Anthropic’s Mythos and the Future of Vulnerability Management | Interview with Thom Langford
Welcome to the Secure and Simple Podcast. In this podcast, we demystify cybersecurity governance, compliance with various standards and regulations, and other topics that are of interest to consultants, CISOs and other cybersecurity professionals. Hello, I'm Dejan Kosutic, the CEO at Advisera and the host of the Secure and Simple Podcast. Today's guest is Thom Langford, and he is the CTO of the EMEA Region at Rapid7, a global cybersecurity company. He has extensive experience, he has been in the IT and cybersecurity business for more than thirty years now, and works with clients from three continents.
Dejan Kosutic: So in today's podcast, we'll tackle one very, I would say, attractive topic, and this is about Mythos, the new AI model from Anthropic that is, I would say, shaking the cybersecurity world. So, welcome to the show, Thom, or better to say welcome back, because we already did another episode a while ago.
Thom Langford: Thank you for having me.
Dejan Kosutic: Great to have you here again. So what do you think? Is this Mythos only a marketing stunt from Anthropic, or is it for real?
Thom Langford: You know what, I vacillate between the two states of being very, very cynical, possibly unnaturally cynical, and thinking this is just a big marketing stunt, etcetera. And then on the other end of thinking this is going to just change the world forever and that, you know, this is the beginning of the end, etcetera. And the truth lies somewhere in the middle, of course, I think, you know. So there's a lot to find out, especially given it's not been released to the general public. It's only been released to a very select few organizations who are under strict NDAs and can't talk about it, you know, apart from the pre-authorized talking points.
Thom Langford: So it's very difficult to get a real picture of the impact this is going to have. But, you know, as professionals we can project and we can, well, and also we have opinions, right? And I have many of them.
Dejan Kosutic: Yeah, yeah. There is some information released, like Mozilla says that this early Mythos actually found something like two seventy or so vulnerabilities in their Firefox browser, which is amazing, right? Because I think the previous versions of AI models found something like, I don't know, 20 or 30 or 40. Now this is a completely different level. So if this whole thing is true, I mean, this new AI model, and by the way, there will be others, right?
Dejan Kosutic: It's not only Anthropic. Other AI models will soon have very similar capabilities. So what does this mean really for software development? Does secure software development then feel more achievable, or is this simply going to become overwhelming? I mean, these kinds of vulnerabilities.
Dejan Kosutic: So what will actually happen?
Thom Langford: I think we need to think about the symmetry of this in the same way that we've got companies releasing tools that are exposing vulnerabilities and making them, and actually utilizing them, and actually taking advantage of them. The flip side, the defensive side, is there's gonna be products out there, they're gonna be finding these things internally during the actual software development life cycle, for instance. So we should see a balancing of this in my opinion. I think, and again, we've not seen this, that, you know, what's been released by Anthropic talks about this 170, 180 odd vulnerabilities. We've not seen how it operates in the wild yet.
Thom Langford: So is it gonna be quite as, you know, dramatic an impact as that? And we've seen it on one set of software. Now, directionally, it's going in this direction. It doesn't matter whether it's, you know, today it's overblown somewhat and it's not as effective, but directionally it's only going to go like this anyway. So there's a lot to find out, but I think it doesn't change the fundamental requirements of software developers, of security engineers, of CISOs, etcetera.
Thom Langford: We're still doing the same thing. We've always said this about AI, it's scale and reach, you know, that's what AI does. And it's just now applied to this. So we have to respond in the same way.
Dejan Kosutic: Okay, so let's assume that, if not today, but let's say in six months or twelve months, basically these capabilities will be widely available to basically anyone who wants to buy them. What does this really mean for, let's say, software development? What does this mean for cybersecurity in general?
Thom Langford: Yeah, it's a game changer in the sense of the speed and scale of what's going to, and the reach of these tools, and what's going to be exposed. Again, it doesn't change the fundamentals of we still need to be patching, you know, discovering and patching vulnerabilities. We still have to have effective patch, you know, vulnerability management and patch management programs that are gonna find us. So with these tools, there's going to be many, many more CVSS, you know, thrown out there. There's gonna be, you know, of varying degrees.
