Artificial Intelligence Podcast: ChatGPT, Claude, Midjourney and all other AI Tools

 Is AI Security Getting Better or Worse With Jason McKinley

Jonathan Green : Artificial Intelligence Expert and Author of ChatGPT Profits Episode 375

Share episode

Welcome to the Artificial Intelligence Podcast with Jonathan Green! In this episode, we delve into the ever-evolving domain of AI and cybersecurity with our insightful guest, Jason McKinley, an expert in cybersecurity transformation.

Jason shares his unique insights on the current state of AI security and the challenges posed by our rapidly digitalizing society. He discusses the nuanced landscape where speed of technology adoption often outpaces the necessary security measures, leading to vulnerabilities within organizations. Jason emphasizes the importance of slowing down to establish robust security baselines before accelerating innovation.

Notable Quotes:

  • "The biggest risk is... moving too fast. We're very much from a pace of technology change right now... We want to slow down just a little bit and then go faster." - [Jason McKinley]
  • "If you aren't using AI, you're wrong because your employees are, you just might not know it yet." - [Jason McKinley]
  • "Security should not trump the operations... You still have to be able to get the job done." - [Jason McKinley]

Jason also explores the cultural shifts in businesses where convenience often overrides security protocols and discusses the pitfalls of merging personal and professional digital spaces. He offers strategic advice on creating a cybersecurity culture within organizations, emphasizing the critical role of executive commitment and beginning security practices early in the business lifecycle.

Connect with Jason McKinley:

To reach Jason directly, visit his booking link on the LinkedIn profile or the company's website for further consultations and insights.

This episode is a must-listen for anyone interested in the intersection of technology and security, offering practical strategies to protect your digital assets in an age where AI continues to reshape the business landscape. If you're ready to take cybersecurity seriously, Jason's insights are invaluable!

