Cloud Security Today

AI agents and the future of cyber

Matthew Chiodi Season 6 Episode 1


Kelly Bissell shares his extensive experience in cybersecurity, from early internet security challenges to the transformative impact of AI and machine learning. Discover practical insights on risk management, organizational culture, and the future roles of cybersecurity professionals in an AI-driven world.

Emerging AI Standards

  • https://www.aiuc-1.com/
  • https://cloudsecurityalliance.org/ai-safety-initiative

The book Matt couldn't remember: https://www.amazon.com/Cuckoos-Egg-Tracking-Computer-Espionage/dp/0385249462



Matthew Chiodi (00:11)
Welcome back to the Cloud Security Today podcast. No, the podcast is not going away, but I did take a sabbatical and decided to rest. But I'm back and today's guest is none other than Kelly Bissell. Kelly is one of those rare leaders who's seen every era of cyber up close. He's led at the biggest stages. He's been the global managing director of Accenture Security, Deloitte's cyber risk leader across EMEA.

and most recently at Microsoft, spanning security engineering, deputy CISO, and leading central fraud and product abuse risk. And that part is why this episode is so timely, because we spend most of our time talking on what AI might do, right? In conversations with friends, well, it might do this, it might do that. Kelly, on the other hand, has been living through what AI is already doing. And this is why I was so excited to have him

on the show. He's done this specifically inside real operations at insane scale. We get into how agentic AI and machine learning are changing fraud, abuse and SOC work, where you should start automating, what not to automate and how to measure success when the goal isn't just, wow, that's cool. This is AI. It's less exposure time and fewer bad decisions. Then we go right up to the spiciest question in the room.

agentic identity, what actually needs to be controlled when agents start chaining tools, APIs, and the actions across your environment. All right, let's jump in.

Matthew Chiodi (01:53)
Kelly, welcome to the show.

Kelly Bissell (01:55)
Thanks, Matt. Good to see you.

Matthew Chiodi (01:56)
It's good to see you. So I wanted to jump right in. You've had a long run in cybersecurity. Let's go all the way back though to the beginning, all the way back to the beginning. What was the moment or maybe the problem that really pulled you in and captured your attention?

Kelly Bissell (02:14)
Well, I'll tell you that I sort of tripped into the world of cybersecurity because I was building, way back in 1995, an ISP, an internet service business. And I was logged into one of the switches and someone else was there. And I thought, hey, who is this? And I traced them back to Romania. And at that point, they were just trying to get free email service and long distance with this telco. And so I sort of fell into it and I thought,

Wow, we have got to start focusing on securing the systems, not just building them.

Matthew Chiodi (02:51)
I love that. That sounds really familiar with, uh, what was that book? I remember it has a yellow cover that came out. Um, oh my gosh, it's about hacking. The guy was also not in cyber security. It totally slipped my mind, the name of the book, but, uh, Cliff Stoll, Cliff Stoll, right? Yeah. So he wrote this book, which, the book, I don't remember off the top of my head. Um, something cuckoo, cuckoo something. I don't remember. Right. I can see the book. It's literally right.

Kelly Bissell (03:07)
Uh, yeah, yeah.

yeah, yeah, yeah. I know exactly what you're talking about. Yes.

Matthew Chiodi (03:19)
There on my shelf, but I can't read it from over here. Anyway, we'll put it in the show notes, but there's a great book. He talks about essentially he was at his university, same type of thing. Who's on this Unix system, this whole cat and mouse, I call it the cat and mouse bit. What, so what's the end of this story? So there was somebody in your, on your switches. They were from Romania. Did you ever figure out what it was, or just.

Kelly Bissell (03:39)
Yeah, they were just trying to get free service. And they weren't trying to do anything malicious, but I suspect they had family in this regional Bell operating company, BellSouth at the time, now AT&T. And they were just trying to get free long distance for the family, probably. That was before people realized you could make money.

Matthew Chiodi (03:42)
Okay.

before

that, and before the DMCA and all the stuff that made it illegal. That's interesting. So what was it like after that for you? So that was kind of like your first taste of, somebody else is in this system. How did you, like, what was the progression for you after that first incident?

Kelly Bissell (04:03)
Yeah, exactly.

Yeah.

Well,

then it evolved with technology. Pretty soon after that, as a matter of fact, I got involved with IPv6, the standards of IPv6 in 1995 and 96. And we were thinking about security in the protocol. And at the same time, my bank offered, which was new in the market, online banking. And I looked at the security, I thought, holy smokes, this is terrible.

And again, it's sort of the ball with technology. And so I moved from that sort of thing to securing networks and securing applications, in this case, banking systems. And I was really as the wild, wild west of the internet. And I was trying to keep up with securing that growth of the internet at that time.

