Mark Jones [00:00:00]:
Adoption isn’t, you know, watching some YouTube clips, keeping up to date with some articles, maybe doing a course in AI. That’s not adoption. Adoption is getting your hands dirty, as in your machine, your lab, understanding how it works, what it looks like.
KB [00:00:16]:
From KBI Media, I’m Karissa Breen and this is KBKast. My guest today is Mark Jones, co-founder and deployed engineer at MosaicalAI, who spends weeks in front of CISOs and boards helping them to adopt AI without becoming the department of no. We talk about moving fast on AI versus keeping it controlled, why banning tools backfires into shadow AI, and the question hanging over every security team: do you reinvent yourself in the next two years or do you get left behind? Before we get into it, do me a favor and hit follow wherever you’re listening; it genuinely helps the show reach more people who need to hear these conversations. Alrighty, let’s get into it. Okay, so, Mark, cybersecurity has spent years being known as the department of no, as we know. So why should anyone trust cyber teams to become the champions of AI adoption?
Mark Jones [00:01:16]:
Well, I think inherently cyber people know and understand risk, and given what we’re moving into, that’s something that I think we can’t overlook in this situation. So we need to really kind of leverage and understand what the business is doing and apply the discipline of what we’ve learned over many years in cyber security to this new pace of technology, I guess this implementation of technology. And yeah, really just work out how to control it and not be standing behind it or stopping it, just understanding how we can adopt it safely.
KB [00:01:50]:
And so given your tenure in the space and what you’re doing now, what are your sentiments in the market? What are people thinking about AI? Because I know that the majority of people are like, yes, we’re going to embrace it. Obviously there’s the guardrails and all that sort of stuff. But what’s your view in terms of how people are approaching it? Specific to maybe Australia, where you’re based.
Mark Jones [00:02:12]:
The thing that we picked up, and it’s a good point you raised across different countries, and this is from the field, is that Australia is definitely behind in adoption. And I’m not saying every place, but certainly just looking at the last four or five weeks that we’ve been out in front of a lot of CISOs and security leaders. What we’re putting together, and are about to publish some research on, hopefully soon, is this spectrum of adoption and in particular what that means for the cyber team. So it goes literally from “we really don’t understand even where to start” to “we’ve got a little bit of stuff, we might have some Copilot and a bit of chat interaction” right through to the end of the spectrum of “we’ve got fully set up, governed, guardrailed, harnessed environments, builders in every team” and pretty much everything in between. That spectrum is, you know, what we’re seeing.
Mark Jones [00:03:00]:
So it’s definitely something that we need to help support and security. Being thrust into that discussion is an opportunity to kind of lead from the front rather than sort of stepping behind it, as I said. So, yeah, there’s really a, a very wide spectrum of adoption that we’re seeing and that’s, you know, from literally from talking to people and going through what they’re doing, how they’re doing it, and then trying to obviously help work through the next steps of adoption.
KB [00:03:27]:
Okay, so staying on the spectrum piece for a moment, and you said Australia is behind because, you know, as we know, it’s a reserved market. Would you say people that you’re speaking to are not fully on board with it, they don’t know how to do it, they feel overwhelmed, et cetera? Where does that sort of sit? So do you think it is more mature organizations that are on board, or do you think it’s companies that are smaller that have got the capacity to change and move things around faster than perhaps a more entrenched, old school, bureaucracy style company? What are your thoughts there?
Mark Jones [00:03:58]:
Yeah, that’s a really good question, I think. I won’t say his name, but one of the first pieces of advice that I got from a very, let’s just say reputable CISO in the Australian market at the start of our journey was: I think you’re going to face some challenges where, especially with CISOs and security leaders, I think embarrassment is the right word, but they just don’t have the time to understand what this is. So the adoption is slow because, and we are massive advocates of this, adoption isn’t, you know, watching some YouTube clips, keeping up to date with some articles, maybe doing a course in AI. That’s not adoption. Adoption is getting your hands dirty, as in your machine, your lab, understanding how it works, what it looks like. And when you start to talk to people about what they’re doing around AI, we’re definitely finding that the maturity and understanding of what it is, what it’s capable of doing, how it’s working, as I said, is really varied. And I think people, and we, have got to get past this. And we’ve got to be able to help and support not just our security leaders, but also everybody underneath that and everybody in the business, by the way, to understand and embrace it and what it can mean for them.
