Ep 5: The Disruptive Advantage of AI with Vistra Corp. CISO & VP of Cybersecurity Paul Reyes

Evan Reiser: Hi there, and welcome to Enterprise Software Defenders, a show that highlights how enterprise security leaders are using innovative technologies to stop the most sophisticated cyber attacks. In each episode, Fortune 500 CISOs share how the threat landscape has changed due to the cloud, real world examples of modern attacks, and the role AI can play in the future of cybersecurity.

I'm Evan Reiser, the CEO and founder of Abnormal Security. 

Mike Britton: And I'm Mike Britton, the CISO of Abnormal Security. 

Evan: Today on the show, we're bringing you a conversation with Paul Reyes. Chief Information Security Officer at Vistra Energy. Vistra Energy is a Fortune 500 company with over 5,000 employees and more than $13 billion in annual revenue.

Vistra is one of the largest power generators in the United States. In this conversation, Paul shares his perspective on tangible ways organizations can leverage AI, the disruptive advantage of adopting AI and the evolving cyber threat landscape cooled by automated attacks.

Evan: Paul, to kick us off, can you give our audience a little bit of background about you and your role at Vista? 

Paul Reyes: My name is Paul Reyes. I'm the Chief Information Security Officer for Vista Corp. I've been with our company for a little over 13 years. Half of it was within infrastructure and operations, running the data centers and, and the like.

And then eventually I absorbed into the cybersecurity space and in 2018, I have been taking over the CISO role with cyber risk and compliance since then. 

Mike: So Paul, with your security program at Vistra, what are some unique things that people may not realize about your program? 

Paul: Well, some of the things that they probably wouldn't realize in our program is that we're broken up into various business groups, and each business group has a different need than the others.

You know, we have a generation arm, clearly with Vista, and so safety is a huge area to focus on and how do we protect or. Retail is much different, right? It's more time to market. How do we make sure that we're. That's probably not necessarily apparent for folks that only have one business focus on there. And so you have to really look at the solutions that are right for your business unit and, and then embrace where your, your areas of specialty would be and, and, you know, how do you focus a lot? Our, our first approach that we normally would take is, how do I reduce the risk itself rather than try to mitigate it?

And so that was a big area for us to go focus on in each one of our different business units. 

Evan: One of the unique things about Vistra that I've been impressed with is kind of the, the speed of innovation for a company and industry that's notorious for kind of moving, you know, slower and a little more intentionally due to all the kind of, you know, safety issues right around, you know, which is very appropriate.

But Vistra has this like very interesting balance of like being very thoughtful and controlled and intentional, you know, in the right areas, but also being able to like, innovate quickly in other areas. Like how do you, how do you kinda strike that balance? 

Paul: Well, one, it's it's team, right? Uh, my team is definitely.

Always loved the, the challenge of, of what's happening in the industry. Uh, the, the, I have direct reports and then team members below them that are keeping a good pulse on what's happening in the industry. And we partner with some good, you know, people that kind of keeps us up to date on what's changing.

And so they're constantly looking at what is the next thing that we need to do and then how do we do that safely? That's always a, a key component for us and in areas where we can, you know, go fast and help our customer. Drive that. So you know, one of.

Was zero trust. We, we took on that when a company just came out with some of that capabilities and we said, look, this is an area for us to be able to reduce our risk completely in our threat landscape. And we said that's more better for us than trying to mitigate it all. And so we went head, head down on trying to innovate and figure out how do we do that successfully, right?

And so I think that those were areas where our team gets really stoked and. Doing things that are innovative, but at the same time driving great business value. 

Evan: Obviously the last five years there's been this huge adoption enterprise software around, you know, SaaS platforms, the cloud. How has that kind of changed, like the threat landscape for Vistra?

Paul: I think, you know, for us, we, we looked at our boundaries being much different. You know, before, you know, the boundaries were within the, the plan infrastructure or a data center was our boundaries and everything funneled through those. As that, you know, time occurred. We got, you know, data in the cloud, we got SaaS models as you described.

We, we definitely have all of that. But we then looked at our boundaries are really around our counts. Each individual account is now our becoming our boundary, right? How do we then now secure every individual separately to ensure that there are isolated from, uh, threats and every device they use. And so that's where we took a zero trust model to start looking at how do we protect.

Our users, uh, our, our employees, our partners, uh, anytime they're accessing our systems, no matter where they're at, no matter what they're accessing, whatever our critical asset is, whether it's in the cloud or on premise, how do we protect that along all those and not have to worry about boundaries of going to a hard firewall on a data center, or every device that they use has to be able to be visible to us, uh, for us protecting them.

