Greg Schaffer: Hi, I’m Greg Schaffer, and welcome to the Virtual CISO Moment. Dr. Natalia Sivanova joins us today. She is a globally experienced cybersecurity architect and trusted advisor working at the intersection of cloud security, identity governance and AI risk. And she brings more than fifteen years of hands-on experience across organizations like Google, Microsoft, Mercedes-Benz and Deloitte. She holds a really rare blend of credentials. This will be the first time she has a Ph.D. in applied mathematics. I’ve never had someone with a doctorate in mathematics before on the podcast, so I’m excited about that. An MBA, and certifications, including the CISSP, CCSP and ISO 27001 and ISO 42001 lead auditor. So we’re going to get into some AI stuff. She’s also deeply involved with the Cloud Security Alliance, where she contributes to cutting-edge work on AI threat modeling, security, agentic identity and AI governance. That’s a lot to talk about. Thank you so much for joining me today, Natalia.
Natalia: Thank you for inviting me. I’m excited to be here.
Greg: So I have to ask, because I like to let folks know where the guests are from. So you are coming to us from Berlin today and we’re recording this. My local time is nine thirty in the morning. What time is it over there?
Natalia: For me, it’s almost five p.m. So not that late.
Greg: Yeah, well, that means that your work week is done. And I still have to finish the workday today, so oh well. But I’d love to hear about your path. How did you get started in security? And really, I know you pivoted. Just take us through your entire security path or your entire career path and bring us up to where you are today.
Natalia: So originally I wasn’t thinking much about cybersecurity, because I’m old enough when it was enough for IT technologies just to work. Amen. So it works. It’s good. Right. And I was always interested in mathematics. I was fascinated by numbers and how you can describe everything as a number. And luckily, my school provided opportunities to concentrate on advanced mathematics. And it was no question I would continue my education in the university on that speciality. And I was lucky enough to still see Nokia as a strong company with world-known smartphones, and I was working for them helping their research groups on some encryption algorithms for mobile connection protocols. Later Nokia was acquired by Microsoft, and that’s how I started my journey in the commercial industry. Yes, at first, of course, it was something totally new from the academic environment. But then I really liked the colleagues, because they were very talented and they showed me how I can apply my knowledge to interesting projects while constantly learning. And I said, yes, I’m staying. And here I am now.
Greg: So you’re a… I’m just curious from the standpoint of actually transitioning from mathematics to security. First of all, I can appreciate the idea of understanding that numbers really define so many things that you don’t think about. There’s a guitar behind me here. And I was talking, I was mentioning this on the last episode that we recorded, that I’m not really the best guitar player, but I learned how to play because I understood that there was sort of a real mathematical basis to everything musical. And I wanted to try to understand that. And I think I half understand it. But from the perspective of security, how has your mathematics foundation shaped how you think about security and risk architecture today?
Natalia: I like to… translate everything in a model. So some kind of schema, dependencies between the schema, building some graphs. So that’s why I’m also very much into threat modeling.
Greg: Go ahead.
Natalia: So when you just see a list of components and a list of actors, a list of software components, it’s hard to understand what is actually going on in the system, ins and outs. A little bit like military… operation when you say, okay, we are stationed here and our opponent is stationed there, and we have such and such tools, and let’s see how we can make it work to protect ourselves and gain advantage.
Greg: So let’s dive just a little bit deeper into the idea of modeling. Let’s just say, for those who have never really worked with threat modeling or maybe have seen the word modeling, how would you describe it? What are you trying to do with modeling in general?
Natalia: So I’m trying to translate any kind of system that I’m working with into a set of objects, subjects, and the rules that those subjects are applying when they work on the object. So that is nothing new. If you look at older standards, all those access control models that were invented for the Department of Defense, you would see exactly this. So you have, let’s say, a browser user, that’s a subject, and you have some application which is a set of objects. So users can do certain operations there. And then there is an admin who can do a set of different operations. And you can always describe this as a matrix of what is allowed and what is not.
Greg: So we’ve we’re pretty familiar with application threat modeling. But I’m thinking about AI, because obviously AI has become much more of a prominent feature in companies’ operations today. Does that generally follow the same course, the same idea as if you were going to do application threat modeling, or are there some nuances involved when you’re talking about agentic AI?
