Rachael Lyon:
Welcome to To the Point cybersecurity podcast. Each week, join Jonathan Knepher and Rachael Lyon to explore the latest in global cybersecurity news, trending topics, and cyber industry initiatives impacting businesses, governments, and our way of life. Now let's get to the point. Hello, everyone. Welcome to this week's episode of To the Point podcast. I'm Rachael Lyon here with my co host, John Knepher. John.

Jonathan Knepher:
Hi, Rachael.

Rachael Lyon:
Good evening. Hi. So I was just asking you if you watched Zero Day on Netflix with Robert De Niro, and it sounds like that was a resounding no. So we can't dig into it, but, man, I wanna know if that's actually possible. I'm a leave it at that. I don't wanna speak.

Jonathan Knepher:
Now now you're gonna make me have to go watch

Rachael Lyon:
it. So I'm like, well, that's crazy. You know, and you sometimes wonder right nowadays, right, what is so far off reality versus what what is actually impending and do they know something we don't know yet. I'll I'll leave it at that though, like I said.

Jonathan Knepher:
I'm sure there is a lot we don't know and we will be learning about over the over the next probably short period of time, to be honest.

Rachael Lyon:
Yeah. As we talked about before, it's good to be able to compartmentalize in the cyber world. Right? You just can't sometimes the stuff, you know, we just gotta gotta put it over there. Put it over there. So I'm really excited for today's guest. Please welcome to the podcast, Saaim Khan. He is founder and principal advisor at Cyber Matters, which is redefining cyber consulting with an unconsult approach, which I think is super cool. He spent two decades last two decades in cyber, and among his many certifications, he's a certified information security manager and which I think is really cool.

Rachael Lyon:
He has graduate certificates in cyber management, cyber law, and cyber warfare. How awesome was that? I I imagine that whole process. Anyway, welcome. Welcome, Saaim.

Saaim Khan:
Thanks for having me, guys. Great to be great to be here.

[02:04] Cybersecurity Talent Shortage: A Misunderstanding of Skill Versus Experience

Jonathan Knepher:
Hey, Sayim. So I guess I'll kick it off here. Let's talk about the, the cyber shortage, which I'm sure you're very well aware of in your in your, role. NIST reports that by this year, lack of talent and human failure will be responsible for for half of significant cybersecurity incidents. Do you think that that that, shortage exists and, and how are you handling it?

Saaim Khan:
Well, okay. So, I think the shortage is not a shortage of skill or a shortage of talent, if I'm being honest. I think it's a shortage of experience. And it's to put it in perspective, I I don't know how antiquated this example is. I've been using it for a few years now. But, think of cybersecurity, which is a subset of engineering, which is, you know, how old is engineering as a profession? And, you know, within engineering, how old is information technology as a as a as a field? And then within that, how old is cybersecurity? So, I mean, you can find some really experienced IT, professionals, you know, under every rock, but it'll take time for cyber to get there. So I think the, you know, the the concept of there's a skills shortage, I think it's almost like a self fulfilling prophecy at this stage. The way that we as an organization address it is, you know, we work in the realm of governance, risk, and compliance, Vis a vis the most boring of, cybersecurity as, as we, you know, vehemently deny.

Saaim Khan:
But, you know, finding good GRC consultants is hard because you need someone who understands technology, who understands, in today's day and age, web dev, and also understands, business. So how do we find someone with that experience when, a, they wouldn't wanna switch employers, or or, b, you know, they they may be lacking that experience. So what we've kind of and I guess this is part of Unconsult, which is, you know, which is kinda like the the genesis of of everything I've learned that I don't wanna do or I should not do in the last twenty years is we look for attitudes. Because knowledge can be shared, experience can be codified to a large extent, but the attitudes is what we look for. So I think the shortage is not so much of, you know, the talent, so to speak. It's really about that experience. And and and and it's just a hazard of of of being a nascent industry. So there is a shortage, but there's a shortage of attitude.

