0:00:00.0 Max Havey: Hello, and welcome to another edition of Security Visionaries. A podcast all about the world of cyber, data and tech infrastructure, bringing together experts from around the world and across domains. I'm your host, Max Havey, and today we're taking a look at what's on the horizon for next year, talking 2025 predictions with our guest, Kiersten Todt. Currently serving as president at Wondros, Kiersten has spent much of her career working in the public sector. Including stints as Chief of Staff for the Cybersecurity and Infrastructure Security Agency, CISA and Executive Director of the Presidential Commission on Enhancing National Cybersecurity. And I'm so excited to hear her thoughts on the year to come. So, Kiersten, thank you so much and welcome to the show.
0:00:40.2 Kiersten Todt: Thanks so much, Max. Great to be with you.
0:00:43.1 Max Havey: Absolutely. And as we near the end of the year, we enter a time that many in the industry have dubbed as a prediction season where thought leaders from across industries offer their thoughts about what's on the horizon for the year ahead. So today, I wanted to pick your brain and get your take on some of the predictions that are hot on your mind. So Kiersten, can you hit us with your first prediction here?
0:01:00.3 Kiersten Todt: So I think one of the key elements is with artificial intelligence. We've obviously been talking a lot about AI for the last couple of years, and I think what we're gonna see is that that bubble is gonna pop a little bit, that this sort of surge, there is a curve that they talk about in research that you see the most activity when people know the least about something, and I think we've sort of hit that pinnacle. But what we're gonna be seeing now is probably a more focused look at how artificial intelligence is a tool, how it can be used actually to enhance cybersecurity. When we're looking at refactoring code and we're looking at scanning for vulnerabilities, there's a real opportunity here for artificial intelligence to work with cybersecurity.
0:01:41.4 Max Havey: Absolutely. And in that vein there, what sorts of insights do you think cyber folks can gain from this bubble beginning to pop?
0:01:48.3 Kiersten Todt: Well, I think it's really understanding how we appreciate the breadth of artificial intelligence. I think so much with technology is very much about using it as a tool, as an opportunity, and also being aware of the challenges of it. And so certainly we focus on these things in a very extreme way. When it's come to artificial intelligence, we've seen it as it's gonna take over the world, it's gonna take over humans, and it's also the, it's gonna be this holy grail innovation that's gonna save the world. And usually the reality is somewhere right in the middle and we've kind of swung the pendulum in those different directions. And so now as we're focusing, I think we'll see again, artificial intelligence as a tool to help us enhance cybersecurity, enhance these technical issues where we don't necessarily need to have humans as a part of it, but humans certainly need to be staying engaged.
0:02:36.3 Max Havey: For sure. It's to a degree, kind of finding that middle ground. It's not being a doomer about it, not being too overly optimistic, but kind of understanding the real value of it at this point.
0:02:45.8 Kiersten Todt: Yeah, exactly.
0:02:46.2 Max Havey: On that same topic, how do you think those sorts of insights around finding that middle ground can help sort of move security forward?
0:02:53.1 Kiersten Todt: Well, I think the more we understand and educate ourselves, I think the challenge with artificial intelligence is there's such variability on what people know. It sort of became the center square and everybody's bingo card. And so you are hearing boards of directors and CEOs and executives talk about how are we using AI when we know in fact that artificial intelligence has been around for a while and a lot of companies have used it for a while. So what we're hoping to see now is greater fluency, greater literacy, and what artificial intelligence is, how it can be used and the appropriate caution about how we're always gonna integrate innovation when we don't actually know all of the applications of it that that's part of the research and part of the growth of the issue.
0:03:36.9 Max Havey: Absolutely. Well, 'cause it's that sense of, I know the way people talk a lot around Generative AI. It's often been sort of the life finds a way. People will constantly find ways to be working with this and to use this both through the benefit and detriment of a lot of organizations. So having that appropriate caution kind of seems key in finding the best way forward.
0:03:54.2 Kiersten Todt: Yes, exactly, exactly. 'Cause I think like anything, it's always, it's guardrails and guide. We can see how we can be guided by this technology, but we do need to have the appropriate guardrails. And I don't think in our lifetime, there'll be a situation where we are ever gonna hand over major critical infrastructure or major elements of our society to technology that we always have to have human judgment in the loop. And I think that is particularly critical when it comes to tools that are built off of AI.
0:04:23.5 Max Havey: For sure. I think not disregarding the human element in all of this, especially anything related to security, the human element is a thing you kind of have to always keep in mind.