Natalia: Especially agentic AI is very close to the model of subjects and objects, because agentic AI is clearly a subject. It performs certain actions on behalf of its owner, so the human user. It uses certain tools, it talks to other agents. And this is an almost ideal situation for describing it as a part of some existing model templates. Here by model, I mean the mathematical model and not the machine learning model.
Greg: OK, right, right. And I know you do. So ISO 42001, correct me if I’m wrong, that is the AI risk management standard from the ISO organization, right?
Natalia: Yes, that’s correct.
Greg: And I think that was the first one from standards bodies, and certainly it’s international. So it was actually the first one that I recall working with. But you actually are an ISO 42001 auditor, is that correct?
Natalia: I got this certification, but the reason why I got it is because I’m responsible for welcoming external auditors to my company. So I need to understand what they are doing, if they are asking the right questions, if they are maybe missing something. I need to be able to see the quality of the output, because if you don’t know or you don’t have an understanding of what they are doing, you may be left with a report which maybe looks good on paper but doesn’t bring you the level of confidence that you need to advertise that now you are ISO 42001 certified.
Greg: I always like to… I love that. So you actually went… Yeah, no, I think that that’s great. You actually went and got a certification in order to understand what external auditors were doing as far as auditing against that certification. And that’s a very rare thing for security professionals to do. Is that something that you decided to do just for 42001? Or is it an approach that you would suggest for other standards and other folks? Because, the reason why I’m going down this rabbit hole, I have never thought about, well, OK, I’m being audited over here in the States. I’ll just pick, for HIPAA, HITRUST. OK, so that’s a health care framework regulation. And I’ve read the books, I’ve read the regulation, I’ve read the advice, but I never thought about getting certified as a HITRUST auditor in order to understand better the HITRUST audit. I know I’m rambling, but how do you think that it’s benefited you, getting that certification? I know from a high level you were saying it helps you understand better what the auditors are saying. But can you give specifics, drill down a little bit more on how that specifically has helped?
Natalia: So it helped me a lot with 27001, because that’s a long-established standard. Because I have faced situations when auditors do not define the scope of the audit correctly. So they propose a scope. And if I don’t understand what it actually means, what they are evaluating there, when I get the resulting report, it says, okay, we evaluated this and this, but the most important systems are out of scope. So the report is as good as non-existing. If I compare it to, let’s say, doing some work in the house, it’s like the auditors changed the curtains, but the kitchen sink is still leaking. The kitchen looks good, but you cannot really use it.
Greg: Right. That would be a measure, I guess, of like security theater. So you’re very well versed in 42001. What does 42001 get right when it comes to governance? Because, well, specifically, obviously for governance, and because I think that one of the larger risks of AI use, whatever it’s being used for, because it’s exploding, we have problems of governance, where there aren’t the guardrails in place, the rules within corporations to talk about how to use it, and people get money in their minds, they don’t understand. How does 42001 address governance? Is it actually more effective, say, than what you would see in some of the other standards?
Natalia: The standards, for example the NIST Risk Management Framework, have lots of overlaps with ISO. ISO just streamlines the audit process, and it translates it to the same language that is familiar to auditing and certification bodies from 27001. So they have the same language. They just have different targets of evaluation and some additional criteria, because what’s different with AI is that it’s not only the IT system, like something you would evaluate against 27001, but it’s also a massive amount of data. So there is a big emphasis on how data is being prepared, how it’s being processed. Does it even make sense? Because maybe the data is not accurate or not up to date. So it reflects a dualism of AI systems.
Greg: You mentioned NIST, and that brought a question to mind that has nothing to do with AI. But being in Europe, how prevalent is NIST? I would think it’s not really referenced all that often.
Natalia: So, of course, it’s not mandatory. But the bodies that issue all those frameworks, of course, they look at each other. So they are exchanging ideas. Why would somebody invent a bicycle if there is already a set of ready-made components? And in the European Union the requirements for AI are stricter, and there should be reference to existing legislation for personal data protection. And I can even feel it as a LinkedIn user with a profile set in the European Union. Some features that are enabled by default for non-European users are usually disabled by default in my profile.
