
Leveraging AI: Accelerating Security Operations
Leveraging AI, when effectively evaluated and implemented, enables security teams to improve their organization's security posture when they might otherwise be dead in the water due to budget cuts. This episode dives into:
- How cybersecurity and risk are viewed differently across entertainment, healthcare, and manufacturing
- Business drivers of AI SOC (and other solutions) across an organization's ecosystem
- How to evaluate AI SOC solutions, from short-listing vendors to communicating results
Podcast transcript
Kamal Shah: Hello everyone, and welcome to another episode of Security Amplified, where we discuss all things cybersecurity and generative AI.
Today, my guest is John Barrow, the Chief Information Security Officer at JB Poindexter and Company. For those of you who may not be aware, JB Poindexter is a multi-billion dollar, privately-held enterprise that touches everything from commercial trucks to ambulances.
Prior to joining JB Poindexter, John has spent his career navigating the intersection of traditional IT and complex business operations. He's held intelligence and cybersecurity roles in the military, at Caesar's Entertainment, as well as Texas Children's Hospital. So John, welcome and it's such a pleasure to have you on the podcast.
John Barrow: Thank you, Kamal. It's great to be here.
The Impact of Military Tradecraft
Kamal Shah: Awesome. So to kick things off, John, it's interesting you started a career as an intelligence analyst in the Army. How much of that tradecraft has influenced how you think and run security programs today?
John Barrow: It's made a huge impact. What I always say at kind of a high level, it's, it's the same mindset, different focus, right? But I think the urgency, the time sensitivity, the mission mindset, I think has been extremely helpful.
Not to get into too many details, but we have had, you know, some incidents previously where, you know, even I've had comments by leadership, like, how are you so calm right now?
You know? And based on my military background and working with the NSA, that really helped me keep that confidence and calm during a storm type mentality.
Kamal Shah: Yeah, it makes sense, right? In many ways, with the military lives are at stake, right? So what you do is just the importance of what you do there. That's not to say that working in a company is not important, but you know, you're not dealing with human lives in many cases.
John Barrow: Exactly.
Cybersecurity & Risk Across Industries
Kamal Shah: What's also interesting is that you worked in very different industries, obviously, manufacturing, hospitality, entertainment, and healthcare. And what are some of the striking similarities and or differences in how cybersecurity and risk is measured across those industries?
John Barrow: Yeah, it has been interesting. With gaming entertainment at Caesar's and the hospital where I was at, at Texas Children's, highly regulated industries, right? I mean, you had the gaming commission board as well as all the banks, the bank regulations 'cause a casino is essentially a bank, right?
And then at the hospital, healthcare, we were in a continuous audit, like it was state-funded and you have to, you know, meet their requirements to get the funding and things like that.
And then manufacturing. I mean, the industry as a whole is much different because it's a little more old school. It's a little more legacy-type systems. The mentality is a little different.
But also the difference too is both of my previous organizations were public companies. But with JB Poindexter it's privately held, right? So there's, there's some differences there as well as, I mean, mainly on the kind of regulation standpoint.
So my, my two previous organizations were, it was more, you know, it was a requirement you had to, to meet those standards to operate without getting fines and things like that, so it was more continuous, and I would say reactive.
But here, since it's privately held, it's more proactive, right?
Meaning that we have to get our ducks in a row. We have to be aligned with all the different frameworks and regulations, so that we don't put our partners at risk, right? Because if our maturity and our posture is in a certain level, then we could lose contracts, right? We could lose opportunities for future business.
So it's a different mindset. I know when I first got to JBPCo, that was one of the first things I mentioned when I talked to leadership. I said, I know we're privately held, and this may not be on your radar, but very soon we will start getting audits from some of our major partners, you know, and so we need to get ahead of this when that happens, so we'll be ready.
And, and at first it was like, eh, that doesn't really apply to us, you know, we're privately held.
Then I'm like, well let me clarify and kind of explain to them the implications if we didn't get ahead of it. And then sure enough, very shortly thereafter we started getting some audits from some of our top customers, some of our top partners, and I was like, well, this is what I'm talking about.
So that's kind of the main difference.
I mean, industry-wise, more on the regulatory standpoint, but also the attack surface was a little different at the casino. It was 24/7 operations. So was the hospital. You have the regulatory standpoint, but you also have, I mean, there's a lot of value in what data they have and all the information that they house in those organizations.
