Cisco Systems, Inc. (CSCO) Earnings Call Transcript & Summary

Hello, everyone, and welcome to the Cisco and i-4 Webinar: AI and Effective Governance in Cyber webinar. I'm Mark Watcher, Webex producer. In a moment, I'll turn the session over to Gio Tan, but first, I have a few housekeeping notes to cover. Please note your microphone has been automatically muted. So feel free to ask your questions in the Q&A panel throughout the session. And to view the Q&A panel click the 3 dots on the lower right corner of your WebEx window. At the end of the session, a survey will automatically pop up in your browser. Please click continue to complete the survey. We really appreciate your feedback. With that, we are ready, so let's get started. Gio, in a few seconds, it's all yours.

Hi, everyone. Welcome to today's webinar, AI and Effective Governance in Cyber. So as AI is here to stay and top of mind for a lot of organizations, there is a need to incorporate AI risk management policies and set out guardrails within the security resilience framework to navigate AI associated risk and embrace AI. So our experts today, will actually be sharing about the current AI landscape, cybersecurity risk, building AI risk management strategies and real-world examples, including Cisco's approach to Generative AI. So this webinar has been prerecorded ahead of time to enter a good webinar experience. But not to worry, if you have any questions, please post them in the Q&A tool. Our experts will also be here to answer and support any inquiries you have. So on the panel today, we have Dr. Paul Lothian, Director of KPMG Singapore; Dr. Josh Harguess, AI Security Chief at Cranium AI; Matt Carling, Cybersecurity Solutions Architect for Australia and New Zealand at Cisco as well as Wendy Nather, Head of the Advisory CISO Team at Cisco. So with that, Mark, can I get your help to play the webinar recording, please.

Hello, everyone. My name is Matt Roach. I'm the Head of the International Information Integrity Institute, better known as I-4. I-4 is the world's longest running cybersecurity trust group and think tank and was actually founded in 1986, all out of academia and has been a safe place for the CISOs and cybersecurity leaders of global corporations to come together and to learn from the experiences and the wisdom of others. AI has been a very popular hot topic for our members over the last couple of years. I'm delighted to bring together a webinar for I-4 members and also guests and clients of KPMG and also Cisco. Both KPMG and Cisco are strong contributors to the I-4 community, and this webinar is a great example of that. I'm going to bring together a panel of experts to come and share their insights and their wisdom that you can take away and take these learnings back to your organization to help refine the way that you're investing and governing the use of artificial intelligence and AI within your organizations. Delighted to be joined by panelists, Matt Carling from Cisco's Advisory Service, Josh Harguess from Cranium AI; Dr. Paul Lothian from KPMG Singapore; and Wendy Nather, who leads Cisco's CISO advisory practice, and has been a CISO in a former role herself as well as a leading cybersecurity analyst. Wendy, the floor is all yours, and thank you very much for leading this session.

Thank you so much, Matt, and welcome to everybody. I'm excited to be having this discussion, not least because AI in itself is such a controversial topic and is being defined all sorts of ways by people within the security industry, whether there are some people who believe that AI is just sparkling automation, other people believe that AI will save us all. Some people, I think, believe that AI will bring along the singularity. No matter how you feel about AI, the fact of the matter is that this is going to be and is already a disruption in what security professionals already have to deal with every day. So no matter whether you're a true believer or a skeptic, we need to figure out how best to deal with this, this insertion into the business as security professionals. So that's why I'm glad to have all of us here to talk about this with you and people coming at it from different perspectives. So given that AI is coming whether we want it or not, no matter whether you're welcoming it, it is going to create change and create additional risk for the organizations. Again, no matter how you adopt it, there are going to be changes in business processes and risks that we need to manage. So the point of this webinar is to talk about how we can ensure that the opportunities can be realized while reducing the risk to our organization. So how to provide governance within the organization? How to identify risks and mitigate them? And what are the key steps, a security leaders should take?

So let's start with the topic of just the impact of AI overall, how are organizations adapting to this disruptive change that is happening. And I'll ask Paul to kick us off with maybe a view of the region and the clients, including their appetite for adoption and their stages of adoption.