Matthew Chiodi (05:07)
Yeah, it's exciting. And I know we're going to talk about AI in a little bit. We'll get there because this is the next thing that everybody's talking about right now, for good reason. But there are quite a bit of parallels to the advent of the early days of the internet. So let's go back a little bit, though. So looking back at your Microsoft years, you recently retired. What's maybe one lesson

that you learned the hard way, that you wish every security leader would learn earlier.

Kelly Bissell (05:40)
There are so many, I've got so many scars on my back of lessons learned. I think the most important thing is to not get caught up in the tech or in the protocol issues or in the regulations even. But really balance security and usability and that user experience. And I think it's an art as much as a science, but

time and time and time again, I really learned there's no silver bullet, the right applied security and the right situation to the right level of risk or value of that particular data. So, you know, if you're trying to secure a bank account, that's very secure. If you're trying to secure something that doesn't matter, that's benign, then maybe you apply different levels of controls.

And I think that's the most important thing is pragmatic applied security.

Matthew Chiodi (06:39)
Yeah, I think that's a good point. I'm thinking if someone is listening and they're in the GRC field, they just live in this world, this minefield, that just interweaving, especially if you're a global international company, there are all different types of standards and regulations. And it almost seems like everything is of equal importance. But there's a saying that says, when everything's important, nothing is important.

How do you, maybe let's break it down a little bit more, like, cause I fully agree with you. What are maybe, what are some examples that you can share maybe from past situations, even if you have to anonymize it, that really that you learn that lesson in?

Kelly Bissell (07:20)
Yeah, well, I think my 20 years of consulting allowed me to see hundreds and hundreds of different situations. And it's a little different from my world at Microsoft, where I was focused on the deep technical issues at the DNA level. But in my time spent in consulting, it was around how do I look at risk in a bank?

Matthew Chiodi (07:33)
Mm.

Kelly Bissell (07:47)
And that's very different from a government agency or a retailer or a pharma company or oil and gas company. And I think what I've learned is you have to really understand how that business makes money. What motivates the bad actors to either steal the data, disrupt service, deface maybe even the website to cause embarrassment or other things.

So you gotta know what the motives are of the bad actors. And then you can start applying the right protective and detective controls, the security things in place so that business can thrive and be safe.

And maybe one thing I've sort of learned by helping a bunch of companies recover from ransomware is the single point of failure. So let me give you an example. There was a chemical company and they were dead in the water, but not all their systems were shut down. They couldn't produce chemicals. They couldn't

sell them, they couldn't ship them, only because one print server was down. Not the whole company, just the print server. So they couldn't print labels, and they couldn't sell product, and they couldn't load those products on the truck and get it out the door. And so the single point of failure in this case was pretty important. But it was targeted by that ransomware actor, not to go after all the other systems, but that one.

And I can say the same thing for a transport company. It was fuel management, not a truck or a train or whatever. So I think it's important to learn not only the motivations, but what is the single point of failure that may disrupt operations the most that you're not thinking about?

Matthew Chiodi (09:43)
It sounds like a good example of an attacker that understood their target or their ICP, their persona they wanted to go after, right? They knew it perhaps better than the cybersecurity team did at that company.

Kelly Bissell (09:57)
That's right. I think that's the thing that evolved over the five eras of cyber that I've been tracking over 30 years is the era of the attackers knowing as much, if not more, about the company which they're targeting. And it just means the good defenders of the world have to actually know their business well. They can't just be generic IT people.

or generic security people. They've got to be banker security people or oil and gas security people. So they have to be in the guts of that company's business.

Matthew Chiodi (10:36)
You know, over the last, I don't know how many years, seven or so years, there's been the development of the BISO role, right? The Business Information Security Officer. And I think it probably fits directly with what you're saying. If you have a large organization that has multiple lines of business, there's just specialization that's going to, that's required to really know the risk profile of that line of business, instead of just having this kind of this generic horizontal cybersecurity function. I think.

I think that's what it recognizes. Would you agree with that?

Kelly Bissell (11:07)
Yeah, I agree. I love the BISO model. And as a matter of fact, there were several times where a CISO or others, a CIO, would ask me about organizational structure. And this one debate was, should it be central or decentral? And I don't think either is the right answer, but a hybrid is maybe the best option. And this is where a BISO comes in nicely because they're in the depth

Matthew Chiodi (11:24)
Mm.

Kelly Bissell (11:35)
of wealth management or investment banking, whatever that business function is, but they're also tied to the bigger picture. And so I think a hybrid environment is much better.