Connect with Jonathan Green

Is AI security getting better or worse? We're gonna find out today's amazing special guest, Jason McKinley. Welcome to the Artificial Intelligence Podcast, where we make AI simple, practical, and accessible for small business owners and leaders. Forget the complicated T talk or expensive consultants. This is where you'll learn how to implement AI strategies that are easy to understand and can make a big impact for your business. The Artificial Intelligence Podcast is brought to you by fraction, a IO, the trusted partner for AI Digital transformation. At fraction a IO, we help small and medium sized businesses boost revenue by eliminating time wasting non-revenue generating tasks that frustrate your team. With our custom AI bots, tools and automations, we make it easy to shift your team's focus to the task. That matter most. Driving growth and results, we guide you through a smooth, seamless transition to ai, ensuring you avoid policy mistakes and invest in the tools that truly deliver value. Don't get left behind. Let fraction aio help you. Stay ahead in today's AI driven world. Learn more. Get started. Fraction aio.com. Now Jason, I'm so glad to have you back because we've had some crazy stories in the news lately where people are finding out that your chats with ChatGPT Aren't a secret that a lot of stuff is getting indexed and that. It it's almost like we're living in a post privacy society where someone has your data, someone has your phone number, someone has your email address, and I think people. I've seen already the people who've I already saw a story of someone who fell in love with chat, GPT, and then the chat GPT ran outta memory and he was like crying.'cause she like, like I was like, that's a wild situation. And so I've seen that, but it's imagine that and then you're forgetting everyone's talking to the same AI and the conversations aren't private, but we're having these. Pseudo private conversations, right? Where you're say, I'm sure people are saying things like, I'm thinking of cheating on my wife, or I'm thinking of committing embezzlement. Gimme some tips. And you don't realize that it can be subpoenaed or that the records exist and that it's searchable or even if it's accidental. And that's just at the, that's at the most well-known tip as for 'cause it's most interesting. But what are some of kind of the wildest mistakes people making right now because they're so excited by AI that they're moving too fast to be secure. Yeah. The biggest problem that we're gonna find, call it from a cybersecurity perspective, call it just good baseline technology practices, right? Is people wanting to move a little too fast. We're chasing shiny new object. The tools can be really good. They can be terrible, right? There's some bad AI stuff out there. There's some really. Not so good things you can do. There's some open models that you can take the guardrails off. And it's not so ideal for the rest of the world, particularly from a cybersecurity perspective. But that, that biggest risk is a little bit just that moving too fast, right? We're very much from a pace of technology change right now when you apply the business context to it, let's call it for a second. We wanna slow down just a little bit and then go faster, right? Let's put the baselines in, play the table stakes, get all that dealt with, then we can really start going after it. You're getting into because you don't understand or you haven't thought through all the possible consequences. You're doing things with the technology that. Put you or your business in a state of risk that you didn't necessarily need to. That's it. Nine times outta 10, you're just going a little too fast. Think first, then act. I think that sometimes there's this assumption that it won't happen to me. We're too small, we're too new, we won't get noticed. And this happened to me when I first started putting security on my blogs. I was like, I have 30 visitors a month. And I put, and I go, I put on a security thing that would alert me. Every time there was a hacking attempt, I turned it off. After the first day, it was like, yep, ding ding. It's like hundreds of times because that's, people know that mindset. They go, oh, that's the easiest thing to break in. And let's say I. Especially if I'm a small startup and then I'm a vendor for someone bigger, they get into my system, they can leapfrog into someone else's system. So actually you become this opening factor, and that's what I see as the most worrying thing for me is that there's a lot of tools built on top of chat, GPT built on top of cloud that do very cool things and you connect with them. And a company's new, it's a net growth phase. They don't have a security officer, they don't have a security policy. They're just chasing maximum growth. And you're playing this game of. Hope. Like you're just like, I hope it doesn't happen to me. I hope it happens to someone else. And this, it's exactly like you were talking about. It's very exciting. There's a lot of very exciting tools, big promises, and it's distracting to talk about security. Like it's not fun to talk about the negative, but it's really important. Obviously it's important to you. What do you think are some of the biggest things that are distracting people are causing. Like these poor decision making that's happening right now. What are the kind of pitfalls that people really need to avoid? We want 'em to think slower and be a little more methodical. What else can we do to help people avoid the most common pitfalls that are just causing security problems in this world of ai? So number one thing, right? No matter what you're doing from an AI perspective, from a digital perspective at all, if we chase and execute. Those transformations from the perspective of good technology best practices. Just because AI is a new thing doesn't necessarily