In manufacturing, it's a little different flavor to that. I mean, it's, we don't have as much PHI or PII and things like that, but our intellectual property is more of the focus there. Like our engineering designs and things like that. So it's been, it has been fun. Kind of interesting learning the different industries.
Building a Unified Security Vision in a Manufacturing Environment
Kamal Shah: Absolutely. And speaking of the complexity in manufacturing, right, and you think about scale, how did you think about building a unified security vision when your attack surface includes everything from office endpoints to manufacturing shop floors.
John Barrow: Yeah, it's been interesting.
I mean, with that, obviously the first area we had to focus on is building partnerships is really getting to know our manufacturing leaders, the operations, engineering, all those different teams and that leadership and building trust with them, building relationships and partnerships with them.
Because as you know, in manufacturing, on the operations side, it's very territorial, right? Like it's all about uptime and making sure that we're as lean as possible. We're pushing out product as quickly as possible. And so anything that hinders that process, that ability is unacceptable, right?
And so I started there with really building strong relationships and really explaining the risk there, the why, our thoughts on what we need to do to help them to elevate, the protections, but also, you know, minimize the operational impact and make sure that that's clear and that everyone understands that.
And so we're actually in the process now of working with the manufacturing site on implementing visibility, asset management, vulnerability management, other things around OT security in that space.
But again, the key to all that, I mean, had we not started with the relationships and those partnerships, that would've been nearly impossible to even move forward.
Kamal Shah: Yeah, that's a great lesson, right? The IT/OT boundary can be challenging. And if you don't build those relationships and don't help them understand the risk element and the implications, then it can be challenging.
Because when you think about it from, you know, on the manufacturing floor, what they care about is, as you mentioned earlier, they care about uptime, they care about quality, they care about performance and helping them also think about risk from a security standpoint also becomes important as part of the conversation.
John Barrow: And even now, I mean, even though we've built those partnerships, once we do detect misconfigurations or vulnerabilities or anything that needs to be addressed, the response and the remediation actions need to be taken on those plant machines will actually be the other team.
Like they'll have to work with third party vendors, and so again, we're still gonna provide them with technical controls and solutions like software to support those efforts. But ultimately it'll need to be them taking the actions on those. So again, that partnership is so, so important in addressing those type of situations.
Where Legacy & AI Meet
Kamal Shah: On that point, John, how do your leaders on the manufacturing side work with those legacy providers and help them understand the urgency? Right? And of fixing vulnerabilities or implementing patches, which often can be challenging. And do you see AI playing a role in that as we embrace generative AI in our organizations?
John Barrow: Absolutely. In fact, I know we have. Part of our AI program is, is specifically on the operation side, on manufacturing.
But I mean, it still requires, I mean I doubt we'll ever get to a point where manufacturing's gonna allow remediation to be automated fully.
You know, 'cause obviously it needs to be scheduled maintenance and things that need to happen, you know, outside of office hours, outside of production hours. So that still needs to be coordinated, but I think a lot of that can be automated and streamlined.
I don't think it'll be automated fully from end to end, but current state versus future state, I think absolutely could greatly benefit from automating some of that process.
Kamal Shah: Yeah, absolutely. Makes, makes perfect sense.
Zero Trust
Kamal Shah: So switching gears a little bit here, John, in a past appearance on the CISO Series podcast, you essentially talked about your philosophy of an anti zero trust approach to security programs. Can you talk a little bit about what you mean by anti zero trust and how does that feed into accelerating your team's adoption of AI in implementing security programs?
John Barrow: I kind of laugh 'cause I mean, I'm not anti zero trust, but I think, I mean, zero trust is kind of the ideal state, but my thought is if you fully implement zero trust across an org, it can no longer operate. Right? And the business exists to make money. Right?
So with risk management, as a whole across the organization, it's a balancing act.
Like there's many situations where I know with my cyber hat on best practices are X. But I also know the risk tolerance of the business. I know what the business requires. And so in a lot of situations, I mean, not in some situations. In all situations, what the business needs is gonna trump what cyber best practices are.
So my goal, or what my focus is and priority is to really understand the business need, understand the risk, and balance that to minimize the risk, but also minimize the business impact, right? And so it's a delicate balance. There's kind of an art and science to it, right?
