Former TikTok CSO: How to Tackle the Cybersecurity Talent Shortage

The number of open cybersecurity jobs globally is predicted to reach 3.5 million by 2025, marking a 350% jump over eight years (Cybersecurity Ventures). As the cybersecurity talent shortage continues to be a hurdle for CISOs and their peers, what measures can they take to empower and engage current employees? What can they do to find and attract cybersecurity professionals from an ever-shrinking talent pool?  

We speak with Roland Cloutier, former CSO at TikTok, on why it’s difficult to search for cybersecurity talent, how to adapt to the shifting expectations of today’s young workforce, what cybersecurity leaders can do to make their efforts visible to the rest of the organization, and more.  

 

WHY IT’S HARD TO FIND CYBERSECURITY TALENT

Cybersecurity is a demanding career field involving working odd hours and 12-to-16-hour days. Cloutier comments that only a special group of people can take on that level of mission-focused fight daily. One of the reasons he loves the cybersecurity field is that every day is different. However, this line of work is not for everyone. “The problem solving and understanding the deep issues is never fully complete or transparent. You have to dig for those answers. We hear that a lot from people that don’t end up going into cybersecurity.”  

Cloutier cites these reasons as contributors to the talent shortage:  

  • BROAD, SPECIALIZED, AND ALL-ENCOMPASSING: Cybersecurity has so many specialized areas including cyber defensive operations, incident response, threat management, threat detection, content development, privacy enforcement groups, data defense, and more. “There are so many different aspects that require technical specialties. It’s hard to find talent for all these specific areas.” 
  • DIFFICULT TO UNDERSTAND: “It’s difficult to understand what we need as leaders in this career field, to figure out how to make it easier to understand, and what type of further career programs to have.” 
  • SUPPLY AND DEMAND: Cybersecurity professionals must be highly technical, university-educated, and trade-certified individuals to accomplish the field’s level of depth and understanding.  
 

“We’ve got an uphill battle in front of us. But there are a lot of incredible possibilities, especially with today’s new, young, and dynamic workforce.”

 

HOW TO FIND CYBERSECURITY TALENT

  • HAVE A 10-YEAR PIPELINE: Although the average job lifespan of a global CSO is two to five years, Cloutier advises cybersecurity leaders to have a 10-year pipeline when it comes to finding talent. “In the U.S., it starts in junior high school, and funding organizations in STEM with a cyber flair that are focused on bringing people to the company and understanding the cybersecurity field.” 
  • IMPROVE UNIVERSITY ALIGNMENT: Cloutier stresses that university partnerships must be continually aligned with organizational needs. Universities need to have the right disciplines within their undergraduate and postgraduate programs. “We want people to want to come to our companies. Large MNCs should have partnerships with two to four universities. The selection is small enough to directly manage those relationships.” 
  • RECRUIT FROM THE MILITARY AND GOVERNMENT: He adds that many government agencies and militaries today have major cyber programs, cyber commands, and cyber defense organizations that train competent practitioners. “They may not have a traditional path to where they are, but they are great personnel that you can choose from. In Europe, organizations like Europol and Interpol have cyber specialists that come from law enforcement or the military. They have real-life experience and can support your team greatly.” 
 

