#251 - AI Just Changed Data Security Requirements (with Ronan Murphy)
===
G Mark Hardy: [00:00:00] Hey, what's the most important thing in your enterprise? It's not your infrastructure. It's not your endpoints. It's your data. And if you're not protecting that adequately, you have some potential problems. And I'm gonna show you with an expert how to avoid those. Stick around.
G Mark Hardy: Hello and welcome to another episode of CISO Tradecraft, the podcast that provides you with the information, knowledge, and wisdom to be a more effective cybersecurity leader.
My name is G Mark Hardy, and today I have with me on the show Ronan Murphy. And we're gonna be talking about, well, all things data, but more importantly for you as a CISO or security executive, how to up your game in terms of improving your protection of that most valuable thing that we've got in our enterprise, our data.
Ron, welcome to the show.
Ronan Murphy: Thank you for having me. Excited for our conversation today.
G Mark Hardy: Now you've been doing security [00:01:00] for quite a while now, haven't you?
Ronan Murphy: Yeah, I've been in the industry for the last 20 years, and there's not a lot I haven't seen when it comes to cyber or data security.
G Mark Hardy: Interesting. So as you look at that, tell us a little bit about your background and, so the audience can learn a little bit about what you know, what you've done.
Ronan Murphy: Yeah, I've been involved in building security operation centers across the globe. I joined Forcepoint earlier this year as the chief strategy officer, so working with some of the world's leading organizations, helping them to implement data governance programs, helping them to operationalize AI, helping them to ensure that their most valuable asset, their data, stays secure. It's a fascinating area right now.
G Mark Hardy: Now before Forcepoint, I think you did a little bit of founder type things with GetVisibility. Can you
Ronan Murphy: Yeah, I...
G Mark Hardy: ...bit more about that? What got you, what turned you into a founder? 'Cause I think a lot of us think, I got a better idea, maybe I can do something with it.
Ronan Murphy: Yeah, I founded several companies over the last 20 years, all involved in cybersecurity. GetVisibility [00:02:00] was a really interesting organization insofar as it was building technology to help organizations get visibility of their data. Because data is a complex challenge, unlike, let's say, vulnerabilities. A vulnerability for a hospital or a defense contractor represents the same risk. Whereas data is non-standard. Organizations have different risk profiles. They interpret data differently. They consider the context of data, they look at it in different ways. So I built GetVisibility to help organizations to get exactly what it says on the tin: get visibility.
And that company was acquired by Forcepoint, and now it is Forcepoint DSPM.
G Mark Hardy: Then here you are. Interesting. So when we talk about data and things such as that, what do we find out in terms of protecting data? What are some of the biggest mistakes that you think that CISOs and even organization leaders make when it comes to protecting that?
Ronan Murphy: Yeah. Look, that's a really interesting question. If you consider the world we now operate [00:03:00] in, we're seeing the adoption of AI across organizations, and it's very insidious actually. AI comes in the form of agent AI, RAG, SaaS applications, large language models, shadow AI, and for all of these applications, the oxygen that they need to be effective is their data. And organizations assume that their firewalls or their antivirus are adequate, and in fact, they're not. It's becoming a complex area for CISOs.
G Mark Hardy: Yeah. So if we think they're adequate and they're not, then it suggests that we're probably missing something in the first place. We're either trusting technology that can't be trusted, we're not implementing the correct technologies, or we're just not putting the whole picture together. Which do you think is the biggest one of those three?
Ronan Murphy: Honestly, I think all of those play a factor in it. Up until now, I would say the role of the CISO was to [00:04:00] build walls, right? To build big, high walls and a moat around all of your data and keep it safe inside. Because of AI, suddenly you need to operationalize that data.
So you're seeing that CISOs are having to look at the existing tooling that they have, their firewalls, their EDR tools, their identity tools, and say, we now need to supplement these with more capability to actually get visibility of our data. Because if we want to be on the coal face of technology, if we want to operationalize all of these new sophisticated tools, then we need to be in a position to serve up our data to make those initiatives work. So the CISO is moving from, let's say, an enforcer or a builder of controls to now becoming a business strategist to help the business to operationalize these tools.
