On the 26th episode of Enterprise AI Defenders, hosts Evan Reiser and Mike Britton, both executives at Abnormal Security, talk with Kirsten Davies, former Chief Information Security Officer at The Estée Lauder Companies and Unilever and founder of The Institute for Cyber. Kirsten's storied career has given her a front-row seat to understanding the complexities of securing global organizations. In this conversation, Kirsten shares insights on the scale of enterprise cyber operations, the hidden challenges of AI-powered security innovation, and how human risk is still the biggest concern in the age of AI.
Quick hits from Kirsten:
On how AI is redefining attacker capabilities: “The sophistication of whaling, spear phishing—AI is being used very smartly, and it’s bypassing a lot of those traditional filters that we had back in the day. Now it feels like all of the email-based attacks are super sophisticated, very targeted, and they have really major repercussions on the back end.”
On the need to rethink digital identity defense: “Think of how many service accounts there are now. They exploded in numbers—larger than people. The number of service and machine identities we have is astronomical… This is where the opportunity is on the defense side, where you don’t even have people involved anymore.”
On why people are still the frontline: “It still goes back to relationships with people… good old-fashioned communication capability… It's still about building awareness. The human element of risk—that will never go away. That’s one of the reasons I started The Institute—so everyday citizens can have safer experiences while they traverse the digital universe.”
Book Recommendation: Imagine Heaven by John Burke
Evan: Hi there and welcome to Enterprise AI Defenders, a show that highlights how enterprise security leaders are using innovative technologies to stop the most sophisticated cyber attacks. In each episode, Fortune 500 CISOs share how AI has changed the threat landscape, real-world examples of modern attacks, and the role AI can play in the future of cybersecurity. I'm Evan Reiser, the CEO and founder of Abnormal Security.
Mike: And I’m Mike Britton, the CIO & CISO of Abnormal Security. Today on the show, we're bringing you a conversation with Kirsten Davies, former CISO of Estee Lauder and Unilever, and founder of the Institute for Cyber. Kirsten’s storied career has given her a front-row seat to understanding the complexities of securing global organizations.
In this conversation, Kirsten shares insights on the scale of enterprise cyber operations, the hidden challenges of AI-powered security innovation, and how human risk is still the biggest concern in the age of AI.
Evan: Well, Kirsten, so, so great to have you join us today. Mike and I were really looking forward to this episode. Maybe kick it off, do you mind sharing with our audience a little bit about kind of your background and kind of how you got to where you are today?
Kirsten: Kirsten Davies. I'm a three-time CISO and two-time deputy CISO, so deputy at Siemens and at Hewlett Packard Enterprise, and then CISO at, actually CSO and managing director at Barclays Africa Group, and then the Estee Lauder Companies and Unilever. And right now I have founded a non-profit organization called the Institute for Cyber.
Our first initiative, we were working on cybersecurity hand guides, like handbooks, for election workers and poll watchers to help them understand what cybersecurity incidents might look like. And next, what we're doing is partnering with some organizations in order to get some better information out there on anti-human trafficking.
So, digital grooming of today's youth, to make sure that they're better prepared and better equipped for what it looks like when they're being targeted online, because that happens, and we don't like that it's happening, but that's what we're working on now.
Evan: So Kirsten, you've spent a lot of your career fighting the bad guys, right? Can you share a little, like, what inspires you? What motivates you? Right? Like, you know, most people don't want to wake up and do hard work like that, right? But you've been doing it for a long time. And so was there like a moment in your career, right? Or your, your kind of personal journey, like the light bulb went off or, you know, what can you share about kind of what motivates and inspires you today?
Kirsten: Yeah, look, I think all of us who are in whatever form of cybersecurity we're in, there's an innate nature within us to protect. Whether we have this inclination to protect our family, or protect animals, or protect nature, or whatever that is. I have yet to meet a person in cybersecurity who's stayed in cyber who doesn't have that innate desire to protect or defend, right? They are the ones that run to the fire, that say, hey, if you need somebody, it's me, I'm gonna step into the gap.
That's always been part of who I am. I don't think necessarily that's something that's been fostered, like something you can learn necessarily. I think it's something that you have, that you nurture.
I remember the first time I kind of woke up to this. I used to be in the music industry. I don't know if people knew that about me. Spoiler alert. And I had a couple of stalkers while I was doing that, and I would change my name at hotels that I would check into; I would go under a pseudonym all the time. And we would change the itinerary and publish a false itinerary of where we were going, because I had some real creepos following me. And I look back on that now and I realize that was where I understood how to look at life from an attacker mindset, because I always had to be thinking ahead of where the difficulty might lie for me, for my band, when we were doing it. Small piece of the puzzle.
But it feeds into this innate nature we have in security, which is to protect other people. It could be just to protect ourselves initially, of course. That's, that's Maslow's triangle, right? Needing safety. But I think it's much more than that.
