Buy vs. Build AI Security: Why Box.com CISO is Creating their Own Agentic SOC


If your AI solution is just helping humans process the same amount of alerts a little faster, you haven't transformed anything, you've just created a faster hamster wheel. In this episode, Ashish and Caleb speak with Heather Ceylan, CISO at Box.com, about how she is leading a true, developer-first AI transformation within her security organization. Heather reveals the five strategic "AI Bets" Box is making. We dive into the reality of building an AI SOC, discussing how Box achieved a 38% automated triage rate for Tier 1 alerts, and why teaching AI not to hallucinate requires treating prompts like strict policy engines. The conversation also tackles the build vs. buy dilemma. Heather explains why she prefers to have her team build custom AI solutions (at least until vendors can out-innovate her engineers) and shares her biggest disappointment when evaluating AI security startups.

Questions asked:
00:00 Introduction
02:50 Who is Heather Ceylan? (CISO at [Box.com](http://box.com/))
04:20 Transformation vs. Acceleration: Eliminating Classes of Work
06:00 Building an AI SOC: Achieving 38% Automated Triage
07:20 Controlling Hallucinations: Prompts as Policy Engines
09:30 The Buy vs. Build Debate for CISOs
14:00 Why Security Architecture Must Be Machine Consumable
16:50 The Problem with 3rd Party Risk Management
18:20 Box's "5 AI Bets" Framework
21:30 Will AI Replace SOC Analysts? Why Teams Are Embracing the Change
23:50 Continuous Pen Testing & Evaluating AI Startups
26:30 The Biggest Pitching Mistake Startups Make with CISOs
30:20 Shadow AI: When the Business Starts Building Its Own Apps
37:30 Personalized Software: The LEGO Brick Model of Security Agents
41:50 Fun Questions: Crocodile Jerky and Tim Tam Slams
44:20 Hobbies & Family: Raising Two Boys and Surviving the Chaos
45:30 Favorite Restaurant: Meyhouse (Turkish Cuisine in Palo Alto)

Heather Ceylan: [00:00:00] If you still have the same humans that are looking through the same number of alerts and just doing it a lot faster, that's not really transformation. AI can often sound right and be confident, but it's also wrong. In security, you cannot get these things wrong and you cannot sound right.

Caleb Sima: I don't need another scanner.

Heather Ceylan: How are you separating yourself from like another dynamic analysis scanner? Security architecture has always been designed for humans to consume it. Agents are writing the code, and if you're not designing those outputs to be consumable by agents, how do you fit into the software development lifecycle?

Caleb Sima: You don't. So because of AI coding, the CI/CD, uh, cycle becomes even more critical. The more AI coding occurs, the more tighter this pipeline going to prod should become. They

Heather Ceylan: third party risk management has been broken forever. No

Ashish Rajan: bugs,

Caleb Sima: only features

Heather Ceylan: if you're going all in on the single platform right now.

Probably a mistake

Ashish Rajan: As a CISO, probably one of the biggest challenges you have today is to increase your option of AI, but also make a call for, are you gonna buy AI security products or build them? Are you [00:01:00] gonna replace your AI SOC level one team or level one team across the board or uplift them for better opportunities with the new organization because they are more skilled than just an AI program.

Caleb and I had a great conversation with Heather Ceylan. She's a CSO of Box.com, where we spoke about the five bets she has put on AI security for her organization, how she approached the improvement of SOC level one, which she built herself, what components were used by other products and where she chose to build versus buy.

What do you see as the future of building security teams in a world where developer first companies are going to hire differently, including she herself is hiring differently than what she used to six months ago, the expectation is a lot more different. The understanding of how the space is quickly evolving and how all of us are learning on the fly, all done.

A lot more challenges that she was able to share as she builds a program and the five bets she's putting on. Using AI to uplift her overall security programs was quite refreshing. If you know someone who is building a [00:02:00] security program almost to understand how to build a security program in a developer first world, in a developer first environment.

Where AI adoption is on skyrocketing at large volume. Then this is the episode for you. If, as always, if you have been watching our episodes and have been finding it valuable, I would really appreciate if you take a quick second to hit the subscribe or follow button as it, it doesn't cost you anything, but it helps spread the word to many more people as well.

And also thank you to everyone who came and said hello to us at RSA. We are on all podcast platforms, including Apple, Spotify, YouTube, and LinkedIn. I also want to say thank you to everyone who came to us and said hello, shared the love that they have for the podcast and the work we do here. It really meant a lot.

Thank you so much for that and I look forward to seeing you more in future conference and events as well. I hope you enjoyed this episode with Heather and I'll talk to you soon. Peace.

Caleb Sima: Hello and welcome to another episode of AI Security

Ashish Rajan: Podcast. I have Heather with me today. Hey, thanks. Coming on the show.

Heather Ceylan: Hey, thanks for having me. Set

Ashish Rajan: the context. Uh, if you can share a bit about yourself, where you are today. So background.

Heather Ceylan: Yeah. So my name's Heather Ceylan, CISO at Box. I've been at Box for a little over a [00:03:00] year, but prior to that was at, uh, zoom. Joined Zoom during the pandemic and had a lot of fun during those four years.

But yeah, now at Box we're, you know, very AI first company leading the way. And, uh, our security program is following along with that and doing a lot of AI transformation.

Ashish Rajan: And I think talking about your security program as well you've been obviously sharing a lot about the experience and what you're seeing in the industry with newsletter.

I wanna give a shout to that as well. At what point, and we've been kind of having this theme across RSA, where we've been trying to separate signal from the noise.

Heather Ceylan: Yeah.

Ashish Rajan: And at what point, uh, is it an automation problem versus an AI problem? How are you approaching that? Because if you were to just walk the floors, it may feel like everything should be AI.

Heather Ceylan: I don't walk the floors

Caleb Sima: tip number one.

Ashish Rajan: Yeah,

Caleb Sima: yeah, yeah. CISOs do not walk the floors.

Heather Ceylan: No. Uh,

Ashish Rajan: if you, I mean, I have, honestly, I haven't either, but, um, I'm, what? I, oh, I didn't,

Caleb Sima: I actually,

Ashish Rajan: I

Caleb Sima: walked the floors. So is, are the

Ashish Rajan: rumors true

Caleb Sima: actually? So on everything being AI

Ashish Rajan: Yeah.

Caleb Sima: I don't, I couldn't hear myself think as, so.

It was very [00:04:00] difficult. Although I did see just recently, uh, one of my friends on LinkedIn did walk the floors and did stats and went and said, how many vendors have the word AI versus how many didn't? Yeah. And then what are they selling versus not who had agents versus not? And actually the stats were pretty surprising.

And that he said, I think somewhere between, and I don't remember exactly, but somebody between 30 and 40% had AI and the other 60% didn't have anything that said AI. I don't believe that. I didn't believe that either. But he went and

Ashish Rajan: did it. He did the work. Yeah. Would be AI adjacent as a criteria as well?

'cause No,

Caleb Sima: it just, he just said, did it have the word AI in it? Yeah.

