Episode 97 Transcript

Ep. 97 - Innovation Without Compromise: IT’s Role in Securing the AI Future w/ Taison Kearney

Banoo Behboodi: Welcome to the Professional Services Pursuit, a podcast featuring expert advice and insights on the professional services industry. I'm Banoo and very excited to have you with us today.

I have the pleasure of speaking with a fellow Kantatan who holds one of the most critical roles in any modern organization. As our Chief Information Security Officer and Data Protection Officer, Taison Kearney is leading our organization through the complex, high-stakes world of security and privacy, especially in the new era shaped by AI. This is very appropriate considering the number of sessions we've had speaking to experts around AI and its impact on the professional services industry. I'm really excited to have Taison.

He brings a wealth of insights that I think will be incredibly valuable for any IT leader navigating this rapid evolution of technology, but definitely also business leaders and business individuals within professional services. It's important to understand what our IT counterparts are thinking as we work through our business requirements and get those met.

Thank you so much for joining us, Taison. Appreciate you being on.

Taison Kearney: Thanks for having me. I’m super happy to be here. I look forward to our conversation.

Banoo Behboodi: Thank you, Taison. I think it's great to start with you introducing yourself, giving some background about where you've been, what you do at Kantata. Let's start there.

Taison Kearney: Yeah, absolutely. I've been with Kantata for, I think, coming on six years now. I've been in the IT industry for 20 plus years—I'm dating myself there.

I started on the infrastructure and services side and then came up and made a shift to security, probably about, I'd say, six years ago. What I do for the company is I’m responsible for the overall security posture, both internally for the organization as well as platform security. I also manage and lead our internal IT teams.

Banoo Behboodi: I know you interact with a lot of our existing customer prospects, IT leaders, and also through other organizations. What is top of mind in this new era of AI and cybersecurity for IT leadership?

Taison Kearney: Yeah, absolutely. I’ve heard this across the board. I think AI can really be considered almost a double-edged sword. There are so many tangible benefits to the application of the use of AI, such as code assist, task automation, etc. But on the adverse side of that, AI can be used by our bad actors to create advanced phishing and social engineering attacks, automated malware and exploits, and an increased attack surface.

How can we really recognize the benefits while mitigating risk? That is probably the biggest dilemma that I see most people in my position are dealing with today. I participate in CISO forums quite regularly. I connect with my industry peers from different verticals all across the various business lines. I’ve asked a simple question each time I get on there: What AI applications are in use in your environment? You may be surprised to know, but I would say 95% don't know. That’s almost a big black box of the unknown.

What’s the potential data loss there? How can we harness and get ahold of what AI applications are in use in our environment? On the flip side of that is what if we don't adopt? There are some of my industry peers who are very AI averse based on the vertical they're working in. What happens if we don't adopt AI? Are we left behind?

The biggest dilemma I think that a lot of us deal with is how do we adopt and mitigate risk along this journey to take advantage of the benefits of AI?

Banoo Behboodi: How do you think the whole role of CISO has evolved with the explosive generative AI shift that the companies have had, and how has their role evolved and how do you see or foresee it continuing to evolve in the future around cybersecurity and other aspects?

Taison Kearney: I think for CISOs like myself, you're really navigating uncharted territory. I think back to when we were moving all of our on-prem infrastructure to the cloud. There was a lot of unknown with that.

What CISOs are having to manage today is that often AI is landing across the enterprise and they might not have mature guardrails. CISOs are really responsible for securing a dynamic environment that may lack clear accountability and control. That is one thing. The CISO is going to play a critical role in navigating the journey with AI. What's coming about is shadow AI much like shadow IT. How do CISOs identify and manage the shadow AI to prevent uncontrolled exposure?

Also, what I'm seeing and what I'm having to do personally is build AI savvy teams. This is not something that two or three years ago I really had to think about. Now with AI coming into the organizations, I need a different skill set of a person to be able to not only straddle the security side of the world, but also straddle the AI side of the world. What I've been seeing is there are additional work streams that are coming about because of this.