Mark Jones [00:05:06]:
Because at the moment, I’ve got this feeling of reluctance to acknowledge that they don’t really know what to do about it. Some have been open and really transparent with: I just don’t have the time to learn what this is and learn how to use it. And when I say learn, I mean practically learn it, get it working, understand what the concept of agentic means. Not just reading an article, actually having it set up and running and working. Because once that happens, and I can tell you through experience, it’s almost like people’s eyes light up, the light bulb goes on and they’re like:
Mark Jones [00:05:41]:
I can see it now and then just like myself, my journey. You’re just on this path of discovery and reinventing and reapplying the knowledge that you’ve learned. The IP that’s in your head, you’re able to express it in a different way, get it out to solve problems that you’ve never thought possible, really. There’s definitely this apprehension, lack of time to really adopt and understand AI. But it’s inevitable. This change is coming. Businesses are pushing to do it, and security needs to kind of catch up and start really, like I said, getting behind it, if not being in front of it, to be the sort of advocates rather than the department of no.
KB [00:06:18]:
Okay, so you raise a good point. The businesses are pushing it. What I’m hearing from people like yourself across the world is in order to stay competitive now, as a business, we need to be ahead of our other competitors. Maybe they’re not leveraging AI, Maybe we can do things faster or, you know, more productivity, all of the stuff that we already know. Do you think that’s going to be the main catalyst then for these, you know, businesses to start thinking, okay, we now need to prioritize. If I don’t have time, something else has got to give so I can put attention to this. Because security is there to serve the business, and we know that. So do you think that that shift will start to change? Because again, like, you know, people aren’t going to like, hang around.
KB [00:06:59]:
If a company starts to lose that competitive edge, they’ll start to fall behind. When they fall behind and they make less money, and then we know where that sort of spirals down to. So is that going to be the main sort of driver of the lever for People to think and reprioritize things that are going on in their business, or what are your sentiments there?
Mark Jones [00:07:16]:
Let’s just put it this way. I had a meeting with a CTO, with the CISO on the same call, and it was really clear the CTO had a seat at the board at the executive level about what AI adoption means and what it looks like and what they need to do. This technology enables something that we haven’t really seen before. When, you know, when you’re running a business, and everybody kind of understands this, when you want to make the business more profitable, you either turn up how you generate revenue or you reduce operational costs, and that obviously results in a profit. What AI is giving us is the possibility of doing both. You can turn up revenue through new ways of doing things, and you can increase productivity and increase the output and throughput of workflow, process and everything to make the team that you’ve got more supportive and aligned to where the business needs to go in terms of generating revenue. So this meeting that we had was a classic example of the CTO pushing, and obviously I can’t talk about the name, but let’s just call it a retail brand. Where the CTO, once we kind of walked through some prototypes and understanding, was about, well, hang on, you can build something that sits over our data warehouse about inventory management, that we could see if there was a spike in a certain state in Australia around production of something, and you can kind of aggregate all that, build an orchestrator layer that would present and use the same data to basically generate and help with decreasing costs in warehouse storage.
Mark Jones [00:08:45]:
So that was the revenue generating efficiency thing. The CISO immediately went to, how do we control this, with no, stop, slow down, we need to make sure that we do this the right way. So basically, from my background kind of understanding both, we said they’re not mutually exclusive, we need to make sure that this prototype is set up because that’s where the business is going. That’s where the executive of the group understand and want to apply this technology. And I totally understand and appreciate the CISO perspective on you can’t just jump into having a bunch of cowboys building this stuff out in the environment that’s not controlled around governance or whatever. So to answer the question directly, I think that executives and boards are 100%, and I’m looking forward to the new financial year, but 100% allocating budget, building teams, structuring, and looking at how AI is going to be adopted. It’s not a matter of if, it’s how and when is it going to start generating results. So yeah, and that’s what I’m saying about the cyber team needs to not be a passenger to that.