I know earlier on in my career when I was more of an individual contributor and practitioner, I'd freak out and see all these red flags and go to my leadership.
I'm like, why aren't we doing this? There's no way. We can't allow this. And like they're like we applaud your passion. That's great and we understand, but the business won't accept that. That'll be too, there'll be too much disruption.
And so I've been really coaching my team and evangelizing not only to my team, but other leaders as well.
Where it's like, I understand, I understand. But we're here to support the business, right? It's not IT or cyber versus the business. Like it's all about the business. We exist here for the business, right? So being able to balance that, you know, it's not risk elimination it's risk management.
Kamal Shah: I think that's extremely well said.
I think a lot of security leaders miss that element of, hey, understanding the business and working with the business and understanding the risk appetite, the risk tolerance of an organization, because that varies, right? It varies based upon the industry you are in.
That varies based upon the regulatory environment you might be working with. And so balancing that and mapping it, mapping your cybersecurity programs to the business need and the risk tolerance of the organization is so critical.
John Barrow: Well, and adding to that, I mean, part of your question too is how has that helped us drive the adoption of AI and, and innovation, things like that. And that's been huge because that's been our approach from day one.
Like when we're rolling out any new changes or new technology, we make sure we clearly communicate to the organization the why, why we're doing it.
We explain what potential impact there'll be. We do very thorough testing to really minimize the impact, any disruption.
And then as we roll it out, because we've done that work upfront, and because we've built that trust over time by implementing things and, and really causing minimal disruption or impact. Now it's gotten to the point where when we're about to roll out a new technology, we still communicate, we still explain the why, and we still allow people to ask questions and you know, concerns and things like that. But we're able to roll out like major technologies within like weeks when other organizations that would probably take months or maybe years to implement. Right?
And so, because that's the approach we take is really partnering with the business. When we're doing things to make sure it's aligned with the business objectives, it's allowed us to move much faster.
So that's, that's been, a huge, huge win for us.
Kamal Shah: That's awesome, and it was truly refreshing to see that a manufacturing leader like JB Poindexter be an early adopter of AI technologies, right? And comes back to partnering with the business. As it comes back to communicating with them, helping them understand the why, helping them understand the implications of that from a risk perspective, from a business need perspective.
Business Drivers of an AI SOC
Kamal Shah: So speaking of AI, John, you were an early adopter of AI technologies within security, right? And one of the technologies that you have embraced and implemented is an AI SOC platform.
So before we dive into the results and what you've seen, it would be helpful to understand like what were the key business drivers and pressure points or challenges that drove you and JB Poindexter to consider evaluating AI SOC solutions.
John Barrow: The main business drivers were budget to be honest.
Budget and the volume and speed of attacks. Not necessarily attacks, but alerts, you know, that we were seeing.
And my team was doing a fantastic job, right? Like our mean time to respond was fantastic for a human team, right? But we kept seeing the volume just continue to increase exponentially, you know, as technology evolves and everything, right? And obviously the adversaries are leveraging that as well.
But we also, due to the economic uncertainty right now, with all the things happening in the world, we've had a lot of budget constraints and a lot of budget cuts. Not just my team or department, but all the departments across the org had been asked for reduction in force, and we've really tightened our budget, right? And so I explained to our leadership that very clearly and urgently that unless we invested in an agentic AI SOC solution, we wouldn't be able to keep up with the alerts and we wouldn't be able to protect the company.
Because I was asked, I had three SOC analysts. And I was asked to reduce two. And so I was literally gonna have one SOC analyst. And so I've really made sure they understood like, unless we do this, we're gonna be kind of dead in the water.
But another piece of that too was not just being able to maintain our posture and our ability to respond to these alerts, but also save money. I mean, we were actually able to elevate our program by investing in the agentic AI SOC, but also save the company money.
Even when I presented that to my CFO, he is like, so wait a minute. You're elevating the program and you're saving us money. He is like: you're a wizard. Like this is amazing. You know, so, so, so obviously he loves seeing that, you know, or hearing that.
And so that was a big win too, right? And we, we've invested in AI in a lot of aspects of our program, and kind of the similar scenario as well.
Kamal Shah: That's great to hear. And that's refreshing, frankly.
