ThreatCast

Jim Griffiths on Board-Level Buy-In and The Human Factor

Threatscape Season 1 Episode 8


In this episode of ThreatCast, Paul O'Sullivan is joined by Jim Griffiths, Head of Information Security at Associated British Foods, to discuss the intricacies of gaining board-level support for robust cyber security practices. They delve into Jim's extensive career, from his beginnings in the Royal Air Force to his current role in the private sector. The episode highlights the critical challenges and potential strategies for aligning senior management with cyber security objectives, the human factor in security models, and the evolving landscape of information security in light of AI advancements.

What We'll Cover:

  • How can organisations effectively and safely integrate AI to enhance cyber security measures?
  • What are the common vulnerabilities associated with the increasing use of QR codes in daily business operations?
  • How can organisations ensure comprehensive cyber security training and awareness among employees?
  • What are the best practices for gaining executive and board-level support for cyber security initiatives?
  • How can the cyber security community better highlight and share successful security practices and techniques?

ThreatCast podcast is produced by Threatscape.

Our mission is to provide a secure and certain future for our clients. Keeping them protected so that they can go about their business is how we know we’re delivering on our promise.

Contact us

Email Address : info@threatscape.com


Thanks for listening & keep podcasting!

You can't check into a hotel room without scanning a QR code for the menu these days. If that can be subverted, that's a problem. Let's just say so. And video platforms, nation states use them as a mechanism to distract and dumb down the population. People doing it for money, or they're doing it for their ideology, or they're doing it because they're being coerced, or they're doing it just because they've got an ego. Demonstrating how information security is very equitable with site safety. Of course, we've seen every vendor in the world has now got an AI component. The bigger challenge, I think, for everybody is getting that buy-in. The humans are the weak points of all security models. But they're also the first line of defence.

Paul: Hello, and welcome to ThreatCast, a podcast by Threatscape, where we chat about all things cyber. My name is Paul O'Sullivan, I'm the UK sales director, and in today's episode we'll be discussing what it's like to get the board bought into good cybersecurity practices. In today's episode I'm joined by an old contact and friend, Jim Griffiths. Some of you may know him, but I'll let him introduce himself. Jim, over to you.

Jim: Thank you, Paul. Yeah, I think you and I first met, crikey, what would it have been, 2007, 2008-ish? Maybe back in the days when we were bringing Yodel to life. So, yeah, I'm Jim Griffiths. I'm currently head of information security at Associated British Foods, and for the last 35 years now, crikey, I've been working in information security: 16 years with the military, serving with the Royal Air Force Police, and then the last 20 years working my way through management, up to the lofty heights of CISO, my previous role with the Kier Group construction company, based in the UK and covering the UK and lots of European and whatnot.
And then, yeah, the move to food manufacturing and ingredients a couple of years ago, back in 2020. Gainfully employed today and very much on the front foot in all things cyber.

Paul: And obviously we know each other, as you said, going back some time. But I guess digging into that, for the benefit of the audience: you served time in the Royal Air Force. Walk me through the step into the civvy world and, more importantly, into cyber security. How did that come about?

Jim: Yeah. So thankfully the military offered me a good career as a policeman, and I started that in the late 1980s, where I think the biggest role we'd got at the time was nuclear weapons security. Then a couple of years on that, and then got promoted and had to make a choice on how I specialised. And we had two choices. You either went down the CID-style route, nicking villains, putting them in jail, prosecuting, that kind of thing. Not interested. The CIB world, Special Investigations Branch, it wasn't for me. I settled on the sexy title, counterintelligence, not quite knowing what that was, but it introduced me to this world of information security, back in the day when it was all on a piece of paper, on a file, in a safe, in a registry, before computing. And then along came computers. You know, the mainframes we'd always had, but we certainly didn't have them at a desktop level. So that was my kind of entry into computer security, as it was called at the time, but largely looking after all of the classified sensitivity related to operations, equipment, all of that good stuff that we carry over into business today. Then in 2003 I managed to hurt myself to a point where I couldn't continue my career, so I had to leave. I'd just embarked on my master's degree, which the RAF was paying for, with the University of Westminster, so I was given time to complete that. And then I was medically discharged, and I was thinking, you know, how do I bridge the gap now?
I've got 16 years under my belt, all my skills transferable, and thankfully it's the IT security that was the transferable skill set. But I didn't look for a job. One of our MoD suppliers rang me up: "So we hear you're leaving defence. Come in and have a chat." So I moved off to consult with them for a while, for a couple of years, before I was then enticed into the world of security management with a company that provided a lot of banking-level insurance to your current account. You know, you pay your 10 pounds a month for the current account, the banks have to offer you some services for that money, and one of them was Tech Protect insurance. So I joined that, the insurance division of Phones 4u back in the day, and embarked on my managerial career henceforth. And then every kind of three or four years moved up the chain from manager to director, director into CISO, and then moving laterally to come into ABF via British Sugar in 2020, and then moving into the operational centre space back in 2022, so that's a good while now, looking after the security operations centre and very much owning that operational environment and freeing up the CISO to concentrate on the C-suite and the daily politics that managing a big old business kind of brings to life.