Greg: Yeah, and now you just answered a question before I asked it. The question I was going to ask, if the standards bodies talk to each other, why don’t we just have one global standard? But you just pinged on different geographic entities; countries have different regulations that have to be followed. As you mentioned, Europe focuses more on privacy than the United States, for example. So I guess that was good. You answered two questions with one statement. I appreciate that. It makes a lot of sense. Sometimes I get a little bit… we have so many frameworks out there. Do you think we’re overwhelmed with frameworks, or do you think that we’re at a pretty good space as far as the number of different frameworks for different things out there?
Natalia: Usually those frameworks focus on different aspects of protection. Some are more privacy focused, others are more risk management focused. Yet NIST is usually public agencies or even government agencies focused, which implies they have to have different levels of protection, up to the highest level, which is good for military. So depending on the nature of the business and the industry, different frameworks can be used. And for example, in automotive, in addition to this ISO 42001, we have lots of ISOs that are specific to the automotive industry, to self-driving cars, to cars in general.
Greg: Yeah, I don’t know about the self-driving cars, so I’ll tell you the truth. I get kind of scared about that. I want to drive myself. I don’t know. But some people say that that’s the future and they’re working out pretty well. I’ve got a friend who, their Tesla drives them to work every day. Of course, he doesn’t have to go too far, but I just don’t know. Anyway, I don’t want to go down that rabbit hole. But you were talking about different types of businesses. And, of course, one of the things I talk about on this podcast is about small and mid-sized businesses. And you also have worked as a virtual CISO before too, right?
Natalia: Yes, that’s correct.
Greg: So I’m curious, from your point of view, how are the smaller businesses that you’ve worked with, how are they dealing with AI implementation and governance? It seems to me that 42001 might be a little bit heavy for like a smaller business to try to implement. But I’m not sure, I haven’t done that. What are your thoughts on that?
Natalia: So just as with some other ISO standards, like 27001, 42001 depends on the scope. So if the business is small, maybe the footprint and that scope would be also small. And the business mostly relies on third-party software as a service, AI agents or personal assistants. In that case, what they are doing is mostly vendor assessment and checking if vendors are compliant. And if they are, then it’s enough to train the company personnel on how to use AI responsibly and make sure that if any data comes in and out of those third-party systems, it’s reasonably protected and kept up to date, and if the subject of rights, in that case under GDPR, is requesting to delete it, they have some procedures for how to delete it.
Greg: And how to provide evidence because it’s not enough to do something you have to provide evidence that you did.
Natalia: That’s right. If it’s not written, if it’s not documented, it never happened. That’s almost like a truth in everything that we do.
Greg: If somebody wanted to transition to being a virtual CISO, what skill sets would you recommend that they would need to have in place in order to be successful? Because being a CISO is not the same as being a virtual CISO. There are obviously a lot of commonalities, but there are some things that make being a virtual CISO a little bit different. You’re part-time, you’re a consultant. If you were to give someone advice, like they wanted to transition from being a CISO to a virtual CISO, what would you suggest they focus on?
Natalia: Focus on building trust with the customers, because if they know they can trust you, just like with any consulting business, they would come to you when they need something else to be done. And if it goes really well, you would be almost the same as a full-time CISO. But the good thing about virtual CISOs: they cannot be made accountable to the same degree as full-time employed CISOs. Some companies forget this, and they think that would be as bad for the CISO as Uber. You know that story with the Uber CISO?
Greg: Absolutely, yeah, yeah.
Natalia: But a virtual CISO is only as responsible as a regular consultant.
Greg: Right. And that’s something I think that a lot of people don’t understand, because I get that question a lot. They say, well, how do you deal with the liability? And my reaction at first is, I mean, what liability? The liability that I have is I’m responsible for providing accurate, complete, knowledgeable advice and experience to an officer of the company, but I’m not an officer of the company. So my liability ends with, okay, unless it’s like gross negligence. And I say something like, no, you don’t really need multi-factor authentication. I mean, obviously that would be gross negligence for discounting a simple control requirement. But yes, as opposed to a CISO, the virtual CISO is a consultant and is not an officer of the company, and therefore does not have that liability. You should carry insurance, of course, with it. But do you ever get questions about that, concerns or pushback? It’s like, well, no, I think that there is some more liability there. And if so, how do you handle that?