mean that those things that were best practices five minutes ago still aren't best practices. As long as you can follow those to some degree, even if it's gonna take time to fully roll all that stuff out and yes, it will slow you down a little bit, but. It's better to slow down just a tad. It's better to make sure that we're doing good DevOps, we're doing solid data privacy controls. We're making sure that we have the right governance in place before we start throwing data at things. Or we have DLP to make sure that people, data loss prevention technologies of some kind to make sure that people are using the AI model and tool that we've set is acceptable to use and not. The random thing that they queried Gemini for on Google and came up with as the right solution to their problem. So deploying and executing, and again, slowing down just a little bit to go a lot faster on the backend is going to be your win, right? This all comes down to good transformation practices and good project execution. And good people change activities way more than it comes down to a particular application of a tool or a technology. One of the things I've noticed is that sometimes the people at the top of the sweet seat of the board are a little more laie faire with their security policies, and they don't realize that everyone else is paying attention. So if I tell my kids, for example, they're not allowed to watch a movie, then they watch it and I'm watching that. It creates some, then they just, they can do it, but don't get caught. They don't believe in the rule anymore. And I've seen where they're a little more fast and loose. You're like I don't wanna put my fingerprint all the time, or whatever. And it starts to create a company culture where, 'cause you first get hired, you go through the HR training and you go through all that. And then it's if they, if it doesn't feel like they're taking it seriously oh, you just have to watch these videos, but it doesn't mean anything. It creates that, and I think that we're missing that cultural element, which is you have to create this, and it's like a top down thing where it's I really treat security seriously so that my team treats it seriously, otherwise. Exactly. Like they take out a phone, take a picture of the screen and say, chat, CPT, how do I do this? So now we now have an era where an air gapped computer isn't enough because you can quickly de air gap it with a single screenshot and it's the shortcut thing. Or it's you can just turn the ram into wifi and have a little fun with it. Exactly. That's that's a, again, exactly. There's a hardware thing and it's we don't, something I've been thinking about a lot is that. When I first started working, you had your work cell phone and your personal cell phone, and they seem to have merged. Yep. And I feel the same way about your computer. Once we started thinking of a computer as an entertainment device. So it's like I watch Netflix on it and I do work on it. It starts to, people can't really switch security modes in the same computer. They don't think that way. Yep. Like I've seen it where you go, oh, log into a different profile when you're doing personal stuff and there's not that separation of work. Work and personal. Personal. And as we. Break down that barrier. It just leads to more and more of these problems where you go a company says, has a contract with Gemini or have copilot, but I don't really like it, so I'm just gonna use Chat GPT You on my phone anyways, I can take a picture of the screen and it will do it. And we don't realize that the reason we have that contract is there's a BAA in place. So there's a no data retention policy or there's these other elements that are really important because we don't. Oftentimes we make a rule, but we don't explain to the whole team why it's there. And they go, I don't know why half juice, Gemini, it stinks, or Yeah, whichever one they hate. So a couple things here, right? Yes, it's absolutely a culture thing. So when you look at the enterprise, that, that kind of is, I would call it just finally completing their transformation from a people and process perspective into what's called safety as a culture, right? And as much as it can be. It can feel like overkill sometimes. We do a lot of work with large scale enterprises, a lot of pharmaceuticals, a lot of life science, manufacturing in general, biotech, l and gene, big boys, right? And some enterprise healthcare. The requirements can feel a little bit extra, particularly for us, it guys that might be mostly at a desk job. But the reason it's there is for everybody in the organization, all the contractors, all the consultants, all the construction guys that are out there pouring concrete for the footings for a new $30 million filling line, right? It's got to be designed and executed as a culture, and it has to be pervasive. If it's not, you absolutely will have a problem at some level in that entity. That's why when we get into this kind of mess. Particularly the smaller the company, the more necessary it probably is to chase what we call cybersecurity. As a culture, it's really hard to get there, particularly for a smaller entity, small businesses if that C-suite level isn't into it, doesn't think it's important. It's gonna happen at some point, they're gonna get bitten and hopefully they will learn from that. Sometimes they won't, sometimes there won't be a business to continue to learn with at that point, unfortunately. But it's, it has to be at that top down level. It can't just be a check the box. And if it is, you will open yourself up to risk at some point, and it probably will bite you. And there's going to be monetary damage associated with that bite. How catastrophic it is. It's gonna depend on a lot of things. There's a significant amount of risk there, and the more folks can start to understand that, the better. That's why you