Ep 11: Insights on AI Integration and Operational Evolution with Former Abbott CISO Betsy Wille

Evan Reiser: Hi there and welcome to Enterprise Software Defenders, a show that highlights how enterprise security leaders are using innovative technologies to stop the most sophisticated cyber attacks. In each episode, fortune 500 CISOs share how the threat landscape has changed due to the cloud real-world examples of modern attacks in the role AI can play in the future of cybersecurity.

I'm Evan Reiser, the CEO and founder of Abnormal Security.

Steve Ward: And I’m Steve Ward, the former CISO of The Home Depot and TIAA

Evan: Today on the show, we’re bringing you a conversation with Betsy Wille , Former Chief Information Security Officer at Abbott. Abbott is a Fortune 100 global healthcare company that manufactures a wide range of healthcare products, including diagnostics, pharmaceuticals, and medical devices. 

Steve: In this conversation, Betsy shares her thoughts on the unique challenges of defending enterprise businesses, AI’s impact on the evolving threat landscape, and how cybersecurity teams can harness AI more effectively.

Evan: Betsy, uh, thanks again for making the time. I know you're super busy and, uh, excited to get to chat with you today. So maybe kick us off. You want to tell us a little about kind of your career and you know, how you got to where you are today? And, uh, yeah, I'd love to hear, you know, yeah, what brought you into cybersecurity?

Betsy Wille: Well, I was fortunate to get into cybersecurity really at the beginning of my career. So over two decades ago, I aged myself a little bit, but I, after a short stint at ENY out of college, I took a job doing SAP security at a bank, which, uh, pretty quickly after that was acquired by JP Morgan. Setting up accounts, you know, doing, doing that kind of work and that became, that group became part of the information security organization when the bank started to, to build that as a, an actual function in, in the company.

So I had this great opportunity to really grow my career in the field as the field itself was evolving and emerging, particularly at a, you know, global bank and what that offered and that gave me the opportunity was to, to really jump around to a lot of different roles. I actually went from being part of a group deploying a global single sign on and access provisioning platforms, very early days, to running the global SOC at J. P. Morgan. 

I mean, not a transition you, you typically see. And I think these days you don't always see that. little bit more kind of specialization in different areas. So I had this great opportunity to really learn the field. I probably stood out a little bit as a young woman in the field as well. I recall that my, the first time I managed a team, I was probably like 25 or 26.

I had 10 team members. They were all men. And I would guess that they were probably on average 10 years older than me. And here's the spunky, you know, like young thing that didn't know any better. But, uh, yeah, not always bad to stand out. I had a lot of people in my corner for that career. 

And so I ended up 14 years at J. P. Morgan, and then five years at TIAA in cybersecurity leadership roles and rotating through that. And that brought me to Abbott in 2019. I joined as their second ever CISO. So came in at a time that the program was growing, the organization was growing, but turned into a bit of a wild ride because a year after we were hit with a global pandemic and Abbott emerged onto the front lines of that response.

We were making COVID tests within weeks of it becoming, kind of a global situation, and then out with one of the first rapid tests. So very quickly, myself and my team, we had to shift from, you know, what we were doing to mature and grow the program as a whole, to really make sure we were focused on the work of the COVID testing and protect those operations.

And it wasn't just for the company, of course, it was for public health. as well as we had a target on us. We were part of the, you know, the cohort of companies doing vaccine treatment and testing, uh, research and development. So a crazy time. And then after, you know, over two decades. As an operator in cybersecurity, last year, I left and launched the cybersecurity studio really in a, with a focus to help other cyber leaders meet the demands of today's role.

Evan: I'm just imagining, you know, back in your time at J.P. Morgan, right, you're leading kind of security operations, but that's got to be one of the hardest, scariest jobs in the world. You know, the biggest bank. All built around trust and security, like it's the thing. That's a tough job, and I imagine a lot of sleepless nights, right? Even with an incredible team. 

Where does your inspiration come from, right? Because it would take some motivation and discipline and willpower and inspiration to like tackle that challenge. So, you know, what is it about cybersecurity that kind of like motivates you or inspires you? 

Betsy: Well, I mean, it was particularly a big leap, as I said, coming from like a, not coming from a network security background, not having ever done a day in security operations to come run.

