Hi, this is your host, Swapnil Bhartiya, and we are back with our yearly prediction video series. Today we have with us, once again, Steve Winterfeld, advisory CISO at Akamai. Steve, it's great to have you again on the show.

Always great to be here. Enjoy your show quite a bit.

I enjoy discussions with you. Today, we are of course going to ask you to pick your crystal ball and share your predictions for 2024. But before we go there, just let's do a quick intro of Akamai.

Akamai is a great company. We started off with content delivery on performance. We also are a place you can use Edge compute or our cloud infrastructure to build. But really over 50% of our business now is around securing your company and making your customer experience safe. And so today we support all of that through Edge support and segmentation and a number of other security capabilities.

Now it's time for you to pick up your crystal ball and share your predictions with us.

So it's interesting as I look forward into next year. Obviously the hot topic is AI. So AI has been around quite a while, but the novelty is this year with large language models or generative AI, everybody can engage with it. You can go log in and use it, unlike robotic AI where you have cars that are self-driving or manufacturing floors working on themselves or the more traditional machine learning and structured supervised algorithms. And so we see this and it's got a lot of notoriety. I will say that it's a two-edged sword, first of all. Obviously, we use things like machine learning and detecting criminal activity and countering it. Criminals are also using machine learning and how they're attacking. And we're gonna see that same thing with large language models. We're gonna see jailbreaks, people coming in and breaking into it. We're gonna see criminals using it to better send phishing emails or malware like ransomware inside a phishing email as well as business email compromise.
And with business email compromise, convincing someone to send a payroll statement to the wrong bank, what we have here is ability to engage with deepfakes as well, emulating voice, emulating video. So I see a lot of social engineering danger. I will say one great reference. I've talked about OWASP in the past. OWASP for top web attacks, for top API attacks. They've actually put out a top 10 vulnerabilities or attacks for large language models. Encourage you to go look at that.

Next, let's take a look at kind of the governance and compliance landscape. NIST, the National Institute of Standards and Technology, is coming out with the new incident response, regulation governance. And it had that incident response cycle in a circle. And now in the center, they're adding governance. So we're gonna have to go back to kind of our policies and our procedures and make sure that we talk about how the governance is integrated in our incident response. We see industry standards like PCI DSS 4 coming out. And that's gonna require us to look at new threat areas like our JavaScript environment. And I think probably the most impactful will be the regulation coming out of Europe. We first saw privacy regulations coming out and a bunch of states implemented that. The one coming out now is the EU Digital Operational Resiliency Act, DORA. And I think that's gonna drive more and more people to talk about what are we doing here in the United States and other countries around resiliency. And so that's another aspect of our policy that I would encourage people to start going and looking at is how do you think about resiliency? How do you define it? And where is it integrated in your processes?

Next I wanna talk about some of the DDoS and API. We've seen new records set, new innovations. I expect both of those continue to dominate. Ransomware will continue and evolve. We've seen this year that we had more initial access brokers.
We saw a transition to people focused on the holding data hostage versus the encryption. We've even seen criminal groups going to the customers of the victim attacked and saying, we stole your data, go back to your vendor and tell them to pay us. And in one crazy case, we saw the criminal groups reporting to the Securities and Exchange Commission, the SEC, that a company they had broken into didn't report within the timelines. So continue to work with our people around, how are we dealing with all the criminal activities? But again, are you ready for the new levels of DDoS attack? Do you have visibility on your APIs? Are you aware of where there's abuse? Do you know where you have rogue APIs? It's gonna just become more and more important as the threat focuses on those.

Next I wanna talk about kind of the stress. Staffing is gonna continue to become a challenge. We have new need for talents. If you would have told me a couple of years ago there'd be a job req out there for a prompt writer, I wouldn't have known what to say. We need people with data science capabilities. We need so much talent and the stress and impact of work that I think more and more of my fellow or my peer CSOs are thinking about a flexible staffing approach. How can I make the quality of life better? Where can I reduce complexity, so my staff isn't trying to maintain so many things? Where can I bring in an augmented engineering? Where can I move stuff out to managed service providers? It's just gonna, I think we continue to deal with the lack of talent and the stress our talent is under.

And then the last thing I wanna talk about is more and more CSOs are trying to shift some of their budgets, some of their protection into minimizing dwell time. You know, if I have a big flat network, how do I segment it? How do I monitor East-West traffic or internal lateral movement? How do I get it so my situational awareness is just not North-South but it's throughout my entire environment?
My cloud, my service providers, my internal data networks or legacy data centers, such a hybrid environment. So how do I get that visibility to minimize the dwell time? So the shifting dollars away from prevention to rapid detection. So those are kind of my top of mind thoughts.

Thank you for sharing these questions. Now let's look at what are some of the major challenges that you see will be there in 2024, not just for the industry but maybe for even Akamai to deal with.

So as we look forward I continue to have this complex dynamic environment, but one of the biggest changes is around transformation within the business. So as my business models change I have to be flexible. If the business is now engaging customers in a different way, you have specific industries like healthcare that have new mandates for transparency, access for patient to get to their data. There's just this constant transformation as people think of business cases to use generative AI in production, another security challenge. And so really I think a lot of this comes back to how do I minimize that complexity? Do I want to go from 75 vendors to 25 vendors, spend more time on security than necessarily vendor management? Do I want to go to, you've probably heard of me talk about the MITRE ATT&CK framework. There are a bunch of sequential steps that a criminal has to take to gain access and execute their plan. Do I want to map out and have two or three controls in each one of those columns, giving me better defense in depth? How am I going to approach staffing? Am I growing the talent? Am I, do I have a pipeline of future talent? Do I have the right skill sets? How am I developing those people to understand how to protect generative AI? And ultimately, how am I matrixing that? Where am I taking non-core functions, putting that out there? Finally, are my vendors understanding my compliance requirements? My privacy needs? My data localization or data sovereignty needs?
If I'm in a specific industry, that industry's needs. And finally, resiliency. So I think all of those are kind of top of mind right now.

What is going to be the focus of the company or maybe your focus in 2024?

I think most of our key customers, the ones that we get the feedback that drive us, are talking about two things. One, they're talking about transformation and their desire to make sure their APIs are understood and they have the ability to mitigate threats, to do an investigation, to do audits. And so a lot of our focus is working on that API transformation environment. Understanding East-West, North-South abuse, all of that situational awareness stuff is our one focus. And then our second focus is kind of that, minimizing that dwell time and impact zone. So are you segmenting? We put out a state of segmentation report recently that showed six ways to segment your network that would allow you to mitigate in much faster time, reducing that impact. And so between host-based or software-based segmentation and API, I think that's where most of our customers are engaging with us.

Steve, thank you so much for taking time out today and sharing your predictions. As I said, I would love to have you back again next year, not only to check how many of your predictions turn out to be true and also get next set of predictions. Thank you.

Awesome, thank you.