KJ Haywood: Exploring AI and Cybersecurity

[00:00:00] Show. Welcome to the Phillip Wylie Show. Take a look behind the curtain of professional hacking and hear compelling discussions with guests from diverse backgrounds who share a common curiosity and passion for challenges and their job. And now here's your host, offensive

[00:00:20] security professional educator mentor and author Phillip Wylie. Hello and welcome to another episode of the Phillip Wylie Show. Today I'm very excited to have my friend KJ Haywood joining. KJ and I know each other from the local cybersecurity community and

[00:00:45] see each other at conferences and North Texas ISSA luncheons from time to time. And so we've been, I've been wanting to get around my podcast for a while. And so finally the star is aligned and it happened, which has been a time, it's been a while since

[00:00:58] I've been trying to get this done and it's all on me, but finally we're able to get it done. So thanks and welcome to the show. Of course, they all of course, of course. And I made sure that I had your, your pen testing

[00:01:11] book out as a promo. You guys need to get this. So it's a great read. So you guys need to definitely check that out. So how are things in your world? Things are good, you know, they're good. This whole AI, LLM world that we're living in,

[00:01:37] Gen AI is shifting so much in our industry, right? I mean, my space is governance and compliance. So just to let the audience know the level set. My background is cybersecurity, but focus is hyper focus is governance with some compliance. So I've

[00:01:55] been doing that for, I've been in governance for like 25 years plus. But security specifically security governance about 11 years. And what I thought was that I was going to retire from that industry and then AI hit.

[00:02:13] Oh God. Okay, now I need to, I need to shift. So I do have a, I do freelance. So my company is called Nomad Cyber Concepts. And I focus on organizations that are mid-sized organizations that are looking to pivot their solutions and look

[00:02:35] at either designing models or acquiring Gen AI tools to help them build their own, either platforms or build out their client base. So I kind of focus on that now Phil. And I'm getting a lot of individuals who are interested, but at

[00:02:54] the same time, like everyone else, I'm learning. You know, I'm learning quite a bit. I just completed an MIT course. Yay on AI, no coach. So now I know how to build models. I'm really a geek now officially.

[00:03:10] That's awesome. That's good. And it's a good inspiration for folks because a lot of my listeners are people that are new to the industry or just trying to break in. So getting to hear those stories because, you know, people think

[00:03:25] I've had, you know, I've had people talk to me career wise saying, you know, I'm, I'm 30, I'm 40, I'm 50 years old. Am I too old to move into this, this different area? And one of the things, one of the examples I have from

[00:03:37] my old podcast, I had someone on that was an esthetician. She spent 20 years in the beauty industry, went to school, got associates in IT. Got interested in cybersecurity, got another associates in cybersecurity. And she works as a pentester now. So she's like 40 something and went into

[00:03:54] a new career. So it's just people just need to realize that it's, it's easier to move than what you think. And it seems like when you follow your interest and you're passionate about stuff that, you know, you do a lot

[00:04:05] better job and it's more fun, you know, because you're going to spend eight hours a day at a job. It should be something you enjoy. And I agree with that. My little journey is kind of bizarre too. I was in

[00:04:19] human resources before I was introduced to cybersecurity. I didn't even know what it was. Even though this is my second business and my business prior to that was more implementation of software, right back in the day. And

[00:04:35] I was like in the 90s. So I really knew nothing about cybersecurity. And, you know, I go and meet someone who says, Hey, I know you want to do an HR job, but I'm looking at your experience and your background and the type of

[00:04:52] business that you ran before. You know, would you be interested in this job called IT governance? And I'm like, what? What's that? I have no clue what you're talking about. So I shifted from HR to cybersecurity. And I mean

[00:05:07] frontline, like he had me managing applications and then I did vulnerability testing. And, you know, it was just, it was fun. And I didn't realize, like, you know, like your friend that you're talking about, I

[00:05:20] didn't realize that I had an acumen for it. But when I was able to like, you know, shift and go, Oh, okay, I can do this. But you start geeking and you're like really geeking out on you're like, Oh, yeah, you know, we just

[00:05:36] had a vulnerability yesterday. And, you know, what are we assessing? And, you know, who's who's who's in charge of that? And how do we make sure that we deal with that? Or we have an exploit, you know, last night,

[00:05:48] you know, a zero day, you know, hit us, you know, in terms of a vulnerability. So it's like, mmm, so you get involved in that and then learning so much from other teams. For me, that was like, I loved it.