Yes. Thanks, Wendy. And looking forward to the discussion today. A couple of perspectives on the adoption. And it does vary by country, by industry, by region. KPMG did a study last year on the shifting public perceptions of AI. And I think there were some interesting things coming out of that. One of the key topics was the trust and the acceptance really depends on the AI application. And one of the least trusted areas was the human resources, perhaps because of the use of personal data and the privacy. But actually, one of the others was -- most trusted was for AI use in healthcare because people are seeing maybe the benefits of treatment and care. Looking at the risks, cybersecurity, which is a key topic today, that was one of the top areas. There's obviously different risks associated with AI, and I'm sure we'll get into those in the course of the discussion. But of lowest concern was the AI bias. When we look at sector sort of approach, and this is a global view. People are trusting the universities and also the defense organizations to develop, use and govern AI. But maybe they're a bit more skeptical about how the government and commercial organizations are using or exploiting this destructive technology. The country view, and Asia Pacific is obviously a vastly different region. If you include some of the big countries like India and China, they're probably top of the adoption, where they're more like wanting to embrace the opportunity. Those are, of course, closely followed by Singapore and South Korea. And interestingly, Singapore, where I'm based, one of the key things of the study. The participants are most trusting AI at work, so really embracing it there. And then when you move really to Australia, there's maybe a reduced benefit of the perceptions that came out of the study and the usefulness of AI. So I would say maybe more ambivalent towards the adoption much like maybe U.K. and Canada. That was one of the other key things that came out of this survey. So you can see there from some of these points of view that the AI adoption and benefit and regulation, there's quite varied views, Wendy.

Yes, all over the place. Thank you. Josh, let me move to you next. How can organizations understand their AI risk?

Sure. So first of all, definitely, agree with Paul there. I mean the disruption that AI is causing is kind of here to stay. We're going to see a lot of adoption. And with that adoption, obviously comes some amount of risk. So what are these risks? How do we understand them. It's a rapidly evolving landscape. The biggest risk really right now is just the lack of awareness and education. So I think that's a big one to inform yourself, inform your teams, learn something about AI, learn something about data intersection of AI and security. AI does introduce a new set of vulnerabilities, not really previously imagined. There's things like model and data extraction where you can actually retrieve training data from some of these models that were used. Obviously, that has implications with data privacy, PII, PHI. We also have things like data poisoning where if someone has access to your training data, that can introduce the backdoor into your model and be able to manipulate your model at will. These are sort of things that all -- traditionally, I need to kind of worry about. And then in the case of generative AI, now we have things like prompt injection attacks. So you may have seen some interesting examples, for example, a Chevy dealership essentially just use ChatGPT to have interactions with customers and some hackers were able to turn that agent into a Honda salesperson, for example, or sell it a car for $1, something like that. So really interesting new attacks that we need to be aware of. Obviously, AI-enabled cyberattacks, so scaling traditional cyberattacks to much wider and more sophisticated campaigns where phishing attempts are going to be very hard to recognize. They're going to look like they're coming from humans. A really interesting example where some folks were fooled by a Zoom meeting with deepfakes into handing over a bunch of money. That was a recent example and pretty dangerous. Deepfakes, I think that's one definitely to be aware of with the election coming, deepfakes disinformation. Obviously, that's something that we're thinking about. And then some kind of nontraditional things that are a little bit outside of security normally, but they're definitely at risk here, things like bias. So bias could end up in your training data sets, but then ends up in your models as well. The lack of transparency and what's actually going on in these systems. And then finally, I think we're going to get to this later, but the compliance third-party risk piece.

Yes, absolutely. And for example, someone asked Generative AI to pull down a bio for me, to write a bio and instead of scraping a copy of my bio, which is all over the place, all over the network, it wrote one and decided that I had worked for the NSA. So because apparently, if you write about women working in cybersecurity, most of them will have spent some time at the NSA. So that's how it came out for that. A hacker friend of mine took voice samples from many of the YouTubes of me that are out there. And within 15 minutes, had generated a very plausible-sounding recording of me, suggesting things that I would ordinarily never suggest. So in just 15 minutes. So yes, these are the sort of risks that [indiscernible] said, just run the gamut. Now Matt, let's come over to you and talk about AI readiness.