G Mark Hardy: And that is an absolutely key insight, and we have been saying on the show for years that security is the business of revenue protection. We're all about enabling the organization to go after new markets, to serve their [00:05:00] existing markets and then protect what they've got, rather than being the department of no, which says, sorry, you can't connect that. No, you can't have that. As you point out, AI is really a game changer, and what it's doing is it's now saying, hey, instead of I want to go down and grab a piece of data, oh, lemme go to my SharePoint, lemme go get this, oh, lemme go out and find this stuff, we're saying we're gonna make this all available.
The AI is gonna potentially live in this area, it's gonna distill out of it and then be able to answer questions, which really sets almost a whole new type of paradigm for the enterprise we need to protect. We started out, you had endpoints. Then we go, wow, we put something on a Novell NetWare, and great. Then you could talk around the office and you had dial-up modems. Now of course, everything's connected to the internet. We have no perimeter to speak of because of everything that exists, from portable devices to the like and the use of the cloud. And so from that perspective, I've almost wondered if we were to do a zero based review, [00:06:00] that is to say, take everything that we've got.
Someone says, Hey Ronan, here's a really wealthy person. Here's a gigantic check. And, you can write in whatever dollar amount you need. What is your strategy?
What should we be putting in for the enterprise of tomorrow to protect it that may not be present from a security perspective in the legacy enterprise of today?
Ronan Murphy: That is a great question. So I think what you have to do is you have to consider the type of revolution that's taking place with AI right now. It's a profound revolution that's going to have very significant impacts on the way we work and productivity and so forth.
So across the globe, we're seeing copilots appearing in every productivity suite. We're seeing agent AI, we're seeing automation, we're seeing open source models. And the opportunity is staggering for every company. So companies, how they look today [00:07:00] could look very different in five years. Back in the early nineties when the internet started kicking in, companies five, 10 years later were indistinguishable to what they were 10 years earlier. So there's a huge opportunity. 70% of organizations are now looking at AI and building AI, but there is a challenge. And that challenge is that for AI to be effective, you need to understand your data. And like you said, data is on-prem, it's on endpoints.
It's in Microsoft, it's in Google, it's in Oracle, it's in SharePoint, it's everywhere. But if you wanna benefit from the staggering opportunity that exists with AI, you need to get your data into a really good posture. My advice to organizations who want to capitalize on this wave of innovation and transform productivity and build automation is: understand where your data is. Understand your intellectual property, your company secrets, your regulated content, and then be in a [00:08:00] position to serve up these different data assets to the type of AI initiatives that you want to be successful and to give you a competitive edge.
G Mark Hardy: See, one of the challenges that I face as a practicing CISO is that when I look at the desire to go ahead and identify and classify and label all of the data, there's two elements. One is that going forward, here's what we're going to do. But the hard part is I've got terabytes of information that has accumulated since the dawn of time.
None of it's labeled. None of it is, we don't know what, where it belongs. And so do you just give up and say, hey, we're just gonna start moving forward and hope things slowly fall off the map? Is there a more mature strategy to be able to get your hands around understanding the data in the enterprise?
Ronan Murphy: Yeah, so the vast majority of that data lake is legacy data, but that's where the value is, right? [00:09:00] If you wanna drive insights and you want to build automation and you want to train agents, that's where you get the real value. And that indeed is a very significant challenge for organizations across the globe.
I would say that data is incredibly valuable. It provides an amazing opportunity for your business, but also indeed it creates significant risk should you fall victim to a cyber attack or ransomware, a double extortion, an insider threat, or you operationalize it incorrectly with an AI initiative.
Where we are seeing a huge amount of interest right now globally is where organizations are saying, okay, how do we solve that data lake problem? How do we understand if we've got risk in there? How do we classify that data? How do we contextualize that data? How do we profile that data? And then how do we get that data into a position where we can serve it up for the different types of initiatives we want as an organization?
G Mark Hardy: Now, does that require a [00:10:00] retroactive picking up every single file, looking at it and saying, hey Charlie, does this thing look sense? No, I don't know. Or are there automated ways to do that? And if so, the very technology that's driving us, AI, seems to me to be the best tool to go ahead and go back and prepare it for AI.
