PODCAST

The CVE Tsunami Is Coming – Are You Ready?

Subscribe now on your favorite platform

Transcript

Shift to AI – Episode 1

Presented by Cycode, the Agentic Development Security Platform

Roland Cloutier

Hi, everyone. Welcome to Shift to AI, presented by Cycode, the agentic development security platform. I’m your podcast host, Roland Cloutier – former global chief security officer at TikTok, ADP, and EMC (now Dell EMC), and digital business executive helping other companies develop their next-generation cyber defensive operations.

This is a show where I sit down with the world’s leading CISOs to talk about the shift to AI: what it means for security, how AI-driven development is changing our programs, capabilities, and mission space, and what it takes to actually build agentic security.

This is our first episode, and I’ve been looking forward to recording this for quite some time, because today I am joined by two amazing peers and great practitioners: Rami Houssaini, a multiple-time CISO and Chief Cyber Solutions Officer, most recently at Cloudflare – but I’ve also known him for well over a decade as peers in the industry, fighting bad guys together and sharing tips, tricks, and working side by side.

And Phani Dasari, Chief Trust and Resiliency Officer – we’ll get to that title a little later in this podcast – at Firstsource. Phani is also a multiple-time CISO, and a little background from my perspective: I’ve known him since he was fresh out of grad school, and he worked in a few of my organizations early on. It’s just great to see so many wonderful practitioners doing great things.

So guys, welcome. I appreciate you joining me on my first kickoff show.

Rami Houssaini

Thanks for having us.

Phani Dasari

Thank you, and appreciate the warm introduction for both of us. Thank you.

Roland Cloutier

It’s not going to last long, guys – I’m going to jump right into it. This question is for both of you, but Phani, you’re getting a break on this first one, so you get to think about it for a second. Rami, walk me through the first 30 minutes of your morning – what you’re looking at before you’ve had your second coffee – and then the last 30 minutes of your day. What does that look like to you?

Rami Houssaini

Yeah, thanks for having me, Roland – a real pleasure to join you. Those who know me know that my first coffee is a cappuccino, and there is no second coffee. I pride myself on following that discipline.

For me, the first 30 minutes are really about signal, not noise – and the distinction between the two has become its own discipline. The volume of AI and security commentary is exceeding anything our industry has seen. So it’s important to stay very focused on a narrow, curated list of primary sources and practitioners who are actually shipping things, rather than getting pulled into the fire hose of noise. I’m scanning for what’s changed overnight in terms of capability – not opinions, but actual changes in capability.

The last 30 minutes is a bit the opposite mode. I take a step back from the stream to ask what everything I learned during the day means in the grand scheme of things. Some of the most important shifts rarely announce themselves in a single headline – they show up as a pattern across a week or a month. So the evening is about synthesis: coming up with the key priorities for the week ahead.

Roland Cloutier

Excellent. Phani, how about you – first 30, last 30?

Phani Dasari

Thank you, sir, thanks for the opportunity. The first 30 minutes – I built my security philosophy around putting a premium on clients and the business. It’s a global organization, so when I wake up, the first thing I check is whether there are any client escalations. Second, is there anything from leadership – my CEO, my CTO? That’s the first thing I do as soon as I start work.

Then I pivot to high-context signals – anything that needs my immediate attention – and act on whatever the outcome of that is. If that’s not the case, I move to understanding how the programs we have in flight are doing, because with a global team, a lot happens while it’s already midday or evening elsewhere. So I want to see what’s been accomplished. That’s how I start my morning.

Roland Cloutier

I find that so interesting – both of you have this concept of understanding your operation: the context and globality of the organization you’re serving, the jurisdictions you’re operating in. I love this perspective of ‘does our stuff work, and has something changed that’s made it less effective.’ This is all about the shift to AI, so we’re going to talk a lot about that, but I hope we get into how this helps us even more with controls assurance, verification, and validity of our operating environments.

Rami, I want to set the stage a little bit. One of the main reasons I wanted you on the first show is that you were both part of important documents written over the last month or so in this changing time. You co-authored the AI Vulnerability Storm: Building a New Mythos-Ready Security Program – but you did it from the perspective of a two-decade in-seat defender. How would you describe the moment we’re facing right now as practitioners?