Mark Jones [00:09:46]:
They need to be involved and helping the business kind of coordinate with confidence how this technology is going to be used, not if it’s going to be used, how it’s going to be used. So yeah, I think businesses are really starting to wake up, and businesses at all levels, by the way, from an SME right through to enterprise. I was with a, let’s just say a large company in Australia yesterday and they’ve got two floors of AI teams, engineers, structured groups, work sprint groups, you name it. Like two floors dedicated to every department in that company to adopt and get AI out. So that’s what the big end of town are doing. That tells you that it’s coming for every group, and if you’re not, it’s definitely a risk of sort of falling behind competitors for sure.
KB [00:10:28]:
And would you say as well, Mark, that cyber people are passengers on the bus currently, or are you sort of seeing a couple of outliers that are like, nah, we’ve just got to wrap our head around it? Yes, we’re all busy, time poor, you know, overwhelmed, but this is what’s happening and we just need to make room for it.
Mark Jones [00:10:45]:
Yeah, there’s both of those. I think that, like I said, that spectrum of understanding, and not just an understanding, but adoption, use and application, goes from, you know, we’ve set up, we’ve written an AI policy, we’ve got an AI governance forum that we’re a member of and we’re kind of just helping review things as they come through. Which, to me, is you’re absolutely a passenger, you’re just sitting there, you’re not really doing much. You might put up a couple of red flags around keeping things in line with what you think needs to happen in terms of your architecture and infrastructure and model use and all that sort of stuff that needs to be controlled, right up to even the proper governance of things. I think I’ve seen a couple of examples where it’s starting to really take shape well, but because it’s so early in the stage of this actually happening. Just like we run our company, for example, we’ve got a governance layer that not only is dictated by policy, but it’s actually real time in place, monitoring all the models we use, everything that’s built, every interaction, all the token consumption, what data is being accessed, how it’s being accessed. So that at scale is very complicated to do, but it’s absolutely possible. When I say that governance, that’s where security could play a role in setting that up. They shouldn’t own it, in my perspective, because it’s not a security thing to control the governance, but they certainly should have a view of: that’s how our policy, our kind of guardrails, our harnesses, this is how they get checked and validated and verified and put into the real time process, is through this orchestration layer of governance, which kind of takes them from just a passive passenger to a:
Mark Jones [00:12:26]:
We’ve got this monitored in real time. And again, that’s the cybersecurity in the business. There’s two distinct things here around putting cyber into the AI process and then putting AI into the cyber processes. They’re two work streams. Both should definitely be a focus point for cyber teams.
KB [00:12:43]:
Okay, so my next question would be, we’ve spoken about people’s apprehension around it, time, perhaps not getting hands on the tools themselves to figure it out, et cetera. But you also argue that cyber teams of course need to have their hands on AI, like get amongst it. But then what happens is many security leaders are then banning the tools as a result of trying to get amongst it. So would you say then it’s the leaders who are becoming the barrier? Because like you said, it’s not just about listening to this podcast, it’s actually about going out there and giving it a go. But then how can you give it a go if someone’s saying no, we can’t do that, and now it’s banned? What do we do now?
Mark Jones [00:13:25]:
Yeah, yeah, that’s great. Well, we know this, we know what happens here. We did it with when the cloud. Everyone understands this, but I just, I’ll just regurgitate the same information. We, we’ve seen this when a group says we’re not moving, for example, going back to the cloud, we’re not using this. We inhib everything local. We’re going to. Everything sits here.
Mark Jones [00:13:41]:
What happens, you get shadow AI. And this is, everyone’s talking about this at the moment. If you stop someone doing it in the workplace or, you know, trying to restrict so much, especially now, given the use and the availability of these tools and the ease with which they can be adopted. Shadow AI is a real thing, so you can block and stop and put as many controls as you want. There’s nothing stopping someone going home, putting it, taking a photo of a document, loading it up, that screenshot, into whatever they’ve got at home and kind of pulling things together. Not saying that everyone will do that, I’m saying the process of blocking it will generate its own issues. So the way to do it is, again, like we spoke around with this governance, is just to understand and appreciate what all these different things are doing. And we’re AI native, we are every morning waking up, getting briefs from our agents around what happened overnight, what things are happening, what new models are out, what new tools have been produced, what’s doing what, what companies are doing things.
