Guardians of Data
A show where we explore the world of information law and governance; from privacy and AI to cybersecurity and freedom of information.
In each episode we will be speaking with experts and practitioners to unpack the big issues shaping the IG profession.
The Impact of AI on Cybersecurity
In this episode we discuss how AI is reshaping trust, identity, cybersecurity, and organisational accountability.
In recent weeks, governments, regulators and cyber security professionals have been gripped by the emergence of Mythos, the powerful AI model developed by Anthropic. Touted as capable of identifying software vulnerabilities at a level that rivals some of the world's most skilled human researchers, the model has generated excitement, concern and intense debate.
Against this backdrop, our guest on this podcast is an internationally renowned cybersecurity leader, educator and technology strategist. Caroline Wong is Chief Strategy Officer at Axari and the author of The AI Cybersecurity Handbook.
In this conversation, Caroline explains how cybercriminals are using AI to launch sophisticated cyber-attacks. We also discuss how organisations can use the same technology to strengthen their cyber defences.
But this conversation goes beyond the technical. We discuss why trust is becoming the central battleground in cybersecurity, how deepfakes and AI-generated content are reshaping the way we verify information, and why human judgment remains critical despite rapid advances in automation. We also take a closer look at Mythos itself and what it means for the future of cybersecurity.
Useful Links
LinkedIn Learning Cybersecurity Courses
This podcast is sponsored by Phaselaw - a purpose-built solution for document disclosures, like subject access requests and FOI requests. Instead of redacting PDFs one by one, or forcing litigation software to do a job it wasn't designed for, with Phaselaw you get collection, review, and redaction in one workflow. Teams across the world are using it to cut response times from weeks to days.
For Guardians of Data listeners, Phaselaw is offering a two-month free trial; run it on live requests, see what it does to your backlog, decide from there. No card, no commitment.
Welcome to Guardians of Data, the podcast where we explore the people, ideas, and technologies shaping the future of privacy, information governance, and digital trust. I'm your host, Ibrahim Hasan. Today's episode is about how AI is impacting the world of cybersecurity. In recent weeks, governments, regulators, and cybersecurity professionals have been gripped by the emergence of Mythos, the powerful AI model developed by Anthropic. Touted as capable of identifying software vulnerabilities at a level that rivals some of the world's most skilled human researchers, the model has generated excitement, concern, and intense debate. Against this backdrop, our guest is an internationally renowned cybersecurity leader, educator, and technology strategist. Caroline Wong is Chief Strategy Officer at Axari and the author of The AI Cybersecurity Handbook. In this conversation, Caroline explains how cyber criminals are using AI to launch sophisticated cyber attacks. We also discuss how organizations can use the same technology to strengthen their cyber defenses. But the conversation goes beyond the technical. We discuss why trust is becoming the central battleground in cybersecurity, how deepfakes and AI-generated content are reshaping the way we verify information, and why human judgment remains critical despite rapid advances in automation. We also take a closer look at Mythos itself and what it means for the future of cybersecurity. This is a conversation packed with practical insights and thought-provoking ideas. Let's jump in. Caroline, welcome to the show.
Caroline Wong: Thank you so much for having me. I've really been looking forward to it.
Ibrahim Hasan: So have I, I'm really excited by this conversation that we're going to be having because it brings together two key themes of our Guardians of Data podcast. One is, of course, cybersecurity, and the other is artificial intelligence, which everybody's talking about. So let's go. Caroline, you are the author of The AI Cybersecurity Handbook. Can you just remind us what your motivation was for writing the book?
Caroline Wong: You know, right now, what I'm observing in cybersecurity is a massive change across how work is done, across the type of work that cybersecurity professionals are doing. Certainly, artificial intelligence is hugely impacting not only cybersecurity, but actually many aspects of our lives, both personal and professional. And one of my great passions is teaching as well as sharing what I learn with others. So I thought, you know what? Here's a cool opportunity. Why don't I perform some deep research and then share what I've learned with the world?
Ibrahim Hasan: And I think that passion really comes through within the book, Caroline. It's always great to read an author that is able to explain the subject in a logical, clear way, especially for somebody like myself who is not really an expert in cybersecurity. One of the key ideas in your book, Caroline, is that the AI acts as a force multiplier for both attackers and defenders. Starting with attackers, how are cyber criminals using AI today?
