Episode 51: From the UK to the US: AI Security for the Enterprise with Harmonic's Alastair Paterson

Narrator:

Welcome to 909 Exec, your source for wit and wisdom in cybersecurity and beyond. On this podcast, your host, veteran, chief security officer and cyber aficionado, Den Jones, TAPS's vast network to bring you guests, stories, opinions, predictions, and analysis you won't get anywhere else. Join us for 909 Exec episode 51 with Alastair Paterson.

Den:

Hey, everybody. Welcome to another episode of 99 Exec, your podcast for executives in tech, and hopefully we support your journey and we'd love you to support our journey as well so we can try and make this shit just a little bit better. But the reality is it's the guests that make this show, and I'm always blessed to have some great guests, and today I've got a fellow Britt. So I guess if we had an Irish guy, we could do the Scotsman Englishman Irishman joke, but we don't. So Alastair Paterson, hey, thank you very much. CEO and co-founder of Harmonic Security, AI Security. So this is something that we're all excited about, scared about. I don't know. But why don't you introduce yourself and tell us a little bit about Harmonic?

Alastair:

Yeah, great to be here, Den. Thanks for having me on. We definitely should do the Irishman, Scottsman, Englishman joke sometime, but we need a pub as well. So we'll-

Den:

Yeah, we do need a pub. Yeah, that will be a live session, I think.

Alastair:

We'll do that next time around. It'll get spicier for sure. Yeah. So I'm Al, CEO Cothener at Harmonic. Harmonic, we're all about enabling the secure AI adoption of the enterprise. Right now, pretty much every company on the planet's trying to figure out what to do with AI. Huge amount of tension between the business that's wanting to push forward and lean into this wave in a big way. And then the security legal and compliance teams are trying to hold the tie back a little bit to make sure that business is protected and isn't losing a ton of sensitive data or causing all kinds of problems for themselves that they'd rather not. So Harmonic sits in the middle of that and we've got a pretty unique way of helping companies adopt while managing the risk with appropriate guardrails, governance and control of their data. So that's what we do.

And I'm in San Francisco today where we have our headquarters.

Den:

Oh, brilliant. Brilliant. And the English accent, so let's dig in. So let's dig into ... There's a couple of things actually just to get us warmed up on the conversation. So how old is Harmonic? And when you started Harmonic, I'd love to get into that journey. Were you back in the UK at that time and then moved to the US as part of the Harmonic journey or were you already in the US and then you come up with the idea? So how did this all begin?

Alastair:

Yeah. So my prior company was Digital Shadows in the thread intel space. So I was the CEO co-founder there. That was a kitchen table in London starting point all the way back in 2011, where I was still in my 20s just about and not super credible, so I couldn't raise a ton of money very fast. So we had to bootstrap for actually about four years before I managed to raise some money in the Valley. So I got myself out here in 2015 to build out digital shadows from ... Just had a handful of customers at the time. We had about 500 at the time of acquisition in 22. So yeah, got acquired July of 22. At November 22, ChatGPT appeared on the scene. And I'd gone from managing 150 people to zero and had a bit of time on my hands to jump straight into this AI wave and got very excited very quickly.

And that's where Harmonic came from.

Den:

And so when you're thinking about Harmonic and the problem that you're solving, I mean, when you had that initial brainwave, what was the problem you initially thought you were going to solve and how has that evolved over the last few years?

Alastair:

Yeah, it has evolved a little bit actually. So I think, I mean, first of all, I'm a sort of geeky techie at heart and I just love the technology. So I sort of immediately thought ChatGPT was just a magic moment in history and got very excited because I live in the Bay Area, essentially all my friends are in tech. And so most of them are adding something in AI. And so pretty quickly, I could spend a whole bunch of time talking to people about this and trying to really wrap my head around it and where it was going. And because of the security background, I immediately thought, well, every enterprise is going to need this, but there's going to be all kinds of issues here with where the sensitive data that companies need to put into these tools is going, because employees are going to want to adopt them.