Thom Langford: Just because it's a high CVSS doesn't mean that it's actually one, exploitable, two, in the wild, and three, practical to use, you know, by criminals today. And it doesn't give any kind of context either. So, you know, for instance, of those 170 in the Mozilla Foundation, you know, platform, etcetera, there's probably plenty of caveats in that you have to have physical access. You have to have this in place. This needs to be, you know, this needs to be lined up, that package needs to be delivered out, you know, installed elsewhere, etcetera.
Thom Langford: So yes, we're gonna see this, you know, massive growth, but are they relevant to us as CISOs and to us as organizations? Are these the vulnerabilities that we need to be worried about? Is our exposure, our real exposure, going to increase dramatically as a result of this? Time will tell, but yes, it'll probably go up, but as dramatically as, you know, the figures that are coming out now? I don't think so.
Dejan Kosutic: So what do you, I mean, see from, let's say, a wider picture? What will be the main impacts then of these, let's say, new technologies that are enabled by AI?
Thom Langford: I think really what it's going to show is, or what it's going to highlight is, the organizations that, or the immature organizations, are gonna be shown up. So the organizations that just literally react to the latest CVSS or CVS scores, the ones that react to the vulnerabilities that they've been told to fix by the software vendor or by the auditor, even worse. The ones that don't actually have a strong vulnerability management and a patch management program, those are the ones that are going to suffer. And potentially, you know, that's, as well as the, you know, small office and home office users and, you know, people at home, as large swathes of unmonitored and, you know, day to day used devices are being used. For those CISOs that have got mature vulnerability and exposure management programs in place and subsequent patch management, there may be larger backlogs.
Thom Langford: There may be a greater volume, but frankly, the job stays the same. Core actions remain the same. Find a vulnerability, ascertain its effectiveness and its context and how it's actually relevant to you, risk score it accordingly and patch it accordingly.
Dejan Kosutic: Okay, but wouldn't the whole, let's say, process actually change? Of course it will need to speed up, right, but will the whole, let's say, setup of finding and fixing vulnerabilities change because of this?
Thom Langford: Why would it do that? It's purely finding more vulnerabilities. Vulnerabilities that need patching.
Dejan Kosutic: Yeah, because of the speed, right? Because it's not like you can...
Thom Langford: Yeah, so speed. Yeah, absolutely. Speed is part of it and that backlog will increase, you know, but this is why actually just responding to vulnerabilities is not the right approach. If that's all you're doing, that's an immature program. That's not a program that is going to be able to scale.
Thom Langford: If you're able to risk score and apply that context of how relevant this vulnerability is to me. I liken it to, I was talking about this just the other day with a friend and I said, you know, if I get a CVSS score of 10, it's the equivalent, say, of me leaving my car unlocked every night. Just leave it unlocked. That's pretty bad, that's bad. But if I leave my car unlocked every night inside a secured shipping container, inside a compound patrolled by armed guards on an island in the middle of the South Pacific, that's not relevant.
Thom Langford: Yes, it's a high scoring risk, but the context means it's not relevant. And that's what's important, I think, with this. Yes, we're going to get a greater volume and greater speed, but they're still not all going to be relevant to me.
Dejan Kosutic: Okay, okay. I read the article from Bruce Schneier the other day where he actually commented also on Mythos, and basically one of the main conclusions there was that the main change actually with AI systems like these is going to be that this monitoring of vulnerabilities and finding vulnerabilities will become actually a continuous activity which will be tightly related to software development. Okay, I know that some companies are already doing this, but his point is that everyone will need to do it in the future. So what's your take on this? Is this a good direction?
Thom Langford: I completely agree with that. I completely agree with that. You know, you're tying... for so long an industry, for all the right reasons, has been focused on detection and response. Of course, because that's the speed and that's the easiest place to find them. You're sniffing out your network, you're checking what's on there, if you see something, then, you know, you see a problem, you fix a problem.
