Ep 21: From Butter to Bots: How Land O’Lakes is Innovating Cybersecurity Through AI with CISO Tony Taylor

‍Evan: Hi there and welcome to Enterprise AI Defenders, a show that highlights how enterprise security executives are using innovative technologies to stop the most sophisticated cyber attacks. In each episode, fortune 500 CISOs share how AI has changed the threat landscape, real-world examples of modern attacks, and the role AI can play in the future of cybersecurity. I'm Evan Reiser, the founder and CEO of Abnormal Security

‍Mike: And I’m Mike Britton, the CISO of Abnormal Security. Today on the show, we're bringing you a conversation with Tony Taylor,  Chief Information Security Officer at Land O’Lakes. Land O'Lakes is an American member-owned agricultural cooperative. The co-op has 9,000 employees who process and distribute products for about 300,000 agricultural producers. Land O Lakes handles 12 billion pounds of milk annually and is one of the largest producers of butter and cheese in the United States.

In this conversation, Tony shares his thoughts on how AI is rapidly evolving the cyber threat landscape, the paradox of AI empowering defenders while enabling attackers, and strategies for cyberdefense in an AI driven world.

‍Evan: Well, Tony, uh, first of all, thank you so much for joining us today. Maybe to give our audience a bit of background, you might share us a little bit about kind of your career and kind of how you ended up to where you are today. 

Tony: I've been in infrastructure engineering and operations the bulk of my career. So I always say that I've been doing security my entire life because, you know, that's where security started, right? When we were simply managing firewalls for a living, then it got a lot more complex. So 30 plus years in infrastructure engineering operations role in the last seven, fully dedicated as the chief information security officer in Land O'Lakes, where I'm responsible for cybersecurity and privacy here.

Evan: Awesome. And when you wake up on the average Monday morning, what kind of brings you motivation or inspiration? It's a hard job, right? Working at cybersecurity in 2024 and everything changes so quickly. What kind of inspires you for that, that mission and kind of hard work?

Tony: I'm a pretty competitive person. I play sports that I can bet on because I like to compete. I view cybersecurity as a competition. Yeah, I got to get it right 100 percent of the time. They only got to get it right once. All of those, you know, words and phrases we hear all the time, but I enjoy the competition. I might lose a couple, you know, fights along the way, but I'm going to win the battle. 

Evan: I think probably most of our audience are, is familiar with Land O'Lakes. Um, if you've been to a supermarket, you've probably seen the brand, but can you share a little bit more about the organization then, um, you know, what might the, you know, what might the average listener not, not totally fully appreciate about the, you know, scope and scale of what you guys do?

Tony: You're right. Probably most people think of us as the butter company. That's what we're most known for. But, we touch 50 percent of the harvested acres in the U. S. So we have a big ag part of our industry. We process about 12. 5 billion pounds of milk on an annual basis and we feed 100 million animals every day.

On top of that, we have a large sustainable part of our business, so we're here to represent farmers and give them access to a market and a competitive market, but we bring a lot of technology to the field and also around the sustainability side. Farmers are the most sustainable people in the world. They care about the land probably more than any of us do. 

Mike: Yeah, I can definitely appreciate that.

You know one of the things too and it's amazing how much technology is used in in all sorts of businesses I'm sure Land O'Lakes, just a tremendous amount of technology is used. But we, we've seen so much innovation in the technology space. A lot of organizations are moving to the cloud or SaaS or AI, is really just fundamentally changed the way things we, we approach security.

How do you see the threat landscape expanded and changed in today's technology world? 

Tony: You're right. I think us, like many industries, are adopting cloud, whether that's SaaS solutions to run our business, to bring new innovative capabilities to the business. Or we're adopting things in Azure And AWS, we're reducing the footprint of our internal data centers per se. 

On the adoption of AWS and Azure, the thing that scares me the most that I probably do wake up every night and go, Well, I wonder if we got that right, is before we could make a simple mistake inside of our network. We could make a misconfiguration, but it wasn't on the Internet. And now everything's on the Internet. You make a simple configuration change and open something up. What, they say they're scanning that environment every 11 seconds within seconds. You're going to be known that you've got an opening and you're going to have data exposed. That's probably the biggest concern I have. 