Matthew Chiodi (11:48)
I would agree with that. I would agree with that. I think, you know, if someone's listening to this and they're in a, you know, a small to medium sized company, they may not, they may not have the, maybe they may not have the resources to have a BISO for every role, but I think where it can be made a business justification, and the companies that I worked with in the past, that BISO was almost always directly funded by that line of business. That's how we typically did it at the companies I worked at. And, you know, you knew that if they were funding it,

they wanted that person involved. And that was a great, great model to get skin in the game.

Kelly Bissell (12:23)
Well, I love that model too because if they're paying for it, they can set priority. And they actually take on responsibility for it as well. But you're right, an SMB, a small medium business, I don't know that they need a BISO because it's, you can put your arms, one security team can put their arms around the whole business.

Matthew Chiodi (12:47)
So you posted sometime in the last two to three weeks something that really caught my attention. So again, I knew you had retired recently and I saw this post that you did saying that you had built your first Apple app in, I think, like five hours, I forget what it was. And so, you know, in the pre-show you and I were talking about how, you know, it had been 10 plus years

since you had done any hands-on software engineering. So just stepping back from that comment a little bit, besides your recent retirement from Microsoft, what changed? What got your attention? And then maybe tell us a little bit about what you built.

Kelly Bissell (13:22)
Well, yes, it has been a while, but I've written tons of code, mostly scripts to do IR or some hunting or things like that. But as far as pure application build, it's been a while. But the world is totally different in that time. Earlier this morning, I looked at that same app that I built on the Apple Store, and it had 2,800 lines of code.

2,800 lines of code. It would have taken me weeks and weeks and weeks and countless hours to debug, you know, all the errors I would have made. But to build that in five hours is world changing, world changing. And again, I've been developing for, I've been in software, the software and IT world for 30 years. So I'm not a novice.

Matthew Chiodi (14:03)
Hmm.

Hmm.

Kelly Bissell (14:17)
But it would be easy now for, I asked my son to come build an app with me and he did it in a few hours and he didn't have to touch one line of code. The world is different today than it was even two years ago.

Matthew Chiodi (14:32)
So if you're a cyber professional listening, you've obviously, unless you've been hiding in a cave somewhere, you've heard about Claude, the 4.6 on it, all the new models that were released in early February of 26, you've heard about it. You've heard about vibe coding. You're definitely going to hear about agents. We'll talk about that in a couple of minutes. But before we go into that topic, for you with those models, what do you see the impact

for cybersecurity teams? Cause most of the cyber professionals I talk to right now are, they see that as a tool for, like, engineers. There are very few cyber professionals right now that are, I think, using Claude. A lot of them are using like GPT, Gemini, Copilot, but not many yet are building in Claude. What's your impact? What's your thought on that?

Kelly Bissell (15:22)
Yeah, as a matter of fact, before I even left Microsoft, and by the way, April 2nd is my last day, so I'm still sort of there. I was using AI and machine learning to actually build better hunting capability. So forget the Apple app for a second. Using Azure ML and using Claude and Copilot, I was able to build an automated hunt function that would have taken me

hours and hours and hours of work to do manually in scripts and parsing things and downloading it and then uploading it back and building some more scripts. I was able to do that in an automated way and now it's autonomous. And that has been incredible because we've been able to use that to look at trillions, trillions of transactions a month with high efficacy.

Matthew Chiodi (16:17)
Hmm.

Kelly Bissell (16:19)
And this is where ML comes into play, where our false positive rate was like 0.02%. So the accuracy was amazing. But it took a while to sort of get that tuned. But that's the power of what AI and ML can do. A combination of agentic AI and the machine learning side. It is transforming this market.

Matthew Chiodi (16:27)
Hmm.

Kelly Bissell (16:48)
My advice to the cybersecurity professional, if you're still approaching cyber things manually, you're going to be left behind. And so you've got to really learn this new realm of ML and AI.

Matthew Chiodi (17:03)
I love that. I love that. I know it's funny. I think it was, I'm not sure if it was before or after you and I did our, did our kind of our initial sync, but I did download Claude and built my first app, right? Just my first app, just to see like, hey, and it was very fun. Kind of the whole iteration, I guess it's the vibe process, as they're calling it, but I was up to like version 121

in less than like six hours, but I got it to do exactly what I wanted it to do. And it was better than a commercial product that we had better than it. And it probably cost $30 in Claude credits to do. Right. So it really is pretty amazing. So if you're listening right now and you have not tried Claude, try it, download it, just, you know, get some free credits if it's possible to get some free credits, even if it's not free.

Kelly Bissell (17:35)
Agreed.

Matthew Chiodi (17:53)
Just try it. If you have an idea, just try it. You know, Kelly, we didn't actually say, what did you build? What was your first app store app that you built? What did it actually do?