Thom Langford: What we're not tying that into, and going back to that previous point, is the exposure management side. We're all preemptive security, as, you know, I think we and many other organizations are calling it. And that preemptive security is talking about taking control of your surface, your attack surface, understanding and making sure you know 100% of that attack surface, and that you can actually preemptively patch. You combine that with things like threat intelligence that will tell you that in this region, in this country, and in this industry, and on these platforms, you are being currently targeted by X, Y, Z threat actors, well, then your prioritization starts becoming even more fine-grained. But, yes, you know, to my point about mature organizations versus immature, mature ones are constantly, constantly, you know, threat hunting and, you know, vulnerability hunting and contextualizing and making sure that, you know, and running strong exposure and patch management programs.
Dejan Kosutic: Okay, now what will happen actually with these companies that are not, as you were saying, so prepared, right? Because let's take this scenario, let's say that Mythos is really as powerful as they claim. Sooner or later they will have to release it to the general public so that anyone can actually access it, which means also that the bad actors will be able to use it and basically use it against companies. Now, okay, these guys that are, let's say, I mean, these companies that are already prepared, they will have fewer vulnerabilities. However, there will be a huge amount of companies that are not prepared, especially if they didn't have the access as part of this Glasswing project from Anthropic.
Dejan Kosutic: So what will happen to these companies? I mean, does this mean that the number of breaches will drastically increase at that time?
Thom Langford: I think potentially, yes. I think, you know, to my point of the immature organizations, the small ones, we may need to be looking at them reinvesting in their security functions. You know, and also in many cases a lot of these small organizations, they do a lot of platform consolidation. They're wholly on Microsoft, for instance, or they're wholly on Google. Well, in these instances, they are involved anyway in the initial rollouts of Mythos, you know, Microsoft and Google are involved.
Thom Langford: Well, hopefully Microsoft and Google, for instance, there are other platforms out there, will evolve to address these threats as well. So if we're talking about just a pure enterprise environment, i.e., you know, we are a company that sells widgets online and we just use a Microsoft platform to run everything. Well, that'll be, you know, Microsoft will have to step up their game, you know, because these smaller organizations are relying on them to manage not only their enterprise environments, but their fleets of Windows laptops or whatever. So there is that.
Thom Langford: If they're doing their own internal software development, they're going to have to have a major review of that process.
Dejan Kosutic: And what do you think, at what point in time will Anthropic actually release Mythos to the general public? I mean, to anyone?
Thom Langford: If I knew that, I'd be putting money into Anthropic shares right now. I mean, come on, that's the big question, right?
Dejan Kosutic: Yeah. So, do you think that they should... what kind of, let's say, governance should be put in place there? So, first of all, should they ever publish it to the general public? And if yes, under which terms? So, should they verify somehow who's using it and so on?
Dejan Kosutic: So, are we entering into a, let's say, new era here for who actually can use AI models under which conditions?
Thom Langford: Yeah, it's a new arms race really. And I think Anthropic will have no option but to release it because another company, OpenAI or whomever, any of their claws, will be releasing their own as well. Anthropic have just set the marker; being the first to do something is going to create such a difference. The other companies are not going to want to be left behind and they will continue to develop and enhance and build on that. Now the danger of that, of course, as with any kind of arms race, is that you're releasing very, very dangerous tools into the market purely for market share and shareholder value, which is, you know, it's not a great place to be.
Thom Langford: But that genie left the bottle many years ago anyway. This is an inevitability, and I mentioned before about directionally. This is literally, we're at Floor 1 of hundreds of floors above us. So it is gonna be released at some point. Maybe it will be through a vetted licensed process or something like that, which is probably, you know, kind of what they're doing already. But then, you know, those processes, they can be subverted, code can be stolen. You know, Anthropic has put a target on their head for, you know, threat actors and criminals to try and get access to these tools as well.
Thom Langford: So it's not going to be long before it's weaponized by the threat actors and the bad actors.
