Today, our guest is Sachin Shetty. Dr. Shetty is an Executive Director at the Center for Secure and Intelligent Critical Systems and a Professor with the Department of Electrical and Computer Engineering at Old Dominion University.
We will discuss Building a Resilient Future with Secure and Intelligent Critical Systems.
Summary of the episode
In this episode of the Cybersecurity Guide Podcast, host Steve Bowcut interviews Dr. Sachin Shetty, the executive director of the Center for Secure and Intelligent Critical Systems at Old Dominion University.
They discuss the importance of building resilient future systems and the role of cybersecurity in critical infrastructure. Dr. Shetty explains his research interests in computer networking, network security, and machine learning, and how his work focuses on understanding and mitigating security threats to critical infrastructure.
He emphasizes the interdisciplinary nature of cybersecurity and encourages students and early career professionals to explore various domains and understand the role of security within them. Dr. Shetty also highlights the significance of AI and quantum computing in the future of cybersecurity, particularly in securing critical infrastructure systems.
A complete transcript of the episode
Steve Bowcut:
Thank you for joining us today for the Cybersecurity Guide Podcast. My name is Steve Bowcut. I’m a writer and an editor for Cybersecurity Guide and the podcast’s host. We appreciate your listening. Today, our guest is Sachin Shetty. Dr. Shetty is an executive director at the Center for Secure and Intelligent Critical Systems and a professor with the Department of Electrical and Computer Engineering at Old Dominion University. Our topic for today, what we’re going to be discussing is building a resilient future with secure and intelligent critical systems. Let me tell you a little bit about Dr. Shetty before I bring him in. Sachin Shetty received his PhD in modeling and simulation from Old Dominion University in 2007.
Before joining Old Dominion University, he was an associate professor with the Electrical and Computer Engineering department at Tennessee State University. He was also the associate director of the Tennessee State Interdisciplinary Graduate Engineering Research Institute and directed the Cybersecurity Laboratory at Tennessee State. He also holds a dual appointment as an engineer at the Naval Surface Warfare Center, Crane, Indiana. His research interests lie in the intersection of computer networking, network security and machine learning. With that, welcome Dr. Shetty. Thank you for joining me today.
Sachin Shetty:
Thank you, Stephen. Thank you for the opportunity to speak to you and your audience.
Steve Bowcut:
All right, this is going to be fun and interesting. I’m looking forward to it. Let’s start with giving our audience a little bit of a background and an introduction to you. So tell us about your role as the executive director of the Center for Secure and Intelligent Critical Systems and maybe kind of how you got there, what your path looked like.
Sachin Shetty:
Sure. Thanks, Stephen. So the Center for Secure Intelligent Critical Systems is one of the many research centers that are housed in Old Dominion University. So this particular center’s mission is primarily in applied research in the area of cybersecurity, and right now I’m the director of the center. And I have a team of 20 research scientists, students and software developers. So the mission of the center is to do a comprehensive modeling and analysis of security threats to critical infrastructure in general. And so within the auspices of the center we do several grants and contract funded activities for the defense, federal and commercial sectors. And we develop technologies, products, algorithms, techniques, to better understand the risk associated with the critical infrastructure. And so it follows the continuum of, I called it math to marketplace. So if you recall, I mentioned it’s an applied research center, so the end result of any effort that we undertake, my mission is for that to be in the hands of the end user.
So if it’s a customer in the defense space, I always try to understand and identify the lack of capabilities that the warfighters would have within their technology Rolodex, and I find out where the gaps are and then I identify, given that I’m a researcher, I always try to find a very fundamental research challenge. And then I and my PhD student will just work through the math of it so…and we don’t just throw out a product out there. So we want to make sure that the technique that we come up with has been blessed by a peer academics, and then I work with the software developers to then create a product out of it. So that’s the objective of it.