The second one is, I have a security team, but we don't manage all the infrastructure, right? I've got to work across peers of technology folks doing this, and that's a massive educational change. That guy or gal that used to administer in the house computer systems, now managing in the cloud, went through a ton of change to get capable at their new role, and the cloud rolls out new capabilities every day. And you don't know what's on and what's off. That's, that's the biggest thing for me. 

I think the other one is SaaS. We do a ton of SaaS around here. For me, that's just making sure that we're doing single sign on, we have strong MFA in place. I think back to the snowflake incident that happened just recently. These capabilities exist, or you better buy the capability in the SaaS that exists, because if it doesn't exist, you shouldn't be signing up for it. But then you have to enable it. You have to do the simple things right in security that protects you every day.

Evan: So we're sitting here in September, 2024. It's hard to have any sort of conversation more than 10 minutes doesn't involve AI. So I'm going to summon some of that spectrum of the conversation. Right. You mentioned kind of like, you know, uh, phishing emails. I have to imagine if you're a phisher in 2024, chat GPT is like the best thing that's ever happened to you. Right. 

You know, attackers have always been quick to adopt new technologies, whether it's AI or the cloud or, you know, python scripts, whatever it is. Uh, what are your thoughts on like how this kind of rise of AI is going to affect the threat landscape and where do you see kind of criminals using some of these new tools and technologies to do more bad things?

Tony: Well, you know, I, I think the first bar that's already been crossed, cause I'm seeing it all the time is in the, in the social engineering emails I get, there are no longer bad uses or grammar errors in the emails, right? There's no spelling issues. There's, there's no folks that don't have English as their primary language, just making it obvious that it's coming from somewhere other than somebody in the United States. That's already gone by us, right? I mean, I don't think I've seen a bad form phishing email recently. 

I think the other thing it does is we are just seeing exponentially year over year, two times, three times, four times growth in the number of attacks and even the emails that are coming in and that's what scares me is just you don't even have to be a professional in this business anymore to launch an attack with AI and ransomware as a service and all the components you can just buy. Anybody sitting at their home can go do it. They're not necessarily the ones I'm concerned about, but you can do it. 

Evan: Are you kind of implying that, um, there's people that maybe five years ago wanted to be cyber criminals, but they were disabled from doing that because it wasn't accessible enough. And now these new technologies enable, like, is that, is that a dimension of, of kind of attack scale is that there's more people that can be criminals today because the technology makes it more accessible and more easy.

Tony: Yeah. I mean, and I still think they're criminal networks and they're, They're small businesses, but they don't need to go higher in the expertise, per se, anymore. And they don't need that cyber hacker on their team. They need to be organized. They need to be funded. Uh, they need to be able to execute, but they can buy everything they want.

Mike: So we've talked about a lot of the threats and the consumerization of, of the attackers and the scale and all those things. Let's talk about the other side and the defender side. What role do you think AI is gonna play in helping us protect our environments and stop these attackers and, keep on pace with their own use of AI? Kind of the good AI versus the bad AI?

Tony: Well, I'm personally really excited about the, the good side of AI. I, I think it's potentially early in the hype cycle yet. But I think of my, my SOC. So we have 22 people in security. I have a SOC that's, uh, also supported by MSSP. So we typically bring in our younger people into the sock, uh, recent cyber graduates from, you know, different universities that we recruit at. They have the academic background, but they don't have the real world background. And we partner those folks up with engineers and we teach them and we mature them and they eventually go through our engineering groups. It's a great success story in terms of. How we bring people in and through the organization.

But if I think about what AI could do, and, and, uh, companies like yourselves and others that could leverage AI, and how much you could assist, not only a senior engineer, but especially a new person about, here's the event I just saw, uh, what are the three steps I'm supposed to do again? Now if I don't already have a playbook for it, it should even add to and enhance my own playbook.