Dejan Kosutic: Yeah. But I mean, the outcome could also be that governments actually decide to kind of define some rules of the game for these kinds of things. So, for example, for medical devices, right? If you're using software in medical devices, it has to be released, let's say, under certain conditions. So it might be that for this industry, something like that happens as well. But yeah, we'll see what really happens in the future.
Thom Langford: But that's an interesting one in and of itself, because government regulation will be interesting. So most of these companies are American and, you know, America may well provide some regulation or even, you know, under the current climate, try and restrict its use just to US companies and things like that. There are many other companies out there. The Chinese companies, you know, most notably, who are making massive strides in AI environments. They can't regulate other countries, you know, building their own and, you know, relying on themselves.
Thom Langford: And, you know, Europe and the UK especially have also got some very, very, you know, promising challengers to some of these larger companies, larger American companies. Regulation is one way, but it's not universal.
Dejan Kosutic: Okay. Let's speak a little bit about the CISO and how the position of the CISO will change because of Mythos, or because of these, let's say, new AI tools where everything is much quicker, right? And where you actually have to be much more thorough in what you do.
Dejan Kosutic: So what will really change for CISOs in your opinion?
Thom Langford: There will be far more scrutiny on the CISO function and role, I think. You know, this has been front page news effectively. This has been talked about in the boardroom. You know, I'm talking to customers about it. I'm talking to friends and peers about it.
Thom Langford: I'm talking to family members who have nothing to do with cybersecurity about it. That's how it's got to, you know, so it has very much entered the zeitgeist of the current world of, you know, this is AI and this is how it's going to change the world, etcetera. So for CISOs, what it's done is it's raised the requirement, raised the bar for security even further. So it's kind of like, well, you were barely coping before. How are you going to cope in the future when this tool comes out?
Thom Langford: Now hopefully, you know, mature CISOs and, you know, stronger CISOs will be able to use this in a way not to drive fear, uncertainty and doubt, or FUD, but use it to drive that agenda of this is why we need to do X, Y, Z. This is why I need to invest in my, you know, my exposure management, in my preemptive security, vulnerability management, my patch management. This is why I need to invest in, you know, people, tools, and procedures to make sure that when this oncoming avalanche of vulnerabilities, you know, arrives, I can make sure we are fixing the right ones at the right time and in the right way. So I'd like to think it will elevate the importance of the CISO because it is such a global phenomenon, you know, across all organizations. My fear is that if CISOs, or if a CISO, doesn't sort of address this head on with their leadership and with their boards, it's going to purely just become another IT tooling problem or something like that.
Thom Langford: And that, you know, the CISO will be bypassed, or even the CISO's role changes into not chief information security, but chief AI security officer, and that's it. You know, so, you know, my fear is that they'll get bypassed. My hope is that they will be elevated.
Dejan Kosutic: This could actually be a good trigger for CISOs actually to show their value, right? Not only, let's say, security, but also kind of business value, because this will also introduce some business changes. So, I mean, CISOs are focused, let's say, on governance, compliance, stakeholder management, these kinds of things. Will this actual focus of a CISO change because of these changes in AI models?
Thom Langford: I think it will. I think they will have to take it into consideration. A good friend of mine is CISO for a larger organization. He's actually hired a very senior head of x AI security into his team. He jokingly said, because I can't attend any more of those meetings anymore.
Thom Langford: I'm just fed up with the AI meetings I'm having to go to, so I'm hiring someone to do them for me, jokingly. The reality is it's going to become just another part of the CISO's sort of suite of responsibility. As you say, you know, governance, risk, compliance, architecture, testing, resilience, AI. It's just going to become another part of it. And it kind of has been up till now, you know, a good mature organization will have put in some kind of AI governance procedures and AI governance programs to monitor internal use, etcetera, you know, and to ensure that data isn't arbitrarily exfiltrated through the use of shadow AI tools.
Thom Langford: That in many cases has fallen onto the CISO's shoulders. I think it's going to become effectively a dedicated vertical within the CISO's suite of responsibilities.
Dejan Kosutic: Okay. And because of this speed of, let's say, discovering vulnerabilities, I assume that, you know, things and how the CISO and people around the CISO make decisions, this will also have to change, because obviously, probably these decisions will have to be made more quickly. So how do you actually see this change, and what kind of change, what will change actually in this decision making process?