Kelly Bissell (18:05)
Look, it was just a financial planner, like a budget-oriented one. I wanted to start something simple. And then I moved actually to Monte Carlo simulations, which I'm not a math economics person, but it had all those things built in and did it for you. So I started small and I started moving to far more complex sort of functions. And now it could do forecasting in what-if scenarios. And in this Monte Carlo simulation, it could do 100 different simulations to get

Matthew Chiodi (18:09)
Alright.

Kelly Bissell (18:34)
better accuracy of what that budget forecast might be. And I thought it was pretty fantastic, actually.

Matthew Chiodi (18:42)
And so now you, if you're listening again, maybe if you didn't quite get it before, maybe this will help us all kind of understand a little bit why, when Claude and Anthropic dropped their models a couple of weeks ago, there was such a hit to so many software companies' market caps. Just think about it, right? And I think we're, I think we're only in the first inning, to use a baseball analogy.

Kelly Bissell (19:04)
That's right, we're in the first or second inning for sure. And this is where the efficacy of the model wins. Like the ease of use and integration of that model. So in this case, Claude built into Xcode, Apple's Xcode IDE, was super easy and out of the box. As opposed to maybe another model that you would have to do it outside and then copy and paste it into the IDE, which wouldn't have worked effectively.

Matthew Chiodi (19:11)
Hmm.

Kelly Bissell (19:32)
So I think Claude, to your point, Matt has been great.

Matthew Chiodi (19:37)
So before the show, you shared with me, maybe this is what you were alluding to a couple of minutes ago, a KYC case study, right? A Know Your Customer case study where, when you were back at Microsoft, tell us what your team built in concrete terms, like what exactly got automated, what controls and approvals stayed human, like how did you measure success beyond just speed?

Kelly Bissell (20:00)
Yeah, so let me give you background to make sure everybody understands where we're coming from. So the team did a few things. One is they did vetting of all new customers on the planet. So if you're going to be a Microsoft customer and buy a PC or M365 or AI or cloud services or Xbox games or LinkedIn, anything you buy comes through this function. And with various regulations,

trade sanctions and all kinds of things, there's a KYC or Know Your Customer rule. And so we vet every customer and partner that comes on board, and we have to make sure we know who they are. And there's a whole lot behind that around things like risk scoring and so forth about who that customer is, so we can detect fraud. And then as they transact on Microsoft and use products,

there is an abuse function. So think about things like deep fakes on Teams or spam and email or crypto mining on cloud. These are an abuse of products. And so there's an abuse function that the team also built into the engineering, the fabric of the product to be able to say, hey, are they using this the right way? Are they actually doing harm? And this is where we could find all kinds of scams.

Matthew Chiodi (21:03)
Hmm.

Kelly Bissell (21:22)
fraud, abuse, and other cyber attacks. And this is where we relied heavily on AI. And this is really important, AI and ML, to do three main things. One, we took the SOC, the Security Operations Center, and we're on a path to automate about 60% of those tickets.

Matthew Chiodi (21:50)
Hmm.

Kelly Bissell (21:51)
And what it means is we could actually shrink the time to detection and the time to mitigation, which means the exposure is smaller. The second thing we did was to auto-detect things like domain impersonations. You know, when someone maybe sets up a domain that looks, that's misspelled, that looks like another, we use an ML model for that. It's called a Siamese n-gram network.

Matthew Chiodi (22:18)
Fancy name.

Kelly Bissell (22:19)
And we looked at, as a matter of fact, the first time we went live, we looked at 159,000 domains with one false positive. It was fantastic. So the second thing was around how do we detect things faster? And then the third thing was that vetting process that I mentioned before. We had 73-some-odd people in this team that looked at, did a manual vet of this new customer.

Matthew Chiodi (22:27)
Wow.

Kelly Bissell (22:49)
And we took it down from about 48 minutes per vet if they were laser focused on that one customer. And now the AI does it in less than two minutes with 96% efficacy. So it's better than human, better than human efficacy at a faster rate. And now those agents that do the vetting report to a human.

And that opens up another question like identity management, right? So we're back to identity management like we have been for 20 years.

Matthew Chiodi (23:25)
Wow. What did you, so we talked about speed. You talked about accuracy. Which of those can, like, well, let's, let's back up a little bit. How long did it take you guys to get there? Cause I think, you know, someone could be listening and think, did they do this in a year, 18 months? Is this six months? Like what were kind of the timeframes? Cause you guys are, you know, you guys are dealing with a massive volume here. You said anybody who buys a Microsoft product, right? So massive volume.

Kelly Bissell (23:28)
Yeah.