Mike: You've worked for a lot of really iconic and probably some hyperscale-type organizations. Maybe what are some unique cybersecurity use cases at some of the places you've been that the average listener may not fully appreciate?
Kirsten: You know, stepping from consulting, where I worked with some really major organizations as well, right, into Siemens as my first kind of in-industry full-time role. The scale is enormous at times.
So, when I work with innovators and startup companies, they have wonderful ideas. Great ideas. But you walk into, and you get introduced into, an environment the size and the scale of Siemens or the size and the scale of Hewlett Packard. It can be a real eyes-glazed-over moment.
I'll give you an example. There was one particular startup company that I walked in the door with at Hewlett Packard. This particular startup, we would have been their first major, major client. They had worked with a couple of very small-size businesses, you know, 50,000 employees or less, actually probably 20,000 employees or less at the time, like really quite small. They had some great traction. Really, really great solution for threat intelligence and for kind of the security operations side of things.
And I convinced the CISO to give them a shot. We put them inside of a sandbox portion of our environment, but a live replica of part of our environment. And they failed miserably. Okay, like falling-on-their-face failed, and I took that as a huge learning moment for myself, just to say, okay, I need to be asking different questions at the beginning, and some of them better questions.
The founder of that startup came back to me, I'd say five, six years after that. And he pulled me aside and he said, thank you so much for giving us that opportunity. I said, but you guys failed. And he goes, yes, but we came away from that experience and we re-architected our entire solution as a result of that. And they have since gone on to great and wonderful successes. Success upon success.
And I think back on that, and I realize that that's probably one of the biggest lessons for organizations to learn is just because you have a great idea doesn't mean that you understand what it takes to scale to the size of the prize that you're actually after, like a major hyperscaler, to your words there at the very beginning.
Evan: What are some of the lessons you'd offer up to maybe other CISOs or CIOs, right, when it comes to trying to figure out where do you build, where do you buy, where do you partner? What are some of the cultural best practices?
Yeah, any advice you'd share to maybe some of your peers out there?
Kirsten: Sure. I've been very blessed to be a part of a variety of different organizations across a variety of different industries. That's not the same with a lot of my peers. The reason I bring that up is because the culture of the organization is very critical.
If you're at a technology driven company or at a high tech company, chances are your culture is going to want to build before they buy. And that's important to understand what your culture is before you start introducing innovation, right? Number one, super important to understand what your culture is, whether it's a build versus a buy versus a, you know, like a smart source or a blended service model, that kind of a thing.
Number two out of that is you have to understand where your strengths and where your gaps are. And having gone several times into organizations, I mean, literally being brought in, that's kind of my hallmark. I'm brought in to do a transformation. I have to know as quickly as possible, what is the state of the state? Right?
What are we looking at? What tech do we have across IT? What's the legacy? What's the innovation culture? All of these types of things. The reason being on that one is, you may have the greatest idea in the world knocking on your door, and you even implemented it at several other organizations, and you walk it in the door in this new organization where you're ready to serve, and it may not be fit for purpose for where you are.
So I think those are two really major ones that are there.
Evan: What do you think are, like, the new attacks, right, in this kind of AI era that become a lot more important than maybe, like, the CISO from five years ago wouldn't even have been on their list?
Kirsten: I'll use a real easy example - email security. We used to be able to weed out, filter out, spam pretty easily based upon syntax errors. For example, you could tell when an email was not written by a native English language speaker and you kind of go, come on, right? Or it was the typical "We have a prince in Africa that you need to help out", you know what I mean? Those things were fairly predictable. I don't want to say across-the-board predictable, because people were still falling for them. We know that.
I think, on the attacker side, AI is being used very smartly, very smartly. The sophistication of whaling, spear phishing, the sophistication is very strong and it's bypassing a lot of those traditional filters that we had back in the day. Right. I think we got to the place where all we had to worry about, and I'm using air quotes everywhere, like rabbit ears, was business email compromise, because those were much more sophisticated attacks. They were targeted. They were using language that was targeted towards that particular VIP, you know, executive, whatever that was. Now it feels like, oh, all of the email-based attacks are super sophisticated, very targeted. And they have really major repercussions on the back end, right? Huge dollar and euro signs attached to them.
So I think there are some practical uses of AI on the defense side that are more effective than others. I think the promise of AI for, you know, for defense, for security operations, for all of that, the promise is there. The practical outcomes are being seen in much more of those kind of standardized, quote unquote, attack vectors, like email, like smishing, right? Things like that.
Mike: ChatGPT is mainstream. Everybody's using it. Attackers are using it. You know, Evan and I were talking earlier just on how good video has gotten. Where do you see it, you know, a couple years from now as we just continue this rapid acceleration on the capabilities? What do you see on the attacker side, you know, two years from now, when it comes to how they're leveraging generative AI to be more sophisticated than they are even today?