Caroline Wong: You know, just like AI is affecting each of us, both personally and professionally, in terms of the way that we approach tasks. You know, I'm now looking at attackers and any sort of task which might have required an attacker to string together a number of manual activities, many of these can now be automated. So one example I like to talk about is social engineering. 30 years ago, you might have a person based in one country trying to perform a social engineering attack on a person in an entirely different country who speaks an entirely different language. Now, at that point in time, the attacker would have to do their best to learn the language of the person that they're targeting. Today, AI makes that not only automatic and instantaneous, but extremely compelling. So that in the past, we would advise folks to look out for cybersecurity scams and social engineering and phishing. And we'd say things like, look out for misspellings or grammatical errors. Because in the past, that was fairly probable. You know, if I tried to write a message to someone in a language that is not my native language, almost certainly I'd make a mistake or two. But today, with all of the very publicly accessible and easily consumable AI tools that we all have at hand, I can say whatever I want to in whatever language I want to. And I can actually even do things like say, make me sound like a technology executive, make me sound like a nervous mother, you know, make me sound like a stressed-out delivery worker. AI is actually so incredibly powerful when it comes to native language, as just one simple example, that this is something that attackers are really taking advantage of.
Ibrahim Hasan: I see. And I suppose with all these tools, it's making hacking much more democratic.
Caroline Wong: Absolutely. I consider myself very privileged to know personally a number of extremely talented hackers. And just like any area of expertise, you think about what can a person accomplish in terms of developing mastery of a subject or mastery of their craft? And I think we think, okay, well, if somebody puts in 10 hours of effort, they might be able to learn a little bit about something. If they put in a hundred hours of effort, they're gonna learn significantly more. What about a thousand hours or 10,000 hours? And now I think in the cybersecurity field with regards to attackers, we're really seeing folks who could put in 10 to 100 hours. And yet, because of the AI tools and capabilities that are available to us, they could actually make an impact and conduct activities that previously would have taken a thousand or 10,000 hours for them to achieve that level of expertise. That's what AI is doing for folks.
Ibrahim Hasan: So just to summarize what you've said, Caroline, it means that hackers can get hold of these tools. They are cheaper, they are faster, and they're learning at a rapid rate, which enables them to scale up their activities, which is really interesting. Let's dive a bit deeper into the use of AI as an attack tool, starting with AI reconnaissance. As we know, hackers don't just wake up in the morning and decide to launch a cyber attack, they do their homework, known as AI reconnaissance. How are they now able to harness the power of AI to do this research?
Caroline Wong: You know, so much of this research had previously been done manually. And of course, that would take a lot of time. If I were a cyber attacker and I was looking to attack you or someone in your network, or maybe if I was trying to pretend to be you, then I'd probably start out with some Google searches. I might look to see do you have any sort of social media presence? Certainly in your case, you've got a lot of podcasts that you create and produce. And so there's actually a tremendous amount of data kind of out there in the public sphere with regards to what sort of words do you use when you're speaking? What is the tone of your voice? How exactly does your voice sound? You know, for any of us and for any of our companies or organizations that we work for, there is a lot of publicly available data if only an attacker chooses to go and look for it. And AI has made this data collection and data gathering, you know, something which might have taken an hour can take literally five minutes at this point in time. I could, whether I'm an attacker or not, I could look up your name. And before I might have used a search engine like Google. And today I might use an AI technology like Claude or ChatGPT. And I might actually be able to gather as much information about you or about any individual or any organization in just a few minutes that before would have taken me an hour or more to gather.
Ibrahim Hasan: That's going to resonate very well with the majority of our audience, privacy and data protection professionals, because for years we've been educating people to say be very careful about the information that you put online. And now you're saying that criminals can get hold of that information much quicker. They can use the power of AI to process it, to build the profile of an individual or an organization. So this is perhaps where data protection and privacy is coming together with cybersecurity and AI.
Caroline Wong: Absolutely. I think the common question that we want to be asking ourselves is what information is out there, who has access to the information, and what sort of time and effort is required to really analyze and interpret and gain insights from that information that are going to be useful, whether that is for an attacker or for a defender or for a privacy professional, a data protection professional. You know, these questions, I think you've really described it well, are common concerns that we have.
Ibrahim Hasan: And a lot of organizations at the moment, we're still sort of in the experimental stage of AI. They're allowing their employees to use generative AI, encouraging them for the purpose of research and to produce drafts. But I suppose there should be a word of caution that if they're pasting information, they're automating workflows, it increases the risks in cybersecurity terms. That's what we're saying, aren't we?