have a separate work laptop and home laptop. It's a, it's an argument that we have all the time with small managed service customers of ours is that, a C-Suite member who's worked in other small businesses might not understand why we don't allow you to get to Netflix. On your work laptop? I'm a C-Suite executive. Is that rule doesn't apply to me. No, it applies to everyone. That's the point. Yeah. I've found having worked with a lot of different clients, 'cause they'll put me on a project and then I talk to their AI or their IT team about their security policy. They go, oh, we're all M 365. And I go, great. We'll build everything inside your ecosystem. No Google Sheets, no. Zapier. Yep. We use Power Automate, which. It's a whole new process. We built that for a second. They were like, and some clients are like, they don't know why we're doing it, but then they're glad we do it right? And then other ones are like we really love Google Sheets. I'm like, yeah, but it's a violation of your security policies. Yeah. And it's not your platform, and you can use both if you really want. We have both. Google Workspaces is marketing automation. Nothing real gets put there because the security just isn't as good. It's not quite as enterprise class from a control level without. A really significant amount of knob turning on the backend. That's just not worth it. Right there there's a lot to be said for playing in the ecosystem. You understand, and from a data perspective, the fewer places you house data, the fewer places you have to secure, and therefore, overall, the cheaper it is, even if you're maybe spending a little bit more on this one project. Because while the guys that did it originally were used to Google Sheets and Zapier and. Whatever else it has to be, we gotta swap it into power Automate and co-pilot and yeah. Okay. That's a change and it's a little different. Maybe you just can't work with that piece of technology. It's probably better than the risk of sticking in a Google sheet 'cause Yikes. It's a good thing that Google understands the risks of their platform and doesn't really let you and that's it. And that's the thing is that again, it's like they go, we don't understand why this is more secure, but then they follow my policy, which is great, right? Then there's other people who are like it's still my favorite. Or even I go, you have an enterprise chat GPT account with the BAA. Why are you still using a different. It's the same Chat, GPT, so I've even dealt with, so those ends of the spectrum and you have this ex, it's this thing, it won't happen to me, it doesn't apply to me. I'm an executive. And having first started off in it way back in late nineties where if you wanted to access the internet from home, the IT came to your house and set it up, and they set up the VPN and you had a physical token with the rotating numbers and it's like this. And actually the first time I ever. Use your credit card online. I had this American Express thing that you would plug in inside your computer and then you'd stick the card inside of it, like they would run it. They don't do that anymore. And it's like security was much, much more serious. And we have shifted to a culture of convenience where we really merged. Like I, one thing I can't believe is, you see all these day in the life tiktoks in security companies in Silicon Valley where someone's walking around and it's like they're showing this is the metal detectors. And I was like. You can't, aren't you not supposed to film that at the point You don't. Why are you showing people how to get in, like showing all, you don't realize what's in the background of when you're filming around street and it, that always blows my mind. Like the things people film around their house and whatever and like right without, or their buildings and like these little things you don't realize can be a security issue and it. We want our business to be fun. We want be, we have a culture of fun here. And it's, I think that, and this is something I deal with my kids. I'm like, my job is not to stop you from having fun. My job is to stop you from getting hurt and to realize my job is to protect you. And I think that sometimes we have this mindset that security, or it is like the Debbie Downers that they're there to stop you from having a good time. And it's and when I worked in it, it was like people are playing too much mind sweeper. My kids don't even know what that, it's like such a different thing. You weren't worried about the same things and now it's like we have these wide open networks and people like, I remember you couldn't use any chat. Like the thought of having a Skype on a work computer, even this is like 2007, was like, no way. We have a company internal chat tool, whatever it is, and that's it. You email each other, you don't have access to internet. If yeah, if you have a Skype enterprise, then we didn't. So it was like, 'cause you didn't need it and. That's the thing is that we have this I talk to work and I talk to my friends and do you think we'll ever get back to a culture of where we separate the two of 'em? Especially 'cause everyone's working from home and it's I don't wanna have two laptops. And this mindset like, can we get people to separate work from play?'cause once you merge them, you stop, loosen that mindset of security and that's when you start. Cutting little corners. And I think I've heard someone who does pilot stuff, call it the Swiss cheese, which is where the little holes line up and that's when the bad thing happens. And that's when somebody gets in. So you always say, we've always done it this way. Oh boy. Have my least favorite phrase right there. So here's where this gets really interesting. Security, cybersecurity, physical security, doesn't matter what it's, you never get to Trump. One thing and one thing, everything else you can probably Trump, but