Ronan Murphy: Yeah, so what we did in Forcepoint is we've been looking at this problem for many years, even before AI was, let's say, as mainstream as it has become in the last 36 months. And we really understood the complexity of this problem and the nuanced attributes associated with data in different industry verticals: healthcare, manufacturing, defense, retail, et cetera.
So what we did is we built what's called an AI mesh, which is a whole zoo of small language models. And these models have one function, one purpose, that is to interrogate the contents of a piece of data, a document, [00:11:00] and determine what that is. So what this allows customers to do globally is to look at vast data repositories and then very quickly and accurately contextualize what is inside them.
So do we have data that's sensitive? Do we have data that's regulated? Do we have intellectual property? Do we have customer details? And then when the AI mesh has found these documents, you have the ability then to tag them, to profile them, and then to make some very informed and powerful decisions around what it is you want to do with that data.
G Mark Hardy: That's fascinating. So this AI mesh, as you're saying this, I'm thinking, do I either do a batch process and say, hey, go and categorize my data lake, or do I do it real time, where I go ahead and I reach out for something that I haven't reached for before? I can run it through this small language model. It'll go ahead and on the fly say, yeah, you can use this, or maybe you shouldn't use this. Which approach do you tend to do?
Ronan Murphy: Yeah, brilliant. Yeah, we do both. So for example, I had a [00:12:00] very interesting scenario a few weeks back where we were dealing with a large pharmaceutical organization, and their most valuable asset is intellectual property, because they spend hundreds of millions of dollars inventing new drugs and so forth.
And they have very strict policies about who in their organization should have the ability to see intellectual property. Now, you can imagine tracking data can be a complex task because, for example, let's assume you are not allowed to see the intellectual property. I could go into a document, I could copy it, I could paste it into a Slack channel or a Teams channel, or I could email it to you in Outlook or G Suite. So what we do is not only look at the data at rest, which is in SharePoint or OneDrive or your S3 bucket, we also look at the data as it's moving through the inside of your network, right?
So for example, should I paste that IP and send it to you, that creates an [00:13:00] event, and that event in real time sees, oh, somebody is sharing IP with somebody that should not have access to it. The ability to understand, interpret, and track data through an organization is now more powerful than it has ever been before.
G Mark Hardy: And now I'm getting the value proposition that you're having, because if we think of data as being in a silo. Okay, here, this is here, we've got these. And of course, in the US government, we used to have silos of excellence. They don't talk to each other, but they're excellent inside. But their whole concept of protecting data was in a silo.
Oh, I need to classify it. I need to go ahead and label it, and I need to control the access to and from that data. That's only part of the problem, because what you've talked about is a more comprehensive approach, a more holistic approach, if you will, that says, hey, yeah, person one can read this data. But unless you have a way to detect if they're copy-pasting it someplace else, you've just [00:14:00] lost all of your controls.
So that says we need a bigger solution.
Ronan Murphy: Indeed. But I think there's even an extra dimension to this, which we should touch on, right? And that is, most organizations, for the last however many years, when you think about labeling or taxonomy that you associate with data, you might have five or four or seven fields on how you classify that data, right?
It might be internal, external, confidential, highly confidential, and so forth. The problem now is that with AI, you may be looking at trying to operationalize a new piece of software in your HR department, right? And in order to maximize your benefit from that software and realize an ROI, you want to give it all of your HR data except disciplinary records and except payslips, for example, right?
So suddenly what that now means is that you have to look at your HR data and say, you know what? We now need a far more granular [00:15:00] taxonomy and classification, because we need to label certain document types which we don't want as part of our HR AI initiative. So suddenly organizations are realizing that in order to be effective with their data strategy, they need a huge taxonomy of very granular labeling capabilities across different departments.
And that's introducing a whole new conundrum and complexity for these businesses.
G Mark Hardy: Now if that is the case, and I think for a lot of us that are listening in, we go, hey, wow, that resonates. If I'm in the organization you described, so you have HR, and maybe let's say it's more specifically a healthcare organization, an HR department within multiple organizations. Do I start out with a blank sheet of paper and then I have to figure them out? Or, because you've got multiple clients, you've seen multiple things, you can say, here's a template and this is going to roughly fit, but you might be 80 or 90% of the way there. Tune this for your own business needs. Which approach tends to work better?