Caroline Wong: It really and truly does. One of the foundational concepts that I've thought about throughout my cybersecurity career is that security, and while my expertise is in cybersecurity and I know relatively less about privacy and data protection, access to information is at the same time powerful and also a security or a privacy concern. You know, the reason why cybersecurity is the enormous field it is today is because we can now share information so very easily across the internet, using our laptops, using our mobile phones. It is because of this sharing and connection that we have the security and the privacy problems in the first place. It's actually quite funny. I think to myself, in sort of the 2005-2010 time frame, I was working for a large e-commerce company. These were days when nobody really worked from home. Everyone went into the office. And one of the things that we would say to folks is don't put your password on a sticky note and have that be sitting on your laptop, because anyone could just walk by your machine and log in as you if that credential information is right there for anyone to see. And today, I think a bit ironically, one of the safest things for me to do is actually to write some secret, whether it be my password, my credential, or whatever it is, and put it right here on my laptop. The reason, of course, being that the context has changed entirely. An attacker, unless it's one of my kids or something like that, is far less likely to have physical access to my device when I'm working from home than they are to have access to any and all information that is digitized and anywhere on the internet.
Ibrahim Hasan: So that's a great example back in the day. Joanne's new password is because anybody could access that. Whereas now we're saying, as you say, that's actually much safer than putting your details and your credentials online. So yeah, interesting how times have changed, Caroline.
Caroline Wong: Right. And just as sort of a practical note for our listeners today, with regards to password security, the advice these days is to use a password manager. When you use a password manager, you're going to have one very, very important password. That is something that I recommend to folks that they consider writing down on a piece of paper and putting that piece of paper in a secure location. Now, for some folks, that secure location might be a safe, but it might also just as well be a drawer in your home. And so just wanted to make sure that as we were touching upon that topic, that we were also providing folks with the correct guidance that's up to date.
Ibrahim Hasan: That's good advice. Thank you for that, Caroline. Now, you've got a whole section in your book relating to malware, of course, a time-honored tool for cyber criminals, malicious code injected into a system, trying to steal passwords or shutting down the system. You say in the book, though, that AI is supercharging malware at machine speed. How is it doing that?
Caroline Wong: So here's a way that I think about malware in terms of our ability to detect malware. If I think about, I'll kind of switch our context for a moment and I'll think to myself, sort of a neighborhood watch situation. In my neighborhood, for example, it's a fairly sort of intimate community. Any of us will be in our front yards, in our backyards, chatting it up with our neighbors. And we sort of know, like who our neighbors are and who their family members are and who their friends are that come and go on a regular basis. And if someone were to see someone who they did not recognize, then they might say, Oh, what does this person look like? Oh, that person's wearing a green sweater and they've got red colored hair. And so your folks might be looking out. And if they were to see a person with a green sweater and red colored hair, they might approach them and say, you know, hey, is there something that I could do for you? Can I help you out or something like that? But if I look at that in kind of a malware scenario, then there are technical attributes which we can use to detect malware. Historically, these are often called signatures. And the reason is my physical signature of my name is an identifier. The idea being that only I can really write my name the way that I do, that somebody else might try and forge it, but it's not likely to match. So for decades in cybersecurity, we have used signatures to identify malware. So that if we know that there's malware out there, and for the sake of example, we'll play with this story about a person with red hair and wearing a green sweater, and we'll say, if you see a person with red hair and wearing a green sweater, don't allow that person to enter your home. Now that works if it takes a long time for a person to change their clothing or their hair color. And historically, malware would sort of go out and it would kind of look the same.
But today, it's actually very, very easy for attackers to take a piece of malware and effectively launch a hundred different versions all at once. And one of them is gonna have a green sweater and have red hair, another one is gonna have a purple sweater and have black hair, another one is gonna have a blue sweater and have blonde hair, and so on and so forth. And so it's actually much more difficult for cybersecurity professionals today than it was, say, 10 years ago, to be able to identify malware so as to detect it and block it. Today it's much more challenging to detect because it can become iterative. And signatures are no longer something that lasts.
Ibrahim Hasan: So it can change all the time. Can it change whilst it's all inside the system as well?