Saaim Khan:
I've had the opportunity to interview quite a lot of people. We've recently hired a few folks to join us in the business. And during that interview process, anyone who's got any of those certifications like the ones that you, you know, introduced me with, they think that, you know, that's enough, but it's actually the attitude. And I think what that attitude needs to be is we know nothing, and we need to constantly keep evolving. And we need to be able to extrapolate. So humility and the ability to extrapolate, those are the two major attitude or the two traits that we look for. So how quickly can you start riffing with the client and understand their business? And how humble are you that you may have to unlearn a little bit so that you can learn what the problem is? So I think that's the approach. And that's our our way to answer the the shortage, you know, the so called shortage.

Rachael Lyon:
So when you're thinking about, because I think a lot about, you know, the next generation coming up in cybersecurity and and how they can navigate, you know, kind of joining the industry, contributing in the industry. There's there's a there's a couple of questions that seem to come up. You know, one, what is the value of a degree versus experience kind of as you're talking about? But then within that experience, is there a lot of value in becoming a very niche player or being, you know, more of a a generalist? And is that something you're looking for maybe, a generalist that you can then train up in a niche area and train them the way that you want to? But I'd be curious of your perspective there.

Saaim Khan:
Okay. Can I ask you a question before I answer yours?

Rachael Lyon:
Okay. Okay.

Saaim Khan:
So if you were to weigh a generalist and a specialist, who would you think is the more experienced person? If I was using those two and I

Jonathan Knepher:
have the same opinion.

Rachael Lyon:
I would go with the specialist myself. It's generally you start as a generalist. Right? And then you narrow down your specialty.

Saaim Khan:
Okay.

Rachael Lyon:
My my experience.

Saaim Khan:
Respectfully, I I I disagree with that

Rachael Lyon:
definition. Okay.

Saaim Khan:
Okay. Like, think about it this way. So you know how the alt the penultimate, office bearer in an organization usually has the hyphen general appended to their title? So you've got attorney general, director general. Right? So generalization does not mean that I'm a jack of all. Generalization, in my opinion, opinion is the emphasis here, is someone who has seen so much that they have now a very deep understanding of the general view.

Rachael Lyon:
Gotcha.

Saaim Khan:
Okay. A generalist like, for example, I've been in this I've been in IT for about, you know, a little over twenty years. I've been in cyber for about fifteen. I am only just starting to feel that I could potentially call myself a generalist. Because I have worked with so many different clients, so many different industries, in so many different situations that now the culmination of that and by the way, I only work predominantly in GRC and DevOps. Those are the two areas that I work in. So, yes, I'm a specialist in those areas by some definition. But the what I'm aiming towards is becoming a generalist.

Saaim Khan:
So, you know, when when you say that, you you know, there are more generalists, actually, no. There are no generalists. They're just specialists who are really at the beginning of their career. That's that that that's how I look at it. So in terms of, you know, the new generation coming up, I think, you know, history is circular. Like, time is circular. Life is circular. It's almost kinda going back to the, you know, the thirties, the nineteen thirties style, you know, let's just build it up.

Saaim Khan:
Right? So, you know, the the the post depression, the FDR thing of let's build it up. Right? So I think we're kind of at that stage again where we need to start building up that generation by giving them, you know, that good work ethic again, by giving them all of those, things about, you know, there are no shortcuts. And the where we find ourselves at the intersection of shorter attention spans, generative AI and, you know, similar technologies and a continuously changing geopolitical techno landscape, we are literally starting from zero. Mhmm. So I think that's really what the next generation needs to fur go back to the basics of. You know? And at the risk of sounding fuddy duddy, working hard, showing up on time, being consistent, those are the things that the next generation, you know, needs to kinda work on because the technology is now kinda becoming easier to get a grasp on. So I mean, that's once again, perhaps a bit opinionated, but that's what I think.

Jonathan Knepher:
And I I like your position on generalist versus specialist as well. I think, you know, in in my experience, right, dealing with security things as well as operational things and GRC in particular, it's it's always been very good to have, you know, folks who understand not only the specifics of the security threat, but how to how to handle it. And that's a very generalist skill. So, you know, you mentioned going back to the basics, but also, like, what are kind of the broader requirements that that you think are needed in the space? And how do we how do we make sure that there isn't really a talent gap there and that industry is is basically bringing people up with more of this generalist aspiration, if you will?

