Thank you so much for joining us in this interview series. Before we dive into our discussion, our readers would love to “get to know you” a bit better. Can you share with us the backstory about what brought you to your specific career path?
My parents raised me with the “Renaissance Person” mindset — that it was a good thing to be multi-talented and multi-skilled across multiple fields — and that’s why I went to 9 different universities and had 7 majors. I was drawn to computers because that was a way to get a degree in something that crossed all those different interests.
Then, I joined a dotcom, and it was profitable, which was very rare for dotcoms. Since Fastweb dealt with data from 16- to 24-year-olds, privacy and security were critically important, and that’s when I got into security. Basically, I backed into computers, and I backed into security, and found I was good at it. It’s interesting that when I discuss backgrounds with my colleagues, there are art history majors and music majors and economics majors, even physiology majors. Many paths can lead to cybersecurity.
What do you think makes your company stand out? Can you share a story?
The founders of Trexin and I actually worked together almost 40 years ago at MCI, the big telecom, second only to AT&T. MCI had bought a Canadian company, SystemHouse, Canada’s largest system integrator, and that was such a wonderful experience. We would tackle the big problems, we would laugh at the difficulty, we’d have fun doing it, and that has been carried forward in the DNA of Trexin. It’s a combination of the trust among team members, the absolute skills of Trexinites, and the joy in tackling and surmounting the big problems.
You are a successful business leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?
First, it was the fact I was smart and multi-skilled, which attracted Bell Labs to give me my first job offer, working on Unix. Or, at least, I thought I was smart — until I joined Bell Labs and worked with truly world-class brilliance. So maybe this first trait is better characterized as “I was brash and overconfident”, which led me to some amazing opportunities and experiences.
Over time, I learned the essential value of being a team player. I remember during the AT&T breakup, one networking product was split into two products in two different spinoffs — just different enough that the networks couldn’t talk to each other. I led the team that did the impossible, blending the two back together. Not a single individual on the team could have done it on their own.
The third trait is having open-source-like transparency. This is big in the Chicago CISO community, where we have built a mutual support system and compare notes, allowing for open collaboration even among competitors. Yes, there is such a thing as oversharing, but on the balance a trust-first attitude is the best attitude.
Let’s now move to the main point of our discussion about AI. Can you explain how AI is disrupting your industry? Is this disruption hurting or helping your bottom line?
There are claims that GenAI can replace expert advice and is a threat to management consulting. Let me be clear: this current level of GenAI is the appearance of intelligence, but it’s really parroting the “wisdom of the masses”. For management consultancies like Trexin, demand for the wisdom to apply information is the same niche that we had before, so GenAI is not a competitive threat.
However, GenAI is not something you can ignore. We have had to spend a considerable amount of our attention mastering this new technology and keeping up with it. We must take advantage of it on behalf of our customers and be aware of it ourselves in order to provide good management consulting advice and strategies.
How does that answer change if applying it to the cybersecurity industry?
I saw a survey that something like 70% of CISOs think GenAI is more useful in defending against attacks than harmful from quicker attacks by actors who have less experience. But, very frankly, we’re facing those threats from nation state actors even now, and we have to defend against them anyway with our much more limited corporate budgets.
So, the same threat, even if it’s faster or more numerous via GenAI, doesn’t necessarily represent a new threat.
Which specific AI technology has had the most significant impact on your industry?
I think GenAI has leveled the playing field, if you will, allowing less experienced individuals to do things (good or bad) that previously required seasoned experts, similar to past technological advancements like PCs and the Internet.
That brings me back to a previous point: GenAI is not real expertise, it’s the appearance of it, and that’s the real danger. The other day a colleague was asking me for the best schemes for ranking vulnerabilities and patching, and then asked if the scheme I recommended is used by other companies. I asked GenAI who else uses this prioritization scheme as their standard and I got references to Google using it, Microsoft using it, and major government agencies using it. I knew enough to follow up asking for explicit links, and then (because I was in a hurry) passed it all on to my colleague. He came back to me the next day saying none of these links work, so I checked, and confirmed they didn’t work. I went back to the GenAI tool, and I said “These links don’t work. Provide better links,” and it said, “Oh, I’m sorry. Nobody actually uses this scheme.” (Final answer? I poked at GenAI harder for an hour, and manually verified, and found three links/references that did work.)