CHANGING WORKFORCE DEMOGRAPHIC AND REQUIREMENTS  

  • HUMAN CAPITAL MANAGEMENT (HCM): Cloutier stresses the importance of having a designated HR specialist for finding and engaging cybersecurity talent. “The HCM has to become a cornerstone of our organization to ensure that not only are we hiring and retaining people, but implementing programs as part of the business of security to ensure our teams are cared for.” He also mentions that the average age of today’s workforce is getting younger. “How do I engage with that workforce? Who are they and how do they want to be engaged?”  
  • METHODS OF ENGAGEMENT: It’s as simple as sending out a survey to find out how the workforce wants to be engaged. Cloutier says that engagement in the past focused on one-on-ones and direct opportunities to listen to the leadership. He adds that the younger workforce wants weekly engagement on a more flexible basis. “You have to understand your workforce to find out what they are interested in. Engaging with your practitioners is something that all organizations should measure.” 
  • A JOB FAMILY THAT REFLECTS ORGANIZATIONAL NEEDS: “Does your job family reflect the requirements of your business? Face it, none of us have firewall engineer one-on-ones or old network security job positions anymore. We have cloud security engineers and risk and threat analysts. These are very different job descriptions. We have to make sure that our job family reflects that.”  Cloutier adds that today’s workforce wants to join organizations with forward-thinking and leading capabilities. For example, what is the path of an analyst who wants to become a CISO?  “It’s important to have programs in place to train, educate, and elevate them into the next generation of the job family.” 
  • TRUST IS ESSENTIAL: “As a leader, people are going to trust you when they understand what you’re doing. But that has to be transparent for both good news and bad.” Trust, transparency, and articulation are also important to get employees to believe in the company’s mission. “When I was at TikTok, I was there to allow freedom of speech and expression for people around the globe. We embed these concepts as a mission primer and continue to deliver our cyber risk and privacy services with a focus on that. If you can align what an individual is doing to that mission and articulate it to them, you’re going to have a happy employee that’s engaged in that mission and moving it forward.” 
 

“Cybersecurity professionals understand the concept of good and evil, and they want to use their technical skills to do good things and see the impact of their work.” 

 

LEADERSHIP MATTERS, ALWAYS

“There are many practitioners that have followed me from organization to organization over the past 20 years. When I asked why they stay, they say that they like working with my leadership and that I empower them to do their jobs well. Continuing to deliver that commitment to engage and be a positive leader is something that’s important to me.”

Cloutier also highlights these areas for leaders to prioritize: 

  • VISION, KNOWLEDGE, TRUST: “Those who work for us don’t always understand the decisions we make or why, so there’s pushback. But if you share that knowledge and vision of where you’re going, it creates trust and helps them become successful in the organization. Building trust is a major component of that.” 
  • LISTEN, ENGAGE, ACT, COMMUNICATE: Listening is the most important and the hardest. “We’re fighting incidents, we’re trying to gain budget to tackle hard problems. These things take up our time. But stopping and listening to the beat of the organization and what they’re saying is going to make our jobs that much easier.” 
  • WEEKLY TOUCHPOINTS: “With a new workforce, spend 30 minutes a week with the entire organization, a stand-up where they can dial in to ask questions. It really works. I know large global organizations record it and play it for teams that are in different time zones.”  
 

INDIVIDUAL SUCCESS = ORGANIZATIONAL SUCCESS  

“It’s hard to find people and keep them. But when word of mouth goes out that people can be successful in your organization and grow their careers, it’s fantastic,” Cloutier says.

Individual success can translate to organizational success through consistent work in these areas:  

  • EDUCATION: “We can’t send hundreds of people to events all over the globe, but we can buy a package of online-based training for our organizations where everybody gets an opportunity to learn. Consider education as a primary requirement in your budget process.” 
  • RECOGNITION: “People want to be appreciated by their peers for doing great work. Doing that on a frequent basis really helps drive team camaraderie.” 
  • FUTURE LEADERS AND RISING LEADERS: “I look at programs that focus on management — from individual contributors to management, and management to next-level executives. There should be special security-focused programs that are either six months or a year that provide training to make them next-generation effective leaders.” 
  • COMMAND STAFF EXCELLENCE: “The requirements of leadership have continued to change. Understand the changes in the industry, technology, and investment theories for security programs. Your command staff wants to work for a leader that looks out for them.” 
 

BUILDING BUSINESS TRUST  

For cybersecurity leaders in a high-functioning organization, a lack of understanding from business-minded colleagues can put pressure on their teams. Therefore, Cloutier says that building programs that drive business success is vital.  

 

“We have a responsibility to our people to help build trust with the remainder of the organization.”

