On the 16th episode of Enterprise Software Defenders, host Evan Reiser (Abnormal Security) and special guest host Steve Ward (Former CISO at The Home Depot and TIAA) talk with Roland Cloutier, former Global CSO at TikTok. Roland is a seasoned cybersecurity expert who has led security programs at major organizations, including EMC, ADP, and, most recently, TikTok. Roland's journey from military aerospace defense to becoming a top CISO offers valuable insights into the evolving landscape of cybersecurity and the critical role of AI in enhancing security operations. In this conversation, Roland shares his thoughts on the evolution of cybersecurity in the AI era, the transformative impact of AI on security operations, and a glimpse into the future of converged security programs.
Quick hits from Roland:
On AI’s ability to assist enterprise security posture management: “Why do I have really smart people doing things like writing scripts that go across logs? That is insanity. We're going to get to deeper insight faster through AI. So as a practitioner, we're going to have better weapons to understand what's going on to apply defensive postures quicker.”
On AI copilot’s enabling safer code creation: “There's massive hope in the use of AI around code defense. Code is going to be created differently and it'll be created with AI and with constructs. Therefore we have the opportunity to put security control capabilities or quality measures in capabilities at the time of code. It's going to automatically do privacy by design and security by design in a way we’ve never seen before. So from a compliance perspective, we're going to be able to operate as businesses in a much better way.”
On the true impact of auto defense capabilities: “AI is going to now show up and code is going to be generated by the time someone thinks about it. But it doesn't have to go in a queue for us to check. We don't have to wait till something gets checked in. We can instrument the AI with our capabilities that says to automatically remove any OS pipe turning, and tell us what you did. Think about the modeling capabilities on a per second basis it can provide when it evaluates code.”
Book Recommendation: The Mission, The Men, and Me by Pete Blaber
Evan: Hi there and welcome to Enterprise Software Defenders, a show that highlights how enterprise security leaders are using innovative technologies to stop the most sophisticated cyber attacks. In each episode, Fortune 500 CISOs share how the threat landscape has changed due to the cloud, real-world examples of modern attacks, and the role AI can play in the future of cybersecurity. I'm Evan Reiser, the CEO and founder of Abnormal Security.
Steve: And I’m Steve Ward, the former CISO of The Home Depot and TIAA.
Evan: Today on the show, we're bringing you a conversation with Roland Cloutier, former Global Chief Security Officer at TikTok. Roland is a seasoned executive who has led security programs at notable companies such as EMC, ADP, and most recently TikTok. Roland's journey from military aerospace defense to the enterprise offers unique perspectives and valuable insights.
In this conversation, Roland shares his thoughts about the evolving landscape of cybersecurity in the age of AI, the transformative impact of AI on security operations, and the future of modern security programs.
Well, Roland, first of all, thank you for taking time to join us today. Super excited to chat with you. Um, I know Steve and I have been looking forward to this for a while.
Roland: Evan, great to be here. Thanks for having me. Always a fun conversation with Steve, for sure. So
Steve: Could be good or bad.
Evan: So Roland, maybe to kick us off, do you mind just giving our audience a bit of a background about your career up to this point?
Roland: Yeah, I mean, it's pretty simple. I didn't start doing this stuff. That was not even in the same vector, for the first part of my career. I started out in the military as an aerospace defense and anti-terrorism specialist and kind of moved from that into federal law enforcement.
And next thing you know, every major investigation I'm working on has something to do with the computer, and this is back in the nineties and I didn't even know how to spell database. I had to get subpoena and warrants and go beg and borrow steal from the Bureau and OSI and all these other agencies cause we didn't have it.
And it was a little frustrating. And I kept going to this one technologist who said I don't mind helping you Roland, but can you please just go back to school? You have a propensity to be able to do this sort of stuff. Just go figure it out. So I actually did.
I went back to BU for a couple of years and fell in love with it. I mean, I was the guy in the back of the course, still in semi uniform, depending on the day, and, turning off other people's computers in the front. It was, uh, learning the deep technology behind it, and the lesson that progressed into me building critical infrastructure security groups.
I, I married the love for defending with the love for technology, and it was kind of a match made in heaven. And next thing you know, I'm working for EDS building their security organizations, protecting customers, then said I could do it better. Built my own two companies that was painful and a lot of great lessons learned on entrepreneurship and foundership, and what it takes to really run a business and got acquired and I went through a couple of acquisitions. Ended up building companies that were reacquired with other partners. The next thing, you know, I'm the first chief security officer for EMC, now EMC Dell. And, then I moved on to ADP, as a growth and experience opportunity, building their global security program.
