
KBKAST
Episode 252 Deep Dive: Mario Duarte | Navigating Cloud Complexity: The Evolution of Infrastructure
First Aired: March 29, 2024

Mario has 20 years of experience as a security professional working across the retail, healthcare, and financial sectors. He has built and managed security teams, developed and implemented security programs, and managed PCI and HIPAA compliance initiatives for medium and large organizations. He also currently serves as both an advisor and investor at Silicon Valley CISO Investments (SVCI) and SYN Ventures.

Episode Transcription

These transcriptions are automatically generated. Please excuse any errors in the text.

Mario Duarte [00:00:00]:
We have to get into an honest conversation with our senior executives and explain to them that we do wanna get into this exciting field of AI. But let me tell you right now, right now we don’t have a lot of visibility. If we’re gonna do this, we need to do x first or convey to the employees, give us a little time by a little time by saying, here are the policies on AI. We need you to do x for the next period. These are difficult conversations, but we have to have them. And at least inform our senior executives about this risk that we’re taking. The idea that you’re gonna go use AI in a company and let people use it if you have no visibility or level of visibility in what people are doing is dangerous.

Mario Duarte [00:00:52]:
that security and testing and performance and scalability police can comply. And we can actually automate it.

Karissa Breen [00:00:58]:
Take that data and use it. Joining me today is Mario Duarte, VP of Security from Snowflake, and today we’re discussing how AI fits into the state of cloud security. So, Mario, thanks for joining and welcome.

Mario Duarte [00:01:12]:
Welcome. Thank you, Katie. Thanks for inviting me.

Karissa Breen [00:01:15]:
So I wanna start with your view on the current state of cloud security.

Mario Duarte [00:01:21]:
Well, I think there’s been a lot of progress in cloud security. You could see that through some of the lesser events that have happened around cloud misconfiguration. I mean, it still happens, but I think people are generally getting used to the different infrastructure and the technology. I think we’re becoming better at it. So that’s really helpful. It also has proven to be a very useful platform to use cloud, and also cloud security as well.

Karissa Breen [00:01:50]:
So do you think people feel a little bit overwhelmed when they hear, like, cloud security? Because if I go back to when the cloud was somewhat emerging and it wasn’t as ubiquitous, people felt afraid, and now it’s we meant, like, cloud security. How do you think people are sort of responding to those sort of terms from your perspective?

Mario Duarte [00:02:06]:
I think it’s kinda regularly accepted now. You know, when I first looked at when we’re talking about cloud or just even the cloud back in 2007, 2008, and it was really a foreign topic, foreign subject, and people didn’t quite understand it. Imagine when I first joined Snowflake was back in 2014, and we didn’t even have a product or customers back then. And the idea of putting your most precious data on the Internet was what with some crazy to a lot of the companies back in 2014. You fast forward to now, and that’s a generally accepted and approved model of posting your data.

Karissa Breen [00:02:48]:
So just another quick question on that front then. Do you think people in general get cloud security? Because I’ve spoken to people on the show at length just about, like, cloud in general, and they were talking about cloud security. Do you think that there are a lot of misconceptions still in the space? And then if so, what would they be?

Mario Duarte [00:03:03]:
A lot of the companies have moved on that journey from being on prem or solely on prem to, you know, kind of a hybrid model. In some cases, like us at Snowflake, we were born in the cloud. We didn’t have any infrastructure, so it was very different. Those are still kind of rare cases, KB, when a company’s strictly cloud. But I would say I would venture to say the vast majority of companies have a hybrid model, and, you know, when I talk to them about cloud security, I believe they have a general understanding and comfort with the particular cloud that they’re using. I think things get a little bit more complicated and more difficult to secure quite honestly when you’re having to do multiple clouds. So if you have Azure, GCP, or AWS, that becomes a bigger daunting problem for companies. That’s where I see still more the challenges when it comes to cloud security.

Karissa Breen [00:04:00]:
Would you be able to elaborate a little bit more on those challenges that you’re sort of seeing? Even, like, maybe 2 of the challenges?

Mario Duarte [00:04:06]:
Well, I mean, I think even think of some of this basic as logs, and the way the logs are presented by Azure or it could be very different. There are some cloud providers. I’m not gonna pick on any of them, but some of them are easier to interface with and to collect logs, for example, and the richness of those logs and telemetry compared to another vendor who might be a little bit more difficult to integrate with and difficult to assess some of the telemetry that’s being provided by that cloud provider via their logs. That’s an example that I can think of.