 
  • PROGRAMS THAT HELP DRIVE SUCCESS: “Discuss the strategic pillars your CEO has set out with your team. What can your organization do to help accelerate that? How do you promote that internally to show that you’re driving the business forward?” 
  • PROMOTING ACROSS BUSINESS LINES: “Do you have an incredible technical leader who can do great things as a CIO or CRO? Consider doing these swaps where they can get promoted and be fully engaged in those departments.” 
  • ORGANIZATIONAL EFFICACY, METRICS, AND TRANSPARENCY: “Make sure you’re driving your organizational effectiveness, not just standard metrics.  How are you ensuring you’re meeting the requirements of the organization financially? How are you delivering that transparently to the rest of the executive team in your organization?” 
 

KEY ISSUES TO ADDRESS URGENTLY  

  • RETURN-TO-WORK AND WORK-FROM-HOME POLICIES: “Practitioners can work from wherever they want. You’re in competition with security, risk, and privacy practitioners that can work from home. Many major multinationals are now taking their analysts and IR teams and allowing them to totally work. It’s really up to you and your organization to have a plan that is fair.” 
  • CHANGE OR BE CHANGED OUT: “The same job isn’t going to be there in the next five to 15 years. Make sure everybody understands the expectations of the next-generation job, what positions they should be focusing on, and what are their requirements. You have to get people comfortable with change in their career field and force them into it. If they can’t do defense operations in cloud or work around data, it’s going to be problematic. We have to push people in these areas and plan for it.” 
  • STRESS: “Organizational stress has always been there. We need to make sure that we’re swapping people in and out, and that we’re giving time off and down days for training. When it comes to self-stress, make sure you’re physically and mentally fit. We all have ups and downs. This job is extremely taxing.  Be a leader who takes time off so that you can maintain that level of pressure and high output.” 
 

Frank Astor: Stay Positive in the Era of Digitalization

In this exclusive interview, veteran entertainer and keynote speaker Frank Astor shares the inspiration behind his successful shows Future Now – the future is now! and The Human Program, insights into the latest tech trends and innovations, and advice to business leaders on how to embrace digitalization.  

 
Frank Astor is a professional keynote speaker, moderator, and entertainer with over 20 years of experience. Since 2015, he has been the CEO of Future Now Events and has performed over 4,000 shows in the areas of digitalization, motivation in the digital age, and strategies for success in challenging times. Frank conveys these themes in exciting, entertaining, and humorous shows that have been attended by thousands of business leaders.
 

Tell us about your shows, Future Now – the future is now! and The Human Program.

I’ve been a keynote speaker for 25 years and I’m always looking for new themes for my shows. I’ve spoken about motivation, finance, work-life balance, and corporate happiness. In the last 20 years, I’ve been a specialist for keynote shows about digitization, trends, and innovation called Future Now – the future is now! The show lasts an hour and is very intense, followed by 20 to 25 minutes for audience discussion.  

I also have a keynote show dedicated to robotics and AI called The Human Program. There are a lot of fears and risks associated with AI and in my show, I have a discussion with my robot, Torbi, where I share my fears about AI, and Torbi tells me that AI can solve all our problems. The shows have been very successful.

 

What are three emerging trends or tech innovations that will affect business leaders in the next five years?

Firstly, the metaverse as it merges the virtual and real worlds. Leaders have to investigate this development, especially with the creation of the recent Apple Vision Pro headset. Next is ChatGPT and other AI solutions. We have noticed how quickly AI has developed in the last few months. Everybody is still talking about ChatGPT and using it. So, it’s important to be well-informed about AI possibilities. Lastly is the management of resources and green tech as they are very important for environmental purposes. Leaders have to focus on the development of green tech, especially with e-mobility and batteries. 

 

What are the biggest threats or challenges in the current era of digitalization?

 We have to be careful not to spend too much time in the virtual world. Every day we have to remind ourselves that we are humans, and we are part of nature. Now we are spending 8 to 12 hours on computers and smartphones and in the virtual world. Isolation is also a problem because there are a lot of people, especially young people who grow up in the digital world who are unable to have relationships with real people. Digital devices also drain a lot of energy, and we have to be healthy to manage that. In addition, we have to be careful not to be controlled or manipulated by information on the Internet. We have to be able to identify what is fake news and what is real information. This will be a big problem in the near future.  

 

What is your advice to business leaders on how to respond to those challenges, especially those who are afraid of digitalization?