And how did I land up in the center? So I moved to ODU back in 2016. And so at that time I just wanted to just do research in cybersecurity in general, and had a couple of students. I was just primarily focused on advising PhD students to do some research on cybersecurity. But then my involvement with various customers, the defense of federal space, exposed to me problems where we were successful in delivering those solutions. And then we scaled from a small lab to a center where all our success allowed us to keep growing and keep solving a multitude of problems.
Steve Bowcut:
So from what you’ve told us so far, your interest in cybersecurity predated moving to Old Dominion University. So how did that come about? Did you, I mean, as a teenager…? Was it in your undergraduate years? When did cybersecurity kind of come onto your radar?
Sachin Shetty:
Well, I think it came a little bit late in my career. So I did my undergraduate in computer engineering and I think at that time cybersecurity was not the forefront of my endeavors. I was curious about technology in general and most of my background was in computer networking. Interconnection of systems was always a passion of mine. I always felt pulled towards understanding how distributed and disparate systems come together. And you can see with the evolution of my research as well, I didn’t know this back then, but it was very clear that convergent teams were at the heart of it. That’s why I was gravitating towards interconnected systems. But throughout my PhD training, that’s when I realized the challenges with interconnected systems, where now you’re talking about, when I said disparate, you don’t have centralized governing edict in terms of how you trust those systems, and there is no singular threat that ties them. So how do you get disparate systems to play nice?
And so to have everybody follow the rules is very challenging. So that’s when I started reading and thinking more about the challenges with securing systems, understanding that if I’m going to be connected with some other system, I better understand the cybersecurity posture, otherwise I’m going to be in a weaker spot because I’m connected with something that is not as strong as me. So that was the early breadcrumbs, if you will. But later on in my PhD career, a very specific experiment that I conducted really made the light bulb go off. So this was the advent of cloud computing, and so I was, just like anybody, was just dabbling with understanding the mechanics of cloud computing. So this was when we were trying to grapple with how information can be uploaded to the cloud. So you’re basically relinquishing control and you’re going to be fine with it.
So that’s the trust piece. So now I’m trusting this cloud provider. And I saw something interesting. I was uploading some images on the cloud, and I was watching the IP address. Because I understood the concept, I’m uploading an image, it is going to get housed in a computing instance that Amazon or any cloud provider owns. And I noticed that every time I accessed that image… Or the next couple of weeks, I noticed the IP addresses kept changing. And that got me thinking that, even though that was not a secret problem, that I’m wondering that, is it possible? So that’s the curiosity, that if I’m going to upload some sensitive information, how do I ensure that that information stays where I want it to stay? For instance, I don’t want that information to go into a country where certain restriction of laws might allow them to view those information.
So that’s when I started thinking about the need to develop systems to better understand, especially when you’re talking about relinquishing controls, so your personal information, personal data. And so that was my genesis of my very first effort. I think the paper was almost titled Shopping for a Secure Cloud. At that time I was looking around to see that if customers are looking to put the data on the cloud, is there any tool out there that helps them that, okay, if you have certain level of security attached with the information, you might want to go for cloud X versus cloud Y? I noted there wasn’t a tool that helped questions. Now you just implicitly trusting the cloud provider, and that’s the trust basis. I would rather have a third party verification, at least let the customer know, knowledge is power, right, so let the customer know the trade-offs between offloading the information from cloud X cloud Y. And you’ll always trade off something, but at least if you don’t know that then you’re not well-informed. So that was the genesis, and then I started embarking on the journey.
Steve Bowcut:
Excellent. Thank you for that. I appreciate that. So critical infrastructure is in a word critical, that’s why we call it that. So give us some insight, if you can, into some of the research and innovation that you’ve been involved with. I think that would be interesting for our audience.