[00:06:05] You know, like you said, I you've got to really love cybersecurity. You've got to love technology because it's like 24 hours, seven days a week. Yeah, because for anyone that's working IT to knowing, you know, being on call. So you're, you know, the week you're on call, you

[00:06:25] get called middle of night for something. So it's like you said, it just doesn't it just doesn't end and really to be good at those areas, you know, IT, cybersecurity, now they I you've got to constantly be learning because there's so much of it to

[00:06:38] learn. I mean, it's just I've seen people that can function well, working 40 hours a week. But you know, for myself, it takes me learning after hours, I can't just get all done in 40 hours. Yeah, I think our our industry, at least from you know, I'm sure

[00:06:54] you've talked to people like this before our industry is really a lot of us are introverted, you know, like socially we're introverted. And or we're like that hybrid, you know, for me, I came from a different industry. But I

[00:07:11] certainly can say that my, my best times are after five p.m. After five p.m. is like all of a sudden my brain wakes up, you know, at 10 o'clock at night I can write. And I know for some industries is different, like, you know, doctors, you

[00:07:30] know, they they definitely have the ability to have the energy. And I think with our industry, and I tell especially people who are transitioning their careers, Phillip, I let them know, hey, are you sure you want to transition to

[00:07:46] this industry? Because you have to really love what you do. Because it's easy to get burned out. Very, very easy. I'm sure you have I have many of our colleagues have so it's very easy if you don't create that balance, you can get burned

[00:08:03] out very easily. So I always ask individuals, I don't care if they're coming from a different industry and they're transitioning, are you absolutely sure? You're gonna have to really want to be up at three o'clock in the morning,

[00:08:17] you know, because we had a breach, you know, and every it's a hands on deck. So can you do that from time to time? Yeah, yeah. It's a friend wellness. Yeah, it's very good. So what do you as far as you know,

[00:08:36] you kind of mentioned people working better after at certain times, what do you recommend for folks to kind of adapt and be productive when you have a your circadian rhythms don't match up with the eight to five, how would you

[00:08:52] recommend their workflows and how they could be successful and thrive? What I mean, again, I'm putting on my little former HR lens. What I would always recommend to people is even before they even consider cybersecurity or any domain of technology is be

[00:09:13] realistic about where your skills are and your acumen is, right? I even tell them look at your resume, look at your skill set. Go back and see if that's something that you're really interested in. Do you find yourself researching things

[00:09:28] just because do you find yourself engaged with reading or trying to play with some type of device or app or development or playing around with code? Do you find yourself doing that kind of on your side? Are there things that you

[00:09:48] actually do that really start intriguing you? And as far as time wise, I always recommend people to engage where they are like individually, because especially our practitioners that you and I, we've talked about that before, they're on the front lines. They're working those 40, 60 hour work weeks and

[00:10:11] their best time is after five o'clock and they can shut down or they can turn on. But I also recommend people to make sure that you assess your own gauge of your own health and well being because you can make major mistakes. And if you're

[00:10:31] exhausted and it's five o'clock and you know that you are mentally shut down at five or six, take that break even if you know you have to push through the evening because you're working on something in particular a deadline, that

[00:10:45] break, that mental break is crucial. I mean, even for all of us, regardless if we're in the C suite, or if you're in the front lines, you know, in some area of technology. So I I don't listen, don't take my my life advice. Take what the

[00:11:04] words that I'm saying, because I was horrible at that horrible. And I managed to fail over and over and I don't necessarily mean in my job, but I failed with my health and well being and that's it's not that serious. No job is that serious of