Evan: So kinda like the, the perimeters moving away from like the firewall down to like the individual person and like the, the data, is that what you're saying? 

Paul: Yeah. Each individual, no matter where they're at, we think they're the boundary. So as you know, they're in The Bahamas, then that person's boundary is isolated for them.

Then every traffic that they do, no matter what device they're on, is need to be protected and, and, and, um, isolated. 

Evan: So it seems like a lot has changed in the last five years, right? The rise of enterprise software. I mean everything is collab. We're deploying new SaaS apps every day. If you kind of think Paul, like five years from now, there's like a new set of things you have to go worry about. Right. What are some of the areas that you think now, like are kind of disproportionately important investments to be making over the next, you know, one or two years?

Paul: I, I think, you know, clearly, you know, what's on our fingertips right now is the rise of ai. Ai, uh, I, I think there's been AI machine learning for quite some time, but the fact that. Generative type of AI where it's also thinking, you know, start to think faster than we can. That I think is gonna be the huge impact where you start seeing threats, vulnerabilities, uh, and impacts to businesses a lot faster and a lot more thoughtful than we've ever seen before.

And, and I think the solutions for that also has to be in the same. So we balance leveraging AI to, you know, against.

Challenge for people to get their arms wrapped around and how do we do that safely? The other area is probably around this quantum computing capability where what we thought was secure before is no longer secure at all because of the ability for it to be broken a lot quicker. Uh, I don't know what and how that's gonna impact businesses, but that does sound like a, a big focus area that is going to be a challenge for us to overcome.

Mike: So speaking of that AI threat, do you have maybe a recent example of a cyber attack that you've heard of or, or seen that leveraged AI that maybe was particularly innovative or unexpected? 

Paul: Well, we saw in one of our threat feeds and, and I don't know, you know, the companies or anything, but you see some very interesting items where you got, uh, ai, you know, throwing out a botnet and then doing investigation on reconnaissance of their threat actors that showed.

Some impacts on that, that, uh, botnet attack and then from that then generated reconnaissance that enabled them to be very pinpoint on what and how they would attack. Uh, just a thought process of that. Being able to, uh, be all developed within, you know, hours or minutes, uh, all by an AI is just like crazy.

And so, How is that gonna evolve? Uh, you know, we, we've talked, you know, internally around some of the targeted emails that are, are looking at, at how our, our, our internal customers are using their email systems and finding out how do they do reconnaissance around that so that they can be mimicking, uh, that right into the customer.

So, so they are trusting now those emails and now just clicking because they wouldn't know any better. That just seems like the next wave of change on how AI can start to predict how our internal customers are going to react.

Evan: How do you see AI changing the threat landscape? I think we're all excited about AI because it increases the productivity and it'll improve our business not to be more, not to be more, more profitable, but to be easier for us to focus on more interesting tasks and also provide a better customer experience. But those same tools right, can also be used for, you know, bad purposes, right?

For, you know, for, for creating crime. So, yeah. How do you, how do you think criminals will kind of use these technologies and, um, you know, what are the implications of how, of what that means for security organizations? 

Paul: Yeah, that's a good question. I, I, I think back to your, your statement around reconnaissance and being able to put a pattern together and, and formulate a, an attack based on bits of information throughout a time period.

Is something that a normal, you know, human, we wouldn't be able to see that pattern and where the, the best vulnerabilities would be for a company. But, um, you know, having AI to be able to assess that in detail, we get, you know, a lot of companies are out there trying to solve that same view of looking externally into a company and derive what those holes are, both for attacker probably, and as well as to sell services back to a company, to, to kind of solve those.

But yeah, I do think reconnaissance and, and, you know, parts of the first part of the kill chain is gonna be some of the, you know, things we'll see right off the bat. 

Evan: Yeah. You, you can imagine a lot of the AI powered sales and marketing tools will just be, you know, copy pasted for, uh, criminal reconnaissance.

Paul: You know, internally think thinking about, uh, um, how my team, you know, has asked how, how are we gonna be affected internally, you know, how, how are we, um, going to leverage AI? And, and, and, and I always, you know, laugh at, because, you know, we've been using AI in various forms, um, for a bit. You just gotta start now.

Start evolving with that next phase is, but one comment that someone had made to me was, hey, you know, I saw it on, either a webinar or a discussion that the next wave of cyber, uh, folks, or even just in general, probably. The same is, is a re resources aren't going to be replaced by robots or ai. They're gonna be replaced by other people that know how to use AI well. Right. And so they not necessarily, you know, be, you know, impacted or just. Disrupted by just specifically AI itself, but folks that know how to leverage it, uh, appropriately and and useful to their capabilities internally.