How is this being governed and controlled came to mind immediately? And I think the other cool thing though with this wave is it enables us to do much better things in security. And so one of the places we started going straight away was, well, look, when it comes to protecting sensitive data, all the existing controls kind of suck. I mean, we've lived 20 years of DLP and data labeling and it's a horrendous mess that no one's ever got to work. And it's mostly a regulatory tick box and not a whole lot else. The beauty of this area is you can start to use language models for data protection too. So where we were going initially with Harmonic was saying, well, look, we're going to look at all the risks around AI adoption and center data leaking into AI applications using language models to do that really well with the context and understanding around what users are doing and the intent behind the data that they're putting in there and a sophisticated understanding of data types that aren't just social security numbers and credit cards, which is pretty much all you can do with DLP.

So it's really going off in that direction. And where the markets pull this is, because I was originally thinking, "Well, look, we can just go and take on the data protection category here with this AI." And sure, there's room for that as well. But the bigger thing is just this AI adoption waiver's become so big and so significant and it keeps growing legs because now it's not just the use of these channel applications. Every enterprise application is building LLMs in the backend employees using these applications in different ways. You now have Cursor and Winsurf and Codex and all the rest of the coding tool engineers are using. And so actually trying to govern this entire new surface is where we've been pulled by the market and you can't do it the traditional way because you just don't have the context around the end user or understanding of the data they're putting into these apps.

So whole lot of new risks that have been appearing that we're addressing with Harmonic and focusing on the AI wave.

Den:

Yeah. No, that's pretty cool. And I think I totally agree. I mean, first of all, I agree DLP has always sucked. It's been really just a money pit of uselessness. I mean, there's some products in tech over the last probably 10 years that we've seen that we've been like, "Oh, that's pretty impressive." But generally speaking, the concept of tagging data and following that data, and then as data moved from being on- prem to the cloud or a hybrid, then it's just a nightmare. And I think the bigger thing is if you think about the breaches and the way people lose their data, I don't think DLP really solves- Never helps. ... any of that really. All it does, to your point, is give you a checkbox for we're doing DLP, reclassify our stuff with the thought originally that you spend more money on the stuff that's crown jewels and less money on the stuff that's not.

But the problem is you never knew the difference and nor did your users. If you've got 40,000 or 100,000 employees, how the hell do they know the difference between a confidential or restricted file? So I think we really need help in this space. And one thing that intrigued me about what you guys are doing is the ability to be really lightweight from a deployment perspective. Do you want to share just a little bit about how a client deploys gets up and running? And then we'll jump from the Kool-Aid business over to the business business. But I want to have you share that piece because that for me is pretty

Alastair:

Creative. Yeah. So I mean, the starting point for the challenge, we all understand the risks around AI adoption. What companies then do is they go and look at their existing vendors to help typically SASE, right? So they go and look at whatever they're using there, and they all have some sort of AI messaging now, of course, because they have to. But fundamentally, they see this as, oh, there's an AI category that we're going to create that has 200 apps in it, and then we're going to ... So we'll give you visibility in who's using them. Well, that's cool, but every app's got AI in it now. And by the way, what data's going into these apps is much more relevant than just someone hitting a URL because sure you can block DeepSeq, but what about everything else? Maybe I've got corporate ChatGPT, but my employees are all using the personal edition and dumping tons of data in there that's then walking with them into their next employer.

I mean, there's all kinds of stuff here and the SaaS is just not positioned to handle that. They see this as running their 20-year-old DLP models on the nine applications that they've bothered to get prompt data for, and the whole rest of the landscape is just untouched. So then Microsoft says, "Well, don't worry, just label everything with purview and you're fine." And as we talked about, that's nonsense. Of course, no one's ever successfully done that in any meaningful way. And the experience sucks as well. Oh, it's awful. It's awful. Security teams, they like the idea, but then they get to actually trying to implement this thing. Never works. I've never met a team in hundreds and hundreds of calls now where they're like, "Oh yeah, we label all this stuff with purviews. Great. Working brilliantly, totally protecting it. " And even if you did, it doesn't stop the prompt data getting out.

So that's typically where most companies are that we talk to. They have an AI policy that says don't put sensitive data into tools that we haven't approved and no one's ever read the policy and then none of these controls work. So it's basically-

Den:

Nobody reads all these policies that we write?