Paul: It's almost like you're setting this next question up for me, because it segues quite nicely into very much the challenge which is the point of this podcast, or this particular podcast as it were: getting that buy-in. Because to my mind the tech bit is a challenge in and of itself, and maintaining compliance, of course. But the bigger challenge, I think, for everybody is getting that buy-in. I'm kind of interested in maybe some examples of that, whether it's way back in the Phones 4u insurance space, obviously you dealt with iMap or any of the others for that matter,
where you've gone into that organisation and there's almost been this indifference or devil-may-care attitude towards what we now call cybersecurity, or back then IT security. Are there any examples of that where you kind of had those "what?" moments?

Jim: Yeah. So certainly the movements of management: the Phones 4u insurance gig was largely driven by the people that they served. So they served all of the high street banks, and the banks themselves said, look, you need somebody with this kind of profile to come in to manage your information security, because we're giving you customer data, right, and that's vital to us, it's our lifeblood. So they actually put a profile together at the then Lifestyle Security Group, kind of a... Lifestyle Services Group, sorry, and then stepped to market and sourced against it. And that's kind of followed. So when I moved to Yodel, kind of four years then down the line, it was being split out of Shop Direct Group to be stood up and the brand created, and it was the same kind of deal: you know, when you're delivering for big, big retailers, they're giving you customer data, and again they want to make sure that the security of that information is appropriate. So bringing in somebody that can be the single point of contact, operates at senior level, advises and guides the senior stakeholders and top-level boards on what those requirements are, how to operate and execute against them, but does it in a way that makes sense with the business objectives very much front of mind as well. It's kind of word of mouth spreading in the scene, that kind of move every four years or so to more senior, more responsible positions.
And that's, I think, the style that I've applied in each of those engagements: it's not a subservient role, which quite often, when you move from the military to the civil sector, you're very rank-conscious, depending on where you are in the military organisation, but you're just part of doing business now and you're the subject matter expert, just as a finance director or an HR director is the subject matter expert in their environments. And it's being able to understand the business objectives and the business language and put across what are quite complex problem statements in bite-sized chunks that are solving problems that continue to move that business forward appropriately, you know, and face into the "no end state to security" kind of perspective and the emerging threats and vulnerabilities of the day.

Paul: Interesting. You say that, breaking it into bite-sized and understandable chunks. So perhaps I'll pick, you know, Yodel as an example and unpack it. But in my head, to explain or share, you know, my mind: yes, there's customer data in there. But I guess as an organisation, whilst there's the data protection side of it, equally there's probably a lot of tech. I'm saying this now, we did some work together, getting the management to actually make the correlation between data over here and "fix this stuff here to protect this data here". Otherwise, you know, everybody has a bad day, all the way up to the CEO or something. Can you give maybe some examples of where you started to help them make that correlation with those bite-sized chunks, as you describe them? I'm particularly interested to see some of that.

