
Creating an AI Security Culture

Cyber Security Business · 2026-01-28 · 20 min

Substance score

43 / 100

Five dimensions, 20 points each

Insight Density: 8 / 20
Originality: 9 / 20
Guest Caliber: 13 / 20
Specificity & Evidence: 8 / 20
Conversational Craft: 5 / 20

What our scoring noted

Our reviewer’s read on each dimension, with quotes from the episode.

Insight Density

8 / 20

There are a handful of genuinely useful practitioner nuggets—particularly the counterintuitive point about not training employees to spot deepfakes but to reinforce existing controls, and the dependency of AI on prior digital transformation—but they are surrounded by lengthy change management platitudes and a filler rapid-fire segment that contributes nothing.

the goal really there is not to scare people. And it's definitely not to train them on how to spot a deepfake, but really just train them on going back to the controls that we set for us years ago
it's hard to do AI right without first doing digital transformation, especially around data

Originality

9 / 20

The framing of deepfakes as a training tool rather than a threat to detect is mildly counterintuitive, and using AI to manufacture skeptic buy-in through live demos is a practical angle. However the bulk of the episode recycles familiar change management and top-down culture arguments without adding a genuinely fresh framework or contrarian thesis.

I've used those as a way to make the culture stronger. I've done things like send out deep fakes of myself and other colleagues just to show how easy it is to create it
I went to senior management and I said, look, this is a chance to lead

Guest Caliber

13 / 20

Sean Dobson is a genuine dual-role CISO/CTO at a real $29B AUM investment firm who has actually built and run the programs he describes; he is a practitioner, not a circuit-riding thought leader. His credibility is solid but the firm and role are not exceptional scale, and nothing in the transcript reveals unusually hard-won or rare expertise.

I created the working group, collaborated with the department heads, you know, work with them on finding champions around the firm
Since I'm the CTO and the CISO, I sort of go back and forth, which makes it a lot easier

Specificity & Evidence

8 / 20

The episode includes a few concrete data points—roughly 200 employees, $29B AUM, 10 training sessions, 'hundreds of demos'—and names specific use cases like prompt engineering training and an AI collaboration hub. However, there are no hard outcome metrics (phishing click-rate changes, hours saved, dollar figures on efficiency) and the portfolio company examples stay vague.

we only have a couple hundred employees here
We did 10 different training sessions to get everyone on board

Conversational Craft

5 / 20

The host asks leading, complimentary questions throughout ('I know you've done a lot of work,' 'you're doing it right'), never pushes back on any claim, and devotes the final quarter of the episode to irrelevant personal questions about piano and the Adirondacks. There is no productive disagreement or follow-up that extracts deeper or more specific information.

I think you're a great leader. Buffer's probably lucky to have you there
you're doing it right. Where do you think most companies go wrong when trying to embed AI into their security culture

Conversation analysis

Computed from the transcript - who did the talking, and the verbal tics along the way.

Filler words

so: 39, like: 33, you know: 20, I mean: 15, sort of: 14, right: 11, kind of: 7, actually: 5, basically: 2, obviously: 2

Episode notes

Kevin Pouche, COO of K logix, sits down with Sean Dobson, CISO & CTO at Wafra, who joins us to share how he’s reshaping security and business operations through AI. From launching an internal AI working group to using deepfakes for employee training, Sean offers a practical look at change management, experimentation, and leadership in the age of intelligent automation.

Full transcript

20 min

Transcribed and scored by The B2B Podcast Index.