Ashish Rajan: Was the Oh, okay. Was the thing. I mean, so how would you judge automation versus AI approach in the security programs that you may be looking at?

Heather Ceylan: Yeah, I think the simplest way to look at it, the way I think about it is, are we actually eliminating whole pieces of work with AI. Otherwise, like it, like if you take our SOC for example, right? If, if you still have the same humans that are looking through the same number of alerts and just doing it a lot faster, that's not really [00:05:00] transformation, right? That is just accelerating what we're already doing today, right?

And creating a lot of the same noise. But once you get to the point where you're actually eliminating whole classes of work where AI or agents is doing all of that work for you, then I think it actually becomes really transformative.

Caleb Sima: Can I ask, like, you know, in AI SOC, you know, that is for sure one of the hottest topics.

Yep. Here, like if I were to count when I was, you know, sort of feeling it out, everything right now is AI SOC. Yep. Mm-hmm. Right. I would say AI code analysis. Yes. And agents, everything. Anding as well. And

Heather Ceylan: vulnerability management. And vulnerability manage

Caleb Sima: red

Ashish Rajan: teaming somewhere in there as

Heather Ceylan: well. Yes.

Red

Caleb Sima: teaming. Yes. Yes. Although I feel, uh, smaller in the fringe area. Oh yeah. Than these, like larger, but, uh, okay. Take AI SOC. So everyone's sort of doing this. Have you now in your organization implemented AI SOC and what have you seen, like, let's get to reality like, hey, what, what were you doing before?

How do you see it now? And did it work that the way you expected it to?

Heather Ceylan: Yeah, so we definitely had a lot of good learnings along the way and it. You know, it's not like we [00:06:00] implemented this and it was just perfect magic out of the gate.

Caleb Sima: Magic. Wait.

Heather Ceylan: It doesn't work that way. It doesn't work that way.

Caleb Sima: I'm pretty sure every vendor says it works that

Ashish Rajan: way.

And like hundred, hundred percent accuracy as well. Every single, there's no false positive. Totally, totally.

Heather Ceylan: Yeah. Yeah. No, it's, it's been a journey. We've been on this journey for almost a year, actually. Okay. Um, this started right before I, I came to Box and we really kind of accelerated once I joined, but we're, we're at a place right now where AI is actually triaging about 30% of our, 38% of our tier one alerts. Okay. So if we're actually seeing meaningful value, meaningful progress. But it took a while to get there, right? We had a lot of learnings around, we talked about this at one point, but AI likes to be really creative, right? When you're, yeah, engineering prompts and AI can often sound right and be confident, but it's also wrong.

So we had a lot of learning to do and how do we actually engineer our prompts to be much more deterministic? And really provide, it's almost like you're, uh, coding a policy engine and providing those very specific guardrails. So AI doesn't hallucinate, you have to have [00:07:00] grounding.

Caleb Sima: You have to have grounding,

Heather Ceylan: right?

Because it, it's trying to be helpful. So what it's gonna try to do is it's gonna try to, if there's holes in the information, it's gonna try to fill that in. So you have to explicitly instruct it. Yes. Not to do that because in security you cannot get these things wrong.

Yes. Um, and you cannot sound right and be wrong.

Caleb Sima: Yeah. I'd, I'd also like to point out something here that I feel like our audience should know, which is you are, uh, a real CISO with real problems dealing with this in a practical world. And when you sit there and say, Hey, we've been able to take 38% of our tier one alerts, and being able to reduce those through ai, that's a real number.

That actually is meaningful to you versus what I feel like the expectations are is if it, if it's not doing 80% or 90% in AI, like, isn't that what people are telling me? Isn't that what vendors are saying? Yeah, but understand like actually 38% is meaningful in the real world. Makes a huge difference because you can't go and say, well, oh, 90% is what AI is gonna do, and then put a product in there and say, well, it doesn't do that.

It's not worth it. Yeah. Which by the [00:08:00] way, I hear a lot of,

Heather Ceylan: I was just gonna say, and ultimately like that's not what we're trying to measure, right? We're not trying to measure is it cap. Is AI performing X percent of alerts? It's how much time is it actually freeing up and what are the outcomes that it's actually producing?

Yeah. So we're working on better measurements for how do we, how do we capture that? But the ultimate goal is to free up analyst time so we can be better and we can be more proactive and actually do things that we're not already doing today.

Caleb Sima: So almost like measure it in an an outcome of man hours Yes.

That are available Yes, that get saved.

Heather Ceylan: And what are the new things that we're doing because. Yes. Now we've eliminated this whole class of work.

Caleb Sima: Do you think that AI is at a point in your experience where you can start valuing at head count saved?

Heather Ceylan: That's not, we might be able to get there, but that's not really our ultimate objective.

Our, it's not necessarily head counts saved. It's more of what are we doing with that additional time? Okay, so it's like man hours saved. Yeah. But then how are we repurposing those? How are we reinvesting those? Okay. Okay. Because we still need like the humans in our SOC. That is a very critical, important layer, [00:09:00] but it's, they don't have to waste their time analyzing email headers for phishing emails, right? Because AI, we have, now this agent that does that for us, and it does it really well, arguably better than human, than our humans, and makes fewer mistakes than our humans. So. Now that they're doing, that they can be doing, they don't have to waste their time with that.

We all have stuff we do in our jobs that like, man, it would, if I didn't have to do this, I could do so much more. And that walk's kind of how we're looking at It

Ashish Rajan: could walk, you could walk, you could walk the floors and walk.

Caleb Sima: That's, that's what, that's

Heather Ceylan: what I give you the

Caleb Sima: time to do is walk the floors.

Ashish Rajan: I was gonna say the 38% that you were saying is a bit of a balance of trust as well where Yes, the understanding is.

That. Oh, AI hallucinates. And to you what you said as well. Yeah. You don't want one alert to be a false positive today and five seconds later is like, actually I think it's a true positive. That's a quite a big difference for an actual incident and the risk it carries. Yeah. What was the, how did you guys get to that comfort level where you were able to say, oh, 38, I'm good with 38% and, and you can basically, I'm also curious, was that [00:10:00] because of a product or did you guys do it in-house?

'cause there's difference of what You said

Caleb Sima: buy versus build.

Ashish Rajan: Yeah, buy versus build. Yeah. Whereas, there's a whole argument about it, but I'm just curious. A how did you build the trust towards that 38% and what was the building thing like towards

Heather Ceylan: it? Yeah. Yeah. So it takes time. Yeah. It does not happen overnight.

Yeah. I, and it's, and it happens very organically, right? Analysts you know, we build the prompt and they start looking at the results, what the agents doing, how it's making decisions. And human is very, very heavily in the loop on those at the beginning. And then over time as, uh, you train the agent better, you learn from the mistakes that it's making.

Caleb Sima: Yeah.

Heather Ceylan: Over time you just become naturally more confident and you start seeing, okay, I, nope, agent made this decision. This is exactly what I would've done. And when you have that confidence built, you know, time and time again, it's

Caleb Sima: like vibe,

dirty,

Heather Ceylan: alert, after alert.