Mark Jones [00:14:43]:
So I understand that that’s a complex position to be in and everyone’s got a day job, but there needs to be some sort of comprehension and understanding of: if these are things we’re blocking, we need to understand exactly why, because tomorrow we might need to loosen that restriction. And when we start talking about proper AI adoption, we’re still working on a very subsidized model with all these big frontier models. So the concept of local models, how we’re going to set up our architecture to do this properly and set things up, will require different, potentially, considerations to model. So I question hard, when we speak to a client and they say we’re all in with X provider, like, I understand why that’s the case at the moment, but if anything was proven to us over the weekend with Anthropic, you know, having everything hinged on one provider potentially introduces risk that I don’t think people fully understand yet. Because when the business starts operating off of these models and it’s critically ingrained in how we’re doing it, if you don’t have the ability to plug and play with different models, you’re kind of putting yourself at risk. And the models underneath the frontier ones are rapidly catching up with how they do work. So when you’re able to do things potentially locally in your workflows, things actually start to make a lot more sense to use different things, use different tools, use different methods to complete the workflows or do whatever you need to do, rather than having full reliance on one product.
Mark Jones [00:16:10]:
But then, yeah, so the banning thing I get, I mean clearly I get as a cyber professional, for this, me time of sort of stopping things running. But yeah, I think people need to keep a little bit more of an open mind, spend more time on the due diligence, understand, really don’t just follow the bouncing ball of “this model’s bad because I read something on LinkedIn or I read an article.” Do your own research, do your own understanding of what the real risks are, because at some point that’s going to become a real challenge for your business. And if you’re not up to speed with why and how decisions were made, it’s going to potentially come back and present a new risk that you weren’t aware of.
KB [00:16:47]:
Okay, I want to paint a scenario, given what you’ve said. Is it A: this is going to be hard, so is it better to just try the AI stuff internally and there’s no restrictions, I mean, like within reason, and see how we go, and if there’s an issue, then we sort it out? Or is it B: better to try to restrict it, but then you get shadow AI and then it creates another problem? If you had to place your bet, which one would it be?
Mark Jones [00:17:15]:
Look, I’ll tell you one of the best discussions we had. What was it? Probably four weeks ago, with the CTO of a company who completely and openly understands where cyber fits in. But as I mentioned before, the CTO has a proper place at the table to make decisions about where the tech’s going. Not saying that cyber doesn’t, but cyber is an enabler and to provide confidence to the tech group and the executive to keep things moving. The CTO has an obligation and responsibility to embrace tech. So what this company did was there’s no restriction on any model, but there’s a restriction on how things are routed, how they’re used, how the people are trained in the department. So this group, and obviously I’m not going to name them, but they’ve done things around hack days where they pulled in builders from every single department, understood and comprehended what their problems were that they were working through. And then the model selection is put into, like I said, this environment, which is fully controlled, contained, governed and managed in the guardrails within the harnesses, so that even when the models are used, they’re running locally, because it’s like.
Mark Jones [00:18:21]:
And again, I’m not telling anyone to suck eggs here, but you don’t need to be pushing out to frontier models for “I just need to aggregate these finance numbers.” There’s other models that are. You don’t need to, you know, crunch your tokens down with pushing out. It’s like having a graduate student and a professor answering, what’s two plus two? The professor is going to be, you know, $800 an hour. The graduate absolutely knows how to do that, and that sort of model, that approach, needs an environment that has, so we talk about LLMs, there’s this concept of SLMs, which this company’s done, where they’ve got little models that just do a thing, and that in the environment is a really safe way to do that. The data that it accesses is controlled, it’s been sanitized, it’s verified for use, and if anything else needs to come into that pool, it has a process of doing it.
Mark Jones [00:19:12]:
But basically it gives the business builders full autonomy over how they build, what they build, when they build, how the architecture is established, and at the same time those people that are doing that work are doubling, tripling, quadrupling their effectiveness, their marketability as an individual in their career. The opening up of everything in a controlled manner is something that’s not my opinion. I’ve seen it and I’ve seen it working and understood how it’s working. So, yeah, I think controlled open, but with really strong governance and a really clear objective of why this technology is coming into our business, where and how it’s going to be used and what we expect to come out of it. So starting to quantify, as I mentioned before, the revenue kind of going up or operational effectiveness going up, or both, you can do both. So, yeah, I think a controlled environment internally is a really great way to push.