[00:11:24] your health, you just have to know when are good times when your brain is like really working like you're really on you know, and be able to balance it. So since you're you're really into the AI stuff and you've

[00:11:38] been doing a lot of studying around that, what are your recommendations for someone that hasn't done any kind of AI or generative AI? What some of your learning recommendations? What I've always recommended for individuals now is get an understanding of the literacy of AI first. Because that's the

[00:11:59] first foremost is same with member back in the day with cybersecurity. A lot of organizations they would hire even HR people they would hire and they didn't know what type of person they were hiring or you know, they'd say software developer, software engineer. They're like, I don't

[00:12:17] know the difference. You know, the job descriptions would look identical. You know, I think we're going to repeat that cycle in so many different areas. I'd recommend individuals if they don't have the funding to definitely take a look at all the free tools that are out there. There's

[00:12:38] Coursera. There is CyberRary and there's others that or there's Microsoft, there's Google that who are offering free gen AI classes. There's certs, they're not certifications, but at least their completion certs to identify where your level of expertise is and where that

[00:12:59] falls. If you want to learn no code AI model design, there's opportunities to do that at no cost. And if you're an executive or if you're in the C suite and you're like, okay, I need to understand this stuff. I

[00:13:12] recommend for them, Phillip, is that they actually get a certification at an institute. Mine was at MIT and I did a no code. And that was hands on learning how to build models, but also how to interpret those models to

[00:13:29] my colleagues there in C suite, right? How to interpret those models and communicate to the marketing and sales team to the development teams. And so there's lots of different courses out there. There's MIT, there's Stanford, there's UT Austin. I mean, we've got a

[00:13:46] whole host of them. But for those who are just beginning, get your handle on gen AI first, I would say definitely first because you have to understand the difference between large language models, deep learning, natural learning processes, all of that. And

[00:14:06] that is a process. It's not an overnight learning process. It's going to take some time. Very interesting. It's just amazing how AI is caught on because I remember back at towards the end of 2022, whenever chat GPT came about and people were starting to

[00:14:27] use it seeing all the things that people were doing with it. It's amazing. And interesting thing to compare it to other technologies is I really can't remember anything accelerating the way this has even even with the internet and the dot com

[00:14:41] boom and all that really didn't move in advance as quick as this is because you just saw like in a matter of months, right? You know, all this stuff. And now you've exposed this technology to creative minds that haven't had access to it before. Because the

[00:14:57] expense of trying to do AI now it's readily available to to the world. It's just interesting to see what people are taking using their creative thought thought process and what they're coming up with. So it's pretty amazing. It you know that I was doing some research when I

[00:15:14] wrote an article and it was like, I think in you guys have to read my article on my website. But it was something around 24 billion in terms of activities for the chat GPT was at 3.5. That was released when 3.5 was released 24 billion in

[00:15:36] terms of activity within a I think it was a 48 72 hour window. And I'm like, that's insane. That's absolutely the same people just was just on it. You know they were just all over and this course is all over the world right? This is not just

[00:15:53] US based numbers. But and then within a week, I mean those numbers slowed down and there were other geni AI tools that were released around the chat GPT 3.5. There were other geni tools that release but the Microsoft one obviously hit by storm because they you know they've been

[00:16:13] working on it for like maybe three to four years prior to the 3.5 release. So they had at least beta tested tested tested tested the model and they were ready. The others had not had that length of time of testing. But you're right.