0:04:31.0 Kiersten Todt: Right. 'Cause I think the other piece is we have to appreciate that particularly Generative AI as you shared, that's it's everyone always talks about garbage in garbage out. Like whatever's going into artificial intelligence, if we are putting in any type of biased data, then what the model is going to kick out is exponentially going to be biased. And so it's not that's... People tend to see that as an extreme, but it's just an important reminder that if anything that we put into artificial intelligence subtly is not accurate, the Generative AI will produce that in much more extreme forms. So we've gotta be paying attention to things that only humans can determine. Tone, tenor, cultural issues as we're building out these AI models.
0:05:14.4 Max Havey: Absolutely. Well, and in that same sort of vein, to pull a prediction from one of our folks here at Netskope, Neil Thacker, our CISO over in EMEA, he predicted the idea that the rise of even more AI regulations and organizations wanting more visibility into AI, will potentially see the rise of a new role, a sort of Chief AI Officer. And as we're talking about AI, I wanted to get your sense of how does that sort of prediction strike you looking ahead?
0:05:37.3 Kiersten Todt: We already have it. I don't know that it's actually predictive for next. Like we have, that's been part of the executive order in government and government is rarely the leader when it comes to these things. But there, the executive order on artificial intelligence identified a Chief AI Officer in all the federal agencies. So you're seeing that I think industry will be close behind. I think what's gonna happen though, that we have to be careful of, 'cause we've actually seen this in government, is you just don't want somebody who's doing all this other work, if they're a CISO, if they have other responsibilities, now all of a sudden they add Chief AI Officer to their role. That might be fine, but similar to the way that CISOs and CIOs evolved, that was often a role that was held by somebody who had another set of responsibilities that had adjacent skills and expertise, and then they sort of had to figure out what the role was, and that there was this variability of what a CISO or a CIO was.
0:06:30.2 Kiersten Todt: I think we're mainstreaming that more. But I think if you looked at position descriptions across major companies and what their CIO and CISO did, you'd certainly see some common ground, but you'd see some strong differences based on the company. We'll likely see that type of role evolve. My guess is you'll probably see CISOs and CIOs take on the job of Chief AI Officer. You might see a head of research and development become that it might become part of position descriptions or other roles. I think the key will be just clarity on what is expected. I think we have to be careful that we don't get into a check the box exercise on AI. It's like, yep, we've got that officer. What does that mean? There will be different focus areas, but the key element to this will be what is the company looking to achieve through this role and with artificial intelligence?
0:07:17.4 Max Havey: Absolutely. Putting the outcomes first and what they want to see from using these sorts of technologies and how they're trying to protect with them or protect from them.
0:07:25.6 Kiersten Todt: Yep. Yes.
0:07:26.5 Max Havey: Excellent. Well, to pass the baton back over to you, as someone from a real strong public sector/government background, do you have any predictions about security and the public sector looking ahead at 2025?
0:07:36.0 Kiersten Todt: Well, I do think we're likely gonna see more high profile intrusions from China as a nation state actor. We have seen the family of typhoons this year, Flax Typhoon, Volt Typhoon, Salt Typhoon. And I do think we'll see something with similar, if not greater impact that will reveal in a different way potentially, but how China is sitting on critical infrastructure networks. And the key will be how prepared are we to respond to that? How are we sharing that with our critical infrastructure partners, and does it change how we are securing ourselves, how we're treating this threat that we know is finite in this time period between now and 2027 when there is a prediction that China will take a strategic action against Taiwan? So I think looking at not just the awareness of having this type of event be revealed and public, but what do we do with it as a nation?
0:08:32.8 Max Havey: For sure. And specifically, what would detecting another incident like this really mean for federal sector security?
0:08:38.8 Kiersten Todt: Well, I think what you could see potentially is does this create a catalyst for regulation? We're seeing a lot of churn and discussion over the last year and two about critical infrastructure regulation, how we look at sectors and the protection of sectors and sector risk management agencies. There's always been this concern about regulating critical infrastructure across all infrastructure because different... There's collaboration and there's again, such variability. I do think if we see these attacks continuing to happen on critical infrastructure, does that raise the bar for what's expected? How are we looking at the federal government's organization to work with industry and protecting critical infrastructure? I think it could create, again, a catalyst for some of these discussions and potentially, hopefully some further action that helps to clarify their roles, but importantly improve and increase security and safety.
0:09:28.7 Max Havey: Definitely. And what does that also mean for global CISOs, for folks even outside of the US? What do these sorts of incidents kind of signpost or signal to them?
0:09:37.2 Kiersten Todt: I think as we know, cybersecurity doesn't really respect geographic boundaries. And so the concerns that we have are certainly shared by our like-minded economic partners, by our Western allies. And hopefully, I think the work that the State Department has done with the bureau that Ambassador Nate Fick is running on emerging technology and really looking at diplomacy in cybersecurity, and creating some normalization and harmonization of regulation, but also responses, that this will provide an opportunity for us to work together and to collaborate more globally and internationally, which is always something that we think we can do better on.
