Hello, and welcome to SuperCloud 6 and the continuing discussion around AI innovation. I'm Rob Strechay, managing director with theCUBE Research. Today, I'm joined by Paul Hawkins, CISO for CipherStash, a company that aims to secure your data, not just your systems. Welcome, Paul.

Hey Rob, thanks for having me.

And thanks for joining, you know, tomorrow, which, you're already over the international date line down there in Australia. You know, it's really great to hear from the future and be able to kind of get into this AI innovator's dilemma, especially where security is such a key to it going forward. So thanks for joining us.

Yeah, it's great. And the future is looking sunny, actually, this morning. So it's a good day.

Well, I hope you send that our way as well. So let's jump into it. You know, what does it mean to secure data and not just the system? Aren't we really doing that with encryption in flight and encryption at rest?

So CipherStash, which is the company I'm the CISO of, we built a searchable encryption technology, and that's the technology that enables the product offerings we have. Our message is securing the data, not just the systems, and traditionally people have secured systems. So encryption at rest, as you mentioned, encryption in transit, but the unit of protection is the database, for example. So people do encryption at rest, which mitigates the risk of somebody taking that database and copying it somewhere else. But if you've got access to the database, you've got access to the data. The technology that we've built allows you to secure individual pieces of data within a database, and then you can do really fine-grained access control on that. And also you can have really great visibility of who has accessed what, which means that you can scope down the protection to the individual unit of data, potentially even to individual records.
So that means that you can have a greater degree of control over what data is being used by what systems and what humans have access to what data, which is really interesting when you start thinking about how data is used in an organization when you start training large language models, for example.

Yeah, definitely. I think that's a good jumping-off point, because AI is really built on data, and you could say it's the ultimate data product that is AI. How do you believe companies have to think about protecting the data within AI?

Well, it's kind of simultaneously an interesting future problem and kind of a modern problem, where businesses really want to use AI and large language models to accelerate their business decisions. It makes a lot of things really easy. Kind of put some prompts in, get some information back, and you can make decisions based on that. At the same time, it's actually a really traditional problem. Having visibility of where your data is and what systems are using that data is something we've been doing in the security industry for a really long time. And the context of AI and the context of training models means that we just have to make sure that when we are training data, we know what we're training these models on. So a good example is, if I'm a healthcare provider and I've got a bunch of information about patient records and treatments, in order to provide better information to the people in my business, I might want to have some models trained on that information, but I want to be really conscious that I'm only training it on genericized, anonymized data. So being able to protect the truly sensitive data in that data set is incredibly valuable, because it allows me to get the value from AI but without leaking information that I am responsible for protecting. So it's trying to strike that balance of being able to move fast but being really, really conscious of the data that I have to protect very strongly.

Yeah, we totally agree.
I think it's that innovator's dilemma of how do I use all of the data versus protect things, like you were saying, like PII, and looking at how I put kind of guardrails on that data but without tying the hands of the developers and the folks trying to create yet new data products. What are the things that companies should really look at from a governance perspective and a data governance perspective that kind of tie into that?

I think the way I think about governance is, this is the organizational machine you build that allows you to move quickly and make good, consistent decisions. Those are really good about figuring out complex problems, but you want to give them, as you say, guardrails and the framework for making those decisions. And as a security person, where I think that my role lies is building that organizational machine which allows the business or the engineers in my organization to make decisions around the products they build and where they can use this data, but not have to really figure out, every time they want to use a data set, what do I have to do to protect this. I want to build the decision-making framework that allows them to just move quickly, confident that the foundational security protections are built into those data sources.

And again, when we were talking earlier, you mentioned that you're actually, you know, that's one of the places that you're actually leaning into AI as well, is to help you get to, I guess you could say, higher value development for your own product set by using AI and seeing how AI can play a role in that.

Yeah, we're being very thoughtful and pragmatic about it at the moment, but if I think about my role, I'm supporting the engineers at CipherStash building products and helping them build it in a secure and reliable and resilient way. We're doing some really interesting stuff with assembling kind of well-understood cryptographic primitives in an interesting way to deliver this searchable encryption.
Being able to do plaintext searches on encrypted data is a hard problem to solve, and I want the engineers to spend as much of their time as possible solving that problem and not spending time with sort of the plumbing of how to assemble systems. So being able to use some of the AI coding tools to help with syntax and help with structure and repeatable, kind of lower value tasks means the engineers can spend more of their time and effort on the actual hard problems, which then ultimately helps our customers with the products we build.