Karissa Breen [00:04:41]:
And I know you’re sort of generalizing. You’re not sort of picking on anyone in particular, but do you think those cloud providers are aware that maybe it’s a little bit complex, so they’re working on making that easier? Because the whole sort of idea about cloud, to some degree, from a vision point of view, is to make it easier for people to do stuff. So you’re saying it’s hard to integrate. Isn’t that sort of counterintuitive then?

Mario Duarte [00:05:01]:
It’s more about automation and the richness of their API, their cloud APIs, and how some of these folks you know, if you look at the cloud at least 3 clouds, let’s for example. You just have to kinda look at their history. I like to go back to where they started from. And that tends to be kind of their angle. So, like, somebody like, for example, Azure. They are traditional you know, it started with the PC, for example, and they’re more of the on prem, more of the enterprise model. While you have something like AWS or even GCP, and what you get is you get a lot more developer driven cloud infrastructure, whereas less like a system administrator, more of an engineer developing on top of those clouds. And these are very general.

Mario Duarte [00:05:47]:
Right? I mean, that’s not I mean, you can have the same thing happen with Azure engineers as well, but I’m just talking about the basic components for these cloud providers and their heritage.

Karissa Breen [00:05:58]:
Okay. Let’s focus now on the role of cross cloud security. So maybe walk me through your thoughts on this.

Mario Duarte [00:06:06]:
We started doing this cloud migration, or cloud integration at Snowflake. So Snowflake was originally born on AWS, and we were primarily AWS for 3, 4 years. And then we needed to start working on Azure and deploying Snowflake on top of Azure. Even then, some of the challenges you would have even though, you know, a lot of times, even the terms, are not even the same. Right? So your HSMs may be different. They may be called Key Vaults on Azure, KMS on AWS or it’s just Samsung, AWS. So even the jargon is different. Where it gets kind of interesting was in those I mean, again, I’m talking about 3, 4, 5 years ago.

Mario Duarte [00:06:53]:
Some of their HSMs provided by Azure may not have had the same level of ciphers or type of ciphers that AWS had. So even then, that was difficult. I think things are getting a lot more, I think some of the basics are being shared across these cloud providers, but it’s still challenging when you go from one cloud to the next cloud.

Karissa Breen [00:07:13]:
That’s a really interesting point you just said there, Mario, and I had this conversation with a friend of mine who said security for a retailer. Do you think that people, it’s a challenge. Right? So do you think people sort of just stay with cloud providers even because it just becomes too hard? Couldn’t be bothered. It’s all too much work. So do you think that pay perhaps people staying compromised or because this is too hard, or what are your thoughts then on that front?

Mario Duarte [00:07:38]:
I think people get used to it, 1. K? So engineers get used to something. You wanna be efficient. You wanna be productive. Anytime you have a change, a different infrastructure, that becomes more challenging for that engineering team to learn something new. Sometimes you need to hire losing engineers of that expertise. I mean, that’s kinda what we did at Snowflake. We needed to actually hire folks who were engineers from Azure.

Mario Duarte [00:08:01]:
They came from Azure. They had experience with Azure, and we did the same thing with GCP. So you need to bring in some talents at times that are experts or are knowledgeable in those particular cloud providers. And eventually, it becomes you find ways to be able to manage multiple cloud providers, you make it easier to work with. And that becomes kind of your secret sauce as a company. But bottom line, it really is one about comfort. And when you think of comfort, that has an impact on productivity. And so a lot of companies would hesitate to do multiple clouds because they understand how challenged the problem can be.

Karissa Breen [00:08:42]:
Yeah. I totally hear your point around you get used to it even on this platform we’re recording on today. Like, we’ve been using this for a while. There are multiple other ones out there, but why would we change when we know the processes? We know how to fix it since we had that issue before you and I jumped on here today. So I think that it’s sort of a mindset thing. So why would be the impetus to someone moving anyway? I get the whole, you know, like, multiple cloud, especially from a backup DR point of view, but why would a company go, alright. Let’s just go and move everything. What would be the reasoning then behind that?

Mario Duarte [00:09:15]:
From a business perspective, having multiple cloud providers gives you, the consumer, potentially a better way to bargain for pricing, to negotiate for better pricing from these cloud providers. You basically say, see, you know what? You if this cloud provider is offering me this while the other cloud provider is not and or they’re charging me more. So you really you know, even though it’s comfortable to be one cloud provider, I caution and I encourage folks to consider looking on our turn to you leveraging more than just 1 cloud provider. And that’s just from the backup, but just from a business perspective, you wanna have better negotiation leverage.