Rami Houssaini

I’d say that really, we’re not dealing with a storm anymore. Since that paper was released – and I want to take this opportunity to thank the Cloud Security Alliance for championing that community-wide perspective on the topic, and more specifically Gadi Abraham, who really herded cats over a weekend to get that paper released.

Roland Cloutier

One weekend! Never done before, since I’ve been doing this. That’s – what, 20, 21 CISOs, Rami?

Rami Houssaini

A lot more, actually – a lot of co-authors, plus an extended ecosystem of reviewers. That was a great moment for our community.

So to answer your question: from a defender’s standpoint, this is no longer a storm – it’s climate change. For decades, our entire profession rested on one big assumption: if we had skilled talent, enough tools, and enough caffeine, we could think faster than whoever was on the other end trying to attack us. We hired around that assumption, we organized around it – every war room, every tabletop exercise, every escalation path, every quarterly pen test was a monument to the idea that human judgment and human action were the rate-limiting step in our attack-and-defense mindset.

Unfortunately, with today’s Mythos-class models, that assumption has expired. We’re dealing with an environment where AI is discovering vulnerabilities in bulk, chaining them together, and enabling highly orchestrated attacks. And the tools available to attackers have changed too – we’re now talking about the ‘citizen hacker.’ You don’t need to be an expert in networks, applications, or cybersecurity to launch a substantial attack. That’s fundamentally what’s changed.

So we have a moment where we’re going to face some short-term difficulty, because there’s a mismatch in capabilities right now, but it’s also a moment of transformation. This is an amazing moment – I’m genuinely optimistic about the mid- to long-term, because it’s going to force cybersecurity to turn some of these tools inward and ask honest questions about what matters, about having the right architecture, the right resilience.

I believe this is going to be really transformative in a positive way for us – an exciting moment for our community.

Roland Cloutier

I couldn’t agree more. What’s interesting to me, Rami, is that once we get over this hump – call it the next 18 to 24 months – where we burn down the legacy issues and get to a net-new reality, or a new ‘global temperature,’ to use your metaphor, we’ll actually be in a really good spot to defend, to see, to understand, to respond, to be resilient – because we can do things the adversary can’t. We understand our environment, and we’ll have the tools and technology to move faster across a more dynamic view than they have.

So I’m right there with you – it’s exciting to talk about. It’s going to be painful for a couple of years, don’t get me wrong – there’s a lot of cleanup to do, a lot of new organizations to stand up – and we’ll get to that in a few minutes. But this is really important.

Phani, I didn’t see you shaking your head no when Rami was talking. You’re a sitting CISO defending a major multinational infrastructure that touches other companies – a sizable job protecting a lot of different perspectives. Are you seeing signals that tell you this isn’t just security hype, that this is a magnificent change in our digital capabilities, ecosystems, and businesses?

Phani Dasari

Absolutely, 100 percent. It’s not a pivot, it’s a shift – and it’s not just a change in the rules of the game, the sport itself has changed. I love acronyms, so I look at it through a formula: Scope, Speed, Scale, and Sophistication. All four have changed completely.

The scope at which bad actors come at you has changed completely – they can scale in minutes. The speed at which they come at you – you don’t even have days, sometimes not even hours; you have to defend yourself in minutes. And the sophistication – the one good thing is that now everybody has those techniques available. Nation-states used to have this capability; now, to borrow Rami’s words, the citizen hacker has it too. So do we – the same capabilities are available to us, and our advantage is our moat: the domain knowledge we bring, and how well we understand our own infrastructure and what’s important to us.

Somebody put it well: you can’t patch your way out of this. The old playbook is out the window – you have to approach it in a very different way. I know we’ll discuss more, but those are my thoughts on the latest shift.

Roland Cloutier

I want to jump on that – you just made a really good point. Rami, I’m going to throw this out from left field, because here’s my belief: I think we’re heading toward a zero-defect capability. When we release infrastructure as code, business as code, digital partnerships as code, products as code – everything as code – we’re going to have the capability to come out essentially zero-defect and keep pace with vulnerabilities and commitments across the changing external environment, map that to CTI, map it to our general infrastructure, and do some things we’re only just beginning to scratch the surface on.