Sachin Shetty:
Yeah, that’s a good segue, because I mentioned that my first foray into cybersecurity was cloud. And so this was at the tail end of the first decade of this century. And so since 2010 to 2012, I started dabbling into cloud and mobile, critical infrastructure wasn’t really in the forefront, but around 2013… And if you notice with cloud and mobile, they’re traditionally information technology, IT type of infrastructure. And I attended a conference where I was first exposed to the term OT, operational technology, and I learned about how IT and OT are different. And that’s when it just hit me in terms of the impact of OT infrastructure, impact of a cyber attack on an OT. Because this is a scenario where, what comes under OT, you have your energy, you have your water, the really fundamental needs of the human society and infrastructure that drives us, and how a cyber threat to those infrastructure can impact society. So I did, not a full 360 shift to OT, but I wanted to start understanding challenges with OT.
So around 2014 and 2015, around that time, I was lucky to be part of two centers actually. There was one center called Center for Cyber Resilience Institutes, and that was funded by Department of Homeland Security. So it was called Critical Infrastructure Resilience Institute, CIRI. The second center was called CREDC, Cyber Resilient Energy Delivery Consortium. So these two pretty largely funded centers, by the Department of Energy and Department of Homeland Security, was primarily stood up to translate fundamental research into technologies that could be used in critical infrastructure. It’s a very wide space and I was always interested to better understand the risk associated with cyber threats through the critical infrastructure.
So for instance, I was curious about, let’s say for instance, take the energy delivery system. So if you look at the infrastructure that is responsible for delivering energy, I was curious about, how many pathways exist? Is it possible for somebody in the basement to not just have an attack and strip the breaker of the substation in my neighbor, in whoever your energy provider is? Is it possible? And so that was the question that I had. Again, these are all things that you read about in the news, but I wanted to actually find out is that, even a single pathway, however difficult it may be, it might take 20 steps to get there, but is it possible? So that was the research problem that I wanted to work on. And always, a lot of my research, it’s an area of security metrics. I always like to measure the risk and then provide the mitigation. So good analogy I will provide you with is, so we all know of a way to find out our credit scores, but what would be really helpful is, what do I do to improve my score?
So if it’s possible, let’s say if I was scored over 600, I would like to know what are the three things should I do so that I go from 600 to 800 in a month or two months? That’s what I really want to, right? And so coming back to critical infrastructure, being able to identify these pathways, therefore somebody to terminate at the breaker and trip it off. And should I care how likely is it? Is it 10% likely, 20% likely? And what other two or three things should I do? Because this is the economics of security, because we do this a lot of time, everything in life is about risk management. In our day-to-day life, we don’t realize it, but we do a lot of risk management. For example, if I had to go to Arizona, would I take a flight or would I drive to Arizona? I’m doing the risk.
Steve Bowcut:
Exactly.
Sachin Shetty:
So the same thing for any energy provider. They would like to understand, how much defensive measure should I invest? So I call this the induced cost and incurred cost. So I’m going to incur some cost, but I would like to know how much cost I’m inducing to the attack. So if I’m making their job difficult, if it’s just 10% more likely, will I take the chance? Well, they’re successful, they must shut you down. So that goes into, well, what did they get in, how worse could it be? So I was always curious about developing techniques that can basically provide the situational awareness. Most of the times the stakeholders don’t even know, they hear about ransomware, “Let me see if that’s possible in my infrastructure. Show me exactly, show me all the steps that’s possible.” And if you show it to me, then I’ll say, “Okay, then tell me…” The same, the credit score analogy, “Okay, tell me what should I do to fix it, because I don’t have a lot of money to invest in this. I would like to tell me two or three things.”
And then we can play around with those, and then you can use security. Budget is limited, but you at least know the techniques that you should use to remediate. So that’s the work I do in infrastructure. And so, one of my products, my very first product, so as a researcher I am lucky enough to be involved with ability to transition my tech into a product. And so my first product that came out of my lab was in the area of measuring and mitigating risk. So that’s the journey. And so that’s a journey I’m still involved with. So I’ve been very involved with energy space. Energy, something that is very near and dear to me. So right now I have a new center for securing wind energy farms. So again, with the same, I started with traditional energy delivery to now, renewable energies, and trying to understand security problems associated with them.