Jim: Yeah. So I remember having a very good conversation with a chap called Jonathan Smith, who was the chief executive of Yodel back in the day. And because it had been split out of Shop Direct, it was very, very focused on physical security, you know, delivering goods essentially around the country.
And I joined off the back of these retail organisations saying, we know you need something in information security as well. So I remember sitting in a three-way meeting with Jonathan and with Andy, the physical security director, and just talking about all of these crown jewels the business had. You know, we'd got not just customer data for retailers, but the retail channel information, our own information as well. You know, the crown jewels in the business, whether it was our employee data, whether it was our profit and loss, whether it was our financial performance, because we were privately owned and we were held accountable by private equity to perform. So bringing all of that into a conversation concluded with Jonathan saying, "I don't get why we've not done this before." Yeah. And it was all based on just creating the bite-sized chunks: not talking about cyber, not talking about threats and vulnerabilities, but just talking about regulatory environments, you know, the legal statutes that we've all got to comply with wherever we are, bringing that into our business ways of working and our operating models, understanding where the critical points were and what capabilities we had today, where the gaps are, but then providing an assurance that we'd close out the gaps. You know, we can't do that overnight. It's going to take time. It may take investment, depending on the capabilities that we've got. Which is really bringing a kind of a seat to the table that can then talk about doing business appropriately, with information security very much front and centre in the conversation, to demonstrate the quality of the business and to give those customers and retailers and clients the confidence that we're the right partner for them. That's then maintained rolling forward no matter where we've operated. Yes. So if you think about it, that was logistics, I've done insurance,
I've done some of the critical national infrastructure projects. It's the same principles applied, and I've applied them for 35 years now, you know, and they were probably brought to life in the 1980s, but they're still relevant today despite the legal and regulatory environment changes.

Paul: I mean, the way you describe it, it sounds like you very much talk at a business level and then kind of bring across and correlate any elements of tech that might need considering, process, whatever it may be. Whereas I get a sense oftentimes people are perhaps trying to get Jimmy the broom, or the board, or the individuals into understanding tech-speak. Is that a reasonable description, would you say?

Jim: Very much. You know, I think the point I would make here is that all of this is learned behaviour, right? I certainly didn't get into business knowing all of this stuff. Nine or twelve years down the line, it's about understanding what works and what doesn't. You know, and I remember going into a chief exec in one place, and I'd been asked to look at operational risk off the back of something we'd done around information risk, and we were in the compliance style, right, to play back this risk register to the chief exec. And he just ripped up, physically ripped up, the paper product we'd put in front of him. And I was aghast, you know. Oh my God, my career is in tatters. I've done all right to date, but this is not going the way I thought it was going to go. Why not? And he said, "Jim, you've got to understand, we're in an entrepreneurial business. Risk is my reward. So it's great that you can track my operational risks, and thank you for that, but I'm not interested in seeing the register, because I will chase whatever risk I feel is relevant." Wow. Big, big learning moment, right, in your career, when everything else to date had been relatively, you know, steady state, rinse and repeat.
But you move from a kind of a regulated business to an unregulated business, to an entrepreneurial business, and by golly, those are different environments.

Paul: Yeah, it's interesting you mention that. I cast my mind back to when I was at an event working for a vendor, one of these what we call speed dating events, where you go and do the talks and then the likes of yourself, sort of client side, are forced to sit in front of some sales droid like me and listen. Those events we loathe so much. Like, okay. Yeah, I could just tell this guy had this look of, what? Complete deflation at the stuff that I'd just said, some stuff I'd been trying to pitch. And how does this... you know, he'd clearly been made to come here, like, let's just dispense with that. We got on quite well once we'd dispensed with the spiel, and we were talking about risk and PCI and all the rest of it, and then obviously unacceptable risk. And he said, well, the thing is, along comes Mastercard and Visa, whoever, and says we must do X, Y and Z. We've got this planned refresh project next year that's already scheduled for £6 million. If they're going to fine us 250 grand, so be it, we'll take that risk, because we're not going to bring that forward. Let's go and talk to our cash flow. So they can take it or leave it. If they don't like it, then we'll just stop accepting Mastercard and see how they go with that, because it will hit them more than it hits us. Yeah. And that was one of my moments of realisation that, you know, this is the business taking a business view. So all these vendors hawking their wares are completely wasting their time. "Oh, you must do this because of PCI and you're a retailer." Yeah, join the queue. Yeah, absolutely, absolutely. So, and obviously the big one where, you know, the real change for me was when you were at Kier. I remember the famous conversation, the very reason I'm sitting here myself today, because of that whole time.
But drive that, because that's an organisation with massive technical debt and, I'm sure, a myriad of people who weren't necessarily bought into the importance of technology, let alone good security practices. Give me maybe some examples of some of the challenges there, or, yeah, where you most reached a tipping point and got people to have that light bulb moment.