In our typical day-to-day, we obviously have clients that we are contractually committed to responding to security assessments, etc. These are arduous security assessments. What I’m now starting to see is that we have assessments very specific to AI, and I can give you a prime example that happened recently. I think we got a 168-item questionnaire specific to AI. Do we have the skill set in-house to be able to respond to these in a correct manner? Do I have the staff to support this additional work stream? These are all things that I'm thinking about.

From a compliance standpoint, traditionally SOC, ISO, the major compliance frameworks—I know that ISO just released a significant standardization; I think it's ISO 42001. This is all around artificial intelligence management system. Now myself, other CISO security teams have an additional compliance requirement that we've got to work through—bandwidth constraint, do we have the right resources, additional investment from the company. There is so much that has changed in the role of the CISO.

I think the CISO has to play almost a driving factor in terms of the overall AI posture for the company. What I've seen across our organization is many business units can see this efficiency gain of this one AI app. Why can't I use it? There has got to be some governance around that to ensure that we're mitigating as much risk as possible while adopting AI applications.

Banoo Behboodi: You talked about skill sets and having to evolve the skill set of the team. I'm sure there's a combination of having to go out to market and add headcount or individuals with the right skill set. What does it look like if you're changing or evolving the skill set of existing resources? How easy is this skill set expansion?

Taison Kearney: That's a great question. I think the key to it is to stay ahead of the curve. The AI landscape is changing so rapidly and drastically that you really have to have somebody that's almost passionate about AI.

They really want to investigate what it can bring, what it does. Do I have the technical acumen to really understand what is happening on the back end when I'm querying some question that I'm putting out to one of our generative AI sources? It's somebody that has the willingness and that is trainable.

The way I look at it for myself and my teams is if they've got a strong technical security skill set, it can be enhanced by the learnings—tapping into RSS feeds, participating in webinars, all those things that just feed their hunger for learning. What I've found typically is a security professional has that because the security landscape is changing quite rapidly as well.

It fits that mold, but it's really somebody that is a self-starter and somebody that really wants to grind their teeth into it and get a firm understanding of what's going on.

Banoo Behboodi: If you are generally hiring for your basic needs within the security organization, but also looking for those softer skill sets like an inquiring mind, wanting to learn, etc., that's just going to allow your team members to expand and you can just provide them the environment and then they'll run on their own and get there basically.

Taison Kearney: Absolutely. We do have a program here internally at Kantata that we’ve put together. We call it internally [AI4K? 0:09:47]. It's people that really want to participate, raise their hand, take part in this initiative. A lot of this work is being done on their own time to really get a firm understanding of AI, the capabilities, and what we can actually do with it and what we shouldn't do with it. That's quite important as well.

Banoo Behboodi: I know I'm part of our own internal programs for how you're managing AI, and I think all the things that you guys are doing are extremely cool and secure and make me and our customers feel secure. Can you take everyone through what we are doing at Kantata around AI from a security and privacy standpoint?

Taison Kearney: Yeah, absolutely. First and foremost, I'd like to mention that we are supportive of AI. We are not an AI averse culture. However, me sitting in the seat that I am, I'm risk averse. We've put together some things. First and foremost, we established an AI governance council. Any AI applications need to be vetted through this council. We put policy in place so our staff knows what they can and cannot do with AI. We provide end user training; we're real big on education of our staff around AI.

One thing that I like to really call out here is we've made investments in our AI security posture. Remember back to that question that I asked earlier—what AI is in use in your environment? Most folks don't know. We've made investments in a platform that gives us visibility into all that. We can actually dig in and see what generative AI tools are in use. We block them through policy. Take DeepSeek for example; if we feel that our organization should not be using that because of some security concern, we can block that. We see what prompts are being entered into all the generative AI sources, so we know what data is going out. We also have file scanning abilities on there. It prevents us from uploading confidential data and files.

The way this tooling works and why we feel that it's important to make this investment is we handle client data as well. We take that responsibility very seriously. One thing this application does is it obscures the data that's going out to whatever generative AI source that you're using, knowing that data is permitted outside our boundaries.