Caleb Sima: Yeah. You're like. Uh, all permissions dangerously accept all permissions.

Yo, yellow wood. Yeah. YOLO mode.

Heather Ceylan: And you have to start out with like very low risk things. Right? [00:11:00] And we, we still have a human in the loop on everything. There's certain areas where it's like, we're pretty close to being able to take a human outta the loop on certain things because our confidence level has gotten so high.

And now we're thinking about what that means. If we for some of those more inconsequential decisions, if we take a human out of the loop, do we still need to like review things and aggregate on the backend. And so we're working through what that looks like. Yeah. But we're, we're on that path.

Caleb Sima: Buy versus build.

What?

Heather Ceylan: Yeah, the buy versus build. So we have you know, there's lots of areas where we're using agents. A lot of those we've built internally. Some of them we bought. So this one is actually incorporated into our SOAR product. And so this one we, we already had in our product, this one made sense for us to buy.

Yeah. Um, in terms of, there's a lot of stuff though that makes sense for us to build. One of the things I was, you know, just saying on a panel earlier today is that space is changing so quickly.

Caleb Sima: Yep.

Heather Ceylan: And the problem that we were trying to solve yesterday is not the same problem we were trying to solve today.

Yeah. And so a lot of time, I think for now it makes sense for us [00:12:00] to build a lot of these things as we learn and as we grow until the market like figures out what is needed and everything matures a little bit. So we're a little bit in a mix of the,

Caleb Sima: it's almost hesitation on buying. Thing in the sense because we just, we feel it's moving so fast in the build that Yeah.

If we am, tell me if I'm right, but like if we can build it even at 70%

Heather Ceylan: Yep.

Caleb Sima: And get it, like that's a, that's enough for us to say let's not buy

Heather Ceylan: Exactly. Yeah. Until, until there's, uh, vendors out there that are doing it materially better. Yep. Or if they, um, if they've built something that, like my team can't vibe code in a couple of weeks.

Caleb Sima: Right, right,

Heather Ceylan: um, which

Caleb Sima: is that that gap is getting smaller

and

Caleb Sima: smaller. Yes.

Ashish Rajan: Yeah. And I guess to your point, if you are, if you have a team already that can't, that is capable and open to it as well. 'cause a lot of people have the challenge that, oh, my team doesn't want to adopt ai. Or they don't. Yeah.

Heather Ceylan: There's

Ashish Rajan: a

Heather Ceylan: lot of organizations that just don't have, they're not engineering organizations, so they don't have the. Ability to build a lot of this stuff in house.

Ashish Rajan: That's right. But do you find [00:13:00] that, were there other areas outside of SOC as well where you found, or at least even if you're not using them, but there are benefits where, what you were saying earlier, the sentiment seems to be we have AI SOC is the top of the ladder at the moment in terms of what people would hear the GRC use cases or

Caleb Sima: management?

Ashish Rajan: Yeah. One, three management. All these use cases. And a lot of people obviously are trying to separate the same 80 to 90% accuracy Question here as well. How much of it can be applied to other parts of cybersecurity? 'cause you're building a whole program.

Heather Ceylan: Yeah.

Ashish Rajan: So just one component of it. Are you seeing similar least?

Caleb Sima: What's your next targets? Is that sort of

Ashish Rajan: Yeah, if it's already, I didn't wanna ask. It's already happening if you didn't wanna share it. But yeah, if you are sharing it, I would love to hear as to what are you seeing as other parts in your organization that, oh, this is good enough for me to start building something here.

Are there things you found?

Heather Ceylan: Yeah, there's, there's a lot of different areas. Some of the ones we, you just mentioned. I think the one I'm most excited about and the one that's probably the most critical for us is all of our, if you take the concept of like security architecture, security design, reviews, as products get built, how are we making sure engineering is [00:14:00] building to the right security requirements and building security in from the ground up?

Yep. And I think this is an area where like if we don't make this transformation, we're going to totally fail and we're gonna become irrelevant. The security award. Yeah. Because when you think about it, security architecture has always been designed for humans to consume it. You are designing requirements.

Engineers build to the requirements. You're looking at PRDs, you're building architecture diagrams. Engineers aren't writing the code anymore. Agents are writing the code. So you have to design those outputs to be machine consumable. And if you're not designing those outputs to be consumable by agents, then how do you fit into the software development lifecycle?

You

don't.

Caleb Sima: Is what you're doing now focused on how do we get AI to do the automated sort of architecture security review Yep. In dev and then

Heather Ceylan: Yep.

Caleb Sima: Then go and produce it.

Heather Ceylan: Yep. So as our development team builds out their Agent X software development workflow all the way from, how do we design products, build PRDs all the way to deployment, what are the security agents that go along with that?

Yeah. And guide that with our security [00:15:00] requirements. So taking the PRDs, the architecture diagrams, I think one of the great things coming out of this. You know, vibe coding, spec coding, whatever you wanna call it, is you start to get really good, well thought out product requirements, documents, which is right.

In security, that's what we've always wanted and never had. Yeah. Um, so you start to get some of those and those, and

Caleb Sima: hopefully code that matches those documents because Exactly. It's built by ai, built by this to match it, but yeah.

Heather Ceylan: Yeah. Hopefully. Um, but then how do your security agents play into that and then.

You're not just informing security requirements at a point in time during the software development lifecycle, the agent has those requirements. So as things iterate, as things continue to get built, it's continuously applying those security requirements.

Caleb Sima: You know, one other thought I've had, I don't know if this is something that you guys are also thinking about, but when I also think about sort of.

Threat modeling and security architecture review. We've also had this mindset, of course, well, in the old world of, when software is built at the PRD, at the design phase, this is when you do it. There's obviously an addition of scale now where you say, let's add AI [00:16:00] and agents to do this quickly.

As the product evolves, you continue to do this, make it consumable. But there's also this aspect to me about in existing architecture and in my legacy, things that are running in production already. The networks that are built, the configs, the applications that are running like. At this point, we should also be able to have agents that live on live, oh, we just got this third party SaaS, do a threat model review, do an architecture review dynamically compare it to the rest of where it's sitting inside of my organization and infrastructure.

Do a threat model review. And then can you also start doing this on even live production so that this also continues to keep in sync? Yeah. What do you think about that?

Heather Ceylan: That's. Super important. And that's one of the things that AI gives us the ability to be able to do a little bit better is like our environments are changing.

They're so dynamic. Yeah. And they're changing so quickly. Everything's ephemeral. Yeah. Services are getting spin up, shut down. And so to be able to continuously adapt and continuously update that threat model Yeah. Is so important. And especially on the third party side, like I think there's so much [00:17:00] opportunity there.

I think we all know like third party risk management, ask any CISO third party risk management has been broken for.

Ashish Rajan: We love

Heather Ceylan: it forever.

Ashish Rajan: We love it. Everyone

Caleb Sima: trying to solve it right now and it's not working.