0:10:14.7 Max Havey: For sure, 'cause this isn't necessarily a new thing, but it's becoming more and more high profile as these incidents happen. That becomes like more and more of a news peg for folks out in the world.
0:10:23.9 Kiersten Todt: Well, I think that the prepositioning of China and our infrastructure are very specifically related to Taiwan, that is new, and I think that's why we're seeing the declassification of this intelligence within this country in particular even more forward-leaning because the importance of sharing this information, making sure that the awareness, monitors and CISOs and CEOs are paying close attention after Salt Typhoon, which was when we understood that China was on the network of communications companies had breached communications companies, and specifically the system that was sharing data with law enforcement about wire tapping. I had several CEOs and senior executives with whom I had done some cyber work ask what does this mean for me? And I think that's still a challenge when we see prominent companies that are still questioning how they should respond to this. Hopefully, there is more collaborative engagement on the part of these companies and that the continued work with industry and government and that collaboration will increase.
0:11:25.5 Max Havey: Absolutely. Collaboration is the operative word when it comes to a lot of security stuff. A previous theme on this series was security as a team sport. And I think the idea that this is a thing that everyone is dealing with at some point, everyone's trying to figure out how they can best protect against these new threats as they're sort of coming up is extremely important.
0:11:45.1 Kiersten Todt: Yeah, absolutely.
0:11:46.4 Max Havey: I'd love to see, do you have any other predictions that are hot on your brain at the moment?
0:11:51.8 Kiersten Todt: I think it's both a prediction as well as an aspiration. I think if I say it as a prediction, I might be able to manifest it and make it happen. But I think how we identify critical infrastructure, what is critical infrastructure continues to be evolving based on the threat environment and other issues. But cloud, the issue of the cloud, what it is, what we put up there, this to me, we need to identify cloud as critical infrastructure. And I think having been in this space for a long time, there was a period of time where the identification of a company as critical infrastructure was not really seen as an opportunity, it was seen almost more as a penalty because it typically meant you were gonna get regulated and that there were more restraints put on you than opportunities.
0:12:34.9 Kiersten Todt: I do hope, and I know there are a lot of efforts underway on the part of the federal government that being identified as critical infrastructure gives opportunity to engage more closely, more directly with the federal government in helping to protect what is critical infrastructure. And I think that it also helps to manage how these services are provided. So certainly, cloud service providers how everywhere that they are ubiquitous that they are in this space, we have to be thinking through how do we manage that tool and how do we ensure that it has a baseline level of security given how connected it is to so much of how we operate, not just as a nation, but as a world.
0:13:10.7 Max Havey: Absolutely. And I mean, how would that sort of change, impact the way that organizations today are thinking about the cloud as they operate within it?
0:13:19.9 Kiersten Todt: I think that it might just mean that there's more of a deliberate effort to understand what it means to bring them into your organization. I think it's seen as like a technology that yes, this is how I have to operate, but in some companies, it may even be seen as a nice to have not a need to have. I think if we see it as something that is so ubiquitous that has so much impact and touch points across supply chains, that will be more thoughtful, not just about how we're choosing it, but also the questions that we ask in engaging cloud service provider.
0:13:49.7 Max Havey: For sure. To a degree, it feels almost as important to daily work and to keeping business continuity going as the internet. They are occupying a similar space where to some, the internet was not an imperative resource, it was not seen as a need to have.
0:14:02.8 Kiersten Todt: Right, exactly.
0:14:03.5 Max Havey: And the cloud is sort of moving into that same sort of, this used to be a nice to have, but now you absolutely need to have this.
0:14:09.3 Kiersten Todt: Yeah, exactly. Exactly.
0:14:11.9 Max Havey: Well, and in that same sort of vein, what sort of outcomes do we expect to see from this kind of reclassification?
0:14:17.3 Kiersten Todt: I think we'd hope to see just increased security and safety and greater collaboration with the government on how the technology advances and ensuring that we don't substitute innovation for security and safety. I don't think that they have to be mutually exclusive. In technology, sometimes it's often seen that way, but that we can advance thoughtfully and deliberately and ensure important levels of security and safety, not just for the company that's the cloud service provider, but importantly for the companies it's serving and the supply chains that touch that ecosystem.
0:14:50.3 Max Havey: For sure. It's the notion that the world has become a lot smaller as we all move to a more hybrid world. Everyone is operating within the cloud now. It's a thing that like your grandmother knows about now.
0:15:00.6 Kiersten Todt: Yeah.
0:15:00.7 Max Havey: And it touches everything in a way that you and me probably recognize that we all sort of touched, but in a way that like your everyday person on the street maybe didn't realize until it was sort of thrown right in front of them.