Yes. So I guess this -- Cisco did a survey. So 8,000 businesses across 30 countries and is really to assess the readiness of the organization. So we're going to prepare for disruption. It's like basically, let's get ready. So it's got the Cisco AI Readiness Index, so you can search for it. It's got some nice breakdown. So wherever you're listening from your country, you can see how your country or your peers in your country are ranked against, say, the global benchmark. So obviously, some countries are more experienced or being focused on the AI challenge for a bit longer than some others. But when you look into [indiscernible], so about 84% of the businesses think that AI is going to have a significant impact on their specific business. And then we assess the -- their readiness across 6 -- what we call the foundational pillars and only 14% of those all thought they were pretty much fully ready to address the disruption or to maximize the benefits that AI might bring to the [indiscernible]. So pillars are strategy. Obviously, you need to plan infrastructure. So if you're going to run AI workloads on premise, it takes compute, it takes power, it takes space, networking, so that it's quite a compute-intensive task, some of the larger models. Obviously, it requires data. So Josh referred to some of the risks around data poisoning, but where you're going to provide your own data? Is it solo? What's the quality of it? Is it current? Do you have the right access to it and so forth? Obviously, the governance piece, which we know we're going to talk about later. But our obligations around -- privacy obligations don't go away. And indeed, there are new challenges that AI, especially some of the generative AI solutions coming out, bring to some of our existing obligations. And lastly, I'll say talent. So a lot of the conversations around AI might displace jobs or potentially augment jobs, but you need some pretty specialist AI skills, not just technical skills, but how do you integrate it into our business practices and processes to realize the benefit within your org. And then lastly, culture. So with any technology change, you can see, in some of the organization's success and the benefits require adoption and a mindset change sometimes in companies. So that's -- they are the 6 pillars. So when you look at readiness for disruption, that's just we look at that as a lens to start with.

Yes. All of that, all of that. So since you did mention governance. Let me ask you all, what governance models are being used within organizations that have adopted AI to bring structure and control? And what changes to our current controls should CISOs be thinking about? Matt, let me start with you again first. So you can talk about how Cisco has been handling this?

Sure, sure. So let me step back a bit and obviously, all of our organizations have hopefully mature governance practices across all elements of their business. So to some extent, it's not [indiscernible] net new, but it's making sure that any adoption of AI, whether we're consuming it from a third party or whether it's within in our product, is treated like we treat other concerns at business level. So we sit back and we have Cisco's principles for responsible AI. We published this a few years ago now, whilst things like Generative AI are relatively new and certainly in the press. AI and Machine Learning and all the variants have been around for many, many years and part of many, many organizations, including Cisco. So hence, some of the concerns about AI have been with us for a number of years. So the goal -- the principles -- so how do we bring the benefits and opportunities of AI, but still meet our obligations around transparency, fairness, accountability, privacy, security, that we're touching on, reliability. And then that translates for us into a responsible AI framework, and that's where we start to see things like what are the governance controls, what are the security controls, what are the incident management controls. So it's like, are they adequately treated or do we need to refresh those because there are new threats [indiscernible] of them that AI brings to organization that we weren't treating before because they didn't exist. So it's something like looking at your landscape, what's treated already, make sure it's covered. And then like how do you need to refresh it to address some of the challenges of AI.

Yes. And sometimes you have to be very specific. I remember at Cisco when we got the corporate notification on reminder, never to type in proprietary information into an external LLM, Language Learning Model. Because it's not clear how much of that data would be stored, would be regurgitated to another query and so on. So that sort of very basic reminder is something that has happened in a lot of organizations as they've adopted these things. Let me move on to Paul. What are some of the preparations that KPMG's clients are making?