Jim: Yes. Yeah. So I think joining Kier... I joined Kier through acquisition. I was with a business that got bought, and I was invited down on a Friday afternoon to have a conversation with the Kier CIO, a chap called Duncan. And Duncan invited me down. Of course, I drove all the way down from Staffordshire to Bedfordshire, thinking, Friday afternoon in a business that's just been bought, I've done all of this great due diligence over the last six months, I know what this conversation is, right? It's going to end up with an envelope and me coming back up the M6 because I've just been let go. And I arrived and Duncan introduced himself, introduced the company, and then said, "Look, I'm looking for a head of information security. You've done all this really good work through the acquisition. Do you fancy joining me?" Well, taken aback at that point, because this is not the conversation I'm expecting. Working with Duncan was probably the single biggest career change of heart, because he treated me as a partner, you know, to come in and add a skill set that they didn't have. They'd got a couple of contractors doing kind of commodity information security: policies, procedures, that kind of thing. But Kier is one of these businesses that is involved in UK critical infrastructure itself. It builds stuff. So all of the key government-level projects all need a named security manager. It's got to be cognisant of the built asset security space. There's a whole discipline that comes from designing and then building infrastructure.
So I suddenly found myself kind of put in front of the senior operational guys. We had a couple of CIOs, one to look after business services and BPO and one to look after the more traditional construction. I think we had a third at one point that looked after housing. You know, you're in front of these guys. They all want to know what they've got to do in terms of security at a physical level and an infosec level, you know, and you're the guy that we've just hired because we bought the company and you've now got the gig. Duncan's looking after the IT, you're looking after the security. How's it going to work? As a part of doing business, Duncan and I are partners, you know, he's the chief information officer and I'm your information security officer. And over the course of the next two years I would set some objectives to grow the head-of role into a CISO, to face into the top-level board environments there and work with everybody from group counsel across the operational spaces into the back office, head office spaces, you know, every level of the organisation. So yeah, I often find you join these businesses and you look at who they are and you do your research on how they present themselves. You get behind the scenes and they're a much, much bigger, more complex beast than you thought; you've underestimated. So, you know, my first kind of three, six months always becomes: I've got to learn the business, got to learn what works, what doesn't, what language they use. What I listen for is when can I push a message and inform people of what needs to be done? When do I need to just back off a little bit and recognise that we're already doing something in this space and I just need to support? And then equally, every now and again, crises happen.
So how do we lead businesses through events to ensure that we've got a business recovery model that's achievable and capable, you know, and then just make sure that in the 2017/18 WannaCry and NotPetya moments, we batten down the hatches, survive, and then thrive inside of it.

Paul: Yeah, that's an interesting point you make there about understanding the business and the language and the people. I mean, with all the guests I've had, we've touched on all the things that go on that haven't been brought to the forefront. Yeah, I mean, we have to do that as salespeople, to try and figure it out, to drive success, to hopefully, if we are in the frame for supplying something, ensure success in doing so. And I do often joke about whether CISOs and maybe other security leaders could benefit from working with salespeople and some of those approaches. But what you've said there seems to validate that. I mean, what was your observation in that, again without naming anybody? I mean, you're making comments that might be a little slow to land. Did you find the appetite grew? Was it kind of mutual? Was it different? Was one team making that investment? Where did it sit?