[00:16:28] This is imploding worldwide on all of us in terms of how do we get ahead of this as security practitioners? How do we ensure that when these data scientists decide to get hired in these organizations and they're being pushed to build models? How do we

[00:16:53] ensure that our data is actually segmented? How do we make sure that that data is protected? What do we do and how are our systems going to be designed in terms of you know natural laying processes that we're going to embed more

[00:17:08] LLM into our existing tools so we can fight against the adversaries. Just a whole bunch of questions out there that our security practitioners, we don't have the answers for them. We're all just trying to figure this out as we're learning. Yeah it's pretty

[00:17:28] interesting because then you have to work you have to look at the risks of someone's an organization using chat GPT they're putting sensitive information in there. Now it's out there within that ecosystem and stuff can be exposed. You have to really

[00:17:44] be careful so I can really see like your areas from the compliance because you know it really seems like one of the things companies gonna have to have is put policies around it and rules because if anyone can use it you have to be careful with what they're

[00:17:59] doing and it seems like it makes sense as well. It's kind of be hard to prevent people from using it so at least kind of back to the security awareness concept you've got to train people on how to use these safely without you know

[00:18:15] exposing company secrets. Right right or their own. I mean they're using they're using gen AI tool at work and they're using it for personal use and they not fully realizing it may not even be I mean I know some people who are using

[00:18:35] gen AI and the company hasn't necessarily adopted and purchased from Microsoft the secure version of a gen AI tool which obviously is more secure if they purchase it you know and they're using these tools and the data that they're placing in there the information

[00:18:59] there they're in placing in there sometimes as their own. And it's just it's IPP it's I HP is IP IP is all the P's of the data that needs to be OK. All right we're going to purchase this but you're right I think the privilege

[00:19:23] access remember we talked a lot about zero trust and privilege access right back in the day. I think we're going to end up circling right back to that and surgeon who has access to the tools in house who needs access to the

[00:19:39] tools in the house and if we're going to allow everyone from the marketing team all the way through our developer teams and that includes you know HR that includes you know the finance teams if we're going to give everyone access to this what level of access do we

[00:19:59] really need to give you know to them and what are we doing internally in terms of protecting our systems. Are we building internally or are we purchasing and governance is going to have to do that whole risk and compliance and I think it's going to

[00:20:15] hyper focus on third party risk. I think that's what we're going to begin. I think 2025 we're going to hear a lot about large corporations saying OK now we need to upscale our third party risk assessments because now we decided that we want

[00:20:34] our third party vendors are MSPs to help us with more enhanced learning models so that we can do whatever service that we do health care finance whatever. So I think it's going to be interesting but we still need to address vulnerabilities and model design. We still need governance

[00:21:00] around providing that oversight and model design whether it's internal or whether it's providing oversight from a third party risk perspective. So what are some good security resources that you've run across for for machine learning and AI. I have honestly for security I'm a

[00:21:21] big I'm a big advocate of Alaska. If you are in security you guys should know what a last. A last is the open web application security project that's what it stands for and they really provide the guidelines and standards for secure development. So software development lifecycle

[00:21:46] right that whole process and model design is not too much different from the concept of oversight from a security perspective right it still has a life cycle process and a life cycle development process. It just may not be software per se right its data being ingested into

[00:22:08] a model and the model is actually learning from that data and being tested. So I think if we focus on OWAS as security practitioners at least they have security controls they have data security they have what else do they have. They have model in terms of

[00:22:28] providing model development and providing development oversight of model and then threat modeling. You know we have that aspect of what OWAS to. So I think if we lean on some of the standards that OWAS has put out as well as the NIST AI framework.

[00:22:49] I think if those combinations especially for businesses are based in the US or use businesses that are doing business in the US particularly the larger scale mid-sized businesses. That's I think going to be helpful a very strong helpful tool to give us some baseline and say OK

[00:23:06] this is where we can start. Now we just need to level up in terms of our own knowledge and skill set of how our models design so that our practitioners can ask the right questions to a data scientist or ask the right question to someone who is

[00:23:24] building a model so they don't just throw a whole bunch of jargon out and say oh yeah I'm doing this and I'm doing this and it's basically a sales pitch and it ends up affecting the organization or unfortunately hurting someone you know especially if it's health care.

[00:23:41] Good points and so we were discussing before the show about community so I know you're a teacher you mentor a lot of folks helping people out so what some of your recommendations for people community wise different groups you'd recommend different types of conferences and stuff.

[00:23:59] For my practitioners I'm advocate for secure world they offer online trainings that also provide UCPU and CPEs so if you have certifications then I would definitely recommend as many online trainings that they offer and they offer a platform from January through November every year so and they're free.