At the end of the day, we have security operations in 13 different countries, um, you know, protecting about, you know, 13 trillion in money movement. And my expertise is in converged security. So how do you take cyber defensive operations? How do you take risk management? How do you take resiliency? How do you take financial crimes, defense and fraud management and put them all under one umbrella for the business?
And then I got a little tap on the shoulder and said, Hey, we've got a unique problem that involves a national security perspective. Maybe you can go out and help this little known company called TikTok, build a global trust program. And so that's what I've been doing for the last 20 or 30 years.
Evan: So much has changed, right? Since you first started working in this field before it was probably even called cybersecurity. We're in kind of a period in history where we've never had the rate of kind of technology change as we do now, and I'm sure next year will be crazier. But I'm sure like back in the day, when you thought about protecting an organization, right?
Maybe ADP. You put up a firewall, maybe you have an email gateway, you lock the doors and like, that's kind of it, right? But now, like anyone can access anything from anywhere in the world, right? With any device, any network. The boundaries kind of exposed, right?
People are attacking your vendors and like their software and what's all in the cloud. What are some of the things that keep most CISOs up at nights? That are just things that you never had to think about 10 years ago.
Roland: Yeah, I have a whole list. Let me see where did I put that book? No, just, just kidding. Let me start with what's good. Because I think we always start these conversations and oh my God, the world has changed. It's, it's going dark. How are we going to do this?
Just take cloud for a second. What was good about that? Well, we got better controls at a deeper level in the stack and the ability to do better integration across different type of enterprise and security tools that we didn't have in the past. You couldn't connect them. It didn't matter if you had an SDK or an API. Imagine trying to do that with an SDK. Like the company says here, here's our SDK. So I'm going to use like 250,000 hours of programming time just so I can see your freaking log, really? Like that has changed dramatically. So there's better access to things.
But here's the reality behind that. It's a metric, but ton more of threat surface. Like our threat surface grown from our enterprise to our cloud platforms, to our SaaS, to our iPaaS, to our edge partners, to our third, fourth, fifth, and sixth party, like you just can't lie. And what happens there? Now you get segmented visibility.
I preach at the top of mountains. You cannot protect what you cannot see. And when you get segmented visibility, it means you get a lack of visibility. And so this has caused an increase in pocketization of being able to defend. It's caused a problem around having to have more tools, which you were trying to get rid of.
And don't get me wrong, I think secure platform management technologies or SPMs and DSPMs or ASPMs or CSPMs or EIEIO SPMs. You know, they have helped certainly aggregate some of the problem space. But we're still not there. We still have major issues around data defense. I mean, think about it back when, you know, Steve was in the seat we used to have all these conversations about data security programs and things like that. I've kind of recoined that to data defense and access assurance, cause you're never sure where that's going to be, but that control assurance across multiple platforms, multiple partners, multiple edges, and that expanded IDM, that expanded insider threat issue, how do you defend against that in a reasonably consistent manner that ensures a level of protection that you can articulate to your shareholders and to your business?
And last but not least, I think, what has now become a new opportunity for chief information security officers is resilience. I mean, everyone's talking about cyber resilience. Yeah, we have ransomware out the bazoo and we have a bunch of other areas, but business operations protection resilience, how things connect, who connects across those. That is a massive area that people really have to start looking at. This is not about third party defense. This is about your new value chain, which used to look straight across like this, and now it comes in and out of your environment, in and out of your environment. And how do you assure that?
So, I think this is a whole new education sector for organizations, for CISOs to be true leaders and be able to redevelop a problem set in our industry that we haven't really had to attack in a meaningful way.
Steve: Roland, I want to sort of give you a statement and then I want to see if you have your own spin on it. You've been out for a few years now, so have I. I feel like if I went back now, I feel like, I would look at things differently that I had so much focus on what I call crawl, walk, run. So, the crawl being visibility, the walk being a bit of the posture management that they classify it now. Tell me what's wrong. But very, very little on the run, which was the fix. I'm almost like convinced that if I went back, I would flip my budgets in those categories. Like, I don't want to see any more. I don't want to identify the bad things anymore until I have the BAU and the ecosystem available to fix the things in a proper way.
A, am I completely wrong? And B, do you have something where like, when you sit there and you're like, ah, if I ever went back, this is kind of probably how I would approach something or focus on something different than what you did back in the day.