And then you add automation to that, because we can't hire enough seasoned people and security to do the work. We need to be able to bring in less mature or less experienced people and let them build that experience because the workforce isn't there. I can't go hire senior engineers all over the place because they're not available.

I can get recent graduates, I can get those folks in. They need a lot of training and help. And I think AI automation can really, really advance their skills and our capability. 

And when I think about large companies, yourself, Microsoft, Microsoft. Anybody who sees all the threats they see, you should be able to build that into an AI engine. These events equal this type of action. 

Evan: And so, what do you think it looks like, you know, three years from now, five years from now, like what role does AI play in the, in the SOC?

Tony: You know, part of that answer for me, Evan, is, you know, how much trust do I have in the AI engine? And I think we've learned not to trust anything until you prove that it works. So I think at the beginning, it takes the rudimentary stuff and the low hanging fruit that you think is pretty standard, you can trust the engine and do it, and all the way through remediation, I don't even have to see it. And let those people then work on higher threat hunting, more value added activity versus getting rid of all the noise.

But again, as that AI engine matures and gets better at it, plus you allow me to interact with it, I just don't have to fully trust it. Maybe it does 80 percent of the work and says, here's what I found, here's what I found, and here's what I'd recommend we do, and we look at it and go. Yeah, go ahead and do that. Or no, in our environment, that's not right. 

So while I have an AI engine, probably from a vendor, let me tweak that engine myself and modify it for my environment. That, I think, is where we need to get to. 

Mike: Are there maybe some use cases where you've seen, maybe areas where you didn't think maybe AI would be useful, and you're seeing some good use cases where AI proved to be really helpful in solving those cybersecurity problems?

Tony: Well, uh, I'm going to use your company. I mean, I, I justified the investment in Abnormal based on all the work we did, working with our finance people, taking them through training and education. And this is how you process an ACH wire transfer, and it's, it's not a technology issue. This is a process issue, but every year, regardless of all the training we did and education, we tried to do, uh, undoubtedly that we'd see money going out the door. And we said, okay, this is one of those areas where you should try to educate your users, but at some point, you're going to fail. Somebody's going to click on something. In this case, they're going to process a wire transfer because they didn't call the person and talk to a known person, right? Simple stuff. We just said, alright, because of that, we're going to invest this money and it's going to create a return. In some cases you just go don't even let it hit their inbox 

That's that's the best example. I have honestly so far that I can you know materialize and like get my hands around and go, That was a really good investment It's saving us x amount of dollars a year because for the last five years we saw that money go out the door every year. 

Evan: Maybe kind of like conversely, like, what are some of the areas where you're a little more bearish on AI, right? Maybe you've heard some of your peers talking about how AI's going to do these magical things. You're kind of looking at it with squinty eyes saying, I don't know. I just don't think that's, that's going to happen. Like what are some areas that you think we should maybe be a little more hesitant or cautious or more bearish on? 

Tony: I think for me, and I do think we're in this hypothetical that you can't talk to a vendor today where they don't talk about their AI. Right. Everybody's got an AI engine. 

Evan: Everyone's a leader in AI. 

Tony: Yeah. Everybody is a leader in AI. For me as a, you know, consumer of that technology, I goes, well, show me how that AI works. I mean, you know, I'm a doubting Thomas when it comes to this stuff. It's like, show me what it really does and prove it to me. Don't make me prove it to myself. And also let me have an avenue to go yes or no. I want that turned on. 

Then I'll speak from my privacy side. It's like I get really concerned about AI and Gen AI engines If you're going to take my data, you're going to take it into a public domain. Now we got a different problem because that's my data and I don't want to in the public domain. That's got to stay in my domain 

Mike: Yeah, and I think following on the privacy side, you know, one of the the struggles is i'm sure your business wants to always be innovating, always be using the latest and greatest technology. And so what are some of the ways that you've been successful in keeping pace with your business? I always find that a lot of times security always feels like they're lagging behind the decisions the business wants to make. What are some of the ways that you've been successful at Land O'Lakes of staying on par with your business and helping protect them as they want to innovate from a technology perspective?