Saaim Khan:
Okay. I I think those those those basic skills would be to understand core technology concepts. Core technology concepts as of 2025, not of, you know, February. And this is where I feel academic institutions really need to up their game. And it's it's almost like a trickle down effect. Right? You'll have the top tier universities kinda refresh their curriculum. And then maybe three to five years down, then the mid level universities will start kinda taking that, and then, you know, five years after that, the, you know, the the the base tier universities or the base tier educational institutes will do that. However, the the the grasp of technology needs to be as follows.

Saaim Khan:
We are working towards having a completely decentralized infrastructure. We are working towards personalized technology. We are working towards things being based on metadata, things being based on hyper personalization. That is the future of technology. Whether you wanna go down the path or the rabbit hole, in my opinion, of agentic AI or whatever, that's that's irrelevant. Whatever that is, it is really pursuit of hyper personalization. So the skill set that the new generation needs to come, come equipped with is an understanding of that. The second thing, which is both a boon and a curse in my opinion, is truly understanding how the world is grappling with short term gratification, and that is most prevalent in technology.

Saaim Khan:
So understand that people are not getting dumber. People are actually looking for the TLDR of the TLDR of the TLDR. So understanding that we need to communicate very quickly. And and this sounds almost counterintuitive. How do you get the message across because we are bombarded with stimuli from all directions? So case in point, and I'm gonna go into a very specific technology, discussion here. When you talk about security operation centers, In today's context, there are billions of events being recorded, and you're getting notification upon notification upon notification, and you have notification fatigue. Then you have all these next generation scene tools, which says we will cut the noise. Well, they are cutting the noise, but then you're adding complexity because now you're getting a different category of notifications, but then fatigue isn't going down.

Saaim Khan:
So the the the next generation, the talent that comes in, needs to start thinking about how do we cut through the noise and one and that kinda goes back to that comment I made on your on our previous discussion point about going back to basics. And at the risk of sounding vague, that is kind of, like, you know, where it is it is it is unfortunately, you know, a point where we find ourselves at, where you do need to have new entrance to the industry, being able to, understand that, look. I need to get these things right. Everything else is gonna happen. And then to your point, Jonathan, about aspirations to becoming a generalist, I believe every new entrant to the to the to the workplace is still filled with hope. So when you're filled with hope, if you can nurture that in an environment which allows multiple experiences whilst kinda reining in the short term gratification aspect, then I think people don't get distracted. It's and it's a balancing act. I don't think anyone can get it right a % of the time where we wanna offer our our staff multiple opportunities, but then we also don't wanna inundate them with so much choice that they kinda like, I don't feel like doing this anymore, but wait.

Saaim Khan:
You're in the middle of a project. Yeah. But I'm not feeling it. Right? That that sounds very familiar of the newer generation.

Jonathan Knepher:
Exactly. There's definitely a balancing act of giving people the opportunity to take the tour versus, you know, focus and get the work done. Right?

[15:06] Mentorships and the Influence of Tech Idols

Saaim Khan:
One one more thing I'll say on this is this is one thing that I also, suffered, at at different points in my career till the point I made the decision to start my own firm, is there is actually a dearth of mentorship available. I mean, people can claim to be mentors, but, like, a genuine mentor who can actually come and help you build a path, that is not very, very common. You know, I've had perhaps two individuals I can think of that immediately come in my head. Like, you know, their names come in my head, who actually sat me down and actually talked to me about, what do you wanna do? Or do you have a general direction of where you wanna go? Okay. Now these are the things you need to do. So, you know, that is really important, and that's that and that's a point that should should resonate with, someone regardless of whether you are gen alpha, gen z, gen x, or a millennial or a zillennial or whatever. Right? Whatever the anthropologists are calling those those those terms. But that is clearly missing, and which is why so many people feel a bit lost, if you will.

Saaim Khan:
And that's why there's such a huge surge in personal coaching businesses these days.

Rachael Lyon:
Yeah. Yeah.

Jonathan Knepher:
I think that's

Rachael Lyon:
good point. Yeah.

Jonathan Knepher:
Yeah. I think that's key too. Like, I I have seen that where there's people just haven't thought about where they wanna go and what's their direction. And I think it's very important to to set a goal even if it's not the goal you end up going for, but just to have to have a vision.