Karissa Breen [00:09:57]:
Okay. So talk to me a little bit more. You said you can bargain for better pricing. So what does that sort of look like, and is that effective for people? Because sometimes speaking to people that are on the show or just people that I know in my network, like, they do say, like, hey. Looking at x cloud provider, they’re better at this area, but not as good in that area. So I get, like, you’re not gonna always have in a perfect world. Everything’s gonna be amazing. Some are better than others at certain areas.

Karissa Breen [00:10:22]:
Depends on what you’re looking for. But how does that then look for people that perhaps are thinking about better bargaining, getting, you know, better bang for buck, etcetera?

Mario Duarte [00:10:33]:
Well, one of the things you wanna do is you start thinking about, you know, like, storage itself. And 1 vendor might charge you, you know, $10, $20, $30 for a gigabyte of storage, while the other one is charging you $100. Why? This is the first question. Why are you charging me more while these other vendors charging me less and the technology is basically the same? And that’s just a basic one. Just, right, I mean, then you start thinking about transfers. If you’re moving data in and out, that also becomes pricey depending on who the cloud provider is, and that’s another area where you can negotiate better pricing.

Karissa Breen [00:11:10]:
So just going on your two examples, storage and transfers, do you think that these are sort of areas that people forget about then are blindsided when the bill comes or when they’re actually going through how it all looks from a pricing perspective?

Mario Duarte [00:11:21]:
I mean, I think most of us have been more used to that because there’s a kind of basic it really actually goes more up the chain. It’s more about more feature richness and what they have to offer. Some features are better on one vendor than others. There’s more integration on another vendor than the other one. You can certainly live with that, and accept some of those challenges, but that is also a way to negotiate better pricing with your cloud providers.

Karissa Breen [00:11:47]:
Okay. I wanna switch gears now. And now depends on who you speak to, and people are varying opinions on AI, as you know. So now I wanna sort of talk through how AI fits into the state of cloud security. And then what is your opinion then on this?

Mario Duarte [00:12:06]:
Just like cloud, I was thinking about this recently at another chat with Aliyah’s thesis in the industry, and we were talking about when the original cloud or when you started hearing about the cloud back in, like I like I was mentioning, 2000. And, you know, people started testing it, kind of dabbing into it slowly or some people just went all the way in, but it was new. I would say the same thing happened with containers. This, you know, Kubernetes containers, Dockers, whatever that is. When they first came out, it was really a weird creature to begin with. How do you secure was the next question. I don’t feel comfortable supporting this. Why is the business having us do this? And so those are the things that we would think we would generally think about in security.

Mario Duarte [00:12:55]:
It’s the same thing with AI. I mean, I know there’s all these amazing things that AI, or at least people are saying AI is gonna do, but it’s just another form of technology. It’s a new technology, and we’re gonna get used to it. We’re gonna learn from it, and we’re gonna learn how to secure it better. We have to.

Karissa Breen [00:13:10]:
So people talking about, like, ethical frameworks around AI and all of these types of things now, what are your thoughts then on that?

Mario Duarte [00:13:18]:
I’m more concerned about it’s not that I’m not concerned about ethical AI and how people should be using it. I, you know, I’m just reading a book recently called the Chaos Machine. I don’t know if you read that before. And if you read that, you’d be like, wow. Oh my goodness. This is scary from what power what AI can do and the ethics part of it. I kinda leave that to the smarter people, KB. My job really is to think about I’m a much more basic.

Mario Duarte [00:13:46]:
I’m a much more basic animal. I’m thinking about how can our company use AI in a secure way that doesn’t expose customer’s data or our own data, and how we can manage and govern that?

Karissa Breen [00:13:59]:
So on that note, so how can your company leverage AI then?

Mario Duarte [00:14:03]:
One of the things that a lot of companies do is they’ve invested heavily in their security program, in their governance. They understand to an extent where their data’s at, who’s accessing their data as an example, what are they doing with that data. So you build some processes, technologies, people that understand that, and you, I don’t wanna call it a virtual castle, but think of it as you get comfortable with these controls that you implement. What one needs to do, in my opinion, is bring the models to your data, closer to your data. I think where we run into some challenges is when we start using some public AI models, gen AI models, LLM models that are using the public. We should be concerned with employees using our data, company data, in public forms, public areas that are, you know, used by other companies as well. It’s the idea of think of, you know, I had a colleague of mine whose kid had turned 21, and they took a picture of their driver’s license when they turned 21 and posted it on Instagram. The entire driver’s license with all the minutiae of the driver license numbers and everything else, you would never do that.