And it was, I had like the tier one, tier two SOC, but well, I never backed down from a challenge. I knew it would be a really unique opportunity to step into a new space. And, and I should say, leading up to that, I had, I had raised my hand to work on kind of a process improvement or a quality improvement program around the SOC holistically.

So it was the SOC and the engineering team and then the incident response team and how they were all operating together. So I knew, I came into it knowing where some of the challenges were. And what it turned out was we had a really Good and strong team with a lot of, of knowledge. The challenges we had were on people and process and building trust amongst the team in the U S and the team in India, you know, the tier two analysts that talking to the incident response when they, you know, escalated alerts, like our issues were processing people.

And all of a sudden I said, well, that I know like, that I'm good at that I've proven over my career, the. Deep technical expertise. I've got a team that can help me with that. And I did. I had, and I leaned in heavily to that. I had trusted sources, trusted people that, that taught me and I wasn't afraid to recognize what I needed there and where I needed, you know, to lean on the experts.

But then I could lean into to what I did best. 

Steve: Betsy, yeah, if you look at sort of where we started our careers and it was very focused on data center devices, right? Endpoints that were at a cube and specifically what was in a data center to what you eventually got to at Abbott, where you had your SaaS solutions, you had your cloud solutions and probably migrated there.

And then also. Medical devices, right? And things that ended up in people's bodies. How did that change your idea around? Traditionally, we were okay, someone's going to attack us on an endpoint that's in a data center to now I have to worry about this, sort of 3X environment in some instances on the things that we had to protect there and some of the attacks that occurred in those environments.

Betsy: One word to, to sum it up is sprawl. You know, I mean, that is really what you described. I mean, there's just more of everything. Uh, the attack surface is, is so much greater than it was. And it just multiplies, you know, every year, uh, to your point. And, and it's now an ecosystem of technology than it is kind of a contained environment.

Um, and when you look at it and think about a traditional technology stack, that technology stack now includes things that you control and things you don't. Things that go through the central IT team and things that don't. And so I, one of the biggest shifts that I had to make and, you know, continue to hear other CISOs make is this idea of the connection of that ecosystem includes the extension out to these, to SaaS providers, cloud providers.

They are protecting part of the technology stack that, you know, that runs the business. So it's not a third party relationship that's kind of cold and on paper, but one that has to evolve into a real partnership and, and relationship and then understanding of it. And so it is rethinking your processes of like, I go to my partners in infrastructure to determine where we're at or to, to work with on the projects that we need to roll out to secure our infrastructure. We now have many more partners to work with and relationships to build. So I think that has shifted. 

The other is also part of that ecosystem is building greater relationships with your business because the other part of SaaS and cloud is it is so much more accessible to the business without going through central IT.

I mean, we certainly saw that in the early days of cloud and SaaS, you know, developers ran to AWS, sales teams ran to Salesforce and threw a credit card down and all of a sudden we're doing business that we had no idea was out there. You know, we've reined a lot of that in, but the business can engage a SaaS provider using a third party service to manage it.

And that never comes back through central IT. So, you know, when cyber teams are managed under that, you know, central IT and rely on that to be the funnel for what's out there, we get there's a lot of blind spots. 

I actually, I have a story around that. I was probably not three months on the job. And one of my partners in legal came running into my office and said, okay, so I, you know, there's a cyber event going on at a SaaS provider in, you know, a critical business area that's in there, man. And I said, okay, well, you know, who, who owns that relationship? And, you know, let's go get, get the digital team involved. No, no, the digital team doesn't manage it. The business does. It's, it's a third party provider. 

Okay, there's not a lot I can do. You understand that my incident response team doesn't have visibility management and we probably really don't have a relationship there. Happy to run point, but there's nothing we can do. You understand that. Like it was just one of those moments of, wow, there's a lot that's outside of our control.

Steve: Yeah, I remember the days of when we used to talk about who owned technology assets, and we used to talk about drift and try to control what the business could do, right? The phrase was always shadow IT, shadow IT, and it There was a time where it sort of just shifted. We were like, there's really no such thing as shadow IT.