Caroline Wong: Yes, it can. That's one of the kind of terrifying things. And it's a very interesting technical problem for cybersecurity defenders to solve, which is to say, well, in a world where I can't identify it by the color of the sweater, I can't identify it by the color of the hair. What I need to do actually is I need to try and identify it according to its behavior. And that is the new way, and it's a little bit different and it's a little bit trickier.
Ibrahim Hasan: It's interesting and also, as you say, frightening at the same time. And that's nicely answered my next question. Something that I was grappling with in your book, the phrase "rule-based detection can't keep pace with AI-generated novelty". Now I understand.
Caroline Wong: Exactly. Exactly. And I'm so glad that we're really pulling that apart because it is such a key concept with regards to cybersecurity and artificial intelligence. And so I'm really glad we were able to kind of dive deep into that point together.
Ibrahim Hasan: Excellent. Thank you for that. And we hear a lot, and you've already mentioned, Caroline, social engineering being a key tool for the cyber criminal. I was interested to read the 2026 Trends and Priorities report from the American-based, I believe, Information System Audit and Control Association, ISACA for short. Their report says that AI-driven social engineering is set to become one of the most significant cyber threats in 2026. Can you just explain a bit more the term social engineering and how AI has made it much easier?
Caroline Wong: I would be happy to. So if I step back for a moment and I ask the question, what exactly is social engineering? The way I think about it is, you know, there are technical vulnerabilities in systems. If you've got a technical vulnerability, then an attacker can exploit that vulnerability. But because ultimately we're talking about humans using computing systems, basically you can either try and trick the computer or you can try and trick the human. And many times it's actually easier to trick the human because we are social creatures. One example is, and this is kind of a little bit outdated, but certainly it applies in some cases still. If you think about an office where the only people allowed to enter that office are employees, folks would have a badge that they'd use to identify themselves and they'd probably tap it and then they would be allowed to enter the building. Now, humans, if we see somebody who's struggling a little bit, maybe they're carrying a lot of things in their arms, maybe they are on a phone call, they seem really stressed out, maybe they've got a uniform that indicates to me that they're coming in to perform some service work inside of the office. There's any number of reasons why it's actually a normal social thing. Even if you're supposed to present a badge in order to enter an office, if you see somebody struggling a little bit, nine out of 10 humans will hold the door open for someone else. And that's just a normal social nicety. And I actually think there are many, many wonderful things about the fact that that's how a lot of humans behave. But attackers will take advantage of this. And they'll say to themselves, if I need to get into this office, I'm gonna pretend to be a pregnant woman. I'm gonna pretend to be very, very busy and on a phone call, kind of stressed out.
You know, I'm gonna load up my arms with items so that it looks as though it would be inconvenient for me physically to have to get my badge and tap it to this card and then open the door. And so these things can happen not only in a physical office setting, but also in so many ways because of the ways that we communicate with each other. I might receive an email. I might receive a text message, I might receive a message on a social media platform, whether that's LinkedIn or Facebook or Instagram. I might actually get a phone call or somebody might leave me a voicemail. And today, there are so many ways for attackers to try and fool people. Somebody might call you and say, hey, it's your niece. Somebody might call and say, Hey, it's your doctor. Hey, it's your bank. And because of our faces, our likenesses, our videos, our voices being so much in the public sphere, there is a technology called deep fakes that attackers are using. And they will essentially be able to produce video and audio that is so compelling that it's nearly impossible to tell apart from the real thing. And so, from a cybersecurity training and awareness perspective, we've actually had to shift entirely what we tell people to help them avoid getting scammed. I mentioned earlier in our session today, we used to look for things like grammatical errors and misspellings. We used to look for graphics that didn't quite look right. Today, everything is going to be spelled correctly. There will be no grammatical errors, there will be no visual cues. In fact, what I'm teaching people these days is you've got to pay attention to your nervous system. And you've got to learn how to pause. If you receive a message, you've got to ask yourself, did I expect this message? Is this message asking me to do something? Is it asking me to give any information? And then there's an opportunity to always go out of band and just validate is this real or not?
If I receive a phone call and the person on the phone says they're my sister and they sound like my sister, and they're saying to me that my niece is in the hospital and she really needs me to send her some money right away, it might sound just like my sister. And if it's a phone call, then what I can do is I can send her an email and I can say, hey, is this really you calling me right now? And so this is really kind of the best tool that we have on our side at this point in time is to pay attention and ask ourselves, did I expect this request? And to check it using a secondary channel.
