Cyber Crime Junkies

Future of AI in Cybersecurity. A Double-Edged Sword.

Cyber Crime Junkies. Host David Mauro. Season 6 Episode 50

🚀 AI is transforming cybersecurity! In this episode of Cyber Crime Junkies, host David Mauro interviews Arik Solomon, CEO of Cypago and former CTO of EY’s Cybersecurity Center, to explore the future of Governance, Risk, and Compliance (GRC) in cybersecurity.

🔍 What You’ll Learn:
✅ The role of AI in cybersecurity automation
✅ Why GRC is essential for businesses of all sizes
✅ How AI and NLP reduce manual efforts in risk management
✅ Cyber threats & compliance challenges for CISOs and SMBs
✅ Best practices for cybersecurity governance and policies

📌 Chapters:
00:00 - AI in Cybersecurity & GRC
03:15 - Arik Solomon’s Journey into Cybersecurity
06:10 - GRC Automation in Cyber Risk Management
08:43 - Why GRC is Critical for Small Businesses
11:40 - Real-World Cybersecurity Compliance Examples
16:34 - Cyber Governance: Risks & Opportunities
21:50 - The Future of Cyber Governance

📢 Subscribe to Cyber Crime Junkies for expert insights on cyber threats, AI in security, and risk management best practices. Don't forget to like & share! 🔥

#Cybersecurity #GRC #AIinCybersecurity #RiskManagement #Compliance #CyberThreats #CyberRisk #SmallBusinessCybersecurity #CISO #Governance

Grow without Interruption. Stop Breaches. Leverage Advances in Technology with NetGain. Contact NetGain today at 844-777-6278 or reach out online at www.NETGAINIT.com  
🎧 Subscribe now http://www.youtube.com/@cybercrimejunkiespodcast and never miss a video episode!

Follow Us:
🔗 Website: https://cybercrimejunkies.com
📱 X/Twitter: https://x.com/CybercrimeJunky
📸 Instagram: https://www.instagram.com/cybercrimejunkies/

Want to help us out? Leave us a 5-Star review on Apple Podcast Reviews.
Listen to Our Podcast:
🎙️ Apple Podcasts: https://podcasts.apple.com/us/podcast/cyber-crime-junkies/id1633932941
🎙️ Spotify: https://open.spotify.com/show/5y4U2v51gztlenr8TJ2LJs?si=537680ec262545b3
🎙️ Youtube (FKA Google) Podcasts: http://www.youtube.com/@cybercrimejunkiespodcast

Join the Conversation: 💬 Leave your comments and questions. We'd love to hear your thoughts and suggestions for future episodes!


Host (00:02.272)
Well, welcome everybody to Cyber Crime Junkies. I am your host, David Mauro. And in the studio today, we're going to talk about GRC, Governance Risk Compliance within the cybersecurity space. I'm very excited to have Arik Solomon on the podcast today. He's a consummate expert, founder of a company that focuses on GRC and has a phenomenal

history with the Israeli cyber intelligence, as well as formerly being CTO of Ernst & Young Cyber Security Center, and he founded and is CEO of Cypago. Arik, welcome, sir.

Arik Solomon (00:47.768)
Thank you. Thank you, David. It's a pleasure to be here today with you.

Host (00:52.211)
Yeah, no, I'm interested in hearing your origin story. Walk us through, how did you, when you were a kid, I assume you didn't plan to be the head of a GRC SaaS program because they weren't around then. So walk us through what drove you to get into cybersecurity in the first place.

Arik Solomon (01:16.878)
Yeah, well, it all started when I was 10 months old. No, just kidding. Today, I'm the CEO and co-founder at Cypago. But my journey into the cybersecurity world and later into the cyber GRC world started as probably many other Israeli entrepreneurs with the Israeli intelligence.

Host (01:21.225)
Ha ha ha ha.

Arik Solomon (01:45.038)
where I spent some years with the famous 8200 unit and later some 10 years with Israeli intelligence as a department leader when I built and led a large group of researchers and developers and other types of professionals in doing a lot of interesting stuff around cyber, some offensive cyber.

But eventually, I mean, that's super exciting. But in one sense, this is not real life. I mean, you're playing like GI Joe, which is great. Cyber G.I. Joe. It's funny that nobody has come up with this kind of action figure yet. Maybe it's another.

Host (02:26.802)
Mm-hmm.

Host (02:33.221)
You just heard it here on Cybercrime Junkies and I'm about to trademark that because that sounds like a great action figure, doesn't it? Yeah, right with the keyboard. He's able to like fly drones like you could just see all the accessories.

Arik Solomon (02:38.156)
Hahaha

Yeah, with a keyboard attached.