Roland: I don't think I'd flip it. You can find problems and you can fix problems, but you don't know the downstream residual impact of those things unless you have the totality of the environment you're defending.
So I think you still have to have that visibility. I learned that lesson in a board meeting one day and I was taught kind of the same thing. It was a big industry problem. We went out and we looked for stuff and we found it and we patched it, but it was Wall Street front page stuff and I'm in a board meeting like the following month. Great for me. Right. And so we had to work fast. We knew it was coming. And in the, comes up, I give them, you know, this is how we're handling it. This is our level of blah, blah, blah. And then really smart CTO was on the board goes Roland, but how do you know? Like, and I stopped and I was like, what do you mean? How do I know? Like. This is the report. No, I didn't know you got it all across all the code bases, across all the products, across all the infrastructure, like what's your visibility to be able to do something at that level?
And it was a great question. Felt totally stupid. I didn't have a good answer. But it's one of those things that caused me to stop. And every time. I get close to this question, I say the same thing. I want to at least know I have 80 percent visibility, or I have 20%, or I have 30, so I can make a good decision based on that.
But I would start with visibility. But beyond, like the, what do you do first, the chicken or the egg, the visibility or the defense? I think there's some, really great things that I would focus on faster, which is informational assets, right? A decision support capability for a CISO.
We used to call it the security intelligence data warehouse. What I'm talking about is a security data lake that is enabled by true ML or AI capabilities that provide you a level of insight, understanding and diagnostics that we did not have five years ago. It's the use of commercial capabilities of ML, but the advanced LLM capabilities to search and inquire at the speed of a human thought. When an analyst, a good analyst goes, Hey, did we think of this? Let's find out if this is in our data and not wait six days for someone to create a query to go across 1600 databases. You do it at the time you're thinking about it, get great visibility, be able to make actionable decisions on good information.
That's the game changer. That's the thing that are going to save businesses and enable other new industry opportunities for businesses to go create things in that space to get us closer to near real time defense or informational assets that will get us there.
I mean, the reality is we're going to get to platform as a service, platform as a whatever adoption that will have these things integrated and we'll be able to provide us those things. But until then, we have to rely on our capability to ingest a lot of different information from a lot of different tech and make sense out of it. And I think that's the first thing I would focus on, Steve.
Evan: You talked a minute ago about the opportunity for superior machine learning and AI and behavioral analytics. To what extent do you think AI puts us on a path to a good place? Is that going to save us? Is that like a false belief? Is there too much hype? How do you think we get on a path to like a good place?
Roland: A lot of prayer, a lot of prayer. No, just kidding. Just kidding. I want to respond to one thing first before I jump into like my AI considerations, like I've been living the life of AI for the last three and a half years in a way that most people don't get to do. So, let me say this. Our jobs are always going to be operational.
And I'll use law enforcement and public safety. There's still fires, right? There are still people that commit felonies. In our space, it is not a race to escalate a technology war, but it is a constant creation of new capabilities for the bad guys. New capabilities for us to take the market. Our businesses have become a hundred percent digitalized. Even Joe's pizza on the corner is using digital supply chain to get, their supply chain in house. That's a real thing. So if you don't like operations, don't do this job, right?
You've always gotta be in the fight and you always gotta know what your mission is. And sometimes you've got to take a step back, but you know, it's always going to be a tough job. Now, is there light at the end of the tunnel? I think there is. I think there is a great opportunity. I think we'll get some really capable auto defense capabilities. And I'm not talking about a certain company's self healing network. I'm talking about true understanding of if we see that we don't allow it, right. It not so much as a firewall, but understanding complex attacks across APIs, across technology stacks, across human transactions or human like transactions, within infrastructure, and then be able to say, no, that's a 93 point percent visibility.
I've recently seen a new technology that stops the attacks prior and how do they do it? They're everywhere. They see pre performance setup of known criminal organizations of attack vectors and are able to stop the implications against domain environments before they even hit them or hit their customers. Like, it's the most amazing thing. These are really cool technologies that are coming out.
I think that people are underestimating AI pipeline defense as well. So what will apply to that, I think we'll be able to do to our regular technologies, because so much focus on AI. So if you think of like the Atlas of MITRE's Atlas view of how things are attacked, I think we'll be able to get to near real time technology defense on the normal MITRE ATT&CK framework, right? I think that'll be pretty important.