Mario Duarte [00:15:27]:
Right? Never do those things. Not where everybody can see it. It’s the same concept with AI. Bring your models where your data is at, where you’re managing and governing your data.

Karissa Breen [00:15:38]:
But isn’t this the part where people like, what you’re saying makes sense and, you know, it’s correct, but people are still trying to do, like, basic stuff here. Like, basic stuff, like patch management. I’ve gone on about that for so many times on this show. So talking about, you know, from your perspective, yes, it seems really simple, but people are struggling just to do day to day stuff. And so then when we’re talking about AI and the complexity to it and, yes, I do agree that it does make life easier, but you still gotta wrap your head around it. And the people about you mentioned it before about being comfortable. I don’t know if people are comfortable yet. Would you agree with that statement?

Mario Duarte [00:16:13]:
People are not comfortable with it yet. There’s a lot of geekiness to it. There’s a lot of really smart people. I could not, you know, I look at this and in all fairness, KB, I am a little bit I wouldn’t say scared, but I’m a little bit intimidated by, you know, I studied statistics, but I wouldn’t call myself a scientist in this field. So I’m a little bit apprehensive, and so I think that is natural. But just because something is foreign I mean, we’re in technology for a reason, especially in security. Right? We’re constantly changing technologies and we have to readjust and learn and relearn. This is just no different.

Mario Duarte [00:16:56]:
AI is no different. We are gonna have to learn. We’re gonna have to embrace this change, and we’re gonna have to figure quickly how to make it secure and usable in a company.

Karissa Breen [00:17:05]:
So how do we sort of get people comfortable, though? Do you think it’s just a matter of time? Like, with anything, with any change, it takes time, or do you think there are other ways people can start to get a little bit more comfortable?

Mario Duarte [00:17:16]:
Well, first, you need to have visibility. Like, you need to understand who’s using it, where are they using it, and how they’re using it. And so first, you gotta ask yourself, how am I able in my if I’m looking at a company, like, when I go talk to their other CSOs as well, is, okay, first, you have to have visibility in how your employees are using it. Second, you need to provide 1, we the companies need to provide our employees with the right AI tools that are approved in an approved environment so our people can go work with them, learn from them, test, etcetera, but in a controlled and safe environment. So we want you to have visibility, but then we need to

Karissa Breen [00:18:04]:
what you’re saying, but there’s probably people that turn around to you and say, well, I don’t even have that. Why? Because look at all the major data breaches that have happened here in Australia. People don’t have visibility. So then what happens when someone turned you and said, well, Mario, I’d love to have visibility, but I don’t. What do you do then, and how do you respond to that?

Mario Duarte [00:18:19]:
That’s not an AI problem, KB. That’s a visibility problem. So we instead of going I mean, instead of talking about AI, yeah, you’re right, but you can’t learn how to swim right now if you don’t know how to get in the water. So it sounds to me like what we have is a visibility problem. Okay. Let’s figure that out. How can we improve our visibility? How are your employees working? Where are they working from? How are they accessing resources? How are you collecting that information and bringing it into a central place that you can make sense of that? So to me, it’s a different problem. It’s a visibility problem, not an AI problem.

Karissa Breen [00:18:51]:
But that’s the part that I’m asking. If it is a visibility problem, you’ve gotta crawl before you can walk, run, whatever that saying is. So then that’s the part that I’m curious to know if people aren’t even doing that or aren’t even there at the visibility and don’t really have that, which is fair enough. I understand that. So then how like, then we’re trying to introduce complexity then already. It’s like saying to a baby, okay. Go out and run, like, 100 meters or

Mario Duarte [00:19:16]:
That’s correct.

Karissa Breen [00:19:17]:
So how do you move past that then?

Mario Duarte [00:19:19]:
We have to get into an honest conversation with our senior executives and explain to them that, you know, we do wanna get into this exciting field of AI. It’s gonna make us more productive. It’s gonna advance our and if we don’t keep up with the competition, they’re gonna beat us. But let me tell you right now, right now, we don’t have a lot of visibility. If we’re gonna do this, we need to do x first or convey to the employees, give us a little time by a little time by saying, here are the policies on AI. We need you to do x for the next period. Now, I mean, these are just conversations. These are difficult conversations, but we have to have them.

