Welcome, Rick Hemsley

Rachael Lyon:
Hello, everyone. Welcome to this week's episode of the To The Point Podcast. I'm Rachael Lyon here with my co-host Jon Knepher. And of course, I have a thunderstorm happening right now that my dogs are very excited about. Jon, it's one of those days... One of those days.

Jonathan Knepher:
Your place sounds exciting right now.

Rachael Lyon:
It's very exciting. Three dogs, two cats. Just couldn't ask for more. But I did want to ask you something that's been burning on my mind. Have you heard about this angel AI doc or how I became an apocalyptomist? That just came out at the end of last month. And it's this fellow. His wife is expecting their first child, and he's been thinking a lot about the world ahead and bringing a child into the world of AI dominance, if you will. But it sounds like there's a lot of great interviews there.

But like the social media documentary, do you watch and you want to see behind the curtain, or do you just like it? I'd rather not know.

Jonathan Knepher:
I mean, that sounds pretty scary to me. I've been worried about similar things, and yeah, I don't know if I want to think about it too much more.

Rachael Lyon:
Yes, sometimes it's nice. Just keep the blinders on. Well, I'm so excited to welcome today's guest. Please welcome Rick Hemsley. He's the UK and Ireland cybersecurity consulting leader at Ernst and young with over 25 years of consulting and industry experience. Rick. Rick continues to work as he always has throughout his career with a broad range of organizations, including governments, to improve their security posture. With Rick's advisement, clients have been able to enhance reporting and operating models.

This has also helped clients gain an actionable and accurate picture of their cybersecurity posture and build a priority list of activities to further enhance cyber resilience. Rick joined Ernst and young in 2022 from a large global consulting organization, where he delivered key cybersecurity transformation projects for clients. Prior to this, he worked in leadership roles for many leading cybersecurity organizations. Wow. Welcome, Rick.

Rick Hemsley:
Hi. Thank you.

Rachael Lyon:
Thanks for joining us. So we're going to shake it up a little bit today, and we're going to bring the end of the conversation to the beginning for this week's chat. So, always curious what the path to cybersecurity has been, you've got 25 years of cybersecurity consulting. What does that path look like in that time?

Rick Hemsley:
Yeah, I mean, it all started out at university. I did a computing science business degree, undergraduate degree, got super interested in how computers were connecting and talking, and communicating and dating myself, Unix, different flavors of AIX or whatever, Unix and Novell NetWare, and lots of things from the distant past that most of the listeners probably will not remember. Some of that interest was really driven by a book I read early in my time at university. It was one, I think, a number of friends and colleagues in the industry have talked about and referenced. But Cuckoo's Egg by Clifford Stahl. And in my best attempt at geeking out and really loving my topic, that it felt like a thriller to me, a spy thriller, a really kind of search for that mysterious hacker. And it just got me excited about how things were connected and how they could do things maybe that they weren't meant to do, or how those things happened. And then, since then, it was rolled into it out of university before effectively doing cyber work, but not called cyber at that point in time, maybe just.

Rick Hemsley:
Or information assurance, and then through a career, just through identity management, instant response, pen testing, red teaming, strategy advising organizations. It's been fascinating. It's just never the same day twice. I was asked the other day, was it passion or money that drove me to cybersecurity? And it was definitely passion. Some of the young students, when they come in, we were hosting some school. Some school kids at the moment, I call them kids. That's terrible.

But you know, school people at the moment, and they're thinking about this as a career, and that was their question. And it was definitely passion.

Rachael Lyon:
Absolutely. Because it's so. It's ever evolving, too. Right. You learn something new every day. And I just can't think of other professions where that's the case. So, at what point in your career, though, does this AI thought bubble start entering your consciousness, and you're like, hold up a second, I'm seeing an intersection here with cyber risk that perhaps we need to start looking at.

Rick Hemsley:
Yeah, we've been kind of thinking and talking about it for so many years that it was something way out in the horizon when computers could do different things and interact in different ways that could really change the game. And I think maybe about three, three and a half years ago, myself and some colleagues at EY were running workshops for a number of decision leaders across government and with industry, and we were really starting to talk about AI being used as a threat vector and a mechanism to generate malware, to generate phishing emails, crafting those better emails to socially engineered users. So we've been talking about that risk now for a number of years and seeing it enacted and seeing it happen. And then in the last few years, really been thinking about the flip side to that, the use for benefit. And we're seeing those threat actors use it. We're seeing attacks happen at machine speed. Our defenses need to be at machine speed. How can we do that? And then the wider piece of we want to use it in our businesses, we want to gain an advantage competitive advantage in our businesses, and business leaders are pushing on with it.

