On the 13th episode of Enterprise Software Defenders, hosts Evan Reiser and Mike Britton, both executives at Abnormal Security, talk with Jeremy Smith, Vice President and Information Security Officer at Avery Dennison. Avery Dennison is a multinational materials science company with over 34,000 employees and over $8 billion in annual revenue. They manufacture and distribute a variety of sophisticated branding labels and adhesives, including high-tech RFID inlays. In this conversation, Jeremy shares his thoughts on the evolution of cybersecurity at Avery Dennison, the advantages of AI-powered security tools, and how cutting-edge technology enables a successful defensive strategy.
Quick hits from Jeremy:
On threat actors' use of AI: “You can do an investigation of a whole C suite in seconds with an AI chat bot, where before you'd have to go to a website and crawl it and search. Now you can find out so much information at the touch of your fingertips and the speed the attackers are going to be able to leverage with AI is going to have to be combated.”
On the future of Enterprise AI: “I've seen a bunch of existing vendors in the security space that are now buying AI companies to just leverage that talent internally to develop their products further. It was a CEO of one company that we work with that was just saying there's going to be two kinds of companies. Ones that leverage AI and companies that are out of business.”
On the true impact of AI: “Whether it be your network, your authentication and login activity, you kind of combine all of those data sets together and look for patterns of what's typical versus what is deviating from there, and I think that really is going to be the power of AI. Being able to analyze large quantities of data at scale and analyze it in ways that we've never been able to do before and give us insights we've never had before.”
Recent Book Recommendation: Atomic Habits by James Clear
Evan: Hi there, and welcome to Enterprise Software Defenders, a show that highlights how enterprise security leaders are using innovative technologies to stop the most sophisticated cyber attacks. In each episode, Fortune 500 CISOs share how the threat landscape has changed due to the cloud, real world examples of modern attacks, and the role AI can play in the future of cybersecurity.
I’m Evan Reiser, the CEO and founder of Abnormal Security.
Mike: And I’m Mike Britton, the CISO of Abnormal Security.
Today on the show, we’re bringing you a conversation with Jeremy Smith, Vice President and Information Security Officer at Avery Dennison. Avery Dennison is a multinational materials science company with over 34,000 employees and over $8 billion in annual revenue. They manufacture and distribute a variety of sophisticated branding labels and adhesives including high tech RFID inlays.
In this conversation, Jeremy shares his thoughts on the evolution of cybersecurity at Avery Dennison, the advantages of AI-powered security tools, and how cutting-edge technology enables a successful defensive strategy.
Evan: Thank you so much for taking the time to join us. Do you mind just sharing a little bit about, you know, what your role is and can you give like a, like the quick overview of kind of how you got to where you are today and, you know, the role you play at Avery Dennison?
Jeremy: Yeah, sure. So I am the VP and, uh, information security officer. I've been with Avery Dennison for, for 10 years now. I started off with Avery, uh, leading the security operations team, but prior to that, and throughout my career, I've worked in a lot of different industries, a lot in, in the finance space, more in the infrastructure side, and then I've even had a short claim to fame and security at an early social media company called MySpace.
Uh, so I have spent a lot of time in, in kind of both heavily regulated industries and the infrastructure that kind of led well to moving over into, uh, the security space with Avery Dennison.
Evan: You've worked in, uh, you know, information security for a long time. At what point did like the light bulb go off where you felt like inspiration or motivation or passion to work in security?
Jeremy: I think it was really probably three years into my time at Avery Dennison. When I first started over 10 to 11 years ago, really the focus was kind of the traditional endpoint security, firewalls, and IT security was, was kind of seen as a necessary evil and more compliance based. And it really changed when a lot of threat actors started going after companies, and I remember very specifically the conversation we'd always have 10 years ago was we need to do more in security. We, there's a lot of areas that we need to, to improve on. And, and the answer was always, um, who is really going to go after a company that makes adhesives, right? It just wasn't any, any motivation, they thought for threat actors to go after a company like ours. I mean, we do have intellectual property, so that was one piece, but the game really changed when the monetization it was for, for the threat actors to go after anyone with the, with pockets.