Phani Dasari

One caveat I’d add, Roland: if you’re not ready to get off your legacy systems – for whatever reason – that’s the exception. Some businesses won’t move off certain applications because of the revenue those applications bring.

Roland Cloutier

Right.

Phani Dasari

Legacy tech is one component, but you have other methods of protecting those systems, like we’ve been doing – you have to keep doing that. But otherwise, everything else you said is spot on.

Roland Cloutier

Rami, since this is a massive change – and I love how you framed it at the beginning – what do you think are the steps to get us toward this zero-defect capability? What do organizations need to be thinking about over the next couple of years to get there?

Rami Houssaini

I love what Phani just highlighted – cyber and technology debt, and I think this is going to be incredibly relevant. I feel that architecture is going to become the ultimate control. We’re past the point where patching is our primary measure of defense – containment and speed are going to be incredibly important.

If we think about how we measure and assess success, we can work backward from there to figure out what it means for investment and portfolio allocation. A few key metrics come to mind: defender lag – time to contain against an adversary’s time to exploit – is an important metric given where we are. The blast radius index – how accessible are our crown jewels? This is where domain expertise, our home-field advantage, becomes incredibly powerful: understanding our most critical applications and the steps needed to reach them lets us qualify and quantify that blast radius.

Another metric that’s becoming more powerful is coverage ratio – how many of our security and technology workflows, tactical or strategic, run through agents, and to what extent our detection and response can operate without a human as the rate limiter. Self-discovery matters too: how much do we discover on our own versus what we learn from an external source, whether adversary or advisory. And mean time to recover has long been the honest measure of resilience, and it’s going to matter even more, because this era is about containment, not eliminating the probability of an incident – it’s about avoiding catastrophic loss and recovering quickly without impacting operations.

If we define those as our key success metrics, then working backward means focusing on defense in depth: the right containment strategies, the right segmentation to limit propagation. Controls that mattered two, three, six months, or two years ago are still going to matter going forward – deploying zero trust consistently across the entire estate, understanding and shrinking the attack surface. So I’d re-emphasize: architecture is going to be the ultimate control in this era.

Roland Cloutier

Yeah, couldn’t agree more. I’m going to ask a question I don’t think Phani is expecting, but I want to get into it because he’s smack in the middle of it. Rami, you mentioned ‘resiliency’ three times in your last answer. Phani, you’ve got a new title – a lot of our peers have moved to Chief Trust Officer, Chief Security Officer, Chief Enforcement… there are 15 different titles now, and titles don’t mean everything. But sometimes there’s a real pivot happening in our industry, and I think we’re at one. As a converged security expert running multiple security, risk, and privacy programs across disciplines, there’s a massive focus now on resiliency, and what it meant three or five years ago has entirely changed.

So now you’re Chief Trust and Resiliency Officer. Talk to me about why your business made that change, and what you think that – and changes like it – mean for us and our peers in this field.

Phani Dasari

So this is my new gig – I joined as a CISO. On day three, I was talking with my boss about industry trends, and I shared my thinking that the CISO role will transform into a trust-and-resiliency role, because the ‘I’ in CISO is about information and data protection – and today’s mandate goes far beyond that.

In the agentic era, companies aren’t just selling products and services, they’re selling decisions and outcomes. What used to be a product-quality issue is now a security problem, because when agents make autonomous decisions at a speed and scale we’ve never seen, the stakes change. Say you’re doing claims processing with a 3 percent error rate across 5,000 associates making 5,000 adjudications a day – that’s 150 errors. Now imagine the model has drifted 100 percent from its baseline: the outcome is 100 percent wrong. Or if someone maliciously skews the model against a particular demographic – now you have a class-action suit against you.

We have a playbook for data loss: how to rebuild trust, and when data is lost, you’re seen as a victim. This is completely different – now you’ve done real damage to individuals, to the business, and to yourself.

Roland Cloutier

So it’s still accountability at a quality level – just a different type of quality – and someone needs to own those next-generation resiliency capabilities.

