focus that criminals look to. And that 25 million in June or July this year is now 50 million today because the value of cryptocurrency is increasing significantly. And they're not selling it off, they're holding it in the cryptocurrencies, they're laundering it in those exchanges. So you just think of that, they got 25 million in July, it's worth 50 million today and that's just sitting and waiting because the value of cryptocurrency has also continued to rise. Absolutely, absolutely. Yeah, it's scary. What other things have you been seeing this year? What's also been of interest? So obviously, AI, and we've been talking for a while now about how AI allows for advanced tools to be out there and so easy to get a hold of and they can do more things just to process some power. I like to say the quality that I can run scripts now, I can find these scripts easier,

but now the scripts are more intelligent and the  access to the tools or threat actors obviously   continues to increase, but I want to combine two  together maybe. So the evolution AI is great,   gives us a better way to protect and try  to stop the threats and we can use AI to   look for anomalies and we'll go through  all this detective and shut things down.   And be proactive and preventative, where we're  looking for certain signals and using AI to say,   "You know what? Those three signals  don't line up, I'm going to stop you."  Or you even get into network from  maybe authentication perspective,   maybe going to stop you once you're authenticated  from being authorized to do things because   the data, signals don't match up. So that's  helpful, but at the same time it's so easy to   get a hold of the tools and the tools are  so more powerful with AI. But the other  

thing that's scary is the threat actors and  state-sponsored cyber work that's going on.  I was recently at the Gartner IAM Summit actually  this week in Dallas from the states and they were   telling some stories about deep fakes and sat  through a session where someone said there's   a country out there, I'm not going to name  it but we know, state sponsor... And I read   about it on the news too then later in the week  where they're going out and using deep fake to   set up new employees through the hiring process,  it's all virtual. And you think you're talking to   someone in an interview like you and me, people  can question is that really Joe Carson there,   or is that a deep fake image of him? Absolutely.  And they're using AI in the interview process  and you have a nice resume and these companies   are hiring them and the trick then is they get  a company laptop and it's getting shipped to   an address that you think is where this  employee works. It's not where he works,  

think of a server farm in the day. It's basically  a laptop farm where someone's receiving all these   laptops that are provisioned with the access- They're just plugging them in, they're plugging   them in, making them available remotely. And they're managing remotely from these   countries. And now those laptops, because the  position they hired into, have access to do all   sorts of things. Absolutely. 

You find an AI technology from the deep fake  ... of getting the interview process and get the   device in and now you're using the AI technologies  then once you get into the systems that go do   really nefarious things and it's a huge problem.  Deep fake is a problem and it has been a problem,   but I never thought about it for me a way to give- Absolutely. I think for me, I think that the big   one this year was the KnowBe4 disclosure. I think  that really highlighted it. KnowBe4 was one of the   organizations, it was a security company who hires  lots of amazing security industry professionals   and they actually disclosed, I think it  was back in September, October timeframe   where they disclosed that they actually went  through the process and they actually hired   one of those individuals who had passed the  background check, actually had went through   the interview process and it was actually stolen  identity, it condoned it. They had actually stolen   identity. They'd used AI to modify the images  to look like that's the one identity and they  

went through it and they got hired. And it  wasn't until all of a sudden that machine,   once they got plugged in and started getting  all the malware and it started putting lots   of alarms and alerts and then it was detected.  And this is continuing, you're absolutely right   with using AI and using deep fakes and machine  learning in order to really manipulate. And I  

think the latest reports was that in North  Korea they've got an army of 10,000 people.  Yes, I read that. That's basically doing that actually one,   is they're getting paid actually and quite well  with some of the salaries I've seen of those   individuals getting paid quite a nice salary.  At the same time they're using that for insider   threats and stealing intellectual property,  getting access to those organizations as well and   some of them in very critical, high profile roles  as well. So absolutely, the combination of those   things definitely is alarming and it means that  organizations, even if people pass the background   checks, you want to make sure it really gets into  sometimes we do want to meet the people in person.  Exactly. Or at least  

have the ability to have an intermediary meet  that person and verify their identity really.  And this is something that we had to find a way  to minimize that because it is going to be a   growing risk as the reports. Say there's a 10,000  person... And it's not going to stop there. That's   going to continue. We always had that, the quietly  quitting scenario, which people were all taking   on multiple jobs during COVID. This is another  scenario which is escalating further from that.  