And when, with that, it really changed our need to defend our need to communicate with our leaders around the importance of security, uh, and then also just really to up our game in terms of not just doing it for our compliance sake, but to look after all these new threats that were coming out and, and really kind of create more of an ecosystem of cybersecurity rather than just a point products that were, were kind of protecting the perimeter.
In the manufacturing sector, safety is always considered a very high level of, uh, of awareness around it. Obviously the safety of our employees is, is very important. And we're trying to elevate cybersecurity to even to that level, um, where it's thought of just intrinsically in everyone's daily life of, of just doing the, the, the right things around cybersecurity. So it's, uh, yeah, it's, it's changed quite a bit from the over oversight within our, our company to even now trying to get our employees even, even more aware and understanding of the threats that are out there.
Mike: You know, Jeremy, it'd be great because maybe not all of our audience knows who Avery Dennison is. Can you maybe just give us a brief overview of what your business does?
Jeremy: Yeah, it's, it's interesting. Uh, Avery Dennison, whenever I start off talking about Avery Dennison, people bring up the, the Avery labels that you would buy at Staples. And the really interesting part about that is that we no longer own that company. Uh, we sold it off maybe about eight years ago.
So we, we have two main business units. One is called a materials group business where they're actually making large rolls of adhesive used to everything from wine, beer labels to really anywhere that adhesive is needed. And then our other business unit is called solutions group. And that's much more of a, a conglomerate of other mainly focused on apparel. So all the tags and labels and apparel. And RFID. We're one of the largest RFID manufacturers in the world, and that's a big growth business for us. And where we're really going, if you combine both kind of the adhesive business and our RFID capability is being really the connection between physical and digital.
So we are on most products in the world and we feel like we're in a really unique position to have item level identification across the board for things that never had it before. So, traditional materials business really going into this, uh, this digital world because of the unique capabilities that we have in, and just our, our history. I mean, we've been around for, for 80 years, actually, I think it's coming up on 90 years now, uh, as a company.
So with that too, as you can imagine, we have a lot of, uh, uh, a history of legacy of, of technical debt, et cetera. But, uh, yeah, now really going for the next chapter of our, uh, of the company, um, to really become fully digital.
Mike: So one of the things I always love to ask is, every organization is different. What are some of the unique aspects of your cybersecurity program at Avery that somebody that isn't an insider might not appreciate or might not be aware of?
Jeremy: Yeah, I would say one of the unique pieces of our cybersecurity organization is really our security stack, and the fact that we really got involved in some very cutting edge technology pretty early. Now, and Abnormal is definitely part of that story. We, I think very early, we met with Sanjay and had discussions about our need. And we, we weren't, we didn't have kind of a traditional security email gateway because Google was doing a fairly decent job of, of kind of that, that perimeter, uh, email security.
So in addition to that, I mean, we were very early customers of, of Wiz, um, and Armis, and because of that, we've been able to partner with companies that were at the startup phase, give them insights into, to our needs and even, kind of, work with them to, to really create best, best in class products. So I feel very fortunate that our team has, has had that capability of working directly with product managers on and technology startups in the cybersecurity security space to meet our needs, as well as to develop some pretty cool companies that have, uh, have come up.
Evan: So maybe kind of switching gears to, um, you know, how, you know, what's evolved right in cybersecurity. I think without a doubt, we're in this exponential growth rate of technology capability across the board. And when the three of us, you know, had our jobs 10 years ago, it was a lot different, right? We're sitting down at our desktop computer in an office, where there is maybe a firewall. We locked the doors, right? A much more controlled security environment.
Today with everything, you know, shifting into, you know, cloud software and we're working from home, there's been a bunch of benefits on the productivity side, at least in my personal belief, but it also really changes like the security landscape, where now anyone can log in to any application from anywhere in the world. Any, any network, any device, pretty much access, you know, any application, any data, all these applications are interconnected, right? So the surface area has, you know, expanded dramatically.
What do you see is like the biggest changes in that threat landscape, you know, today in that new environment versus maybe 10 years ago?
Jeremy: Yeah. So I see there's maybe two or three themes in kind of the move to the SaaS move to the cloud that we have to look at that we never had to before.