Phani Dasari

And the consequences are very different. For this, we don’t have a playbook yet, and you risk disrupting your business – potentially losing it completely. Just three years ago we were worried about coordinated inauthentic behavior, misinformation and disinformation spread through AI across social media. Now we’re talking about bias in a product that delivers a negative outcome – from information to drugs. It’s mind-blowing that we have to think about that. Resilience is part of it, but really it’s the trust in what we’re delivering.

Roland Cloutier

Great point. Rami, I want to pick up on your earlier point about doing things at machine speed and the capabilities we need to adapt to. If vulnerability discovery, remediation, testing, and revalidation are all moving to machine speed, what assumptions in security programs are becoming outdated? I’m cheating a little, since you and I discussed this in London a couple of weeks ago, but for peers who are just getting their arms around governance and enabling their business for this kind of work – what should they be thinking about that’s becoming outdated immediately?

Rami Houssaini

Governance is one of the key considerations. In an era where everything is moving at machine speed, the biggest mistake we could make is not rethinking budget cycles and the cost of traditional governance. If approval speed becomes the bottleneck for selecting and deploying a security control, that’s a real problem, because we’re dealing with evolution on both the defender and attacker side, and that really warrants a rethink of governance.

We need AI-powered governance, and clarity on which decisions can be fully automated versus which need humans ‘on the loop’ – not necessarily ‘in the loop’ – to validate execution. We need to shift toward containing rather than patching – a philosophical shift. I like the analogy of building watertight compartments into a submarine: we engineer the environment assuming exploits can happen, but ensuring they’re contained – reducing the blast radius and enabling fast recovery without catastrophic impact.

So it’s not about throwing out the existing playbook – the fundamentals haven’t changed that much; they’re becoming even more valuable. Defense in depth is a core principle for us as defenders: how much segmentation do we really have, how much egress filtering, how much phishing-resistant MFA, how disciplined and rigorous is our identity and access management, and how ruthless have we been about shrinking our attack surface? All of these are still part of the core playbook. What’s changed is how we adapt these principles to machine speed – and that transformation starts with governance.

Roland Cloutier

I want to shift the question slightly, in the same context. When everything is code – the business, the supply chain, the infrastructure – what does defense mean now? What has to change in defense in depth once everything is code, and how does that change program priorities?

Phani Dasari

I’ll pick up on what Rami said – defense in depth as a principle never goes away. That wrapper has to be around your agentic security: the guardrails for AI agents, regardless of what the agent does. But guardrails alone aren’t enough – we’re not at that maturity level yet, because frontier models are changing every single day, so how effective your guardrails are is a moving target. Having that defense-in-depth wrapper on top, and following the governance architecture completely, is how you defend not just your systems and applications, but your business.

Roland Cloutier

I’d add to that the concept of context, intent, and explainability.

Phani Dasari

Correct.

Roland Cloutier

Right now it’s binary – it’s doing what it’s supposed to do, or it isn’t. There’s some context-rich work happening in bot defense and other areas of automated defense, but the reality is, from quality to defense, we have to understand the intent behind the agentic request – from the moment it starts to the outcome it delivers. This outcome-based assurance is-

Phani Dasari

I’d call it outcome-based quantification.

Roland Cloutier

I like that.

Phani Dasari

That’s where the calculation has to go, because it can’t just be a general CRQ anymore. It has to be outcome-centric quantification for every risk you look at. That’s how you make decisions – and how your agents make decisions about controls, control effectiveness, or whether you even want to control a particular outcome. It all depends on that.

Roland Cloutier

The changing workforce – what your workforce looks like in two years – is something we might touch on at the end, but we’ve circled around this idea for the last several questions, and it keeps coming back to the speed of capabilities and what that really means.

Rami, the CSA released that report – we’ve all read it five times, and it gave us a great, actionable framework to build for our organizations and understand the implications we need to think about. It was really well done. But the time between a new issue emerging and business disruption is shrinking fast. You talked about this from the attack side before – time to exploitation, and then exploitation to negative business impact. I’m seeing this happen in under four minutes at some major multinationals with really good teams. On that larger scale, where this starts impacting the business, what’s the first organizational change – in terms of people and leadership – that our peers should make to prepare for that reality? I’ll go to both of you, but Rami, I want to start with you since you’ve put a lot of thought into this.