And I think one of the things you mentioned around  AI, I think for me there's three major components   of AI. One is the organizations. Absolutely,  we're seeing a lot of empowerment from AI and   tools and solutions, that really enhance security,  which is great. Fantastic. And I think that's the   area that we've seen accelerate the most. And  as the second point you mentioned is around   the lowering of the bar for criminals, meaning  that they don't need to be as sophisticated. 

There's lots of AI GPTs out there that have the guardrails removed that are used for malicious activities. I've seen it being used for phishing translations and phishing email creation. I've seen it used for data analysis and the attackers can analyze data much faster than they would've done previously. And I think the third thing is that organizations are using a lot more AI-enabled solutions and therefore we really need to make sure that people are only authorized and should have access to the algorithms to make modifications. Those who need to have the

right access to, for example, query and use the algorithms and sometimes those are sure the AI agents which allows it to use algorithms to be run on the edge. Then we get into the training models and the data that's used for those training models. So it's not even, we're seeing that the escalation that yes, AI is being used and we've got a lot more enabled, it's a... for criminals. We need to protect the access, it's much more critical than ever. To me sometimes it's two things. It's still the human identities that are using AI and making sure that only authorized people have access to make changes. And then the second thing is that we're doing a lot

of integration, again, APIs and AI APIs in the background that also need to be protected. So I think this really raises the importance for making sure that authentication, authorization and governance and the highest identity security for AI-enabled systems and organizations really... Because those systems have a lot more intelligence then. And the more intelligence they get, the more sensitive that information becomes and therefore they need to be protected. And only those who should have the ability to query those systems, should be actually... It means the security controls need to be very, very good and that's something that organizations need to prioritize. What's your thoughts around that? Is that-

No, I think the whole governance of securing AI in 2025 is going to continue to be a hot topic and I'm starting to see a lot over the last six months of people say, "Oh, AI is going to allow us to do this, this or this, including in the security space." I mean Delinea AI helps our products out and that's great, but how companies are using AI themselves and the governance around it. Lots of- You need policy, AI policies. Exactly. What do you do with my data? Do you have a statement of responsible use around AI? And securing the AI tools. So it's sort of plenty to think about, we're using AI to help provide security as security tools, but where else are we using AI and how are those tools secure from a data loss prevention perspective? Lots of companies now are starting to say, "How are my own employees using a ChatGPT or some AI feature that's built into a tool?" and no clue. And is it the free version that means the

data that you're putting in is  going to be used for training?  Exactly. And are you training with customer data? Yep.  That part I think people have to be really  careful when they say, "Oh, we're using AI."   How are you using it? How's the governance  around it? Not just for company's own use,   but if it's what data it's reading and answering  that for your customer base and then for those   companies like Delinea that are in the security  space, you need to have your ducks in a row about   how your tools are using AI technology. Yeah, it's providing a service to protect.  

We get that and secure, but it's by default that  doesn't imply that it's secure itself. You have   to provide evidence of that. So I think that's  going to be big and just the governance around   AI. And the other thing I would say, which is a  bit scary again at the Gartner event this week,   I forget the name of the company, but they  said the company went out there, did a study   and put in some chat rooms or discussion boards,  like five certificates or five scripts that the   way they worded them they knew they could  be picked up by the threat actors on the   dark web is these are things go use immediately. They put them out there, the servers they hit,   10 seconds from when they were posted to when  they were used. Now give them, they didn't get,   it was just a test, 10 seconds. And I'm sitting  there thinking is that because there's all many  

people logged in monitoring these discussion boards or is there AI tools running behind the scenes to pick up on stuff like that, looking for certain terms and then immediately dumping into a hacking tool. So it's just so much data the bad, the threat actors can get at now. Absolutely. It's just scary. It's integration from things like Shodan searches. Yes. Plugging those directly into AI algorithms and then automatically running the campaigns right afterwards. It's the

full automation. It's really automation on  steroids, which is really what is happening.  Automation is scary, like that. Yeah. One of the things that was interesting,   so absolutely in that I've seen areas where, for  example, people adding chatbots and stuff into   our transcription bots agents into things like  meetings and then the transcription of those   meetings then going off into third party. So  it's really getting it to the point where it's  