Ronan Murphy: Yeah. [00:16:00] So we tend to have blueprints on what works for each industry vertical, right? So what's important in healthcare is different to what's important in the defense industrial base or in the financial vertical, right? In healthcare there are well-documented HIPAA controls required with data.
You understand that the data asset that represents the most value is patient data and health data. And there's very clear laws documenting how you should be handling and storing that data. So off the shelf we would be very sophisticated in terms of our AI mesh to discover health data, to profile health data and to risk assess health data.
We take very much an industry vertical approach. When we engage with these different industries, it feels like they're almost engaging with subject matter experts for their sector, because if you implement a firewall for a retail [00:17:00] organization or a finance organization, it's the same thing, right?
It's a firewall. Data's a very different discussion. Data has a very different, nuanced approach to how you solution around it, and that's where we have a huge focus.
G Mark Hardy: It makes me think that organizations that do mergers and acquisitions face a real challenge, because first of all, a lot of that M&A decision making is done by the MBAs and the quants, and the accountants are saying, we're gonna make more profitability. We'll achieve some streamlining, effectiveness and efficiency and things like that.
Rarely do you get sitting at that decision table, the grownups' table, as I like to call it, the Chief Information Security Officer saying, what issues do you think we're gonna inherit? What risk are we going to assume from a cybersecurity perspective? But what you're suggesting now is that this could be a tremendously valuable tool for anybody looking at M&A to say, hey, we are using this type of a tool set to classify, organize, label, and then process our data to ensure that it's protected.[00:18:00]
I'm gonna acquire that company and in six months we're gonna be merging our data. I want them to have a copy of what I'm using and I want them to get prepared so that when we show up, it's just a little minor tweak and it's not a panic where you realize that these people are totally unstructured and unprotected.
Ronan Murphy: Yeah, it's a great point. And one of the most prevalent use cases I've seen in regards to M&A is where the company being acquired, in many cases before they even announce it to their own staff, they wanna make sure that they don't have the insider data loss. So they don't wanna have people who are worried that they might get let go raiding and pillaging the IP that they have as an organization. So we see in many cases it's both the acquirer and the acquiree looking to ensure that they understand where all of that data is, how that IP is moving around, who's accessing it, and do they have adequate controls associated with it.
G Mark Hardy: That's a good point. So lemme go into a couple of [00:19:00] terms, acronyms that we have in our industry, and I wanna make sure we define them, because most people know what they are, but sometimes we get listeners on our show who are fairly new. DLP, data loss prevention. If we're trying to explain to an executive who's not an IT person what DLP does for my organization, how would you explain that?
Ronan Murphy: Yeah. So when you talk about DLP, it does what it says on the tin, right? It's stopping data being lost out of the organization. So it's like, let's say, the bars on the prison cell, right? It's stopping someone breaking out with data. So DLP has been around for a long time.
It's a well documented capability for organizations, and it's effectively at the edge. In Forcepoint, we would be the global leader when it comes to DLP. We've been doing it for probably over 20 years in terms of the
G Mark Hardy: Wow. So explain to the executive, it basically acts like either the bars or a security guard that's gonna [00:20:00] inspect packages on the way out of the building. If you're at a manufacturer, let's say you're making things, or a diamond mine, you don't want the employees walking out with free samples. And so with a DLP, you're gonna be able to go ahead and apply a policy that reflects the business requirements.
That's gonna suggest whether or not certain things can go certain places. And as long as the company has a well understood policy of where things should or should not go, you can effect that at scale rather than have to manually pick up. And they'll hand me that floppy disk, let me read it, see what's on it, things like that. Now, how about the concept of a CASB, cloud access security broker? It sounded like a cool term, but how would, again, let's explain it to an executive first.
Ronan Murphy: Yeah. Again, it's kinda what it says on the tin, right? It sits between the employees and the cloud applications like Salesforce, Office 365, Google Workspace, and it makes sure that data going out is [00:21:00] safe. For example, if you want visibility into what cloud apps people are using, you want to ensure you have compliance, making sure that your policies and regulations are being enforced, if you want to have threat protection, that's where your cloud access security broker comes in. So you implement the policies that you want as a business, and you make sure that, between the user and the cloud, that policy is being implemented.