It's now business has its own IT demand and we kind of just realized that we had to let them go in order for them to be as agile as they needed to be. So just, if you look at the next five years, where do you think things go from a budgetary standpoint, right? We're always talking about budgets that typically dominates every conversation, every survey that gets put out on what budget is growing,, where and at what percentage and what percentage of it is against the IT overall IT budget.

So any crystal ball guesses here on, on where you think this goes in the next five years? 

Betsy: I don't think you're going to have a lot of headlines that cybersecurity budget has been cut at the biggest organizations. That's not a good look. It's not, you know, what is going to play out. But those of us that are in, you know, have done the role and know how these cycles go, the dollar figures might not be changing much, but your labor and resources to maintain it, to align to the growing, you know, number of projects that are out in the business and then, you know, the digital teams to support those, that may not be growing.

Because those are, you know, payroll and, and dollars spent on labor is usually to do tighten. So that's, that's what constrains our ability to grow exponentially. You could give me all the money in the world to buy new tech, but if I don't have anybody to, you know, really drive that change into the organization, maintain it, it's not gonna do us any good. So those two things go hand in hand. And I think in the economy that we're in, and over probably still for the next couple of years, that's where the rub is going to come in. 

Now, on the other hand, where I hope and think that we will continue to grow in the next five years is evolving our thinking that the cybersecurity budget is some kind of budget that sits with one group in the organization and that the people needed to engage in those cybersecurity programs are only in one organization, and rather start to push this out into the business and the other IT teams, and see those dollars.

I mean, I would be, I would have been happy to and did many times fund, you know, projects, you know, with labor and people into, you know, teams in the business or in other ideas that needed to execute it instead of taking those in, in just within my program. So it's, you know, also expanding that definition.

I do have another story there. I won't name any names, but there was a product that we were doing a POC on in the, the cloud space and we had had it in the, the environment, I think probably for at least a year for free under extended POC, just kept, you know, kind of playing around with it. And I actually left, it was still there when I left and I got a call maybe three months later from that vendor and said, and the salesperson said, Hey, I really wouldn't know what to do here.

I hate to like tell them, like we have to yank it out, but if they're not going to make a decision about buying it, you know, like any device and I said, take it out. I know the developers love it. Take it and tell them that, you know, the POC is done. pull it out of the environment and the developers will come to the table and the development team and ask for it and come to and help the cyber team make the business case.

And sure enough, that is what happened. Um, they came back two months later and it was two groups bringing it forward and it was funded and it was, it was, um, it was a go. So I think there's some changes that way. 

Steve: The best advice I can give operators who are listening to this is, is keep a shadow budget that you use for your IT partners so that you can fund their projects for goodwill.

I've done it. You've been with me when we've done it, where we've kind of secretly funded other projects. And it's, it's a way to get some, some chips on your side of the table that you can call in later. And trust me, you'll need them. 

Evan: I'm tempted to make a joke here about, you know, any abnormal manager listening to this, there is no shadow budget.

So Betsy, you brought this great point, which is probably warrants a whole episode, right? About the challenge of having enough people to actually successfully deploy, and manage and operate, you know, technology, right? I think what you said is totally true, right? You can have the best technology in the world, but if no one's there, setting it up, configuring and monitoring, optimizing it, right? Like that's, you know, these things don't work by themselves, it turns out, right? 

So I'd love to talk about like, you know, AI, right? I just feel like we'd be remiss right in 2023 to like not talk about AI, right? On any sort of podcast, right? It's part of our job. 

Steve: You're not allowed. You're not allowed to talk.

Evan: Okay. Um, so, but before, before we go into like, you know, how does that get deployed and how does that things change? I think, you know, inside, you know, inside, you know, enterprise security teams. How do you think that affects like the, the threat landscape, right? How do you see criminals using these technologies and what are maybe some risks that you'd advise your peers to maybe put a little bit more weight behind that you think they might be underestimating, you know, going forward?

Betsy: Well, they're, they're criminals, so they're going to use it every way they possibly can, at every, you know, stage of the attack chain to be more targeted and more stealth. I do think we'll see fewer attacks of opportunity and, and many more individualized, specialized attacks. You know, I mean, it takes a lot of work for the, the criminals to, to put together targeted attacks. It's a lot of resources, labor, you know, focus. And so it kind of, you know, that had been saved, if you will, a little bit for the intelligence gathering, the intellectual property, the, you know, high financial gain, you know, targets. And then the rest of the attacks were more around kind of, where can I find a soft target, you know, common attack to many, uh, see where it lands.