We talked about the [AI4K? 0:12:18]. It's AI idea submission. Our staff is really good at asking before doing. One thing we've asked all the Kantatans to do is consider where you see AI as beneficial in your business unit. We've asked them to put together a business case, what this actually does, what the ROI gains may be, and what the potential investment is. It has to go through approval and review cycle. It goes through a security review. All those things are safeguards that we've put in place to help us leverage AI while mitigating risk.

Banoo Behboodi: On our customer side, we see that all the time as well where they are approaching us, because we are positioning our AI capabilities within Kantata, and they're looking into wanting to get more information, making sure that things are kosher from their own internal security perspective.

It's a complete loop of what we're doing internally and how we're servicing our customers with respect to the AI offerings within Kantata as well.

That being said, moving to that vendor-customer relationship, how do we switch that so that we're more effective as a trusted partner providing security advice to our clients?

Taison Kearney: Yeah, absolutely. I think first and foremost, we have open-ended conversations with our clients. You touched on what are we doing about AI? A lot of times our clients are asking us what we're doing internally. Sometimes the clients that we're talking to, their security posture is not as mature as ours. We can provide some guidance in that area.

One thing I would say is don't just do the minimum. A lot of vendors out there will tout the fact that they have SOC compliance or ISO compliance. That's it. Are you making continued investments in your security posture and taking a proactive approach to security? It costs us money, but we find extreme value in ensuring that we are almost on the cutting edge of security for not only our platform but our internal staff as well, taking a proactive approach.

I think a firm understanding of our client's business is important because based on what vertical they're operating in, they may have different security requirements or regulations such as health care may have HIPAA, GLBA, or PCI. Know your customer. How can we support their journey? What can we do to support their journey? They are trusting us with their most valuable asset, their data. I refer to it as the oil of the company. Understanding the business that they operate in and being able to support them on that journey is key.

I would be remiss not to mention data privacy. We operate globally. If you were thinking about data privacy regulations based on the geography you're operating in, it's going to have different legislation that we need to follow. It’s understanding where the clients are operating in as well. I think all of those are key to becoming a trusted advisor to our client.

Banoo Behboodi: We've focused a lot on AI, but clearly you've been supporting ours and our customers’ security for a very long time here even before AI was a [unclear 0:16:02]. I wanted to focus a little bit on what some of the other risks are that we see at professional services firms, from your perspective, that need to continue to have momentum behind them?

Taison Kearney: I think professional services firms are considered high value targets for our attackers due to the sensitive client data that they may have. It’s really looking at centralizing data consolidation. What I mean by that is less data sources, having overall centralized management of that, but not having redundant data and various sources, because you're only increasing your attack vector when you do that.

I think another risk that is posed to PS firms is client trust and reputation. If I'm a PS firm and I'm doing work on behalf of a client and my backend systems aren't as secure as I thought they may be, and we potentially have unauthorized data access or a breach, that's my reputation. That's the client's reputation. Those are things that we take very seriously.

The ability to adhere—and I touched on this earlier—to strict privacy regulations, especially as it relates to cross-border data transfer. Noncompliance with these can lead to hefty fines, legal challenges, reputational damage. I think those are some of the fundamental risks that resonate with PS firms as it relates to security.

Banoo Behboodi: With that, I think it's important to touch maybe on a practical example to bring the idea home. Can you share an example of a business justification that you were involved in recently around justifying a PSA due to security concerns?

Taison Kearney: I can actually. I think historically, PS firms have tracked the resources and projects in spreadsheets. A lot of the data is housed locally on machines. Based on the maturity of the security posture of the organization, do they have appropriate endpoint management? You've got risky data that is on personal machines. Is the ability to use removable media disabled? That's all areas where there is the ability to have data leakage.

One thing to keep in mind is that centralized management piece. We had a firm that we talked to that was actually operating in that manner. They wanted more overall visibility into what their resources are doing. They wanted a centralized, secure repository for project related data. It was a perfect fit for a PSA tool to come in and augment their process in a more secure manner for them to have the ability to continue to work and thrive.