And I think that's really valuable for a cyber person and thinking that you be the knowledge. Person around it and you don't know how to leverage AI to help you escalate your skill sets so that you could be that senior person doing, you know, really good work in your company, then you've missed it, right?

Because those are capabilities that you can have today by leveraging this new information. 

Mike: And Paul, as we're talking about. AI and, and where it's going. What are some tangible results you've seen from AI technologies that most people may be surprised to hear or maybe even underestimate the impact of leveraging AI within your, within the organization?

Paul: Yeah. And, and there's several areas in, in, in our organization that we leverage a a i for that drives both, you know, efficiencies within our workforce. Reduces a risk reduce in, in, in areas. Uh, you know, you know, we see it in voice, like in in email protection. You see it in endpoint protection where they'll start to track behaviorals.

Um, that that's not a human doing that. That's some ai looking at the patterns and, and the behaviors of actors on top of your system and being able to do predictive. Controls and protections, and you expand that to, to the next wave of how do you do that for predicting when maintenance is needed on a huge, you know, million dollar piece of equipment, uh, which we do today.

I mean, we have an awesome team that looks at all of our fleet and uses machine learning in our own internal AI that drives how are we, we predict forecast of, of when we need to do maintenance appropriately so that we don't waste money. Those are companies looking at what tomorrow can bring and how do we innovate ourselves with, you know, this new capability.

And, and I think AI just can constantly increase that ability for companies that know how to leverage it appropriately. 

Evan: Very, very cool. Okay, let me, let me kinda do a little follow up to Mike's question. So Mike was kind of asking you like what are some areas where you're seeing the potential of ai? Lemme maybe kinda ask the flip of that question. Like, what are some of the areas you think around AI and cybersecurity that are overhyped?

What do you, where do you see AI not having the impact that maybe some of your peers are overly optimistic about? 

Paul: I think, you know, we, we've started to see, at least I started to see some, some AI trying to describe how to do vulnerability management, um, faster, more efficient, and so forth. I think that's over height because there's so many impacts that can occur if you wanna start to do.

Vulnerability remediation in a, in an efficient way, and you don't understand the impact of those changes to business processes. And so that always has to have a, a check and balance, you know, because there's, you know, legacy systems, there's upgrades that need to be done, there's things that may need investment before you can just, uh, you know, remove or eliminate that vulnerability.

Could it assist and help, uh, identify areas of impact? Absolutely. Um, I think in the remediation there needs to be a little bit more thought around, uh, that, so if that's gonna solve your world, hunger for that area, that's probably not an area that I would probably agree is fully ai. Capable. But on the flip, you know, you, you, you can definitely disrupt, uh, SOC services.

You know, we, we definitely always want somebody that's doing 24 by seven monitoring. You wanna be alerted on this and alerted on that. Uh, and, and some companies you're outsourcing that service to, to, you know, external folks because you don't have enough people or, you know, jobs that they can stay in here to be able to fulfill that.

When you start looking at the various companies that are trying to augment that and leverage AI to do these common checks and balances and services, totally agree that that's a, a good way to, to leverage that and then bring that learning and knowledge base internal to your company so that you can then modify that, uh, output to search on what's specific to your, your business. And so I think those are, are really good areas to, to focus on. 

Mike: Where do you think the future of AI's impact is gonna be on cybersecurity and, and maybe, maybe even some areas that, you know, if you talked about it today, people think it's science fiction, but you know, five to 10 years now it may be a reality.

Paul: I, I think when you look at AI in the future, I do think there's gonna be a time where AI is going to be running the show for certain things that you may not wanna, uh, accomplish internally. You don't want to have the roadblock of somebody internal to, to be the slowdown of that. Uh, I think that that will be an area where we gotta figure out where is that safe?

This is a dangerous time with no regulation, no control around that, that we gotta be careful on what keys to the kingdom will we give and how much leeway do we allow, but, You gotta, you know, be on that edge because it's gonna be available to gain your business good capabilities that allows you to move your company to the next level.

And so how do we do that safely? Uh, I think that that's gonna be some areas where you're gonna do predictive analysis of behavior, of resources, right? And, you know, when you see on the, on the network, like today, I always love to ask my team, say, Hey, what's on our network? So, And nobody can ever go say, this is what's on our network.

They're always like, well, it depends if, and you can never get a straight answer from your, your, your tech guys, right? Just 'cause they're, they're always, it's changing, it's moving. And you got, you know, well, how many users, you know, you would think that that's something as easy as how many users do you have should be, uh, a no-brainer.

