What AI Is Actually Changing in Cyber and How to Keep Up

00:00 Trailer
01:01 Chainguard ad
01:28 Intro and today’s three topics
02:30 Entrepreneurship in a tough market
04:30 The rule of three and how Cole runs his business
07:00 Why SaaS product moats are disappearing
10:00 Roll your own vs buying commercial security tools
13:30 When rolling your own actually makes sense
16:00 Cash flow warning for Australian business owners
18:00 Why Cole is building an AI course for security professionals
21:00 Models vs harnesses and why most people get this wrong
24:00 How the cyber industry needs to change its approach to AI
27:00 What Cole looks for when hiring graduates right now
30:00 Systems thinking, humanities and the skills that still matter
33:00 Grandma’s pot and questioning everything you think you know
35:00 Closing thoughts

Cole Cornford:

I’d say that everybody, every role in cybersecurity is changing really fast and I know a lot of cybersecurity professionals who are just confused and don’t know where to start and their use of AI continues to be hey Chat or hey Claude, which is the least effective way to be working with an AI. With this AI course, I want to get away and just teach people that it’s not about the models themselves. You can choose the appropriate model for the use case that you’re trying to do.

It’s how you interact to that model. Hi everyone. I’m Cole Cornford and you’re listening to Secured, the podcast that dives deep into the world of software security. Open source now powers over 90% of the software we build, but it’s also where attackers increasingly strike. Chainguard closes that trust gap with hardened, secure, production-ready open source builds so teams can build faster, stay compliant, and eliminate risk. Get your free CV reduction report at dayone.fm/chainguard and start shipping software with confidence.

This is a solo episode and it’s a little bit of a departure away from our usual bringing guests on and asking them interesting questions. I try to do a solo episode every two to three episodes, just talk about things that are on my mind and stuff that could be useful for you all. I’m splitting it across three categories today because my experience is obviously in software security, but I’ve also got thoughts on AI and how it applies in that space, as well as entrepreneurship. Maybe I could have a little bit extra about family and stuff towards the end, but we’ll see how I go for timing.

Anyway, starting with entrepreneurship, it’s a tough market to start a business right now unless your business happens to be an AI something firm AI for X or AI for cloud operations or AI for code analysis or I don’t know, AI for logistics. If you run any other form of business and investors are not particularly interested in talking to you. I’m not going to say that there’s a bubble because I think bubbles are only really visible in hindsight, but yeah, it’s a tough time to raise capital right now and it’s also a tough time if you’re running a services business, which a lot of bootstrap people are too, because realistically, unless you have existing customers, it’s very hard to get through to GTM spend from these AI businesses and it’s very hard to get executive cut through when the only thing people want to be hearing about is affecting the bottom line, not necessarily top line revenue.

We’ve been seeing masses and masses of AI job cuts, but I’m finding that a lot of the more innovative companies are actually spending the time to hire a lot of those people back into them. So the more people you have, the more connection pathways that need to exist. And I know a lot of people will say, “Our mythical man month is dead.” but realistically all of the agents still need to talk to one another and that creates communication challenges.

I saw a blog poster a few weeks ago by someone who had basically simulated different organizational structures and created agents that mapped to these org structures and worked out who was better at performing a reasonably simplistic task. And it was interesting to me because it showed that just if you replace humans with AI agents that are emulating whatever the position a human was before, they’re still going to have the same challenges about conflicting demands, communicating, getting access to information, understanding context, all of the things that we normally struggle with as humans in a larger business.

So yeah, all his narratives about one man who’s been able to use AI to solve all of his problems. So actually probably not that unlikely because one person doesn’t have any communication issues. But then when they try to scale it into a larger business and you have AI agents able to talk to one another, suddenly it’s like, “Hang on a second, we’re just swapping what carbon-based life forms are silicon ones.” So anyway, there’s three kind of things I want to talk through that are probably useful lessons for you all. The first one is the rule of three.

Now this is common in public speaking, common in writing, common in basically everything. It’s that if you have more than three things, it’s like you’re distracted, you have too many things going on and it’s hard to convey your message because it’s too much to remember. If you have less than three things, then there’s not enough. People feel like they need more. So I’d kind of stick to talking about things in threes. I guess the reason I wanted to bring up the rule of three is because that’s a big part of how I run my business.

I speak to a lot of other entrepreneurs and they have a lot of plates spinning and then I ask which plates are the most important ones and oftentimes they haven’t been able to answer that question because they’ve been too busy spinning plates to actually sit back and think about what the most important plates to be spinning up. In fact, you can drop a bunch of those plates and if nobody’s watching you at the circus, then it doesn’t matter if you drop a couple of plates.