KB [00:20:10]:
We’ll come back to that after a quick word from our sponsor. Handling sensitive health data, you already know security and compliance aren’t optional. Whether it’s ISO 27001, SOC 2 or GDPR, Vanta helps you build trust while staying focused on patient outcomes. Their platform automates up to 90% of the work, so you can hit your compliance goals faster and scale safely. Visit vanta.com/KBKast, that’s V-A-N-T-A.com/KBKast, to learn more. So then the other issue that I’m hearing about as well is with that then comes the AI sprawl. Like, you know, we’ve been through tool sprawl and then quickly people are telling me like, hey, we’re already at the AI sprawl. Like everyone’s trying different things to see what works, which I understand.
KB [00:20:59]:
But now it’s like, oh, now we’ve got too many things going on, we’ve got to rein it back. Are you seeing that as well in Australia? And I get it, you know, it’s still relatively newish for people to understand it and get amongst it. But then do you think people just go out of control with it now, or what?
Mark Jones [00:21:12]:
This is just my opinion, my experience from the coal face. I think that discussion has kind of come up, but I don’t think, especially the groups and places that I’ve been working with and talking with, we’re not sort of near that yet. But absolutely, I agree with the perspective that it will be coming. Like I said, we kind of read and update ourselves every morning with what’s going on and it’s wild. It’s wild. There’s so much going on and it’s amazing. It’s actually, as we know, the biggest step change in technology that any, well, I’ve certainly seen in my almost 30 year career.
Mark Jones [00:21:45]:
So I think that will definitely become a challenge because there’s just so much happening and so many things out there that are amazing and working and able to be adopted and understood really quickly and easily. Again, not just by tech people. This opens up the use of tech like things we’ve never seen before. So people in HR and procurement, in finance, business leaders, everybody can understand and comprehend parts of this, and that will, yeah, eventually probably end up in “we’ve got so much going on here.” But then that comes back, as I mentioned before, to proper AI governance. It’s not just “this is a policy and everybody adheres to our policy on the intranet.” It’s okay.
Mark Jones [00:22:26]:
Maybe if there’s a new tool that we need to adopt that we want to look at, we’ve got a model and an approach and an environment and an architecture that we can safely do that in, in a way that this is the process, this is the way we do it. We don’t want to step in front or stop or block. We want to do it in this controlled manner so that we can either accept or reject this new tool. But yeah, we’re probably heading towards that. I think Australia, compared to other countries in what we’ve been sort of researching, is definitely on the up, which is ridiculously exciting.
KB [00:22:58]:
Okay, that makes sense because here in the US people are talking to me, or US guests that I’ve got on the show, they’re talking to me already about the AI sprawl. So I’m assuming that’s going to start coming down the pike for the Australian businesses in due course. My next question would be the other thing that I’m hearing in the United States. I was at a conference recently in New York City and their verbiage was companies now are blowing the doors off with the whole tokenization. They’re just blowing the budget in one month for the year. And we’ve read about these stories, but is that becoming a thing there down in Australia as well?
Mark Jones [00:23:30]:
So I mentioned before about not banning tools and not being so rigid in how models work and what they’re doing because, like I said, we’re in a heavily subsidized economy at the moment. Just go and look at the maths on the logic of the businesses; it doesn’t make sense. But I can tell you as a very heavy token consumer, you need to understand it, because absolutely, I can completely appreciate and understand the bill shock that comes through. If you go, right, we’re going to open up, you know, call it Claude or whatever, to everybody. Everybody can install Claude Code and they can start doing whatever they want. And you know, we’ve got full access to all the code, the code work options. Look out for your next bill. Like it’s going to be out of control.
Mark Jones [00:24:14]:
And because there’s, again, no constraint on it if it’s not controlled and people don’t understand how it actually works. You’re ringing the professor every time to ask every question. Like it’s just ridiculous. What I was saying before about the local models and the setup internally, getting things running on your infrastructure, training and building up different types of tech to work with certain types of problems. As I said, the models underneath the frontier ones now are shaping up, and every day, every week, every month, things are changing and getting better and better and better. So tokenomics, or whatever you want to call it, everybody’s starting to shift to that, and the financial obligation is on the business, well, people within the business, to understand what that’s going to look like. So our prediction is I think we’re going to see in Australia a lot more, which is already happening by the way, but a lot more consumption of: how do we set things up locally? What does that mean? We’ve got this critical process now working.