Rick Hemsley:
How do we secure that data? How do we keep trust levels? How do we do all that? So, yeah, it's an ever-increasing topic and conversation piece. And I think at RSA the last few weeks, the number of mentions of AI were, if you're playing buzzword bingo, you were done within the first two minutes.

Rachael Lyon:
Yes. It's like what zero trust was a few years ago. Right? I mean, you just couldn't escape it.

AI's Dual Role and the NAVI Threat Landscape

Jonathan Knepher:
So, Rick, I wanted to start off the rest of the conversation, you know, starting around the threat landscape and so on. And I was hoping you could start with giving us a background and an overview of NAVI and what that means to security teams.

Rick Hemsley:
Okay. So we published a report, EY published a report late last year, and we talk about NAVI. So, the nonlinear, accelerated, volatile, interconnected nature of various things. And from a cyber perspective, we're seeing that nonlinear triggering sudden tipping points that can catch organizations by surprise. The accelerated pace, just the speed of response needed, the volatility, the frequent changes, the direct organizations are needing to be agile and cyber even more on top of that, and the interconnected nature of business, today, we're in supply chains. We're interconnected to societies. So those cascades of that. So we see one constant thing in cyber, and that's change.

Rick Hemsley:
And threats evolve. We're seeing sudden shifts in exposure, we're seeing that increasing pace. The breakout time that we call out in the report is continuing to fall. The challenges and agility, just that meeting with CISOs, meeting with security teams, is what's the next threat? How do I deal with this? And attackers are doing something different. So constantly need to be agile, constantly needing to be aware of what's happening. And then I mentioned RSA. There was a session at RSA where we were seeing zero-click attacks on AI and the data and the systems connected to it in some of the sessions. And it's fascinating what is capable, and it was eye-opening to some degree as well.

Rick Hemsley:
To think of the pace that we're seeing.

Jonathan Knepher:
That, yeah, that zero click in AI is something I noticed on one of my devices. Just sudden outbound requests as my phone's AI processing emails, and it's like, why are you doing this? But coming back to this framework and the AI interaction, how is AI impacting this? And you mentioned that dwell time in the report. The dwell time drop is just astounding to me, how quick it is.

Rick Hemsley:
Yeah, I think so. We see that movement and the breakout time as well. I'm forgetting the number now, but in CrowdStrike's report, they talk about seconds. It's for breakout and the use of machine. Humans are not breaking out at that pace as much as we might think. There's some amazing hackers and amazing people and threat actors out there. It's machines; they're using machines to operate at that pace. So I think that's the big thing that we're seeing.

Rick Hemsley:
And then when you look beyond that, the report talks about some of the losses and some of the impacts on it, potentially just very, very large.

The Governance Gap and Beyond Shift-Left

Rachael Lyon:
There were some really interesting findings in this report, and for all of our listeners out there, we will be sure to link to this report so you can have it in the show notes. But it looks like you guys found that half of all organizations have already been negatively impacted by AI. Introduced bones, average losses of 4 million per incident. And then on the flip side of that, you've got 68% of organizations letting employees basically innovate. Right, build and deploy AI agents with seemingly little to no oversight. Because innovation doesn't wait. We have to move forward. So when you put these two things side by side, though, what does that tell you where most enterprises are today in terms of AI governance within their AI transformation strategies?

Rick Hemsley:
Yeah, I think it's definitely lagging or a gap. I think we see that. One of my colleagues had a really interesting chart we put up with some clients recently, and it was talking about the pace of innovation as the top line and how fast the business and the organizations they wanted to drive forward on AI initiatives. And then below that lagging line, with a gap between it to where technology organizations within the companies, within the organizations, were running, and then even below that, where the cyber teams were, and that. So that increasing level of gap, when you go with pace and innovation, is material, and it's impacting organizations today, and threat actors can exploit that gap; they can be more agile, they can adapt. If we're relying on legacy controls.