Now going back to the rule of three really helps me prioritize. You could do it in many ways you could have as a macro theme. So like these are the objectives for the quarter or for the year. You can have it as operational things and say that these are the things I want to get done today or this week. But sticking it to three means that you can time box yourself, keep yourself accountable and you actually make meaningful progress.

I’ve seen people push it back to just pick one thing and focus only on the one priority, but I think that that’s hard to do because you could end up getting deadlocked where you can’t progress that one thing. So what are you doing next? Whereas at least if you’ve got free priorities, you can kind of juggle between them if one of them is waiting on some kind of external async process, like a customer responding to a statement of work or to a sales proposal.

You can’t do much of an annoyed customer to get back to you, but then you can go focus on marketing or doing a delivery activity like writing an SDLC assessment or something. Next I’m thinking I want to talk through I don’t think that products have much moat anymore and that’s going to be very interesting. Most of the businesses that have been successful in the last 10, 15 years have been based on raising capital and then using that capital to expand it all costs, like acquire as much market share as possible and then figure out how to monetize it down the track. And there was a lot of reasons why it was successful because you could grow globally, immediately.

You had very low overheads. It was a tried and trusted playbook that VCs were happy to back and the intention was to just get to the next round over and over again instead of focusing on things like goodwill or assets or managing inventory or like staff hiring, et cetera. I think that that’s going to shift quite dramatically and that the business model is really, really under threat, not so much from competitors, but from the concept of role your own.

A product business, like let’s just take Snyk, for example, Snyk was the darling child in the 2020s and then basically focused exclusively on GTM after about 2021 and that’s when we started to see competitors popping up like Aikido Security and all labs and so on because they were innovating and doing things differently that Snyk was really struggling with because Snyk’s focus was on targeting the enterprise buyer.

So let’s add SSO, let’s get the right security qualifications, let’s get integrations to like AD and Azure and Bitbucket and so on and then just focusing on bringing on more salespeople and marketing and so on. But realistically, the core product offering didn’t change all that much for four to five years. And even if you look today, the people have been able to in weeks, sometimes days, create a reasonable replacement to what Snyk’s capability is, which is effectively getting a package manifest, comparing it to a known list of vulnerabilities and a reporting results back to a user as well as like analyzing source code against known patterns that are vulnerable.

And I believe it does taint analysis, but the thing is, so again, all of these LLMs and AI assisted systems nowadays, you can teach them to create a call graph, you can teach them to do the package manifest comparisons and they have access to source code to do things like that already. So I don’t see it as a conversation between do I choose Snyk or Veracode or Fortify, which one’s more feature rich? I see it more as a, do I go buy a commercial offering provided to me or do I choose to roll my own one?

Now I’ve previously done lots of role on my own in companies and it’s usually gone badly and that’s because the IP and the knowledge stays in the engineer’s head who has built this with bang new system. I remember when I was working at a large bank in the past, we built something called secure code as a service and effectively it would be whenever there would be a change to a code base, we would pull the code base into a Docker container, execute a scan against the differential and then send the results back to the dev team quickly and we’d have to pre-compiled previous results for that and it’d basically be like polling to see if anything new would happen and you’d pull it in when something new happened.

And that was kind of preferential for a lot of the dev teams as opposed to packaging source code and sending it to the security team for review because they could trigger a security scan whenever they wanted to. But at that time the engineering effort was rather substantial and used new technology that was kind of hard to replicate. The main one being a Docker Compose and Docker Swarm was the underpinning infrastructure and that bank was not set up to have a production system running these kind of things at that point in time.

So I have always advocated away from rolling your own because I know that the ongoing engineering effort to maintain a system like that is quite substantial as opposed to the license costs of purchasing a static analysis tool or an SEA tool or so on. And there are open source tools available as well, but think of the open source tools is if you work in a regulated environment, it’s quite unlikely that the regulator is going to accept that you cheaped out and are just running like Bandit or Brakeman and saying that this is good enough.

So usually to cover the ask of the executives, they go out and buy some of these bigger tools so that they could say, “Yep, we are investing in the capability and we’ve spent money to try to address the risk.” But yeah, it doesn’t look good if you go out to those same people and say, “Yeah, we’ve just been relying on Dependabot free alerts to patch things.” And I’ll say, “Well, what? No, you should be doing something else.” So anyway, going back to that product versus where we were in the past.

Today though, the cost to maintain an engineer system has changed dramatically. You don’t need the same level of expertise and you can actually engineer the system in a way so that it can manage itself. It’s not going to be perfect. It’s not going to know what it needs to do and it’s not going to be as good as a lot of these commercial products that if you’re paying nothing for it and engineering costs are minimal ongoing because agents have learned how to do that task, then I think it’s quite worthwhile to be looking at rolling your own.

