Radio Interview – KRLD-AM

Kayne and Tom are joined by special guest Michael Chaoui, the Founder of Atlas One Security. Michael pulls the covers back on some of the challenges of companies going through the ATO process. We also discuss recent legislation and draft memos intended to modernize the FedRAMP process, all while enjoying one of Michael’s favorite stout beers.

Kayne McGladrey, IEEE Senior Member, noted that the use of generative AI models in business hinges on their ability to provide accurate information. He cited as examples studies of AI models’ abilities to extract information from documents used for financial sector regulation that are frequently relied on to make investment decisions. “Right now, the best AI models get 80 percent of the questions right,” McGladrey said. “They hallucinate the other 20 percent of the time. That’s not a good sign if you think you are making investment decisions based on artificial intelligence telling you this is a great strategy four out of five times.”

Confidential computing also is an emerging technology meant to protect data in use, said McGladrey of the IEEE.

“Confidential computing can allow the processing of data from multiple parties without sharing the input data with those other parties,” he said. “For example, if an organization wants to perform processing on a large set of healthcare data collected from multiple third-party organizations, properly configured confidential computing potentially permits those third parties to provide their data for processing in aggregate. In this scenario, not even the cloud provider can see the cleartext data provided by the third parties, or the results.”

Kayne McGladrey (@kaynemcgladrey), security architect at Ascent Solutions LLC, said that providing secure access to corporate data for employees regardless of the location of either the employees or the data is still the biggest concern for companies with a hybrid workforce. “Solving this is the core of a Zero Trust strategy, he added. “Zero Trust is now the foundation of modern defensive architectures that companies should use to reduce the material risks associated with legitimate threats.”

When CISOs work with go-to-market teams, cybersecurity transforms from a mere cost center into a valuable business function. This change is crucial in B2B interactions where robust cybersecurity controls offer a competitive advantage. A centralized inventory of cybersecurity controls, grounded in current and past contracts, helps businesses gauge the financial impact of these partnerships. This inventory also identifies unnecessary or redundant controls, offering an opportunity for cost reduction and operational streamlining. By updating this centralized list after the termination of contracts, the business can further optimize both its security posture and operational costs. This integrated strategy empowers the business to make well-informed, data-driven decisions that enhance profitability while maintaining robust security controls.

The biggest issue with prioritizing software fixes is that there’s often a disconnect between security controls and business risk outcomes, according to Kayne McGladrey, IEEE senior member and field CISO at Hyperproof, a security and risk company. That makes it harder to get executive support, he says. Code maintenance and dependency management aren’t sexy topics. Instead, executive interest tends to focus “on the financial or reputational repercussions of downtime,” McGladrey tells CSO.

“To address this problem, organizations should document and agree upon the business risks associated with both first-party and third-party code. Then they need to determine how much risk they’re willing to accept in areas like reputational damage, financial damage, or legal scrutiny. After there’s executive-level consensus, business owners of critical systems should work to identify and implement controls to reduce those risks,” McGladrey says.