Kirsten: Yeah, I think it's more of the same of what you talked about. I think video is going to get stronger. You know, one of the defense mechanisms that we've heard about across the last year-ish, maybe a little bit less than a year, on the video is, ask the person you're doing the video with to stand up and move away from the camera. Because at the time, AI was not generating anything in real time above kind of, you know, shoulders to head. So one of the defense mechanisms was just to get the person to stand up and back away from the camera. And then you could see that it was real-time iteration of video as opposed to an AI generation. I think that gets blown out of the water in two years' time, if not already, quite frankly.
I think the voice spoofing is massive. That was already happening eight, nine months ago. Perfect anecdote. A colleague of mine in my last organization gave me a call. Not somebody in security. Gave me a call and said, I just hacked my own utility company password. And I was like, what do you mean? He goes, I called into my utility company and did my own voice authentication using an AI version of my voice, and it allowed me into my utility company accounts. And I was like, congratulations. Would you like to talk more about cybersecurity budget for my area now? You know what I mean? That was nine months ago.
And so I think two years from now, the sky's the limit. We're already seeing the rendering much more accurate and fine-tuned in video. In still pictures, forget about it. Forget about it. Still pictures, the sky's the limit already. Right? In audio, it's already there.
With the compromise of all the telecommunications companies now by a certain nation-state actor, rolling my eyes, we can't rely on SMS for multi-factor authentication. So, without trying to be Chicken Little saying that the sky's falling, we're really behind the eight ball here.
We really need to be upping our game on the defense side when it comes to multi-factor authentication, when it comes to voice ID verification, video identification. There's a lot of work for us to do. We're behind already, and AI hasn't really been mainstream for that long.
Evan: It does feel like there's a shift in the threat landscape to focus less on infrastructure, more on people because people are inherently susceptible and vulnerable and accessible.
It seems like some of the technical indicators that are used to stop attacks become meaningless, right? In the age of generative AI, we have to look for all these behavioral clues. Now it seems like the amount of automation being used by criminals, right, they can get in and out very fast. Like, you can't detect a breach a day later, right?
Because they're kind of in and out. So I guess this is a very long-winded way of questioning, but we talked about the gloom and doom of the future. I think all three of us are very worried on behalf of civilization, right? Let alone industry, let alone any one organization. We're very worried. It seems like there are some dark times in the short term, but where do we get to long term, right? What gives us optimism, or what gives you optimism, about the long-term opportunity, and what role do you think AI will play in helping us, you know, get to a world where the cybercrime charts are down and to the right instead of up and to the right?
Kirsten: That presumes that the cybercrime charts will ever go a different direction, which I think is a big assumption. I don't think we'll ever be done with this battle for as long as there's internet and as long as there's digital. We will always have a role to play as warriors in this battle, and I mean that sincerely.
I think what gives me encouragement is everything old is new again. It still goes back to relationships with people. It still goes back to good old-fashioned communication capability. Good old-fashioned eliciting support from across the business, or the government, or wherever you are, you know, wherever you find yourself as a warrior on this battlefront. It still goes back to some of those real age-old capability sets, which is: you might trust, but you must verify. I don't really trust much of anything. I verify everything, right?
We still need to build alliances and coalitions and partnerships in defense for collective defense. We still need each other. It's not going to be more effective being on our own and isolated. It will only be more effective the more we lean into collective defense.
It is still about building awareness, like the human element of risk, the human risk. It's still about that. That will never go away. And I think that this is an incredible opportunity. And one of the reasons why I started the Institute was average everyday citizens. You know, how many generations do we have right now that are alive, right? How many of those generations are digital native?
I'm not a digital-native generation, because of my age group. Right. And it still is all about people having safe experiences while they traverse the digital universe. It is a replica, if you will, of our natural universe, and it requires a different skill set. And so I'm encouraged because it still goes back to people. It still goes back to really just walking alongside individuals, wrapping your arms around them and going, let me teach you. Let me help you. Let me show you a couple of new tricks here. You know what I mean? And that to me is actually really encouraging.
Mike: You know, when you think about human risk and how we protect individuals, whether they're employees of companies or just, you know, humans in general, where do you see AI maybe playing a role to help us on the protection side of things? What use cases or capabilities might help protect the human risk angle with AI versus the attackers using it?
Kirsten: Yeah, look, I think email is a great example of that. There are tools that can come alongside of your employees, your colleagues, just to say, are you sure you want to click that link? Are you sure you want to reply to that email? Because you haven't replied to that person before and it's going external to your organization. So there are a lot of use cases right there, within AI, that can help with the tools that our colleagues use every day. Email is a great example of that. I think we can use it more effectively across smaller mobile devices, right? Phones and tablets and things like that. I'm looking for AI use there to be a lot more prolific.