Jonathan Knepher:
So Rick, in the software engineering world, we're always looking to shift left, shift left about everything. And I think that's always been true for security as well. How do we get security earlier in the development cycle? Reading through some of your material, it seems like this isn't sufficient. Why is it not sufficient and. And what is the right answer here?

Rick Hemsley:
So I think I agree. I've also been advocating that shift left. I think we all have for so long, and I think it's the pace of innovation and what we're doing and the risk of cybersecurity, cyber resilience, becoming the blocker to the innovation and blocker to the ability for the organization to function. We're seeing that move at a pace, wanting to move at a pace, and cyber not being able to be that business partner and helping them achieve their goals safely. So I think it's a kind of flip in mindset of being an enabler, not a blocker. Building trust together, managing risk, and establishing some of those guardrails around it. So clear points around human factors data, the various aspects we talk about it in the report. I won't bore everyone by reading out titles from a report, but it has those guardrails establish a framework that enables the business, and you can work in partnership with the business to achieve the outcomes.

Rachael Lyon:
And as we all know, blocking just makes people find other Creative pathways to 100% get done what they need to do. Not that I have ever done that in my career. Just so we're never never so we're clear. But it is interesting as we see the development of adversarial attacks, meaning targeting AI systems through new vectors such as data poisoning, prompt injection, and model theft. It looks like you guys have reported that AI-generated phishing is up 67%, phishing attacks 442%, and just all of these problems overlapping, and do they all have a common solution, or are there overlapping solutions that we need to then look at on how to address this, but also move at machine speed, hopefully to do that?

Rick Hemsley:
Yeah. Anyone who walked the floors in RSA and saw the many silver bullets to solve all problems will hopefully be as skeptical as I am of that these days. I don't think there's not a single magic silver bullet or solution to these things. I think that human factors piece we talk about culture and awareness are a topic that I don't think ever should go away. Well-trained, informed, skeptical users of systems will provide much more resilience than any tooling alone. Curbing errors and helping people detect social engineering campaigns. But those better phishing emails, those phishing attacks, all of those have improved. So, looking for some of those traditional things just aren't there anymore.

Rick Hemsley:
But it doesn't mean we don't need tooling. And I would strongly argue that the brilliant basics, the having a clear view of identity, who is in your environment, and that identity isn't now just humans, it's robots, it's AI, it's all of these things. What are those entities trying to access? Why are they trying to access it? Is that a valid reason? So that leads to insider threat programs. And those insider threat programs aren't just insider threat as in a human, it's an insider of any variety.

AI Supply Chains and Agents as Insider Risk

Jonathan Knepher:
Can you talk a little bit too about the threats that might come in via large language models, where CISOs and so on might not have a lot of control, and especially things like AI supply chain attacks.

Rick Hemsley:
Yeah, definitely. And we talk about that obviously in the report. We're seeing that CISOs are, that we're working with, that you are working with, are mitigating those AI supply chains by working to have transparency, visibility, minimum security standards across those third-party providers and the AI components, where they can't achieve that, that's when they have to start raising the flag and saying, look, there's our data. There are potentially the crown jewels going into these systems. We need to do that. So, strengthening the asset management and rigorous third-party risk control. Again, the basics, the cryptographic verification, Are we using the right models, our data models and the data we are sharing into things, Are we being respectful of the GDPR and all the privacy requirements that we have and look for those hidden dependencies and vulnerabilities, just as we would in software engineering around the whole supply chain of components, Are we introducing more vulnerabilities through any of that external AI software and code?

Rachael Lyon:
The big conversation on AI, too, which I find this a little fascinating. So everyone's moving towards automation, agentic AI, and helping us out. But I guess what is your perspective in terms of how much human judgment needs to remain in the loop? And I say this, you know, kind of flagging things like sometimes these agents just lie to your face, and then you call them on it, and they say, "My bad, you know, so we kind of have to manage through that." So what is your perspective there?