Arik Solomon (02:50.2)
Exactly. So anyway, when I kind of went back to the industry, my first important and kind of mind-opening role was as CTO for EY, Ernst & Young, their cybersecurity center. Back then, I was based in Tel Aviv, but my main focus was the North American market, mainly the US. Working with large enterprises, coming in with the suit and tie.

as a consultant, an advisory, kind of an advisory board, working with CISOs and helping them go through their security assessments. And I think that this was the first time that I really encountered the challenge. I really faced the challenge, the real life challenge. Think about super large enterprises with tens of even hundreds of thousands of endpoints, large complex networks. And when I'm...

I was asking like simple questions such as the CISO, how well are you familiar or how well do you know that your cybersecurity program is aligned with the business requirements? Whatever the business needs you to have in place, not just shiny, cool tools that you have in your security stack.

Host (04:06.716)
Not just from the technical perspective, right? Like also, is it aligned with the business growth initiatives? Is it aligned with their cost cutting measures over in this department, their expansion in the other department, all of those initiatives, right?

Arik Solomon (04:21.24)
Exactly. And even more so, is it aligned with the enterprise risk approach, the risk appetite, as everybody are the same notion as everybody else are using. But think about the aggregate amount of requirements that a business needs to live up to. The regulator, the industry in general, the customers, internal company policies. There are so many inputs.

Host (04:28.026)
Absolutely.

Arik Solomon (04:50.23)
Now these inputs eventually all translate into because we are all digital businesses today. Even the nuclear energy power plants are based on computers. So the CISO, the one that leads the information security has a lot on their mind. And in order to make sure that their security programs are functioning the way that the business needs them to function.

Host (05:02.1)
Of

Arik Solomon (05:17.166)
So I believe that this is where the idea around cyber GRC really started because GRC has been around for ages now, right? Governance, risk and compliance. That's a well-known and well-familiar concept. But taking that and implementing that, the projection of cyber GRC or GRC on the cyber domain, on the security program, this is something relatively new. We as a company,

Host (05:24.977)
Yep. Yep.

Host (05:44.839)
Yeah.

Arik Solomon (05:46.146)
I've seen that in the last couple of years as an emerging need that is specifically evident and acute with the large enterprises out there.

Host (05:56.893)
So let me break that down, that was really helpful. So, and it's interesting that you spotted that void, right? Or that disconnect in organizations that you were seeing. First I want to ask you, based on your experience, do some of the CISOs, not naming names, because I know a million of them, so do you, right? But some of the CISOs, do some of them struggle with

the sophistication of simplicity with boiling down the technical features and benefits and the data into business terms, into like, this is where it fits. I mean, is that part of why you saw that need? I'm just curious.

Arik Solomon (06:49.344)
Yeah, first, let me share my sentiment, my deepest sentiment with all the CISOs and other security leaders out there. Becoming a CISO these days, you need to have a unique approach to life in general and business in specific. This is super challenging these days. There are so many things, so many moving pieces.

Host (07:07.568)
Yes.

Host (07:11.29)
Yes, and the burnout rate is high. Yeah, the burnout rate is very high. They don't last long generally. Some of them have been there for decades, but some are just, it's tough. It's really, really hard.

Arik Solomon (07:26.798)
Exactly. So this is why I believe that our responsibility as vendors is to help security leaders as much as we can. And I believe that help should come in the shape and form of along the lines that you've just mentioned to make things simple, actionable, that you can tie the loose ends. Because again, you may have 30, 50 or 100 different types of security solutions in your stack.

But someone needs to put some order into the chaos. And we at Cypago are trying to do our share, to contribute our share in making this, building this order.

Host (08:11.185)
So for listeners that might not, we have a whole group, our audience is varied, but for say the small mid-sized businesses that don't have a CISO themselves, they might engage an IT company, MSSP, but for a lot of them don't have GRC formalized. It's formalized. They have governance. They have

policies in place, their MSSP is helping them, et cetera. Walk us through, like, just in simple terms, what is GRC? What is governance? What is risk and compliance within the business space? Because some organizations have actual departments. They have like GRC departments or it's aligned. Some of them, you know, are aligned with insider risk groups and some

Arik Solomon (08:57.134)
Sure.

Host (09:08.045)
In some organizations, those fall under cybersecurity. Sometimes those fall under HR. I've seen it every way. Like, there's a lot of different models.

Arik Solomon (09:18.808)
Yeah, absolutely. So I think that in many ways it's similar to cybersecurity in general. Right? I mean, the minute you open your new Gmail account, you're now a potential victim. Someone will attack you somehow. You'll get a spam or even something worse. The same core threat exists with Walmart as well, right? With 1 million employees.