Heather Ceylan: Yeah. '

Ashish Rajan: cause we haven't even spoken about the AI in those third parties as well. I mean,

Heather Ceylan: yeah.

Ashish Rajan: Even before AI was, uh, became a thing, it has been a problematic area to begin with.

Mm-hmm. But now we have at the added benefit of it, AI flying it itself. I'm curious to what you said about the legacy sounds weird to call it legacy, considering it just three years before

Caleb Sima: Yeah, yeah. You know, like, you know, but you know, things that are not in your purview of design review. Yeah. You know that were old school.

Yeah.

Ashish Rajan: But, but. I do want to bring it to a practicality sense as well. 'cause a lot of CISOs are probably listening or watching this. They probably won't have the question for what do I need as a framework within my organization to even start doing this? Mm-hmm. To what? To what I, what both of you said and what general sentiment has been.

It's hard to plan for say, even though I may be here trying to figure out my 2026 security plan, I don't know if it'll be the same in six months. I'll just get back home six weeks. Oh, six weeks. I'll go back home in a flight and [00:18:00] by the time my land is already a release that has changed everything, I would not know.

Right. So. What's like the, how are you approaching the framework on building security programs that enable you to say, okay, yeah, now I've done SOC I can do the threat modeling after GRC, after. Like, how are you approaching that thinking?

Heather Ceylan: Yeah. I think for us that that's where we've made a lot of progress over the last six months is we were doing a lot of experimentation Yeah.

All last year. And we encourage teams to do that. Like find different ways to use AI, how can we make us better? But when you start experimenting very broadly and widely, you kind of lose focus. Yeah. And so what we were trying to do with these, you know, five transformative AI areas was, that was something we started internally and we said, what are the things that we think are really gonna be transformational for security?

Not these side projects, we're doing more than just these five areas, and we're doing lots of other things here and there, but these are the five that we think are truly gonna transform how we work. And these are really where we need to put our resources in our investment. So I would start with, you know, rather than trying to tackle everything, what are those [00:19:00] areas that are either like gonna help you so much that you have to do?

That will really like provide you a lot of efficiency gain right now? Or what are those things you have to do now? Um, or you're gonna get left behind. Uh, some kinda like security architecture discussion we are having.

Caleb Sima: Yeah. Yeah.

Heather Ceylan: And what are the things that you need to do to keep up with the adversaries and what they're doing?

So that's kind of how we looked at it and we said, what are those things that are gonna be. So critically important, and that's where we should pour our investment, our resources.

Caleb Sima: Can you ask what are those things? What, what sort of that list of things?

Heather Ceylan: Yeah. Yeah. So the first one was AI SOC. That's the one where we're probably furthest along.

The other one that kind of ties closely to that is threat intelligence and detection engineering. So using AI to kind of close that intelligence. To detection gap. Yeah. Where you have AI creating those detections for you. This is validating to my heart by detections. Yes. We've had lots of discussions.

Caleb Sima: Yeah. We have lots of discussions. This is very close to my heart. Yeah,

Heather Ceylan: go ahead. Yeah. Uh, third one is vulnerability management. So using AI to get better context and better attack path mitigation. Because I think the thing we've all seen with AI powered attacks is that [00:20:00] time to exploit window is shrinking.

Yeah. Dramatically. That's like the numbers, six hours. Hours. The numbers change day to day.

Ashish Rajan: Right.

Caleb Sima: Six hours is what the latest

Heather Ceylan: CrowdStrike told me. 29 seconds yesterday.

Ashish Rajan: I was gonna say that,

Caleb Sima: I don't know, zero day clock. I go by zero day clock.com.

Heather Ceylan: It depends on who you talk to, but um, but yeah, it's getting, it's.

Shrinking exponentially. Yeah. And you can no longer be on this path of like, Hey, we're gonna remediate critical vulnerabilities in 10 days or 30 days. It's like you gotta cut that attack path off immediately. Yes. You still need to remediate it and you still have compliance requirements you have to hit, but you gotta do it within hours, not within days.

Ashish Rajan: One of the things people have struggled with is the adoption as a whole. So one of the conversations that I've had with people is that I have all the enterprise license to OpenAI, Claude, whatever.

Heather Ceylan: Yep.

Ashish Rajan: And it's the. I dunno if it's some motivation, but getting people to adopt AI is also a challenge for a lot of people.

And maybe because I may have been a Java person for such a long time, I just feel uncomfortable talking about Python or whatever is the reason to insert another reason for why I don't wanna change. I'm curious as to what's your recommendation to other people [00:21:00] for, I guess a, I love the example that you said, no, don't be left behind, but what have you found as a way to encourage more team members to start adopting AI?

Thinking about use cases? Not boil the ocean in the process of, uh, building use cases. I'm curious if you tried any experiments or you,

Caleb Sima: or is there is or is there motivational things that you can do that? Yeah, I mean,

Heather Ceylan: it's interesting. I've gotten, uh, this question from a lot of CISOs that are like, you know, our SOC is a little bit hesitant to transform because it's.

Analysts may view it as it's taking their jobs. It's so, and they're a little bit hesitant. We have not experienced that. Part of it is, I think Box is very AI first company across, like everybody has to use AI and you know, it's just a very AI first company, which is great. But also I never fully understood the hesitation because for SOC analysts, like, they don't like doing that work that AI is doing right now.

Like they don't wanna sit in the alert queue every day. It's actually much more exciting for them if they can learn those. Skills on how to build the agents to do that work for them. Then they can go do the more creative work, the threat [00:22:00] hunting work that is actually higher level work and helps get them to the next place.

Now, I think the concern about like how do you train the next, tier one SOC analysts? Yeah. That's, that's a very real concern that I don't think we've solved yet. Yeah. There's been nothing but excitement from our team and trying to think about how do we work ourselves out. A boring job, boring

Caleb Sima: I don't suffer from that problem

So the other CISOs are good. They're the ones that have to figure that out.

Ashish Rajan: It's you,

Caleb Sima: sorry.

Ashish Rajan: Yeah. Well, I'm, I'm curious, are you, the way you are hiring people, has that changed for you as well? Then there's another sentiment that's been coming up in what a lot of conversations is that people are hiring differently to what they were hiring, say six months ago, one year ago.

They're for the same teams. The expectation is a lot different. Are you looking at hiring differently as well?

Heather Ceylan: A little bit. I mean, the skill sets might shift Yeah, a little bit. But to be honest, we're at a point where like everybody's kind of learning these skill sets. So when I'm hiring, I actually, it's less important to actually have.

Done a lot of the transformational things that we're doing. It's more important that we have someone who has the right skillset and who really [00:23:00] is gonna like push us forward in how we think about things. And if you have that energy and that drive for how do we think about things differently?

Ashish Rajan: Yep.

Heather Ceylan: That's what.

We're looking for.

Ashish Rajan: I thought you,

Caleb Sima: uh, she by the way, only went through three out of the five.