Jim: Definitely cautious on all investments, because when you're dealing with a lot of infrastructure projects that largely run as businesses in their own right, you know, the project has its own budget, its own profit and loss, and that aligns into a division and then into the wider business. So I remember sitting in front of construction site managers in Portakabins with computer systems, portable and fixed, kind of making sure they'd got the right things to comply with what the customer was asking, what the government was asking, and then taking that message back to the customer. I found a bit of a secret to success, because in my first couple of months everybody was like, "What are you even doing?"
"You know, it's a head office thing. We've got our IT. It just works." And it was about bringing them through the contractual-level obligations that we'd engaged against and demonstrating how information security is very equitable with site safety. Yeah. So you're operating in a safe way, you're looking after the information, the designs. You know, nobody wants the designs to be leaked to an attacker or to the wrong party, because we worked on some very, very secure sites, and equating it to safety was a common denominator which worked well. Equally, when I then went back into the C-suite and promoted conversations, they're an entirely different lens, entirely different language. You know, it's not the local language of a construction site, which can be quite fruity. This is now a bit more corporate. But I think the best conversation I ever promoted there: we did a tabletop exercise with the C-suite around an event, and the trigger for the event was, you know, data being leaked or lost the day before we're about to announce results to market, and the CFO is saying, "What on earth do we do, Jim?" You know, and I said, well, we've got chief counsel here, we've got the corporate comms director, we've got the CIO, we've got the operating officers. You know, this is very much a head office thing, right? It's a stakeholder thing, for the shareholders. So we need to know what we're telling them. That's going to be the key message, because we can't produce the information tomorrow a.m. that we were meant to. Well, actually you can, because the release to the markets is the end of a process, not the start of a process. But I remember the comms director saying, "Oh my God, you know, we've got to get this message out. It's got to be this, that and the other." And chief counsel said, "No, absolutely not. Tell no one nothing, ever." You know, we've had a thing, we don't quite know what that thing is. So what are we telling people?
And the CFO: "Well, what do we do?" Well, we let this conversation happen, because we've got to find the midpoint, right? We can't hide the fact we've had a problem. But when we report it, we report it like a plane crash: a really technical incident that makes a plane fall out of the sky is analogous to this situation. You know, it's a technical problem with a clear resolve that we can't give the shareholders the information tomorrow morning. So what are we going to go with as a holding message? And is it going to be done under NDA? Is it going to be done publicly? We're a publicly listed business. We've got fiduciary responsibilities, we've got legal responsibilities. Yeah. So all of that's got to factor into your thinking. And that one conversation, I think, cemented the reason that I got the gig. Yeah. Information security was absolutely critical to the organisation when the balloon goes up and you've got to respond appropriately. You need somebody advising and guiding. It's never going to be the guy that's talking to the press, but it's going to be the guy behind the scenes, or the girl behind the scenes. You know, "guys", that's an androgynous term I hope these days. The folks behind the scenes, let's settle on that. It's a bit Wizard of Oz. You've got to be behind the curtain, steering, pushing, cajoling, you know, steering, knowing that the people that do then have to do the front-facing stuff have to be as well informed as they can be, but not all the report.

Paul: It's just, you say that, and how did the tabletop exercise come about? Was that something you instigated? Was it something they instigated? Or...

Jim: So Duncan was very much cognisant of not having done one before. Through the communities I'm a member of outside of my professional career, I've kind of been involved in that world for about 20 years or so, through various focus groups and special interest groups. And Duncan had come along to one of these sessions.
He'd seen kind of what was being adopted in the security industry, came back in and straight away set up a chat with my boss, the CFO: "We think it's a really good idea if we run this tabletop exercise, because we've never done one before. How much work is it?" So we kicked the problem around the room for an hour or so, came up with a strategy and a plan. A tabletop exercise is a tabletop exercise. We'll have some principles. It's a safe-to-fail space. You know, you can put your hand up and say, I just don't know, I don't know what to do next here, because it's a training environment. And then, yeah, it can be done at any level of the business, right down into the weeds of, you know, IT operations or finance operations or HR, and you can just scale it up, you know, depending on which part of the business you're dealing with. And it went down a storm. And in my current business I've got a team that does that pretty much day in, day out, and it's probably the most well-respected team that I've got here, second to my security operations.

Paul: That's interesting. I think that's the takeaway for folks watching. That's got to be one of the lessons, because interestingly and coincidentally, in maybe an interesting way, I went to a vendor event, a linebacker organisation, and they actually used a scenario, almost like a tabletop exercise, to get the people who came to the event thinking about this. So there were lots of IT folks, one or two partners like myself, and it was a whole thing on the anatomy of a ransomware attack: this retail organisation, the problems they faced, and so on and so forth. And I think to the point that if that's the tipping point, the trigger to get people thinking, you know, that's the beginning of you starting to get that buy-in. So that's a really good shout-out to you, and thank you. I suppose we could maybe move nicely
then on to the state of the industry. I'm going to come back to the how I came to be here and stuff in a second. So what's the state of the industry at the minute? It's a purposely open question.