Matthew Chiodi (23:52)
What was the, what did the timelines look like and like, you know, how long did it take you to get from like, okay, here's the idea, to this end state that you're talking about.

Kelly Bissell (24:01)
Yeah, well, look, you know I'm super transparent, maybe to a fault. But I'll tell you that for us to get started using AI as a consumer of AI, not a creator of it, but as a user on operations, the hardest part was learning how to get started. And we sort of rolled around in it for, I would say, three months. And we could have gone faster. The second thing I'll say is,

I didn't think about this ahead of time, but there is this change control that I should have thought about, like change management, where software developers like their old systems, their old processes, and they didn't want to change. Maybe even a little bit of a fear, but if they did change, what would happen to their role? But once we got through that, to build that vetting function,

And it went through lots of iterations, but it took about two months.

Matthew Chiodi (25:01)
Wow.

Kelly Bissell (25:03)
through lots and lots of iterations, now live, and it's moving right along.

Matthew Chiodi (25:09)
That's really fast. I thought you were going to definitely say at least six to nine months, but that's really fast.

Kelly Bissell (25:15)
Well, I will tell you,

I looked at a timeline, the initial timeline, and just like everything, it was stretched, the SDLC process was stretched out like nine months, and I was like, no way. And they came back and really changed the way that they thought about software development in the whole lifecycle. And that's how we got it to three months. I mean, three weeks, three weeks, yeah, yeah.

Matthew Chiodi (25:37)
that.

So let's talk about the one last piece of this and then we'll move to, we'll talk a little bit more about agents. Like how did you guys think about what controls and approvals stayed human? You mentioned that you're not, it's not fully autonomous. There's still, I think you said, one or two humans that these agents report to. How did you think about controls and approvals, like that human intervention, human in the loop piece?

Kelly Bissell (26:03)
Yeah, well, first of all, this is where I think the discipline of models matters. Me being a cybersecurity person, I'm highly skeptical of everything, you know, just like most of us here. So very few things are truly autonomous. So if a vet goes through and it has checks and it has also a

secondary check control to make sure that the first agent hasn't veered off or been poisoned. So there's a check of the vetter. And as long as it stays in line with the model, then good. But if it starts to drift down its efficacy score, then a human takes a look at it. Because sometimes...

Things are black and white and it's easy, an easy decision. And sometimes it's on the line. And that's why the risk score is so important because if it's a 99, it's easy. If it's a zero, it's easy. But if it's a 50, then maybe you need the judgment call from a human.

Matthew Chiodi (27:10)
So one of the things that has been talked a lot about over the last six months is you look at tech companies, there has been shedding of jobs. And it usually is at least what executives are pointing to is it's AI, right? It's efficiency gains from AI. You mentioned that this team went from somewhere in the seventies down to two managing it. And I think before the show, we had talked about that you guys had found other roles for, I think, most of those people. That's not always the case though, right? So let's talk about it from the perspective of like,

We're not going to pull AI back at this point. It's not possible. It's very far down the road. What new roles do you think become more valuable in an agent-driven organization? And obviously, there are those Anthropic-based companies that are pushing the frontier of this. And then there are the Fortune 500s that are doing this. But it's still probably 10% or less of

Kelly Bissell (27:42)
Yeah.

Matthew Chiodi (28:05)
their organization. What new roles do you think become more valuable in an agent driven organization?

Kelly Bissell (28:11)
Well, look, in all the efficiency that our team gained, we could have given roles back to the company, but we decided to do four times the amount of work. So we just actually took on more responsibility to look at other risks in the company that maybe we didn't have time to look at before. So we actually did more with the same people, okay? 4X the work. But the roles do change.

So as part of my talent strategy, I had to think about how is my hiring and recruiting gonna change in the age of AI versus pre-AI? And it does change differently. And here's what it meant. Less operational roles, meaning human manual checking, more data science.

and more software developers, but not different kinds of SWEs, software engineers. Because take a look at my Apple app, right? I don't have to be the best developer, but I can actually get that app pretty good, maybe 80%, and then have the last heavy engineer do the 20%.

Matthew Chiodi (29:17)
Yeah, right.

Kelly Bissell (29:30)
And I think that's how my SWEs are shifting over time.

Matthew Chiodi (29:36)
I like that, I like that.

Kelly Bissell (29:37)
The

thing I'm thinking about is how do I fill the pipeline? Because I can't just hire nothing but heavy engineers, you know, that 20%. Because they, over time, they're going to graduate from university. They've got to grow and learn how to be heavy engineers. So I just think the market's going to shift a little bit to allow AI to do the mundane.

Matthew Chiodi (29:46)
Hmm.