Yes, it's interesting because I think there's a couple of things on governance, due to the nature of the AI disruption and the risks, I think what we're seeing is that the institutions are developing cross-functional governance, it's not just a business or a tech issue. It's actually cross functional. So a lot of them setting up that top-level governance, even the Chief AI Officer in a reporting to CEO Board because it is covering all the different dimensions from the AI, the risk, the cyber, the tech, the legal and the compliance. There's many aspects. So organizations are adopting a holistic approach and the governance is set up to track and manage the risks and the mitigation whether that be from, some of the bias or lack of proof challenges with AI to the shadow AI and how do you manage the AI in the business and develop it safely and responsibly. So I think that's one thing cross functional. I think maybe the second thing that I'd call out is that the regulatory framework is pretty dynamic to the external environment. Of course, organizations will set policies and standards within the governance, that cross functional governance, which is fine. But it's pretty dynamic. What's happening across regulations. So the front runner is the EU AI Act, recently formalized. We talked about for a few years that set the high bar like GDPR did a few years ago for privacy. And then you have other frameworks across the region, Singapore, China, Australia and then others developing regulation as well. So really keeping abreast of that and deciding what the bar is for the AI, is important. So I think those are a couple of key things that we're seeing being implemented. Then really, at the last point really, I think, is on the operating model and what are the standards we're going to use. I think there's a plethora of standards that have been around from the U.S. including [ MITA ] and [ NIST ] frameworks and then also the National Cybersecurity Center and American agencies producing collaborative efforts on secure AI system development to guide organizations on how they do this. So I think those are 2 or 3 or maybe the strategic and the operational things that organizations are doing.

Great. And Josh, from a Cranium point of view, how do you see governance being implemented?

Great question. I think there's a lot of information, I definitely agree with, presented already. The EU AI Act is definitely in the way from what are we actually going to do [indiscernible] wise giving some actual penalties to how they're seeing the adoption of AI and the use of AI. And there's some others who watch NIST AI Risk Management Framework is one, the White House executive order that's playing out right now. We'll see how -- we'll see what comes out of that. [indiscernible], obviously, which involve the U.S., U.K. and Australia. So it's good to have to figure [indiscernible] of all of these different types of governance that are coming around. So as an organization, I think Cranium, we're recommending folks have an AI policy. So how do you use AI in your organization. You should have a policy, whether it's -- we don't -- you want to use AI or do you want to use it in these specific ways, have an AI security policy, how are you going to handle incidents, to have an incident response plan, have an SOP. So be thinking about how you prepare for these governance and compliance restrictions that are coming. Are you ready to adopt AI? Are you ready to secure AI in your own system? And so some of the things that kind of go around that, I mentioned this before, but training education or where this is paramount here. I think allowing organizations to innovate is still really important, too. We want to embrace AI. So investing in R&D, having sandboxes and proxy data sets, proxy models that the people can use. But those are some ways that we're seeing some organizations adopt governance within.

Great. Thanks for that overview. Paul, how our organizations generally reacting to third-party risk? And by this, I mean, it's clear that organizations are not going to be able to develop their own models for the most part, so they'll be dependent on third-party models or using them at least as part of the supply chain. So how are organizations generally reacting to the third-party risk issue?

Yes. I think it's a good question. And with any emerging tech or disruptive tech, one of the key areas is, you're understanding the landscape, the tech solutions, the suppliers, what they're doing in the supply chain, interdependencies, software building materials is often talked about. So understanding that, and that can be -- for AI can be a challenge because it's new if you plot the vendors or the suppliers, there's a lot of them. I know in the cybersecurity space, there's a lot as well. But AI, there's a lot, it's emerging, it's changing fast. So in terms of trying to manage third-party risk, I think those are a few of the key areas that we're seeing organizations focus on. And then it comes back to, I think, the point that was made earlier about you need to have people in the organization to understand the ecosystem and the landscape and where the risks are, because if your businesses are adopting the AI, you need to do risk assessments and understand not just your own organization, but the ecosystem and the supply chain. Most organizations are running some sort of APIs and connected ecosystem these days. So you need that sort of view, and that comes down to people with capability to be able to understand the risk because you can do a lot of risk assessments, but you might get the wrong risks, so then you get the wrong controls in place or you must spend on controls that aren't needed or not, I think to -- incrementally to reduce the risk. So I think that's probably what organizations are doing at the moment on that journey. The other perspective I'd offer is that is actually -- it's the flip side, it's the use of AI to automate and accelerate the identification of risks in third-party programs where some organizations have thousands or tens of thousands of suppliers, and you just have that shared issue of scale and how do you generate insights from the data. So it's also starting to be used there, particularly because of the large third-party ecosystems that some of the clients have.

Yes, that's incredibly complex. And Josh, let me come back to you and ask about, in general, about third-party AI risk. I mean, what -- how could you even do an AI bill of materials, what would go into there? Would it just be the providence of the models being used and the providence of the data, I mean, what's the thinking on that?