Ibrahim Hasan: So just to summarize what you're saying, Caroline, social engineering is about the criminals targeting the individual as opposed to the system, and they are now using all the tools available through AI to produce those, whether it be videos, voice impersonation, etc. And it's interesting that you mentioned deep fakes because we've just had local elections in this country and in that we're on the verge of having a parliamentary election which may have an impact on who the next prime minister is. And what we're seeing is a proliferation of deep fakes, politicians complaining that videos have been produced of them apparently giving money to people en masse and lots of other sort of misinformation. So that's really interesting that AI has really allowed the criminals to up their game in that way. Just interested to know, Caroline, and of course you don't have to answer this question if you don't want to. Have you ever fallen prey to an online scam involving AI?
Caroline Wong: You know, I've definitely fallen prey to online scams.
Ibrahim Hasan: And that surprises me, Caroline. And that's perhaps a lesson for all of us, if you as an expert.
Caroline Wong: I'm literally a 20-year cybersecurity expert. I've written books on the topic, and yes, I've been scammed. And I'll tell you what some of the scams are. One of them happened to me. I was on social media, I was on Instagram, and I saw an advertisement for inexpensive Lego sets. And at this point in time, my kids were fairly young, sort of that perfect age where a Lego set is just the perfect gift. Although truly, Lego sets are a perfect gift for any age. And before I knew it, I was so excited to see discounted Lego sets that I'm adding them all to my cart. I'm typing in my credit card information. And I realized later, gosh, there's no way that could have been real. More recently, I fell for a scam where someone was pretending to be a recruiter and they reached out to me about a job for a big four consulting firm. And I thought the job sounded very interesting. And I began to pursue it. And what tipped me off was they said, your resume is pretty good, but let me connect you with this other person. And for just $200 or something, they can make your resume just perfect for you to submit. And I thought to myself, this is a scam. The point though, you know, none of us are immune to these things. And so I think one thing that I really like to try and promote is that we all give ourselves a little bit of grace and then we all be a little bit kind to ourselves. Because at this stage, the scams are very, very, very challenging to detect. And every once in a while it's going to happen. And the best we can do is to try and keep our eyes open, to be paying attention, to be asking some of these questions. Did I expect this? Is there a sense of urgency? And then always to simply validate through a secondary channel.
Ibrahim Hasan: Absolutely. Check, check, and double check, especially when it comes to Lego, because it's just so expensive these days, isn't it?
Caroline Wong: That's exactly right. That's exactly right. So it was a very clever scam.
Ibrahim Hasan: Yeah, yeah. Do you know when I was a kid, there was just a different colored Lego, and it was all in sort of three or four different shapes, and you had to use your imagination to build a plane or a house, and now they have full kits. And I'm thinking, I'm glad my kids are much older because I would have fallen for that scam as well. Wonderful, wonderful. So it seems to me, Caroline, that cybersecurity in the world of AI isn't just about the sort of technical aspects, it's very much about the behavioral aspects. And in a way, it's really about trust, isn't it? Would you agree that trust is the key background?
Caroline Wong: Oh, absolutely. And I think that it's a strange world that we live in. I had connected with a professional who works in marketing, and she and I met in person and we found out that we have a shared fascination with AI. And she told me that as a marketing tool, she had built kind of a deep fake of herself. She basically made a fake digital resemblance of herself. And she said, Caroline, do you want to have a video call with my twin? And I said, Sure, this is so fascinating. And I had met this person twice in real life and maybe twice on the phone. And I'll tell you, when I met with her digital twin that she herself had created for professional purposes, I think I could have been fooled by it. It was really fascinating. And so the ways in which we represent ourselves, the ways in which we trust representations of people and organizations that we really do and truly trust, I think this is gonna shift. I think that this is gonna evolve over the next couple of years.
Ibrahim Hasan: Absolutely. And I suppose though, things haven't really changed. If you think about the means have changed, the ability of attackers has changed, and as I say, much faster, much cheaper, much better. But in the end, confidence tricksters, impersonators, scammers, they all rely on humans to behave in a certain way. They try to get trust, they try to get into the confidence of the victim, but AI has just sort of upped their game, really, hasn't it?
Caroline Wong: That's right. In my opinion, it's done it on both ends, which is to say the attackers now have an advantage, and so do the defenders. Many people kind of make this chess game or arms race sort of analogy. And I think it's really very, very appropriate. You know, the attackers get one step ahead, and then the defenders get one step ahead as well. And then the attackers get two steps ahead, and then the defenders get one step again ahead, and so on and so forth.