Steve Bowcut:
Excellent, thank you, I appreciate that. So it seems like incremental improvements in security posture is kind of the strategy that you’re promoting. So what can we do to understand our risk and what incremental improvements can we make to improve that security posture for critical infrastructures, if that’s a fair kind of summation of the overall approach that you’ve had in your research? Is that fair?
Sachin Shetty:
Yeah, I would say the former in terms of more so about providing the situation awareness. Because I think once at least I’m able to clearly identify all the different ways you’re vulnerable, and then present to you prescriptions that work. And then let you decide because I’m always cognizant about your budget. And this is always a challenge with a lot of stakeholders because security is never seen as something that creates value.
Steve Bowcut:
Right.
Sachin Shetty:
Again, this is the business speak, so I’m always cognizant about. So for instance, I remember a story about when a physicist goes to the director and says, “I’ll make you a plane 30 times faster.” Okay, that’s driving value, to go faster. The cybersecurity person says, “I’m going to make it more secure.” Well, that’s [inaudible 00:18:25] yesterday. So trying to provide that value proposition as to, you have a particular service that’s a certain value, and if you don’t, this is the incurred cost, how much cost you’re going to incur. If you don’t do anything, then that service may not be available to your customer and then you lose, right? So it’s not that you’re going to gain something, but you’re minimizing your losses. So being able to educate the stakeholders, because once they see those numbers then they’ll make educated decision as to how much they want to invest.
Steve Bowcut:
Excellent.
Sachin Shetty:
Otherwise they will do the bare minimum that they need to do so that they can escape the regulators.
Steve Bowcut:
Exactly.
Sachin Shetty:
I try to avoid that, try to see if I can give the business speak of value, and value not being maximized because you didn’t do the things that you’re supposed to.
Steve Bowcut:
Got it, thank you. All right, so let’s turn our attention and our focus to our primary audience. As you know primarily, or largely, our audience is comprised of students and early career professionals that maybe are still trying to decide, do I want to get into cybersecurity? And if so, what would that path look like? So talk to us about that, and maybe kind of cybersecurity generally, and even more specifically, in securing intelligent and critical systems. What does that path need to look like? What do they need to know?
Sachin Shetty:
So I always say cybersecurity… And a lot of times when I get approached by students, I always tell the students that cybersecurity is not all about technology. For me, cybersecurity is a human challenge, and I’ll tell you what I mean by that. And so I’ll always start with that I never use technology as a way to teach cybersecurity, and I always want the students to be curious about the role security plays in every facet of a life. So remember I talked about cyber risk? I actually look, risk, as a three-pronged lens. You got the technology lens, you got economic lens and you got legal lens. And I might even add the social behavior, psychology, all aspects. Yes, I named social, sociology, behavior, psychology, legal, so you can see I’m covering a wide multitude of areas.
And by the way, I even have a project where I collaborated with a dance instructor. So imagine choreography and security, where it was choreography and privacy. So that’s another challenge of how the arts and entertainment should also be intersecting or as a solution to intercept. And as a matter of fact, the more I’ve been involved with cybersecurity, I feel like instead of being bottom up, you got to be top down, and I’ll explain what I mean by that. So as I mentioned to you how cybersecurity permeates all aspects of our life, so imagine if I take economics, if I take finance, you might think, what a finance major basically worry about cybersecurity? Well, that I already mentioned about the economics of security. So if you are working with organizations and you have to make a decision on how much you’re going to invest into security versus how much you’re going to invest in other aspects of your business, just understanding the financial aspects of this is so critical.