Jim: Yeah, that's a question. But such a broad question. The state of the industry, I think it's maturing quite nicely. You know, at the business level we've earned that respect, if you like, that inclusivity now within a business organisation. It's a broad church, as you say, whether you're a vendor and provider, whether you're a consumer and business, or whether you're somewhere in between. It's an industry that's come together. Well, at times we've been divisive. You know, I've been in those meetings where it's just another vendor pitching to you: well, how do you even know I've got a problem to solve in this space? But our risk isn't managed by, you know, meeting requests with vendors that have got the latest shiny-shiny. It's a company investing, and it's money that is... shiny-shiny is definitely your words. But for all our concern that comes, you know, I think we all kind of share that same ethos in this day and age that, you know, infosec is a thing. It's not going away. The UK National Cyber Security Centre said, a couple of years ago when it was founded, there's no end state to security. Yeah. So kind of look at that and think, you've got to be mad to work in it, in whatever context. You know, we've got those dreaded buzzwords that keep driving the kind of marketing of it. But, you know, we've got game-changing capabilities now coming to the fore. I'm going to fine myself. We operate a five-pound penalty at ABF if we mention the word AI. So there we go, a five-pound penalty. But you say, well, what a game changer. Everybody wants it and it's a massive accelerator, you know. So how do you secure that when there's no reference model out there,
because it's so new to market? You know, how do you adopt it cautiously? You know, do you apply those same principles that you've been practising for years: due diligence, know your critical information, and validate the answers out, that kind of thing, all coming together. But it's now a mutually beneficial ecosystem. Yeah. So marketeers might pick up the latest, greatest buzzword, but then get used to it. You know, if I was a diehard, yeah, I'd say that, you know, traditionally cyber is threats emanating from the internet. That's how it came to be all those years ago. Yeah. But cyber is the one word, the one board-level word now, that covers the entirety of the information security ecosystem, and our supply chains of vendors, our partners, are all critical to us when, you know, when the balloon does go up and we've got to flex. We've got to flex and pull together. Yeah. So I think the industry's coming along well. It's got no end point. So crikey, you know, what's around the corner, Lord only knows. But right here, right now, we're dealing with some really exciting opportunities. And we're doing that this year, of course, in an election year, where there's a lot of disinformation, misinformation and that cyber events happening everywhere. You know, are we having the opportunistic conversations to say, right, so what happens if that was happening to us? Are we comfortable, are we confident that we've got the right capabilities, the right partners, the right vendors, the right solutions all in place to stand us in good stead? Yeah. We'll see what the rest of the year brings.

Paul: Yeah. Come on. I mean, a few things there. Unpacking that, the public comment about vendors, well, I get the sense that it's coming. I think that's because of the cooling of appetite around investment, therefore throwing crazy money at people who had half an idea. And us sales droids, you were just brainwashed, you know. That's kind of scattering off.
And hopefully we'll be seeing a, a settling and not the nonsense that the semi release crescendo until probably last year. So that's one thing I do sense that there's also a recognition that whilst is still this kind of supply side and client side, almost like not quite complex to, you know, this we hate salespeople. You of course get hold that. That's easing a little bit. there's a bit of a spike, I think, in terms of those dreaded initials, AI, but again, ask the average sales droid to explain it and then watch for the vacant stare. Can I have my money, please? Fix. Yeah, yeah. You're qualified out. My next, I want to stay with AI for a second because I was chatting with, Christine, who's on the podcast, which people have seen my that and we also kicked off our podcast series myself, Colin, you know, and Andrew was I had Microsoft practice kind of bouncing around and our consensus was it's just automate automation with a massive data set that, a disservice. But what I've seen and what I've heard from you, we have proper podcasts, if you like, like Risky Business with that. It's really just been used for, social engineering at scale. There's not seen any real evidence of it using being used in an adversarial role per se. And from, you know, blue team, you know, outside kind of perspective. It's just automation to get to the meeting. What's happening? but it's still early days. What what your observations on that will do for you for big issues, as it were on the front.