G Mark Hardy: Okay, so if I'm using some sort of a cloud-based service, software as a service, you said you protect against threats and things like that. Am I really worried about something coming back at me? Is there, what type of threats does this help mitigate?
Ronan Murphy: For example, there may be applications in the cloud that you do not want your users using. They're unsanctioned, and you may want the ability to block your users connecting to applications which could potentially be malicious. [00:22:00] So it's implementing the policies that you want to action as an organization.
G Mark Hardy: Got it. So if I'm using, for example, Salesforce, and I've got a number of people that are connecting to Salesforce, we're putting in contact data we're managing and things such as that, what would a CASB do? How does that add business value to that process? So I could go ahead and get that purchase order approved when it comes time for budget review. Here's my benefits.
Ronan Murphy: So it's validating that this user can connect to that application. If somebody else remotely tries to connect to that specific application and they are not in your CASB setup, then that security checkpoint blocks them from accessing. Or another good example would be, for example, if someone tries to upload, let's say, documents to Dropbox that contain sensitive information, you can have the [00:23:00] ability in your CASB to block them, because it's outside the policy that you want as a business.
So there's a lot of different functionality in a CASB that you can operationalize in line with the compliance, the governance and the risk that you have as an organization.
G Mark Hardy: Got it. So it really comes by, I think, as you said, compliance, governance, and risk. It's not GRC per se, but it's the same thing, which is what we wanna do is we wanna ensure that the business can accomplish its goals with the least amount of friction, but with the least amount of risk that you are going to either compromise information, make bad decisions based upon what you have, or, the third element of that, lose information where somebody comes in, a disgruntled employee, and says, yep, there we go. Because I know that one of the concerns has always been in Salesforce is that if you tell a sales guy you're being let go on Friday, what gets downloaded? The entire customer database, and Salesforce.
I dunno, for me, it's still an enigma. I am, [00:24:00] I have rights, but I don't understand it, because it's just very complex and it's interesting. So it would seem that if instead of trying to go off and become an expert at Salesforce, then become an expert at another app and then become an expert at another software as a service app, that if I had a CASB tool, I only have one thing I have to learn.
It's tuned for me, for my organization, and then from that point, I could then mitigate everything else, and that would seem to be a much more efficient way to do this in the future.
Ronan Murphy: You are spot on.
G Mark Hardy: Data Security Posture Management, or DSPM?
Ronan Murphy: Yeah, so, not that we needed another acronym in this industry. We're already all acronymed out, right? But
G Mark Hardy: Yeah, we're gonna have to go to five letter acronyms where you've used up three and four letter ones.
Ronan Murphy: A hundred percent. DSPM is probably the fastest growing segment in the global cybersecurity industry right now. [00:25:00] It's an incredibly exciting sector, and it's being driven by the adoption of AI, right?
So for many years we've been saying data is the new oil, right? But with AI, data really has become the new oil. Organizations are trying to operationalize it, regulators are trying to govern it, hackers are trying to steal it. So overnight data has become incredibly important, and you said it in your introduction quite eloquently, but you can outsource the responsibility for your software to SaaS providers.
You can outsource the responsibility for your platforms to PaaS providers. You can outsource your infrastructure to the hyperscalers, Amazon, Google, Microsoft. The one thing you cannot outsource responsibility for is your data. Because everyone knows that it's high stakes poker, and if you get it wrong, the consequences are very profoundly damaging at every level.
So data security posture management provides organizations with the ability to look at the posture of their [00:26:00] data and then make decisions. And when you think about the types of use cases that you can apply to your data, they're literally limitless. It could be risk assessments, it could be governance use cases, compliance use cases, InfoSec use cases. And data security posture management, the acronym, is designed to provide executive leaders and InfoSec leaders and risk leaders with the ability to look at that data and then make decisions. A really interesting one that we see a lot is: what is our gen AI readiness? Are we in a position as an organization where we can turn on an AI application and serve up data that we feel has been correctly discovered, classified, profiled, tagged, labeled?
That's probably one of the most interesting use cases right now.
G Mark Hardy: So when we're talking about posture, when we refer to data, we're not talking about sitting up straight, [00:27:00] putting our shoulders back and things like that. But just to make sure that our listeners understand, when you talk about data posture, what are we talking about here?