Let me talk about insurance. So even somebody’s going to insurance, cyber insurance is going to be a big, big issue that’s going to come up. People will be buying cyber insurance. So somebody again, who is in the financial space should be curious about the impact of cyber. So I talk about impact. So a lot of the times students get caught up into how hackers and the adversaries get in. But I want to flip that into better understanding the impact of a cyber attack. How does that affect the end stakeholder or the end system? Because that’s where the focus should be, not all the different ways that attackers can come in. So for example, if I’m somebody listed as psychology, so I even work with psychology students and faculty where I’m always interested in the, I call this, what is the intent of an attacker? What are they after? There’s a whole psychology of how attacks take place, whether it’s a lone wolf, whether it’s a state sponsor, just the forensic side of things.
And just humanness, because it’s a human element. So it could be a single human, group of humans, a hierarchy structure in terms of how attacks take place. So there’s a lot of human dynamics that needs to be better understood to find out, “Hey, am I being attacked by a lone wolf? Am I being attacked by a group?” So if you look at CSI, from the investigation, they always do profiling of the perpetrator, trying to figure out who the perpetrator is. That type of stuff gets into cybersecurity as well. Anybody who’s interested in global issues, sociopolitical issues, especially political issues. Because I was once asked by a customer, he shared me some data of an attack taking place and his question was, was this done by a Russian group or a Chinese group? Now I just didn’t have enough know-how and knowledge of the geopolitical and social constructs within the two countries to know who it potentially could be. So that’s another opportunity for people who understand different cultures and culture aspects.
But it was interesting conversation I was having with somebody in terms of the way you attack, are you more conservative, are you more opportunistic? Is that part of your culture or is that you as a person? So that tells a little bit about who’s perpetrating the attack, and basically figuring out, is it possible to understand or figure out attribution, the better profiling piece? So there are so many aspects to cybersecurity, which I don’t believe engineering technology-based solution can address this, I see multitude of those disciplines coming together. And as a matter of fact, at Old Dominion University we have a school of cybersecurity and we have majors on sociology, psychology, traditional sciences and engineering, all part of the program.
And especially, one last thing I wanted to mention is that our policies are not up-to-date when it comes to cybersecurity. So anybody who is going to be working on the next policy, we need a lot of people who are not… Especially when it comes to now trusting AI, speed at which AI technology is going, we definitely need people who are writing the next set of policies, or maybe who are going to be advising our legislators. The staffers on those legislators, I can imagine they have a big role to play in making sure the policies that are written, the bills that have been written, have that. So you can imagine somebody who is in that world may not think cybersecurity important for them, but technology is a big part of us. And you may have seen a lot of executive orders, a lot of bills, reference technology, and it would really be good for us for having next generation to be more knowledgeable about the area so those policies can keep up with the technology.
Steve Bowcut:
Yeah, I love that idea, what I hear you saying there. So speaking directly to students, it doesn’t really matter what you’re interested in, if you want to work in cybersecurity, there’s a place for you. And I think historically, and I think we are getting better as an industry, we’re getting better at this, but historically we’ve thought of, as you mentioned earlier, cybersecurity, “Well, I need to know coding and it’s a very technical field and I have to enjoy wearing a hoodie.” So we’ve created this image in our mind of what it takes to be a cybersecurity expert. And I love the fact that you’re broadening that. You’re saying no, it doesn’t really matter what you’re interested in, it could be insurance, it could be policy, it could be the arts, it could be any number of things. We need people in cybersecurity that have an interest in and a knowledge of all of those fields, not just…
I mean there’s a place for coders and we need somebody that can write code and actually do that. But understanding, for example, the motives behind the different kinds of attacks really contributes a lot to how to mitigate the attack. You need to understand the motives of the attacker, the threat actor, to mitigate that. So I really appreciate that your approach is so inclusive, if you will. So let’s try and give some career insights and advice to our students and early career professionals that are thinking about cybersecurity. I guess where I want to go with this is, cybersecurity is such a dynamic field, things are changing so quickly, so it almost seems like it’s hard to say, “Okay, this is what I need to know. This is the jumping in point for cybersecurity,” because it’s changing so quickly. So how do we prepare that next generation of cybersecurity professionals in this ever-changing world?