Host (09:32.25)
Right. Yes.

Arik Solomon (09:47.424)
In essence, this is the same. So GRC or cyber GRC, it works exactly in the same way. If you're a small or medium business, your overall risk exposure is smaller, is more manageable, maybe your compliance needs are limited because I don't know, maybe you're not even directly regulated. So it's just.

something like a standard, a security standard that you need to adhere to, like ISO 27001 or SOC 2 or something similar. But it's.

Host (10:21.036)
Exactly. NIST, NIST 800. Yep.

Arik Solomon (10:25.558)
Exactly. Essentially the processes that you need to go through are exactly the same as the monstrous, large, super large company. So you need to be first, the most important aspect from the management perspective is awareness. You need to know. We now live in a world where we don't have the privilege to look at the other side. There is risk.

There are compliance needs. There is a need to implement some governance methods, processes. You have to do something in this area. Now, if you're small enough, you can outsource that. You can use MSSP, as you mentioned, and some other measures. Or you can use one of the relatively long list of software out there that helps you go through that.

Host (11:16.698)
Yep. Right. But regardless, the smaller-sized business entity, they have a lot of risks because a lot of times they don't have a lot of the standard protocols in place. A lot of them don't have even EDR in place and all these basic fundamental things that enterprise organizations all have. Their risk is bigger because there's such a wide footprint and they've got to cover all the bases. But some of the smaller organizations, they fly blind. They don't, you know, they're not prepared for a breach. They just don't have those policies in place. They haven't addressed a lot of this. That's really, that's so important. So understanding the role of governance risk compliance from a formal setting in that enterprise environment,

the small and mid-sized business can see what good looks like and as they grow, that's what they need to mature into.

Arik Solomon (12:23.31)
Absolutely. What makes it even more complex and challenging is that like in nature, you know, the big fish eats the smaller fish. In business, we hope that nobody eats anyone else, but the big fish out there, they use the smaller fish, the supply chain methodology, right? So I can be again, Walmart, but eventually down there are the links. If I follow them through the chain,

I will find probably thousands or tens of thousands of small businesses that all contribute to my business as the giant company. Now, if I have a risk, this risk will trickle and will propagate and eventually will materialize itself with the large fish out there. So when we talk with these large enterprises, this is something that we put an emphasis on, that when you go out and you go about and calculate your risk and you are

Host (13:00.641)
Absolutely.

Arik Solomon (13:21.666)
walking through your security controls. You need to make sure that you're gathering, collecting all the data from all across as much as possible. Make it 360. You want to be omnipresent and as continuous as you can.

Host (13:39.597)
Yep, absolutely. So what are some of the, I guess, real world examples when an organization would see governance risk and compliance in place? The compliance piece, I think, is pretty self-evident, right? They have a standard they have to comply with, each control there. I mean, here in the US we have CMMC.

Even CMMC level one, the very basic one that does apply to a lot of small businesses. Even that one has 17 controls now. Like a lot of organizations are like, we had no idea we had to do that. Right. Like they don't even realize it. But, but they're, but they're pretty clear and you just have to put these initiatives in place and get them done. But the governance piece and the risk piece, I get a lot of questions on that. Can you walk us through like,

What's an example of "we have governance in place"? "We have, you know, we've looked at our risk." Can you walk us through that?

Arik Solomon (14:47.49)
Yeah, with pleasure. So again, my kind of backyard are the larger enterprises and the processes that they implement. But again, the challenge is the same. You can do that and measure that in different scales. I think that the simplest way to put it is to, again, think about an organization that has multiple business units. This can be two or three or 200.

And each of these business units, maybe you have different product lines that you sell into different industries, or you have different geographies. In that case, you automatically have like a multi-dimensional metrics with different types of requirements, compliance, regulation, other market demands. And now from the information security standpoint, from the cyber risk management standpoint, you now have multiple entities that you need to manage.

So that I would say is the first component when you think about governance. Governance starts with knowing. Again, we're not in a position where we can look away. We have to know and we have to get that ongoing continuous visibility into what we currently have. That's the first, most basic step. I think the second important element to that is the ability to implement, to define and then implement policies. Now every company has them, right?

Host (15:55.917)
All right.

Arik Solomon (16:17.634)
Then in, I don't know, 90% of the cases, these are documents lying over in some, I don't know, forgotten folder somewhere in the cloud or who knows where, and nobody really cares about them. So this is the second component of governance, being able, and again, thinking, looking at the world through the cybersecurity lenses, taking these policies and making sure that they are properly implemented in real life.

employees and the company in general, the processes, the IT, the apps, whatever you're using, the data is in compliance with your own internal policies. Why? Because the board or the risk committee or some other entity within the company has decided that this is the way that we want to operate. And now this is the way that we're going to implement it. Now there are some tools or methodologies that you can use.