[00:24:26] So if you're looking for something like that in your practitioner interested in learning a little bit more about different areas different domains of security and or technology. Big advocate for them also a big advocate for women owned I'm sorry women run nonprofits that are also hosting

[00:24:48] conferences because I'm a big proponent on women coming into the space of technology as well as security particularly security. So I know O and UG is one of those organizations. I'm sorry it's not O and you do it's a W I Y S Y S

[00:25:08] I could be saying that wrong and please forgive me. Yes thank you please forgive me. They are an incredible organization that is open to new practitioners. They have a great platform of speakers and educators and leaders that are part of their organization women

[00:25:27] leaders and I know some of our local C-sweets are members of that organization as well. So I would definitely recommend getting into that there's another leadership organization that's women based just putting a plug for women is called a STEM S T E M leadership

[00:25:49] and it's a global organization. So it is inclusive of women you know from various backgrounds diverse background but that's basically STEM so math science technology. As far as our local conferences I think we talked about a few of those. I know we have no tech

[00:26:08] and no tech is one of a conference that comes to Dallas that also is open up for practitioners as well as C-sweets. So I would definitely recommend those type of conferences and if you're a leader there's C-so X C that we have that comes to our

[00:26:23] conferences and other things. I S S A we are huge in the Dallas Fort Worth area I S S A I would definitely recommend any conferences trainings that they're doing because they're big advocates for practitioners and helping individuals who are beginning their careers in cybersecurity

[00:26:44] and or the technology space and they're really ahead of things. I S A square is another organization you might want to consider joining on the former vice president of that organization. And then for certs bill that's sticky that's sticky because my domain is governance. So I governance

[00:27:08] has a cert they have a cert called AI GP it's brand new like Bill it came out April of twenty twenty four. They did a paper exam in Washington D.C. It was over 300 people there taking a paper exam like crazy right for twenty twenty four.

[00:27:33] But it was successful. It's an international recognized cert. And when I say international I'm seeing Singapore Japan Brazil Mexico I mean across the globe you you the EU European you know it's it's an incredible certification to have if you are a governance practitioner

[00:27:59] and or if you're beginning your career in governance I would recommend that cert and the C risk which is the CCRC that's put out by ISE squared. Those are search for practitioners there's other search for you know C Swings you know CIS SP and CS system CISM

[00:28:22] but for those individuals who are beginning their careers I would suggest doing certifications that fall within your domain and learn as much as you can about other domains don't like pigeon and Bill knows this don't pigeon hold yourself don't don't do it don't do it.

[00:28:43] This is my fifth career so I can tell you don't do it. Yeah, yeah it can fall behind easy and that's one of the things that's been fortunate for me. I really followed what I was interested in so for myself I started out in CAD drafting

[00:29:01] found out about CIS admin work through IT moved into that the IT I found out about security moved into security while I was working in security one of the changes that happened was fortunately for one of the CISOs that I had we had a new CISO

[00:29:16] on this in this company I worked for at first we were all doing the same thing and he decided to put us in different silos and so I got put on the app sec team and that's where I found out about pen testing got interested in pen testing

[00:29:28] and just kind of follow that interest and it stays interesting and you keep progressing sometimes if you just you know like they say you your career dies in the comfort zone if you sit there and just find what's comfortable and don't you know work to keep constantly improving

[00:29:43] is just kind of difficult to to really thrive career wise yeah and I'm I'm I put the plug in to your audience about your book because the reality is is that pen testers are needed that's not an industry that's going to die we're going to need you

[00:30:00] we're going to need your skill sets as particularly as AI and large language models begin to be more developed more defined we're going to need your help because we need to protect the data the data sets that are being used for those models we need to start doing

[00:30:19] some segmentation we need to assess our environment and the tools that some of these third parties are developing we really need to keep our lens on that and we need pen testers very much so you guys consider going into pen testing if you haven't already considered it