Ibrahim Hasan: I'm glad you mentioned defenders because it's not all doom and gloom. Can you just explain a bit more how organizations can use the power of AI to improve their cybersecurity?
Caroline Wong: Yes. So if we think about any sort of manual repetitive task that an information security professional would do, one particular use case is third-party vendor risk management. This is essentially when one organization is looking to establish a business relationship with another organization. And the organizations are kind of checking each other out to say, okay, what's your risk profile? And does it align with my risk tolerance or does it not? And historically, this had been a very manual sort of back and forth surveys and questionnaires and interviews, very, very time consuming. Now, today, AI can help these processes of third-party vendor risk management and customer due diligence questionnaires to go much quicker than they had before. And what this allows cybersecurity professionals to do, the defenders, if you will, is it really allows them to spend less of their time on coordinations and tactical operations and more of their time thinking strategically? And this, of course, is a huge advantage for the defenders.
Ibrahim Hasan: So what you're saying is that AI can be an enabler and a force for good in terms of cybersecurity. Is that the same both for large organizations as well as small ones, or does it depend on the resources available? Is it about just buying the best AI-enabled security software, or is it about using other tools to do the same job?
Caroline Wong: Money still matters. I think money will always matter. A teeny tiny organization with a security budget of call it less than $100,000 is always going to be in a very different position than an international conglomerate with tens of millions or even hundreds of millions of dollars available to them from a budget perspective. So definitely money still matters. However, it's important to acknowledge that AI does not work perfectly. AI is still very vulnerable, it's very error prone. And so for any cybersecurity professional trying to use AI, it's gonna take some experimentation. It's not quite as easy as okay, you identify the top security software in the world, and all of your problems are gonna go away. AI is not a silver bullet for solving any of our problems. And actually, what I think is gonna matter, increasingly so, is governance and then risk management as well as communication between different stakeholder groups inside companies, outside companies, you know, it's still gonna require a group of humans to determine, for example, what a privacy policy should say. Now, is it much easier to draft and to iterate upon the exact language of a privacy policy than it was, you know, even five years ago? Certainly. But at the end of the day, you're still gonna need to talk to humans and get some buy-in. And those sorts of things, in my opinion, are not gonna change. So whereas AI is speeding things up and a lot of things up, it doesn't apply equally across the board.
Ibrahim Hasan: And I suppose we mustn't forget basic cybersecurity principles and governance principles and not be lured too much into spending a lot of money on AI-enabled security, thinking humans are no longer needed.
Caroline Wong: Correct. What I expect to see in the next 12 months or so is organizations really trying to figure out what they are going to do about AI token spend because AI is not free and AI is not even cheap. So when organizations are looking at, okay, yesterday we had a human performing this work, and that human cost us however much that human cost. Today we can look and say, well, how much would it cost AI to go and do this? And over time, I think that the cost for the token, effectively the cost for the AI to do its work, that is going to be something that organizations will need to pay a lot of attention to. And I'm very curious to see how this evolves.
Ibrahim Hasan: Absolutely. So don't take the immediate cost of implementing an AI solution and perhaps making an employee redundant. Look at the long-term costs and the implications. I recently heard at a conference somebody talking about the environmental impact of AI and how we will all end up paying for that in the future. So yeah, that is certainly good advice and things to consider. Can we just turn to the hot topic at the moment in the world of cybersecurity, of course, which is Mythos? The company says it's found the tool that can outperform humans at some hacking and cybersecurity tasks during testing. Mythos was able to identify and exploit vulnerabilities. It found a 27-year-old bug in an AMP operating system known primarily for its security. How has Mythos changed the way we look at cybersecurity?
