Seth Holland: AI can be used both for and against, meaning you can take the bad actors leveraging AI to find the weaknesses of organizations to exploit. But from your clientele side, from our clientele side, there’s actually—you can look at this from two ways. You can take a proactive approach and leverage AIto get ahead of it, or, quite honestly, it could be used as a defensive approach to try to respond to a breach.
You know, David, you had mentioned two things. One, this really is a programmatic approach, which means, from my standpoint, if I’m listening correctly, this is in manageable steps that have evolved to get to that desired endgame you’re looking to achieve. A business outcome, but you can’t just swallow it all at once—it has to be in a very manageable way. Is that correct? Would both of you agree, Chrisand David?
David Arturi: It’s tough to win games by only hitting home runs, right? We want to have that layered approach where there’s a secure foundation, and we can properly build and scale upon it. That comes in both sides of the house, as far as identifying the right use cases, using the ROI we get from those original use cases to self-fund the program, and starting to build off and branch out. But again, to Chris’s point, doing so securely from the beginning. We don’t want to jump ahead to find out we have these security concerns that we should have addressed before. We want to make sure we’re doing everything, starting with a great foundation, and working our way up towards success.
This is not an overnight thing. If you just swing for the fences with AI, it’s not going to work. You have to be very thoughtful about how you approach it.
Seth Holland: So, gentlemen, I’m going to change tack on you a little bit. On August 12th, CRN published an article, and I’m going to read it directly to make sure I don’t miss the title: MSPs Are Driving AI Adoption, But Security and Data Hurdles Persist for Customers. So it’s a two-part question, Chris. We’ll start with you on this. Are you getting these questions? Are you fielding these questions? I know we’ve touched on it a little bit here, but from a specific standpoint, I know CyberSecOpwas very good at making sure this article was published out, and it really served as a public service message for those already engaged in these types of activities with our partner, Lydonia.
So, are you getting those questions directly and indirectly?
Chris Yula: Yeah, I mean, we’re definitely getting the questions. The article was great, and it raised a lot of eyebrows and interest. I think the way we look at it, there are really three swim lanes around the AI and automation piece. One of them is what we’re talking about with Lydonia: how do we take advantage of it? How do we leverage AI and automation for the greater good—to minimize errors and anomalies, speed up efficiency, and create operational benefit? The other side is, what do we do to be protective? If we know the threat actors are using it, what can we do to be more defensive?
Then the final one is really how we leverage it—not just CyberSecOp but other security companies. How are they infusing AI inside their tools to make them better? Things like automating patch management, malware filtering, data analysis, and anomaly detection. All of those are things being done now and are starting to happen, getting infused into solutionsets. That third swim lane of technology is just getting better—it’s going to be faster, have fewer errors, and provide more value to customers more quickly. That’s how we’re seeing it, in three different conversations.
In many cases, there are different people you’re talking to about each one of those swim lanes. The groups that Lydonia and CyberSecOp are talking to for automation and AI for operational stuff are sometimes different but under the umbrella of the CSO or potentially the CIO.
Seth Holland: Gotcha, Chris. And David, you mentioned that, again, through our conversations, what you’re trying to do from a Lydonia standpoint is address these concerns in a couple of different ways—whether through upfront conversations or engagement models. Can you take us through your thoughts on that article specifically and how you’ve incorporated that into your day-to-day process?
David Arturi: Yeah, I think it goes back to that strategic and programmatic approach. Very old saying: garbage in, garbage out. If we’re dealing with bad data and we try to automate it, or the only input is bad data, we’re going to have a bad result. So, as we think through this, we have to make sure everything is in the right place. What we’ve noticed over the past five, ten, however many years, as companies continue to grow and boom, there was never a clear strategy on how to handle all this influx of data.
Oftentimes, every other conversation we’re having is, “I have all these different data sets. I have this over here; I have this over there. I can’t do what I need to do.” If we don’t have the data clean, structured, and under one roof, it’s very difficult to do anything from an automation or AI perspective. That’s the biggest misconception or hidden thing: AI is great, but it only works if your data is where it needs to be.
So, a lot of times, that’s one of the first steps we take—get it in one place, in the format we need, cleanse it, structure it, and map it. Going forward, it’s much easier to scale up. When data is all over the place, it becomes much more difficult. The cost goes up, the ROI goes down. Data is absolutely critical to anything you want to do with automation and AI.
Seth Holland: Thank you, I appreciate it. So again, we’ll go back to a couple of things we talked about—the idea of uptasking staff. Having that high-value, high-dollar staff focus on tasks they really should be focused on, versus the more mundane tasks you can drive automation and let AI learn to do, with validation from those employees.
and then the other, the idea of the evolution that comes with that. So, I think those are all critical points. So, we’re going to move over to a use case. It’s a use case that, from CyberSecOp’s perspective, we actually have a program that helps organizations with their vendor management requirements. And I know Lydonia has actually worked on some of these as well. So, the use case we’re going to focus on is vendor management. We selected it for a number of reasons. What we’d like to do is focus the next part of the conversation on the ROI for that use case. Then, Chris, we’d like you to heavily focus on the security and compliance implications associated with outside vendors. I know you mentioned an incredible stat that has not changed—in fact, the percentages are going up—that over 84% of all breaches in cyber incidents are due to human error. That could largely be accidental, but there’s probably a piece of it that is purposeful.