You know, there's just things we're not going to get to out of the blue, but from a work perspective, we're going to take the stupid out, right? Why do I have people? Why do I have really wicked, smart people doing things like writing scripts that go across logs? That is insanity. Why do we do that? And people hate it. Like I mentioned earlier, we're going to get to deeper insight faster through AI. So as a practitioner, we're going to have better weapons to understand what's going on to apply defensive postures quicker.
And the reality is we're going to actually have more complex issues that we're going to need more experienced practitioners on. So taking the stupid stuff away, retraining our folks, and having them be able to do that, I think is going to be really important. But at the same time, AI is lowering the bar to entry for criminal actors in this space. So we're still going to have work. We just have to figure out how we prioritize that work and which tools we put in place to give us better insight defense and faster capabilities.
Evan: I mean, obviously I'm a very bullish on I think AI's like longer term ability, right, to um, you know, give the advantage to the defenders. But also I think a lot of people are nervous about, hey, what happens in the short term when every petty criminal is using like GPT 7, it can now send nation state level sophistication attacks. You can load in databases of emails and messages and all this stuff and like some AI that you can run your laptop spits out very convincing social engineering attacks. Like what happens in the short term?
Roland: Massive growth, massive growth in criminal opportunistic issues. We're already seeing it. We're seeing financial crimes. We're seeing attacks on call centers. We're seeing individual extortion or extortions of organizations.
Let's not forget code is everything. Our businesses are built on code. Our infrastructures are built on code now. Our networking capabilities, our communications platform, everything's code, right? And it lowers that bar to entry for malware, ransomware, the speed of malcode development. It's going to be painful, folks.
There's no difference when we started migrating over into cloud data centers. I'm looking at Steve because I remember we went through this at the same site. We're like, you know, you have these massive tier one global data centers and your CEO turns around and says, yeah, we're moving those to the cloud in two years. We're what?
Evan: And we've signed the deal already. Can you figure it out?
Roland: And we signed the deal and we're going to make sure we're paying for it by taking out of other people's budgets. And you're like, Oh, okay, let's go do this. But they had a leg up on us. We didn't understand our platform control. We didn't understand our, our key capabilities, how to manage logging. It was so much stuff that we had to learn in such a short amount of time. And so bad things happened.
We had several breaches, early breaches in major cloud organizations, especially in the financial sector, that were based on the maturity of our capabilities to defend. Now that has wholly changed, and I would rather be in a cloud environment than my own enterprise environment, to be able to do defensive ability at scale. But we are going to see auto attack and attack defense subversion capabilities like we've never seen them before.
One quick story. I know this CISO. He may or may not have been at a large social media organization, and he may have spent, seven or eight digits on a like major anti bot defense capability, looking at inauthentic attacks across platforms for validity.
And so we turn on this capability and we have the capability to monitor what was going on. Or they did. And they killed it, and it was beautiful. Everyone's high-fiving. But within several hours, all of a sudden they start seeing little pokes at the door. And then weird attacks on little other areas on API infrastructure and some other stuff.
And so the question was like, what's going on? And we realized that it was machine speed. Like it was unbelievable. And so what the bad guys were able to do, in recent history, was to be able to play out a secondary attack sequence on a known control infrastructure that they were already monitoring with an automated playbook on the back end to say, if this happens, go figure out to attack here, here and insert our bots here, like at speed. So something we may have spent a lot of time and money on that was then just rendered useless in a couple of days. It's crazy at the speed that you have to defend for and the instrumentation in your environment to monitor for those type of attacks.
Steve: But Roland, if you look at sort of where generative AI is going, is there a space you think it disrupts the most in a good way for us?
So sort of how some disrupted SIEM, we'll call it, vulnerability management that got disrupted that we now call CSPM in the cloud, things like that. Is there something there that you go, okay, we know what the attackers are going to do with it. We know that it gives them the jeans and t-shirt attackers a bit more power. Not really any different than when Metasploit was created and things like, that made it easier. What's going to be great for the operator side of the house on sort of what gets disrupted say over the next like five years.
Roland: Well vulnerability management will become a thing of the past. Absolutely. At the end of the day, we'll be able to look at changes in the environment, changes in state, and understand complex issues and downstream complex issues. And so I think how we do vulnerability management will be very, very different.