Caroline Wong: I love this question. Because what Mythos has done, and in my opinion, Mythos is real. In my opinion, Mythos works. You know, earlier in our session today, we talked about how many hours does it take for a human to achieve mastery of a subject. And while I know researchers and professional hackers who certainly are able to operate at a Mythos level, this capability is now possible, thanks to AI, for significantly less number of human hours. And that is different. And some would say terrifying. The reason is because when it comes to cybersecurity vulnerabilities, fundamentally there's a few different ways for us to look at it. One way to look at it is what is the time and the cost to find a cybersecurity vulnerability? This is what Mythos has taken from hours and days and months and turned it into minutes. But just as importantly, in fact, maybe more importantly than finding security vulnerabilities, it's just as important to have to fix those vulnerabilities. And what's happened at this point in time is we now have a significantly improved approach for finding vulnerabilities, but we don't yet have an equally speedy approach for fixing vulnerabilities. And this is really where the biggest problem exists. Now, there is a group of companies called Project Glasswing, and these folks have access to Mythos. And the idea is that if Mythos is finding all of these big important security vulnerabilities, then if the sort of big tech companies of the world have access to it earlier, they're in a position to go and fix those vulnerabilities. Overall, I think that's generally a positive thing. But folks know that the Mythos capability is not necessarily specific to Mythos. AI, in general, and more broadly speaking, than Mythos, can provide humans with the ability to identify security vulnerabilities much faster than they could in the past. And that does have an impact on today's and tomorrow's security teams.
Ibrahim Hasan: You mentioned that we need more capability in terms of fixing the bugs and the issues that the likes of Mythos are identifying. So I suppose perhaps that's good news for cybersecurity professionals and those that thought that they'd be out of a job because of Mythos and the like.
Caroline Wong: I hope so. I actually personally predict that in the next 12 to 18 months, we are gonna see some sort of really big bad AI cyberbreach. And this, in my opinion, is gonna cause cybersecurity professionals, data protection professionals, privacy professionals to all take a pause and start to think about what are some of the governance and controls that we need to be thinking about because today folks are just running at full speed and providing a lot of access to AI tools with not so much care or concern about what's going to happen. And I think that there will be a consequence to this. And so I think it'll be very, very interesting. Interesting to keep our eyes open and see what's going to happen in the next 12 to 18 months in this regard. And I believe that when this big bad cybersecurity attack that's related to AI happens, that that will change what's needed for the workforce.
Ibrahim Hasan: That's very interesting. So I was reading that Anthropic themselves were saying that other AI companies will have Mythos-class models within the next six to twelve months. If these tools are so powerful, then is there a case for banning such tools, or do you think there's a better way?
Caroline Wong: You know, this I think is going to reflect something about my personal style, which is that I don't personally think that banning works well. I think that throughout history, when different things have been banned, what ends up happening is a small group of privileged people have access to it and others do not. And I think that that has societal impacts. Now, one of the very practical problems with banning Mythos, in my opinion, is that while Mythos is currently proprietary, there are, we expect, going to be models that are equivalent. I actually expect that there are models that are equivalent today. And so even if Mythos specifically is banned, there's nothing that prevents somebody from making the next Mythos. And so I think that an attempt to ban or limit it, you know, I do think there's value to it, but it will be limited and it will change quickly over time.
Ibrahim Hasan: And of course, the thing about banning anything is that it increases its value and it increases the people wanting access to it because they think that there must be something to it that it's banned and therefore it just drives it underground, doesn't it?
Caroline Wong: Yes. You know, we as humans, boy, do we like to get our hands on the things that we're not allowed to talk.
Ibrahim Hasan: Absolutely. Absolutely. One thing that comes through strongly in your work, Caroline, is that despite all the focus on automation, human judgment still matters enormously. How do you see the role of the human in the loop when it comes to cybersecurity?
Caroline Wong: You know, human in the loop is such an interesting concept. I think about it like on any given day, I go around and I walk around my house and other buildings and I switch on lights without even thinking about it. Do I understand the inner workings of the electrical system? I do not. Do I switch on the lights anyway? I do. And so I do think that when we're talking about human in the loop, there is different levels of abstraction to consider. And going back to our theme of trust, this is gonna change. We as a society, we as cybersecurity professionals, we as privacy professionals, we as data protection professionals, the way that we think about what needs a human in the loop is evolving very, very quickly. And so I don't think there is a straightforward answer. I do expect to see a lot of change. And I think things will settle down in a few years.
Ibrahim Hasan: Excellent. Thank you for that. Now, Caroline, you're an experienced cybersecurity professional. We have a lot of listeners who are working in the field of data protection. As we mentioned before, the fields of data protection and cybersecurity, once seen as separate disciplines, one technical, one regulatory, now seem to be coming together. For anyone in the cybersecurity arena or hoping to break into it or perhaps expand their area of expertise, in the AI era, what skills do you think they should be developing?