Rick Hemsley:
Yeah, definitely. I mean, I think, I think it's, I said, I sat on a number of those sessions at RSA looking at, looking at different agentics and everything. I think it's not an Easy question, definitely, but one that we have to address. And I forget the presenter, but the topic was something along the lines of your agents are my minions. I call it the presenter who's very good at both the content and the showmanship on the presentation, you know, but those insiders, those agents becoming insiders, being attacked, being turned to achieve outcomes for threat actors, is terrifying and something that we really have to think about. And without humans in the loop, without some judgment remaining in the loop, I think we're missing ourselves. But then, to your point, the machine speed, there are some things we're just going to have to accept, have to be done at machine speed, and get comfortable with it. And it's that balance we're in at the moment.

Rick Hemsley:
And I personally don't have a silver bullet magic answer for it. It's judgment, and it is judgment from the CISO. The risk, thinking about the data use cases, getting back to the basics. What are we protecting? How critical is it? What are the priorities? What would the impact be? How do we continue to operate and be resilient?

Jonathan Knepher:
But given that, what kinds of things can enterprises do to detect these threats? Right. You've already mentioned you kind of have to send these models certain amounts of private data in order for them to do what they need to do, like and prompt injection and all sorts of other things are open risk vectors, right?

Rick Hemsley:
Yeah, yeah, I think, I mean, just, you know, I mentioned that title. Your agents are my minions. They are, they are a potential insider risk. So treat, treat your data flows. Treat, treat all of that as you would with an insider risk program. Think, don't, don't separate them into their machine. They're, they're, they're an entity operating with your data. Think about them as a potential insider.

Rachael Lyon:
Coming back to, I guess, per incident cost. Right. It's quite significant. And these things can grow over time, as we know. So how can these things, these are real-time attacks that require real-time action. How confidently can enterprise security teams be that they can act in real time and get ahead of these AI-driven threats?

Rick Hemsley:
I think the only way we can do that is by adopting and using AI ourselves.

Rachael Lyon:
AI to solve for AI?

Rick Hemsley:
Yes, AI to solve for AI. Yeah, we're seeing that with clients, TNT out we've been implementing, and again I wouldn't help, I would labor on specific vendors, but we made some announcements at RSA ourselves as EY where we're working with particular technology organizations around having agentec agents into SOC and using it to help support the defenders and being able to manage those risks. This is where the organizations we work with are shouting at me for not mentioning their names, but I'll be good, no adverts to do so.

The CISO's Seat at the Boardroom Table

Jonathan Knepher:
How do we enable the decision makers and the CISOs to get a seat at the table to ensure that they're there from the beginning on all of these security decisions?

Rick Hemsley:
Yeah, I think the best CISOs we work with today, I think are getting the seat at the table, and I think they've earned that, that right to have the seat at the table. How do I think they're getting there? I think they're getting there because they're talking the language of the business. They're talking in terms that the risk, the understanding of it, and they're using what's happening in the world with governments, with regulators, with shareholders, really placing much more emphasis on, and I'm not going to say cybersecurity, but cyber resilience. We've seen organizations, large, large organizations, massively disrupted by cyber incidents. So that impact on the bottom line and taking the conversation in the language the executives and boards can understand is how CISOs earn that seat at the table. And as I say, many of the best CISOs that EY works with today are doing exactly that. For those that maybe aren't today. I would say look at the business outcomes, translate, act as the translator between tech teams and executives.

Rick Hemsley:
And I'm not saying that executives don't have to be building their education and understand more of the technology side of it, but by talking their language, seek first to understand and then kind of take people on the journey with you. So then educate the execs along the way, bring them with you as involved in an activity with the UK government. It published the Cyber Governance code of practice, and it poses 20, 27 questions, 20-something questions to boards. And the point of that is for them to be able to understand the posture of their organizations on cyber. So I'd say to CISOs, look to things like that and say, could you answer those questions in business language that would be understood by the board?

Rachael Lyon:
Flipping this a little bit, and how we look at it, Rick, and I know there's been a lot of discussion relative to things like AI regulations enacted by certain regions and impact of innovation first versus security first, and those things. So what could be the consequences for those organizations that are saying, you know what, we kind of want to take a little bit of a wait and see approach, you know, kind of see how this thing might play out and get a better sense of things before we dive into the Deep end. You know, is that a play here or do? Are they just really left behind in the dust, and that's not a leapfrog opportunity by waiting?

