With artificial intelligence on the rise, cybersecurity has become an even bigger concern in the tech space.
Two years ago, governance and compliance firm GRC Concierge spun off from Wesley Clover Services, in part as a response to increased demand, said Tiffani Westerman, who is CEO of both organizations.
“We found, especially in the current market, that there was a lot of hesitation on spend on things like development and operations, but no hesitation when it came to all things security,” she told OBJ Thursday. “The changes in the industry, and certainly the bigger boom in AI, led companies down the path of needing to not just better understand their security posture, but really make that something they focus on.”
In this instalment of Top of Mind in Tech, Westerman talks about the changing behaviours of buyers, the role AI plays in cyber-attacks, and the cybersecurity leadership gap facing small and mid-size organizations.
This transcript has been edited for length and clarity.
What do you mean when you say that compliance has become a growth enabler?
Previously, I was a vice-president of product development, so I've actually built and spun out a couple of different SaaS products. At the time, I would say compliance frameworks used to feel like a cost of doing business. Today, I'm seeing them as much more of a competitive advantage. Buyers are asking for these compliance frameworks and audits earlier in the sales cycles. Without them, companies are being left out of those opportunities. It's now more top of mind. Compliance has really shifted from being a defensive checkbox to an offensive growth strategy, where we see clients win business faster when they can demonstrate security and trust upfront. We've been watching, over the last two years, that change of reframing compliance into a business enabler and no longer a blocker to doing business.
What’s driving buyers to prioritize those checks?
Organizations are increasingly dependent these days on SaaS and cloud vendors and many of those breaches are happening through those external partners. This is what I call internally “closing the gap.” For years, we would say, here's how I secure my system. But now, if you want to talk about the cloud I'm on, you'll have to look at how a GCP or an AWS secures their system. There was this pass-off, like here's where we end and they begin. And a lot of those breaches that are happening outside of your company can now make their way into yours in various different ways. It's no longer enough to just secure your own systems. A company's security posture is only as strong as its vendor's ecosystem.
We're seeing boards and customers ask tougher questions on risk assessments and, to be fair, rightfully so. So we help our clients by implementing structured vendor onboarding, continuous monitoring, so that we can turn a major risk point into a managed, more trackable process to ensure that we've closed those potential gaps.
What are some of the threats that are becoming more prevalent?
A lot of it stems from the speed at which AI is advancing. We have a lot of conversations about the excitement around AI and how we can use it for productivity, but what's important to always consider is that there are the people doing good with it and there are the people that are trying to do bad with it. We're seeing attacks at a much larger scale and frequency. We're seeing systems being pounded 24-7, 365. Before, you used to think about a hacker in a room, hacking away, and then our security teams in another room trying to block them out. That was people versus people, who have to sleep, who have to eat. That's turned into more of a machine-versus-machine approach and it's getting a lot more sophisticated.
Everything is moving so fast that it's almost becoming reactive and I think that's playing a large role in why we're seeing the need for closing these gaps. We've seen a couple of them hit headlines, where everyone's doing this finger-pointing, saying, ‘That wasn't us, it was our vendor, or it was our provider.’ Clients no longer really care whose fault it is. They want it to not happen.
What does the talent gap in the industry look like?
I was at (cybersecurity conference) Black Hat in Las Vegas a couple weeks back and I found a common topic of conversation was that we're seeing a shortage of senior leaders. The bigger problem is that many organizations can't attract or afford a full-time CISO (chief information security officer). This is becoming something that, unfortunately, companies can only afford if they’re large or their products are quite mature or they have a pretty large client base. So we’re really seeing the emergence of the (virtual) CISO — companies that can't afford to attract that talent are looking for fractional expertise in this space.
Are there similar gaps on the junior end?
I actually feel right now the gap’s in the middle, which I think is good. The CISOs of the world that existed pre-AI boom are the ones that I'm talking about, that smaller companies can't afford to bring in, or if you're looking for someone more intermediate, they don't necessarily have that skillset.
What I am very optimistic and excited about is that I have a son going into university this year and I noticed a ton of university programs around cybersecurity that I just don't think existed before. I do think that we've seen this boom and change in this specific area that we didn’t have before. The CISO, it’s been around a while, but we didn't have them in the right strategic area of a business and now it's sort of becoming predominant. So I am excited to see that the schools are pushing this, that you can go and do computer science with a focus on cybersecurity. I'm optimistic that the gap is in the middle and we're going to see a lot of people come into this line of business and that hopefully it's (an issue) for the short term, not the long term.
Tell me more about your thoughts on AI and how cybersecurity firms are responding.
I'm very optimistic, but also careful with watching AI trends, probably because I'm in cybersecurity. But cybersecurity is becoming, like I said, a battle of machines and attackers using AI to scale phishing campaigns, write adaptive malware, probe networks and deploy AI monitoring. And really what we can do on our side is respond with machines. This is why I won't ever be the person who says there's no place for AI in cybersecurity. There must be, right? We have to fight machine-versus-machine. But what I am very careful about is thinking that that can be done without the human element. It is an AI-versus-AI war, but we can't remove the human element. AI is great for spotting patterns, but it can't replace things like judgment, prioritization or really internal and proprietary governance. We've seen organizations achieve resilience with the pairing of the two. What I would say worries me a lot is the pure AI cyber-tools out there today that don't have a human element that are being used to replace the combination of both.
I still find it so exciting, right? I think it's really just understanding that an AI is an enabler, not a replacement. We are at a time where we aren't being attacked in the way that we used to be and we're not going to the news every day and reading about 50 breaches. So we're not failing at it. It's just kind of an exciting time for the industry, where I think it's getting a lot of attention that is needed at every organizational level and that, I think, is what's optimistic. Companies of all sizes are caring about this. They're starting early at the startup phase, because now we have the attention of boards and investors to ensure a proper security protocol is in place and we're more enabled now than we ever have been. There's a lot happening in the space and I think that so far it's going well.