And a lot of the people I’ve spoken to at tech businesses primarily, they’ve been saying things like, “I don’t know why we need penetration testing or I don’t know why we need Shannon or Expo when realistically, I could just get myself my own penetration testing harness that I built over a weekend and just get it to Target all our repos on a daily cadence or something.” And there’s a lot of logic to that. I don’t know what’s the value Is it worth millions of dollars to buy the capability as opposed to just using something that some guys mucked around with on a weekend?

So well, I do think that there are good reasons that the commercial players will still stick around and still be effective, but role your own is definitely the biggest threat. I know I mentioned this before, but if you’re in a regulated industry, the free lines of risk and it’s very like while you can roll your own to help you identify and manage risk, almost certainly you’ll want to have audit done independently of your company. And so if you’ve got an assurance product like a penetration testing tool or a code review tool, that is owned and maintained and operated by a third party entity, then that seems quite reasonable to be able to check that compliance and risk box.

Another thing is just core competencies. If you’ve got one thing that you’re really good at, then spending effort on this little piece over here of security as opposed to spending effort on whatever your core business is may not make much sense. You may be able to reduce the bottom line a little bit, but by spending the time engineering a system, you’re not actually doing your core role. As a security professional, is your job to be building software internally or is it easier to just pay 20 or $30,000 for a software product? Don’t know.

So I find software businesses tend to build their own products instead of buying the ones off the shelf, but by the same token, I think it’s because they have an excess capacity of headcount, which is why they’ve been laying off people left, right and center. So who’s to say? But yeah, that’s going to be a big thing for all of the product businesses and startups that I know is how do you get in front of a buyer and then convince them it’s worthwhile to pay money when a lot of those buyers can come back to you and say, “I don’t know why I would buy this when there’s a good chance that I can just make it myself if I put some effort into it.”

So I’d go back to those people, talk about that you can’t mark your own homework, that the effort that they put into building a security tool is not as important as them focusing on say risk or finance or whatever else. And yeah, just your depth of expertise matters too. Another thing I’ve seen coming up that people are not so aware of is the cash crunch that’s coming around end of June, July for most business owners because we will have at that point paid superannuation guarantee and end of financial year IAS and BAS, which is your tax on individuals who are employed at your business and your GST payments as well.

But come next financial year, we’ll be moving from having monthly or quarterly superannuation payments as well as individual income tax payments to having to do them per pay run. And that suddenly creates a bit of an ongoing cashflow problem for people that may be focused on collecting on a regular basis as opposed to collecting, what do you call it, just upfront so that they can meet these obligations. So just think about liquidity and having options available for next FYI for yourself before it comes up. So I know a lot of entrepreneurs do listen to this.

Moving on. So artificial intelligence. Now, I’ve been umming and ahing and I’ve kind of almost decided that it’s time for me to build some kind of AI course. I think I would like to structure it as AI fundamentals, using AI for security and securing AI products as kind of different modules that build on one another and then maybe working out whether there should be a one-day course, a three-day course or a five-day course. I’m inclined to do five days or to modularize it and make it available online with homework.

And the intention behind it is that I think that a lot of the stuff that I’m teaching in the foundations of application security course, which has been my flagship for a number of years, it’s changing very, very fast. I’d say that everybody, every role in cybersecurity is changing really fast and I know a lot of cybersecurity professionals who are just confused and don’t know where to start and their use of AI continues to be hey Chat or hey Claude, which is the least effective way to be working with an AI today.

Most folk aren’t even talking about harness engineering. Even reading an article by CISO Lens recently, they said that the Mifos problem is here for everybody and to me, that implies that most of the security leaders who contributed to that article don’t have a technical grasp on what Mifos really means for the industry because Mifos is a model and it may be very good at things, but a model is interacted with via harness like Claude or Copilot or Cursor and that’s where the real challenge is because all of the ways that you interact with the model are now gatekept by what a third party allows you to do using their proprietary wrapper for the model itself.

So I think that I would not be surprised if in the next month or two we start to see a hell of a lot more businesses like big tech companies especially come out and say, “Hang on a second, why are we focusing on models and obliteration and like small language models and like parameters and so on when that’s like going to be, it’s already reasonably commoditized with like Gemma 4 and MiniMax and Mistral and so on.

It’s the interaction with these models that’s the problem. That’s why with this AI course, I want to get away and just teach people that it’s not about the models themselves. You can choose the appropriate model for the use case that you’re trying to do. It’s how you interact with that model and you can interact with it the way that Anthropic tells you to or the way OpenAI tells you to, but then you completely lose all control and have to effectively pay for all utilization of that model.