Alastair:

I hate to break it to you then, but there's a reasonable chance that those policies just sit there and strangely no one's read them.

Den:

Well, it's good now that most companies are only spending four minutes having AI write the policy and they're not even reading it themselves.

Alastair:

That's right. It's running, isn't it? So to go back to your point, so deployment wise, they to address this, you can't be sat in the network. So the very first thing that we did with Harmonic is a browser extension that is browser agnostic. It rolls out silently to every browser that's in the enterprise, including all the new AI ones. And so the end users experience no change at all on day one at all. But the security team gets visibility now at prompt level and at intent level into the adoption of more than 6,000 different AI and AI enabled apps. So we can actually show you exactly what's going on, who's using what, and even like some ROI stuff outside of risk, who's actually using these expensive tools that have been bought. We deployed recently somewhere where they bought Copilot from Microsoft and they had four times as many users of free ChatGPT as corporate Copilot, but no idea.

And then you roll

Den:

This out. And you guys do notice if someone's using a personal version of ChatGPT versus a corporate version of ChatGPT?

Alastair:

Yes. Yeah. We got all the tiers. There's four different plan tiers or five now that we track. And so again, something you just can't do at network level with the SASE anyway. And then-

Den:

I love how you're bringing up SASE, because it's like, wait a minute, the same guys at 10 years ago were saying we're the digital transformation friends. Then they went to the, we're your zero trust people and now they've done the, we're your AI security- Oh yeah.

Alastair:

We're all about AI now apparently. They got to love marketing. Yeah. The marketing, strangely always catches up first, but it's just architecturally they're in the wrong place for

This challenge. The beauty, so we're in the browser. We can then though run our own language models on the data that's getting fired out of the business. We sit in line, we coach and nudge end users when they're about to expose something highly sensitive, which can go way beyond the old world of PII and credit cards. So we can spot medical research data or settlement and dispute negotiations or M&A data, all kinds of highly sensitive stuff that we've built out in the models. And so then you coach and nudge the end user to safe outcomes automatically. Security team doesn't need to get in the way, if anything. So we're not bothering the security team or we're only bothering the end user when they're doing something highly sensitive. If they're figuring out their Christmas presents or kids' homework or their travel plans or whatever, nothing to do with us, let them have at it.

But corporate data's flying out. You don't need to label it. This stuff just works out of the box because we're using the language models. Sweet. That's

Den:

Really deep. It's good. Yeah. And that for us, when we talk to our clients, one of the biggest challenges they have is understanding what AI is in use in the company. So that's-

Alastair:

That's part one.

Den:

Yeah. Visibility. You can't protect what you don't know about. I think that security 101, I don't know, I never really read that book because I thought it was bureaucratic and bullshit. Anyway, let's pause for a minute for a quick break and then we'll come back and then we will start to talk a little bit about life as a founder. Hey folks, just want to take a minute to say thanks for listening to the show, watching the show, however you engage with us. If you're liking the conversations, if you think we're adding some value, we'd love you to like, subscribe and share the show with your friends if you know of anyone else that would benefit. Ideally for us, that will help us be able to grow the show, invest more in the quality, get some more exciting guests and keep bringing you some executive goodness.

Thanks everybody. Take it easy and enjoy the rest of the discussion.

Hey, Alastair. So let's dig into this. So loving the harmonic story. I think it's, as you know, because we kind of are excited to get involved with you guys and see if we can help our clients and leverage your technology and stuff. So for me, it's cool because this is, as I said a minute ago, it's the first step, right? You can't protect what you don't know about. So this is your second stint as a founder. So the first one you mentioned earlier on with digital shadows, you were A, young, B, unknown quantity, and C, in the UK. If you could do it all over again, what do you think you would do differently as a UK founder trying to break into the US?

Alastair:

Yeah, it's a topic actually I'm very passionate about. I've been setting up this thing, the UK Cyber Flywheel where I'm going back to the UK and trying to help the seed stage founders there do a better job of coming to the US because you look at how the Israelis have done it and it's incredible.