It’s never good to follow your fears. Digitalization is here and we have to confront it and not only look for potential risks, but also opportunities. Every manager is responsible for getting the information they need to improve their processes and create good frameworks for employees. Be aware that these developments are very quick nowadays. For example, the smartphone has only existed for 13 years and changed the world. I also think the metaverse and ChatGPT will move faster than smartphones, so you have to stay very well informed. Be open to the chances and risks and manage them. ChatGPT and other AI solutions also open up more job opportunities for consultants, developers, and instructors who can show us how to deal with these AI inventions.  

 

How can business leaders embrace and utilize the rapid pace of digitalization today?

Be honest and open-hearted about the problems and the skepticism of your employees. You have to confront the problems now before they become bigger in the future. Also, you have to look at the positive aspects and be very careful about what systems you use. As a leader, you have to decide what is the best solution for the future, what is easy to handle and manage, and not to jump on the train too fast. Have a very good view of the work-life balance of your employees as they are spending 9 to 10 hours in Zoom meetings on the Internet, computers, and smartphones. That drains a lot of energy, and you need healthy employees.  

 

What are the three things you hope Aurora Live members will take away from your show?

Be ready for the digital world and digital developments. Stay positive, look for opportunities, and always have a good balance between the digital and the real world. And don’t lose your humor!  

 

*The interview answers have been edited for length and clarity.

Bard vs ChatGPT: Which is Better for Business?

Google’s AI chatbot Bard has finally launched in the European Union (EU), positioning itself as a direct competitor of ChatGPT. With Bard AI on the market, European IT leaders now have another option to pilot generative AI initiatives. According to a report by MIT Technology Review Insights and Databricks, most CIOs are adopting generative AI as an enterprise-wide strategy and 78% consider scaling AI a top priority.  

However, is Bard better than ChatGPT? Let’s review both AI chatbots’ features, pros and cons, and privacy policies.   

*Update: Bard was rebranded to Gemini on 8 February 2024.

 

ChatGPT vs Bard: A Quick Overview 

| | ChatGPT | Bard |
|---|---|---|
| Developer | OpenAI | Google |
| Language Model | Generative Pre-training Transformer 3 (GPT-3) or Generative Pre-training Transformer 4 (GPT-4) | Language Model for Dialogue Applications (LaMDA) and Pathways Language Model (PaLM 2) |
| Data Training Set | Common Crawl, Wikipedia, books, articles, documents, and the Open Internet (limited knowledge after September 2021) | An “infiniset.LaMDA” that includes data from Common Crawl, articles, books, Wikipedia, and access to Google in real time |
| Languages | Supports over 50 languages | Supports over 40 languages |
| Programming Languages Supported | JavaScript, Python, C#, PHP, Java, and more | C++, Go, Java, JavaScript, Python, TypeScript, and more |
| Sign-in Method | Any email address | Personal Google email address |
| Price | Free* (*ChatGPT Plus is $20/month) | Free |
 

ChatGPT vs Bard: Pros and Cons  

Bard and ChatGPT are similar in terms of having a user-friendly interface, an easy sign-up process, and a chat-sharing function. However, Bard and ChatGPT have their own advantages and limitations.  

ChatGPT Pros and Cons 

| Pros | Cons |
|---|---|
| Accounts can be created using any email address, work or personal | Unable to retrieve real-time data. Web browser feature only available for ChatGPT Plus* |
| Has more plugin options with third-party applications | Unable to analyze text in URLs. The text needs to be copied and pasted into the chat. |
| Availability of ChatGPT API for integration with company products and services | Only provides one answer per prompt |
| Better for content creation – produces long responses | Unable to retrieve images |

*On 3 July 2023, OpenAI disabled the Browse with Bing feature that was introduced in May to provide real-time results after instances of displaying content that could bypass paywalls and privacy settings.  