And I think AI changes that so drastically, it will be so much easier and it becomes so much easier to create very individualized, customized attacks at organizations, maybe with a very similar arc and, you know, an approach, but customized on the front end of how you get in and, and, and make it very real to that organization and customize once you're in, you know, changing just enough and evolving just enough of the tactics to make it look new.

So we're going to enter world. Where anything, you know, looking for patterns that, of known things from before just aren't going to work as well, um, or at all, and everything's almost going to be a zero day. Not to be alarmist and things like that. But I think that, that is what, you know, changes so drastically.

And so it is looking at each of those stages of the attack chain and the protections and detection and capabilities that we've put in place and said, What is it heavily reliant on? Is it signature and pattern based? Okay, we're gonna need to know where is their road map going? Or do we need to look at something different? Because that future is here pretty quickly. 

The other area that the attackers will certainly take advantage of is just the new attack vectors opened up by the businesses and the business areas that are rushing to harness this opportunity. So again, not unlike the early days of cloud and SaaS where you had credit cards thrown down and the business operating.

I think that's happening here too. You know, businesses wanting to harness the opportunity and, and not let this get away or let their competitors get ahead of them. And so they're trying new AI models, they're integrating them. And the security teams are, are playing, you know, catch up and trying to keep pace with that to understand, you know, what models are they acquiring, developing and deploying in the organization.

I think we're a little bit more ahead of it than in the early cloud days and talking about it more, but it's just, it's evolving so quickly, so it's more, it's also going to be that, that, you know, lack of a robust understanding of the attack surface. created by the business with the use of those AI models and how those might be compromised that we now have to protect.

Steve: So Betsy, just putting like a, maybe a positive spin if we can, as it relates to the workforce. Do you agree with the comment, and do you have other possibilities around positive implications of this, that when you look at sort of 95 percent of what we hit in the ops space, for those that have eyes on glass, There's a potential for the A. I. To actually work for us to get rid of that 95%. And instead of looking for a needle in a needle stack, you're actually able to find some some bad things a little faster. Can you think of any other things where okay, it's going to benefit the attackers? Sure. But that's also an opportunity to benefit the operations folks and the technology here.

Any other ideas on where it benefits us, right, on the defender side? 

Betsy: Yeah, I mean, well, I mean, I think in the app space, to your point, you know, I've run SecOps a few times over, and, and the thing that we still spend so much time on is tuning and, you know, normalizing data across disparate feeds to try to figure out what really is, you know, true malicious activity versus noise.

So I think the, the ability to streamline that Not only to reduce the number of alerts, but then that actually leads us to maybe Really seeing a time we can have automated containment and remediation. Uh, you know, we've played with that, but most organizations are pretty, pretty still careful about say, and let it rip, you know, because I don't really know if I, I trust it. Um, I think we'll, we'll get so much more high fidelity alerts that we can, we can see that future. So that, that is exciting. 

I, I also might. My roots are identity and access management. So I, I love the possibility of AI in the access management space, you know, role based access, RBAC, zero trust. I mean, the, the, the elusive dream, right?

I mean, I've seen so many programs and none of them really deliver at scale because we don't really know what people need to do their job, particularly in this digital world and proliferation of systems. We've never worked really well with HR to follow somebody through their career journey and the changes in their job roles, you know, I mean, all those things, and it's never been a great experience.

So I think that there is a lot of opportunity for that to become true, you know, that we really do have the ability to enable only what's needed. 

Steve: I love it when the investment thesis matches the, the operational demand because we, I sort of have a thesis here on the investment side that the first Domains, first two domains I'm going to look at for AI to be disruptive and security is actually IAM and data protection. There's the most money has gone into them with the least amount of progress. 

Betsy: Yes. 

Steve: And those are the two areas that I really hope from a founder standpoint, if there's any founders listening, build into that space with a pure AI platform.

And I think you're going to be pretty disrupted later on. 

