Andy Ellis
So either you have fundamental controls in place that will be helpful in that world, or you're playing catch up.
That's basically your two choices.
Now, conveniently, like when people moved to the web and started to do like e-commerce in the early days, there were people who came and helped them.
And the folks who became the first chief information security officers were the people who got out ahead of it.
So if you want to advance your career, you should be out ahead of AI and you should be figuring out how you're going to help your marketing team use AI better and more safely.
Because what I'm seeing at more and more companies is you have these very, very lean, agile marketing teams, sometimes only one person doing the work of six or seven, and they're using AI for everything. So if you're just screaming, "No, no, no, you can't do it," that's the failure mode. Let me, let me
Okay.
So this one is funny because it feeds into one of my favorite conversations, which is that most metrics that are in use, especially in the security profession are perverse metrics.
They don't actually show you what you think they show you.
Okay.
Um, and I give like
I think one of my favorite examples is like the average time to patch vulnerabilities, which often has some weird denominator in it.
Like, is it the ones that were closed or is it the ones that are currently open or closed in the period?
And in fact, if you go look at a bunch of talks I've done, this is one of the examples, like when I say how to build a security program is make sure your metrics survive against perversity.
And I don't mean perversion, just the perversity of the world.
Like, oh, if you find new vulnerabilities, you close them immediately, but you only report once a month, nobody will ever see those vulnerabilities in your metrics.
But you're like, oh, but I know we did something good.
So the underlying question here that I actually have to ask is, are these metrics actually really good, high-quality metrics, or are they not?
And I'm gonna actually go with the, because it's most security programs.