Rami Houssaini

Organizational change – if we’re thinking about talent, we’re going to need more builders within cybersecurity teams, because both attack protocols and response protocols have shifted. As a community of defenders, we’re going to have to deploy a lot of agents in our own environments – but not blindly. We have to think carefully about the scope of these agents, the identities they operate under, and having the right observability.

I agree with Phani – it used to be that we focused heavily on identity and access management. Now I think we’ll create a new discipline: outcome management, as an actual program for understanding how agents behave in our environment. Builders are one key ingredient in the makeup of a next-generation cybersecurity program.

The second is making sure we’re doing the due diligence to explain this shift across all layers of the organization – executives, lines of business, the board – because they need to understand this is a substantial inflection point. The technical and cyber debt they’ve been carrying on the books just had its interest rate massively increased, and that opens up some interesting transformation opportunities across the stack. If we don’t do that internal roadshow and explain it, we’ll be constrained by a mismatch between expectations and understanding of the problem.

So, making sure everyone understands the problem and the opportunity – because this is really a moment where we could become more agile, more resilient, deliver better user experiences, and actually deliver on the promise of digital transformation we’ve all been talking about. That ties back to governance – decision rights are going to evolve, because we can’t wait for weekly or quarterly meetings to make certain decisions anymore. It’s going to be dynamic, and we’ll need confidence that when we enable autonomous remediation, the thresholds for those decisions are well understood, well accepted, and part of our overall risk acceptance as a business.

Roland Cloutier

There’s an amazing insight that people have a hard time internalizing – that their organization is going to look very different, and they have to start with ‘what can I do, what’s my responsibility.’ Think about your digital ecosystem as a set of concentric circles – the old bullseye model for protecting data. As you move from the internal to external layers of the business, visibility, accountability, and authority get smaller and smaller. Maybe it’s our data, maybe it’s an external process – but not everything within our digital ecosystem is ours to control.

So we have to rethink the services we deliver back to the business. Speaking of services and readiness – Phani, let’s say you’re walking into a new Fortune 500 organization tomorrow. Oh wait, you are doing that. [laughs] Rami talked about three metrics he looks at for this shift to AI. What are three indicators of readiness you look for when you walk into an organization?

Phani Dasari

Do they have visibility into their AI pipeline – shadow AI? Do they have a comprehensive view of what’s going on? Because you can’t predict what you can’t see – that’s step one, and honestly I should get that tattooed.

Second, is there a governance structure for onboarding agents and supply chain partners? When your new shiny tool is in the hands of every employee in the organization, they’re going to do a lot of things – some good, some not so good for the business. So how are you governing that? Do you even have a governance structure? And if someone tells me governance sits solely with the CISO, that’s not a good governance structure – you need the right people at the table: your chief AI or data officer, whoever in the business owns the agents – probably your CTO, your CPO – and of course the CISO.

Third, do they have the education in place – not just for leadership, but for everyday associates?

Roland Cloutier

Can the teams actually do it – do they have the requisite skills, is there vibe-coding happening? Phani, I’ve had this conversation with other leaders over the last couple of weeks – we have to make hiring decisions starting now. If you’re not AI-native, you can’t work here. People have to redevelop themselves to be AI-native.

Phani Dasari

Exactly. And you have to bring the culture along with it, because – let’s be real – the teams have anxiety, especially the frontline staff. They worry they’ll be replaced, that everything will be automated. That’s not the case. What they have, that nobody else has, is domain knowledge. Keeping that in-house is more valuable to the organization than fully automating with a tool that doesn’t understand the business.

If you understand your domain, you’re in a strong position. What I’d suggest: attach yourself to the engineering team, borrow a couple of engineers, and start experimenting – ‘I want to automate this component, that workflow’ – and take their help. As part of that process, you’ll build the knowledge yourself, become AI-native, and six months down the line, you won’t even need them.