Mark Jones [00:25:11]:
We’re not going to be pumping everything out to frontier models all the time. We want to set up workflows like this in our team, in our environment, in our data, in our data centers or colo data centers, to reduce that token hit. Because you’ve seen the media like I have, people are really starting to work out, even subsidized, this can be super expensive. So what’s the answer? Well, you need to think about how that’s going to look when the subsidization starts to be removed a little bit. I mean, even if it’s not, it’s still crazy. So yeah, that’s definitely a concern that people are starting to think about. And again, sorry, going back to the governance, I’ll just talk about our business.
Mark Jones [00:25:48]:
We can measure, you know, by the minute, by the hour, our token consumption across all our agents, across all the models that we’re using, across everything. And again, it’s not necessarily a reflective real cost as in what we’re paying. It’s about, if this were to be bouncing out in what we were doing, we need to be mindful of that and how we route things to frontier models rather than what we can process locally; we can have our agents work through different approaches like that. Yeah, it’s coming. People will start to see that bill shock. Just like we used to see with cloud, and still do today, actually. This consumption on demand is going to open some people’s eyes, I think.
KB [00:26:27]:
Okay, so let’s keep talking about tokenomics. So I interviewed a very senior cybersecurity leader here in the US and now the question is being asked, and I’m keen to get your thoughts. The question is being asked with all the tokens, for example, because it’s so expensive, there’s the bill shock. They’re now saying that it’s even exceeding paying a human being to do it. So aren’t we leveraging AI to reduce our cost? And now people are saying it’s costing two, two and a half times a human being in the role. So is it counterintuitive? Like, what’s the sense in that then?
Mark Jones [00:27:02]:
I can see the irony there, to say, let’s think about what we’re gonna do with people. We engage and empower the people to use the tech. They start doing that, and I’m always split on this thing, which I hate by the way, of trying to cut people out and kind of reduce people overhead, and then all of a sudden not only are they producing more, but they’re costing more because of the consumption. So again, the understanding of how, from an architecture perspective, it needs to be built, like it has to be considered, because if that architecture is not set up right and, again, you’ve got somebody that’s a heavy frontier model consumer of tokens to do what they need to do, then you don’t want to stop that creativity or imagination or, you know, expansion of that person’s capability. But there might be a different, well, sorry, there are different ways to do it, so it doesn’t necessarily need to be just pumped out into that model all the time. For example, again, just talking about myself and the way we do it, we have a very structured process of how we route what does what, and understanding the different models, how they’re used, what they’re practical for, what they’re not practical for, and the consumption of tokens starts to reduce, and everybody’s out there now talking about ways to do that. Routing, the control points, what model does what, is definitely a way to start looking at how to reduce token consumption, because if you don’t, you’re going to be hand in hand with a frontier model, or both, or, you know, a few, and it’s going to be crazy.
Mark Jones [00:28:33]:
So yeah, that local thinking, like architecture thinking, routing, is a way that not just us but companies are actually starting to implement to help control that.
KB [00:28:44]:
Okay, Mark, I want to switch gears and talk in more detail about implementing strong AI governance. And you’re right, it’s not about some policy that someone’s written and it’s on the intranet that no one ever reads. How do we start to enforce it? Because again, I feel like people think policy, like, if it can do my job faster and I can go out and have beers with my buddies on Friday sooner, I’m probably going to do that. Let’s be real. So how would you go about advising a company to implement this appropriately? So therefore we don’t have people blowing the doors off the budget, we don’t have other security issues that start to creep in, etc.
Mark Jones [00:29:23]:
Well, KB, if we were, if you’re a client, I would show you, I would literally just show you what we’ve set up. But the way you’ve just, you’ve framed it is exactly right. So the way that I explain it is think about it. Let’s think about it a little bit. Let’s have some workshops and some discussions around what we want to achieve, what we want to see. Go and look at all the theory about what good AI governance looks like. You know, look at the ISO standards, look at what NIST’s produced, look at what McKinsey’s been like. There’s plenty of what good AI governance looks like.