Great question, and I'm glad you asked. This is something we've been thinking about a lot. So Cranium has come up with this thing called the AI Card. And the idea behind the AI Card is, you can request one from your vendors or as a vendor, you can supply one to your supplier or to your requester. And what an AI Card sort of entails is, AI building materials. I'll go into more detail about that, but it also has things like governance. So are you adhering to the NIST AI RMF? Are you adhering to EU AI Act? And you can have that sort of all in place in this AI Card. And then further down the line, what are the unique risks that are mapped back to that Al building materials that we were able to discover. So yes, from an AI building materials perspective, I'm glad you brought that up because that is coming up more and more in these conversations. So a lot of what we're hearing, people depending on where they are in their AI journey is just what is on my system. So the -- it's very easy these days to have an API call out to a large language model that you may not be aware of even happening in your system. So that kind of leads to this like shadow AI discussion. So do you know that there's AI on your system. So just understanding the inventory, what's on your system is sort of first. We've taken an approach to quickly add value of looking at code scanning. So hooking into GitHub, Bitbucket sort of some repositories, understanding what the AI models, data sets, unique libraries that are being used in your system and then mapping that to known threats, whether it's something that we might find in OSV, the open-source library vulnerability, or it's MITRE ATLAS or [indiscernible]. But understanding the unique vulnerabilities that kind of have to do with your system and I kind of [indiscernible] these 3 different types of vendors that I've been hearing about from folks concerned with this TPRM side of things. One is a vendor that's using AI, they're very open and honest about fact that they use AI and they're very clear and transparent on that. Obviously, those are rare. A vendor claiming to use AI, and it's actually a formula in a spreadsheet. So that's one flavor. And then finally, the one that's kind of that shadow AI case where there's a vendor that doesn't disclose their use of AI or doesn't know that they're using AI, but they are actually is some AI under the hood.

Yes. Wow, that's a lot to worry about. Matt, how is Cisco dealing with this? And how are we prepared to support clients on this?

Yes. I guess like 2 lenses. So one is, obviously, as an enterprise, we use third party suppliers. And so we run a program for CASPR, Cloud Application Service Provider Remediation. And it's like, as Josh and Paul described, its risk assessments against our providers. And one of the key questions, and you raised this earlier when news around, well, if we put data into a service that does AI, maybe it's in the context because it's chatbot type of application, maybe sort of trivial augmented generation, and we want to load in our own knowledge base to complement our publicly trained model. How does that intellectual property or confidential data, sorry, Cisco, stay within our sandbox or our space and not become part of the general knowledge of that model, of that service provider. And we're going to see -- there's been incidents where various organizations have -- this is a great tool, and they put confidential data in there without thinking about the safeguards around well, where does that data go? And is it still ours to some extent because it is now part of the bigger model. And so when you look at just things like data protection, then we've got tools that we have today, do you run DLP, Data Loss Prevention, on your inputs into external chatbot agents, large language models. Do you filter for a certain personal identification like social security numbers in the U.S. context or whatever country you're in around to make sure that you don't put that into that service because it was never approved or you'll have some legal obligations on certain data types that you can't put them into the cloud or you can't put them into that provider because they're not assessed or they don't have the right certifications. So all of those concerns will apply. And so it's really expanding those risk assessment frameworks, so to be able to mention to make sure it covers the AI use case. So to flip it around to our clients. And we've talked about this, the scorecard, but like obviously, we run a trust portal. We try and provide as much transparency documentation of what actually where is your data, where is it processed, is there AI involved. So we're all on WebEx today. There's a lot of AI here. We've got virtual backgrounds. We can kind of hear dogs barking, so there's a lot of AI in the technology. But then these assistants now will automatically summarize the meeting. And so, like an exact summary of the meeting that Matt and Wendy hosted and it will generate quite a good executive summary about we spoke about, all the key points. So I missed the webinar. So in the [indiscernible] angle well, where did that occur? Because ultimately, there's a video recording and an audio recording, we put that somewhere. And then some AI algorithms pull that and keeps that information and then turn it back into readable text, quite well structured. So all of that -- we're just transparent about where and how that happens and how you can opt in and opt out, right? So if you don't want those features, [indiscernible], I think an important thing in AI is how you can opt out because I don't -- I'm not prepared to accept that risk.