Mario Duarte [00:19:58]:
And at least inform our senior executives about these risks that we’re taking. The idea that you’re gonna go use AI in a company and let people use it if you have no visibility or lateral visibility in what people are doing is dangerous.

Karissa Breen [00:20:11]:
So what specifically about the conversation makes it difficult? Is it people are, like, reluctant? You said before apprehensive. Is it they I’ve got to invest all this money, time, resources. What is it though from your point of view?

Mario Duarte [00:20:23]:
It’s a newer technology. So anything new, anything change, it’s difficult for us human beings. Our minds are not designed to handle change very well. Okay? So that’s 1. You gotta just be empathetic quite honestly. A lot of the times you have to understand, okay, what is the business? What is it that you’re trying to do? I mean, I have, like, for example, every marketing organization out there wants to use every marketing tool on public Internet as you probably are familiar, but maybe some of these vendors you’re gonna work with in the marketing department are maybe not the most secure hygiene folks in the world, and maybe those are not the ones you wanna work with. I think you need to have these conversations with the business and say, okay, maybe we can use all these AI tools that we want, but let’s go look and partner up with those vendors who appear to be ahead of the game or at least understand the problem and are providing a secure environment to work with.

Karissa Breen [00:21:14]:
Okay. You said something before that I wanna just press on, which is empathy. So would you say not enough people are being empathetic? Now I say this with love to my cybersecurity community. I’m a practitioner. I trade myself. But if we look at the standard stereotypical cyber person, it’s like, just do the thing, and there’s maybe, perhaps, at times, not a lot of empathy then around it. So would you say that maybe people aren’t approaching that with love and care towards their executives?

Mario Duarte [00:21:42]:
Let me use an analogy. If you think of a company as being a vehicle and every group in that vehicle is a wheel, if security is a square wheel and everybody else is a round wheel, that driver, that CEO, is not gonna take that for too long. They’re gonna pull over, and they’re gonna replace that square wheel with a round wheel that fits the model, fits the business, fits with the culture, and helps the car drive more efficiently. I think we, you know, security people need to be more empathetic and listen to the business, listen to the folks who need to do whatever it is as a function of the business, but understand they’re challenging, especially when we’re telling them when we’re putting new controls. Because when we put controls on people, it makes their job potentially a little bit more challenging. It’s definitely different. So I think if you don’t listen first to how they work, what is it that they’re doing, and what challenges you’re gonna introduce, your security program’s gonna introduce to somebody, then I don’t think you should be in the security industry.

Karissa Breen [00:22:45]:
Well, that’s absolutely a fair point. So do you think after hearing people hear you say that, they’re gonna say, well, maybe I’m out.

Mario Duarte [00:22:53]:
Well, yeah. I think look. You know, I got into security 25 years ago. I love technology. I love technology for the sake of technology. Okay? I mean, I just I can just tinker around with it. I love working on systems and code and everything, but not everybody is wired like that. And if you’re gonna be a leader in security, you have to learn to appreciate the different audiences you’re working with.

Mario Duarte [00:23:16]:
You know? If even the terms that we use, you need to understand who you’re speaking with, who is your customer, who is your partner. And if you’re trying to have a communication, you’re trying to communicate, you’re trying to get a point across, learn to listen first. And learn listening means also how to communicate with that person so your message resonates better.

Karissa Breen [00:23:38]:
So you say AI will be an enabler. So maybe what does this sort of look like in your mind?

Mario Duarte [00:23:44]:
Well, I mean, like, just give you an example. So think about, you know, if you get CloudTrail events. Let’s talk about CloudTrail logs. Right? You’re getting from AWS, Azure, or GCP. And they have, a lot of oftentimes, you consume those. You put them in your security data lake or you put them in some SIEM, whatever that is. Right? And so if you look if you consume all those JSON files, they have, you know, patterns. They have brackets here, brackets there.

Mario Duarte [00:24:06]:
Oftentimes, the security analyst needs to review this and, yeah, we get used to it. It’s almost like the matrix. Right? We’re kinda looking at these logs and making sense out of them. Using some AI, some basic AI tools, you can make it user friendly where the models can actually consume the CloudTrail events, remove that JSON complexity, and make it human readable, human understandable. Imagine a new security analyst getting into this industry, how effective they could be, how much more productive they can be if the CloudTrail events are translated in human form.