Mark Jones [00:29:51]:
That’s fine. Even, you know, have an agent analyze all that for you, by the way, and produce what might be relevant for your specific company. Then as we talk about with any adoption of this stuff, get a safe environment and build it. Just build it, build a prototype, build something that’s going to set up and control what you’ve articulated through all your documentation and all the theory, set it up and work out a way to capture the things. So build management, inventory management, access controls, data boundaries, model selection, logging, all your cost, visibility across all the tokens, how you stop certain things from running, like kill switches, what data is being accessed, all of it can be captured in your governance layer from a technology perspective. And I’m not going to speak with authority specifically around, I’m sure a platform will pop up that kind of does it. My push is you don’t need a platform, you don’t need platforms to do lots of stuff. Now you can set up, govern, control and build this as part of your AI journey to do exactly what you want, how you want to do it, and then if it needs to change, you change it. That’s the beauty of this.
Mark Jones [00:30:59]:
It’s kind of collapsing the way that things come together. The first thing when I hear people talk about an AI policy is give me the policy, give me anything else that you want to do. And then we work out a way to prototype it and work out architecturally what the business is structured like, where everything’s kind of sitting, how things are being used. And then you find out really quickly that, wait a second, we’ve got pockets of things happening all over the place, people, like I said, the shadow AI people, the HR team’s doing it this way. These guys are just, we’ve given them access and they’re prime soft and they’re doing whatever. That’s kind of where the challenge starts to come around. Well, the horse has bolted, so let’s try and work out a way to bring that back and control it and then set up again this layer, this orchestration layer that’s controlled by the business. Somebody obviously has to be in charge, but there’s a council of individuals that need to be included in that layer.
Mark Jones [00:31:49]:
And it’s certainly not just, you know, security and tech. It’s got to be some business people that understand again, the, all the governance, the how things are being worked. If something starts to split off what we’re going to do about it. Is this a real use case that we need to potentially adjust the governance? But yeah, it just has to be live, you have to do it, you just have to build it. And it’s not a governance committee of people coming into every, every week, a meeting to talk about stuff that’s kind of a decision, a decision tree. This is tech. So we need to use tech to manage it and we don’t need to use, you know, in sort of more of an advanced perspective. We don’t need humans to do it.
Mark Jones [00:32:23]:
Sometimes you can have an agent that, that can run and help with determining what decisions need to be made, if that makes sense. Not necessarily like humans still need to be in that loop, but we’ve got the capability now to have governance agents that run across the fleet, that run across what’s happening. So that should be considered as well. But yeah, it’s kind of an evolving point from a policy document and standards. Then just get it built, just build something specific to your company’s requirements, regulations, whatever you need to include and just evolve it. But the longer we just sit around talking about it, the more out of control things are going, they’re going to become. So that’s why we push really hard on this governance layer, because it’s, it’s not stopping, it’s not slowing down. And if you, to your point before, if you do stop it and slow it down, that’s got its own impacts.
Mark Jones [00:33:11]:
So you’ve got to try to catch up and keep in front of it as much as possible.
KB [00:33:15]:
So I want to know, what you’ve been saying is the CISOs that you’re speaking to or have spoken to are saying, like, “Mark, I’m busy, I need to understand it, but I don’t have time to even do that.” Do you think that they then default to buying the platform because, like, I don’t have the time? So sometimes we have more time, but we don’t have money. We can spend more time building it ourselves. We don’t have time, but we’ve got money, we’ll just buy the thing and then hopefully it solves their problem. How does that sort of sit with you, that equilibrium of you don’t need to buy it, but then also people are running short on time where. How do you sort of find the best of both worlds?
Mark Jones [00:33:49]:
No, great question. And sometimes, because this is definitely something that we, we get asked a lot around, you know, it took, I kind of understood the SaaSpocalypse when it happened. Now I completely get it. So my, my opinion on that is, yeah, there’s going to be some things that just for right or wrong, you just, you can’t and don’t want to build and maintain and run and operate and govern yourself. So it just makes sense to do it. On the other hand, there are things that it completely makes sense to do that because we’ve been in this economy where I’m a massive consumer of like a lot of tech. So I get it. But we’ve been in a thing with.
Mark Jones [00:34:24]:
This is my thing. You basically subscribe to this thing and you stay within the guardrails and the control of what this thing is. What we’re in a state now of is I don’t want to do that. I want to do this, I want to do that and get something built this way. So for simple, well, not even simple, but from simple to moderately complex things you can, with time and understanding. And don’t forget we’re in 2026, the middle of 2026, like in the middle of 2028, I think it will be completely different. But right now we’ve got the capability, the capability to pretty much do anything. Whether we have the willingness and we want to do it is another, that’s another point.
