The Takeaway
Attackers’ Resource Constraints: The industry’s “dirty secret” is that most vulnerabilities go unexploited because attackers lack the time or the monetization methods. AI may soon allow them to industrialize these efforts.
Structural Advantage for Defenders: Long-term superiority belongs to defenders because they possess the organizational data and context required to design for defensibility and resolve vulnerabilities more effectively than outside actors. But it will take a while for defenders to adapt for AI security.
The Power of Defaults: Implementing “secure by default” configurations beats “secure by design” alone — nearly all users will maintain high-security settings, like MFA, if they are the starting requirement.
“Shifting Down” Security: True enablement occurs when security, compliance, and privacy are bundled directly into the underlying technology platforms so that the secure path becomes the easiest and most cost-effective route for engineers.
CISO Role Bifurcation: The position is evolving into two distinct paths: a Chief Digital Risk Officer focused on enterprise-wide risk management and a technical leader who modernizes infrastructure to build security into the IT fabric.
The Transcript
James Kaplan: Okay. Good afternoon everyone, and welcome to the first podcast for Prosaic Times. And, we’re very lucky to have the first video interview with, I guess, cybersecurity eminence—cybersecurity legend. Which nomenclature do you prefer, Phil?
Phil Venables: Phil is just fine.
James Kaplan: All right, that is fine. Do you want to, briefly, introduce yourself and then we’ll get into it?
Phil Venables: Yeah, so hi everybody, Phil Venables. I’ve been a CISO at a number of organizations for many different years, as well as a chief risk officer in various other roles. I’m now a partner at Ballistic Ventures. We invest in seed and Series A level cybersecurity and some cyber-adjacent companies. So, it’s good to be here.
James Kaplan: All right. So, if a CEO were to stop you in an elevator and say, ‘How much is changing about information risk and about technology risk, and how should I be thinking about this differently than I might have even two years ago?’ what might you say to this person?
Phil Venables: Well, I think that the first thing is the ongoing trend that I’m sure everybody listening and watching is aware of. It is the ongoing—I’m not a big fan of the phrase, but it’s probably apt—digital transformation. This includes companies, the public sector, and the economy writ large, covering everything from automation and digitization of supply chains to moving to the cloud and adopting AI technology.
It’s just more and more of the same, but at an accelerating pace and with an accelerating expectation of the degree of value that’s obtained from that. A big part of that, which security has been a key part of for many years, is making sure that—I know it’s kind of clichéd but true—security is an enabler. It shouldn’t be a blocker, but at the same time, it shouldn’t be a passive observer if such transformation is going to create immense risk. The role of the CISO increasingly is to be in the middle of that business strategy, not just playing catch-up on adding security to every project they can find. It’s being much more in the heart of it.
We are currently in the middle of using AI to reimagine how business is done. In the past couple of years, much of what we’ve been doing on AI was a fairly naive application for routine automation and pilots. We’re now starting to see a reimagining of business and security processes using AI. We’re just starting to see the first wave of that, and that brings with it lots of opportunity.
However, we’re also seeing widespread and much more sophisticated adoption of AI by attackers.
James Kaplan: Attackers are reinventing their business processes.
Phil Venables: No, absolutely. I think the thing that a lot of organizations potentially underestimate is just how much resource-constrained attackers have actually been. The industry’s ‘dirty secret’ is that there are way more vulnerabilities that go unexploited than those that are exploited. That is a signal that either attackers don’t know how to monetize it or they just don’t have the time. Attackers using AI to industrialize their capabilities is worrying; it means more things must be defended in a more timely way.
Against that backdrop, there’s a tidal wave of vulnerabilities coming at us because there’s more code generated by AI or engineers augmented with AI. Vulnerability management processes are going to have to be revolutionized. This isn’t just an AI versus AI story. High universal baselines of control—like multifactor authentication, segmentation, or high-velocity patching—become table stakes for everyone, not just the advanced. That complex dynamic is way more than a one-minute elevator conversation, but there’s a lot of stuff going on.
James Kaplan: I think history is important in thinking about technology strategy. In World War I, the combination of the railroad and the machine gun gave the advantage to the defensive. In World War II, airplanes and tanks gave the advantage to the offensive. Do you think the advent of GenAI advantages the attackers or the defenders?
Phil Venables: In the long term, I think AI advantages the defenders quite significantly, but defenders have to do the work to take advantage of it. I sound pessimistic in the short term because, in every wave of change, attackers are usually ahead because they have fewer constraints. They don’t have to fill out regulatory compliance forms or ensure the trust, safety, and security of their AI deployments.
Long-term, I’m more positive that this represents a structural advantage for defenders because they have the data and their own organizational context. They can design for defensibility and use the same technology to find and resolve vulnerabilities. Ultimately, the data, context, and environmental advantage of defenders outpaces attackers. But CISOs, CIOs, and CEOs must partner ever closer together to build technology environments where security is built in, not bolted on.
James Kaplan: You could draw a comparison to the early days of cloud. Initially, attackers had an advantage with misconfigured S3 buckets, but now we have a far more robust security model.
