A(I) Blueprint for Modern Cybersecurity

Cybersecurity titan Neil Daswani was this week’s guest on ”What the Hack?” where we shot the gamut, landing on a critical question: How much harder will cybersecurity be as AI technologies evolve?

Author of Big Breaches and former CISO of LifeLock, Daswani and I started with early days: The click farms where he got his start in the catch-and-kill world of early cyber before leaning into a discussion of the challenges we face today. 

My takeaway? Cybersecurity today succeeds or fails on the correct calibration of the CISO’s paranoia. In the age of AI, where personally identifying information (PII) and the data collected from our digital lives (both publicly available and sold by data brokers of all stripe) is the key to fraud, survival depends on right-sized paranoia. Every moment of attention online is a potential, “mission critical” security breach waiting to happen, which is why the CISO mindset matters.

The wisdom driving this paranoia dates back to Daswani’s early work at Google combating click fraud—in particular an industrial-scale click operation that triggered a Code Yellow emergency. The strategic fix: Make fraud more difficult. The problem: wherever there are humans there is vulnerability. 

For Neil Daswani, the journey from combating click fraud to protecting personal information revealed a chilling reality about our collective vulnerability. The compromise of foundational data, Daswani notes, didn’t stop with the Equifax breach (when half the country’s SSNs were stolen). A subsequent, breach at an organization called National Public Data resulted in the theft of every American’s Social Security number.

This PII—your name, phone number, address, and digital fingerprint along with your SSN—is the raw material used by cybercriminals because your Social Security number doesn’t come with multi-factor authentication or password protection (though you can get a PIN code from the IRS). Our PII exists as a fixed, unchangeable dossier used by criminals to create a convincing pretexts for fraud.

This terrifying inevitability of data loss is why the identity protection industry has had to evolve. Since prevention is not 100% effective against massive, ongoing data leaks, recovery has become an essential pillar of defense. 

Daswani explains that a significant advancement has been the advent of identity theft insurance. This progression, first championed by LifeLock, includes stolen funds reimbursement insurance, acknowledging that because breaches are inevitable, victims need a guaranteed way to become financially whole again after they have been targeted by crime built on compromised PII.

But back to the kinds of behavior that keep bad things from happening…

AI provides the latest evolution in human vulnerability. Generative AI turbo-charges social engineering, creating virtually flawless phishing messages and hyper-realistic deepfakes as well as workable pretexts and other modes of attack making it increasingly difficult, if not impossible, to discern what is real and what is fake, a factor that drives exploits such as wire fraud and romance scams. Since money and information are often willingly given in these scenarios, traditional defenses fail.

The pragmatic solution for high-value transactions is to remember this: AI can’t shake your hand. 

For any significant financial transaction, the best defense is to meet in person or verify the recipient through a strong, non-digital, and secondary channel. If a voice or face on a screen is asking for money, you must rely on a defense that AI cannot breach.

The rapid, unchecked advancement of AI brings us to the question of systemic security and the need for a regulatory guardrail system for AI. 

Daswani advocates for smart regulation, using the analogy of the German Autobahn. It is the fastest highway in the world because it has well-engineered lanes and user guardrails. Smart regulation, he argues, allows industry to move faster, not slower, by forcing companies to build stable, secure infrastructure from the start.

Ultimately, the blueprint for modern cybersecurity needs to solve for technological guardrails that are missing. AI can exploit that vacuum. Until effective oversight exists, survival depends on the adoption of the CISO worldview, which means accepting the fact that our data is in the wind. 

The way forward is to get busy compromising the raw material of fraud—your publicly exposed PII—thereby neutralizing the threat actor’s primary weapon and establishing a necessary defense perimeter for survival.