Yeah. So I presented, a couple of sessions for, a special interest group, one at BSI that the, the other a kind of a big event for them that sets up the day and, you know, my research into the space AI has been around for years. AI was first coined in the late 1950s.
Machine learning came along in the 60s, then kind of fast forwards a little bit through the 80s and 90s to to hit the modern variants of that, which is the the kind of the GPT, generative, pre-trained, transformers, you know, bringing all of that to life. It's just a tool. Right. And we're, we're really good whether we sell it, whether we consume it, whether we use it, we we're all looking for the the tool that will save us time and effort. And generative AI definitely has that capability in that space. Of course, we've seen every vendor in the world has now got an AI component. You know, even Apple, God bless them, are selling the new M4 chip as an AI capable chip. Intel are doing the same thing. Everybody's got an AI component to something, but AI has been around for an awfully long time. So how do we go through that hype cycle? You know, how do we come out the other side of that, being able to do things quicker, smarter, better? You know, augmenting my physical workforce with, with a digital twin that is responsible, that can ingest large quantities of data but churn out a real quality answer to the problem that you've got, or at least give you, a bit more of a starting point. So you're not searching through the first 20 pages of a Google search result. You know, I think it's it's a massive game changer. And just getting out ahead of that. On how to adopt it into business, how to see through the kind of the marketing spiel where you suddenly try to flog the latest AI product. But actually it's the same product, but they've just got some new marketing, you know, there's a skill set to that and there's a patience to that. But it's for me working in that space. It's built on trust. You know, you and I have known each other long enough now that that we're mates inside and outside of where there's a professional lens, and then there's a personal lens where we can have conversations mostly around this kind of thing.
What do you think about, have you seen, you know, what are you trying? and that I think is, is the secret to success. So technology is ever changing. There's no end state to security. And everything we do is based on trust, including, you know, the conversations that we have across the broad church of security.

I just, I guess, just round out from that kind of supply and client side that I think where it's gone wrong is that vendors have tried to accelerate the process. Me 50 minutes. It's, whatever. Completely missing the point that yourself and your peers are very much about trust. And it's something it's over a long period of time. But then after the quick sell on the quick win and so the two are just incompatible. So the approach that they're taking to try engage with you is completely incompatible with the way that you want to engage. And I don't think they still quite realize.

But yeah, yeah, yeah I exactly I think I've seen that that sea change definitely happen. You've driven a lot of this yourself with the companies that you've worked for. It is about understanding the strategy. The plan, the opportunities, you know, the qualification of that and then delivery at an opportune moment. Not, not as a flog and log kind of, approach that, that leaves you with some shelfware. Yeah, but it's not the way to go.

So, so we kind of slid a little into this. So I see the threats and challenges going forward. So we've touched on the advance in AI or the availability and how that might take us. But putting that aside, what do you see as threats and challenges going forward? You mentioned, for example, election year. So that's perhaps an obvious one. The the deepfakes, the potential for that. But any others or do you think that's the main one?
I think the warning signs are there, aren't they, that, you know, back in, back in the WannaCry days, you know, you do the research around that and I think there's there's a very good book on it, This Is How They Tell Me the World Ends, by a New York Times reporter that really does a deep dive into the the threats emerging from nation states and how Russia used Ukraine as a testbed for a lot of that. My worry is, you know, were we either way directly attacked. You know, we can understand understanding who we are as a business. The threat model, in food manufacturing and ingredients, you know, some of the critical partnerships we've got with, with, UK infrastructure in scope for next to that kind of thing, those things are always going to emerge, you know? but but the nation states are very, very good, but you don't know they're happening until they happen. The criminals are a little more, full forth, on the front foot, you know, that they will attack to make money. So it's a it's a model I bring forward from my military days. You know, when when I was working in that world of counterintelligence, there were four things that we largely looked for. those character traits, you know, for, for people that could either then be used to compromising material. We'd look at money, you know, people doing it for money, or they're doing it for their ideology while they're doing it because they're being coerced, or they're doing it just because they've got an ego. And if you translate that to to the world of infosec, it's the same job as yeah, money cyber criminals, ideology, nation states, coercion could be anywhere between the two. And then the kind of the ego side of it, the script kiddies. Yeah that that will have a pop at anybody because they've, they've, they've read something online. They're in a, you know, a forum or community, that is interested in exploring what they can and can't do with computer systems. And the internet's a big place.
Somebody somewhere will give you that opportunity to test your skills. If you're the blackhat side of the community or script kiddy side of the community. So by crikey, yeah. Is it ever moving?