Banoo Behboodi: Perfect. With that, what is the biggest opportunity for IT teams, to be more the leader and in the forefront, with respect to AI and security within their companies?

Taison Kearney: Well, I think it's whether it's an opportunity that if they want to, I think they're going to have to become more involved. I think typically when you purchase a piece of software or you're bringing on a new vendor, it's the business unit that is requesting that and was leading that charge.

Now with data, AI, and data governance, the IT teams need to become more involved in that conversation or almost lead that conversation rather than trying to deal with it after the fact. I think what I've seen more and more is even the conversations that I'm having with our clients, one of the key stakeholders is your IT and security teams, and that's becoming more prevalent as we go along this journey.

Banoo Behboodi: You've provided a lot of great information and tidbits for IT professionals, but also business owners to take away. If we had to hone in on this one great tip to leave everyone with, or IT leaders at minimum with, what would that be?

Taison Kearney: Double click. What I mean by that is when you're evaluating a software vendor, look at the subprocesses that they're leveraging to provide you the overall solution. A way to look at this is like buying a new car. I go to look at the car; the car looks fantastic. I would be remiss if I didn't look in the hood and check the engine or maybe the exhaust.

Many of your SaaS vendors leverage subprocessors to provide the overall solution to you. What that means is there is data transfer from your core vendor that you're purchasing to those subprocessors. Make sure that you've done diligence on those subprocessors. Make sure that vendor has contractual commitments with those subprocessors that specifically state what they can and can't do with data.

Be in the know. Know where your data is going. Don't just take it for face value when you're looking for a vendor. That would probably be my one tip to throw out there that may enhance your overall security posture and provide a little more comfort when purchasing a new piece of software.

Banoo Behboodi: Perfect, I love it. I always like to bring it home with more of a personal experience or advice. I thought it'd be very fitting to ask you to share what sources you use for pieces of knowledge. Where do you go to as your source? Obviously this is a fast-paced, changing environment that you need to stay up with. What is it that you rely on to make sure that happens?

Taison Kearney: Yeah, that's a great question. It's a multi-layered approach for me. I wish there was one book that I could go read, and it would give me all the answers, but obviously we're not at that point in time now. I go to multiple sources.

First and foremost, I participate in CISO industry forums. I get to connect with people that are doing my job across various verticals and industries. We get to talk about the challenges we're facing in our environments and how we are addressing those challenges, what's new and emerging that's coming, and what we should know about. I think that's a great avenue to connect with other peers and really talk to the boots on the ground about what they're seeing.

I also subscribe to a lot of RSS feeds. I get daily news, much relating to AI, so I get to stay in the know and really understand what is happening in the news. How is AI evolving? There are legal RSS feeds that I subscribe to because the framework and the regulations are continually changing or being created. Being in the know of that, I always try to stay one step ahead rather than fall behind and having to be in a reactive nature.

I think those things coupled together—oh, and webinars as well. I participate in a lot of webinars from industry thought leaders about how they see AI, how they see the changing landscape, and what they're doing about it. I've always been a big believer in many minds being better than one mind.

Banoo Behboodi: Yeah. Half the battle is staying in front of it all. I hope our podcast is helping our listeners, to some extent, do that as well. Taison, your insights have been extremely valuable. Thank you for making the time to be with us today.

Taison Kearney: Thank you for having me. It's been an absolute pleasure.

Banoo Behboodi: As always, thank you everyone. We know your time is valuable. I hope you found this session useful. We're happy to hear your feedback. Any questions for myself or Taison, any future sessions that you want to have, any suggestions you have, if you are interested in participating, please reach out to us at podcast@kantata.com. Happy to hear from you.

Brent Trimble: If you enjoyed this podcast, let us know by giving the show a five-star review on your favorite podcast platform and leaving a comment. If you haven't already subscribed to the show, you could do so anywhere you get podcasts on any podcast app. To learn more about the power of Kantata’s purpose-built technology, go to kantata.com. Thanks again for listening.