you can't Trump operations, right? You still have to be able to get the job done. So if the security is causing too much of a drag, one of two things is going to happen. And this is where you can occasionally get C-suites that go the other direction because they've experienced being unable to do their job because it went too far. Because somebody in it wanted to act like the policeman instead of enabling, right? So from an IT perspective and from a executive perspective even, you really should be focusing on how do I reduce my risk without reducing my ability to generate revenue, right? If you need that fun culture to hire the right people, awesome. How do I. Obfuscate the metal detectors so that I can't see 'em in the background. When people take videos. It's we're changing. You have to change, right? With the times at that level to meet your employees and your people where they're at. When we look at technology change in an organization, cybersecurity or otherwise,'cause for us, cybersecurity is just the lens through which we view everything. Always cybersecurity first, and we go from there. But the process, methodology the execution framework, people, then process, then technology. Let's understand the business, right? And that means understanding the people, right? If I'm a, if I'm a large scale enterprise and my labs are full of recent college grads, I'm gonna put a different limb system in. Then if I am a startup and every second person in my lab bench has two PhDs. Those are two different limb systems that I'm gonna put in because it's two different types of people executing on. Then you can look at the processes, fix maybe what's broken. If you look at it, then you chase the technology. It doesn't matter if it's cyber technology or ai chase those two ones first, you'll have a hell of a lot better experience. But even with the security aspect of it, we have to figure out how we reduce risk to a tenable level because you can't remove it, right? That's just not possible. You, as you and I were talking before the show starts, we've got access to some really neat security technologies, right? Stuff that's right out of NSA and DOD patents. Things that are biometric sensing, fingerprint readers that are rings that sit on your fingers. We can stick in front of people's bank accounts, stuff that, an average MSP or even an average security provider might not have. But if we can't apply the technology in a way that still allows the business to operate, it's all meaningless anyways because people will find a way around it. That's why we push so hard when we look at the small to medium enterprise space that if you aren't using ai, you're wrong because your employees are, you just might not know it yet, and that means you're not reducing the risk. I hesitate to say you're not controlling it because you're really gonna have a hard time doing that. Some of your examples, right? I don't like this particular AI model, so I'm gonna take a picture of what's on my screen and run it through chat. GPT. Oops. You're not gonna be able to completely reduce the risk. What you should do is try to put the right boundaries and guardrails and practices and policies and procedures and culture in play so that you can reduce it. While letting everybody get those 10 to 70% gains, if you're lucky, from an AI perspective in efficiency, right? We're not cutting head count with this stuff. Technology transformation doesn't do that except in the enterprise, and even then it still fails. But that's a whole separate topic of conversation. One of the things I've noticed is that people think of AI equals ChatGPT. So even when we had a Google Workspaces account, everyone had Gemini and the G New Gemini model, I think it's great, I use it a lot, but they would go, we want ChatGPT. And I was like let's get it for 'em. Let's get be a like, let's just, they're gonna do it like if you because they're like I don't wanna use the bad one. And it is that balance of. You could only change behavior so much. Like whenever I'm building an automation for someone, I'm like, the more I have to change your behavior, the less likely this is to succeed. And it's exactly that balance of advice. What tools do you use? What's your process? What's your what you do things. I want it to feel like nothing's changing. And one of the things I think about, and I want your security perspective is we transcribe everything now. Like now the thought of wearing a wire on yourself when I was a kid now you, you can get 'em you can pay like 50 bucks. Amazon just bought a company that does this. I think it's yellow. And you wear a watch that just records you all the time and it's what are you doing? That's such a different mindset. It's we've all said something we regret. You know what I mean? It's like we don't want that recorded and yet we're recording everything and we don't think about where those files are. And they're all, let's say they're all stored in your Google Drive and then you integrate your Google Drive with everything. You only need one thing to have a security issue and now your Google Drive is open.'cause I noticed that people don't, aren't very fastidious about, this drive is available to this person, this drive is private and this is for this group. Even though we say we're gonna do it, like it doesn't really happen. Let's be honest. And that. You just, there's always holes when someone's into your cloud infrastructure. They're probably gonna get most, if not all of them. And it's that trying to change behavior is really hard. So you have to figure out how could make this work without changing you? And I think that's. Probably the biggest challenge you face, which is we've changed how we approach computers, how we approach it. It used to be no one could afford a computer, so it was only at work. There was no thing. And then now we're the expectation. And again, this is