not just about securing and having the policies and governance but also about knowing what tools actually have AI enabled in them and do you want them enabled or not? And also is it going into your own private, let's say data lake or is it going to third party data lake? If you want all of your company meetings being recorded and then transcribed and then used for learning and then been held in a third-party data center. So that's really where you get into having AI policies critical so you understand about what's acceptable and what can I also audit and inventory about what systems actually have it enabled and that are being used. Yeah, the auditor in me would tell you, trying to keep track of all those AI tools that you're using, those bots you have installed and who really knows exactly what they do behind the scenes. You might say it records everything in a Zoom call or a Teams call. Absolutely. What you see is the output,

but what's really going on behind the scenes? What level of access that to have, where's it pushing the data out to, where's it stored and where that data's at, what other tools have access to it to read in for other purposes? Some of the other trends I've seen as well is around definitely the transition to cloud as well continues to be a massive push and organizations are still struggling to get and they end up with too many stacks across multiple clouds and hybrid clouds and SaaS and they end up too many differences in security controls. So we've seen a massive drive towards consolidation to move towards platforms and API and interoperability. Is that something you've seen and any thoughts around that? Absolutely. And obviously cloud's... there for a long time now, but I would call it silos or pockets where a company goes out and the accounting department acquires a SaaS solution over here in the cloud. And then the HR department's another one and then next we know

the IT help desk is getting a new solution to do support and ticketing into that cloud. Two of them are AWS and one to run Microsoft Azure I would say, and yet I'm the CISO or CAO and I want to deploy consistent security frameworks of principles across to secure all my assets. And guess what? We still want some stuff on-prem. So you need to have some type of platform and

this is where the industry's going, that allows you to have access to these multi-cloud hybrid environments. So whether it's on-prem, hybrid cloud or full SaaS in one place, and I know it's a marketing term single pane of glass dashboard, but let's not kid ourselves, there's so much data and signals we have to look at, trying to look at them from multiple sources, then consolidate them versus one place at the beginning of it. I think you're going to see that trend to continue in the security space with trying to move things onto a platform because with all the APIs you can get the data. And what's- Absolutely.

... in one platform and now let's begin to  really manage things accordingly. And that's,   again, because of AI, we can do more. Right? And there were just this complexity. That's one   of the things is that I've seen the biggest... If  we look at the pain points that I've had lots of   discussions throughout the year with so many  CISOs and IT leaders and security thresholds   and the challenge, what's causing security  incidents, over complexity is too many solutions,   too many different environments, too many  different inconsistencies, too many tools to   try to do multiple things. And what they're really  driving to is how to reduce that, how to reduce   complexity, how to simplify things. And that's  why getting into this where you've got platforms  

that have strong APIs and integrations that have  good interoperability and good orchestration.  To your point is that allowing... And one  of the things is a lot of that reduces the   skills gap as well because you have more  focus, more people that can specialize in   those areas as well. And one is it helps  organizations do more automation, leverage   AI much more and do more with less as well. So  for me, absolutely this is an area that I think   is going to continue and I think it's an area that  many organizations will look for that platform   consolidation definitely to take away a lot of the  pain from complexity in that multi-hybrid cloud...  The skills gap you talk about is not going  away. There's two things going on. Skills gap,  

not enough cyber security professionals to keep up  with the threat actors and two, the ones that we   have in the profession are getting burned out  from long hours and fighting battles they see   that they never can actually get over the- And we're always in transition of technical   change. The technology we're using five years  ago is not the same as what we're using today   and therefore it's important that if you need to  invest in skills and training for the existing   staff. If we don't invest enough time and  training and knowledge to the employees, is   that skills gap will continue to increase. So it's  not just about getting people into the industry,  

but it's about making sure that the existing  people we have continue to develop their skills   over time to stay modern and stay current with  the technology. That's one of the things is that   we talk a bit about the cloud challenges is that  we have less people skilled in cloud than we do   on premise because of course, a lot of times  you're handing that over to third parties and   that skills gap is a knowledge gap. So yeah,  I think it's two areas. I think sometimes we   heavily focus on the skills gap, but it also is  that knowledge and the gap on developing employees   to be up to date with the current tool sets. Yeah, because you need as many resources you   can. You're not only... to resources, you have  to develop those people because guess what,   if you're not developing, there's someone  else out there that going to hire them   away that is going to develop them. So one of the other things I'd like  

