Mimecast CISO On Why AI Has Become A Cybersecurity Risk
The Business of Cybersecurity · 2026-06-02 · 23 min
Substance score: 40 / 100 (five dimensions, 20 points each)
What our scoring noted
Our reviewer’s read on each dimension, with quotes from the episode.
Insight Density
A few moderately useful points (pooled data as a target, irreversibility of data once in an unlicensed LLM, AI accelerating insider enumeration), but most content is familiar cybersecurity hygiene wrapped in generic advice with significant ad and platitude padding.
Once data's into a large language model, especially a large language model that you're not paying a licensing fee with, it's effectively gone
AI is making it easier to go through and do that enumeration to find out who the susceptible people are in your org
Originality
Leans on standard frameworks (NIST CSF), well-worn analogies (public cloud adoption fears), and tired cliches; little contrarian or first-principles thinking.
What's the old line, right? Failing to plan is planning to fail
Most cybersecurity people were deathly afraid and deathly against public cloud
Guest Caliber
Genuinely senior practitioner — a CISO of six companies with nearly three decades in the field — though the transcript surfaces relatively little of that hard-won operational depth.
I've had the good fortune to be the Chief Information Security Officer of six companies
I just hit 27, 28 years. Started as a cryptographic programmer back in the day
Specificity & Evidence
A couple of concrete touchpoints (80% stat, BBC dark web report, Target's agent liability statement, a counter-intel burner phone program), but mostly abstract guidance with no named companies, dollar figures, or detailed timelines.
We're seeing 80% of organizations that have voiced concerns about sensitive data leaking through generative AI tools
We do a counter-intel program where we get a burner phone and go at it
Conversational Craft
Questions are long and leading, framed as setups rather than challenges; the host never pushes back, requests evidence, or probes vague claims, making it a friendly promotional chat.
Step on that soapbox and feel free to preach your gospel today
almost like small children playing with dangerous toys, unaware of the dangers
Episode notes
What happens when the technology designed to make us more productive quietly becomes one of the biggest security risks inside the enterprise? In this episode of The Business of Cybersecurity, I sit down with Leslie Nielsen, CISO at Mimecast, to discuss the growing tension between AI adoption and cybersecurity, and why many organizations may be exposing sensitive information faster than they realize. As businesses race to deploy generative AI, AI agents, and Model Context Protocol integrations, Leslie explains why AI models themselves are becoming valuable targets. When organizations pool large volumes of sensitive data into centralized AI systems, they create what he describes as a corporate brain, one that can quickly become attractive to attackers if the right controls are not in place. We explore the rise of shadow AI, where employees use unsanctioned AI tools to meet deadlines and improve productivity, often without understanding the long-term consequences.
Full transcript
23 min · Transcribed and scored by The B2B Podcast Index.
Neil: And if you are running a business right now, you may have noticed there's a quiet shift happening. One that most people are still underestimating. And that is, your company doesn't live inside your network anymore. It lives inside the browser. That's where your SaaS apps sit. That's where your data moves. And increasingly, that's where attackers are focusing their attention. So NordLayer has just launched its new business browser, and it's designed specifically for small and medium-sized companies that need visibility and control without the overhead of enterprise security tools. What I like here is the balance. You get advanced protection, better compliance and full visibility into how your team is working online, but without slowing anyone down or forcing them to learn anything new. It feels like a practical step forward rather than another security layer that adds friction. So if you want to see more about how it works, please head over to nordlayer.com/browser and check it out and let me know your thoughts. But now on with today's show.

What happens when the very AI systems designed to accelerate your business quietly become your biggest security risk? As organisations continue in that race to adopt all things AI and implement AI agents, many are pooling sensitive data, exposing new attack surfaces, and teams are underestimating just how quickly things could go wrong. Now today I'm joined by Leslie Nielsen from Mimecast, and he's a cybersecurity veteran with nearly three decades of experience. So today we're going to explore why AI models are becoming high-value targets, how shadow AI is creating unseen risks inside organisations, and come away with some actionable takeaways of what leaders need to be thinking and doing right now to stay ahead of some of these threats. But enough from me, let me introduce you to my guest now. So a massive warm welcome to the show. Can you tell everyone listening a little about who you are and what you do?

Leslie: Oh Neil, thanks so much for the invite, really honored to be here. My name is Leslie Nielsen. I am a, well, I've been in cybersecurity longer than it's been called cybersecurity. I think I just hit 27, 28 years. Started as a cryptographic programmer back in the day. I used to say crypto, but that has a different connotation now, so cryptographic programmer. I've been around the block a bit. I did a little bit of outsourcing, a little bit of consulting. I've had the good fortune to be the Chief Information Security Officer of six companies. Mimecast, the company I'm at now, is my sixth. We are a cybersecurity provider. I'm so happy to be here and I will just tell you, I do have a soapbox for cybersecurity. I absolutely believe all of us have the mandate to ensure the digital safety and security of those around us.