Thom Langford: Well, again, I think to that point of elevating the CISO's role, oftentimes, and all too often, the CISO is seen as a tactical solution, not a strategic solution. So they're effectively told what to do, and then they just decide how to do it. With the elevation and further elevation, and that's not, you know, because like I say, that tactical approach is not for everyone, it's not, you know, across the board, but it's very common. With that elevation, I'd like to think that we would see the CISOs being far more strategic, being far more, this is what we are going to do, you know, and my teams will execute how to do it. But, you know, in the same way that the board doesn't necessarily tell the CFO how to run their books and how to, you know, report effectively and all that sort of thing.
Thom Langford: Because the CFO just says, trust me, I'm doing my job. You know, you're paying me the big bucks to make sure we stay profitable and I'm moving money effectively and all that, so that's what I am going to do, you know, within the framework of, you know, our own governance framework. Similar has to be done with the CISO as well. You know, I am going to introduce policies that will limit or increase or monitor or whatever AI usage. I need you to sign these off. I'm telling you that we are doing this, rather than the other way around.
Dejan Kosutic: Okay, and how can CISOs actually use this, let's say, moment or trend to, let's say, switch from a threat to what he's doing actually to an opportunity in actually elevating this position in a company? So how can he or she really become an equal player, so to say, on the board level when it comes to company strategy?
Thom Langford: I think actually understanding, because again, I think it's going to take a little while. Again, it's about educating and informing their leadership and, you know, executive leadership and the board about what Anthropic Mythos actually is and why it's important, why they should be taking notice of it and why it will affect their business. Because, yes, as I mentioned, you know, professional friends and colleagues and peers and family members are all talking about it, but they're talking about it from a knowledge of, hey, this sounds big and scary, etcetera. What are the true implications, not just to cybersecurity, but to our industry, our business? How is this going to change?
Thom Langford: If they can say, look, the types of attacks or the types of probing that we're seeing at the moment, you know, are X, well, you know, based on what Anthropic has said so far, well, we could be seeing 10 times that, you know, and here is the impact operationally, here is the impact financially, here's the impact to the bottom line. Now we can mitigate that and we can minimize that through investments, and through investments, you know, in synchronous responses, investments into AI security tools, or investments into organizations, or into security vendors that are heavily invested in responding, you know, with AI solutions, or at least AI supplemented solutions. And so it's an opportunity for them to then mature their own capabilities as well. So I think that's a key part of it, is translating what Anthropic and Mythos, or Anthropic Mythos, is doing not only in our industry, but in their industry and their marketplaces, and translating that to how it will impact on the sort of day to day running of the business.
Dejan Kosutic: Okay, could it potentially mean that, let's say, because of Mythos, the CISO actually concludes that if a company has developed its own software, maintaining the software becomes too costly because of too many vulnerabilities, and actually that the strategic decision should be to switch to third party software? Is this the kind of thing that you're speaking about?
Thom Langford: I think that's a very valid approach to take because if you've got a small team of developers who are either producing an in house tool or maybe even selling a niche product. You know, for instance, a colleague of mine, he, a friend of mine, works in the educational sector, small teams, small companies that produce very niche products for schools around, you know, around the country. They don't have large teams. They don't have the ability to fully invest as much as he would like, but they get the job done, you know, and they're good enough. Frankly, they may not be good enough tomorrow.
Thom Langford: They may not meet the standards. So we may find, you know, and I'm projecting out here, you know, quite considering and thinking out loud, we may find that there's gonna be a consolidation of companies in markets like education, where three or four come together so that they can pool their resources and produce a singular product that is up to the standards, because it is going to put a strain on those teams. But conversely, the adoption of strong internal security tools that are designed to address the very same problems, i.e., you know, making sure that poor code isn't written or insecure code isn't written in the first place. Investments in that, i.e., the thing we should be doing already, because, again, the fundamental challenge isn't different.