Ashish Rajan: So yeah, we should

Caleb Sima: finish,

Ashish Rajan: but one of the other

Caleb Sima: two, we'll have to recap it in in the podcast. Yeah. There's SOC

Heather Ceylan: detection,

Caleb Sima: engineering

Heather Ceylan: detection, engineering,

Caleb Sima: vulnerability management,

Heather Ceylan: threat intelligence, vulnerability management.

Um,

Caleb Sima: threat intelligence was in detection engineer. Oh yeah. Maybe it's,

Heather Ceylan: no, no, that's right. Um, and then the fourth one is security architecture and design reviews, which we talked about.

Caleb Sima: That's right.

Heather Ceylan: And the fifth one is continuous. Pen testing or continuous adversarial validation is what we're approach calling it.

Ashish Rajan: Continuous pen testing. How are you approaching

Heather Ceylan: it? Um, we, so this is one where we are looking to buy

Ashish Rajan: Okay.

Heather Ceylan: Tools and I will say the amount of POCs we've done Yeah. Is. Literally insane. Yes. We, there's a lot of, there's a lot of noise out there and this is one we didn't wanna do it just to say that we do it right.

Right. If we're gonna do this, it needs to [00:24:00] actually provide meaningful value. Yeah. And it needs to provide better results than what our human pen testers are doing. Yeah. And I wanna clarify this one. This doesn't replace, like, we have a dedicated offensive security team that is still gonna be doing their, more the creative, you know,

Caleb Sima: this allows to, the, the continuous allows 'em to, to, you know, go and automate a lot of their stuff while they focus on the deep things.

Heather Ceylan: Exactly. Similar to your so hours. Right? This is, and this is a lot of like the pre-release stuff that a lot of teams offensive security teams just moved away from doing because it holds up release cycles. You know, you do like a two week pen test, now you're holding up the release cycle. You find something big at the end and you have to go back.

So continuous

Caleb Sima: regression testing on new ones. Like, oh, we found these vulnerabilities previous in this, yeah, we should check it again. Like offensive teams don't want to do that. Exactly.

Ashish Rajan: This two warning that Exactly. It's too boring. That what? Yeah. But do you find. I'm curious, where do they fall off? That May made you go, not for us.

Caleb Sima: Yeah, yeah. Or actually, or Yeah. What's the, yeah, give us the,

Ashish Rajan: you don't name companies. I, at least companies. I'm curious as to how are you going? 'cause you obviously you're, you're doing quite a bit of [00:25:00] it. Yeah. You've seen other parts of your organization adopt ai, so you kind see what's possible. So when you looked at all these POCs that you did, what was something that, 'cause actually that, you know, you could see, you could see through the smoke, I guess.

Heather Ceylan: Yeah, I think the ones where it's actually creating more noise. 'cause as security teams, especially product security teams, like the last thing you want is more noise. And that's one thing, you know, when human pen testers, you have your security engineers doing this, they understand the context, they understand the attack surface.

And so having agents that can, first of all, they need to be able to understand the attack surface better than humans can. Yeah. And I think they can do that in some instances and they can detect changes to the attack surface more quickly than humans can in on that continuous basis. So that's super important for us.

And then just being able, like I said, find things. It doesn't do me any good to find things that like my humans already find with their automated, with the tooling that they have today.

Caleb Sima: Right. I don't need another scanner.

Heather Ceylan: Yes, exactly. So how do you, how are you separating yourself from like a, another dynamic analysis scanner?

Caleb Sima: Can I ask you maybe in a different, what [00:26:00] have you seen? So out of all these things that have disappointed you, right? That you're like, man, okay. And then what are, you know, maybe the opposite question of that is yeah, the things that you say what, wow, you were kind of like impressed.

Heather Ceylan: I think the thing that disappointed me, most and this is less a tooling thing and more of a, you know, just how it's approach thing, you know, a lot of the companies, a lot of the kind of, 'cause most of these are like early stage

Caleb Sima: yes.

Heather Ceylan: Companies. A lot of them came with just like, oh, hey, look at our tool. Here's what it does. Like no one asked what problem we're trying to solve or like, where are we struggling? Where have other past POCs failed? What weren't we happy with? Like all these questions that we were just talking about today.

Caleb Sima: Yep.

Heather Ceylan: That's probably like the most disappointing.

Caleb Sima: The The disappointing. Yeah.

Heather Ceylan: Because one, like how are you gonna help me if you don't understand what problem I'm trying to solve? Yeah. Right. And two, that's just a really missed opportunity for some of the startups out there to learn about the problem space you're trying to.

To solve

Caleb Sima: and then massage their messaging to you to clearly angle towards the problems. Exactly.

Heather Ceylan: It sounds so basic, but um, yeah. And

Ashish Rajan: what's, what's excited you about something you found?

Heather Ceylan: I think [00:27:00] what's exciting is especially a lot of these new AI startup vendors, there's. They're very passionate about what they're doing and what they're building, and that's really refreshing and exciting.

And when they actually are like solving a new and novel problem space, that's what gets me more excited. It's are you building something that like, CrowdStrike's not gonna build, or Palo Alto Networks isn't gonna build in the next, you know, quarter.

Caleb Sima: Yeah. Fair.

That, yeah. That's a hard question.

Yeah. That's gonna becoming a harder and harder question to answer. Yes.

Ashish Rajan: Uh, we had a conversation yesterday. We were talking about if the code is now being created and putting, put straight into production, if that's a new form of code, we are moving towards, what's the point of a CI/CD pipeline?

What's the point of a static?

Caleb Sima: Where is this topic? Why? I've heard this multiple times today. Well, or in the conference that there's no CI/CD anymore. I don't understand. Gimme

Ashish Rajan: are, think where, so where are they going with this? Is that, say as. The fund foundation was maturing with the code.

Caleb Sima: Yeah.

Ashish Rajan: Lovable.

And so the world are also maturing. Those prototypes, I'll just say prototype for now. Those at the [00:28:00] moment stand where you would not put down your production straight away because A, the person creating it may not have No how define what production looks like. 'cause you know, I just go, I just want to prototype for whatever X product card

Heather Ceylan: Yeah.

Ashish Rajan: X that I'm making. The argument that they're making is. Slowly as foundational models improve, like thought codes improve. Mm-hmm.

Heather Ceylan: Sure.

Ashish Rajan: The other part, comport should improve as well as they continue to mature. Their understanding is that we would get a stage where when we have a perfect PRD, it should be high quality code that comes out of it.

That could go straight into a, at least a pre-prod environment without the need for us. Without a CI/CD pipeline.

Caleb Sima: Well, see, this is where I'm confused at. Yeah, I'm confused because these feel like two very distinct things. A CI/CD pipeline has always meant to me, this is your gateway to production.

Heather Ceylan: Mm-hmm.

Caleb Sima: Right? So you can build perfect code.

Ashish Rajan: Yeah.

Caleb Sima: It doesn't mean that it goes well. It it to go straight to production. It still has to go through the CI/CD pipeline. Yeah. In the sense that, hey, this thing is built. This thing goes through gates. It gets tested, it gets reviewed, it gets analyzed. It gets pushed into the infrastructure.