to cover as well is any major updates in governance and compliance this year? Has there been new kind of moves, been new regulations out, new compliance efforts? Anything interesting? Obviously DORA talked a lot over in the UK. I think I read a stat the other day that in the United States of the top 48 companies, GDP-wise, we're the only one that doesn't have a country wide data privacy act. So where you have GDPR and the like. You've got it from a state level, the CCPA, there's other states are doing it? Colorado has it, Virginia has it, California CCPA, but eventually that's going to come. I think DORA is the one a lot of people are talking about. My old neck of the woods with dealing with SOX, Sarbanes-Oxley or JSOX that's going to continue even the Corporate Reform Act in the UK that was dead and then they went back and said, "Well, we're not going to have the fines with it." Companies in the UK I've worked with are starting to follow some of the guidelines in it anyways.

Bottom line is folks are figuring out, and they've known this, but they're taking more action that some of these regulations in the corporate governance side related to finance side of things, strong controls are important public or private, even if you're not publicly traded in the US. The concepts of SOX, Sarbanes-Oxley's still apply to secure your financial systems. Same with over in the UK maybe you're not listed, but the corporate format, the ideas and the controls that was suggested are still important. And I still think data privacy is huge and I think companies are missing out a little bit. Looking at the data privacy regulation based on the country they may be domiciled in or headquartered and not knowing their regulations could care less about that because the privacy regulations are to protect their citizens that own their personal data. So it's where the citizen resides, which could be in your customer database, could be your employee database that you need to focus in on what country that's from, not where you do business or where you're headquartered at. Absolutely.

It's challenging. Regulations are  only getting worse from a volume   perspective, Joe they're not going away. If you're in finance or healthcare,   it's our government, it's the amount of areas  that you have to focus on. And that's why one   thing is I've had numerous auditors on and they  always say that one of the mistakes organizations   make is that security is part of their compliance  program where actually compliance should be part   of your security program. Yes, yes.  So sometimes it's getting the right strategy  because ultimately, if you do security with   basically understanding about the overlap in a lot  of the compliance regulations, you'll be able to   meet them much more seamlessly, much more easier  without that friction create itself. Absolutely.  

And there will be many more to come. I'm expecting the world to kind of look at AI as well because the EU has already got the EU AI Act. There's DORA as you mentioned, there's the Data Resiliency Act or Digital Resiliency Act. So there's tons of different coverages and it's just going to continue and become challenging. I want to move into a little bit of insights and predictions for this year. So any thoughts, what do you expect to come in 2025? What's the expectations there?

Lots of things. Obviously AI can continue to be  really relevant. We talked about that. I think we   may well see some of the tools unfortunate threat  actors have and the power they have some new tool   come out that we don't have a good answer for.  That's one thing that would scare me a little   bit. And I think too the continued explosion,  machine identities or non-human identities,  

NHI, there's stats out there, there's 40 to 50 times machine or non-human identities for every one human identity. We get so focused in the security world about people and human identities and with the rise of AI and bots and RPA and just the evolution of technology, the access that those non-human identities require to support business functions are critical. We've got to do a better job of managing those identities because if we don't know what those non-human identities have access to do, we can't secure. And power technology with AI, especially with that I think is going to be the biggest challenge in 2025 is how do we secure the non-human identities and even inventorying them to know what they can do, watching them and securing them. And I think that's... Especially when they're behind the scenes and it's harder part to secure as well, the human sides, we can put passkeys in place, we can do biometrics, we can put multi-factor authentication in place. We can record the sessions,

we can rotate the credentials and passwords. We  can do all of single sign-on federated. There's   lots of things on the authentication side which  makes it possible, but it is more challenging on   the non-human side or the machine identities. I  prefer to call it unhuman because it's my term,   I've used it over the years, but it is the harder  thing to do. But it is the more riskier thing when   it's not gone right. Yes.  And if you're not maintaining asset inventory, all  of the API accounts, all of the service accounts,   applications running in the background,  integrations cloud, automation, AI agents-  AI agents. ... you're kind  

going through all of those, then absolutely  you end up becoming the risk increases of the   risked organizations and the damage when those  accounts compromised is even more severe as well.  Yeah, more severe can happen quicker. And  again, you may not even know it's happening.  Absolutely. So for me, one of the things for me,  I was out the news with Google Willow, I don't  