Kelly Bissell (30:05)
You know, building all the structure of the application like I did on the Apple App Store and then allow the deep specialists to actually do the last bit, the last mile.

Matthew Chiodi (30:06)
Right.

You know, and there are, there are corollaries there with cloud. I was talking with someone else about this from one of the big four consulting firms. And, you know, when cloud first kind of burst onto the scene in the early two thousands, um, the idea was that everybody who was an IT admin was going to lose their job. That's it. That was the fear. It was a very real fear. Now that didn't, didn't use, it didn't happen. What happened was that you didn't have to rack servers anymore, which, let's be honest, very few people enjoyed that part

Kelly Bissell (30:46)
That's right.

Matthew Chiodi (30:46)
of the job,

chasing cables, getting RAID arrays set up right and all that kind of stuff. So I think that, I don't know. I've talked to a lot of people about this. I tend to have a lot of opinions on things. This is one that I don't have a crystallized opinion on yet. What's, how is this going to change? What are cyber roles going to look like? They are going to change. They're always changing. But this is one that, you know, when I look at the last 26 years that I've been in cyber, I've not seen anything like this. And this is why

Kelly Bissell (30:53)
That's right.

Matthew Chiodi (31:16)
I think that, you know, agents are such a hot topic, which is what I want to dive into here real quick on the topic of agents

and identity, right? So agents and identity. This is a really hot topic. So I think it was last week, Mike Johnson, the CISO at Rivian, posted on this and it just, it blew up. He asked really great questions and he was basically like, I don't, I don't have an answer for this. Does anybody have a thought? And of course, boom, there it went. So this is what he said. So this is the next story. He said, agent identity is unsolved because on behalf of a human falls apart once you have chains of agents calling tools and APIs.

Okay, so from your seat, what's the real control problem here? Is it identity? Is it delegation? Is it intent? Is it provenance? And maybe what's a mental model you want CISOs to adopt before they start buying agent security products? How do you think about this?

Kelly Bissell (32:14)
Look, I actually think I love the debate because I think it's important for us to hash through this a bit. I'm a little bit more relaxed on it. Only because we've been, from an identity standpoint, we've been securing things like system accounts, service accounts for many, many, many, many years. An agent is somewhat similar to that. The thing that we have to be careful about, so if I have an agent that reports to me,

then that agent should have only rights and privileges that align to that role, the duties of that agent. And I think that's normal and we've been doing that for a long time. That's one. The second thing, I am against building another tool with agent control. I believe the current identity structure needs to go to an inheritance model.

So things like conditional access. And that if you can set up conditional access to know what the agent can and cannot see and train on, that's good. And that's not another tool, but the current tools that we have. Same thing with user attestation or IGA. And so I just think that we have to inherit the current tool structures that we have and model, like with system accounts and service IDs,

like we've been doing before and apply it to this world of AI agents. Here's the difference. Agents can drift over time because the data changes, maybe their learning isn't as refined, and this is where the agents and the models have to make sure they're adhering to the efficacy score. Again, back to those false positives, false negatives, and efficacy of that agent.

We have to stay in there. So that's where the data scientists sort of monitor those agents also over time. So I think the summary is, I think we got the right tools. I think we have to adjust them a little bit and just make sure that we include the efficacy of those agents into their user attestation process.

Matthew Chiodi (34:26)
Most of the organizations that I speak with, they don't have a strategy for agents and identity, right? They don't; they're usually acting on behalf of a human's identity. A lot of times it's not even like a service account. They've literally given, here's my permissions, go and do this, right? Which is dangerous in many different ways, but this is the state of most organizations' agent security today. You know,

Kelly Bissell (34:32)
Yeah. Yeah. Yeah.

Yeah. Yeah.

Matthew Chiodi (34:53)
What are maybe some practical ways you would encourage today? Because there's not really a standard. So Cloud Security Alliance, back, I think it was late last year, late '25, did come out with an initial model on this. And I know there's a standard out there. It's called AIUC-1, the agent standard. I just learned about this in the last couple of weeks. So there are some emerging standards out there, but if you're a CISO and you are, you know, kind of bewildered by all this.

Kelly Bissell (35:12)
Yeah. Yeah.

Matthew Chiodi (35:23)
Where should they start?

Kelly Bissell (35:25)
Yeah, I think they should look to those frameworks, those emerging frameworks like you're describing, Matt. But those frameworks need to be embodied in the controls of the current identity management functions that they already have. Whether you have Okta or Ping or SailPoint or Microsoft or Palo or whatever control vendor, those need to be updated with a new AI agent framework. That's it. That way they don't have to...

buy another tool, integrate another tool to add to their complexity. That's my position on this.