how old I am. I'm like the expectation that you get Netflix on your work computer is so weird to me is like you barely got work email when I was working corporate. So it's very different. And we have had this cultural shift. So pilot was. Yeah. Bigger than the iPhone Pro Max spac. Spac. Yeah. I loved my POM pilot. And then I had a Blackberry and you had BBM and you could send Blackberry to Black and it's like your Blackberry's for work. Any other phone's? Personal and I. I don't know why it, I guess that's convenience.'cause it's like having, remember we used to have a phone holster? No one would do that. Now, can you imagine? Like I have, I remember one point, yikes. I remember in City S slickers where he reached for his phone holster so you could get the phone out faster and flip the phone open and pull the wire and that was cool. Yeah. I was like, that's so cool. What's cool is shifted. So we have this cultural shift where it's I only want one phone'cause it can handle everything. I only want one laptop and I want super communes.'cause people don't wanna spend five minutes locking in.'cause if you make it take too long, which I love you said they'll find a way around it or they'll just leave it locked in all the time. For people who are thinking about. Should we have a security policy? How early in the business process if they're just doing fundraising or they're starting a business, when should they start thinking about creating security policies? So here's the deal with that and I'll go back to the statement that you said that when you're executing and building process stuff for customers, you're trying to, to. Make it the least painful change possible, trying to make it feel like they're still doing the same job they were yesterday almost. Now I would argue that taking advantage of technology change wants to always look to fix the process, you have to have the right transformation activities in play and that's just as much people as it is technology and technologists like you and I will occasionally struggle with that sometimes, but. Here. Here's the deal. Putting in guardrails after the fact, after a breach, after something happens, even if it's not after something happens, but you're doing it as a 500 person company rather than a five person company, guess what? The class of providers, tools, technologies, systems, not only are those more expensive. So you're gonna cost yourself bigger dollars. Process change takes longer and people will fight it harder, right? Always start as early as you possibly can. It doesn't matter whether it's tech change or cybersecurity policy. That governance, that procedural level processing processes and systems as early as you can afford to put them in, is. Always the right choice. That's the biggest difference. When I look at a startup that I'm invested in, or a small business that we're working with, or somebody that I'm just mentoring. The difference between a $5 million a year entity and a $50 million a year entity, nine times outta 10 is one thing. One has systems and processes and the other one doesn't. That's the biggest differentiating factor every single time. So start early. Move fast, break some things cause a problem or two, do it while the risk is lower. And I know it feels like the risk is big today, two years from now, if it's a successful idea and you're doing twice what you were in revenue, it's gonna cost 2, 3, 4 times as much to execute change. I love that. I think about, my kids have always had school uniforms because of, so that's all they've known, but it's when a school that doesn't have uniforms tries to enact them, there's protests outside and my t-shirts are freedom of speech thing. My kids don't even think that way. No, we just, you have your school clothes and you're not school clothes, and they just think that way. So you're exactly right that it's so much easier to start from the beginning than to let people get away with it. I love that. This has been amazing. I appreciate you giving us your time Again, you're just, this is so good, so many great ideas for me, for people that are like, oh my gosh, I need to start taking security seriously. Where can they find you? Where can they find you online and where can they like take fast action? So easiest way to get ahold of me from something like this is my booking link is always available online. You can't see what I'm in meetings for, but you can see when I'm available we leave those on my, on our LinkedIn profile, there's, there's corporate driven ones where you can get ahold of me or anybody on the team really who's available. That's, that sits on our website, they sit on our LinkedIn page. I don't really do Twitter or anything like that. LinkedIn is always the best one. If you can't get ahold of me on there, try the website that's shot number two, or reach out to somebody on our business development team. I promise they will always answer, and if they don't, I should hear about it. So amazing. Thank you so much for being here. I'll put the links in the show notes and of course, below the video for those you watching YouTube. Thank you again so much for being here today, Jason, for an amazing episode of the Artificial Intelligence Podcast. Thank you for listening to this week's episode of the Artificial Intelligence Podcast. Make sure to subscribe so you never miss another episode. We'll be back next Monday with more tips and strategies on how to leverage AI to grow your business and achieve better results. In the meantime, if you're curious about how AI can boost your business' revenue, head over to artificial intelligence pod.com/calculator. Use our AI revenue calculator to discover the potential impact AI can have on your bottom line. It's quick, easy, and might just change the way. Think about your. Business while you're there, catch up on past episodes. Leave a review and check out our socials.