Betsy: Can I offer a thought on that? Um, cause I, I, I have a dream, um, of kind of the user access and data protection together. Um, and that is that we, we feed a model first with the, or the company and organizational information, like everything that we can possibly feed it with around the company's financials, their organic growth products, the acquisitions, their markets, their competitors, you know, everything about the business.

Then you use that to crawl your data and who has access to it. And maybe then you actually could discover what is your crown jewels and who might want what, and have and and be after it from internally and externally. Because let's face it, We can talk all we want about it outside of some very maybe niche places Understanding, you know a crown jewel that it's the project in the medical device Space, that is the product in five years and that schematic and all the research that's going into it and some like PowerPoint and PDF document that is the crown jewel only up until the point that it puts into a submission for Approval and then it's the world knows it and it's no longer private. Like those those are the challenges to your point Steve that I would love to see what this can do 

Evan: Tell us more here. Like what, what is like, help us dream about what the future could be, right? Where do you see kind of AI technology having kind of big impacts and security and like, if we fast forward five years, like, you know, what's the, what's the kind of upside case where it's the bull case, right? How has AI changed, you know, how security operations work for large enterprises?

Betsy: Okay, well, I'm going to give one that I feel like a lot of ground gets covered, you know, ops, data, whatever, but I'm gonna give one other. I think it is actually just kind of the application, the potential of LLNs to translate cyber and technical, you know, talk and, and complexity into the business, into something business understands.

Cause if you also talk about something we haven't gotten materially better at over the last, you know, 10 or so years, it's talking to the business, translating it again, that this dream I have of. I mean, the hardest thing when you come into an organization is, especially at a leadership level, is just figuring out how, how the company makes money.

What's most important. I mean, I, you know, Abbott was 40 billion for business divisions, and there could be one division under that that was 2 billion of its own. I mean, these are, I complex, you know, companies, and we have to protect them. We have to, we have to understand the business to protect it. And then we have to, uh, evangelize everybody in the business to be part of that journey.

And we have not, we're not great at that. And we haven't developed those capabilities over time, but there's a lot of potential in just the translation through the LLM, so it's an it's an unconventional one that changes things, but I think there's a bridge there. We may see that starts to get closed that no amount of training and development is probably going to do for our workforce 

Steve: When we look at right now, what's overhyped in this space? What do we need to sort of calm folks down about? Is it sort of the risks of, of AI? Is it, in some ways what I see is we're calling things AI that aren't. They're a bit gimmicky, right? And integrating it to chat GPT does not qualify as being an AI security company. But anything on the operator side that you think is right now being overhyped.

It could be regulatory, it could be just the technological capabilities of it happening sooner than we think. 

Betsy: I think I'm as curious as everybody else to see where it goes. I mean, I, if what is overhyped, maybe it all is. I, I, I'm not sure. Um, but what I would say is I think there are some, probably some obvious, near term realities versus ones that are further off of the possibility. And that becomes important for particularly cybersecurity leaders to, to really look at. 

Do I see the, you know, the change is something that, and the opportunity that's in front of us in the next year or two, because it's just, it's ripe for that, uh, evolution that that's where we focus that we're so, you know, we get caught up in shiny objects. So it's easy for us to be like, Oh, the potential is five years down the road. So let's focus on it now. We got enough on our plate. So I think it's, you know, what's right in front of us that has that either has already started because I think anything that is started with traditional AI models probably has a shorter leap to the, the, the emerging newer models versus a product that never talked much about AI or again, you just kind of saw through the smoke screen that it wasn't. That's a big leap to the models that are emerging now. So I, that would be one way to analyze it. 

The other thing is I don't, I do think it's overhyped of how many, you know, like the elimination of jobs that's gonna occur, like any technology, new jobs emerge, and there'll be new capabilities that we need to introduce. So I don't think that's going to, you know, have the wide scale impact. And frankly, keep in mind, it's not going to be very far off. We're going to have people entering the workforce that are AI native. We're going to be starting to talk about that, right, that don't know any world except for an LLM or they came up in school using chat GPT. And so thinking about, I mean, there will be jobs that, you know, get, do get eliminated, but then what gets created and, and, you know, where are those next, next, uh, jobs going to come from. 

Evan: You use this phrase like an AI native workforce, I think all of us would agree, five years from now, there's gonna be a whole new set of risks, a whole new set of tools, a whole new set of ways we even like use computers, right? Let alone run security. So in the context of the cybersecurity workforce, how do you think that affects the team over time, right? Do you see jobs shifting around?