Tony: Yeah, we try not to be draconian, let me start that way. We try not to create friction and we, we really do come to the table as partners. I think one of the advantages I have, I've been here a long time. I'm, I'm at Land O'Lakes 20 plus years. Everybody knows me, uh, they, they know my role and they're more than willing to open the door and let me in.

I, I always say over the last four or five years, I know I've made an impact in the organization when more people come to me, versus I'm trying to hunt people down and go, what are you doing with that data? Where did you collect that from? Did you get consent for that? You know, so it, it's just getting to know the people and being in front of them.

You can't work in cyber security or privacy and work in the back corners of I. T. You gotta be in front at the leadership team level, and you have to win their confidence that I'm here to help. I'm here to protect revenue. I'm not going to make any. Yes, I cost you money. But I'm here to protect what you bring in the doors. I want to make sure we don't get in trouble with any of the privacy legislation that's going on. And I don't expect you to know it all. So just include me and we'll do it right out the door. Otherwise I get the checklist at the end and I do become the guy who says, Oh, no, you can't launch. 

Mike: You mentioned, you know, college kids and equipping your staff. Uh, I'm a big believer that AI is going to change the workforce. And I don't necessarily think that that means jobs are going to just be displaced. But from your view and what you're seeing at Land O'Lakes and just, you know, your own personal perspective on it, where do you think AI is going to have an impact on the cybersecurity workforce?

Tony: I think it will reduce workload, uh, and I think it's It's going to reduce the workload that nobody wants to do anyway, provisioning people, de provisioning people, nobody wants to have people do active directory groups and all that stuff. So, it's going to allow people to work at a higher level and not do this mundane stuff that a robot can do and that's what we're doing. We're using AI and automation to do these things. So anybody who's eager about cybersecurity should feel really good about AI, because one, it's going to do all the work that they don't want to do anyway, and it's going to allow them to work on higher end stuff, and it's going to help them educate and teach them.

This, this environment that we work in in IT, probably true with all business, I hate it when IT people think we're the only ones who have to continually learn things. Everybody does. But you really do in cybersecurity. I mean, the change, the rate of change and the things that are happening, you have to be a continual learner and the AI engine is going to help you be a continual learner.

Evan: Tony do you think there's going to be, like new. Like, I think, I think without a doubt, it's going to change the workforce. Right. And I think what you said, I totally agree with like, there's a lot of mundane work. I think in a lot of, you know, security analyst jobs that no one wants to do, right? Like no one wants to hunt through a thousand log files for like seven different versions of some IOC, right? And those things are obviously computers are better at than humans, right? So I don't think anyone's going to miss that work. 

There's going to be new work, right? That's going to be more, more valuable, more leveraged, more strategic, probably close to the reason why people wanted to get into cybersecurity in the first place.

But do you think there's like, Like new work, right. Um, or new roles, right. Is there going to be a, I don't know, a threat, uh, I don't know, I'm making this up, but like a security, so I should probably, I thought it was going to be like a, I don't know, Land O'Lakes, like threat, threat, knowledge, GPT manager. Like, you know, like, is there different work that needs to get done, right? That like in that future, the AI powered SOC that like, we're not, we're not thinking about today. 

Tony: I think there is, you know, I've been saying for a couple of years, although I haven't gotten off my SIM, SIMs need to go away. I mean, just as you think about legacy, lethargic SIMs and what they do and how they operate, what you need is data analytics on top of a pool with AI and generative AI capabilities that then you need a skilled person who can manipulate that environment, search for things, do things in that environment, whether it's through the language that you use to operate it, or even how you create the data models. Or make sure it's clean data, right? 

I mean, the worst thing you can do with a Gen AI engine is give it bad data and have a not trusted dataset. So yeah, I think the roles in security will change over time. I think we're starting to see that already. Uh, it's going to require a higher level of a person to operate that environment. But again, if you get rid of the lower end, you give the people the time to do that. And I think they get better satisfaction out of their job when they're doing that. I don't want to come in all day and just like move groups and move people around. It's like, that's boring. Who wants to do that?