Yeah. It has all the operat. You can build

Heather Ceylan: perfect code that's [00:29:00] still gonna break something. Exactly.

Ashish Rajan: The question is a paradigm. Are we thinking about this wrong way? Mm-hmm. I mean, the question is the fact that are we thinking about new problems for the song same, or things we knew from before? That's where they, they're challenging this, and it's not saying it's gone away.

It's more saying that these are newer problems, new kinds of software. We see a software is being developed, but obvious, still trying to map that to what we know from before as the way forward. That's kind of where the arguments coming from. It's not from the fact that, oh, it's not

Caleb Sima: required. Yeah. I mean, engineering or the building of apps has changed.

Now is the question is how we get them to production. Is that going to change? Yes. Yeah,

Ashish Rajan: so that's where CI/CD is no longer. Okay. Relevant. That's why SaaS is not relevant. Uh,

Caleb Sima: no one has said it is no longer relevant, but something may change there.

Ashish Rajan: That's right. We just don't know what it is. We just know that people want to put this into production straight away and because

Heather Ceylan: I also think. We're far from being able to write perfect code.

Ashish Rajan: Oh yeah. Oh yeah. Yeah. I mean

Heather Ceylan: that is, um,

Ashish Rajan: yeah I'm glad you added the caveat. Yeah. Alright. I mean, we can be sitting in Silicon Valley and talk about the future.

Heather Ceylan: Yeah, yeah. I have, uh, you know, in [00:30:00] practicality, it, it sounds right.

It sounds like AI should be able to do that. It should be able to code without vulnerabilities. It should be able to understand what's happening downstream eventually, and put all that back in. We are so far. From being able to, that's not to say we'll never get there.

Ashish Rajan: Yeah.

Heather Ceylan: But again, it's that confidence thing.

Until AI is consistently writing code with no vulnerabilities, with nothing that can be exploited, no bugs, like no bugs,

Ashish Rajan: only features,

Heather Ceylan: only features that work perfectly and don't break anything. That

Ashish Rajan: t-shirt is no bugs. Only features,

Caleb Sima: like to me, like, uh, actually, you know, the way I angle this is because of AI coding, the CI/CD cycle becomes even more critical. Yes. 'cause what generally is in the CI/CD is you have boundaries, bumpers, you have consistency. These things, checks and gates that are in place, that the more AI coding occurs, the more crazy it becomes. Yep. The more tighter this pipeline going to prod should become. Yeah, exactly.

Heather Ceylan: And as we saw earlier this week, the identity [00:31:00] of the pipeline. Yeah.

Caleb Sima: Yes. Yeah. You know, this is like, it's funny you bring that, 'cause I've been hearing this. Through this week about this? Yeah. Yeah. And there's no, and I just like, I'm so

Ashish Rajan: confused when I dug into it, what I took away was that where the question is coming from, obviously this to what you said as well, not everyone's there.

Caleb Sima: Mm-hmm.

Ashish Rajan: But are we, if we are not producing the code the same way as we used to, being a software engineer is not just a, I have an engineer title. I produce code. I could be a product manager producing code. I could be a UX person producing code. They have no idea what CI/CD, they have no idea what production is, but just,

Caleb Sima: yeah,

Ashish Rajan: I just wanna make it available to Caleb and everyone else who's on my customer base.

I don't care how it gets there.

Caleb Sima: Right. Production is just a link that now gets shared everywhere,

Ashish Rajan: literally. Yeah. It says Share link. I go share link and I pass it to my friends and customers and everyone.

Caleb Sima: Yeah. Actually I have a good question for you as so like, you know, there is this world now where obviously we're talking about engineers and software engineers.

But now the workforce is starting to become, quote unquote, engineering, right? Mm-hmm. Oh, I can now use Claude [00:32:00] Code at work. You know, not Claude Code that is, but Claude at work, the app. Mm-hmm. Or like Perplexity computer, if you haven't seen or used that. Yeah, yeah. Yep. So now the AD for everyday person can build their own applications, produce them, and they, they do need a way to share them.

And so now there is no equivalent in the workforce of a CI/CD pipeline.

Heather Ceylan: Mm-hmm.

Caleb Sima: Right? Where in engineering we've got those gates. Yeah. We're used to this. This concept, do you see this? Do you think that has to then be created in the workforce? Or are you seeing this even happening, is maybe a bigger question.

Heather Ceylan: Definitely seeing it happening, and I kind of equate it back to the SaaS sprawl, the early two thousands, right? Yes. You are taking applications out of it, putting them into the business. Now we're doing very similar, like the business is actually not just buying their own applications now, but they're actually building,

Caleb Sima: building

Heather Ceylan: their own applications.

So giving them a, yeah. Secure and safe way to do that

Caleb Sima: Yeah.

Heather Ceylan: Is really important. And you know, for us, a, a lot of the internal development is actually happening on Box. We have a platform for developing agents. So a lot of the stuff that our [00:33:00] business units are doing are, is on Box, but there's some stuff that's not on Box, right?

Yeah. And you have to make sure that they've got the right guardrails in place and only doing it through approved tools. And that's a real challenge. And you know, I talked to a lot of CISOs this week. Everybody's facing this challenge because one day, Claude Cowork is, is the new thing. And the next day it's Perplexity, and then right.

Ashish Rajan: OpenClaw is another one

Heather Ceylan: we're not gonna talk about. Open.

Ashish Rajan: I, I, I touched the know there.

Caleb Sima: I've had enough.

Ashish Rajan: I, I mean, we are going to a meetup after this for OpenClaw, like,

Heather Ceylan: um. But yeah, there's all these new things and you know, someone talks to a friend at another company, they use this tool to do that. Now they wanna use this tool to do the same thing.

And again, it's this line that we always have to toe with security is like, how do you balance letting the team innovate and experiment without letting it go too far and with the right guardrails in place. So we're investing a lot in like sandboxing, and how do we allow [00:34:00] for some of that safe experimentation?

Because we're in a world right now where it's, it's really hard to make long-term investment decisions and like, yes, we're gonna invest. In Claude Cowork for the whole company, and that's gonna be our go-to for the next two years.

Ashish Rajan: Yeah.

Caleb Sima: Yeah. That's a

very

Heather Ceylan: difficult change.

Caleb Sima: Yeah. In

Heather Ceylan: a week.

Caleb Sima: Like how like, and I've talked to a lot of CISOs also about this problem, and they don't really have a clear answer as to.

The person in marketing who actually did create a nice app that solves a really customized flow problem for them, that now needs to be shared between finance, marketing, mm-hmm. And someone else. Where does that go? How is that managed? Yeah, and I have not, like, I haven't seen anyone actually I talked to, they're like, we don't know what that answer is right now.

Yeah. The closest I've heard is. You need some equivalent of like an app store. Yeah. Right. In in the, in the workforce. They're doing app store as well. Yeah. Yeah. That does this. But you know, no one's got answers on this.