Yes. And that's very important. It sounds like transparency is key, no matter how you're using AI and what you're doing because it isn't just like DLP where you're trying to look for particular well-defined character strings anymore. It's how you are putting this knowledge together to generate or infer certain types of information which may not have anything to do with particular known strings. I have some friends who have been hacking LMs for some time now and you probably heard the expression, Google Dorking, and they describe what they do as prompt dorking, where they will play with prompts until they can elicit at different times, pieces of the information they're trying to get and then put them together just then to draw some sort of context and data that you might not have foreseen with the older models of DLP. So yes, this is on a different level entirely. So let me follow up by just asking the 3 of you, what do you as security leaders see as the benefits of AI, benefiting you and your security teams going forward? Let me start with Paul and see what he says.

Yes, thanks. And I think when we look at where is the benefit or where can we use AI in the security risk organizations. I think we're seeing clients maybe exploring in a few different areas. It tends to be the areas where there's large data sets to generate insights. So really, there's a couple of different areas from forensics and instant response, I think that's where they're starting to explore on that for the [indiscernible] and the triage, which have traditionally take a long time. So that's kind of one area where we've seen clients look. And the other is on identity access management. Again, in the larger organizations, you have provisioning, behavior analysis and review, which AI can all help with. And then you also have the broader security operations space where I guess there's more vanilla use cases with metrics and dashboards and reporting, which has been around for a while, clients starting to explore that. But then also looking at maybe more the chatbot side of the things for detailed analyst remediation as well that can help accelerate the time to remediate vulnerabilities just because that richer quality information is there. And then I think finally as well, there's some other area around the tech surface management, which is popular at the moment, particularly where there's large internet presences globally to baseline that and monitor it again because it's a large-scale data set and can help generate baseline and insights and continue monitoring. So I think those are 2 or 3 of the areas where we're definitely seeing AI powering or helping to power the -- some of the security capability.

Okay. Great. And Matt, benefits of AI for security, where do you see?

Yes. So obviously, we can see the role of AI Assistants to sit side by side with the SOC operator or the incident responder where you've got lots of data. And you can [indiscernible] and support in your role. So sort of that efficiency, productivity gain from having an AI Assistant. But then as Paul is saying, there's rules for AI and machine learning, where it's the data is vast, and that's where machines, machine learning, AI, can pull that insights that really humans wouldn't be able to do. So Cisco for a long time has had encrypted malware analytics. So, when we look at all data on the Internet is generally increased. So what's the good data and what's the malicious data. And so that's a good challenge for algorithms to say, is there something about the behavior of malicious packets traversing a network or something to do with the payload that leads you think it's probably malicious versus [indiscernible] good traffic. And so that's a good ML/AI challenge that humans really can't process. And I guess the other areas where even where humans can do it, can we do it at the scale needed? And so when we look at business email compromise, right? So if we look at any email security or a number of indicators to do with the markings or the headers of the e-mail that might indicate that it's a phish or a malicious email, there might be malicious attachments. But what about the body of the email itself. So when we look at phishing text or business email compromise. The urgency of an email saying, I you need to transfer the money, but if the CEOs overseas that scenario, there's a certain language that's trying to entice or incite the recipient to action. And so that's a good analysis of what can AI say, well, like it's look like it's got the right level of urgency. It's got some people involved [indiscernible] maybe they don't normally communicate that way. And you could do that as a human, but could you do that across the millions, if not billions of emails that flow around every day. So it's all about that scale solution I think that's another opportunity that AI can open that security space.

Yes, definitely. And then, Josh, from your perspective, what are the benefits? And I know you've worked in AI for a very long time now, so I'll have to ask you to -- not to enumerate everything because I'm sure there's -- with you, a very long [indiscernible].