The first one, and I think a lot of companies are, or have a lot of focus on this now is third party risk. When everything was kind of in your, your four walls, it was much easier to, to secure it, you were responsible for it. You knew its state. With SaaS vendors, every piece of software can be offered in a SaaS solution now, and you have lots of people running these companies and they're trying to innovate, but they have different levels of, of knowledge of, of security. Some are very early stage and they have very little. Others are much more mature and, and have a very robust security stacks. So really tailoring our, our program to understand the risks that we have with these third parties, and also working with them to improve their security program. So we can actually use them. That's been a big learning.
Another part of it too, is that you really can't solve that problem, right? I mean, we can do all the surveys of third parties that we want. I mean, look at Microsoft, right? Are you going to not use Microsoft because they, they had a recent event. It's an interesting issue with the third party risk. And I don't know if it's ever going to be solved, but there are, are ways of just reducing your risk and, um, understanding at least where you have very high levels of risk with maybe some immature third parties.
Then the next piece is really when you're using these, these applications, how do you prevent attackers from attacking them? I think a lot of this goes to a zero trust architecture. I know zero trust is, is overly used as a, as a marketing play out there in the world. We at Avery Dennison have really taken zero trust very seriously from a very early on.
So we actually created a whole maturity model around how do we get to a better Zero trust architecture. And what we found is that a lot of the technologies weren't there to do it well. So being able to prevent people from accessing your SaaS applications from non corporate devices, for instance, we're still working on that. Being able to monitor and manage all these different SaaS apps and understand their, their security posture. And if, and if a change is made to, to, uh, open up a risk that that's still kind of developing. Identity, I think is one of the key parts of both zero trust and, and how we have to better protect. Actually all the key tenets of zero trust, really identity, device, network.
One of the interesting kind of side things that we found during the pandemic, we were very fortunate in that we were also using kind of a cloud based security gateway, which a lot of companies then, kind of, moved to after they realized all their employees were home and they were no longer protected, protected by the firewall. And then we're also working on kind of a whole zero trust network access, um, solution. But one of the things we're looking at now is, well, I'm at home, I'm working, I maybe connect to my VPN once a week, and that's just for this, this one expense application that is on our corporate network that requires me to, but when I go into the office, I put my computer on the network and I'm sure like a lot of companies, now my, my computer is exposed to the whole network.
Why? I just was at home and had very little exposure to our entire corporate network. Now I'm going to exposing my whole corporate network to my device, which, to me is somewhat kind of ludicrous. So we're looking at even potentially blowing up the whole network, right. And looking at how we can basically take our devices and just have them off the network altogether and really just leverage kind of that zero trust access to kind of provide access to both internal and external applications.
So that whole thinking has changed that you are connecting to a device. Now you're connecting to an application, right. Which is kind of a mind shift for a lot of companies. We were fortunately very early there in our thinking, but the technology isn't quite there to do it as we'd like to.
Evan: What's the implication of that long term, right? Like if you look at the lowest levels of the technology stack, there's no information security on like fiber optic cables. We don't apply security at some of those layers, but we still applied it like the end points and the network. Does that mean the importance of those layers kind of goes down and you put more focus at the application layer or like closer to the human. Where does that take us, you know, five years from now?
Jeremy: Yeah, it's, it's interesting because, uh, that problem is very prominent in kind of operation technology spaces, because you can imagine a lot of the devices don't necessarily have mature operating systems to have kind of protection and controls on it. So in that area of really the strategy for a lot of companies is to at least have visibility, right?
Understand what's going on in that environment. Look at patterns of what's normal, then look at deviations from that. And I think that's really the way things are going to go. And that's where AI can help us, right? I mean, we, we can take that at scale of what is kind of a normal traffic pattern within a factory, for instance, and where that then deviates in some way that, that would show that there's potentially an attack or at least a vulnerability.
So I, I really do think that AI is going to empower us to be able to not just kind of do the defense and prevention, but have that kind of monitoring and understanding of environments that we really never had before.
Mike: So when you look at it, like, where do you see the attackers going, with everything you explained. And you guys are forward thinking and a lot of your program. Where do you think there'll be attacks or how do you think attackers will be attacking organizations a year from now, where we may not necessarily, you know, have our eyes on the ball on that today.