Check balance, you know, but we're 187 year old company. We got like 19 domains. We got, you know, users adding and removing, got contractors coming and going to, to make sure that you have that down all the time is difficult for any, any company and, and I think. When you, you start having AI to be able to track and manage and see change in behavior, see change in patterns, that would be definitely an area where we can manage that.

But at the same time, they might have keys to the kingdom. What if they get third party, you know, risk thrown into there and now it's doing something, you know, siphoning off, you know, accounts or things like that. How do you then monitor your AI is gonna be things that we have to also think about. 

Evan: What do you about like counting users, right? Which you think would be the easiest thing. How many people are here? Like I, I personally worked on our, uh, product design for our product, like how to count up how many users we protect. I. In like one Microsoft tenant. Oh my God. It is so complicated. Right? It must be 30, 40 pages because it's like, well what's, what's an employee like a contract that works full-time, halftime.

What if it's like a shared mailbox? It's gets, yeah, it's, it's funny also these seemingly simple things are complex. 

Paul: That's right. Because you, and then when you tell a business owner, they're like, well, we only got 4,500 employees, you know, or we only got 10,000 employees. It's like, not really, you know, you got.

You know, a, a regular account, you got maybe an admin account. Maybe if they're a part, like, you know, maybe you have several domains, and then they might have an account in each of those domains. So now you got one person with 10 different accounts, and then now you gotta marry them together to make sure that they're the same person that you're counting.

And then you got, you know, service accounts, you got local accounts, you got, you know, global accounts and, and so you end up. Like maybe a, you know, let's say a company of size of 10,000 might have 150 different account, 150,000 accounts out there, and they don't even know it, right? So I think that that's, you know, the difficulty is there and, you know, it's, it's really hard to unwind.

But I think, you know, this is where an AI could definitely help track and manage and Delta, show that Delta what, what's going on, and then respond appropriately. 

Evan: Okay, we only got like five minutes left, so we're gonna switch over to our, our lightning round. So Paul, you'll have to help us out here and give us some, like, like the, the one tweet responses, but, we'll, we'll maybe we'll limit it to, to four questions. So, um, uh, Mike, or maybe we'll just do a couple right? Mike, you wanna kick it off first? 

Mike: Sure. So what's the one piece of advice you'd give to a security leader that's stepping into their first CISO job? 

Paul: Ask a lot of questions. Definitely find out what is your business value? You know, meaning that talk to your business and find out what's valuable to them.

The one thing you don't wanna do is start to protect and do your efforts around something that's unimportant to the business. Uh, I, I think that's to understand how your business works and what's important to them. Start with that, and then go back and put a program in is probably what I'd tell somebody right off the bat.

Evan: Paul, we talked a lot about ai. Like what is, um, you mean you obviously have thought through this a lot and you're, you're, you're, you're really well informed. What's your advice to like the average security leader that wants to kinda like get, stay up to date with kinda what's happening in AI and some of the, you know, security consequences of that?

Paul: You definitely gotta read a lot. You definitely gotta, uh, be open to partners giving you insight and in, uh, information. I have a multitude of partners that are just constantly rating me with information around ai. A lot of times you, you know, junior folks will say like, you know, I don't want to hear all, they're only trying to sell me something.

But you got a lot of good partners out there really just trying to. Do the right thing for the industry. And, and that information is always good. And when you look at that and listen and read, you gotta just constantly be, um, keeping yourself updated because it will change tomorrow. And if you're not up to speed with that, that, that, it's a, it'd be a challenge.

And always find people in your teams that are folks that love to learn. They could be all skilled or even not skilled, but if they like to learn and they're constantly, you know, knowledge seeking, they'll grow into, you know, the cyber person you want. 

Mike: So on the more personal side, what's a book that you've read recently that had a big impact on you and why?

Paul: Uh, well, I'll, I'll just tell you the last thing I read again is, is the Bible. Uh, I always find that really interesting because I correlate even that to today's day and age, and it always gives me grounding and, and, and comfort.

Evan: Awesome Paul, it's, it's probably a great place to end for us to end.

Really appreciate you making time to chat with us and, uh, thank you for sharing your wisdom and experience with the world. 

Paul: Thanks. I appreciate it. Uh, Evan, it's been a great relationship over the years, uh, and I thank your team for, for bringing this, this is good content. Thanks.

Evan: That was Paul Reyes, Chief Information Security Officer at Vistra Energy. 

Mike: Thanks for listening to Enterprise Software Defenders. I'm Mike Britton, the CISO of Abnormal Security.

Evan: And I'm Evan Reiser, the CEO and founder of Abnormal Security. Please be sure to subscribe so you never miss an episode. You can always find more great lessons from technology leaders and other enterprise software experts. At enterprise software dot blog. 

Mike: The show is produced by Josh Meer. See you next time.