Roland Cloutier

There’s a lot to unpack there – eventually I want to bring an HR specialist onto the series to talk through these workforce changes. I wish we had more time, but I want to get to one more important question with Rami, because between the last few answers we’ve touched on how much this costs. This isn’t free, it’s not a simple swap – there’s the cost of what we do today, plus the new cost of the tokens we’ll spend to get what the business needs. Rami, I’ll let you both answer this – what security investments become most valuable in a Mythos-ready world, and what becomes less important? Quick take.

Rami Houssaini

I’ll go back to what I said earlier – the fundamentals and the basics are worth a lot more now, not less. It might sound counterintuitive, but hear me out: architecture and architectural containment, deep network segmentation, egress filtering, phishing-resistant MFA – all of that is incredibly valuable, because these are the controls of last resort that buy us time when patching can’t keep up. That’s high-leverage spend, not legacy hygiene. I think these are areas we’ve under-invested in because focus went elsewhere, and they’re key to having the right layered defense.

In terms of new spend, I’d focus on two areas. First, agentic identity governance is shaping up to be a major pain point – we need to solve for agentic identities as an ecosystem, because they sit between human and non-human identities; they’re really their own category. We need the right observability and control over these identities, especially as agents chain together and inherit different privileges. Second, agentic SecOps – we have to transform detection and response to operate at machine speed. A third area is agentic runtime – sandboxing agents so that when there’s a deviation from the expected outcome, we can contain it and initiate a corrective action. That’s going to be critical in mission-critical contexts, where a drift in behavior could cause real damage.

What’s becoming less valuable – and this is just how the economics work, you create new investment categories and shift spend away from others – is anything built around a human pace: point-in-time cadences like the quarterly pen test report, the reactive patch cycle. Those aren’t going to hold up in this era. To address this economically, we also need to look at the structural reasons we accumulated cyber debt in the first place – application architecture, fragmented technology stacks, or M&A that was never properly consolidated. All of these matter in an era where we need to remove classes of risk by addressing root causes, not just symptoms. So there’s a lot that’s tactical, a lot that’s strategic, and a real reallocation of focus – but the fundamentals remain core.

Roland Cloutier

Appreciate that, Rami. I can’t believe we’re already out of time – I’ve taken so many notes, I could take a lot more. I want to close with a direct takeaway for everyone listening. Phani, I’ll start with you, then Rami can close us out. What’s the one thing listeners should do in the next 30 days to shift to AI?

Phani Dasari

Get visibility – number one. Go understand what AI pipelines you have, what LLMs, what APIs, what third-party AI agents are running in your environment. Understand that first, and have a way to verify that the information is accurate.

Roland Cloutier

Fair enough. Rami, what’s the one thing everyone should do in the next 30 days?

Rami Houssaini

Back to the home-field advantage – you have that domain knowledge. So run a single experiment: pick your most critical system, the one that, if it went dark, you’d have some explaining to do to the board. Turn an agent inward, point it at that system, and try to map out everything that could go wrong – how an attacker could actually get to that bad outcome. Just doing that level of experimentation will teach you, and the broader community, a lot: here are some plausible scenarios, and here are the immediate architectural steps we could take to reduce the likelihood of them happening.

Roland Cloutier

So many great tidbits, guys. This is a wrap on episode one of a series I’m really excited about. Thank you both, Phani and Rami, for stepping up and doing this first one with me – it sets the tone for everything we’ll talk about in the episodes ahead, and it’s already shaped some of the questions I’ll ask future guests.

My one takeaway is that phrase – outcome management. Our jobs are shifting toward understanding, defending, managing, and ensuring resilience around outcome management for our business. Each of us needs to define what that means, decide what it looks like, and go architect and execute in a way that supports our organization’s mission.

Thanks, everyone. Shift to AI is presented by Cycode, the agentic development security platform. Follow the show wherever you listen so you never miss an episode. Until next time, I’m Roland Cloutier – Global Chief Security Officer and Digital Business Executive. Thanks for listening.

Coming Soon

SHIFT TO AI

Coming Soon

Coming soon
SHIFT TO AI

Coming Soon

Coming soon
SHIFT TO AI

Coming Soon

Coming soon