Jeremy: Uh, it's interesting when you look at the, the major attacks that happened to, to enterprise organizations, they really haven't changed that much. They tend to get a foothold into a company, move laterally, get to as many systems that you could impact, put in some ransomware and exfiltrate data, and leverage kind of Active Directory and all of its weaknesses to kind of escalate privileges. So to, to me, it's, it's probably a lot of the same, but now with AI and, and capabilities, it's going to be more of it and, and quicker and at more scale. I could imagine that just understanding a company's doing that initial discovery and doing that kind of attack surface, um, discovery for attackers, it's just going to be so much simpler with AI, right?
I mean, you can do an investigation of a whole C suite in, in seconds, uh, with an AI chat bot, where before you'd have to go to a website and crawl it and search. Now you can just find out so much information, just at the touch of your, your, your fingertips and the speed that the attackers are going to be able to leverage with AI is going to have to be combated with less as defenders using that, that same kind of technology to, to do the, uh, to do the defense.
I mean, yeah, there's going to be additional attacks using things like deep fakes and, and all of that, but I think at large, people are going after where the money is and it's going to be to cause as much impact as possible as, as they're already, they're already doing.
Evan: There's two things you said I want, I want to kind of like, you know, follow up on.
So one is something you said about attacks in some ways haven't really changed, right? Which I agree, right? Criminals are still trying to like steal money, steal data. It's kind of the same objectives, right? But there's new tactics and there's like new, the environment has changed, right? And so when the environment changes, like, you know, there's new surface areas, there's new strategies, new, there's new tactics.
And so, um, I want to talk in a second about, you know, how AI can be used on the defensive side, but certainly like criminals will begin using these tools as well, right. And even with ChatGPT four, you know, every petty criminal can now set like nation state level sophistication, sophisticated attacks, right. And personalize at scale.
So how do you see kind of criminals using these AI technologies? Are we going to be seeing interactive, deep fake zoom calls? And like, what do you think are the implications for security teams as they think about this new wave of generative AI attacks.
Jeremy: Yeah, the, the Zoom call scenario was an interesting one. For those who aren't aware it was a CFO was supposedly on a Zoom call that was actually a deep fake with a, or a finance person with their CFO, um, and then made a, a payment. I don't know if I believe that one, actually, I think that there was probably a traditional business email compromise. And that the CFO ran to AI because he didn't want to be seen as a, as falling for an attack. I just can't envision, at least with the sophistication today of a complete Zoom call being created that is bidirectional, um, using a deep fake, maybe call me a skeptic. Um, I think it will get there.
I mean, every day, every company's CEO is, is asking someone to make money transfers, right? Over text, over WhatsApp. Uh, I think where that's going to change is those, that, that kind of areas can be much more sophisticated and they'll be able to do things like deep fakes and voice recognition. I think a lot of the controls that you have in place around that will be similar to what they have been in the past, like having multiple people sign off, right? Like those type of, of basic controls can still work in the AI world and with more sophistication.
But with that said, we're also going to need technologies to know what is real and what isn't real, and that's kind of scary. In the past we've been able to, in general, you'd say, Oh, okay that, that, that line of the email was a little bit off. Okay. That's I'll be able to understand that that's phishing. And we can't teach that anymore. I mean, people are going to, uh, the attackers can use AI to make a perfectly generated email that sounds, sounds like it's in the dialect of that, that location. And, um, yeah, just being able to differentiate what is actually an attacker versus what is a legitimate email or phone call is going to be increasingly difficult and we'll need tools to be able to do that on the defense side, uh, as well as, uh, watch and make sure that, uh, that the tools that we're generating for, for business purposes aren't, aren't being leveraged for bad as well. So putting those guardrails around the technology that we're, we're creating.
Mike: What role do you think AI will play in helping defenders not just stop attacks, but ideally get further ahead of the criminals?
Jeremy: Yeah, it's a good question. I think I was alluding to it earlier when I was talking about network traffic. Taking a large data set, analyzing that data set for what's normal, and then looking for deviations from it and allowing us to find kind of that needle in a haystack. Um, you can take that kind of same model and apply it to different data sets within your security stack, right? Whether it be your network, be your authentication and login activity, and you kind of even combine all of those data sets together and look for patterns of, of what's typical versus what is deviating from there, and I think that really is going to be the power of AI. Being able to analyze large quantities of data at scale and analyze it in ways that we've never been able to do it before and give us insights we've never had before. So I think that is really where on the defender side, I'm optimistic that technology is going to be able to really help us.