Karissa Breen [00:24:43]:
And is that the part where you believe people don’t see that on the how much more productive your team can be? Is that the part you think maybe people don’t quite understand?

Mario Duarte [00:24:54]:
I think they’re starting to, but I think what they don’t understand is they probably are afraid of, like, where do I start? I don’t know this. This is very different. And so they get caught. They just paralysis analysis. Right? Basically. I think, KB, you were talking about multiple clouds. Well, you know, imagine having to you could use an AI tool that allows you to simplify the complexities, the uniqueness of each of these cloud providers and make you more productive, where you don’t have to worry so much about the individual minutiae of each cloud infrastructure, and you can abstract all of it in a much simpler way for you to work with. That becomes very powerful.

Mario Duarte [00:25:35]:
I mean, really quickly.

Karissa Breen [00:25:37]:
So just quickly, on the mindset approach to AI, etcetera, now you said before, you’ve been in the space 25 years. So when the Internet sort of started to emerge, if you wanna call it that, in nineties, do you think people sort of had the same sort of apprehension? Like, oh, like, what’s this gonna do? But then look how much it’s transformed the businesses, how many more jobs it’s been able to provide to people. So do you think there’s this element of, well, we don’t know what we don’t know yet, but hindsight’s always a beautiful thing. So do you think in 5 years time, you come back on the show and you’re like, hey. That conversation we had, KB, you know, a lot of those things have been demystified because now people understand what’s happening, and when people understand, maybe they’re a little bit more comfortable.

Mario Duarte [00:26:19]:
I would hope so, and I would look just at past history of how we embrace newer technology we humans do. And all you know, the wonderful thing about competition and competitors out there, they’re constantly trying to produce or provide a service that’s better than the competition and that makes their customers happier. Competition is gonna drive us to embrace AI and to make it more secure to work with because that’s just what’s gonna happen. The competition’s gonna do it.

Karissa Breen [00:26:55]:
So would you also say that in this let let’s my doing air quotes. You can’t see me, but AI world, if you wanna call that, or how we’re traversing towards this way of operating. Isn’t this the inevitable, though? Weren’t we eventually gonna get here? Like, it had to happen at some point, whether it’s, you know, in the last couple of years or the next 10 years. Like, eventually, this would be the natural progression. Wouldn’t you agree?

Mario Duarte [00:27:16]:
100%. This is exactly what’s happening. Right? Like, we’re going to have this. We like, just like we did with like, again, with cloud providers. You know, before, we had to put this hardware or this network devices in our closets in our network closets. Right? So there was always this physical component of it. And we moved to the cloud, and we removed all that. I think at River KB, maybe you may be not being around, but maybe 20 years ago, you had a bunch of network administrators, network engineers for a lot of companies.

Mario Duarte [00:27:46]:
Right? You needed your network engineers. Where are they now? I mean, they’re still around, but they’re certainly not the size that they were before. So where did they go? Well, they either learn new skills for the new needs of technologies or they either change jobs or they retire. That’s what’s gonna happen. It never stops.

Karissa Breen [00:28:07]:
So would you say that’s the part that people are struggling, like, for just I know there’s lots of parts, but I’ve just focused now on learning new skills. Because back in the day, like, I don’t know, my parents growing up, you would go to university or college, and then you’d sort of just do the one thing. And there wasn’t much change, whereas now things change daily, and there’s a lot more constant upskilling that you need to do than ever before. So is that the part where people are like, oh, I couldn’t be bothered. I’ve already done my 6 year degree, and now I’ve gotta do these micro credentials courses. And like you said, well, what happens to them? They either go outside of the company, the business in that role, they retire, or they’re forced to upskill.

Mario Duarte [00:28:42]:
Right. And if you’re forced to upskill, you become a, you know, you get rewarded. I think you get rewarded well from a salary perspective opportunities. It’s just, you know, AI is not going to replace the developers. The developers who use AIs are gonna replace the developers who don’t. That’s really what’s gonna happen. And a lot of these what we call AI would just be you know, you won’t even call AI. It would just be the way we work.

Mario Duarte [00:29:12]:
It would just be part of, kind of an augmentation to some of the things that we do. So it’ll become seamless, quite honestly.