Mark Jones [00:35:03]:
But things around governance one, the example I used yesterday actually with my wife was she, she’s kind of running a function and there was some tools and stuff that potentially could be purchased off the shelf. And I said, just hang on, just sit down with me for a little bit and let’s see what we can build with your exact requirements so you don’t have to kind of mold your requirements into this, this, you know, off the shelf kind of platform, this SaaS platform. And we did, we built it. I mean, I’m not a, I’m not an expert in what she was doing, but I can understand her requirements because they were really straightforward. So I think there’s things that will be, will make complete sense to build, manage, run, maintain internally, externally, when there’s, you know, but there’ll be certainly things that you just don’t want to even go near. But we’re finding actually one of, especially in cyber the biggest discussion has been around, we have a lot of tech like, and everybody in cyber knows that there’s tools out the wazoo, there’s everything. What I actually want is I want this tool aggregated with this tool and this methodology and this, this viewpoint with this perspective and this based on my company’s risk methodology and then applying this over the top. I’m sorry, no tool out there is going to do that.
Mark Jones [00:36:16]:
So that is a clear use case for something to build. So you build it, let’s build it. And again, back to my point before of governance, we don’t have to wait for three or four months to do whatever. We can have sort of, we can have something built up in your environment running very quickly. By way of example, I was talking to a CISO last week. It was 4pm on a Friday and I get it, it was kind of vibe coding. But the concept of wait a second, if I could generate a data source from these five tools with this view and that view and other things over the, over the top, putting my security brain into that problem, if that was my problem, I’d want it to do this is the way that I wanted to make it work and look and I sort of that earlier that or later that night and definitely over the weekend and certainly in the next week, you know, this thing started to shape up, which it said, this has just saved me like so much time, so much effort that I would have been. We have to kind of manually jockey spreadsheets and things together. So you know, there’s things that would completely make sense about building internally and things I guess from a tooling perspective that you go, I don’t want or need to replace that.
Mark Jones [00:37:21]:
So I’m just going to leave that. I just want the data from it potentially aggregated in a different way.
KB [00:37:25]:
Okay, so Mark, final question. You mentioned 2028, things are going to be different. What do you think? Don’t have to have the right answers, just curious because things are changing every week.
Mark Jones [00:37:34]:
Well, you can look at our website, but we’ve pivoted probably three times in the last four weeks about what we’re seeing. And this isn’t our theory, this is what is actually happening in the market. So my prediction is in two years, every single team that sits in front of a computer is going to change. And I mean the people, the technology and the data that they consume and two years is concern is probably conservative to be honest, because it’s already happening. But every person, if we’re just looking at cyber, every person in cyber, their role will change in some way, shape or form to become their role plus a builder, plus an adapter, plus an applier of how to understand this tech. And that’s the advice I’m giving everyone that I speak to about. They don’t know where to start. I’m like, just start, just do it now because tomorrow’s too late.
Mark Jones [00:38:27]:
Just start today. So that’s definitely in two years. I think every team, and not just cyber teams, but anyone that sits in front of a computer, their team is going to look different, you know, potentially with different job titles, different role functionality. The technology that they use will be dramatically different and the data that comes in and out and is consumed and used and produced will be different as well. So yeah, that’s kind of where we’re starting and going back to my point before, ridiculously exciting to be part of that journey in this country to see what we can do because other countries are doing it. And I’m talking everything from an SME right through to enterprise. Teams need to be different and if they don’t, something, something’s going to give in that organization. There’ll either be extreme pressure from above to change it or the market will change it, will change it for them.
Mark Jones [00:39:15]:
But yeah, that’s what I predict.
KB [00:39:19]:
That was Mark Jones, everybody. The bit I keep coming back to is what he said about adoption. You don’t get there by watching a few clips or writing a policy. You get there by getting your hands dirty in a lab until it clicks. So if you’re a CISO listening, don’t wait around for the perfect platform to show up. Spin up a safe environment this week and start building your governance layer yourself. Like Mark said, tomorrow’s just too late.
KB [00:39:49]:
I read every reply. If you got some thoughts on this one, send me a message on LinkedIn.
KBKast – Cyber for the C-suite.