Saaim Khan:
Yeah. I mean, also, we we we don't have any any, like, you know, we don't have any tech idols to kind of think about beyond the run of the mill jobs and Musk and, you know, maybe a few names. But, like, for example, I mean, I'm sure if I asked you, Jonathan, or if I asked you, Rachael, you can at least name 10 people who are, like, rock stars. And a lot of people listening to this wouldn't know them. Like, for example, you know, people love Wozniak, but when you ask them, why do you love Wozniak? Oh, he founded Apple. It's like, no. That's not why. Yeah.

Saaim Khan:
Wozniak is a tech genius. Right? Right? He's really, like, you know, like, the the the amount of techno technological innovations he's done, the amount of patents he has, that's why he's the rock star, not just because he's he's, like, the chubbier of the two and the cuter of the two. Right? That's not the reason. You know? A lot of people, you know, don't even give, you know, Tim Berners Lee credit. Right? And these are names, like I mean, ask any 25 year old about that, and they'll be like, who? Right? So we don't have those characters. Like, the who we have now are just unfortunately and and, you know, not to throw shade on anyone. You just have people who've got incredible pull with social media influence. That's what's missing.

Saaim Khan:
That's why you don't really have good mentors. Like, everyone's saying, hey. This happens, and I post this, and I post that. And then, you know what? The fifth post will be, hey. Guess what? I've just started my own private coaching business. If you sign up with me now for ten bucks a month, you're gonna get one on one coaching from me, or you're gonna get access to my private blogs. Really, that's not really setting anyone up for success, but I digress.

Rachael Lyon:
I love it. But it's so true. The the whole influencer thing, I mean, you're a hundred percent right. And, you know, you look at kind of these stalwarts, you know, publications, right? Like a Washington Post or, you know, lots of the places we're looking at influencers as reporters, you know, and so a lot of it starts becoming kind of this perceived reality to a particular lens, right? So it's like how do you navigate in that environment, right? Because, you know, unless you're going to put in the effort, I think, to, you know, I like when I read something on TikTok, because I love TikTok, before I've, like, accepted this truth, I go look at several different sources, you know, that I trust and try to get a barometer of, okay, how accurate is this information? 

Like, you know, the report when Gene Hackman died. I was like, did he really know? Let me go double check this out and and see if it's being validated elsewhere just as an example. You know, but a lot of people don't it takes time to do that and and I I think that's that's a really good point, right? And and yeah, what what does that do for the future and and how does that shape us? I think that's a very fascinating question.

Saaim Khan:
And it's also like I think one phrase you used kind of sums up that because that's probably the, that's the poisonous cherry on top of the cake, right, which is perceived reality. Now, when you take short term gratification or immediate gratification, you take easy access to a multitude of sources. Let's not even go into veracity of those sources. And then you take perceived reality because you've got perception, you've got echo chamber, and you've got the ability to generate, content at scale. So, you know, using tools which you which now, you know, can take your likeness. I mean, we're experimenting with a couple of things internally, and, you know, we were looking at, do we for example, one of the things I wanna do is I wanna be able to go and talk about hard topics. How realistic is it to run a business, deliver consulting work, and also then sit in front of camera and then produce content. So we explored the idea of generative AI.

[20:26] The Ouroboros Problem: AI’s Self-Referencing Data Loop

Saaim Khan:
It was so scary we stopped because there's no veracity in that. And, I mean, you know, sat in front of a camera for five minutes or I think I think it was like eight minute video, uploaded it, and then suddenly, I've got a likeness and I can just make it say anything I want. But now imagine someone who is pumping our content upon content without checking it because and I think and I think at some point we will get into the ouroboros nature of the whole thing. It's just it's just like more, you know, filler upon filler upon filler and there's no substance. So going back to how we got here with that whole mentorship thing, experiences come from being, you know, allow being allowed to fail, being given a bit of a plan, deviating from the plan, arriving at some destination where you have no idea, and then learning. How much are we doing that? How much of that are we doing? Not really. I mean, everyone's given this little narrow thing that, yeah, just do this. And then, you know, they they don't really have that depth of experience.