So GenAI had all the appearances of a completely valid response. I was in a hurry, I didn’t do enough checking, and it was complete and total hallucination. Even as an experienced user and an experienced cyber professional, I was caught by it when I was in a hurry. That’s a problem.
Can you share a pivotal moment when you recognized the profound impact AI would have on your sector?
A pivotal moment for me was a colleague’s remark comparing GenAI to the first browser, something that you can feel is going to be big but don’t know exactly why. My previous story above also is a reminder, like the human blind spot, how we are hardwired to assume, even while convincing ourselves we are not. It’s an excellent reminder of the need to protect against assumptions and haste, the GenAI equivalent of clicking on a phishing link and immediately thinking “I shouldn’t have done that”.
How are you preparing your workforce for the integration of AI, and what skills do you believe will be most valuable in an AI-enhanced future?
The CISO community seems to be split right down the middle. At Trexin, the first thing we did was set guardrails, then encourage playing with GenAI tools within those guardrails, and then we launched a cross-functional team to develop a corporate point of view on GenAI’s capabilities and limitations. Out of that playing, we want to formalize, harvest, and communicate so the overall level of expertise in the company increases.
Thinking ahead about the most valuable skills, we first need to look back. We’ve been in these cases before, like when PCs sat on people’s desktops, and they were able to break away from the mainframe-centric data centers and do their own work. When the Internet connected us to things like Wikipedia and then later blogs, we were able to support ourselves; then mobile phones extended the Internet to be with us everywhere, nearly all the time. Each time we had to adjust and determine what’s the most valuable in that enhanced future — and to tell you the truth, it’s been a mixed bag because you also see the negative effects of social media and ubiquitous exposure to being online. Both the best and the worst parts will be amplified during the integration of GenAI.
So what skill is the most important? The skill is to not just fact check and not just be suspicious of what you hear, but really develop the skill of critical thinking; to know when GenAI has a nice-sounding story, but in reality, is leading you astray.
What are the biggest challenges in upskilling your workforce for an AI-centric future?
The main challenge is overcoming mental blockers. One end of the spectrum will dismiss GenAI as insignificant, saying we’ve been here before, while the other end is fearing job loss. It’s crucial to take a fact-based view and leverage GenAI for personal, company, and global benefit…and consider the very real environmental concerns.
What ethical considerations does AI introduce into your industry, and how are you tackling these concerns?
One of the primary concerns for adoption right now is plagiarism. Another ethical concern is that the data that trains these large language models carries bias, and how do you make sure that bias is not inflammatory? A current real-world example is if you were to read news sources from some of the more autocratic regimes around the world, they’re really manipulating people’s viewpoint. GenAI just takes that further and it sounds entirely reasonable when it’s entirely false.
The last concern I want to mention is the environmental impact of the compute power required for GenAI data centers. There may only be room for a few large companies to be able to bear the cost and have the wherewithal to build and run these kinds of data centers. These are powered by electricity and generate a large amount of heat, which has a strong negative environmental impact. Microsoft was experimenting with putting data centers underwater to offset the heat dissipation, and this was just under normal data center loads. With GenAI, it requires 10 to 100 times more electricity, which is an ethical concern.
What are your “Five Things You Need To Do, If AI Is Disrupting Your Industry”?
1. Establish guardrails, compliance, and governance in your company. I have only reluctantly followed my own advice, here. Up until literally this week I resisted, as CSO, creating a separate GenAI corporate policy, and made no restrictions on the experimentation so important at this stage of GenAI. But I got enough questions from my own folks about “can I do this?” “is this legal?” “what about this?” that I realized simple clear guidelines are better than no guidelines! (I still resist a separate GenAI policy, though. I believe well-written policies should be able to cover new technologies with little or no changes.)