Heather Ceylan: Yeah. Our approach is to, we've been almost like treating them like applications, right?

Yeah. And I, I think the challenge again is. There's been so much [00:35:00] experimentation and it's like, which agents are we actually going to invest in as a company? So one of the things we did as a company is we, went through and said, okay, what is every department's like core agents? Yeah. And how do we get an understanding of these are the agents we're going to invest in.

And these are the ones that we're going to productize internally across the team. So then they can get the right level of like deployment, support it. Support, yes. Security,

Caleb Sima: yeah. Yeah.

Heather Ceylan: Support. Um, so that, that's kind of where we're starting. I wouldn't say we're all the way through that journey yet, but it's a, it's a very active problem we're trying to solve.

Caleb Sima: So I'd love to ask this hard question to you, which I think this is everyone asking CISOs this exact question, what is it that you are absolutely not going to build?

Heather Ceylan: I don't know if I have a very specific answer, but I think those things that there's certain things that other companies are always going to do better.

Like if you think about malware scanning for like your third party repo or your third party code, right? Like we're never gonna have the yes, we could open source some threat intelligence feeds and we could do that. We could, but that's [00:36:00] not really where we wanna spend our time. These third parties

Caleb Sima: are materially better in that.

Intelligence

Heather Ceylan: together. Exactly. They're always gonna have that, that capability that's gonna be better than us. Yep. Yeah. So that's where we definitely buy.

Caleb Sima: I had another couple CISOs, so here's some sum up of some of the answers, and I think one CISO said it best, which is, listen, like I am never going to build Okta, however, I'm open to replacing Okta.

Heather Ceylan: Yeah.

Caleb Sima: I'm never going to build 1Password, however, I'm open to replacing that. Yep. You know, so there are like things like I'm never going to, you know, build my crypto stuff, but I'm definitely open to them having something that's better that comes in place. Right, totally. So there's some of these like.

Core things that are like, listen, my team isn't gonna go build that thing. Yeah. But I'm definitely open to, uh, better versions of, uh, these things that exist. Exist. Yeah. And then in the AI native world for the next versions of it

Heather Ceylan: especially. Yeah. And especially things like when you're talking about what we're gonna deploy on users machine.

Right. Like I don't wanna deploy a bunch of agents on user devices. [00:37:00] The goal is to get fewer of those. So like if Yes. If there's an agent that can do it better than CrowdStrike Sure. And if they can do more things, but like you want a single agent to be able to do Yeah. Get the most out of you can.

Yes. Most you can. Out of a, a single agent.

Caleb Sima: The question is then, uh, do you feel actually, you know, do you feel that your security team should or could. Replace CrowdStrike on an end point.

Heather Ceylan: I think we're a long way,

Caleb Sima: we're a long way long away from that. We're a long, yeah. Okay. We're a long way for that.

Ashish Rajan: One of the hypothesis is that I've been getting into a lot of conversations have been the fact that as we kind of do the best, you've been putting on the five things

Heather Ceylan: Uhhuh and

Ashish Rajan: a a lot of other people have, were doing the same thing as well.

The idea that we spoke about the other panel as well, where the idea is that there would be an ecosystem of AI agents, AI capability will build inside our own security teams. Mm-hmm. Which would be quote unquote AI enabled, but vendors would just be this plug and play where, because yes, you would never give your internal context to say another third party.

Yep. It just does not make sense. But also at the same time, they cannot make something [00:38:00] that is really specific to box.com as well. Yeah. There is this juxtaposition of, the natural summation of this is that would be you also, and at least the way I see it, is that there would be, uh, the word being thrown around is harness.

But I would say it's more like we have then our, our, our own AI agent. Let's just say mega agent, whatever you wanna call it. Four security teams where each of the departments or each of the verticals has their own AI capability that plugs into any AI forward vendor that you may come across because they're the flavor of the season and they seem to be,

Caleb Sima: is this forward deployment model, is that sort

Ashish Rajan: of Yeah.

Forward deployment model, having your own personal software as a, like the, the security as your, as a software in the organization where you're connecting it to different vendors rather than, Hey, I am a XI don't know, EDR solution only. I don't do anything else. But then now I'm looking for a platform where I can do EDR, I can do AppSec, I can do whatever, but all I'm doing is me.

My internal context is with me, with my AI agent.

Caleb Sima: Is is this sort of like, um, this example of where, you know, today as [00:39:00] opposed to sort of like, these vertical, tell me if, if I'm going down the right path of what you're saying, which is I can come to you with this product. Mm-hmm. Like I know, let's pick AI SOC, this AI SOC product that has the interface, the thing it does this AI SOC product, and you're like, well, great. But you know, in reality we want to continue to build, wait, wait, we're entering the world of personalized software. Right? And so actually what I want from you AI SOC vendor, is I want all the Lego bricks

Heather Ceylan: Yep.

Caleb Sima: That are making up of the hard pieces of AI SOC, but then I want to be able to provide now my own build of the platform and the flow.

Ashish Rajan: Yeah.

Caleb Sima: That I can then use

Ashish Rajan: your, that's right.

Caleb Sima: Lego bricks. Yeah. You can come help me integrate that into my customized workflow that is now my personalized platform. But I don't need your very, you know, black box segment that's, I need your Legos behind.

Yeah. And then we'll, we'll connect the rest of the things we need. That's sort of what you're

Ashish Rajan: 20%, and we do this already with every software buy as well. We have to add our context for what's my high, medium, low. But they don't know that. Yeah. So I, and yeah, Lego Box is a great example of this [00:40:00] as well. Yeah.

They're, we're just building a, it looks like a plane from the outside, but the Lego pieces are maybe CrowdStrike bags or

Caleb Sima: something. Yeah. And AI SOC, the ven, the vendor may have a Lego brick that says, this is our threat intel, uh, Lego and I only subscribe to, and you can use it whatever way we want.

That's right. Yeah. Then I can sort of, I'm

Ashish Rajan: subscription. Because

Caleb Sima: gimme four. What's your thoughts on, on that? Yeah,

Heather Ceylan: I definitely think that's kind of the model we're moving towards. Um, I wouldn't say we have a fully baked out point of view on that yet. Yeah. But what we're, how we're thinking about it is if you look at, you know, one example like our software development lifecycle, right?

Yeah. We have different agents that are going to, do the design agents that are going to code agents that are going to do the testing and the QA agents that are gonna do the security design. Like all in the way we're thinking about that is. Kind of a plug and play model. Yeah. Whereas like we have some that we've built and there's some that we can buy, but we need, things are moving so quickly we need to be able to pull stuff out.

Add stuff in. Yeah. And like you said, kind of these Lego bricks approach, which Correct. Any security practitioner when they hear that like [00:41:00] cringes a little bit, we already have a like security Jenga in our tool stack already. But I think that's kind of where we have to be right now. I think if you're going all in on one thing right now Yeah.

Or on like a single platform right now, that's probably a mistake because we're still very much in this experimentation phase and there's still so much we have to learn. Yeah,

Caleb Sima: yeah. Yeah.