Welcome to Cybersecurity Business. I'm your host, Kevin Pouchet, COO at Klogix. In this episode, we're exploring what it really means to create an AI security culture. It's one thing to adopt tools. It's another to shift the way teams think, experiment, and lead. To help us unpack all this, we're joined by Sean Dobson, CISO and CTO at Wafra. Sean has over 25 years experience in IT. In security leadership, he's helped organizations evolve from the ground up. He currently chairs Wafra's AI Working Group and leads a firm-wide initiative that's helping reshape how the business operates with automation and intelligence at the center. Sean, welcome to the show. Thanks for having me. Did I leave anything out? I know you've accomplished a lot, and this is your chance to toot your own horn here. No, I think that's a good intro. Well, I want to get into it, but I thought maybe I'd take just a quick step back. Just to get your take on this whole topic of AI security culture and sort of why it matters, why it's important, and why more people should be talking about this. Yeah, I mean, it matters because it's where we are. Things have fundamentally changed, as you know. And this is something that I've been really pushing at Wafra. For example, phishing emails, obviously, have gotten... a lot tougher. And you have things like deep fakes and cloning audio and things like that. So I've used those as a way to make the culture stronger. I've done things like send out deep fakes of myself and other colleagues just to show how easy it is to create it. Things like that. So, I mean, the culture is very important these days around AI just because things are changing so rapidly. So you got to get people on board. Right. We did an exercise here a couple of months back where we cloned my voice using AI. And I could barely tell the difference between myself and the clone. And that's me. And yes.
So we've actually onboarded a platform for this where we're basically creating these clones and using them to train our users. So it's been pretty well-received so far. John, I know you've done a lot of work around building a strong top-down security culture where every employee is engaged, which sounds like a tall task. How has the emergence of AI shifted that culture? Yeah, I mean, like I said, it's made it stronger. And that's because I've used it as an opportunity. Like, you know, never let an opportunity go to waste. So what we've... done, like I mentioned, is use it to train, use it to basically interact with our users. So whether that's going out and showing them videos that I've created, whether that is interacting with our accounting teams to show them examples of folks that have been hacked using deepfakes. So it's really, it's an opportunity to step things up. But the goal really there is not to scare people. And it's definitely not to train them on how to spot a deepfake, but really just train them on going back to the controls that we set for us years ago, which is like, hey, if someone is telling you to do something, you call back a known number. Like that control doesn't go away, right? It's the same as it was before. Call back a known number. So yeah, it's given them an opportunity to step things up. As part of this opportunity, I know you've created this AI working group within the organization, right? You established it. Describe sort of what that is. Yeah. I mean, this is something that has been going on now for a few years. It's kind of like when generative AI was just sort of a whisper and ChatGPT was just starting to be talked about. I went to senior management and I said, look, this is a chance to lead. This is a chance for us to be a leader in AI. I want to create a working group to get everyone together.
And so I created the working group, collaborated with the department heads, you know, work with them on finding champions around the firm. I didn't want it to just be the senior leadership. I wanted it to be folks that are really interested in this and tech forward. Yeah, we did like we created a charter mission statement and met every couple of weeks with really the idea being to grow and learn together. We brought in experts. We did 10 different training sessions to get everyone on board. And then, of course, did the hundreds of demos at this point, tracked use cases. And we even created like a sort of marketing report on how Wafra is leveraging AI to stay ahead. That is still going strong, but what we've done now is a more magnified approach, I guess you could say, creating like smaller AI pods where we're sitting down and focusing on end-to-end processes and figuring out where AI can fit in. So it sounds like a lot of the groundwork that you've built around AI security has started to change the way sort of the broader business operator makes decisions, especially if they're coming out now with proactive reports about leveraging AI almost sort of as a competitive advantage. And I also have to assume because you've put yourself at the forefront and you have this expertise that the business is now proactively coming to you and involving you in many business conversations that sort of transcend technology. Is that fair to say? Yeah, again, AI is another, this is kind of like cybersecurity was, I don't know how many years ago, that is 15, 20 years ago, where it kind of became important and then it gave you a seat at the table. AI, kind of the same. That's why I decided to lead. It brings me into different conversations. It brings me at the level of understanding our investment team's detailed processes and sitting next to them and figuring out what they do and really doing what we're supposed to do, which is lining with the business and designing for more.