Neil: Fantastic. Well, you are in the right place, my friend. Step on that soapbox and feel free to preach your gospel today. And one of the reasons I was excited to get you on here to join me is I was reading one of your reports that suggested that AI models themselves could actually become a new high-value target, essentially a corporate brain trained on sensitive data. So how real is this risk today, and why are organizations underestimating it? Because on one side, I'm going to countless tech conferences all around the world. Everyone's talking about agentic AI, getting excited. On the other side, I'm seeing Target, I think, in the US this week, said, hey, if your agent goes and buys anything, it's your responsibility, nobody else's. So what are you seeing here?

Leslie: You know, there's two sides of it, just like there is to everything. One is, if you take all of your data and put it in a central place, you're running a risk, right? Because you probably had other controls and things around it. And then secondly, if you're exposing that data in a way, like just a rapid, fast-paced, agile way, getting things out as quickly as you possibly can, because AI is accelerating faster than just about anything, if not anything, we've seen, then you're running risk, and that's the biggest challenge we're having right now. People are exposing the data to prompts. There's the ability for other people to take advantage of the prompts, for agents to expose things, for MCP servers, the model context protocol servers, where people are trying to do integrations between things, to be exposed. You don't have to stop, but you do just have to take a step back and make sure that the controls you already have in place are going to be sufficient, or find the right controls. Know what you're doing and know what's going on in your environment.

Neil: And these concerns that we're highlighting here are very real, and we're not alone with these concerns either. We're seeing 80% of organizations that have voiced concerns about sensitive data leaking through generative AI tools. And we've got the shadow AI problem in the workplace as well, which is an entirely different topic. But where are these leaks actually happening in practice, and what behaviors are driving them?

Leslie: You know, there are multiple avenues for leaks, but really the biggest one that we're seeing in the wild right now is just unsanctioned AI usage by good-intentioned employees. And I'll just build on that a little bit. So your boss comes to you, there's a deadline, and you're trying to get something done. And they're like, look, I need this done. And someone had told you about using, insert your favorite unsanctioned AI online, that's not licensed by the company and controlled by the legal protections that you have with a contract or a license. You upload a bunch of sensitive data, financial data, etc. The difference in that versus years ago, where maybe you'd have a data leak or data loss, a spill, and you could contact Google, you could contact web pages, have stuff taken down, have stuff removed. Once data's into a large language model, especially a large language model that you're not paying a licensing fee with, it's effectively gone. Not only is it gone from your control, other people can then start querying it and seeing that data or pulling information out about your company. So using the financial example I was using, if you take your end of year, let's say you're a private company, you take your end of year, you put it up, your competitors might be able to figure out just how you're doing and what you're focusing on and what's not going well. So it's a real danger. It is happening. More than most people probably think, because they just don't have the visibility into what's happening on the use of AI.

Neil: And one of the most striking findings is that malicious insider activity is now rising at the same rate as negligent behavior. And I saw a BBC report recently where the reporter himself put himself out there on the dark web and he was quickly offered a king's ransom just to have his login. So what do you think this tells us about how the insider threat is evolving too?

Leslie: Yeah, years ago, the biggest cybersecurity risk was a vulnerability on the edge of the network that somebody was going to be able to exploit and then get into your network. Then the attackers got more sophisticated. They started using email and other things, and then it was somebody clicking on something, malware or something getting into your network. Then introduce crypto. That's the next level. Then they were able to lock up your network and ransom your network. As email security and other things got better, then they just said, well, hey, why don't we just contact the employees directly? We've looked on Blind and other websites where people are complaining about companies. All we have to do is just find a couple of disgruntled employees with some good user credentials. We'll just pay them. And it's happening. I mean, it is a real threat. It is happening to companies. I've been at companies that have been approached. We've had people say, we're being reached out to on LinkedIn. We do a counter-intel program where we get a burner phone and go at it, et cetera. The main thing is to find out what they're looking for. And a lot of them are looking for customer lists. If you have any customers that use crypto, they want those lists so that they can then attack those people and try to get their crypto wallets, et cetera. But yeah, it's a really, really real risk. And ironically, AI is making it worse twofold. One, AI is making it easier to go through and do that enumeration to find out who the susceptible people are in your org. And people are becoming afraid of being replaced by AI and ergo are then becoming bitter to the company and then becoming that malicious insider.

Neil: And there really seems to be a clear gap between awareness and action. There's no excuse for not being aware of what's happening. We've seen all these news articles. We've seen the big breaches, et cetera. But with many organizations recognizing the risks but lacking preparation, why is that gap proving so difficult to close? What are you seeing here?