That totally makes sense, and I think again it's one of those where you gotta, it's a balancing act. And in fact, you know, when I talk to other CISOs and we're out there talking to different organizations, a lot of them are trying to be, you know, not the, I guess you could say, the people who have to say no all the time, but how do they put things in place? In particular, you know, I'm always asking them, how do you see security playing nicely with those other organizations such as data engineering and platform engineering, DevOps, IT ops? You know, we all have to get along, but how do you approach that, and how do you suggest others are approaching that?
Well, I think there's kind of two things that I really think about. The first thing, which is really important, is that we are all in the same company. We're all trying to solve the same problem: the engineers, the GTM folks, the sales folks, the product folks, the security folks. Our original goal is to build awesome products for our customers. So the first thing is that we're all in this together and we're all trying to then go in the same direction. We have different perspectives, we have different individual focuses, but we're all building towards a common goal. And the second thing is, being the sort of traditional security department of no doesn't work, and having empathy for the fact that some engineers may have worked in organizations where they would worry to go and talk to the security folks because they got told no. I feel my job is to empower them to be able to get to their outcomes as easily as possible and give them guidance about the security domain, which they may or may not have a lot of experience in. And I'm really lucky that, because we're a security software company, security is front of mind for everything we do, so it's a really easy conversation. But me making the engineers' jobs easier is a real kind of north star for me. And then, because I've taken the approach of how can we fit this thing on securely, how can we ship product features securely, how can we tweak our build process so there's the lowest amount of friction possible while still maintaining our security bar, means that when there is something that I do need to say no to, and that's a pretty rare thing, I've earned the trust with the engineers. So when I say, actually, we need to spend more time looking at this, they know it's a real thing. It's not just "oh, security saying no again." So those two things work together so that we can move quickly and we can have a critical thought process around, you know, is this the right thing to do for our customers and our business.

That makes total sense, and I think, you know, again
we've been, you and I have both been at a particular hyperscaler and had to go through and had various different, I guess you could say, not having been in the security side of things but been on the product development side, I think you look at it and go, I never felt that they were just there, you know, security in the CISO's office was there to say no. I think they were looking to protect our customers, which, we were all very customer, you know, working backwards from the customer and very focused on that. But I think that, especially with where you guys are, you know, your product is really focused on the data, and really heavily. One of the big targets that I see when I'm talking to organizations, and especially those that have gone through the whole exercise of consolidating their data town, is these data lakes and data warehouses. You know, data platforms have now become logical targets. What do you think when you talk to other organizations and they're like, okay, yeah, we have to protect this, but that's what the system's for? As you were kind of saying earlier, hey, we take the data warehouse or the data lake and they tell me it's secure from the outside. How do you, what are the things that people need to really consider about that?

Well, I think that people have done a really good job historically of, you know, securing the system and securing the applications, and a lot of different places folks talk about their AppSec processes. But I think as we use more and more data, and as we are able to identify those kind of behavioral trends of what normal usage and abnormal usage looks like, particularly if you think about, like, the medical application I was talking about before, there's unlikely to be, like, a big slurping of data out of the application in normal use. So if you've got really good visibility of the operations on the data, you can then identify when, like, when data is moving, because that's a lot of the challenge. Data lives in multiple different places in an organization. It
could live in a NoSQL database, it could live in a SQL database, and then you're trying to aggregate these different types of data into a data lake to drive real value for your business. But you need to understand, the superset of all of this data that's been pulled from different databases, are you still protecting it effectively? And does the risk profile of the data from a database that's accessed in an individual record kind of style from a particular application, that's something you're pretty comfortable with. But if you punt all this data into a data lake and then you're able to do, like, a lot broader analysis of it, the risk profile of that larger dataset changes slightly. So being able to have the protection move with the data is really valuable, so you have a greater degree of confidence that when business teams join all of these data sets together, you still have the level of confidence that it is protected, and the business can still reach their outcome and do queries on large data sets and get insights from it without leaking the individual records.

No, I think that's great advice. And I think, you know, kind of the last question I have for you is, as you look forward with this world of AI coming at us, this world of unbelievable amounts of data, what's your advice to other CISOs out there about how they should think about securing their data and securing their AI going forward?

I think there's two things I would say. One is that security foundations can be kind of boring, but they're super important. Like, I've heard folks refer to it as eating your security vegetables, or cyber hygiene. Building that into the cultural ways of working in your organization means that everybody's focused on security being important, and, you know, when they start building these awesome applications that are really good for driving business value and making great decisions, they think about, what's the context here? And then the other thing is, from the security program end, what
are we doing to help people make good decisions? And a really good frame of reference I've used for large language model security is the OWASP Top 10 for LLMs, and that's got some good categories around the particular types of threats and risks that you are considering when you think about building LLM applications. So training on the right sort of data, interpreting the prompts that people are putting in, being conscious that data could be leaked based on sort of different prompts going into these general applications. So being really clear about what you're trying to solve, and basing that on really good security foundations, means that we can take advantage of the really fast development of AI and, like, really accelerating our businesses, but still keeping the data that we build our businesses on protected and safe. And then we can all kind of move fast.

No, I think that that is a great spot for us to kind of wrap things up, because I think again it's great advice for other CISOs, and I think people can really take that to heart, because I think things are moving so fast, but everybody, you know, as we kind of joked about, are in the same canoe, and we've got to paddle in the same direction, right? Well, thank you for coming on, Paul. I really appreciate it.

Thanks for having me.

Stay tuned for more SuperCloud 6.