Sachin Shetty:
Yeah, so what I would recommend is obviously you need to have singular discipline that you’re interested in, so for example, let’s just say, psychology or sociology or physics, chemistry, and there has to be something that… Because the reason why I mentioned that is that you need to at least have some comfort level within at least a singular area, and then you can add cybersecurity to it. That’s how we look at it. Because the way I look at it, you need to have a comfort level within a domain and then understand the role of security in that domain. So that’s how I would put it. You cannot just learn about security in a vacuum, because that would make you a generalist. What would be really helpful is that if the person, let’s say a person is interested in law, the person is interested in social issues, given the role that social media plays, and so I have a project on understanding misinformation and disinformation, just conversations.
So for example, this is a conversation that we are having. So let’s say is it possible that I’m the adversary and I’m trying to change this conversation to something different? And so just somebody for them to understand linguistics. So anybody who’s interested in languages, so that’s a domain, language domain, they like linguistics. But what does the security play in it? Well, if they’re providing a set of conversations between two individuals, to find out, “Hey, tell us, because something bad happened here, can you identify where in the conversation, was one person misleading the other person into saying something or sharing something?” The domain is linguistics, domain is language, domain is conversations, but I’m talking about a security problem with that. But still, you stick within your domain and you understand, how did this conversation, which was supposed to be a normal conversation, become adversary, or became something where the other person was misled to doing something? Who was responsible? How did that happen?
So again now, this is linguistics, and then you’re trying to understand. So again, you didn’t need to know coding, you didn’t need to know anything. And again, just fundamentals of security, which here is impact. What is impact? The conversation was supposed to be free flowing, whatever the end result is, but the result became something else. So now, maybe there are various coding help. Well, if you were to do that manually, probably would take you a lot of time. If I gave you reams and reams of sheets of paper, of conversation, maybe you would benefit from coding technology. Maybe you could better articulate that to a coder. Because what is critical is, identify the problem. Because coders know how to solve the problems, they don’t know the problem very well. And so what is really interesting is, we need to know whatever problems exist.
I’ll give you another example. We use ChatGPT type of tools out there. So let’s just imagine an organization wants to use ChatGPT because they like the prompt. You ask question, you get answers. But what if you would like to add a certain level of controls to the response? You don’t want everybody in the organization to know everything about your organization. For example, let’s say you don’t want the finance unit to know everything about HR, what HR does. So if you incorporate then, how do you attach this control? So now this is about organization, somebody who learns some organizations, and somebody’s interest in organizations, is able to then figure out how to understand that, and what’s the organization policy and procedure. So if you’re interested in those kinds of things, then you’re able to work through that.
So what I say is that you have to have a good knowledge of a domain that you choose. Whatever is the case, I can easily make a case of where cybersecurity plays a role in it because it permeates every facet of our life. And so you got to be gravitating towards a domain. And for example, I see every agency’s interested in understanding the impact of security, and more so with machine learning and AI. It’s going to be part of every piece of software, every aspect of our lives. How do you trust AI? That’s something I feel every individual should be cognizant about, or at least be curious, right? It starts with curiosity, because if you’re not curious about it, then you’re not going down the path of understanding, “Okay, what do I need to know? And who do I partner or collaborate with to solve the problem?” Because nobody’s going to solve this problem by themselves. Like I said, I have a team of 20, 24 people and a large network. So every time I work on a project, I always tap into the network of expertise to get it done.
So that goes with any student who wants to do this. I would strongly recommend, at this point in time, looking at the role of AI and machine learning and first understanding how that impacts their domain, and it’s going to impact every domain. There’s no way that AI and machine learning won’t impact. And then understanding the security, because now you’re trusting this AI software to automate things. I’m always concerned about automation where humans are not in the loop.