And the UK has no lack of talent. We've got incredible talent there. And I mean, even on the AI side, I mean, Google's AI capability is run out of the UK, deep mind, demisabis and team. And obviously in cybersecurity, you've got GCHQ and tons of other very, very sharp people there. The problem's always that, how do you take it out of there and scale it up on the global stage and build significant category winning companies? And so yeah, coming back to what are they doing wrong? I mean, I think there's a bunch of stuff and we could do a whole podcast on this, but I think if I could pick one thing, I would say they take far too long to get to the US typically. We're almost hamstrung by having a medium sized market at home, because you can sit in UK and try and sell to it for a while before you come over here.

If you're losing in the US because you got here too late, you're going to lose the category. You've got to win the US, you've got to get here fast. And the Israelis know that. They have no domestic market to speak of, so they just show up here on day one

And it's a well-worn path. The networks are strong. I got here, didn't know anybody, had to try and figure it out from zero. And so that was pretty hard last time around, but we did, I think, a pretty good job ultimately with digital shadows. But this time around, because I've been here 10 years, it's so much easier. So I'm still building the product in the UK to where the engineering is, but we're going to market in US on day one. And so I think the other problem with the UK, I mean there's cultural problems where there's just lack of ambition and belief sometimes compared to the Bay Area, where everyone's trying to take over the

Den:

World. Are you looking at my questions? Oh no, no. So yeah, I was just going to say, I mean, so you're saying lack of ambition. I was thinking, do we think too small and did you face that? I mean, when you were doing digital shadows, did you face that? Was that one of your things, which is why should we think bigger than London or why should we think bigger than the UK?

Alastair:

Yeah, for sure. Well, the pervasive culture at the time was really against startups as well. Back in 2011, any smart graduates were going to work for banks and consultancies. We're basically a country of bankers and consultants, and that's shifted a little bit, but by and large, most of the brightest graduates in the country were getting funneled into those big multinationals, mostly American multinationals in banking and finance, in consulting. And that kind of sucks. And I think there's like generations of talent that's probably got stuck in those institutions. I think it's shifted a bit and people are getting more into startups. And obviously you've got the big US firms are now heavily present hiring and recruiting in UK. But I think there's cultural challenge. So when you've got a startup founder in the UK, often the ambition's not quite there and the VCs are not quite as ambitious and the valuations are a bit lower.

And maybe we'll build something big enough that the Americans buy it is often the attitude a little bit. And whereas I think the attitude has to be, well, let's go and win the category. Come on, let's get out there and then we've got to get over here to do that because you're only going to win it from here.

So

That's the way I see it at least. And I think the other huge frustration I've got in the UK is the ... I invest in a few of the startups there and a couple of the ones that are pretty successful now have raised big grounds. They got all their design partners and early customers in the US despite the fact that the entire team was in the UK. So what about the UK's flag carrier companies? Why are they not engaging with the startup community? So that's a big thing I'm trying to push a little bit, is getting the UK to have a bit more of a melting pot of founders and the more innovative CISOs. So that's what I'm doing with Flywheel next.

Den:

And it's not like there's any shortage of good industry in the UK. I mean, there's a lot of manufacturing innovation. I mean, there's a lot of innovation that happens there. So it seems a bit of a shame that you can't find good innovation design partners as you're starting. Now from a psychology perspective, did you feel like you had to reinvent yourself a little bit as you tried to emerge in the US?

Alastair:

Yeah. I mean, I'm curious on your take on that as well, Den. I think it sort of seeps into you a little bit. I've been here 10 years now and I think everybody here has grand plans and that's absolutely fine. Whereas in the UK, if you've got a grand plan, people will tell you to pipe down a bit and know your place a bit more. And we're just less supportive of people that ... When I founded Digital Shadows, I think everyone was a bit like, "Oh, why would you do that? What are you doing? Why don't you just work for one of the consultancies or banks?" Yeah. Yeah.

Den:

And you were in London as well, which I think London ... I mean, shit, I grew up in Scotland, which is not nearly as progressive in a lot of senses as London, right?