I think there's massive hope in the use of AI around code defense. First, code's going to be created differently. And don't forget it'd be created with AI and with constructs. And therefore we have the opportunity to put security control capabilities or quality measures in capabilities at the time of code. I mean, like Sally or Jimmy on the keyboard are giving an instruct and it goes to grab code, we can actually tell it what it can and can't do, what its high and low limits are. So, right, like, like, STLC, thing of the past, right? It's going to be very, very new. By design will be a real thing. Like, when I load it in the system, what's that app going to be used for? What country is it going to operate in? Whose type of data is it going to be in it? What are the ages? It's going to automatically do privacy by design and security by design in an automatic way, like we ain't never seen before. So from a compliance perspective, we're going to be able to operate as businesses in a much better way.
And then, I honestly think third party risk management needs just an explosion. And I get it, there's regulations in place. I had to adhere to these regulations for 400 years. I get it. But there's no such thing as third party anymore. Look at a certain healthcare insurance organization recently. It impacted healthcare in every state, even with organizations that it wasn't a partner with. They happen to provide payment structure capability and delivery of funds or collection of funds from insurance indices, but they were a linchpin fifth or sixth party organization in their digital ecosystem that they didn't even know about. We need to understand that. How does my business operate? Who are their partners? And so I think that gets blown up, in just using AI in a very prescriptive way.
And I think the fourth area is AI defense. We're all getting worked up over AI, most of us can understand the kill chain. And by the way, it's still data defense on large data sets that we have to be responsible for. It's still pipeline defense before what we're looking at. It's still 60 percent of that problem. 80 percent of that problem are things within our care custody and control right now. It's that last bit, that automation of like bias defense and things that aren't necessary security problems, they're quality data issues, but there's a crossover there. And I think the things that come out around, how do we defend AI at speed, will help us in many, many other areas.
Evan: Roland, one thing you said, which was a great light bulb moment for me. You were talking about, it was kind of like co pilot code generation, right? That’s interesting by itself. But that also enables like a new integration point to apply security, right? Instead of waiting for the code to be complete and then you analyze it. You can put those instructions in your co pilot saying, Hey, please watch out for this, this, and this.
So the reason I found that really just interesting and insightful is not for that specific use case by itself, but it's example about how the deployment AI is actually going to change like the paradigm of how we should even think about security. So I'd love to hear your thoughts on like, where do you think people over underestimate, like the paradigm changes that are going to be created or enabled by AI.
Roland: Let's stick with that auto defense capability for a second. I don't think people get it. So AI is going to be this massive pile of stuff that now shows up and code's going to be generated the time someone thinks about it and blah, blah, blah. But it doesn't have to go in a queue for us to check. We don't have to wait till something gets checked in. Like we can instrument the AI with our AI capabilities that says, okay, automatically remove any OS pipe turning, and tell them what you did. Like just do it right at the end of the day. It's going to provide clarity and downstream view.
I mean, think about the modeling capabilities on a per second basis it can provide when it evaluates code. I'm so excited about that area because it's been such a big pain point over my career. Like, how do you get at all the code? But you can do that in every other area.
We were talking about CSPM. You know, automatically understanding jurisdictional considerations of where a microservice is operating in and then applying a very specific thing for that environment and validating it, from a risk and vulnerability management perspective and providing an automatic certificate of operation for that country. I don't need 60 people operating in Europe to be able to run those manual checks and provide me like a CO? That's craziness. But that's what's going to happen. And so what we have to do is we have to encourage these young founders and startups, that are in these environments say here, here's how that will help me. And here's what that will look like.
I think that is some of the most exciting things that we can focus on is the automation. And honestly, that other area is, how do we take a net new problem, model that out at speed to all the bad things that could potentially happen. Think about a new piece of ransomware attaching to different types of ransomware and then modeling my environment, that's all code, based off what that is doing and show me exactly where I have vulnerability exactly what I have to do to fix it and in seconds, right?
Like people sometimes get over consumed on I don't want my users doing stuff that's going to get my intellectual property and data out there. Yup. DSPM will cover for that in a couple of years. They'll be automatically integrated into the data warehouses, housing the data infrastructures that are controlling your AI environments. LL shims are already available for private, semi private e-captured organizations, so you don't have to worry about it going out.
People are already solving for that simple stuff. It's the capability it's going to give you at speed and just having the imagination to do it.
Evan: And like, again, I think this is like the example you gave is just, it's like emblematic of like a paradigm shift. Right. What you said is like the old world is like, there'd be a bunch of alerts and some poor soul would have to go deque as alerts and go like query through all these like log files. And that's like much different than what I think the potential is, the promise of AI will be.