And there's got to be some parallels between this and I'm sure you went through this heavily, digital transformation. Right. And lessons learned from that because they're both business conversations at the end of the day. To be honest, it's kind of the same thing. I mean, well, really what I'm starting to fully realize is it's hard to do AI right without first doing digital transformation, especially around data. not do that and still get a lot of benefits from AI. But if you want to really get the benefits, you're going to have to have your house in order first. And so that's why I think they kind of go hand in hand. What advice would you give to somebody that's facing skeptics in terms of some of the stakeholders? I mean, is it as simple as, hey, listen, the train's leaving the station, either get on board or get left behind? So this is actually a good question. It's been hard in that area because there are always skeptics. I mean, really, the way that I practice is sitting down. And, you know, we're a small enough organization. We only have a couple hundred employees here. So if we were a giant organization, this would work. But, I mean, I've, you know, looked at who's using that and who's not. And those that weren't, I sat down with. And I said, hey, check this out. Look at this. You know, I know what you do. should do research on the automobile industry, check this out. And I'll do a deep research on, you know, the industry and send it to them or show them. And they're like, wow, okay, this is actually something. Almost every single one of them had like that light bulb. It's that training. We did prompt engineering training, which not only shows you how to prompt AI, but also by attending that training, you're seeing how AI actually works. And that's been also pretty good. I guess, again, like there's always going to be skeptics, but this is the change management piece. It's just a matter of sitting down with them. 
And like you said, I mean, the train is leaving the station and there are those who might not want to hop on board, but I think everyone is curious enough to where you can get them on. I think it's great too that you are creating something where every employee is engaged because at the end of the day, human behavior is important. And I'm curious if you've sort of identified in this process, certain human behaviors that introduce big AI related security risks, or have you been able to avoid that since you're so proactive? Can never avoid that. I mean, what we do really is, well, first of all, we have a good policy around this, right? That's the start of it. Policy says that you can only use firm approved systems for example you have to tell us about them and then we block all non-approved systems so at the same time those that we allow we're monitoring so it's like we're creating those guardrails to make it easier for folks not to mess up and then we also let them not look consider your accounts the same as email like you know they're not private not that we're looking at problems we have an approval process for that but that at least gives folks the guardrails. It lets them know, hey, like use it, go crazy with it. But here are the rules and here are the guardrails. Now, when you're trying to gauge success and say to yourself, okay, I really believe that this is taking root. We do have this really positive AI culture here. Are there certain metrics you look at? Is it as simple as... saying some of these trainings and some of these exercises and some of these phishing exercises, you know, you look at the results of those and if they're trending in a positive direction, you know, it's taking root or there are other metrics you look at. Yeah. When I think of metrics around AI, I'm worth thinking less about the security metrics and more about the metrics measuring the success of AI itself. So yeah, usually it's...
Save time, save money, increase quality are the three things. So what we've done around that is a lot of survey and a lot of talking to folks about how a process was, showing them how to do it in AI and then look at sort of how it is after AI. It's very hard to do this, by the way. It's hard to measure these things, but it's important to have those measurements. But obviously... Also looking at usage logs is one indicator, but you know, folks could be doing all their personal stuff. So who knows? Yeah. What we're also working on actually is building an AI collaboration hub. And that's where the idea there is this is where everyone can go to collaborate around AI. Like someone creates an agent or a GPT, they can post it here. People have questions, they can post it, you know, all of our tools will be there and things like that. When I did conversations around, you know, our use cases and things, there was a buzz. So people are using it and we do have some of the metrics, but yeah, it's not easy to measure. So I assume all the things we're talking about right now, including this AI collaboration hub, is internal to Wafra Corporate. And I know you must have a tricky job because not only do you have to manage that, but Woffer has what, 29 billion in assets and investments. So there's all these other investment companies that I have to think you're sort of an advisor to. And do you play a role in tailoring and shaping their AI strategy and culture as well? Yeah, of course it depends on the strategy. It depends on the company. And that's something that. we are starting to really focus on. I mean, we started a couple years ago with just making sure everyone had a policy. So we had an AI policy we created. We sent it out and worked with folks to get it implemented. At least that allows them to have the guardrails in place so that they could move forward with AI. Now we're sort of doing more surveys around this to see where folks are, where they want to be. 