One of them was introduced early last year, February or March 2024. It's the known NIST CSF framework. Back like 12 months ago, the 2.0 version was introduced with an added layer of what was called Govern. So that was an additional set of requirements or guidelines, so to speak, that helps organizations

kind of break down to break that that some sometimes vague definition of governance into concrete real steps that they need to take.

Host (17:54.689)
That's excellent. When we think of the benefits to having that visibility, your platform is a SaaS platform, easy to install. It puts it all on a pane of glass. And while not talking about the product specifically, just having that visibility and having that awareness seems so important. Can you walk us through

kind of what the benefits are for a business to kind of leverage it all in a single pane of glass. I can assume what they are, but I would like to hear it.

Arik Solomon (18:38.04)
Yeah. I believe that it starts and ends with risk management in order to decide if you are currently experiencing a risk that is below or above your risk up the companies, the organizations, exactly.

Host (18:54.707)
Acceptable risk management. Yeah. Yeah. And I think you bring up a good point and I apologize for interrupting you. I didn't mean to be rude, but every organization kind of identifies what their risk appetite is. Like we're in heavy growth mode, high risk, but now that we've captured good market share, we want to really make them more profitable. Keep the retention of those clients,

lower the risk and really get better at our controls. And it ebbs and flows for a lot of organizations. So understanding what that risk appetite is and then aligning your GRC program to that. Is that what you're saying? Makes sense.

Arik Solomon (19:38.382)
Exactly. Now, business risk immediately translates into information security risk or cyber risk. And now the only way to monitor or measure and calculate the risk is having that visibility. You need to know what's going on, what's happening. Again, going back to the policies or regulations or other compliance regimes that you need to adhere to, eventually at the end of the day, it translates into a list of controls, hundreds, sometimes thousands of controls.

Host (19:44.637)
Absolutely. Yeah.

Arik Solomon (20:07.512)
that you need to implement. And you need to track and monitor and make sure that they are still in place. Now, since organizations are dynamic creatures, many things happen on a daily basis. People come and go. New apps are being introduced. Someone changes configuration. Someone does something by mistake. Whatever. You can now do something on January 2 and assume that this will last till next Christmas. This will not happen. You need to do that.

Host (20:35.593)
Right.

Arik Solomon (20:36.788)
essentially 24-7. You need to make sure that nothing material changes. And this is where the ongoing visibility serves this exact purpose.

Host (20:48.36)
That's, that's phenomenal. And then, is there reporting available? I mean, what's the importance of stakeholder awareness of how operations, sales, development, and R and D and all those departments in any organization, how are they with, how are they aligned or how are they in compliance with the GRC program? Like

walk us through kind of like how do we communicate that with the board or with the partnership that owns it etc.

Arik Solomon (21:26.69)
Yeah, so usually what we see is that this is kind of a bidirectional process. It goes top to bottom and bottom up. It usually starts with a governing board, usually the risk committee again, or the audit committee that kind of dictates or sets the rules or the guidelines to what the company needs to achieve. That immediately goes down maybe through the CIO to the CISO or some other.

depending, of course, on the organizational structure. But again, the security department will get that as an input. And now they need to do their magic, which is, in most cases, a tedious, ongoing, daily job, a super important one. This is exactly where we as a vendor at Cypago are helping them with that, to make that daily job a lot more

Host (22:12.712)
Yep.

Arik Solomon (22:22.238)
easy and easy to consume and also easy to share back with the big boys on management. Because they need to know what they need to know from the more generic or strategic perspective. They don't need to know exactly what was configured in AWS. They don't really care about it. I'm not sure that they know that we have AWS, but they need to know that A, they need to know that we have implemented.

Host (22:40.025)
Exactly. Right.

Host (22:45.309)
Exactly right.

Arik Solomon (22:49.462)
all the control, all the requirements that have been set in place by external entities, that we are following our own internal policies, and we're tracking that. Now, if something is out of order, that's fine. Nothing bad will happen as long as we can report on that and take the necessary measures.

Host (23:09.227)
That's phenomenal. Cypago uses, it leverages generative AI and NLP systems. How does it do that? Like, what is the benefit of that? How is that integrated into the platform?

Arik Solomon (23:26.542)
Cyber in general and GRC in specific and cyber GRC together is a type of or a kind of a set of processes that involve tons of data. Think about all the configuration that you can read and you should read from all the different apps you're using, login data, whatever. Everything that.