Thom Langford: It's just more of the same. It's just speed and scale and reach, as we said. So again, it is difficult to project out, but there's gonna be a shift somehow. There is going to be a shift. Costs of products may go up, companies may go out of business or consolidate and merge with others.
Thom Langford: And this is why I think, you know, there is such a response to the Anthropic tools at the moment.
Dejan Kosutic: Yep, definitely. And how do you think actually the budgets will shift? Let's say IT budgets, or in general business budgets, will they actually shift because of these changes?
Thom Langford: Well, maybe it's like after every time there is a breach, budgets always go up, at least for a few months, you know. And then eighteen months later, they go back down again. There's no doubt about it. Maybe we'll see an uptick in budgets to try and counter this, you know, purely because it's on the, you know, executive leadership teams' or the board's minds, or top of mind at the moment. Whether that's sustainable is another matter of course, you know, but I think because we are just at the beginning and we've still, it's only been a matter of weeks since it was announced, you know, and screenshots were shared and things like that, you know.
Thom Langford: So it's only been a matter of weeks, so there's still much to find out. But, you know, I liken it, I think, a little bit to having a breach, because there will be a response. Quite how long lasting it is remains to be seen.
Dejan Kosutic: Yeah, yeah. And you know, because of all of these changes, and again because of all these vulnerabilities that will be exploited, do you think that, I would say, companies' approach and companies' strategy and branding will be different, that actually companies will move more towards resilience as a key aspect of their brand?
Thom Langford: Yes, I think they'll have to. I think, which I think is a really good point. I always said, and I'll go back and use a slightly different example for this. So I remember fifteen plus years ago creating business continuity plans, the good old BCP as it used to be called. And part of that was the pandemic plan.
Thom Langford: You know, because bird flu was a thing and we had all these plans and the amount of, well, I don't know, how can I put it, cynical comments that were made, you know, oh, for goodness sake, if we have a pandemic, it's all over anyway, or why are we doing that, etcetera? And then COVID came along and I'd left that company, but I remember going, see, I told you, I told you we needed to plan for this. And I think it's similar to this in the sense that we should all already be talking about resilience. Resilience is a key business differentiator. I mean, we call it resilience today.
Thom Langford: It was the BCP in my day. You know? It's the same principle. Resilience is the ability to produce your product and charge your customer for it and get money for it. That's resilience.
Thom Langford: Everything else is just gravy. You know, it's just the fancy bits outside. If, when something goes wrong, you can continue your product and get paid for it, then you are a resilient company. If, under an onslaught of brand new vulnerabilities and never before thought of or seen methods of attack and TTPs and, you know, tools, techniques, procedures getting into your environment, you can still remain online selling your products and getting paid for it, you'll stand out, which sounds terrible, but unfortunately that's the new paradigm at the moment.
Dejan Kosutic: Anyway, lots of things that CISOs can actually do, let's say, as we said, elevate their position and position security in a different way in a company, right? Yeah. Okay. Let's speak a little bit about how this will change the cybersecurity industry. So there are lots of companies obviously that are dealing, you know, finding vulnerabilities, doing penetration testing and so on.
Dejan Kosutic: Is their business really in danger now?
Thom Langford: Is their business in danger? It's in danger of change, I think is probably the best way to put it. I think, didn't Anthropic say that it beats all but the very best cybersecurity analysts and pen testers, etcetera? Well, I think that's an interesting one. So possibly, but those very best, you know, they had to learn somewhere.
Thom Langford: They became the very best starting at being probably the very worst at some point, you know. So this, in my conversations with customers, my conversations with my peers, etcetera, one of the key things about the embracing of AI, which, let's face it, is a very important, you know, part of the business, but one of the key things is, who do I blame when it goes wrong? Who do I point the finger at? I can't point the finger at an AI. You know, so accountability is really important when it comes to AI.
Thom Langford: If we didn't care about accountability, every car would be self driving by now. There's no question about it. We've got the technology to do it, but, you know, things go wrong. Things go wrong at a lot lower rates than they do when humans are driving them. But with a human, when something goes wrong, you can say it was your fault and you will pay the price for it.