But when I first moved to the US, I was only 28 and I didn't give a shit. I mean, I was an IT engineer, architect. They wanted me to move. I moved over with Adobe. They wanted me to move because they saw something in me. And I busted my ass over in Europe. So for me, by the time I got here, my ego was bigger than shit anyway. I was always like, "I'm better dressed than half you guys. I'm good looking. I got my shit together. I write music. I party like a rockstar. I work hard. I play..." My whole ego was just about like, "I'm Den Jones. Who are you? " And not to say that I would belittle people, but I just had this confidence that I was unbeatable and unstoppable, but that didn't come because of the UK upbringing because- Where did that come from?

Well, I think, I don't know because- You just had it. I mean, I was in school bands when I was a teenager, like 13, 14, and playing a concert for 400 people when I was 15, and

Then I played raves for 5,000 people. I was 22. So for me, I had this double life thing where I was absolutely inept in business when I was 16. I couldn't get a job to save my life. I was a postman at one point, right? And then, but I had this musical thing where I'm like, "I'm the shits." So I had this thing. So my ego and my real ambition was I just want to buy more music gear. So as I got into tech, and then I went to college and done tech and found out I was actually pretty good at this thing, then I got a job and then I was just doing my job and I wasn't like I was low in the rung of the ladder, right? So I just had to work my way up. By the time I moved here, I was already thinking, "Oh, why not drink bigger?" It's funny.

Alastair:

Yeah. I was asked recently, where did you get your drive from to do this? And my answer on the panel was my gritty Glaswegian mother because obviously that's where my family's from. Mike Kaifan is a Glaswegian and we used to play in a band together actually in London. Wow. Yeah. So that- We got a lot of shared heritage here, I think.

Den:

Yeah. I mean, that's the thing, right? It's like when you think of ... I do know a lot of musicians in tech. So yeah, we could just have a pod just on musicians and tech, but I think the reality is I think you have to have a little bit of a twisted mentality to start your own business.

I think you have to have guts and drive and ambition. And I said to my dad when I was starting 909 Cyber, I've been working for corporate for 30 plus years, why not? I mean, I had the money and I didn't do any VC or any investors. So it's like my money, my stock, my 401k, my savings, right? But the reality is I also have that unwavering confidence that myself and the people assembled, we are kick ass at what we do and we have pedigree and we know how to do it better than many other people. So the question is actually, why not?

Alastair:

I'm driven a lot by that regret, right? The famous, imagine I never did this. How would I feel about that in 10 years time? Would I regret it? Yeah, no, I probably would. Well, I'd better do it then.

Den:

Yeah. And I think, and the thing I say to people, one of my friends, actually, she started her own IT MSP 12 years ago and she just said to me, "Den, I have to be sacked 30 times before I give a shit." And after 12 years, she's now working probably like five hours a week or something and she's got a great team, assembled a great business and she's doing really well. And so for me, that's part of my inspiration. And then the other thing I think for most people is, well, if you don't do it, like you say, you'll get FOMO, but if you do do it and it crashes and burns, then we'll get a job then.

Alastair:

Exactly. What's my downside risk? I would just get another job if digital shadows hadn't worked out. And I'd probably learn something along the way. And I think that's right. It's accelerated learning in a startup environment and I thought I'd be pretty employable even if it went wrong. So yeah, I just thought the risk wasn't that big.

Den:

Yeah. Now, when I think of this as well, right? So when you're kind of trying to build in here, so I want to jump back into some of my fancy ChatGPT questions, which I do love. And I use it for good ideas and things I probably might not have thought about, but you touched on the talent and the team in the UK versus the US, right? So it's not to belittle the people in the US, but we do have great talent in the UK. So you're blending that, but what do you think of the talent market and the difference between the talent and market in the US versus the UK? In cyber, we always say there's a shortage of talent or a shortage of good talent or there's this big problem, right? But do you see that as you're trying to find great people to build your business?