And there's going to be new technologies. And I've, I've seen a bunch of existing vendors in the security space that are now buying AI companies to even just leverage that talent internally to develop their products further. I think it was a CEO of one company that we work with that was just saying, if, if there's gonna be two kind of companies, right? There's gonna be ones that leverage AI and then there's going to be the companies that are out of business.
So in the security space, I think just because the problem is just massive amounts of data sets and analyzing it and looking, looking within that, we have a unique area of being able to leverage AI. I think that that goes beyond a lot of other use cases.
Mike: And I think just to double click into that, so obviously there's the technology side, but how do you think that's going to impact your team and, and the cybersecurity workforce in general? Is it going to eliminate jobs or is, what's that long term impact there from an AI perspective?
Jeremy: Yeah, I really don't see any cybersecurity jobs going away anytime soon. Um, I, I think the problem keeps getting bigger and our attack surface area, uh, growing more and, again, as we, we were talking about earlier, just the threat actors using this, this technology as well.
I think it will allow us to be more efficient. Um, I see that already just in kind of creating presentations, right? I mean, a very simple thing of tell me about these, these frameworks and which one we should be using and why, and just be able to create presentations on for leaderships as well as, uh, just, I think that the productivity is, is kind of the big playoff doing it, be able to do more with less, but also be able to do more things. It's really going to be the difference in the cybersecurity space.
And we will need to have upscale, right? I mean, I think that leveraging AI, well, there'll be some, some people who are just using it as a, as a chatbot and providing feedback, et cetera. It's, it is a, it's going to be a change in how we work. So it's not going to be kind of traditional looking at, at alerts. It's going to be understanding datasets and, and be able to dig into it deeper. And I'm going to be looking for people like, like Evan to help me with this, uh, to create new companies to, uh, to, to help solve this problem, because, uh, obviously, uh, being an enterprise, our, our focus isn't purely on cyber security, which to, to make products. And, uh, we're, we're going to be needing to rely on some, some smart people and smart partners to help us defend and leverage this technology to get against the threat actors.
Evan: All right, so Jeremy, we have like seven more questions in our, like, in our notes here about AI, but we are a little short on time. So I wanted to maybe skip to, uh, our, our kind of lightning rounds, right. Just for the last, you know, five or so minutes. So we just had like a handful of questions and looking for like, the one tweet response, right?
Some of these questions deserve like 10 page essays so forgive us in advance if they're a little bit tricky, but, um, Mike, do you maybe want to kick it off for us?
Mike: Sure. So what, what would be the one piece of advice you might give to somebody stepping into their first CISO job? What they might maybe overestimate or underestimate about the job?
Jeremy: I would say the first thing is learned and sit back and learn what about the environment, learn about the culture of the company before going in and trying to make massive changes right away. You have to be able to work with the culture of a company in order to, to influence change. And I think that was a, I was fortunate and I was with Avery Dennison beforehand, uh, before becoming the head of security here, but I have seen a number of leaders go into companies and want to make big changes really quickly. And you, you have to learn the culture and the environment you're working in before, before you can put your, your stamp within that company.
Evan: So, Jeremy, I've worked in applied AI for 15 years. I read like half the white papers that come out. I feel like I'm always behind. I'm like new technology. So I have to imagine if I was, um, you know, a security leader or a security analyst, and I'm dealing with criminals trying to break in 24/7, it might be difficult to stay up to date with, you know, given how fast technology is changing. Any advice for, you know, some of your peers who are, you know, trying to stay up to date on both, you know, the rising security challenges related to AI or maybe AI technologies, while weeding through all the kind of marketing hype and fluff. Like, how do you, what would be your advice about how people to sort the signal from the noise?
Jeremy: Yeah, that's a, that's a difficult problem and I would say if you go on Twitter, which now X and you rely on that, you're going to get some good information, but you're also going to see things that are way over the hype cycle that just really aren't prime time.