Bard Pros and Cons 

| Pros | Cons |
|---|---|
| Able to export responses to Google workspaces like Docs and Gmail | Accounts can only be created with personal Google accounts or authorized Google Workspace account |
| Real-time data retrieval – better for research | Limited plugins with other tools |
| Provides three draft answers per prompt | Still in the experimental phase – more prone to errors, biases, and stereotyping |
| Able to analyze text through URLs | Limited integrations with non-Google products |
| Able to use images in prompts and retrieve images in responses | No API is available yet |

Reminder: Neither Bard nor ChatGPT is free from hallucinations, and both may produce inaccurate results. All responses must be fact-checked and require human intervention with proofreading and editing.
 

ChatGPT vs Bard: Which is More Secure?  

The issue of data security and privacy with generative AI chatbots continues to be a concern, especially in the EU. The delayed launch of Bard in the EU was due to Google’s efforts to make changes to controls for users and increased transparency to comply with regional privacy laws.  

Google has also agreed to conduct a review and report back to the Irish Data Protection Commission (DPC) in three months’ time. In addition, a task force under the European Data Protection Board (EDPB) is looking into both Bard and ChatGPT’s compliance with the pan-EU General Data Protection Regulation (GDPR).  

Forbes contributor and author Joe Toscano also did a deep dive into the privacy practices of Bard and ChatGPT. Bard claims that they do not track user browsing activity or collect user data for advertising purposes. Advertising aside, Toscano found that Google may send Bard conversations to human reviewers and does not delete conversations. “It’s safer to just assume everything you put in will be saved and used to train Google’s systems,” Toscano says.  

On the other hand, ChatGPT collects certain personal user information such as IP addresses and device information. ChatGPT also stores all user prompts and responses. “There’s a good chance that if someone asks a question that’s similar or could use your content as a response your proprietary information will then be repurposed by the system,” Toscano adds.  

It’s unclear how data shared with Bard and ChatGPT are protected. In the meantime, the onus is on the users to refrain from sharing confidential and sensitive information and use VPNs whenever possible.  

 

The Use of ChatGPT and Bard at the Workplace

Since the launch of ChatGPT in late 2022, many organizations have leveraged the AI chatbot and other similar tools to ease workflows particularly in marketing, sales, and customer support. In addition, the coding functionalities in ChatGPT and Bard have made building applications much easier.  

However, the rising use of generative AI tools in the workplace opens a can of worms for IT and security leaders. Since tools like ChatGPT and Bard are highly accessible and user-friendly, employees tend to use them without supervision from IT and security teams. Gartner predicts that 5% of employees will engage in unauthorized use of generative AI in their organizations by 2026.

ChatGPT has already made headlines with its security vulnerabilities. In May 2023, Meta released a report detailing their investigation into malware posing as ChatGPT that has been stealing user accounts. A month earlier, Samsung banned ChatGPT organization-wide after employees unintentionally shared confidential information with the AI chatbot.

Therefore, IT and security teams must work together to ensure generative AI tools are being used safely within the organization to reduce security risks and prevent data leaks. 

 

The Adoption of ChatGPT and Bard: What IT and Security Leaders Can Do

  • Conduct a shadow AI audit: This is to get a clearer picture of how widely generative AI tools are being used by employees. Determine which functions use it the most, what data they are sharing, and calculate security risks.  
  • Provide training on generative AI: Employees can benefit from function-specific training on how to use AI chatbots safely. Training should cover privacy policies of the tools, reminders to never input confidential company data, how to write effective prompts, security risks of generative AI, and more.  
  • Create policies for generative AI use: Establish clear guidelines on how employees must use AI chatbots at the workplace. For example, only using IT-approved generative AI tools and data sets.  
  • Invest in data-loss-prevention (DLP) tools: Carve out an annual budget for DLP tools to bolster cybersecurity measures and prevent data leaks as more employees use generative AI tools.
 

Is Bard Better than ChatGPT? 

Despite their risks, generative AI tools like ChatGPT and Bard have the potential to create more efficient workflows and drive employee productivity if used correctly. Therefore, IT and security leaders must make developing clear policies and guidelines around generative AI use a priority.  

The answer to whether Bard or ChatGPT is better highly depends on how both tools integrate with existing processes, how educated employees are in using them, and which one will pose fewer security risks for your organization.