Saaim Khan:
I'll I'll sorry to kind of, I guess, ramble, but I'll give you an example of this. Right? Just before COVID hit, the last there there was a workshop I was invited to. And, they had some, like, you know, really young, vibrant people sitting, on the panel with me. And we were talking about some challenges in cybersecurity. And and and a member of the audience asked a question about, how does one respond to an incident around a data breach? Because it was a pretty, topical thing at the time. There was some high profile breach that happened in Australia at the time. Of the five of us, four spoke at length, and I'm talking about fifteen minute monologues, but without any substance. And the you know, it was almost like and then that question came up again, and then the moderator was like, well, Simon, what do you think? And and I immediately said, well, with the incident, do you wanna save your job? Do you wanna save the company? Do you wanna look good? What's the what's the core goal? Right? I can give you an example from each.

Saaim Khan:
And immediately, that shifted the conversation. And I think I probably spoke for about six, seven minutes on on on like, they wanted to know how do we save the company without, you know, doing that. So I talked about over communicating, under communicating, the the nontechnical aspects of incident response. But that the dearth of experience with the other people and, by the way, all of these four are, like, so called household names in terms of those if, you know, I guess they were influencers version one. There's we don't have, like, people having these these these good conversations. I saw this thing the other day on LinkedIn. GRC thought leadership as a pie chart. There there are these two guys.

Saaim Khan:
So I don't know if you've heard of this gentleman called Troy Fine. He works a lot in the in the in the GRC space. He's a he's a he's an auditor, and he posts a lot of memes, you know, poking fun at SOC two and, you know, how SOC two is kind of being overused. And then there's this young guy who works, as a DevOps GRC engineer called Ayub Fandi, and he posts a lot of these hard hitting points. So GRC thought leadership, if you're on LinkedIn, is 50 is like, you know, 49%, you know, Troy find memes and 49%, you know, Are You Fundy posts and then that little sliver, that's the rest of us.

Jonathan Knepher:
That's interesting.

Rachael Lyon:
I'm writing this down.

Jonathan Knepher:
So I'm thinking, you know, you you brought up the Ouroboros problem. I I I wanna take a look at that from kind of the standpoint of of AI and kind of what you were talking with earlier on, like, the lack of experience. Right? If you if you think about that, how how does AI kind of both enhance security, but also, like, it's going to introduce new vulnerabilities as well. You know, and that kind of feels like a loop here of attack and defense and expertise and synthetic information. How how do you how do you leverage this for the right things in a positive manner and and hopefully break that cycle?

Saaim Khan:
Okay. So, you know, you talked about vulnerabilities, right? And how it could enhance or deter security. Let's look at it from two perspectives, a nontechnical and a technical perspective. And we'll go with the nontechnical first. Now let's suppose you're a mid level consultant or a mid level security practitioner, and you've been asked to prepare a briefing on the impact that a new legislation has on the company. Now you traditionally, you would go look up, you mean, you'd go to the the government website, you'd download a copy of that legislation, you'd either print it out or, you know, put it on some easy reference, you know, media for your for yourself and you'd read through and you'd start thinking about it. What is what would this mean for us? What would this mean for us? And you make your notes and then you do your analysis and things like that. Now, you basically open up your LLM of choice, enable web search, and say, what would the impact of this legislation be on a company that produces widgets? And, you know, that is gospel then.

Saaim Khan:
You take that, you regurgitate it, and, you know, wow. Amazing. You were able to turn around this research in such a small amount of time. You're doing really good. You know, that guy gets it. He is really leveraging the power of AI, except three months down the line, you used that anal you used that analysis to make a financial decision, and the CFO takes a look at the numbers, and you're like, hold up. Why are we spending so much on this again? And then it turns out that half the information that you posted was hallucinated by the AI, and you've been kinda doing a lot of, you know, garbage out. Therefore, you know, there's just there's just a lot of, you know, garbage going around.

Saaim Khan:
That's the nontechnical side. We don't tend to fact check. And even if new AI tools add that little, you know, footnote saying this is the source of this information, the inference is not something you can rely on. From a, technical side, I'm gonna take you on a slight story time, and I think you guys might realize that you might not want me on again because I like to tell a lot of stories.

Jonathan Knepher:
Give us the story. No. We like it.

Saaim Khan:
So you would have seen this huge surge in these AI assisted, code generation tools. Like, Vercel's got one. They're like everyone's got one now. And it's so the concept is amazing. Right? Build me an app because that's what all the demos show you. Right? Build me an app, which is a to do list, which is Internet connected and blah blah blah, and then suddenly just generate a piece of code. You're like, wow. That's amazing.