Ronan Murphy: When you talk about posture, let's say beauty is in the eye of the beholder. You will have the ability to decide what you want your posture to be. Your risk appetite if you are a large bank is different to if you're a small, mid-size unregulated organization, and depending on the type of risk appetite that you have, you may want a different posture.
DSPM gives you that visibility across the data, across your cloud, across your network, to understand: is your posture good? Are you sitting up straight? Are your shoulders back? Is your tummy tucked in? Or are we slumped over with bad posture and we need to improve it?
So it allows you to get that visibility, [00:28:00] holistic visibility across all of your infrastructure, and then make decisions on where it is we want to start improvement.
G Mark Hardy: Now that sounds a lot more like operational requirements and security requirements. And so who should own the DSPM in an organization?
Ronan Murphy: That again is a great question, right? We see many different stakeholders embracing DSPM, right? So there are some very profoundly powerful use cases from security. So for example, if you want to operationalize DLP or DRM, digital rights management, effectively, DLP is like a bouncer in a nightclub.
When the bouncer comes to work, the nightclub has to tell them what type of clientele they want coming in to their nightclub, right? They have to be over 25. They have to be well dressed, and they're not wearing runners, right? That's like your DLP at the edge. DSPM is the brains behind the DLP.
It'll look for all of the data across the [00:29:00] organization, and then it will interpret what that data is based on the content, and then it will label it. So it's giving the bouncer at the edge, the DLP, the intel on what can come in and what can go out, for example. That use case would be specifically an InfoSec use case used by the cyber practitioners.
But you may also see use cases where the data protection office may say, we would like to know if we've got risk from a privacy perspective, like GDPR or CCPA. So we do tend to resonate with both privacy professionals, cybersecurity and InfoSec, and then obviously GRC is a big one. And especially with AI. So depending on who the business asks about AI, are we ready as an organization to embrace AI, to operationalize it? You're starting to see now, faster than ever before, [00:30:00] two departments which I always felt were siloed, being governance, risk and compliance, and security, suddenly coming together to try and mitigate the risk of AI, but also seize the opportunity.
G Mark Hardy: Yeah, it's interesting, because as we look at that, as I've rolled out AI, my requirement is I need a policy, and I pushed hard for policy. I wrote a draft, I think it was February of last year. We finally got around, after all the chop chain, to having something. And then part of that was to say the understanding with the users that if we pay for it according to the contract, they're not gonna train on our data.
And we maintain some sort of data privacy, going back to the GRC and the privacy folks. But if you use free, open models, then who knows? You're just going ahead, giving stuff away. And so don't do that. Do this. And if you look at a world where today there's a lot of BYOD, how do you enforce something like that? If you know that, and maybe this is outta [00:31:00] scope for what we're talking about, I think of these as business problems.
How do I make sure that if I've got a controlled device, okay, I can lock it down really well, but if it's in my tenant, I have control, it's an into and I can push a button and make it self-destruct. But if I'm in a BYOD world, does that scale over to that as well? Or am I asking for trouble when it comes to AI and access to
Ronan Murphy: so what you're describing is shadow AI, it's like shadow IT, right? It's where people are using ai, applications within your business. And these are hoovering up data, which is, potentially very damaging to the organization. And, just back to a point you made a moment ago, whether you pay for AI or it's free right?
I look at the problem a little bit more, at a granular level in so far as even if you want to operationalize a product like Microsoft Copilot inside and the core of your network, right? [00:32:00] they're incredibly powerful productivity tools, right? And I would, I would encourage organizations to be, evaluating them from a productivity perspective.
But if you don't label your data properly or train it properly, and you suddenly are giving an internal Copilot access to data, then even your own employees could prompt it. And I could prompt it: What was your salary last year? Why were you sick last week? What's your disciplinary record? And if you've fed that data into the Copilot and you haven't labeled it properly, or it's been fed in there by mistake, you are literally, as an organization, one prompt away from a data breach or a data loss, right?
These tools, while incredibly powerful from a productivity perspective, also introduce very significant risk. And then to the second part of your question, when we think about shadow AI, that's introducing even more risk because, I dunno if you saw about three or four weeks ago, OpenAI [00:33:00] ChatGPT started getting indexed by Google.