I think there's a lot of opportunity for the silent use of AI in the background, because there's an above-the-waterline and a below-the-waterline approach to cybersecurity. There are all the things that are visible that should be visible, so that people know when they're traversing a security line, or they know when, hey, oh, this is secure. Like when I have to do an MFA to log into my bank account, right? That, oh, okay, great, they're taking this seriously. Like visible security, above the waterline. I think there are some important aspects of that that should always be visible, and there should be friction to a certain extent in security. Then there's all that stuff below the waterline, right, which is, I am not suggesting in any way whatsoever that we traverse across privacy rights or anything like that.
What I am suggesting, though, is that there are a lot of ways for AI to understand, and some of this is being incorporated into EDR tools, for example, and some of the insider trust tools that are used as well. There are a lot of ways to use AI to learn patterns of behavior. It's what we used to call advanced analytics.
And then we would understand when there were abnormalities outside of those advanced analytics. And then we could just focus on what was abnormal in the behavior. Well, with all of that, with the supervised learning, the machine learning, and the advanced analytics learning, now we incorporate AI on top of that in some of these smarter tools.
You know, there's still going to be a bit of a false positive ratio across them as they learn. However, the below-the-waterline tools can start using this AI stuff much more effectively. Predictive analytics, for example. Identifying abnormalities in system behavior, network behavior, device behavior. Login behavior, for goodness' sake.
You know, one more example across this, we've been talking about identity management forever. It's never going away. Think of how many service accounts there are now. They have exploded in numbers. Larger than people, digital identities, the number of service and machine identities we have is astronomical compared to what we used to deal with, say, 10 years ago. You know what I'm saying?
Leveraging AI across predictive learning and predictive abnormality identification of service IDs. Think about critical infrastructure, manufacturing, all of these embedded applications that are sitting somewhere in a dam or a waterway or a power grid or in a manufacturing plant. And again, there are some tools that are using this, some tools that I know of and that I'm in favor of, and I'm a supporter of. This is where the opportunity is on the defense side, where you actually don't even have people involved anymore and it's system to system, or software to software, or software to machine, right? The command that controls the ICS, SCADA, all of that type of thing. This is where there's enormous opportunity for the use of AI.
Evan: Okay, we got like four minutes left, so I'm gonna try to, we're gonna do the lightning round of the lightning round. So we try to do the last section with some kind of quicker hits. We're looking for the one-tweet response to questions that are way bigger than the tweet. So forgive us in advance. Mike, do you want to kick it off for us?
Mike: Sure. So what advice would you give someone stepping into their very first CISO job?
Maybe it's something they might overestimate or underestimate about the job.
Kirsten: A. Just do it. B. Be great at the job you have right now and not so focused on being the CISO. Because the CISO job is made up of your entire team, right? And you need to be a great team member in order to be a great CISO.
Evan: So we talked about how the IT architecture is changing, the threat landscape is changing, there's all this new AI stuff. What's your advice for the best way for CISOs to stay up to date on both the new security challenge and the new technologies available to, you know, cyber security teams?
Kirsten: Listen to every podcast you possibly can. Listen to what other CISOs are saying. And attend smaller conferences, not just the big ones. A lot of folks tend to go to the big ones; attend the smaller conferences, because you get a richer conversation and you get a lot more one-on-one time, especially with vendors.
Mike: We love to throw a personal one in. What's a book that you've read that's had a big impact on you, and why? And it doesn't have to be work related.
Kirsten: I'll go out on a limb. I'm reading an amazing book right now. It's called Imagine Heaven, and it's blowing me away. It's a book about people who have had near-death experiences. It's literally blowing me away. Love it. I can't put it down, and that's really unusual for me. I usually read a couple of chapters and I go, eh, okay, read it.
I haven't been able to put this book down.
Evan: Ooh, okay. That is intriguing. That's going on my read list. Maybe as a last question, what would you share as advice to motivate and inspire the next generation of security leaders?
Kirsten: This is the most exciting field I have ever been a part of. I've done a lot of things across my lifetime. It is not the same job every day. And for the upcoming generation that loves challenges, that loves purpose, that loves already, even in their young years, what does it look like to leave a legacy? This is the field for you.
Evan: Kirsten, I really appreciate you taking time to join us. Looking forward to talking more with you again.
Kirsten: Thanks for having me.
Mike: That was Kirsten Davies, former CISO of Estee Lauder and Unilever, and founder of the Institute for Cyber. I'm Mike Britton, the CIO & CISO of Abnormal Security.
Evan: And I'm Evan Reiser, the founder and CEO of Abnormal Security. Thanks for listening to Enterprise AI Defenders. Please be sure to subscribe, so you never miss an episode. Learn more about how AI is transforming the enterprise from top executives at enterprisesoftware.blog.
This show is produced by Josh Meer. See you next time.