Saaim Khan:
I should get on top of that right away and start coding. Or you have all of these different repo platforms that provide some kind of a copilot that helps you co create code. Right? What people aren't talking about is the fact that, yes, it can build the code, but it's not been optimized to do it in the most efficient fashion. And what happens is when you start building these these codes, like and and and, by the way, this insight, I wish I could take credit for it. I was speaking to a, a friend of mine who's, who is a CTO, you know, fractional CTO, and he's like, this is great for me because all these founders and all these, you know, you know, business owners go and use these tools to build out version one of their software, then the the the MVP or the prototype works great. But then when they start bringing it into production and when they start getting clients and they do security testing, they realize it's such bloated code and it's impossible to fix. It's impossible to change, and then they gotta go back and rewrite it and actually, at this time, bring in a human to build it out for them. So that's introducing vulnerabilities and extra complexity all in the name of, hey.

Saaim Khan:
We're just building it out. I mean, I I recently read that one of the one of the larger, well known AI brands is now bringing out agentic AI offerings where you can get a developer for about 3,000 or $2,000 a month. But that developer is gonna be building that that so called AI developer is gonna be building code that's not particularly efficient. Yes. It'll do the job, but it's not really gonna be efficient, and it'll introduce vulnerabilities. And the other thing also is we've also internally in the company tested some AI powered pen testing tools. The POCs are really nice to watch, but in reality, we got a vulnerable app from a client, and we got permission from them to use the AI tool and then, obviously, have one of our testers do it. The AI found 35 vulnerabilities.

Saaim Khan:
The pen tester found seven. Those 35 vulnerabilities that the AI found, look, the numbers might slightly be off, but, like, it's like in a, like, a factor of five. The AI found vulnerabilities were, like, really small things, like, what you would get akin to, like, running a Von scan. Each one of the vulnerabilities that the pen tester found would potentially have some kind of data x will scenario happening or some kind of authorization bypass. So, you know, what's the value? And AI does cost I mean, like, it it's not free. It does cost money. And, you know, I don't think you're getting your bang for buck. So now with the ouroboros problem, right, you mentioned, like, the so, you know, for for someone who's not aware, ouroboros is is a methodological reference to a snake eating its own tail.

Saaim Khan:
Right? So what does you know, why why why do I call it Ouroboros problem? Once again, I wish I could take the claim for it. I think I read it in, the New Yorker or, it was one of those. Basically, the idea is if you wanted to build out marketing copy, you'd build out marketing copy using AI, for example. Mhmm. And then you'd publish it. Then someone else in a similar industry to you would wanna build marketing copy. And that AI engine is trained on parsing the entire web and then finding the best copies, you know, the best version of copy or, like, generate the best copy possible. But a lot of its data over time is just gonna be AI generated content.

Saaim Khan:
So using AI generated content to generate more AI generate content to generate more content by AI. And as a consequence, it's just regurgitating the same thing, and the overall quality comes down. This is another issue that happens with AI tools where, I don't know if you've personally experienced it, but any of these new models that get released by these AI companies, you use it for about six months and then it starts just it just, like, becomes useless for some reason. So there's like some level of plateauing that happens. So that's what's happening at scale now.

Rachael Lyon:
And I'm so sorry to do this everybody, but, we've come to the end of today's discussion. We're having so much fun speaking with Saeem. We are going to continue next week with a part two. So be sure to tune in, for part two with Saeem Khan who is the founder of Cyber Matters next week. And as always, thank you so much for joining us. And don't forget, smash that subscription button and you get a fresh new podcast episode every single Tuesday. Until next time everyone, stay safe. 

About Our Guest

Saaim Mazher Khan, Founder & Principal Advisor, Cyber Matters

Saaim has over 18 years of experience in cybersecurity, IT, training, finance and business management. Working mostly in client-facing roles, he has worked with organizations in Asia, Australia and New Zealand, ranging from small businesses, all the way up to the ASX 100.

He is a Certified Information Security Manager (CISM), Certified Lead Implementor for ISO 27001 (CLIP) and Certified Technical Trainer (CTT+), with degrees in Computer Science and Project Management and graduate certificates in Cybersecurity Management, Cyber Law and Cyber Warfare.

Check out his LinkedIn