You know, we see this across the board, across all our, uh, customers and prospects, where, as you pointed out, the velocity and complexity of attacks is increasing because our adversaries are leveraging AI, and at the same time, our customers enterprises, businesses are being asked to do more with the same amount of, you know, team members or even less, right?
And so how do you deal with it? Right? And the only way to fight AI was, is with AI, right?
John Barrow: Yeah, absolutely.
Coming Up with the Shortlist of Vendors
Kamal Shah: So once you made that decision to say, look, we have to look at agentic AI SOC solutions or platforms, how did you go about identifying, okay, who are the vendors you wanna speak with? And then how'd you think about who are the vendors did you want to evaluate or do a proof of concept to see who you wanted to partner with?
John Barrow: I mean I leveraged my network. You know, I talked to several of my peers. I have strong relationships with a lot of the VC companies and just kinda asked around, you know. And then started talking to them at conferences. I met with several different agentic AI SOC founders over that period. 'cause I, I, I knew that we were gonna need to invest in one soon. And so that's how I found the different solutions.
And then when I look at any type of new solution, I wanna bring in my technical SMEs as well, because I can see it from a strategic and leadership perspective, but I want them to be able to geek out and dive into the technical weeds with them and really understand, you know, how the technology works and how it'll fit into our security stack.
And so, so, yeah that's how it was brought in. And then once I had my technical SME like dive in and really look at it and kind of kick the tires and things like that, then we made our decision.
Kamal Shah: Thank you for partnering with Prophet AI and we are truly grateful for that partnership.
Success Criteria in the Evaluation
Kamal Shah: As you think back into the evaluation process and the POV process and based on feedback from the technical team, were there any success criteria that stood out to you that you would want to call out or that you would recommend our listeners or your peers pay attention to as they think about agentic AI SOC solutions within their organizations?
John Barrow: To be honest, I went in very skeptical.
You know? I was like, wait a minute, you're gonna tell me you're gonna automate my security alert response? You know, my first question was, well, what kind of permissions does it need? Like, what's it gonna have access to?
So I went in a little skeptical. But then as we started kind of talking through it and looking at it, we saw that it would be able to, you know, automate a lot of the initial triaging for the alerts without needing write access from the, from the beginning. And, and so some of those core requirements was that.
Like what permissions does it need? What will it truly have access to? And with that limited access, what can it really do? Right?
And then another huge requirement was, you know, I wanted to make sure and validate how thorough it was, like when it was doing its queries and its validations and all the different checks and steps when it was triaging an alert. We went pretty deep all the way to the bottom just to validate like, you know what all it all was seeing what all it was annotating, what all you know, just to make sure that it was valid and it was accurate. 'cause accuracy was a huge part of that.
And another piece of that is, I'd mentioned that we were asked to drop to one SOC analyst. Now to add even further to that challenge is that the new SOC analyst was a new SOC analyst. She had only been on our team for two to three months. And so we needed a solution that would help streamline her training process, get her up to speed to where she would be proficient and would be ready with the help and assistance of Prophet to maintain our security alerts.
And so that was a big deal of how intuitive is it? How easy is it to use, how is it easier for her to become proficient using the platform? Right? And so those were all key requirements.
But also it was really important for us that we could integrate with all of our, our key core like security solutions. That was another requirement.
'Cause we did have a previous SOAR technology, and we had like a, an analytics platform, like a SIEM. But it wasn't kind of an ideal state. And so that was a key requirement as well, is like, everyone, you know, claims to have that single pane of glass and then you only have to look here.
And so we wanted to make sure that that was accurate as well. So we, we thoroughly tested all of those different aspects.
And Prophet did really well with that.
And I don't mean to foreshadow 'cause I know you're gonna probably ask the question, but, um with that, I mean a key part of that too was, you know there's no such thing as a perfect solution, right?
There's certain aspects that were like, Hey, it'd be really cool if we could have this, or it'd be really cool if you know, or be helpful if we could do this. Or, you know basically the feedback loop between my team and the Prophet team has been amazing, right? Like they're super responsive. Whenever we have feature requests or we have areas where we're like, it would be really helpful if y'all could add this, or just little tweaks and like, you know, almost cosmetic type things where making things easier, more accurate, additional tweaks to processes and things like that.
Your team has listened. Been extremely responsive, and in most cases, if not all cases, they have made those changes, you know, to make it work better, make us more successful as a team utilizing it.