Leslie: Yeah, this is twofold also. The beginning of the problem is that we, cybersecurity, know the right things from a compliance and security awareness training perspective to tell our employees. People go through it, et cetera. Time goes on, maybe they forget, et cetera. But at the end of the day, we have to follow up on those that are having problems. Sometimes we jokingly call them frequent flyers, but it's the people that don't take training. It's the people that are having other problems at work, et cetera. We need kind of a cross-functional view of what's going on. It's the human risk. Getting that view and understanding what employees are at risk, are most attacked, et cetera, is a very important thing for the security team as well as the human resources team and other people to have a view into. The second part of it, one of the reasons it's so hard to get a handle on, is things are moving so fast. And I often liken this back to the day when public cloud came along. Most cybersecurity people were deathly afraid and deathly against public cloud. And the reason they were wasn't because they thought public cloud was a bad idea. It's because they didn't even have the security controls in place for their private cloud or on-prem, so therefore they couldn't extend those to public cloud. And that's what we're running into. Companies just haven't taken the time, they've been accelerating, they've had cutbacks, et cetera, to do the correct investment and maturity on the security controls they need to be able to expand those to, you know, an AI and an agent-centric environment.

Neil: Big thank you to Denodo for supporting the Tech Talks Network and making these conversations possible. Because when your lakehouse stores the data, the real challenge is getting that data where it needs to go, and faster. Your lakehouse stores the data, but Denodo helps deliver it faster. So with real-time access, built-in governance and a business-ready data marketplace, Denodo can help your teams unlock insights without costly duplication. And you can learn more by simply visiting denodo.com.

I'm curious, from your perspective at Mimecast, how should organizations and leaders listening to this conversation today, what should they be doing to maybe rethink security when employees are actively feeding sensitive data into AI systems as part of their daily workflows, almost like small children playing with dangerous toys, unaware of the dangers?

Leslie: Yeah, you know, there's a framework that many cybersecurity professionals use called NIST CSF, National Institute of Standards and Technology Cybersecurity Framework, and it has several steps in it. I'll get to the point, I promise. I just want to be complete, though, on acronyms. I hate people that talk acronyms and don't define. And it's govern, identify, protect, detect, respond. Protect, detect, respond are really the important ones. Protect means to proactively put controls in place to stop something bad from happening. Detect and respond is if those proactive controls fail. Things are moving so fast that we're not necessarily getting the proactive controls in, so we have to be ready to detect and respond. And that just literally comes down to visibility. You have to have visibility into what's in, what's on, and what's traversing your network, and what the people and the systems and the non-human identities on your network are doing.

Neil: Yeah, I completely agree with you there, and I do think many companies still rely heavily on native security controls within email and collaboration tools, even though they admit those controls are not quite enough, because so much has changed in the last three years alone. But what would you say is missing from the environments now? Because it was about five years ago everything switched, and to a few people, the privileged few working from home, to everyone. Then we've moved to hybrid working, now AI. What's missing in today's environments?

Leslie: You know, there are so many communication channels, and with kind of that proliferation of communication channels, we've also ended up with siloed visibility. And what we need is the ability to cross-functionally look across those channels. If something's happening within email and it's bad, the reality is that's probably going to propagate out. It may end up, if, you know, if somebody gets a toehold, a hacker, a nation-state actor, a threat actor, they're probably then going to get in and start checking out the collaboration tools, the instant messaging tools and things such as that. And we can usually see, we being the industry as a whole, the individual attacks that might happen within those. But then once an account takeover or a valid credential is compromised, we don't necessarily have the user behavior analytics to understand that that's happening. And the mean time to detect and mean time to respond, that's what lessens the impact of any event, both financially, reputationally, and just for the company as a whole.

Neil: And the report also highlights somewhat of a lack of visibility into exactly how data moves across systems, especially AI models. Well, we've seen this in the past with APIs, and a select few know how they work, which data goes where, et cetera. But how critical is that visibility now? And what does good actually look like in a modern enterprise when you've got AI on top of APIs? Again, we're talking way too many acronyms there.

Leslie: Yeah. Yeah, and I'll try not to introduce any more, but from a data flows perspective, what's kind of happened in a lot of the industry is people have said, you know what, I may not know all the data on my network, but I have good vulnerability management. I have good security awareness training, and I have good identity management. So they put those proactive controls in place. And so with all those things in place, the chances of a data spill, a data leak, et cetera, are lessened, because what we've done is we've done network segmentation, we've done the various good controls. Back to the original premise we talked about on AI, people are pooling data together. They're pulling a lot of data together in either a central location or a central resource that can be accessed. It's completely changing the behavior, and it's changing the data flows. So they had controls in place to work with the system that they weren't 100% aware of how it operated on the very lowest level, all the data elements. And now the acceleration of that data is just proliferating the network. You have to have visibility into the flows, you have to see what things are being touched, what employees are reaching out to, the shadow AI, the shadow IT and things such as that. It is just paramount these days.