Do you see kind of new training or enabling requirements, right? I don't know. There's like a new job, which is, you know, internal AI operations, right? You know, efficacy, you know, manager, like, you know, what's the kind of, like, how's the workforce shifted, you know, for a security operations team with the rise of these new AI technologies?

Betsy: I don't know if I have a great answer. I don't know that I know exactly how that'll, that'll shift. And I think, you know, the reality of at least the, you know, the AI translation and really in AI, original thought has to be put in to get a result out. We aren't at a place where the, the, the machines are thinking on behalf of us.

We're still thinking we still have to find, we still, there is still going to be the need to validate, stress test the models to make sure we trust in what they're producing. I think those will be maybe the near term roles that there will be SOC analysts that are on the side, validating and testing the output of it because we won't just, there's not gonna be a day that we all just wake up and go, Oh, I'm sure this is the, this is it like we completely trust what that's telling us.

And so go ahead and lock down the environment. So I think the near term will, there will be some that really understand this and we'll be testing the models output long with obviously, you know, kind of red teaming and pen testing that the model integrity, but you know, beyond that. Again, I think we're going to see the bridge between the super technical, you know, person that you go, they're really good at their job, but we can't put them in front of anybody, you know, start to change and evolve and that they are going to be more able to do security in context of the business than do security for the sake of security.

Evan: I know you kind of already talked about this a little bit, but love to just like, you know, hear more about your view of what that future looks like. And so my question is, like, what do you think is going to be true about AI's future impact on cybersecurity that most of your peers today would consider science fiction, right?

What's your, like, contrarian view about the opportunity that, you know, that that's going to happen that, you know, maybe other people aren't thinking about? 

Betsy: There's something I was reading, I can't say I'm an expert on it, but this idea of almost a human digital twin that is like a fingerprint. But it is encompassing of your behavior, your language, how you show up in the world and, and interact in the world.

And that is what authenticates you versus some kind of biomarker. And it continues to evolve as you, you know, go through life and, and evolve so that it is consistent. And so that's what's going to, you know, keep us from, from being replicated and, you know, and, and the deep fakes out there. So I, I don't know.

I don't, it's creepy, uh, maybe to think about, but, but I do think we're going to, you know, the authentication of, you know, being able to prove you are who you are is going to evolve. Without a doubt. 

Evan: For what it's worth, Betsy, I am 100 percent there with you and I've used this digital twin concept, right?

Yeah, I've used that literally literal language because like, I think if you, it's a very, it's a very compelling vision because if you can kind of build that digital twin, right? That's a very powerful, right? 

I think the challenge, right, is like people put too much trust in these digital identities, right? And the, you know, whether that's technical trust, trust, or like social trust. And so the problem is, especially with these new generative AI technology, it's very easy to, or it's increasingly easy to deceive, right?

Today it's, you know, fake emails. You know, you know, in six months, it's fake videos and that's fake zoom calls and FaceTime. And so, you know, a lot of the kind of more superficial indicators for how you verify the authenticity of a, a session or a communication, right. Those are not going to, those are not going to work in the future.

Right. And so, but I do think if you have this digital twin, right, there's this kind of multi dimensional authentication, right. Authentication of. Again, whether it's a session or a communication, right? There's some, there's a richer set of data that you can use, right? Um, through AI in order to do, to, to use that kind of digital twin as your, as your key of sorts, right?

Um, and that's going to be required as, you know, human's ability to do that authentication of, you know, again, communications or even a simple out, you know, simple algorithms ability to authenticate a user as being the real person they think it is behind the keyboard. That's going to get a lot harder in the future.

We're going to have to build a way more advanced way of doing this. 

Betsy: Yeah. Yep. That's, that's, that's exactly what caught my eye. I mean, it's interesting because I come from, you know, medical device and manufacturing world. So digital twin is a concept used in the manufacturing space to, you know, digitize the, that whole, you know, manufacturing operation.

So I was always kind of fascinated by that concept anyway. And then, you know, human digital, Oh, well. Yeah, I can see that again. It starts to get creepy, but doesn't it, you know, everything that we, every time we've said, well, I'm going to give somebody my, my, you know, retinal scan or, um, fingerprints and things.