Kamal Shah: We appreciate the kind words and we appreciate the partnership, and to me, this is a partnership, John, and that's how we, we treat every customer relationship. This is not about, Hey, we got the transaction done. I'll see you again in a year. Exactly. Good luck. It's all about working together and making it, making each and every one of our customers successful.
But just to summarize for our leaders, I was taking some notes as you were talking.
The most important criteria for you was accuracy and making sure that the depth, the quality and accuracy of the investigations were there. Because without that, you can't really trust any agentic AI solution.
The second thing, interestingly, that you mentioned, which we hear consistently from many of our customers is transparency and explainability. So when Prophet AI shows the work, then your team, your analysts can also learn from that because we outline all the steps that we take in the investigation process, and so they get smarter over time.
Integrations and integrating with your workflows and all the security tools that you have in your environment.
Adaptability, which is being able to take your policies, your organizational context, and being able to have that reflected in the product, and so that the product is essentially, as time goes on, becomes more fine-tuned to your environment.
And then finally, it's just the responsiveness of the team in terms of building out features and, uh, adding capabilities requested by your team.
Does that summarize your, your feedback?
John Barrow: Yeah, you know, you did a great job.
Kamal Shah: Well, I was just taking notes, John, as you were talking, so all credit goes to you.
So thank you for that.
Areas for Agentic AI Solutions
Kamal Shah: As you think about, you know, moving beyond the AI SOC, are there any other areas within security where you're looking at agentic AI solutions to say, Hey, this could be an interesting use case for another aspects of security beyond the AI SOC.
John Barrow: Yeah, I mean, we have. In fact, I just had a meeting earlier this week with John Poindexter, our owner, CEO as well, and my boss talking about this specifically. Like how, how are we leveraging AI in our cyber program? Like, how are we being innovative? How are we getting ahead of it, you know?
And so we have an AI autonomous pen testing solution that I, I've invested in that we're utilizing now. I think that's a game changer on that.
We also have, you know, for a few years now, we've had an AI email security solution that also freed up a whole resource.
We have a lot of our like data security platform. We have our SIEM. We have a lot of areas that have AI based capabilities that are helping us kind of keep up, you know, get ahead of, of some, some of the areas.
But, but in general, speaking, like, I really think anything that has to do with data crunching, data mining, anything that's a repeatable process, something that usually takes a lot of time to do. I think all that can be automated.
In fact, earlier today I was on a call with another solution that automates your third party risk management assessments, you know, things like that, right? Like anything that, is mu, I don't wanna say mundane, but things that are data-driven, that are repeatable. AI does an amazing job on that.
But you know, with that being said, I mean, obviously in certain areas you still need the human in the loop. You still need, because you want specific outcomes, you need to have the context, so I, I think there's a lot of opportunity to leverage AI.
But I think I would caution everyone also. And I, I'm sure most of my peers would say, yeah, of course we're not gonna automate certain things, you know. But I'd just be methodical on it and really think through it and test it and make sure you have the right guardrails in place.
But that's, I mean, that's the key.
I mean, even for our overall AI program at JBPCo is, if we have the right guardrails in place, then we can move faster. Right. You don't have to be scared. You don't have to, uh, try to do things, but you're, you have fear, you know, to break anything or do anything wrong.
Like if you have the right guardrails and policies in place, you can move a lot faster.
CISO Challenges Adopting AI
Kamal Shah: Absolutely. Speaking of peers, you've been very active in the Houston CISO community. What are you hearing from your peers about their biggest challenges as they think about adopting AI within their organizations?
John Barrow: I think it's very similar, where it's you know all the organizations, the leadership are saying, Hey, we need to embrace AI. We need to have competitive advantage. We, you know, we need to embrace this.
But they're, it's almost like the business is moving faster than the security team can move to make sure they're doing it the safe way and securely.
And so I know a lot of my peers are like me. You know, we're still wrapping our heads and our arms around everything and making sure that we're staying on top of the latest developments. You know, like the Glass Wing report and all the other things that we see every day.
But also it's, I mean, like you went to RSA, I mean there was what, 75 AI security solutions.
You know, it seems like every domain, which is exciting. There's a lot of innovation coming out and there's a lot of great technology coming out, but there's a lot of noise, right. And I think we're just getting buried by all of it. And knowing which one to look at and which one does this, and having enough time to really, truly evaluate all the different ones.