Phil Venables: That’s right. Most organizations get a significant security and resilience upgrade by moving to the cloud. Hyperscale cloud providers have gotten better at being ‘secure by design’ and ‘secure by default’. They ship products with full safeties on. In prior roles, we actually implemented ‘loosening guides’ rather than hardening guides—products shipped with full safeties, and you only loosened them if it was too stringent. If a product is secure by design but ships with configuration settings wide open, it’s still exploitable.
James Kaplan: It’s like companies that require employees to opt out of a 401(k) rather than opt in.
Phil Venables: Exactly. We once pushed out a mandatory upgrade for strong multifactor authentication and then let people switch it off if they wanted. Turns out 99.9% of people kept it on and were just fine with it. If you introduce the default, most people take it anyway.
James Kaplan: Economists tell us that stated preferences and revealed preferences are sometimes different. I’m excited by the idea of using GenAI to interrogate exhaust data and modeling technology environments as a graph. Relational databases are tough for modeling these relationships, but there is a lot of ferment around building graphs to detect anomalies or vulnerabilities.
Phil Venables: It speaks to choosing appropriate data and AI models for the task. Many successful companies recognize that relationships and technology are graph-based problems. Large language models (LLMs) have seen successes, but also disappointments when they are applied to problems they aren’t suited for. Some tasks are better for traditional deep learning or even graph neural networks. The art is deploying multiple models and techniques, using agents to orchestrate outcomes rather than just naively deploying a chatbot to point at some data.
James Kaplan: That’s why I’m not sure machines will replace us yet; it takes intelligence to know which machine to use. You mentioned security being an enabler rather than the source of ‘no’. How do you make security an enabler of innovation?
Phil Venables: There are two extremes of bad security: the team that says ‘no’ to everything and the team that says ‘yes’ to everything. The best security teams find a way to make the secure path the easiest path. They partner with engineering and AI teams to deliver platforms with built-in safety. It’s important to ‘shift left’ but also to ‘shift down’—bundling control, compliance, and privacy into the platforms people use. If you make the secure path the easiest and cheapest, you must also make the insecure path expensive and difficult. Sometimes a business unit might need to take a risk to avoid being late to market, but that path should be arduous and involve executive approval. A CISO who can mediate that in commercial partnership with business executives is highly regarded.
James Kaplan: I like to say ‘APIs, not binders’. Teams hate it when you show up with a three-inch-thick binder of standards.
Phil Venables: Right—it’s solutions, not policies.
James Kaplan: AI-enabled automation might help here. Historically, it’s been hard to get investment for underlying services over business functionality. But we may see a secular improvement in software engineering productivity that frees up capacity to automate security controls.
Phil Venables: I agree. I’m skeptical of the view that software engineering jobs are at risk because companies have a massive backlog of ideas they’ve never implemented due to resource constraints. They are welcoming increased productivity to go after that backlog. We should use thought experiments: if you had infinite people and automation, how would you reimagine what you’re doing? We could commoditize high-end capabilities like red teaming with AI and make them available to more companies.
James Kaplan: Let’s shift to the CISO role. I’ve tended to believe in an integrated Chief Technology Risk Officer (CTRO) role to reduce fragmentation. What is your view?
Phil Venables: My bias is that these risks should be brought together. My past CISO roles have included resilience, continuity, privacy, and compliance. Integrating these functions allows for common controls; for example, data annotation delivers lineage, privacy, and security. Without integration, you get conflicting parallel controls.
Outside of highly regulated banks, I see the CISO role separating into two: a leadership role to embed security into the IT fabric (perhaps a Chief Security Engineer) and a broader enterprise risk management role. CISOs are increasingly expected to be Chief Digital Risk Officers. You need both independent risk management and embedded engineering.
James Kaplan: I’ve long believed that in a traditional enterprise, it’s easier for that team to report into the CIO to influence the technology organization. If you think your CIO will prevent the CISO from being honest with the board, you should get rid of both.
Phil Venables: I agree. The debate about reporting lines is often just a symptom of root causes like a lack of accountability or a wrong strategic approach.
James Kaplan: What advice would you give to a first-time CISO?
Phil Venables: Don’t feel pressured to make a massive impact in your first 90 days. You should be visible, but that time should be a listening tour—working with peers, stakeholders, and the board, and walking the floor of your industry. It’s dangerous to try to change things without understanding the context.
When hiring a CISO, CEOs should know if they want a firefighter for the next 12 months or a long-term strategist. These are often two different types of people.
James Kaplan: In B2B sectors, how much time should a CISO spend with customers?
Phil Venables: I used to spend 20% to 25% of my time with customers. It’s useful to hear their perspective and what we should be building. I often used customers as ‘the wind at my back’ to convince colleagues that certain security features were necessary.
James Kaplan: Top three things to look for in a new CISO?
Phil Venables: First is the ability to collaborate and build relationships. Second is curiosity—you need to see around corners and predict what’s coming. Third, you have to be technical. You don’t necessarily need to code, but you must understand technology so you don’t get misled about what can and cannot happen.
James Kaplan: Anything else, Phil?
Phil Venables: I’m curious to see the trend of CISOs becoming CTOs and running infrastructure. If a CISO is concerned about lack of modernization, being given the task of modernizing for defensibility is almost perfect.
James Kaplan: It’s consistent with moving security down—security just becomes part of the platform. Thank you, this was fantastic.
Phil Venables: Always a pleasure.