0:15:10.7 Kiersten Todt: Yeah, yep, exactly.
0:15:12.4 Max Havey: And so attacks on the cloud, the sorts of threats that we're seeing in the cloud will then render that more catastrophic potentially.
0:15:20.2 Kiersten Todt: Yes. Well, and I think that that's exactly as we look at this, we see how interdependent systems are with the cloud. So something that happens to the cloud in the cloud to a company that really does have broad reaching impacts.
0:15:33.8 Max Havey: And are there any like recent examples of that sort of thing that you've seen out in the world that you would be willing to share the way that you've seen that sort of interdependency sort of playing out?
0:15:41.4 Kiersten Todt: Well, I think the first example that sort of shook everybody a little bit because it showed how something could impact was when there was the breach of AWS that impacted Capital One. It was determined that Capital One had the vulnerability and it wasn't because of Amazon. And I don't remember now the details of it, but it was this first kind of public awareness that hey, these things are connected and if something happens to one company, it's really a supply chain argument. If we talk about these things in new terms, cloud ecosystem, but it's always really about a supply chain. It's how does an impact of a company that's in your supply chain, not just in how you produce, but how you operate can impact the company itself. The safety, the security, its vulnerability.
0:16:26.0 Max Havey: Absolutely. So to tie things up here, Kiersten, could you give us a resolution that you have as someone who's a security expert and what are you sort of resolving toward as a security expert in 2025?
0:16:40.7 Kiersten Todt: Sure. So I've been working in this space for over a couple of decades, and we've always been looking at the abstract nature of technology and cyber. It's the technology piece. And more recently, in the last five to seven years, the work that I've done has focused a lot more on the human in the loop when it comes to cybersecurity. And what is the role of humans? At the end of the day, cybersecurity is a tool. It protects infrastructure, but that humans are the foundation of how we're protecting our nation at the security that we have an accountability and responsibility as an individual. And it's one of the reasons why I took this role at Wondros, which is really about engaging creative content to create social impact, to create human movements where people's behavior changes for the good, looking at social policy issues, but also looking at technology.
0:17:32.2 Kiersten Todt: And a month ago we launched a campaign with Craig Newmark Philanthropies called Take9, which is about how do we as individuals stop becoming victims in a moment, that we don't fall victim to the urgency, that we go from a reaction to responding thoughtfully to acting? And I think if I look at next year, and I think about what Craig Newmark's vision is, which is if we engage communities of cyber civil defenders, we start to create a community and a culture that demands more from industry, from critical infrastructure, and not as an us versus them, but in a collaborative way. And so what I'd like to see next year is that we have more individuals that are activists, activating and asking for more security, asking for more safety from these companies, because we can put a lot of this in place at the federal government level. But at the end of the day, these are public companies, private companies that are based on revenue generation. And the strongest pull is if individuals and entities and organizations start to make decisions about the companies and the organizations with which they work based on their security and their safety posture, that will go a long way in creating cultures of security, cultures of safety, and importantly creating a more safe, secure and resilient nation.
0:18:49.5 Max Havey: Absolutely. I love that. It's the idea of everyone is responsible for their own cybersecurity and the cybersecurity of all of us around us and a rising tide sort of raises all ships.
0:18:57.6 Kiersten Todt: Exactly, 'cause any event that happens, it might be massive, it might be global, but it impacts communities. And you start with one of the things that we did at CISA that I think is a very strong success over this administration was really bolstering the work of the regional offices, because when there's an event of an energy company, a school district, to have people on the ground who are experts in cybersecurity and physical security there helping with immediate response is really important, because federal government is important, but we have to really work with the communities to respond quickly and to manage impact as fast as we can.
0:19:36.4 Max Havey: Excellent. Yeah, no, I love that. Kiersten, I can see our producers sort of waving at me that we're reaching time here, but is there anything further that you'd like to add before we close off here?
0:19:44.0 Kiersten Todt: No, I appreciate the collaboration. I appreciate the thoughtfulness. I think the more kinds of discussions where we get ideas out there, it helps to inspire further action. So thank you for the opportunity to talk with you.
0:19:54.0 Max Havey: Absolutely. Thank you so much for joining us today. This was such a good conversation and I'm so excited to hear what other folks think about all the cool stuff you got to say here. You've been listening to the Security Visionaries podcast and I've been your host, Max Havey. If you've enjoyed this episode, share it with a friend and subscribe to Security Visionaries on your favorite podcast platform. There you can listen to our back catalog of episodes and keep an eye out for new ones, dropping every month, hosted either by me or my co-host, the wonderful Emily Wearmouth. And with that, we'll catch you on the next episode.
[music]