I think it's important to be able to kind of weed through that and make sure that we're helping each other to understand like, hey, you know, I've looked at these 30 AI solutions. You know, these are the two or three that I've seen that I think are the most mature or they cover the most, most of the AI ecosystem.
You know, 'cause different solutions cover different aspects, and they're almost kind of niche, but they don't really cover the full ecosystem.
It's the whole point of a network is we're all in this together. Help each other out and share, the things you've seen and what you've noticed.
And I, I do a lot of that right. Because I am an early adopter and because 50% of my program is startups. Right. And I've greatly benefited from that. And I'm kind of evangelizing that and educating people and sharing that with my peers.
Some think I'm crazy, but, but I think, I really think it's the only way to keep up, you know?
And so just trying to help the community, you know, get ahead of that as well.
Kamal Shah: Absolutely. And it, there is so much noise out there and the good and the bad about cybersecurity is anybody can copy anybody's messaging. And so when you go to anybody's website, you know you have 50 companies that talk about the same thing, and you really have to peel the onion and you have to dig deep to understand what's real, what's not.
And that's why I think the best way that we think about it, getting the word out is through word of mouth. Right? And having respected leaders such as yourself talk about the results that they have achieved. So you know, speaking of which, one last question from me and then we'll get into rapid fire set of questions.
Communicating the Results/Metrics of AI SOC
Kamal Shah: How do you think about communicating the results of the investments you made in AI technologies like AI SOC, for example?
What are the key metrics that you're communicating to your leadership, John Poindexter, to say like, here are the results we've achieved by investing in AI.
John Barrow: One of the top metrics, you know, it's one that I've been reporting every month in my top five KPIs is our mean time to respond. Right? And I know depending on the leader, some people hate those type of metrics, but I mean, we went, like I was saying, my human team did a fantastic job. We were at 15 minutes, which is amazing for a human team, right?
But by leveraging Prophet's agentic AI SOC solution, it immediately went down to three minutes, which is incredible. You know, a human team would never be able to get to that efficiency, right? So sharing that metric with them and also sharing with them that because a lot of the false positives and a lot of the informational and all the type alerts that we don't need to worry about, it's also helped minimize those, right?
Like we were, I wanna say our total alert count per month prior to Prophet was around 20,000. I mean, granted a huge percentage of that was false positives, informational, and things like that.
Once we implemented Prophet, that's dropped to around 2000. And then still with those 2000, we ended up having to actually investigate about a hundred a month. And so that's greatly reduced the number of investigations we need to perform, but it's also greatly reduced the noise and all the other false positives and things. So I report that up.
And then also, again, I mean, having an analyst that's only been on the team for three months. And she's kicking butt. I mean, she's learning a ton. She's able to dive into all the alerts and seeing what all the validations and all the checks y'all are doing, and it's really helped streamline her training and proficiency. I mean, now she's been on the team seven months or something like that, and she's, she's awesome.
I think a huge reason for that is because of Prophet and her being able to see all that.
'Cause a lot of that context, a lot of the analytics, and how to think and be able to determine what's abnormal, what's normal. You know, what, what do I need to validate? What should I ask? What, what systems do I need to query? Just kind of that thinking that, that analytic mindset isn't something you can learn overnight. Right. And so her being able to see that has kind of helped streamline and like help her focus on the areas she needs to look at when she's performing investigations.
So that's been, that's been a huge benefit.
Rapid Fire & Conclusion
Kamal Shah: Thank you, John. And with that, let's dive into a rapid fire set of questions.
John Barrow: Sure.
Kamal Shah: So first, if you had to pick a different career entirely. Nothing in tech, nothing in security. What would you be doing?
John Barrow: I'd be playing music. I'd be playing music. Yes. So I sing and play drums. Um, my dad was a country singer in Nashville, so that, that I would definitely be playing music if I didn't do cybersecurity.
Kamal Shah: Amazing. Your favorite beverage of choice?
John Barrow: Are we talking alcoholic or non-alcoholic?
Kamal Shah: It could be either.
John Barrow: Okay. Well, I would say vodka and soda with a lime. On the non-alcoholic. I drink a ton of water, so I love water.
Kamal Shah: I love it. What have you recently read or a podcast that you've listened to that you would recommend?