Rick Hemsley:
No, I think it's an organized, you know, it's a valid question organizations have to ask themselves. I think for me, more and more we see organizations caring about that trust. The trust of their own people, the trust of their clients, the trust of society. And trust is the keyword, I think there. So I think if you wait and see, you are endangering that trust. And I think the guardrails that we propose provide a flexible, business-friendly enablement approach that probably would work well for most organizations to gain the advantages without endangering the trust, not risking reputations, or the horrible end of the spectrum, the fines, the legislative consequences, and I think being proactive in thinking about the risk. In some ways, we have a green field in front of us. How many times in it have we had a greenfield in front office where we can build security in from the start? We've all inherited stuff.

Rick Hemsley:
I started in the 80s, 90s, I've been doing this a while, and we had the legacy, we had COBOL, we had code, we had lots of mad things that we inherited. No one had thought about the security roundabout. Those this is a chance where we're making a fundamental shift in what we're doing with this technology. It's a great opportunity to think about how do we create those guardrails and build security in from the outset.

Jonathan Knepher:
So if you were to distill down to just a couple of action items for our listeners on what they need to be doing right now, what would you be telling them?

Rick Hemsley:
All right, think about those guardrails. The report will be linked. There are five of them. Think about them. Use that to help you secure your AI rollout across the enterprise, generate more value for the business, for the organization, and the cybersecurity function. This is a thing that can really support and drive value for that. The CISO should be helping the business promote the function of what cyber is bringing. It's helping deliver trust, it's keeping the organization more resilient.

Rick Hemsley:
And by doing it right, it'll help the organization keep pace in that NAVI world.

Quantum Computing: The Next Y2K

Rachael Lyon:
I have a closing question, Rick.

Rick Hemsley:
It's a little hot.

Rachael Lyon:
Take a question. Because we keep mentioning RSA, one of the other topics that also came up quite a bit in addition to AI was quantum quantum computing. And for so long, an existential threat. Existential threat. Oh, maybe not, right? I think Google was kind of bringing in a timeline a little bit sooner than others had thought. So what is your perspective there?

Rick Hemsley:
Yeah, that was my other, that was my other fun topic of geeking out and going to go to Quantum sessions. I think there are some really level-headed sessions this time on Quantum, and I think it is a pick which timeline you want to go to. For me today to say it's a Y2K problem again, maybe dates me, and maybe is lost in a lot of folk. We set about documenting and having an inventory of where we were using dates, how those dates were critical or et cetera, et cetera, and how those systems could be updated or not. I think it's the same at the moment. It's what are we encrypting, how are we encrypting, where are those, how are we doing all of that stuff at the moment? Get clear on what you are protecting with what? There was a session that I attended, and it presented the timeline it takes to change a cryptographic algorithm in an organization, and we are still using things that were broken 15 years ago. I didn't see one timeline on any of the sessions that said Quantum wasn't going to happen in 15 years. We need to be on top of it and understand the criticality of where we are today with our data, with our encryption, and start to think about how we would prioritize the action round about that.

Rachael Lyon:
I do remember Y2K very well. I wanted to take a trip, and I was a little nervous on December 31st. You know, should I be in the air when the clock changes? I don't know what's going to happen. What a wonderful reference. Well, Rick, thank you so much for joining us today. This has been a really fun conversation on such a hot topic. I know it's top of mind for all of our listeners. Thank you so much for your insights, and again, we will absolutely link to the EY report that has all of those wonderful insights and data points that folks can use as they start navigating the AI transformation path forward.

Rachael Lyon:
So thank you and to all of our listeners out there. Jon,

Jonathan Knepher:
Smash that subscribe button

Rachael Lyon:
And you get a fresh episode every single Tuesday. So until next time, everybody stay secure. 

About Our Guest

Rick Hemsley, UK&I Cybersecurity Consulting Leader, EY 

With over 25 years of consulting and industry experience, Rick continues to work, as he has throughout his career, with a broad range of organisations, including governments, to improve their security posture. 

With Rick’s advisement, clients have been able to enhance reporting and operating models. This has helped clients gain an actionable and accurate picture of their cyber security posture and build a priority list of activities to further enhance cyber resilience. 

Rick joined EY in 2022 from a large global consulting organisation where he delivered key cybersecurity transformation projects for clients. Prior to this, he worked in leadership roles for leading cybersecurity organisations. 

Check out the Guardrails Report: Reimagine your cyber guardrails to accelerate AI value | EY - Global