So like, you know, how do you think leaders should be reconsidering how they organize their teams, how they train their teams, like what things like were acceptable to do three years ago, but are unacceptable, right?
Like, cause again, I feel like we're in this like unsustainable place where you can't just go like hire more people to look at more dashboards, more alerts.
Roland: Nope. I'm all in on this question, right? Because organizational constraints is not a thing. It's the leader's inability to organize appropriately that is typically the problem.
So what do you do? Do what you did with cloud. Go create an entire new part of your job family focused on AI defense, AI automation for security defense. I don't care what you want to call it, but you're going to go find people. You're going to change your partners at the university level for inbound pipeline for resources. And you're going to start migrating people's jobs and give them a two years heads up and say, your job's going away in two years. I want to train you for a new job. It's up to you if you want it or not, but here's what it's going to be. So show your organization that you have a plan to make them successful, the organization successful, and give them capabilities to be able to defend it against new technology. I think that's step one, change your org.
The second thing is, get real about what this is going to take from a people perspective. You are going to need data scientists in some way. You are going to need AI specialists in some ways. But you need to make those people, security practitioners first. That doesn't mean they become it first. It means that they transition for whatever they are to security understanding defense capability. So secondarily to changing your organization is having a pipeline program for resources coming in and being able to really develop practitioners, security risk and privacy practitioners, for kind of like the next generation.
And lastly, make it an industry thing. If you found something that works, go out and share it with your peers. Go out there and listen to what other really smart men and women in this space are doing to ensure they're successful. And, I wouldn't say steal it, but steal the hell out of it. You know, understand what they're doing that's making them able to get at these ideas, build these programs and attain really great resources and use that for yourself.
Evan: Roland, I have about 30 follow up questions, but I know we're coming, we're a little bit short on time. So we're going to switch over to our lightning round. So looking for kind of like the one tweet responses. Steve, you want to kick off our five question lightning round?
Steve: Biggest mistake you made on your first board presentation.
Roland: Wasn't prepared enough.
Evan: Roland, I've always been impressed by how up to date you are on technology trends. What's your advice about how CISOs can stay up to date with the right information, without getting bogged down in every white paper, especially when it comes to things like AI.
Roland: Schedule, put it into your schedule. You can't learn if you don't schedule time for it.
Steve: If you were hiring a leader to report to you right now, what's one of the best attributes you're looking for, in a leader reporting to you?
Roland: Mission focus. They got to get the mission. They got to want to be in the mission. They want it. They have to want to do this for a living. And once they have that, I can work on everything else.
Evan: Maybe on, on the more personal side, what's a book you've read that's had a big impact on how you think about leadership or how you think about security or technology?
Roland: One of my former executives had suggested this to me. The Mission, The Men, and Me, and it's a former Delta operator. And, you know, tier one special operations in U.S. military and talking about leadership in the context of special operations and high performance teams and people, and it is a great reminder for those of us who guide, lead, and build other leaders, that it's an important responsibility in what to do. And that has been the best book, I'd say, in the last year that I've read.
Steve: Give some advice to, to someone who's getting into the job, first time CISO, on how to create the balance of it is a mission, we live and breathe it every day, but you do have a life. You do have a personal life. You do need that balance. How do you create that balance, cope, and increase, create some stability in your life so you don't get so wrapped up in it. Probably like we did where we worked too much, too many hours. And in some ways we thought we were saving the world a little too often, and didn't really keep perspective on the balance.
Roland: Focus on family first. And I know we say that too much. The jobs will bring you in and let you go as, as often as they need to. Your family is there for you forever. And, and remember that's the one place you can land. And I would also say you get paid through time off. Use it. No one's going to complain if you don't.
But you're not going to be able to recoup, get brain space, find your soul again, whatever it may be that you need to do unless you use that time. So use your time off.
Evan: Roland, those are wonderful words of wisdom to end with. Um, just want to say thank you so much for joining us and looking forward to chatting again soon.
Roland: All right. Thanks guys. Appreciate it.
Evan: That was Roland Cloutier, Former Global Chief Security Officer at TikTok.
Steve: Thanks for listening to the Enterprise Software Defenders Podcast. I’m Steve Ward, the former CISO of The Home Depot and TIAA.
Evan: And I’m Evan Reiser, the CEO and founder of Abnormal Security.
Please be sure to subscribe so you never miss an episode. You can find more great lessons from technology leaders and other enterprise software experts at enterprisesoftware.blog.
This show is produced by Josh Meer. See you next time.