Matthew Chiodi (36:00)
I think that's wise. Again, going back to the closest corollary I can think of to this, which a decade ago was cloud, right? Where everybody thought, oh, everything we've done in cybersecurity no longer applies, right? Like we've got to write the book from scratch. And it seemed like that maybe for the first couple of months. And then it was like, well, wait a second, least privilege still matters. Staying up to date on your patches, your configuration management, it all still matters.

Kelly Bissell (36:21)
Right. Yep.

Matthew Chiodi (36:27)
Well, here we are a decade later and, you know, the way you go about doing those things is different, right? Calling APIs versus, you know, going there and clicking around, which would have been before. I'll be curious to really see how this emerges. Because again, as we said, this is the first or second inning. And if you look at any of the major vendors, they've all updated their messaging. In fact, at RSA last year, everything was AI wash. So I can't even imagine at RSA coming up later this month in March, how that will be.

Kelly Bissell (36:33)
Yep.

Matthew Chiodi (36:57)
even more so. But I agree with you. I think that there are emerging models. I will put a link in the show notes to the AIUC-1 agent standard. There are quite a number of large companies that are coming out behind that, but it's still very new. So if you're a consumer of AI tech, this is something for you to look at and perhaps ask your vendor of choice, hey, are you guys building towards this? What do you think of this? Oh, I see you're not on the list.

Maybe this is something you might want to consider getting involved with. But this is the same thing that happened with Cloud Security Alliance. The whole reason actually the Cloud Security Alliance started was that there were no standards around cloud security.

Kelly Bissell (37:39)
We have to be brilliant at the basics and apply those controls in this new environment of AI as opposed to cloud or mobile before that. So I think we've got the right standards. We just need to update them and tweak them and then update our tools also.

Matthew Chiodi (38:00)
So for a CISO listening who wants to be practical, what are maybe the first one or two agent employees that you'd want to build right away? Where should they start? Maybe they haven't done anything with agents in their team. They've heard a lot about AI. Like what are the first one or two agent employees that they should think about building?

Kelly Bissell (38:22)
Well, okay, so let's put aside the company business and just focus on the CISO's organization. I actually believe the first thing I would do again is work on agents for the SOC for faster detection and mitigation. And then I would build an agent for secure software development. So how can we do runtime and source code protection faster?

and better, more effective. And just like my Apple app, I actually can build security into it as a software developer for little effort. So I hope we're gonna build safer products. So the first one was SOC, the second was app dev. And I think the third one that I would do is around trying to automate metrics. Most CISOs, their metrics are not very good because it's complicated.

Matthew Chiodi (39:15)
Hmph.

Kelly Bissell (39:18)
But I think

AI in this case, the agentic side, can help you correlate and make sense, in natural language, of the complicated models, I mean, the complicated data that the CSO has. So the third one I would do is around metrics and dash.

Matthew Chiodi (39:36)
I love that. You know, one of the platforms, so I think everyone's familiar with Zapier. Zapier has been around for a number of years. There's a startup called Relay, Relay.app, that I've been using for probably the last year. And it makes it really easy to go out and build these different agentic workflows. Maybe another one that I would add to that list would be automating threat intelligence, right? There are so many good open source feeds. And if you take a tool like Relay,

you can pretty quickly build something. If you put it together, use Relay as kind of the gofer to go get the information, string AI models together, and then take something maybe that you've custom developed in Claude as the front end, you can build something that is almost just as good as what you might be paying tens to hundreds of thousands of dollars a year for.

Kelly Bissell (40:27)
Matt, I'm with you. Okay, you've convinced me to change my top three because the biggest frustration I think with most CISOs is sifting through the signal from the noise of threat intel. But to take all that open source or other intel and apply it to me, like which ones apply to me and where and what does it mean to my business? I think AI can help them do that in a very good way.

Matthew Chiodi (40:31)
No.

Kelly Bissell (40:55)
So maybe my top three might change. Thanks for that.

Matthew Chiodi (41:00)
So let's switch topics. Again, I've been following your posts pretty closely for the last couple of weeks. You posted, I think it was right during the Olympics, about Alysa Liu's performance. And you said this, quote, leaders who intentionally cultivate a culture of joy and teamwork are consistently the ones achieving lasting success. Leaders who lead with joy inspire, breathe life into their teams. They also hold people accountable, expect excellence, and genuinely celebrate

shared success. Give us maybe some practical examples, right? You've been a leader for many, many years. How do you do this in your team? Cybersecurity can be very stressful. It can also be a very serious practice, right? It's almost as serious as being an actuary, right? Give us some practical examples of how do you lead with joy? How do you build that culture into your team?