It's like terrifying. So you could go into Google and you could just Google your competitor and ask what data ChatGPT has been loaded up on your competitor. Have they, what? What queries have they put into ChatGPT? So when you think about that, if you have shadow AI and you have data that hasn't got correct guardrails around it, or you're not tracking it in real time, and it's finding its way into these models. If you ask me, as a guy doing this 20 years, I'm more concerned about data loss in large organizations through AI than I am from the most prolific ransomware actors. I think you have more chance of losing substantial quantities of data if AI is not done right than from ransomware actors, and I never, ever anticipated that's something I would say.
G Mark Hardy: And heaven help us when we get ransomware actors using AI, which [00:34:00] they're
Ronan Murphy: Correct. Which they already do. The quality of phishing emails now is terrifying.
G Mark Hardy: It is. And so what that kind of... it brings up another thought, is that we have a lot of technologies out there, and you guys at Forcepoint have created some really amazing stuff. Of course, your background and things that you had done with Getvisibility, et cetera. But it seems to me that the better the technology, the more likely the attacker is gonna aim for the human.
Because that person, although we have all this security: "Hey, let me hold the door open for you." The problem with that is that if the human opens the door for the bad guy, and we're seeing a lot of the ClickFix type of attacks for people who don't understand Windows, and then say, "Oh yeah, I just do a Windows+R, a Control+V and then Enter to prove you're a human," and sure, I'd prove you're a human.
'Cause you just downloaded a script which calls a PowerShell script, which calls a mailer that says, "Oops, your files are encrypted." Is there anything that we could [00:35:00] be doing better to integrate our security tool set with our human education, so that as this thing is enforcing, instead of just getting a block, "You can't go there," what I'd love to see is, "You can't go there, and here's why you can't go there."
So you go, ah, I get it. Is that something that's being built into systems, or do we just gloss over that today and leave the companies?
Ronan Murphy: So it's a very wide-ranging question you've posed. I think there are many different moving parts to it, but I think education is just something that we have to continually do. We have to be cognizant of one very depressing fact, and that is, on a global basis,
the bad guys are... cybercrime is growing year on year in terms of the impact that it's having from a GDP perspective, as an industry. It is, I think, going out of all proportion. A lot of that is being powered by the bad guys' ability to operationalize AI with phishing and compromising users, like you [00:36:00] said.
But if you think about the modus operandi of the hackers, encryption really isn't that big a problem anymore, because companies invest in business continuity, business backup, business restore, and they can be back up and running very quickly. So what those hackers are now doing is they're saying, okay, let's compromise a user, like you said, with a phishing email.
Then let's harvest their credentials. Let's escalate the privileges. Let's get in on the wire, but then we need to steal data. 'Cause if we steal data, that gives us the best ability to extort the victim, because they're terrified that these guys have stolen the data. And in many cases, and I see this on a weekly basis, the organization has no clue what data they've stolen, because in many cases they don't have visibility into that data.
And that creates an environment of fear and uncertainty. So the bad guys now have the data and they can extort their victim. But what they can [00:37:00] also do is disseminate that data, and they can do second- and third-degree attacks on either the people in that data or the organizations in that data.
So with all of that said, my fundamental view and my belief is that both from a cyber risk perspective and an AI operationalization perspective, and considering how good the bad guys are getting, everything is focusing on the data layer. So in my view, as an organization, if you go in and you understand your data, you can then start making some very profoundly powerful decisions in the business.
You can ask a question: what would happen if Ronan's privileges get stolen? Somebody gets access to the network using his profile. What damage could they do? And, based on our data state, how do we want to mitigate that risk? So having visibility of your data allows you to make very [00:38:00] profoundly powerful decisions and take very important steps to hardening, I would say, your data security posture,
and also your risk, your governance, your compliance.
G Mark Hardy: So you've covered a lot of ground here already, and so I'm thinking, as we're getting close to the end of the show, if you were to sit down with a CISO who says, wow, I'm still listening and I'm taking notes, and this is good stuff. What sort of plan of action would you recommend, or what type of action should they take to reduce their likelihood of having a significant data event?