[00:30:41] it's a lot of industries they say feel they're going to die and I think there's a lot of opportunity for all of us to pivot our careers and I don't believe in the concept of dying I believe it's going to be similar to the shift with cybersecurity industry

[00:31:00] practitioners are going to have to basically pivot a little bit of their skill set and level themselves up and there's nothing wrong with that I think individuals who are coming and brand new into the industry they'll have an opportunity that they would have had

[00:31:17] if AI did not fit the marketplace right so I think there will be incredible new opportunities but it's going to require all of us whether with boots on ground or whether we're at the C-suite all of us to level up our skill sets

[00:31:32] because we don't want our robots to take over our jobs as they say we know that's a fallacy maybe not maybe not I thought at one time that's not possible but you see now they have these robots and then now AI is making them do so much more

[00:31:50] it's really amazing at one time you never would have thought some of this is possible but just seeing some of the stuff they're doing with the robots now they get AI to make it smarter and it's pretty amazing one of my favorite quotes around AI

[00:32:04] is because people are always saying am I going to be replaced am I going to lose my job but my favorite quote is you won't be replaced by AI you'll be replaced by someone that uses AI yes and I like that quote it's a very powerful quote

[00:32:19] but it's true which is why you have your podcast which is why we're you know I'm teaching you know we do our best to educate as many people as we can casting our net as wide as we possibly can to educate to educate those who are saying

[00:32:38] I'm not sure which direction I should go well artificial intelligence is our new feature you know it's like saying I don't want to learn how to use the Google I think some people call it Google Google net or they I mean they don't know so it's like

[00:32:55] this Google thing I don't know how to use it and that was back in the day and they're like I don't want to learn I don't want to do anything with it and now you can't we're talking 75 80 year olds 90 you know up in the 90s

[00:33:11] who are using the internet fluidly fluidly and I don't think artificial intelligence or any type of gen AI tool because there are going to be so many more that are going to be launched over the next I'd say three years we're going to have so many

[00:33:30] and we're going to have so many new note code learning models so I don't you guys definitely research no code no code platforms is the new way there in there it's a way of learning how to build models without learning Python necessarily if you have Python experience

[00:33:51] that's a huge plus huge plus I wouldn't encourage if you have it just maintain it continue to learn as much as you can but if you don't and that's not your acumen you know, shift to no code tools and start building tools and playing around with tools

[00:34:06] because that's a skill set that we're going to need in the new future so we're getting down towards the end of the episode is there anything you'd like to discuss before we end? The only thing I would say is two things one is for

[00:34:24] individuals who are listening to this podcast who are in management level roles who are in the security space particularly I would strongly encourage you to start thinking about governance programs AI governance programs and how you're going to build AI governance programs into your existing third party risk programs

[00:34:51] right because you're an info set for example start really start doing your homework and researching what that's going to look like you know hire someone like me you know to help you go through that process because the third party risk aspect is going to be

[00:35:08] I believe our arsenal to fight our adversaries who are going to use you know and utilize third parties as their gateway to get to intellectual property to get to data so I just encourage you to start building those programs so we can build policies and procedures and educate

[00:35:33] I do have one final thought and that's for your general group and that is model design and data sets the usage of it we all need to understand what that means and we all need to level up our skills with artificial intelligence and literacy so that we understand

[00:35:58] what it is that we're doing developing using you know crafting whatever that is our usage I think that's important that we all level up our skills and that there is no expert out there by the way well I appreciate you taking time out of your busy schedule

[00:36:21] to join me today you're welcome it was fun it was fun I agree yeah I look forward to next time we get to meet up in person to get to have some more fun conversations so always a pleasure to see you yeah you too

[00:36:36] thank you Phil so much for having me on your show I really appreciate it it's a pleasure thanks everyone and we'll see you on the next episode thank you for listening to the Philip Wiley show make sure you subscribe so you don't miss any future episodes

[00:36:53] in the meantime to learn more about Philip go to thehackermaker.com and connect with him on LinkedIn and Twitter at Philip Wiley until next time