Alastair:

Yeah, I think getting the very best people is always difficult and competitive. Whatever else is going on in the market, it doesn't matter. Ups and downs, right? They're just so hard to get. I think in the Bay Area, there's a certain skillset of certain world-class people that have scaled businesses to hundreds of millions of ARR before that you just can't find in Europe. There's not enough of them. There's

Maybe a handful, but a lot of world-class people live here in the go- to-market side, which is why I've got a bunch of them around me in San Francisco. But when you're hiring a lot of very good technical talent, Bay Area is a nightmare because the salaries, I mean, this isn't hyperbole, it's true. It's just half the cost in London that it is in the Bay Area for top tier engineers. And so there's the cost base. But then the second thing is in the Bay Area, why would they join me over the thousand other really exciting, well-backed AI startups that they've got options at, or the huge big tech companies that are paying even more on top of what the top end that we would pay in stock options and all kinds of stuff. I mean, it's ridiculously competitive for the good technical talent here and particularly if you need a higher ending quantity.

London, it's not easy to get good people, but it's easier. They have fewer great options. And certainly in terms of cybersecurity, I mean, we're a bigger fish in a smaller pond over there from a hiring perspective. There's a few other really great UK cyber startups that are scaling up as well, but in terms of quantity compared to here, it's just completely different.

Den:

And I can imagine there's also an attraction to joining your company because you are considered a US-based UK founded company. Yeah.

Alastair:

Yeah, we got both.

Den:

Yeah, in the valley. So there's almost a prestige to that back home. I mean, I know when I talk to people back home over the last 25 years I've been here and I say, I work for Adobe San Jose and they're like, "Holy shit, you're so lucky." And then I'm like, "Well, luck's a piece of it. " But somewhere down the line, you got to work your ass off and get the opportunities. But I think the reality is, is back home, people look at what we get to do in the valley as this magical heart of the bloody tech scene. And I think to a degree that's true. I mean, that's why I came, that's why I stayed. The sunshine helps as well because it's shitty weather in Scotland, but I mean, I think there's no reason you can't find the opportunity and dream and stuff, and that does have that kind of prestige.

Alastair:

Yeah. And it's the culture I think as well here. In any way you walk into, there's always more successful, talented people who've done more incredible ... For things. It's just the atmosphere I think is therefore quite inspiring. Yeah.

Den:

Yeah. And then from an AI perspective, I mean, there's a couple of questions I got as we wrap up and stuff. The first one is a lot of companies are leveraging AI internally to build the products and services. So where do you guys fit on that? Are you guys deep in on that bandwagon or are you reserved on the bandwagon? I mean, where are you leveraging AI to help your business grow in scale?

Alastair:

Yeah, I think it's ... Well, first of all, from a security perspective quickly, I mentioned we got the browser. Extension was product one. Product two, we launched as an MCP gateway. We also have an endpoint agent that is coming soon as well. And the MCP gateway exists because we're trying to help companies with AI adoption from an engineering perspective as well. And again, giving visibility into engineering use cases around AI adoption and the risks and running our models there. So it's something that we think about a lot. I think from a Harmonic perspective, yeah, I think it's interesting building a startup right now because you can look at things fresh. You don't have all the baggage of existing companies. And so when you're building each function now, you can look at it and say, "Well, hey, how would I do it today given all the AI tools that are available and how do I scale this up?" And I think go- to-market is one area that we're looking heavily at at the moment.

Because we're in heavy scale mode, I've got 20 open headcount right now for scaling up and a lot of that is go- to-market related. So yeah, also if you know anyone, great, let me know. But a certain amount of that is headcount, but you want to use that headcount really efficiently and effectively. So as we're looking at demand generation and driving insights out of the calls and even sales enablement and things like that, there's so much more you can do now with the tooling out there than previously we have to look at it fresh, I think. And it's nice doing it with a clean slate and not having a load of baggage and trying to just think, "Oh, I've got all this sort of infrastructure and stuff and people in all these positions. How do I make that better?" I think that's much harder than saying, "Hey, look, if you had a blank sheet of paper, how would you do it in this era?" So I think there's real opportunity for startups to accelerate away in this era.