Karissa Breen [00:29:21]:
So the other side of this coin I wanna look at now is you also say that AI could become a potential blocker. So talk to me more about this then. What does that look like?

Mario Duarte [00:29:33]:
I think the biggest problem is if you start moving your data or using your data in a public forum where other people will be able to see that information, that will become a blocker in this industry. You don’t want that. I think when we start making mistakes or potentially even internally, what may happen is somebody who’s really excited about these new AI models that they wanna implement gain more access to data that they shoot in and expose it internally unbeknownst to them. But once you feed these things, these data into the model, other people can ask the model for some of that data even though they may not have access. Those things are gonna start becoming blockers. Those are concerns that we need to think about and address.

Karissa Breen [00:30:24]:
So if you had to boil it down to if AI is more of an enabler rather than a blocker, would you agree that AI is definitely, hands down, wins the race of being more of an enabler rather than a blocker if you had to weight it percentage wise?

Mario Duarte [00:30:37]:
Yes. Yes. It is an enabler. In the right and with the right mindset, the right timing, getting the right skill sets, understanding who you have in your company regarding those skill sets, and partnering up with the right vendor or partners out there, yes, it is a very strong solution.

Karissa Breen [00:30:57]:
So is it gonna take a little bit of time from your perspective for people to get the right skill sets? Like because, you know, obviously, people don’t get qualified overnight, so to speak. So is it gonna take a little bit of time before people can start really, like, motoring along in their AI journey, if you wanna call it that?

Mario Duarte [00:31:14]:
You know, I’m just thinking yeah. I’m just thinking about that problem. I love encryption, KB. Right? But I’m not an encryption kinda guy. I don’t have a PhD for that kind of level of looking at the mathematics behind encryption. I mean, I look at it, but I can never create my own encryption tools. Right? I would argue most of us may not appreciate all the math. You don’t have to be a mathematician to be able to use TLS in your environment.

Mario Duarte [00:31:39]:
Right? I’m gonna encrypt traffic. Okay? I’ll just use this program that has TLS already built into it. I think that’s what’s gonna happen with AI. Not every person is gonna need to be a scientist in statistics and build their own models. We’re going to this is already happening. There are already models available in open source community or even commercial. Folks have tested these models with data and they’re reasonably strong. You don’t have to go and reinvent a model.

Mario Duarte [00:32:08]:
You don’t have to reinvent the wheel. Let me leverage those, use my data, and come up with new insights. So there will be different verse I mean, there’ll be different levels of what it means to use AI and what kind of skill sets you’re gonna need. But you don’t have to be a scientist to do this.

Karissa Breen [00:32:23]:
So what about moving forward then? And I know that there’s still a lot of questions that need answering, and we still don’t know what we don’t know. But, I mean, I’ve been sort of asking this question in the last, maybe 12 plus months now specifically on, I would say, significant shift when ChatGPT was really launched in the market hard around November, December in, what, 2022. That’s when a lot of these AI conversations started to really emerge. So I’m always really curious now, you know, 12 plus months on where that journey is going, but then also another 12 and beyond. So do you have any thoughts then on that front?

Mario Duarte [00:33:02]:
I sometimes worry about the herd mentality that we people have, humans have. Right? And I remember ChatGPT and you all you know, there was also a significant investment by some companies, right, in those organizations. And that attracted a lot of attention, a lot of VC money into a lot of startups. And I see these. I live in San Francisco, so I’m seeing all these new startups popping on AI, and it just reminds me of the dotcom. I hate to say this. Some of these folks are not gonna survive 2, 3 years from now. So I see that as a concern, but at the same time, what I do see is a lot of our vendors that we have relationships with are going to start leveraging or already have leveraged some of these models to improve their services.

Mario Duarte [00:33:50]:
So we’re gonna start experiencing this in the next 12 months if we haven’t already vis a vis our vendors. I mean, think for example, Zoom. Right? Zoom now is leveraging some AI for some of the meetings. There’s a lot of new technology being introduced of applications that we today use that are implementing AI. And we’re naturally gonna do some of that ourselves internally. Companies will do that as well. So in the next 12 months, I just see this rapidly growing more and more. This is not slowing.

Mario Duarte [00:34:22]:
You need to embrace it. I mean, we need to embrace it and understand what our role is gonna be in this next space in the next 12 to 36 months.