Ronan Murphy: Yeah, so I think the role of the CISO is becoming incredibly interesting, and I believe it's going to be one of the most important... it's a very important role right now, but it's a role, for the most part, where you're building walls, you're dealing with kind of risk. But I do believe, because of AI and because of the kind of revolution we're experiencing [00:39:00] globally right now in the pace of innovation, and I said this at the start, the role of the CISO is going to evolve more into almost a strategy role, because the architecture, like zero trust architecture and best-of-breed firewalls and EDR tools and identity tools, they are well-defined kind of use cases.
Right now, it's very easy to procure these technologies, even in the marketplaces like with Amazon and Microsoft and so forth. I believe the role of the CISO is going to be much more focused on the data layer, because as they implement these various tools and hardening devices around their network, the business will come to them and say, listen,
we want to build an agenda for customer service. We want to build automation. We wanna invest in RAG, retrieval-augmented generation. We want to invest in robotics. But to do all of that, we want to understand, are we ready? Is our data in a good position? And the CISO is suddenly going [00:40:00] to become the strategist that's responsible for not only doing the firewalls and the hardening and the security,
but also making those decisions at the data layer. And I guess my advice would be, CISOs who embrace that challenge and that opportunity will become an incredibly valuable asset for organizations as they start to try and navigate this brave new world and the opportunities that are being presented by this incredibly exciting technology.
G Mark Hardy: Wow. Fascinating. So I think to get better at that, of course, we need to improve our skill sets. Now I know you've got an upcoming event called Forcepoint Aware 2025. It's October 7th and 8th, but it's virtual, so I don't have to get in a plane and fly someplace. What can people expect if they went ahead and attended a dedicated couple of days at Forcepoint Aware?
Ronan Murphy: We have some amazing speakers, and we will really be looking at, again, like you and I have spoken about today, the opportunities that exist [00:41:00] right now with new technologies, the challenges that exist. We'll be discussing the regulatory landscape and the types of risks that are being presented to organizations. We'll obviously be drilling down into the types of innovation that now exist out in the marketplace.
So there's a wide array of different world-class speakers participating. I think there'll be a lot of knowledge sharing and a lot of analysis of, again, both the opportunities and risks that are out there.
G Mark Hardy: Yeah, look, I pulled it up right now. Ross Young, our co-founder here at CISO Tradecraft, will be there, and he's right up there with Jen Easterly and this handsome young man named Ronan Murphy, along with others. Forcepoint.com/aware for those who are interested. I think that would be a great opportunity.
You would appreciate this though. I am gonna be outta the country, in Ireland. Oh, I will not be able to do that. So I'm speaking at a conference out there called COSAC. So any last [00:42:00] thoughts that you have before we wrap up? Ideas that you'd like to leave our CISOs with?
Ronan Murphy: Yeah, I think the opportunity for CISOs right now to grasp this data challenge will significantly elevate their own value, whether it's in the company that they work with now, or as they maybe change organizations in the coming years. But I do believe it's a really exciting area.
I believe the role of the CISO is gonna dramatically change in the coming years. And, undoubtedly, where all of the action is happening now, where the valuations are growing, where the opportunities exist, is at the data layer. But it is not simple. It is a complex challenge, but it is a super interesting one.
G Mark Hardy: So I love your insights that we're gonna become more strategic as we go forward, and we're hoping that people listening and watching CISO Tradecraft, that we're helping people to do so by having conversations with folks like you. Ronan, this was awesome. I learned a whole bunch in this show, and I [00:43:00] gotta imagine everybody else did as well.
So for our listeners out there, if you're not already subscribed, please go ahead and subscribe to our podcast, and if you like us, give us whatever that podcast channel has: thumbs up, five stars, whatever. Not that we're grade grubbing, because we don't get paid money for that, but it does help other people find us.
And so you can help other professionals in their CISO Tradecraft. Don't forget to follow us on LinkedIn. We have a whole lot more than just podcasts. We have a regular, steady stream of high-signal, low-noise information. It'll be of great value to you as a CISO. We've got a Substack newsletter. We've got a lot of tools that are available out there.
So good luck to you on your career. Hopefully you'll be able to go ahead and make the Forcepoint Aware in October coming up. And as they say, you can go find that on the website. We'll also put that in our show notes. And so until next time, Ronan, thank you for being part of the show,
and to everybody out there, stay safe out there.