Neil: As we look ahead, and AI inevitably becomes even more embedded across every workflow, what is the one shift you think organizations and leaders need to be making right now to avoid turning their own AI investments into a security liability? We've seen the dangers of the past of moving fast and breaking things. I like to think we're a little bit more sensible now, but it's easy to get caught up in the excitement, isn't it?

Leslie: It is. I'm going to start by putting it on the cybersecurity community. If you're a cybersecurity professional listening to me right now, do this. Be the leader in AI. Go out and adopt agentic software, put controls in place, and then make that the policy for, look, we know how to do it. Here's how to do it. Get visibility into the sanctioned AI and the unsanctioned AI and use the sanctioned. Talk about it. Do little webcasts internally. Do enablement sessions, lunch and learns, et cetera. Just from a cybersecurity professional, so many times in the past, we've all been the office of no. There's no no when it comes to AI. It's here, it's going to happen, and it's going to keep going. We have to be a part of it, and we have to be an enabling feature on it. And then just from the business perspective, think about a plan. A lot of people are just, hey, we got to go do this, go do it. Take a step back. What are you trying to solve? Are you trying to become more efficient? Are you trying to get more leads into your business development representatives? Are you trying to augment your sales force? Think about what you're going to do and build out a plan. Because what's the old line, right? Failing to plan is planning to fail. And I think that's the biggest mistake most people are making. They don't necessarily know what they need to do. And they're just kind of thrashing around. And we're ending up with unbeknownst data flows, potential data loss, data leaks, et cetera.

Neil: Now, you did make the mistake at the very beginning of saying you do like standing on a soapbox. I'm going to pull out my virtual soapbox now and ask you to maybe reflect on the conversations that you've had with your many clients around the world, and also the news articles that you might come across, the LinkedIn posts when you're doomscrolling on social media. Are there any myths or misconceptions you see about everything that we've talked about today? Are there any myths that you continuously read and you think, this is wrong, we need to stop this? Is there anything like that that comes to mind?

Leslie: The thing that sticks in my head, and it's kind of an inferred myth, but people don't think, and this is cybersecurity and other, they don't think that the controls exist to protect AI and to protect data. And some people then just take it, hey, we have to take the risk. Let's just go out there and do it. But the reality is those controls do. I mean, an agent is running under an identity. Humans run under identities, right? We've been managing human risk for years now. We're looking at a significant acceleration or perhaps proliferation of that. But the controls are there. We just have to double down on doing them right. And we just have to be very, very succinct about our expectations and what we're going to do. I think that's probably the biggest myth. It's the let's just put our head in the sand. We have to do this anyway. And let's not worry about security.

Neil: Love it. And is there anything you're optimistic about looking ahead as well? We've talked a lot about the warnings, things we need to do, things we need to be prepared for. What makes you optimistic about this future we're heading towards?

Leslie: I'm using AI to fight the good fight on security. That's what I'm optimistic about. It's going to be AI versus AI, but the reality is many of the tools, cross-collaborations, efficiencies, maybe short staffing and stuff like that, we're able to combat a lot of that. Now, also the bad guys are doing it, but at the end of the day, it's giving us a new lease on just injecting enthusiasm and action into all the good work that our teams do.

Neil: Well, it's been an absolute pleasure sitting down with you today and talking about this in a language everyone can understand. For people listening, I'll include a link to the report we've referenced and your LinkedIn. Anywhere else you'd like me to point everyone listening?

Leslie: Oh, I think that's good coverage. I really appreciate it.

Neil: Awesome. Well, I would encourage everyone watching and listening to our conversation today, please feed back. What are you seeing? What are you doing differently? What would you change? Any myths that you'd like to come on here and share on this virtual soapbox too? I'd love to hear from you, but more than anything, just a big thank you for you coming on here and sharing your story. Really appreciate you, Tom.

Leslie: Thank you so much, Neil.

Neil: If there's one thing that stood out today, I think it's that AI is, yes, moving fast. But security awareness and action are struggling to keep pace. And that gap is exactly where real risk lives. So a big thank you to Leslie Nielsen from Mimecast for sharing such honest and practical insights with me today. And for everyone listening, here's a question for you to take away. Are your AI initiatives creating competitive advantage? And are they quietly introducing risks that you can't see yet? Certainly food for thought. Look into that. Let me know your thoughts, what you found, what worries you, what excites you, everything in between. TechTalksNetwork.com, I'd love to hear from you all. But that is it for today. So thank you to my guest, and an even bigger thank you to each and every one of you for not only listening, but listening to the end. Thank you. And I'll be back again real soon.