I would say working with your existing vendors and understanding their, their roadmaps and asking them how they're going to be leveraging AI is, is key. As well as just being out there, right? I mean, meeting with other heads of security. I am in a number of round table groups and keeping on top of, of what they're seeing and what we're seeing, and then working with our vendors to help solve those problems. Um, I think has been really useful for, for us.
And then also just seeking out some new innovative vendors and having some time just to, on your schedule to, to keep up to date on what is the latest trends and, and new companies out there and the problems that they're solving. I wouldn't spend all your time there, but it's, it is, uh, very useful because we've been very lucky, very fortunate to be able to work with some very innovative startups and, and really help better our security posture.
Mike: On the more personal side, what's a book that you've read that had a really big impact on you and, and why.
Jeremy: Recently I read a book called Atomic Habits. I don't know if you're familiar with this book, but it's, uh, yeah, I, I, and I can't remember the, the author off top of my head, but the whole idea behind Atomic Habits is, basically getting into a routine of improvement and really looking at not doing things a point in time, but really creating those habits that, that bring you, you, you further. It seems so simple, right? Like you do the same thing every day. You're going to get really good at it. A lot of people don't realize that, right?
Like if you look at some of the startups in the security market, and you're like, oh, wow, they came out of nowhere. Well, then you look at the history of the founders of those companies and you realize that they've been doing this for years, right? And it's because they've had those atomic habits of doing that same thing over and over again. And if you, if you rinse and repeat and you do it a lot, you're going to be really good at it. And that's something I think that's overlooked. Just spending time and doing the hard work is, is really what, uh, what leads to success in the long term.
Evan: What future cyber technology are you most excited about?
Jeremy: Yeah, I mean, it's definitely AI, right? I mean, how could it not be? It is, it is AI in both in the products and tools we already use. And then also like, like if I look at like SIEM, right, like that is a place that could be, should be disrupted and needs to be disrupted. I think that kind of central orchestration and, and being able to look at all log sets and analyze it and be able to, to give out outcomes rather than kind of traditional rules being written. I think that that is a huge opportunity that I'd like to see technology being applied to, and I'm sure everyone's biting at the, is going after it, right? I mean, that's going to be a big disruptor and I'm excited about that because I do feel like that market and that capability, I should say, within organizations is kind of stagnated and has become this expensive, not so effective component of our security architectures.
Mike: Alright, last question. Any advice you'd like to share to inspire the next generation of security leaders?
Jeremy: Um, I would say in terms of advice to give for the next security leaders, it would really be to, to still learn the basics first, right? And to foster a culture within your organizations, um, and your employees of safety. My employees know that they can fail and there'll be forgiveness as long as it's, uh, as long as it was done in a, in a way that, that was not malicious. And, uh, so, so really fostering a culture within your, your security organization, I think is so key. And I've been very fortunate that we have a very diverse team, global team. And really because of that, we've been able to, to have a culture where all different inputs and thoughts have been able to cut rise and, and help us. So really driving that, that culture within your team of, of both success, but also willingness to accept failure, I think is, is, it's been one of the keys to, to what I've seen in my success and working with, with my team and Avery Dennison.
Evan: Jeremy, thank you so much for making time. Great to see you and looking forward to chatting again soon.
Mike: Thanks Jeremy. I mean, you really had some very insightful points that you made and it was great learning, you know, what you guys are doing at Avery Dennison and anyone that listens to this can't help but walk away inspired.
Jeremy: Thank you very much for having me here. It's been great. It's been a real pleasure to talk to you about the future of cybersecurity and all the risks that we're going to see with AI, but also all the opportunities we have. And it's always an enjoyable experience to talk with colleagues.
Mike: That was Jeremy Smith, Vice President and Information Security Officer at Avery Dennison. Thanks for listening to the Enterprise Software Defenders podcast. I'm Mike Britton, the CISO of Abnormal Security.
Evan: And I'm Evan Reiser, the CEO and founder of Abnormal Security. Please be sure to subscribe so you never miss an episode. You can find more great lessons from technology leaders and other enterprise software experts at enterprise software.blog.
Mike: This show is produced by Josh Meer. See you next time.