Den:

Yeah. I mean, totally agree. And it's interesting. I was even just looking for us, like CRM, it's like traditional HubSpot, it's like after you got 2000 contacts, then all of a sudden it goes like crazy price. And I was just like, why would I pay that? Actually, there's nothing to say. We use Monday we moved over to Monday, but as I look at it now, I'm like, well, wait a minute, there's nothing to say we don't use AI to just build our own thing. It's like we can do that. Well, for my business, it's not that complicated. For some other businesses, maybe that's not the right answer. But like you say, you get to really ponder on those things and say there's way better opportunities with AI. Now, where do you see the AI security market going over the next 12 months? I mean, that for me is, I mean, you guys are right in the middle of this.

So what's your perspective?

Alastair:

Yeah, you see all these huge market maps with 20 subcategories and 400 logos and everyone trying to make sense of AI security. And I just try to simplify it all because that's the only way my brain can handle it. And so I think ultimately you can break it down just by saying, "Well, what problem are you solving?" And go from there. And I think there's only really four problems and one of them we want to own with Harmonic. So I think the first one is really the threats from AI, like deep fakes, phishing attacks and things like that. So that is a huge area. I don't think there's many compelling defenses this starts building in that area, but it's a bit of a mess. Right now, I don't think we've really seen many of the attacks yet, but they are obviously starting to come and we're going to see more in that area.

The second one on the more positive side I think is AI for security. So SOC automation, you're seeing an involved management and a bunch of other areas, a lot of startups in that area. I think that's great. I think maybe some of the hopes were a little overblown initially and a little over-hyped, but- Just a little. Yeah, there's certainly some stuff that will be done in that space that I think is quite exciting. Then the third one, which again is not us, is helping companies build their own AI applications and protect them and monitor them and roll them out and all of their red teaming and all that kind of stuff. And that's a big old mess of a space. And again, we're not in that one, but it's got lots of startups in it solving different little bits of that challenge. I think that's too messy for me.

And then the final one is obviously one that I like the best, which is really the workforce adoption of AI and enabling that and securing that. And that's really what we're trying to own with Harmonic. And so I think in that area, which is what I'm spending all the time, I think, as I said, we've gone from the initial use of ChatGPT and things like that, which is going to continue to be a big thing, of course. But I'm spending a bit of time thinking about citizen developers and the way ... Because we're hiring 20 people, one of my first hires is ideally a recruiter. So I interviewed a recruiter last week who's using Cursa as part of her recruiter job. And it's really interesting. I met actually someone in events marketing at another Bay Area tech company was using Cursor as well with a bunch of MCP servers.

And so I'm sort of looking at this and it's sort of really interesting to me how that sort of evolution of tooling is going. And it's mostly like Shadow. So the first example is basically Shadow AI because no one knew that she's using Kursa for a recruiter job. For the events marketing one, they were provisioning her with Kursa and a bunch of MCP servers because it's a super tech forward company. And so, I mean, that's just cursor, right? But you've got this Copilot Studio, Google launched their tools recently. There's tons of pick your, pick your tool, right? I think it's super interesting how this is evolving and almost the employee interface with their work is shifting in a way I've not seen before. And that's really where we're positioning Harmonicas to deal with all of that.

Den:

Yeah. I mean, it's funny just, yeah, I've heard of a lot of people in the marketing space and I know recruiters are heavily leveraging AI now to screen through around stuff. Yeah. I'll need to make sure. So on the show notes, we'll need to make sure we add the links to your jobs page so People Can see that. I mean, also your main website, but we'll give them the direct link to the jobs thing. And then, yeah, I mean, it's interesting. I look at this like people over ... I mean, I think there was the excitement about AI in the last year or a couple of years ago when ChatGPT really came out everyone was like, "I'm like this and that. " And then I think the realities begun to hit and I think for most large organizations, they're already behind the eight ball on knowing who's using AI in their company. So that's one of the reasons I think you guys are going down a great path because I think you will help solve that problem really quickly. And I kind of look at it like there's the AI for employees and workforce and then that backend, like you're talking about like agents that are doing work on behalf of running apps and services, that backend piece.

So it's still kind of like a workforce, but it goes back to the account, like almost like the old identity problem where you had human identities and non-human identities.