know who the Google Willow quantum chip, which  basically they released some of the benchmarks   that they conducted and it was quite shocking,  where they were able to basically crack a key   challenge that would take basically something  around, I think it was traditional computers, that   it would take 10 septillion years, 10 septillion,  which is 10 to the power of 25, which is   mind-boggling to have that number of zeros after. And their Willow chip was able to do that   within five minutes. That just shows you the  acceleration and the pace. When we talk about   quantum, they're almost like five years, 10 years  time from now. And for me it's not just about  

the number of qubits, it's about the quality of  qubits, which is also a major factor, which they   didn't talk about. They talked about the  number, but they didn't talk about quality,   which for me was missing in the news a lot. But that shows that it's getting closer to no more   secrets. The movie Secrets, Sneakers, Secrets,  Sneakers was my favorite, Sneakers, Robert   Redford. And it gets into really where we are  getting to the current encryption. That means that   we have to move faster. If that's where the Willow  chip is today, that means from a data protection  

and encryption level. And that's of course why  we at Delinea have done basically the quantum   safe capability into our own products. So they're  already ready for those types of scenarios. What   was your thoughts around the announcement,  did you have any perspective on that?  We were talking about it at dinner  the other night, myself and David   McNeely and first thing went through our  minds is well that's cracking. Can they  

crack the algorithms and the like for Bitcoin? All of a sudden Bitcoin is not secure. All the bad guys and gals that are loving the fact, they can now maybe, from a Willow perspective, use that to crack your systems. But then the ransomware perspective of what they want the ransom to be paid in can be cracked. What are they going to do? And the cryptocurrency is all one-way hashes. So probably in cryptocurrency would be more the wallet. So the protection of the wallets,

I think that's the concern versus actually... The protection of the wallets. That's right. The protection of the wallets where you get into on the exchanges as well. The idea is this technology is allowed them maybe to do more things we don't want them to do, but then how are they going to get paid to keep it secure? But I think forget about Moore's Law and every seven years or what have you, when I was reading the article about the Willow chip, it's just mind-boggling. And yet the technology's moving so quick, the next Willow chip probably we'll hear about it in 2025 and it'll probably be more powerful.

Absolutely. I think we're getting closer to  the point where how we protect data and how   we do encryption is going to evolve very  quickly. This news means that in 2025 we   had to think about how to act much faster,  rather than saying it's coming in the future.   I've heard different terms 10, 15 years,  but at that pace, what Google announced.  Yeah, I remember- The pace is quickening.  I remember being at a conference a year ago  and they were talking about password tracking,   quantum computing and we're still got five, 10  years before something even be that concerned   about. And then no, if they've known the Willow  chip was coming out and the stats behind it,  

that five 10 year window would've been shrunken. That was the only year ago and oh, we still got some time. We have time, but not as much as we thought probably... this week. Absolutely. And the other area for me, I think my final big thing for 2025 is going to be around

identity theft. I think for me, I think the acceleration that we've seen with AI, with deep fakes, with machine learning, with all of the information's out there, and I'll say that we as society are putting more of our DNA digitally into the public internet. And with a couple of minutes of your voice and audio and your video, a deep fake can be created to what we talked about earlier, such as people hiring for jobs under basically stolen identities or doing meetings pretending to be somebody else on that meeting. Oh, yeah. It's getting to the point where the quality is so impressive and so hard to tell the difference. I've even got to the point where I've actually started using safe words with people that I trusted that are sent that if I have a phone call from someone, I'm like, it's an emergency or asking for money, like, "Okay, what's the safe word?" Something that you're not basically digitally kept online is something that you've exchanged in person. So I think that's one of the things we're going to have to release in 2025, identity theft, which means going back to the digital authentication and governance is going to be crucial for organizations, but definitely also integrating that and working with the alarming rise of deep fakes.

For sure. I mean on the finance side, we're  spending a lot of time, the old trick of talking   to CFO, it's out of the office and you get in  their email system and send an email from the   CFO saying, "Hey, I'm on a meeting here in San  Francisco, can you wire some money?" Those days   are gone. Now maybe the CFO is going to, "call"  you on the phone or going to just send you a   conversation with them on Team and look at them  videos, they asked me, that's got to be right.  And the thing is that if they've stolen identity  and they've got enough of their style from the   internet is that they can actually make it so  that even not just sounds like them and looks   like them, but also the actually style of the- ...communication, the manner they're actually,   a personality is also accurate  as well. And that's lot.  Yeah. Yeah. And I would think between the  two of us, there's so much recorded audio  

and video out there, it would not take much  for someone to go out and record a podcast Joe   and just send it us, look like you and me talking. To be honest, I mean there is enough of us out   there that we could literally use AI and deep  fakes and machine learning to take it and just   automatically create future podcasts. We are not doing that today...  This is a real in person, real actually. Human,  non AI, this is human. Human created podcasts. 