John Barrow: Yeah. So right now I'm actually finishing Nexus, um, which is, um, here, I'll, I have it right here. The author is Yuval Noah Harari.
It's Nexus. It's a really, really interesting book. And I think it's timely, you know, kind of around our conversation actually. It's talking about, you know, the information networks, you know, from the beginning of time, civilizations how information and data has been shared from human to human through, you know, like tablets and paper and papyrus and you know, the printing press and telegraph and all the way up until now where now it's like computer to human interaction and sharing of data and how soon it could become the human could be completely cut out of that information sharing loop and the algorithms. And it's really exciting, but also really scary.
You know, talking about how, you know, governments and financial systems and everything across the board could be managed and owned and dictated by algorithms and machines, you know?
And so, with AI, I'm, I'm kind of like the one, one foot on each side, you know.
One side I'm extremely excited about it, but it's, it's a little scary, you know, if we, if we, again, if we don't get ahead of it and make sure we're properly defining the desired outcomes, the guardrails and making sure there's, you know, ways to fix issues, and having that feedback loop, you know, things like that.
I mean, it's pretty wild to think about it. But yeah, I would highly recommend reading that book if you haven't.
Kamal Shah: He's one of my favorite authors. I read Sapiens was the last book that I read. I, I haven't read his book about the 20-21 lessons for the 21st century or something like that. But I will definitely check this book out.
And then the very final question from me today is: is there any security tool or a security category that you expect to be phased out or be obsolete in the next couple of years because of AI?
John Barrow: I'm trying to be careful in my response. I don't want too many angry people, angry listeners.
I would kind of double down on what I said previously.
Like any area that is data driven, data mining, data crunching, repeatable processes, I think that'll be eliminated.
I think there are opportunities for certain areas, where it's too much for humans to keep up with. I mean I've seen recently, you know, areas where automated RAC, automated network security, like firewall management, automated. I mean, obviously on one hand that sounds scary and how would you ever trust AI to do that? But you know, I've never been in an organization where the team had enough time and resources to maintain the firewall rules and policies accurately, right.
Things like that where it's just, it's a beast and it's too, there's too much to it. There's too much manual effort needed. I think any areas there will need to be automated again to keep up. Right?
If you're, if you're leveraging AI in, in all aspects of your cyber program, but yet there's areas you're not, I think the areas that you're not leveraging AI are gonna fall behind, and that'll be your weak spot. You know, your weak point.
Kamal Shah: Completely agree. And you know, some folks feel that application security as a category will just become part of these frontier models because as we are leveraging them to write code, who better than them to help identify vulnerabilities and do code reviews, because they just have a deeper understanding of the code that they are writing themselves.
And so it'll be very interesting to see what happens over the next couple of years. But nonetheless, it's gonna be a super exciting couple of years and with...
John Barrow: Well, on that, I don't know if you saw it, but there was some report that was sent out that had a percentage of the startup solutions at RSA that could have been vibe coded over a weekend. And there are a lot of, I know personally, a lot of folks that are kind of building their own agents and their own, you know, security solutions with AI.
Um, and they're looking to potentially start building stuff in house rather than going out and buying solutions. Right. And that's, I think, there's, you know, there's some opportunity there too, right? So, um, I know it's, it's gonna be interesting, you know, I mean, you no longer have to be a wizard coder to, to build things anymore.
Kamal Shah: Yes, absolutely. And I, I do think that folks are underestimating what it takes to maintain and continue to write enhancements. And so it's one thing to vibe code an MVP and do a demo, but you know, we've had customers who have come to us six months later when they try to build their own AI SOC and they said, Hey, demoed well, but you know, you have to make sure the SOC is working.
It can't be offline. Building a system that's robust, that's scalable, that's reliable and has, you know, five nines level of availability is hard. Right? And if you don't have that, you have an alert that's fired. And if your system is not picking it up and you know, you don't get to your MTTR of three minutes or less, the damage may be done.
Right? So there is a, there is a level of you know, building a product versus a demo or, or a feature. So there is some elements in some areas of it, but there's certainly categories of software where you could argue, Hey, you know, I don't need that five nines level of availability, reliability, and scalability and able to get the job done.
So with that, John, yeah, with that, thank you so much for your time, for your insights and, uh, with that, great to have you on the podcast and we'll call it a wrap. Thank you.
John Barrow: Thank you, Kamal. Appreciate it.