Evan: Well, Tony, really appreciate your insights. Um, we have limited time so I'm gonna switch to kind of the final segment of our show, which is our lightning round. So we're kind of looking for, you know, shorter answers. Also, these questions are pretty difficult to answer with like the one tweet version. Although, that's what we're going for. So please forgive me and Mike. Um, so, Mike, you want to kick it off for us?

Mike: Sure. So do you have any advice to a security leader who's stepping into their very first CISO job about what they might overestimate or underestimate about the role? 

Tony: Don't underestimate the amount of time you need to spend with the business. Not the back end security people, but the front end business people. You need to build relationships up front. 

Evan: What about things they might overestimate? 

Tony: The fact that you don't have to have a business relationship. I mean, as CISO, we all come up, I think most of us come up from a technical background, and I just know a lot of folks have a hard time getting their hands off the keyboard.

And I always go, if you're a CISO or a senior leader in an organization, you got your hands on the keyboard, you're doing the wrong things because you need to be developing the people below you and building business relationships. 

Evan: What do you say is the best way for CISOs to stay up to date on new security challenges, especially when it comes to the evolving like AI landscape and the impact AI is going to have on the world?

Tony: You know, I read a ton. I probably check 10 websites and listen to three podcasts every day on the way into work, and when I get to work. I think my partnerships with some key partners is important. You need to be consumer of information and willing to talk to people. I mean, 80 percent of my day is outward facing. It's not backward facing towards my team. 

Evan: Any kind of, you know, podcast or other types of media that's really kind of informed how you think about something related to work.

Tony: You know, I listen to a couple quite frequently. I listen to the SANS Stormcast every day just to see what happened yesterday. And for me, that's insightful in the fact that, which we already know as security people, but if you're not a security person, you don't get the context of what happens overnight in the last 24 hours every day. That you have to go look at, verify, address. 

And then I listen to CyberWire daily quite a bit. Uh, again, the insights are like, this is a tough environment that we're in. But, but I still go, you go back to the basics. And if you do those basics really well, I keep like a top ten list. It's like, if somebody doesn't have MFA and modern MFA turned on, by this time in, in your career and work, Like shame on you. Don't complain if your shit gets stolen. I mean, just basically you got to have a backup and you have to have a remutable backup and it's got to be 10 feet away from the last backup and a completely different access, but it's like quit doing stupid stuff.

Evan: What do you think will be true about AI's future impact on cybersecurity that most people consider science fiction? So looking for your like kind of contrarian view, like what do you think, what do you think is going to happen that other people like maybe really underestimate? 

Tony: Well, I think one thing it won't do is it won't replace people. I think the roles are going to change and AI will have its space and people will have its space, but it won't get rid of the workforce. I mean, even, even in business, it'll get rid of some activity, but, uh, it will provide opportunities for other things to get done in the same workforce. I don't think it's going to be the great displacer of people that some people fear that it's going to be.

Evan: Okay, maybe last question here. What advice would you give the next generation of cybersecurity leaders? 

Tony: Enjoy what you do. Don't let the stress get to you. The game you're in, you're always going to be outnumbered, you're going to be outspent, and you're going to have to win 100 percent of the time and they have to win once. Just get used to that concept and get competitive. 

Enjoy what you do. It's like, like anything you do. It's like, I didn't enjoy the work I did, whether I was doing this or digging ditches, it wouldn't matter. If I, if I like digging ditches, I'm going to have a good time if you don't enjoy what you do, don't do it. 

Evan: I think that takes us full circle and probably a great, great place to end the show today. Tony, thank you so much for making time and, uh, really enjoyed speaking with you, looking forward to chatting again soon.

Tony: All right. Thank you.

Mike: That was Tony Taylor, Chief Information Security Officer at Land O’Lakes. I'm Mike Britton, the CISO of Abnormal Security. 

‍Evan: And I'm Evan Reiser, the founder and CEO of Abnormal Security. Thanks for listening to Enterprise AI Defenders. Please be sure to subscribe, so you never miss an episode. Learn more about how AI is transforming the enterprise from top executives at enterprisesoftware.blog

This show is produced by Josh Meer. See you next time.