Thom Langford: You can't do that with an AI. You could possibly do it at a company, but that's, again, proven impossible in and of itself anyway. So I think, you know, yes, there will be changes. Yes, I think there will be some knee jerk changes, which will be the wrong ones, which will be, let's fire 80% of our testers and just keep the very average ones and get them to use AI. That will no doubt happen, and I think that's the wrong approach.
Thom Langford: You know, for me certainly right now, it's human in the loop all the way. The AI should be doing all of the busy work, all of the grunt work, all of the... I was talking to a tester the other day, and he said, you know, when I'm finding a vulnerability, I have to remember so many different pathways and which pathway worked and which didn't, etcetera, and an AI just does that. So if you can use an AI to remember all of that and suggest others, etcetera, and use it in this sense, the humans will always be there. The humans will always have that because they're the ones that can think like a human as well. But there will be some fundamental shifts.
Thom Langford: There will be, and we'll see the pendulum swing too far the other way and then it will come back, almost without a doubt.
Dejan Kosutic:Certainly, there'll be a lot of change in this industry. And how about cybersecurity consultants? What do you see as the biggest opportunity for cyber consultants?
Thom Langford:Oh, on the whole, I think the biggest opportunity is actually to help companies use it effectively and for their benefit and to use it in such a way as it will improve security in their environments, not sort of slowly chip away at it. So I think consultants have got a, again, another sort of golden opportunity. It's probably a little bit excessive, but you've got a big opportunity in front of them to pivot as to how they can ensure that their customers are able to leverage AI capabilities, not just Mythos style stuff, AI capabilities internally anyway. See, if you're running your own SOC for instance, you know, actually using AI more effectively to build dossiers of activities that are happening that can be presented to the SOC analyst, who then decides what to do, etcetera.
Dejan Kosutic:Okay, so let's wrap up the discussion. So the last question, what would be your top recommendations for CISOs on how to prepare for Mythos and other AI models that are similar models that are coming?
Thom Langford:I've got to say is if you're not doing it already, it's the preemptive security side of things. It's the exposure management combined with your detection and response capabilities, because if you get that right, this massive onslaught of vulnerabilities, which is inevitable, will have significantly less of an impact on you and your security operations than if you don't have it. Because if you don't have it, you're going to get flooded with vulnerabilities, and you won't know which are the most important ones because they're all gonna be tens. And you won't know which ones you need to fix first. You will literally just... it will feel like your vulnerability management program has gone back ten years because now you just have a glut of vulnerabilities that you have to fix.
Thom Langford:Whereas if you're focusing on that preemptive security, that exposure management, and actually shining that light into the areas of your attack surface that you're fully confident in, and you'll have full confidence that it's accurate, you will be able to prioritize far more effectively.
Dejan Kosutic:Okay, this is really a great show and thank you for this insight, Thom. It was a pleasure talking to you.
Thom Langford:Thank you very much.
Dejan Kosutic:Thanks again and thank you everyone for listening or watching this podcast and see you again in two weeks' time in our new episode of Secure and Simple Podcast. Thanks for making it this far in today's episode of Secure and Simple Podcast. Here's some useful info for consultants and other professionals who do cybersecurity governance and compliance for a living. On the Advisera website you can check out various tools that can help your business. For example, Conformio software enables you to streamline and scale ISO 27001 implementation and maintenance for your clients.
Dejan Kosutic:White label documentation toolkits for NIS 2, DORA, ISO 27001 and other ISO standards enable you to create all the required documents for your clients. Accredited Lead Auditor and Lead Implementer courses for various standards and frameworks enable you to show your expertise to potential clients. And a learning management system called Company Training Academy with numerous videos for NIS 2, DORA, ISO 27001 and other frameworks enables you to organize training and awareness programs for your clients' workforce. Check out the links in the description below for more information. If you like this podcast, please give it a thumbs up, it helps us with better ranking and I would also appreciate it if you share it with your colleagues.
Dejan Kosutic:That's it for today, stay safe!