2. Engage in fact-based experimentation. Remember what I said about our blind spots (and insistence that we have none)? Dig deep, check it out!
3. Compare hard costs and look for savings or revenue opportunities. An example would be to take a GenAI tool and compare it against the same tool that doesn’t have GenAI. See if you can have the same functionality for less cost using the new tool, and only afterward guardedly look at savings and/or increased revenue opportunity via the GenAI dimension.
4. Look at your customer journey and find the bottlenecks. Eliyahu Goldratt said that paying attention to any part of the value chain that’s not the bottleneck is wasted effort.
5. Reengineer process flows and tools for a total transformation. The current buzzword for this is “digitalization”. There were earlier buzzwords (“reengineering”, for example), there will be later ones. Whatever the buzzword, the key point is to make sure the process delivers business benefit, before adding tools to make it faster. Otherwise, it’s like introducing bullets as an improvement on arrows, without bothering to aim first.
What are the most common misconceptions about AI within your industry, and how do you address them?
The most common misconception about GenAI is that it’s actually intelligent. It does a great job of sounding intelligent to the human mind, and that’s not surprising because the Google breakthrough that OpenAI brought to the market is that instead of trying to understand a question in a human cognitive fashion, it builds its answer phrase by phrase by what statistically seems right, mimicking what’s in the web and what has been trained into its model.
Bottom line, it sounds great to us, but there is no intelligence behind it. It can be misleading, it can be incomplete, it can be biased, it can be an outright fabrication. The most common misconception results from us believing what we read, without sufficient critical thought.
Can you please give us your favorite “Life Lesson Quote”?
There’s a combination of a couple of quotes. One is every time my kids came to me and said, “But it’s not fair!” I would look back at them and say, “Who promised you fair?”
And then the second part of that is if you’re faced with a choice on what to do, the harder option is probably the right one.
Do you have a story about how that was relevant in your life?
Nothing that I would put in print ☺.
Off-topic, but I’m curious. As someone steering the ship, what thoughts or concerns often keep you awake at night? How do those thoughts influence your daily decision-making process?
Did I actually lock that door downstairs? That seems whimsical, but it’s actually true. I may have locked every window, but as a cybersecurity professional, it’s that one unlocked door that does keep me up at night.
For the decision-making process, I was just reading an article today, that when you’re interviewing or recruiting for a cybersecurity professional, you want actual incident experience. That incident experience has multiple phases: preparation, triage, actually dealing with the incident, recovery, and then there’s the communication aspects.
In real life, when the adrenaline is flowing, you have to move from “planning and prediction” into “action mode”, and during that action mode you are less likely to listen to inputs to change your mind or be flexible. It only comes with experience to overcome that natural psychological tendency and unfortunately, or fortunately, cybersecurity incidents do not require the same reactions as in real-life, kinetic ones.
For instance, in a kinetic scenario, you can be in a street fight where it’s something that you can hear and you can see. A cyber-attack has a broader threat radius and it’s not just what you can see locally. You have to have a broader perspective, so things like this are in my daily decisioning. I’m trying to keep in mind that the proper decisions and actions are not necessarily the reflexes that I’ve trained in myself for non-cyber incidents.
You are a person of great influence. If you could start a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. 🙂
A top concern of CISOs now is burnout on the cyber teams. I encourage everyone to be kind because you never know what someone else is going through. It’s easy to get impatient with the person taking a long time to get through airport security ahead of you, but she might be flying to visit an unwell loved one. Don’t honk at the driver not moving when the light turns green because he might be trying to calm a child’s tantrum in the back seat. Be patient with the passenger who pushed by you on the train; he might be rushing to the office to deal with a critical cybersecurity breach. This kindness should also be directed to yourself — cereal for dinner, watching reality TV, or skipping a workout on a busy day are all okay. Let’s give ourselves and each other a little bit of grace.
How can our readers further follow you online?
You can find me on LinkedIn (where you can connect with or follow me) or visit the Trexin website to learn more about what my colleagues and I are working on.
Thank you for the time you spent sharing these fantastic insights. We wish you only continued success in your great work!