Some of the companies we're working with could be Like a marina operator, it could be another private equity firm. So it varies. Some we have control positions, some we don't. So really the only way to know is to first ask the questions around both digital transformation and AI transformation and then kind of tailor it from there. I assume you own this at your organization, right? You're the CISO, you're the CTO. Moving forward, should... CISO, CTO, own maturing AI security culture? Is that where it should stay? Yeah, I mean, I think if Woffer had the separate roles, yeah, I think the CISO should be in charge of that from a security perspective. Yeah, definitely. So I know this is all new. Where do you think, you know, you're doing it right. Where do you think most companies go wrong when trying to embed AI into their security culture? I don't think everybody's doing this to the extent you are, Sean. That's for sure. Well, I mean, one thing I would say would they need to encourage experimentation and not just block everything. Since I'm the CTO and the CISO, I sort of go back and forth, which makes it a lot easier. You know, security versus sort of, I guess you could say, like, just experimentation. They can both go hand in hand with guardrails, but... I really think, yeah, allowing the experimentation and creating the guardrails. If you're saying no, that's one end of it. But you also don't want to just let everything go wild and not put in the guardrails. So I think like in the past, CTOs, they buy a tool, they roll it out, and they move on. That doesn't work with AI. You know, that's not going to change the culture. That's not going to change things. It's all about change management and, you know, looking deeper at things, not just rolling it out, training, collaborating with folks, documenting their processes, looking at processes end to end. 
This was something I wasn't that great at before either, but I would say a large part of my job now is change management. I think this is for AI what separates good from bad. And I also think like a top-down approach is going to help in a situation like this versus, you know, the CTO or CISO or whatever just pushing AI out. I think a top-down approach with KPIs and things like that are also going to make sure that things are successful. There's always going to be resistance. But, you know, when there is, you... work with folks one-on-one. In the life of information security, when has there not been resistance? Always is. Always is, yeah. No, I think that's really good advice. This was great. I mean, awesome insight. I have a few more questions for you, Sean. There are some quick rapid fire questions to sort of just get to know you a little bit outside the realm of your day-to-day job. And I'm going to fire them at you if you're okay with it. Of course. All right. What was the last book you read? I'm always reading stuff. I read a book about, what was it? This is the most boring thing in the world, but I'm looking at it because it's behind me. Mastering Linux Security and Hardening. That was the last technical book I read, but I'm always reading self-help stuff. Yeah. Okay. If you could instantly master any new skill, this could be professional, this could be... totally personal. What would that skill be? Playing the piano. I'm really into music. I play the drums. I play some other instruments and make music. But I've always wanted to be better at the piano. So you play it, you just wouldn't consider yourself a master? I have one. I press the keys on, yeah. But I'm not that good at it. Okay. If you weren't working... as a CISO and CTO, and let's say you were just outside the realm of tech and cybersecurity, what would you be doing? Maybe making music. I love that.
Yeah, it would be making music, but no, I'm really attached to the Adirondacks, which are upstate New York, so I would be doing everything I could to protect the Adirondacks. Make sure it stays there forever. It's a special place and it's close to my heart. Nat, do you hike a lot there? Of course, yeah. So fun. All right, last question. What's one piece of advice you wish you had when you first started your career? Take it easy. I mean, I only learned that in the last three years and I've become a much better leader because of it. I was trying to do everything I want, working 14, 16 hours, you know, striving for perfection. I think I could have chilled out a little bit and enjoyed it because it's all about, to me, like it's stereotypical or whatever, but I've learned that it's all about the journey and enjoying the process. I think that's amazing advice. I think it's hard for somebody just entering the workforce to really understand and take that on. And if they can, boy, I think that, that would be great advice. Yeah, it's almost impossible to do at first, but yeah. Well, I appreciate you indulging us with those rapid fire questions. That's about a wrap on today's episode. So I really want to thank you for doing the podcast, Sean. And for those that don't know, Sean in December was profiled in our Feats of Strength magazine. And that was a really fun article. So if you haven't read that, please go to our website and check that out as well. And you've done both for us. I think you're a great leader. Buffer's probably lucky to have you there. And I think more people should be putting themselves out there for topics like this. So I really appreciate you coming on and talking with us. No, I really do appreciate it. It was fun to chat. Great. So you can hear this as well as all of our podcasts, Cybersecurity Business, wherever you get podcasts or klogicsecurity.com forward slash podcasts. Thanks so much, y'all. Thank you.