Steve Bowcut:
And maybe we’ve answered this next question. We need to wrap up here, but I wanted to end on a forward-looking or a future-looking perspective from where you’re at. And we’ve touched on AI a couple of times, so maybe that’s the answer to the question, but maybe it’s not. So what kind of emerging trends do you see that are going to be, cybersecurity trends, that are going to be important for critical infrastructure systems and the protection of critical infrastructure systems? Is it AI or are there other things that you’re seeing that the future might bring that we should be very focused on now?
Sachin Shetty:
Yeah, right now at this point, where we are in 2024, definitely AI is going to be a key part of the future, now and future. There’s another technology with quantum computing.
Steve Bowcut:
Okay, that’s a good one.
Sachin Shetty:
That’s another area. But I am so much fascinated with AI because it’s already made inroads into our infrastructure. And the significant advances that are happening, we are always playing catch up in trying to secure. Because it’s here and now, even though quantum computing is around, but it has not taken over our lives the way AI has, and how it’s already making an impact. And especially when it comes to critical infrastructure. That’s my concern, because now we are talking about safety, right? Because we are now talking about safety of lives, because operational technology, so we can think about cranes, if I’m picking and placing something, is it possible that it drops something on somebody because it got hacked? Because that is a safety issue. So that’s one of the reasons why I got involved with OT because now this is not a security problem that makes the email unavailable for a few hours. I lose my email for a few hours, it’s not a loss of life, but I’m more concerned about security attacks that could pose a threat to lives.
And I think that’s where, if AI is going to be part of it, can’t have AI running amok in terms of the operational piece. And then what are the security aspects of it? That’s where we need to have a good grab spot. So there are a lot of technologies out there, but I’m more concerned about AI and we need a very robust workforce that understands AI. We just need a lot of humans who are knowledgeable about the role AI plays in the domain. You don’t need to know everything about AI, but understand the role AI plays, understanding the potential threats, how to minimize the risk. So my central theme about risk management, everything in life over risk management. So you want AI, it’s going to be about risk management. And for the future workforce to be able to understand the role AI plays in their domain and understanding the risks, and then understanding how better to manage it and what tools that take place.
Because if you don’t have that in-depth understanding of what I just said, you won’t know what tools work, what don’t work, because you haven’t asked the right question. And it’s always about the right question, which is critical, which is the reason why I feel like cybersecurity has to be inclusive. Because as technology intersects so many aspects of our life, people with different domains, they bring interesting questions, because that’s what I’m really interested in. So for example, I never thought I’d be working with a choreographer with privacy security. I never thought that. But the curiosity and engaging and talking, we found a security problem that we didn’t know before the conversation. So that’s what I’m always interested, because it’s unknowns, right? So even now, the big banks, like JP Morgan Chase, they spend millions of dollars on understanding securities because they’re always curious about, what is it that we don’t know? So even the big banks still feel like they don’t know everything. And I think that’s where the curiosity should come in. What are the things that we haven’t thought about?
Steve Bowcut:
Yeah, excellent. And I appreciate your perspective on AI. It is a little alarming to a lot of people, I think, how quickly we’ve adopted AI. And it’s proliferated through every domain, as you speak. And as you pointed out, in security, we are kind of inherently always playing catch up, because in order to understand the threat, the threat has to exist. So we’re always trying to understand the threat to mitigate the threat, but the threat has to exist before we can do that. And so we’re always playing catch up. And so we need people who understand AI, and what the potential threats are there, so we can find solutions for them. So thank you so much. I appreciate that. We are out of time. But Dr. Shetty, this has been fascinating, you are a wealth of knowledge. And thank you for spending some time with us today. I really appreciate it.
Sachin Shetty:
I appreciate time, Steven.
Steve Bowcut:
Thank you. And a big thanks to our listeners for being with us. Please remember to subscribe and review if you find this podcast interesting. And join us next time for another episode of the Cybersecurity Guide podcast.