Matt and Paul covered quite a bit. I think I'll double down on like scaling teams to address these exponentially rising threats. That's a huge one. The fact is we have a lack of cybersecurity talent. We have a lack of AI talent. And then when you kind of intersect those 2, those are unicorns, this AI security person. So being able to scale teams with tools. That's huge. I'll say that some other things that may have been mentioned, for sure, augmenting human performance, I think that's a big one. So using chatbot assistance or using code-development tools, things like this to speed up your workflows. And something that we're hearing a lot is whether or not AI is going to replace people in the workforce, that's sort of to be seen. But one thing that we know for sure is that someone using AI is going to replace someone that's not using AI. So you definitely need to be comfortable with these tools kind of moving forward. And then I think I mentioned this, but automated workflow's agents. So agent-based approaches to how we currently do things, that's certainly coming. And then I'll end with traditional AI, and sort of the AI up to now has definitely needed data. It's been like really, really hungry for data. But these foundational models that have been developed they actually do have use cases for limited data. So if you're bringing a small amount of data that you want to try to extrapolate on or train on or bringing to like a RAG architecture as it was previously mentioned, that is possible now. And so the applications of these things are also expanding.

Wow. Okay. Now let's wrap up. I'll just ask each of you to give us one additional piece of advice that you would give to the CISO or security professional listening to us today. Let's start with you, Paul. What last piece of advice would you give?

I think the organizations that we see more successful are the ones that are embracing the AI, but then also conducting good quality AI risk assessment, red teaming and the cyber tools, again, the familiarity with the risks, make it real, make it practical and then they're able to evolve on their AI security journey.

Wonderful. Thank you. Matt, over to you. What last piece of advice would you give?

So to give different advice to Paul, although I agree with Paul, obviously, is -- have a strategy for AI and then communicate it within your organization. So almost certainly, there is shadow AI in your organization because there's 0 cost. This is free tiers of everything. And it's almost certainly in your org, you're just not aware of it. So part of the getting ahead of that is have a strategy and then communicate it to the organization rather than let them work things out by themselves.

Okay. Great. And then finally, Josh last piece of advice?

I think one thing we've been encouraging folks to do is to bring a diversity of thought to the table when discussing these topics. So certainly, having a policy, certainly discuss this across your organization, but bringing people together that have different backgrounds. So software engineers, AI talent, cyber folks that understand red teaming and pen testing. You need a lot of education and sort of backgrounds in order to attack these problems appropriately. So having that diversity of thought is really important.

I really like that. That's a great one. And then I'll just contribute one piece of my own, and that is to make sure, as a security professional, you understand what business processes and business decisions are going to be affected by the adoption of AI, especially if there's a proposal to automate business decisions that before now have only been made by human. Now given that AI is usually being used these days to be a supportive function for business decisions that are still being made by human, it always behooves you to ask about the source of everything about the AI, the models being used, the data being used, the assumptions being made by those and how those are going to affect the business decision being made, but it always comes back to how is the business going to be changed or affected or influenced by the use of AI. So I want to thank everybody for joining us, and I will hand it back to you, Matt Roach to take us out of here.

Thank you so much indeed. And really a big [indiscernible] thank you to our panel and to Matt, to Josh and also to Paul. This webinar will be available not only on Cisco's systems, but also in the I-4 knowledge bank, and will live on for those CISOs and those cybersecurity leaders that come after us for decades to come. AI has been seen as, and been described as mankind's society changing like the discovery of fire. And for me, it's very much more akin, I think, to the discovery of the wheel. It will help humans go faster. But I hope in this session that we've actually put some road sense and some road safety and some rules that will help us go faster but safer. So thank you very much to Wendy and to our panelists. And if you enjoyed this session, this is a buildup to the I-4 Asia Pacific regional meeting, that will be taking place on the 14th of May from KPMG in Singapore. It's a hybrid event, so you can join from anywhere in the world. We'll be looking at critical infrastructure interdependencies, we'll be looking at stress management and burnout within cybersecurity leaders and teams. We'll be looking at security resilience and how best to safeguard your business as well as having an insightful incident response panel, which will be featuring an organization suffered a cybersecurity incident talking about that alongside their lawyers, alongside their insurers and their incident responders. I hope that, that's an appealing educational session for you, and I look forward to welcoming you to another I-4 session again soon. Thank you very much, everybody.

We'd like to thank you all for attending this event. We hope you found it informative. And as a reminder, please take a moment to complete the confidential survey that has been posted in the chat panel. It will also pop up in your browser as you exit. Thank you for joining, and have a great day.