Caroline Wong: I think that it's extremely important for all of us to try and learn quickly. And I think it's important for us to cultivate our sense of open-mindedness and curiosity. I think that folks who are open to learning and open to change are likely to have an advantage because I believe we are in a time of very rapid and very long-lasting change. And so my advice to folks is learn and learn and learn and learn how to learn quickly and just keep a curious and an open mindset.
Ibrahim Hasan: So, no specific lists of skills, like back in the day, cybersecurity professional would talk about coding. More general skills is what you're recommending in terms of keeping yourself up to date.
Caroline Wong: When it comes to specifics, I would say that every privacy professional, every cybersecurity professional, every data protection professional should get their hands on AI as much as they possibly can from a consumer perspective. I encourage people to use it. I encourage people to play with it. I encourage people to familiarize themselves with it. Now, on another kind of specific path that's a bit different, I love teaching. And one of the things that I do is I teach courses on LinkedIn Learning. Now, any given person or organization listening to today's podcast may or may not have a LinkedIn Learning account. But even if you do not, if you follow me on LinkedIn, I have posts where I provide a lot of free learning opportunities. And there are hours and hours of free information security training that I encourage folks to learn from if they like.
Ibrahim Hasan: And it's a very valuable resource. And we'll be putting the links in the show's notes. I'd like you to look into your crystal ball finally, Caroline. Where are we going to be in terms of cybersecurity in five years' time? Do you envisage a stage because all the talk of the moment is now about AI agents, where humans will not be involved in cybersecurity and we'll just leave it to our agents?
Caroline Wong: My prediction is that we will not have all agents and no humans. I expect that we're going to have some humans and we're going to have some agents and they're going to work together. You know, there are ways in which, on a daily basis, I will message my human coworkers using something like Slack. And I think that in five years, it'll be totally normal for me to be messaging with my human coworkers as well as my agentic coworkers. And that is going to be weird, but that's where I see us heading.
Ibrahim Hasan: So the future will be a partnership between humans and agents. Fascinating. Of course, one of the problems with writing a book about cybersecurity, Caroline, as I say, excellent book. It was published in March 2026. But when you're looking at cybersecurity in AI, the issue very much is it becomes out of date very quickly. So how do you tackle that? What advice do you have for readers to stay up to date? You mentioned the LinkedIn Learning, and of course they're going to follow you on your socials. But are there sort of key themes or principles that you would emphasize which are not going to change despite some of the aspects of the book changing?
Caroline Wong: I think what's not going to change is I think we as humans are still going to need to communicate effectively with each other. And so I think studying effective communication, honing our effective communication skills is going to always be important. I also think that judgment and opinion and experience are things that the machines cannot take away from us. And so I encourage every listener to really think about your day and think about the dozens of beautiful, wonderful things that you do that AI is never going to take away from you. Picking your kid up from school, going for a walk with a friend, planting a garden. I think there's so much in life that is outside of our digital worlds, if only we are to look at it.
Ibrahim Hasan: And there'll always be a role for the human, as I say, because of those very human experiences. And because we are, in the end, through the medium of AI, still dealing with humans. So it will need humans to understand the humans on the other side. Wonderful advice, Caroline. We would love to have you back in the future to talk about more AI and more cybersecurity.
Caroline Wong: Please count me in. I would love that.
Ibrahim Hasan: Caroline, it's been a fascinating conversation. Thank you very much for your time.
Caroline Wong: My pleasure. Thank you so much.
Ibrahim Hasan: I really enjoyed that conversation. Thanks once again to Caroline Wong for being such a great guest. What struck me most was her balanced perspective on artificial intelligence. We heard how AI is dramatically reducing the time required for cyber criminals to hone their skills and launch new attacks. Yet at the same time, organizations can use AI to automate routine security tasks, improve risk management, and free up experts to focus on strategic decision making. One of the most powerful messages from this episode was that cybersecurity is increasingly becoming a human challenge rather than simply a technical one. As Caroline explained, trust is now the key battleground. We need to develop new habits of verification, critical thinking, and digital resilience. My favorite insight from Caroline was her reminder that there are many things AI cannot replace: human relationships, lived experience, judgment, and the ability to connect meaningfully with others. As AI continues to transform both cybersecurity and society, those human qualities will become more important than ever. Thank you for listening to Guardians of Data. If you enjoyed this podcast, please subscribe, share it with your colleagues, and leave us a review. Until the next time, stay curious, stay informed, and keep guarding the data.