Whereas you can now design a harness to help significantly reduce the amount of money that you spend on that model and control which models you’re interacting with and even do stuff locally on your workstation if you’re thinking about that system architecture. So it’s like those kind of misconceptions that I really want to be addressing by having some kind of fundamentals course to be like, this is a model, this is a harness, this is like why we’re doing this engineering.

Here are the reasons that you would want to do it. Here’s the reasons that you’d want to just use Claude, et cetera, et cetera. But yeah, that’s on my radar. I’d love to chat to people who are interested in the kind of content you think would be value for your organizations because I have a good zero to hero pathway in my head for how I want to be doing the content and I want all of the content to have practical exercises rather than just be like a bunch of theory. But yeah, just let me know if you’ve got feedback about what you would like to see in an AI course.

Now speaking of AI, let’s move to cyber quickly. Now the cyber industry is changing a lot and in a very short period of time as well. I know most of the people I speak to are still doing things the traditional way and saying stuff like, “Why are you still using Burp Suite?” Usually is very offensive to penetration testers because that’s the way we’ve always known how to do things.

Why are you using Word documents when you should be using markdown files and storing it in the Git Repository? Why are you spending the time on reviewing everything when you could have a Gan set up with LLM-as-a-judge and then just get it to test which of the outputs is the most appropriate before you review it? So it’s a different kind of attitude and skillset to approaching security than learning just traditional tech. I’ve been hiring graduates still, which is I think an encouraging sign.

I think a lot of people … I know that big law firms have been saying that have been cutting off the graduate hiring pool because a lot of the tasks can be automated, but I think that’s all well and good to reduce OpEx, but the broader economy is shrinking as well. So I’m not seen as graduate positions disappear. I think people are just a bit more selective about which types of graduates they’re bringing on to respond to the amount of supply there is.

Yeah, I still think that the most important qualities I’ve had in these grads and younger people is just systems thinking and humanities attitudes really. If you can understand how a business or how a process operates end-to-end and be able to reason about things like performance or complexity or about caching or just all of these traditional computer science concepts, which we’ve all seemed to have forgotten because with cloud computing, you could just auto-scale in a response to it.

I think that’s a still super valuable skillset because well, if you scale your AI systems by just using cloud, then what you end up with is spending heaps of money on token utilization in a consumption model. And so if you go back to things like, “Hey, what type of data structure should we use? Should we be caching results? Should we be trying to store stuff locally in a repository? Should we be using indexing?” It’s reasonably straightforward approaches to standard memory and performance things. I think you’ll go far.

What I’m more concerned about are the people that said, “Hey, I’m going to go do some learn how to write policy standards and frameworks, or I’m going to be a ISO lead implementer of masters in cyber and pen testing, and all they’ve done is run necessary, run NMAP, which you can ask an agent to do for you and feed that back in, or you can ask an agent to run subagents and then get those subagents to collate the results and get it digestible for you.” That’s the kind of stuff, the monotonous parts of the job, that’s going away.

And if you’ve only learned the monotony or the rigid stuff as opposed to thinking, why are we doing the things we’re doing and how do we make it so that we can think differently? There was an old story I read ages ago called Grandma’s Pot and it was like the daughter asked the mom, “Mom, why do we use this pot?” And then mom says, “Oh, it’s like grandma’s pot. It’s been in the family forever.” And then the daughter asks the grandma, “Grandma, we’ve been using this pot for ages and it kind of sucks. So I’d like to try something new.”

And grandma says, “Oh yeah, that makes sense. The reason we use this pot is because it’s the only pot that fit into the oven at my old house and now you’ve got a bigger oven, so it may as well try something differently.” And so we have these preconceived processes or ideas or opinions about things that we’ve learned over the years and then we failed to question. I think that cyber is going through this now and asking questions of itself like, what is the value of an assurance activity?

If the code that we write is changing every two to three minutes, how do we even do assurance? Does that mean that we need to be doing it every two to three minutes? What about with certifications? Is anyone going to be reading the policies and standards or are we going to assume that someone is reading them is doing it through an agent? And then if that’s the case, is the agent, does it have appropriate guardrails in place to stop it from confabulating what it thinks does standards and policies say?

So yeah, I’d say that one of the biggest skills is to still learn the existing criteria, but to be quite curious and open-minded about how things could be done differently. Anyway, that’s coming up to the end of my solo episode today. I hope you’ve had fun and I will speak to you all next time. Thanks a lot for listening to this episode of Secured. If you’ve got any feedback at all, feel free to hit us up and let us know. If you’d like to learn more about how Galah Cyber can help keep your business secured, go to galahcyber.com.au.