Exactly. Which I think is   important because the machine created ones, they  lose empathy and they lose kind of the force kind   of visions type of thing and the creativity  because they're based on historical data.  Definitely. So I think that's one   of the things is that I think somebody mentioned  that is the frontal cortex the AI does not have,   so therefore that's what they're lacking. Yeah.  It was interesting thing was one of the mentions  that earlier this week I heard somebody mention   that what AI is like, which I thought was quite  funny, was that, it's like, have you ever played   Super Mario Kart? Yep. Yep.  And what AI does is that actually enables humans  to go faster, which is what their mention was,   which I thought was an interesting term. And he  mentioned that it's like in Mario Kart, it's like  

when you get the mushroom and you can go faster in  Mario Kart, he says the AI is just like a mushroom   in Mario Kart, takes us faster. So I thought it  was a great analogy. I thought it was fantastic.  Sometimes you're going fast though, you  can't always see what you're passing-  Absolutely. ... learn from   it. And next thing you know when things slow  down a bit like what just happened and you   have gaps and weaknesses that can be exploited. Anything you'd like to leave the audience with,  

any resources that you would point to from this year that would, for the audience, they want to go and learn about some of the things this year or what they would, should plan for next year. What would- One thing that you talked about new regulations, the like new NIST cybersecurity framework, CSF 2.0 came out this year. We have folks listening out there that maybe are smaller companies and haven't done a lot around this, was a little bit worried. You want some frameworks, a place to get follow to go look at free content. That's a good

place to start. There's some organizations out there to... for internet security And organization you and I talked about SANS before, but the NIST standards, I think there's lots of resources out there to help guide you and it's still a crawl, walk, run approach. You still need help in one bite at a time. Yes, this is scary stuff. But ultimately if you're trying to secure your company, you got to identify what's most critical from a resource perspective, do some type of assessment, what data is most valuable and you build processes and controls and tools to secure those first. And don't get caught up in all the shiny balls

and this technology, this technology that's out there. What does your company need? And what frameworks are out there from your government or just the identity security industry in general to help you follow because you're not starting from scratch with this. And I think that would be, if I was thinking about New Year's resolutions, I like CSF 2.0 and start there and see where

my company's at compared to that at. And then- Absolutely. Yeah, one additional one I'd recommend   for the audience we really started this summer  was the identity security and the age of AI as   well. So definitely from a research perspective  definitely recommend going and reading through   that, at least to get an idea to prepare and  see where you as an organization can fit with   your peers on that research as well. Frank, it's  been awesome having you on as always. I really  

enjoy the conversations and for the audience out  there, how would the audience stay in contact   with you? What's the best way to reach out? So I'm on Twitter @fvukovitz, so I just changed   my name now, you just see Frank in the bottom.  LinkedIn and then I don't mind giving my email   address out because it's out there in the public  domain a lot, but Frank.vukovitz@delinea.com as   well. Best way to track me down. I know you've put  some links. I put my last name back in there now,  

but yeah, crazy to find me very unusual  last name. Let's just put it that way. Yes.  Fantastic. I think for the audience, we really  wish that you have a fantastic holidays,   time off and spend it with your families and your  nearest friends and stay safe over the holidays.   It's always a period with attacks do increase  and there's a lot of threats out there. So be   safe. Hopefully some of the things you've learned  in this episode today will give you some new ideas   about what resolutions to make going into 2025 and  also some of the lessons from this year as well. 

So everyone, stay safe out there. Have a great  holidays. Thanks for being one of our many   listeners. Thanks for being, again, a second time  guest on the episode. Stay safe, take care. Tune   into the 401 Access Denied Tonight podcast every  two weeks made possible by Delinea. And again,   everyone, see you in the next year and hopefully  it'll be something that'll have a fantastic,   enjoyable, and safe. Thanks Joe.

2025-01-06 14:33