Kelly Bissell (41:55)
Well, I've been part of teams that were more cutthroat, and it wasn't fun. And so when I built this team, the very first thing was not our strategy. It was who do we want to be? What kind of team do we want to be in? Because I firmly believe the people who are committed to the mission at hand and committed to each other, like a team or a family, those are the ones who

go the extra mile and are not stressed by it. They actually long for it. They clamor to help each other. And so I think it reduces stress and it provides long-term sustainable performance. I've been part of teams where you could get whipped every day and get short-term performance, but it's not sustainable. And so,

I will tell you that the team that I'm in at Microsoft loves working with each other. And that is when you get real, you get incredible ideas without complaining or jockeying for position or any of that. When we have a shared mission for our goal and each other, that's where wild, cool ideas happen. And it's fun.

You know? So all the stuff that we did with all the AI models that we built and the automated autonomous ML that we've got going on never could have been done without the culture of this team.

And by the way, the culture of the team doesn't always have to match the culture of the company. Most big companies are a culture of cultures. Each team can be who they want to be within their own realm of responsibility. And I would encourage everyone to first figure out who do you want to be and what kind of team do you want to be part of. And then you can go from there and do incredible stuff.

Matthew Chiodi (43:58)
I think that's really wise. I was just talking with someone earlier, I think it was last week actually, about them looking at their next role and they were asking for advice. And a lot of people tend to focus, I think mostly, on the income part of it and they don't spend enough time in the interview process interviewing the organization on the culture that they might be walking into, that maybe isn't compatible with who they are and what they value. And that's a big mistake. I've done it.

I mean, you could probably look at my LinkedIn. There's one company that you can see I was at for a very short period of time early in my career where I focused almost exclusively on income. And boy, I remember two weeks in going, what did I join? What did I join? Because that paycheck was not worth it.

Kelly Bissell (44:41)
Yes.

It's not worth it at all. And I think most of this affects our whole being. You know, if we're frustrated, we're not performing well, we go home, we're not nice to the dog or whatever. So I just think if you get the right teamwork and culture, everything else comes together, even the comp, because you perform better and you get valued for it.

Matthew Chiodi (45:14)
Wise words, wise words. Well, last question. So you will soon no longer be an FTE with a defined stop and start time to your day. How are you going to stay sharp? Like, what's your routine look like? What will it look like?

Kelly Bissell (45:23)
Yes.

Yeah, make no mistake,

I'm still in the game. But I'm already sort of dabbling in a handful of things. I'm working with a couple of PE firms on M&A due diligence on cybersecurity companies, which I'm having a blast at. I'm part of a VC where I'm going to help shepherd a few companies so we can really fill a gap in this marketplace that we still have. And then I believe as a good steward,

I need to prepare the next generation. So I'm happy to, you know, guest lecture at UT Austin, University of Texas Austin, whatever Mike Wyatt allows me to, or Seton Hall Law School or some other places. So that's really my day. And then, you know, I get to spend the gaps walking Hank, my dog, or...

exploring and learning, kind of like with the Apple app that I did. And to me, that's a very nice balance. So I'm not caught up in the daily operations of a team, you know, managing 16,000 people or 500 people or whatever the number is. I just sort of get to really help the next generation of leaders get ready.

Matthew Chiodi (46:46)
I love that. And I always appreciate that about you. You've always done a great job on LinkedIn and various other places, just really being open about sharing your knowledge, your wins, your losses. And I've always appreciated that about you.

Kelly Bissell (46:58)
Well, I think I have more losses to share, as you've seen on LinkedIn, I'm not shy about sharing the grumpy stuff too, you know?

Matthew Chiodi (47:06)
Kelly, this has been great. Is there anything else I should have asked you that you wanted to cover?

Kelly Bissell (47:12)
You know, I don't think so. I think that you've covered the gamut. But my last sort of parting statement is, as I look over my 30-something-year career, you know, from 1988 to now, and I've seen the internet grow because I was sort of lucky to come out of university at that time. And so we went from mainframes to PCs to client-server to really the internet and

then mobile apps and cloud. I believe now, in the age of AI, I wish I was 21 again, because this is the most revolutionary change that I've seen in the market in 30 years. So if you're young, or even if you're old like me, you can still take advantage of this new, this, what, the

second inning that we're in in this game and really do some incredible stuff. But you've got to start now. If you don't start now, you might be left behind. So that's my encouragement to whoever's listening.

Matthew Chiodi (48:08)
Yeah.

There's that ancient proverb that says, when's the best time to plant a tree? Yesterday. When's the second best time? Today. Well, Kelly, it was great having you on the show. Thanks for coming on.

Kelly Bissell (48:22)
Exactly.

Thanks Matt, appreciate it.