Here's I, I so the two for me one is the the polarized nature of social media and the fact that the nefarious you know, nation states could use that to their advantage to disrupt it alongside the likes of deepfake. I, I'm sure we could see that the other ones, too, that I'm the last interview that it was around. Let's just say so. And video platform nation state use it as a mechanism to distract and dumb down the population. I you look at 30 second video and and people not taking up the sciences in the maths. Well meanwhile they're trying to do the same that they've done the mass manufacturing that know it has gone out the door. Now let's skill up our population and take a 20, 30 year view rather than just the here and now. When we see that balance of power shifting.

And I think to your point, because it's slow and subtle, it's not as obvious as the criminals. People aren't realizing that. So, you know, why do mask heads when an influencer, somebody that, you know, and kind of bringing all of this together in the kind of the emerging threats environment, you know, we've we've seen phishing and smishing, you know, the traditional attack vectors, if we can use that phrase in a, in, in the industry, you know, moving on now to quishing, you know, everybody scan the QR code. You can't check into a hotel room without scanning the QR code for the menu these days. If that can be subverted, that's a problem. Yeah. And then the most recent one I like 3D, like I think, oh my God, is is where they sample your voice because you've sat on a podcast and they can sample your voice, you know, and then suddenly they've moved on. And that next contact isn't phishing or quishing or smishing.
It's a voice message saying in your voice, in your language, in your words, what you want to do to trick somebody into doing something. You know, the deep fakery, as you say. Now, whether that's a video message or a simple voice message. Yeah. How on earth do our current capabilities mature enough to prevent, detect, report and respond against things like that? Because the humans are the weak points of all security models. But they're also the first line of defense.

Yeah. So maybe the top tip there is from here on in I do the podcast, in a strange voice, let's. You cares about me. You absolutely. Let's, let's, the, would be prime ministers of, countries at the time of speaking. Well, different story. Maybe they'll try putting three voices. Two just in case.

yeah. I'm told in some industries they've, they've reintroduced codewords for, for certain communications. you know, if you get a message and it's unexpected or it's I expected, you know, if a particular word is in there or not in there, react appropriately. But to match the military semifinal.

I suppose the final piece then, Jim, is, anybody you think I should be talking to on a on a similar vein, anybody you'd like to suggest, propose? You don't have to, but if it's anybody. Things worth talking to.

Oh, you've put me on the spot a day after I've come back from holiday, Paul. I'm going to push. I guess I'd recommend, you know, the guy I've got a lot of time with, is a chap called Martin Smith of the security in a special interest group, if you could. Oh, yeah. Conversation with. Yeah. I think the insights he'd give you over, over the term of information security coming to be and where it is today, he's a very, very insightful man. Is is pretty much checked into all of the, the sectors, and disciplines across the board. Definitely. That's how you have a look at him. My excellent analysis and really, really good character. very personable. and yeah, very insightful.
he's moved on that, tobacco company, from here as well. But, yeah, I guess they're the two. I probably push forward straight away, but I'd encourage you to talk to they, you know, talk to the people that don't normally do the talking. Yeah. There is a definite, definite component of the CSO club that do like to be vocal, present and, and on camera and others that don't and just get on and do. Yeah. What you're doing here is shining a light onto some of those styles and techniques that that have been successful, but also often demonstrated and celebrated. Yeah. So Castanet will admit you'll find some superstars to this day. That's a Linton's in the frame.

We've already discussed the agreed in principle book to the point about the people not often interviewed or talked to. That's exactly what Sir Christian said on the last podcast, that he had to seek out people, perhaps just quietly get on and do their thing. And on that vocal and visible in the CSO circuit. So. Well, I've already taken on board and, I'll be seeking people out and coercing them, dragooning them on our podcast. well, Jim, thank you so much again. Thanks for agreeing to do this. I'm sure people have got some, some useful takeaways. Certainly the one about the terms of exercise, I think was particularly useful. So thanks very much again. and, we'll catch up soon.

Thank you. I'll see you soon. Thank you.

Thanks, everybody for watching. Hope you enjoyed that. I hope you found it insightful. Stay tuned for more of these. there'll be regular ones throughout the year, and you can download the full episode if you wish, on our YouTube channel. Or you can listen to it on your preferred podcast platform. Thanks for listening. Thanks for watching.