And

I look at it almost a little bit kind of similar to that problem. And after 25 plus years of talking about least privileged, we never solved that shit to begin with.

Alastair:

Now it's getting magnified with your agentic workforce.

Den:

Yeah. So now we didn't solve least privilege in the last 20 years, although some companies would think they did, but they didn't. And I'm friends with many of them, but they didn't. And the AI side of this now is just going to compel it even worse. I mean, I think for me as a consultant, it's great because we know that that keeps us in the job. There's a lot of companies going to struggle with this. And luckily enough, our team have got some good experience there. Actually, I want to close with a shameless plug for my shit for a minute. We are of the opinion that with AI, because of COVID and AI, there's going to be a shift in how the workforce operates. I've got a sneaky suspicion rather than this Monday to Friday, nine till five nonsense, we're going to have a huge influx of gig workers.

I think AI is going to push some people out of work, and that's going to force some people to try and get work. And while they're doing it, they're going to pick up some gig work because they'll need money. And I think some people who are already working still do some gig work on the side. And there is stuff like Upwork, but we're now focused on, I'm going to say, updating our platform 99IC to become 99 RCS, which is all about resources. So we're getting to the point now where basically companies like you guys or anybody else with a credit card can swipe their card, they can get someday for four hours here, eight hours there. And we've got freelancers that would register all the way from students to all the way to CISOs or other types of people, engineers and such. And I just see, I'd love your taking this as I sound out even more, but I just see that being something which is a huge opportunity in the future.

Alastair:

Yeah. It's really interesting how this is evolving. I mean, you've got all the phase of AI getting rid of all the jobs. And I sort of feel like it's, I think it's going to be very uneven how it's felt. There's some jobs that I think, yeah, cool center workers, things like that, that is going to be a very challenging space to work in. But I think there's so much opportunity with people that get plugged into AI. It's being more effective. I think for those that do get good at using it, this world's going to get a lot more interesting and exciting, I think. And there's new professions spinning up like go to market engineer is a big one now that we hiring people like that. So yeah, I think it's going to be very interesting how this evolves. And to your point, when there is some displacement going on and people are looking around for things to do, they will be plugging in where they can, I'm sure.

And so yeah, it sounds like an interesting platform that you're building there.

Den:

Yeah. And I've got that hypothesis that companies that maybe needed a full-time person before, they don't now, but they maybe need some day with skills that can do a four-hour hour to just review stuff that AI is even churning out because I do think there's a problem with churning out some AI code and blindly thinking it's all great and not having a human that's skilled reviewing it. I mean, I think there's still going to have to be something there.

Alastair:

Yeah. It's companies like a DPO role if you have that sort of thing. There's a lot of companies need part-time DPOs on the security side, right?

Den:

Yeah.

Alastair:

So yeah, I think there's a bunch of things like that.

Den:

That's great. Yeah. Yeah. So it's funny because it's not a big shift for us to go from where we were at the start of the year with 909IC to where we're going to be. It's still freelancing at the end of the day. So yeah. So hey, Alistair, great catching up. I know you and I, we're in the same British network, so we get to hang out on Friday for a fancy lunch, which I've been told it's my first time. I've been told it really starts about 11:00 and by 2:00 PM, there's just a lot of drunk British people walking about San Francisco.

Alastair:

You were not misled. Yeah. I'm pleased to report. So I'll hopefully jump into you there.

Den:

I will see you there. Yeah. I think I hear there's like 700 or something, like a crazy number like that. So yeah, you'll see me. I'll be the loud Scottish guy with the loud jacket, so I'll be there. I'll look out for that. Hey man, thank you very much. Great having you on. I know we're going to plan a LinkedIn live session about AI security in January and certainly there's opportunity for other pods and discussions in the future. So thank you, sir, for spending close to 40 minutes here.

Alastair:

My pleasure, Dan. Thanks for having me. I'll look forward to seeing you soon.

Den:

Thanks,

Narrator:

Man. Thanks for listening to 909 Exec. Subscribe wherever you get your podcasts and don't miss an episode of your source for wit and wisdom in cybersecurity and beyond.

‍