But, um, yeah, I think it's a, I think it's, it's an interesting concept. I don't know how it comes together, but I think it's fascinating. 

Steve: If we could create a digital twin to check my email for me, that would be great. I don't know if that's part of it. 

Evan: Let's talk, let's talk, Steve. 

Steve: Awesome. Betsy, we're going to, we're going to get right into a lightning round.

Think of the answer as the same as a tweet. Limited characters. So, um, we'll do a round here. So, first question is any advice to a security leader who just stepped into their first CISO job and what they might overestimate or underestimate about it? 

Betsy: That it's your agenda. It's actually not. You're picking up from somebody else and evolving it from there.

Evan: What's the best way for a CISO to stay up to date with, you know, security challenges related to AI? 

Betsy: Have some great people on your team that are love the topic wherever they are in the organization that love the topic that are spending a lot of their time on it and have lunch with them and pick their brain as often as possible.

Steve: All right, Betsy, personal question here. Not too personal, but give us a book you've read recently that's had a big impact on you and why. 

Betsy: Uh, The Art of Gathering, uh, by Priya Parker. Uh, she is a, an expert on creating experiences and events and, and space and has studied what personal interaction looks like and, and, and how to make things really special and impactful.

And it's a fantastic book, whether you're running. your town hall meeting, uh, you know, something business related or, um, a birthday party. I used it for my daughter's fourth birthday party to have purpose and, and connection amongst the people there. So it's a great book. 

Evan: Maybe sticking on the, uh, personal theme and the, the answer here, um, does not to be AI related, but if it is, you know, feel, feel free.

Um, what's a future technology, somewhat related to cybersecurity that you're just personally most excited about or interested in? 

Betsy: Oh, does it have to be cybersecurity? Cause I'm going to say it's like, I, I want it to be, I am looking for the, um, parenting bot that, um, you know, everyone says there's no roadmap for being a parent.

That's not true. There are things, like there is, there is a technology that can tell me that if I don't, you know, give my daughter something to eat in the next 10 minutes, she's going to have a meltdown. Like, and, and, you know, and, and warning sign here and there. I think there is, I think there can be much more help for parenting, especially of young children.

So that's, that's what I'm going to hope for. 

Steve: All right, Betsy, last one. Security can sit in a bit of a negative state where we sort of feel overwhelmed and as if we, we don't do well sometimes or all the time. If you take a person who's thinking about taking that first CISO job, and you had a chance to sit down with them, what's the, the best piece of advice you would give them in a positive way to really encourage them that they can do it and how?

Betsy: Things have evolved a lot in, you know, the view of cybersecurity and the role of the CISO. Yes, the headlines tend to be negative and the scapegoat and, you know, we're going to lose our job, but I actually, the reality, I don't see that in reality, in most organizations, most organizations at this point do recognize the importance of the role, the importance of the team, the importance to the brand. I mean, just how many, you know, cybersecurity statements and privacy statements have popped up in, you know, ESG reports that have historically been, you know, totally focused on business things and, and, uh, uh, reducing waste and doing good in the world.

And now we talk cyber and privacy in those. It has changed. They do recognize the importance of it, but focus on the business and the building, the relationships, and you really do have the support that you need. And it is a role that is incredibly important and can be fulfilling if you focus on what you are bringing to, you know, the business that you're in.

Evan: Awesome, Betsy. Well, um, I wish we had another like four hours because I have like 400 follow up questions for you, but unfortunately we're, we're getting to the end of the show. So I just want to thank you so much for taking the time to chat with me and Steve today and looking forward to chatting again soon.

Betsy: Thanks so much for having me. This was really fun.

Evan: That was Betsy Wille, Former Chief Information Security Officer at Abbott.

Steve: Thanks for listening to the Enterprise Software Defenders podcast.  I'm Steve Ward, the former CISO of The Home Depot and TIAA

Evan: And I’m Evan Reiser, the CEO and founder of Abnormal Security. Please be sure to subscribe so you never miss an episode. You can find more great lessons from technology leaders and other enterprise software experts at enterprisesoftware.blog. 

This show is produced by Josh Meer. See you next time.

‍