So, let’s talk about this a little more. David, can we talk a little bit about, from a vendor management perspective, the idea of adding automation and driving an AI solution? How does that help the ROI?
David Arturi: Yeah, I think when we talk about vendor management, it starts with onboarding all the way through the full lifecycle. I’m sure most of us, if not all of us, at some point in time, have been on either side of the fence, where you’re either trying to get onboarded or you’re dealing with trying to get a vendor onboarded, or whatever the case may be. It’s a very tedious task. It’s very repetitive. It requires a lot of information, a lot of back-and-forth emails, attachments, taking things down, storing them, saving them, moving them from place to place, manipulating data, going back, trying to find something that was maybe missing.
Right. All of these different things we’re talking about—this is that swivel chair work I was referring to. This is that copy-and-paste, pull-that-screen, clicking motion where you’d rather have your German team, or whoever it is, your lines of business, not spending their time trying to work through this stuff. You want them addressing more critical things, right? So back to that case I mentioned before, there’s got to be a hard dollar and a soft dollar savings here. The hard dollar can be the reduction in the FTE’s time. So instead of them slamming their keys, copying and pasting, they’re actually doing things that make money for the business.
But then the soft dollar side to this is, well, what am I gaining in terms of revenue generation? How do I speed things up? How can I scale without growth? All these other things. So there are two sides to the house. But when we think about vendor onboarding and vendor management, this is exactly the perfect type of use case for something like automation.
Seth Holland: Great. Thanks. Thank you for that. Chris, your thoughts as it relates to vendor management in two parts—from the automation and AI piece, as well as the security and compliance implications. How can an AI or an automation-based solution help drive compliance?
Chris Yula: Yeah, I’ll flip the answer. So, from a compliance perspective, we’re leveraging AI and automation to make a quicker assessment for our clients on their key vendors, both critical and even non-critical. Non-critical might mean they’re not critical to the manufacturing aspect or something like that, but that doesn’t really change the fact that if, in fact, a virus or malware came through—critical or non-critical—it wouldn’t have the same impact, right? So realistically, we have a watermark that we’re sitting down and assessing for each of the organizations that are coming in.
Now, as part of your rubric when you’re choosing a partner, you’re making sure that they carry at least the same or similar methodology and culture around security. The AI aspect is actually automating a lot of the awareness that’s going on. We’re using it for pushing out questionnaires, collecting information, scrolling through all that data to look for anomalies or challenges with the responses that are coming in. We’re also doing compliance testing of those third-party partners, whether that be in the form of attack surface analysis or ransom susceptibility analysis, to see how main-chain capable that organization is to protect itself from the outside. Knowing that if they are able to protect it, they’re protecting it for the benefit of the company that David might be representing.
If they are just porous as hell, then it’s common sense that it would just kind of be a pass-through—they could become a carrier. When you look at it from the automation piece directly, we have customers that have upwards of 8,000 vendors. Not everybody only has 5, 10, or 20. They might have hundreds, and it’s not just because of clerical errors where there are three of the same one in their database; it’s just what they carry for larger organizations. To sit down and actually try to do some level of consolidation while raising the watermark on expectations—that’s really what’s necessary to ensure that you’re looking at that organization to carry the same care, concern, and investment that you are in security. This makes sure they’re not creating a problem that’s unintended, some kind of fine print problem inside of a contract.
David Arturi: Just to piggyback off that, Chris, you brought up something important that goes back to the data side. Oftentimes, when we’re working with companies around vendor management, I think the vendors will have four or five different records for the same company. It could be Chris Eula Partners, Chris Eula, LLP. That sounds like one problem unsolved, but then when you actually think about the people on the day-to-day who are going to invoice or do something, they don’t know which record to pull. They don’t know. So now you have invoices going to the wrong people, the wrong information—it creates all these different downstream problems. The ability to consolidate that, cleanse that, and then apply automation really drives value in a number of different ways.
Chris Yula: Or even getting a spoof bill from something that looks legitimate. We see that over and over again. We picked up a client where a threat actor intercepted an email and, just with Adobe Pro, changed the phone number and the account number. They had over $400,000 redirected to them. When the client called to verify, “Is this the right number?” Yes, it was—because it was their phone number they were calling. And that’s with simple Adobe Pro. It wasn’t a sophisticated win, but it was $418,000 gone the moment they hit send. They didn’t find out for 45 days, and they were saying, “We need some help.” That money’s gone.
So realistically, there are a lot of double checks, and the more that we can leverage automation and AI to see the anomalies and the differences—the fact that that is not the correct direction, that is not the account number we’ve used previously—all that kind of stuff. Yes, these might be on the human checklist, but they can get missed or someone’s covering. But now, if we’re doing it in a more systemic way and building it into the program, it’s happening with zero fault. At least we’re catching more sooner, if not preventing it from happening 100%.