Karissa Breen [00:34:31]:
So it’s going back to your comment around some of these companies won’t exist, sort of akin to the dotcom boom. So do you think that’s gonna go out of business? Do you think that they’ll just become obsolete, or what do you think sort of is gonna happen? There’s just too many of the same type of tools out there?

Mario Duarte [00:34:45]:
Somebody comes out. You know, in my space, most CSOs also get, you know, constantly targeted by salespeople, new salespeople saying, hey. I got a new tool. Oh, they wanna sell you something, basically. And a lot of these AI startups, they’re just service, an idea, a feature. It is not a product. Right? So they are getting millions of dollars in VC money for a feature where you should be looking at what is the product, what is the application. Yes.

Mario Duarte [00:35:18]:
You can have multiple features, but that’s what you wanna see. I don’t see that with a lot of these startups. They have one feature that’s interesting, exciting, fine, but that’s not worth millions of dollars in my opinion.

Karissa Breen [00:35:32]:
Yeah. This is where it gets really interesting because you are right. VCs are throwing lots of money at things, and sometimes it becomes down to a lack of, well and, look, I’ve spoken about this a lot, and it’s really interesting because sometimes these companies that you’re alluding to are just a feature that don’t really have a product. They’re getting the money because they do really good PR and marketing and media and all of these types of things. They’re the one that appears on the surface and gives the illusion to a VC that these guys are really, really good. Hats off to them. That’s my world. I understand know, you know, featured companies feature companies rather than product based companies then. Aren’t they the problem?

Mario Duarte [00:36:14]:
Look. You know, it depends on the VC company. I don’t wanna overgeneralize. I guess I overgeneralize with VCs, but, you know, if you look at it, you know, where is the VC getting involved? Is it at the C round, A, B round, whatever that is? And you’ll get different flavors of VCs and their temperament for risk. And some of them would just simply say, look, I’m gonna find 20 of these or 30 of these, and 29 are gonna fail. But one of these is gonna make up for all the 29 that are gonna fail. That’s been the game. I mean, there’s nothing new about that, and that’s what we’re seeing.

Mario Duarte [00:36:47]:
That’s what’s happening right now. I’m sure you’ve seen the same, KB.

Karissa Breen [00:36:51]:
Yeah. I’ve definitely seen that. I think there’s an actual and I’m not an investment banking person. There’s an actual term that they call it that they do some financial model. I don’t know. Someone smart will have to answer that. But then this is the other question that I have. So there are companies out there.

Karissa Breen [00:37:06]:
I mean, RSA then, for example, there’s, like, thousands and thousands of vendors. Then you got these little vendors, and I’m all for innovation. But then while I’m speaking to startups, they’re like, okay. Cool. I’ve been around for 5 seconds, and I just wanna get acquired. And I want Snowflake to acquire me, for example. So then it’s like, are we really building innovation, or are we sort of just feeding the same beast that already exists? This is the part that gets me. I’m not sure about it.

Mario Duarte [00:37:29]:
Yeah. I mean, if I can without speaking for Snowflake, right, I I’m not gonna speak for my employer, but just looking at some certain strategies, may I mean, that’s not a bad you know, if I stick step take a step back. Maybe as a start up, you wanna get a single or a double. Right? You’re gonna get acquired. You’re not gonna go public. You’re not gonna make the buckles a 1,000,000 of dollars. You’ll make a little. You’ll go acquire, and that’s that’s important.

Mario Duarte [00:37:53]:
For the company who’s doing the acquisition, well, it’s either do they have the talent? More often than not, what you’re seeing is they’re not buying the features or the code. They’re buying the talent, KB. Right? That’s a strategy that we see. Oftentimes, we just get rid of the product and just want the people with their experience because it takes, you know, you can hire maybe 30, 40, 50 new engineers that have that, you know, that muscle memory for that particular area, and you get it at one swoop instead of having to hire them individually, and that could take you years in the competition to get ahead of you. So I think there is a space for that. I don’t wanna be so black and white. I would not wanna do that as a startup, but there is a space for that.

Karissa Breen [00:38:39]:
So, Mario, is there any sort of closing comments or final thoughts you’d like to leave our audience with today?

Mario Duarte [00:38:45]:
I think you just I know AI sounds really maybe a little intimidating, and I will be the first one to say I am intimidated by it. But being in security, you have to embrace change. You have to learn, and that’s how you grow as a professional and how you

Karissa Breen [00:39:19]:
Thanks for tuning in. For more industry leading news and thought provoking articles, visit kbi.media to get access today.