Natalia: I think it’s like an elephant in the room. So the companies see it as a way to save some money, because most companies do not need a full-time CISO unless they are looking for the responsible. So they may go either to a managed security services provider if they need a broader range of services like a security operations center, or security patching or security threat intelligence, or if they need specifically CISO, more like consulting services, they may hire a virtual CISO. In my experience, sometimes the companies do not even understand the difference between somebody being in-house as an employee and a company that is essentially a third party, which they should treat as a third-party risk and which they should assess as a part of their audits. So sometimes I have to remind them.
Greg: Yeah, I understand. I understand. Well, a lot of this can be very stressful in our field. I know keeping up with like different technologies we talked about, the proliferation of AI and then the different standards that have to come along with it, and then being proficient in those standards. And I love your idea of your approach of getting certified in something that you know that you’re going to have to understand auditing about. But that doesn’t take away the stress. Sometimes the stress is good, because we learn new stuff. It’s very exciting in our field. Each day is never different as time goes on. But we need a way to decompress from the stress in a way that’s healthy. What’s one of the things that you do to get away from the stress of everything cyber related?
Natalia: I do all things outdoors. So hiking, skiing, I even do scuba diving. Oh, my. Yes, I believe that there is nothing better than connecting with nature and leaving the busy city and all the gadgets behind you, at least for a few days.
Greg: Currently, I’m into mountain biking, and I’ve been watching the weather here, and it looks like for the first time in several weeks, actually, probably in… I’m gonna have the opportunity to go biking at one of our parks about forty-five minutes away tomorrow morning. So I’m really excited about that, because I do the same thing: get away from the gadgets, get away from the conversation, get away from the contact and just embrace nature. I don’t think that there’s anything better than that to decompress. And it can be free. So, you know, it doesn’t cost anything to walk. No, unless you buy some good hiking shoes like this or something. So what future plans do you have coming down the road?
Natalia: Future plans? I like what I’m doing right now. And I’m excited about all the new technologies that are about to come, about the development. So every day I’m learning something new. I would like to keep it that way. Not like I’m looking forward to become a full-time CISO, which is considered the top of the tops of the positions you can have in cybersecurity. I absolutely enjoy being an architect, looking at different systems, designing something, mentoring younger colleagues, because everybody says we have still some gaps. So the junior roles are being threatened by generative AI. And some in the middle, they feel threatened from the level of competence you have to stay competitive. And I really enjoy mentoring and seeing how people are growing. And some of my mentees are already mentoring their own mentees. I always love to see that.
Greg: Yeah. You’re like a grand mentee at that point in time. I always love to see that. And you mentioned that some folks are worried that generative AI or AI in general is going to take away some of the jobs. But on the flip side, I think that we’re seeing more and more the prevalence of AI-backed vibe coding. A lot of people are embracing it more, but they’re also introducing vulnerabilities, because it looks like that in a lot of instances, vibe coding is like, it’ll tell you how to do something and it’ll work. But if you don’t tell it to make sure that you create this workflow, or this whatever, for me securely, then there are going to be holes in it. And I say that from experience, because I’ve had that happen to me. And since I’ve got a security mindset, I went looking for this stuff, but a lot of people won’t do that. And then, people who think in security that AI is going to be taking away jobs: well, we need people to be able to come after AI and make sure everything is still secure. So I think everything’s going to level out okay.
Natalia: Yes, that is also my experience. So whenever we were trying to apply any vibe coding to actual development of the systems or creating infrastructure as code, so that Kubernetes configuration, we still had to use one or even two people to have a look at whether that generated configuration makes sense. I do not see how we significantly reduced efforts.
Greg: Yeah, I don’t think we can ever, nothing against the AI force out there, so don’t get mad at me, you know, thinking about them becoming like, you know, self-evident, but I don’t think that there’s ever going to be a time when humans can’t or won’t be needed in the whole process, so. Natalia, thank you so much for joining me today in conversation. I wish we had more time to chat, but there’s so many things to unpack with all of this and really appreciate you sharing your wisdom with us today.
Natalia: Thank you so much for inviting me, and I’m looking forward to seeing this. I’ve been a longtime follower of your podcasts, and thank you. I really appreciate being part of this.
Greg: Oh, well, thank you, too. I appreciate it. Appreciate you being part now of the virtual CISO family. And everybody stay secure.