Host (23:48.938)
It really boils down to visibility to me. Like to me, from a very simplistic standpoint, they need to see what the threats are, what the vulnerabilities are so they can fix them or they can defend against them, right? And it's just visibility. Now it gets a lot more complicated than that, right? And there's ingestion of logs and events and looking, threat hunting for anomalies, and all this stuff gets really complicated. But at the end of the day, they just need to see

what the risk is, right? So they can calculate it and like you mentioned, make sure it's aligned with our risk appetite at the time.

Arik Solomon (24:27.502)
Exactly that. And we at Cypago have adopted a unique approach to this challenge. We are doing our best not to reinvent the wheel. That means that we will connect to whatever tool that you currently have in place as a customer, and we will leverage the data that you already have. You don't need to generate new data for the sake of feeding Cypago. Cypago will do that on its own.

It will reuse the data that you already have, whether you have it in the cloud or on premises. But the nice thing is, and this is where our main value proposition lies, is that we know what to do with the data by implementing these advanced algorithms that you mentioned, NLP, GenAI, and some other advanced techniques in order to find or figure out what's actually going on. What is the true status of my overall security program

in light of the controls that I chose to implement.

Host (25:29.192)
Excellent. That's phenomenal. So let me ask you this, just as we're kind of winding down here, what are some of the bigger threats, the more modern threats that some of your customers are seeing? I imagine it's still social engineering; the threat itself may be ransomware or exfiltration of data, like for the double ransom.

But have you, walk us through what you're hearing are some of the more challenging ones. And I'm curious, because I get asked all the time, has AI really made it worse for the threat actors, right? I mean, has it helped the threat actors and made it worse for the defenders?

To me, it seems like an arms race, but it doesn't seem like it's done. I think we're just at the beginning still, it seems.

Arik Solomon (26:34.818)
Yeah, who knows what will happen now with Stargate in like six months, 12 months down the road. We'll need to see. But anyhow, as I see it, the number one threat and probably the oldest one is us, human beings. We're the number one threat because in most cases, we are the one clicking the button or taking the wrong decision. And that essentially didn't truly change

Host (26:38.109)
Mm-hmm.

Host (26:52.646)
Yes, always is.

Arik Solomon (27:04.014)
in the last, I don't know, 20, 25 years that I've known cybersecurity. However, we do have new and advanced tools that help us, let's say, reduce the probability of making an error, making a mistake. I think that AI plays a crucial role in that, starting from generating code and reviewing code and making sure that we are not repeating stupid human mistakes.

Up to designing systems, designing defense mechanisms, being able to crunch huge amounts of data and find out these outliers, et cetera. But as in so many other cases in human history, as in the nuclear race, everything can be, can and will be used against you. So it's all kind of a double-sided sword.

So yes, AI is a risk in and of itself. Not just when an adversary leverages that, but also us, we, organizations, using AI, just think about data. How many times a day an average mid-sized organization is using AI and sharing data without even thinking about the fact that now whatever proprietary data

Host (28:02.776)
Absolutely.

Host (28:06.629)
Yep.

Arik Solomon (28:31.99)
that the company created is now shared with, we don't even know with whom.

Host (28:36.847)
Right. And, we've seen that play out already, right? I mean, we've seen a couple instances where people are putting proprietary code or intellectual property inside an LLM inside AI to generate, you know, fixed bugs or whatever it might be, not even realizing that that's now out in the public. And then that gets used against them. And it's, it's, it's a big challenge. That is a perfect example of where

Governance needs to step in and have the right policies and quarantine that off so that you can create your own environment and then leverage AI internally and not let it get out there. Fascinating.

Arik Solomon (29:22.862)
Yeah, absolutely. Last year, sometime mid last year, two relatively new frameworks were introduced, one by NIST and the other one as part of the ISO family of standards. Both were designed to help organizations track and monitor the inherent risk with using AI. And this is something that I highly recommend organizations to look into.

Host (29:48.475)
Yep.

Arik Solomon (29:52.452)
and try to implement as best as they can.

Host (29:56.909)
Absolutely. That's absolutely great advice. Well, Arik, thank you so much and thank you for all that you guys are doing. We will have links to Cypago in the show notes and links to your information as well. Keep up the great work. This is fantastic. So I was looking at the platform. It's super intuitive. It seems really useful for organizations. So

Absolutely, we'll keep that in mind when we're out talking to clients and we wish you guys the absolute best. So thank you so much.

Arik Solomon (30:34.094)
Cool. Thank you. It was a pleasure and I wish us all the best ever 2025.

Host (30:42.721)
Absolutely. Thank you, sir. Appreciate it.