Ashish Rajan: Awesome. Well, unless you have any final questions, I have another round. Okay. Uh, she's been through this before, so we've got fun questions.

Oh boy. So I'll, I'll, I'll say this. So we have other issues. Wow. Thank you. Wow. Oh,

Heather Ceylan: fun.

Ashish Rajan: I would, as she does that, I will let you know that the crowd favorite has been crocodile and kangaroo, but there's feeder options too. So essentially it's like snack war. We have British and Australia snacks.

Caleb Sima: Wait, wait, wait,

Heather Ceylan: wait, wait.

You always come with food?

Ashish Rajan: Yeah, I mean, that's, that's my thing.

Caleb Sima: Wait, can I just, just to make sure I heard you right. So out of all of the things that you've done so far, you said everyone likes the crocodile

Ashish Rajan: and kangaroo

Caleb Sima: and kangaroo the

Ashish Rajan: best. Yeah. Some of them gone for both.

Heather Ceylan: Really? I don't believe that. I think

Caleb Sima: he's lying.

I don't believe this at all. We,

Ashish Rajan: we, I have video proof of [00:42:00] all of this so I can show you guys.

Heather Ceylan: Oh man.

Ashish Rajan: So caramel is what kids grew up in, in the UK with, uh, it's like, uh, do, uh, jam dos are also very British. Snacks. Okay. Shapes are very Australian. So she's Australian. Obviously this kangaroo, you, you guys can go against the grain and not take the crowd favorite, but.

I'll just be open and say,

Heather Ceylan: just don't make me eat Vegemite. Like you didn't

Ashish Rajan: bring Vegemite. Well, I think it's like a milder version of Vegemite, like a super mild version of

Heather Ceylan: Vegemite.

Ashish Rajan: Yeah. There is Vegemite crocodile or kangaroo. Oh, you can have both.

Heather Ceylan: He took the kangaroo, so I guess, oh,

Ashish Rajan: you should have both.

You can have that as well,

Caleb Sima: man. I don't know about

Heather Ceylan: it. Is this like,

Caleb Sima: okay, I just

Heather Ceylan: want like a

Ashish Rajan: Oh, it's jerky. It's, yeah, it's a jerky for, it's not an actual, uh, you wanna pass one if in case she wants to try the kangaroo as well.

Caleb Sima: It tastes like regular beef jerky,

Ashish Rajan: but before game, you.

You don't look happy?

Caleb Sima: I would definitely not happy. I definitely know [00:43:00] this is not the favorite. What was

Ashish Rajan: the crocodile

Caleb Sima: like? What? Did you like this one? No, not at all. Right. I mean,

Heather Ceylan: it's not horrible. It's not the worst thing I've eaten.

Caleb Sima: Okay. I'm gonna, I'm gonna,

you already tricked us already.

Ashish Rajan: Yeah. Well, let me ask you this. 'cause a lot of people said that it tasted like chicken.

Caleb Sima: It doesn't taste

Heather Ceylan: like chicken. It doesn't, it doesn't taste like,

Ashish Rajan: no, I mean, I'm talking with the crocodile, not, not the, not the

Heather Ceylan: roo. It doesn't taste like chicken.

Caleb Sima: I'm trusting it.

Ashish Rajan: Ah,

Caleb Sima: I'm not, these are the chocolate bars, right?

Ashish Rajan: Yeah. So this, I'm not gonna eat ball. You should, you should do. I'll have a

Heather Ceylan: Tim Tam.

Ashish Rajan: Yeah. Yeah, you should. You should go. You should. I'm going extras. You guys should try the Tim Tam Slam. You see

Caleb Sima: what I do with this? I took like a super tiny

Heather Ceylan: Yeah.

Caleb Sima: I'm not Pick it

Heather Ceylan: out. At least my mouth's not on fire

Ashish Rajan: saying you guys should try the uh, Tim Tam Slam some or extra Tim Tams.

Have you guys had Tim Tam Slams the

Heather Ceylan: Tim? Wait, what's the.

Ashish Rajan: So Tim Tam Slam is basically you bite it on each end, take a small bite at each end, you dip it into your coffee or chai or whatever, and you basically suck through it so it melts the chocolate as it comes through. Oh

Heather Ceylan: wow.

Caleb Sima: Okay. Now this,

Heather Ceylan: this, I can get behind

Caleb Sima: this.

This is good.

Heather Ceylan: Yeah. [00:44:00]

Ashish Rajan: Yeah, well that's, that's two. Or you can

Heather Ceylan: bring more of these.

Ashish Rajan: I have more of these if this works. I have more of these, but these works, these are, you, you, you start with the hardest challenge. You come to a sweeter art, but that's that. Alright, I've got three questions.

Heather Ceylan: All right.

Ashish Rajan: First one, what do you spend most time on when you're not trying to solve security?

Ai, ai security problems in the world, in organizations?

Heather Ceylan: Oh, I'm trying to survive my, my two young boys,

Ashish Rajan: but, but

Heather Ceylan: you draw, bike shop. I wish I could say I had some really cool hobbies, but, you know, I've got two small boys that keep me pretty busy. Fair, uh, and, and have a lot of fun too.

Ashish Rajan: Second question. Uh, what's your, um, what is something that you're proud of that is not on your social media?

Heather Ceylan: Oh, that's not on my social media. I don't know, like, to be, to be honest, I'm just really proud of like, surviving. I told, I told someone the other day, you know, I, yes, my work is, my job is crazy. It's busy. I love it. My home life is crazy. It's busy. I love it. And I'm glad I have one to distract me from the other.

Um, but yeah I'm just proud of. Survive. So

Ashish Rajan: surviving the chaos.

Heather Ceylan: Yeah.

Ashish Rajan: [00:45:00] Wine. The chaos. That's a good one. Yeah. Uh, third one. Favorite restaurant or cuisine you can show.

Heather Ceylan: Oh, my favorite cuisine. So my husband's Turkish that, so we eat a lot of Turkish food. So I would say Turkish food is probably my favorite best Turkish restaurant here in the Bay Area is Meyhouse.

In Palo Alto, so Wow. If you haven't had that there, you highly recommend it.

Ashish Rajan: What's your favorite Turkish dish? That is that what, what we uh,

Heather Ceylan: I probably don't know the names, so my favorite like meze appetizer is called Colu. Okay. It's like an eggplant yogurt, garlic. Sounds, sounds fantastic. Fantastic. If you go to Meyhouse, have it there.

Yeah.

Ashish Rajan: Lunchtime, uh, recommendation

Heather Ceylan: and then all the cheese. They have so much good cheese, so

Ashish Rajan: Yeah, we should, we should give a shout out to you and use that as well. You've been building the five bets actually. Why, why is it five bets? So is that the five bets we just spoke about?

Heather Ceylan: Yeah.

Ashish Rajan: Alright, that, so

Heather Ceylan: it, yeah, it actually started as exactly what I told you was like, Hey, we need to put some focus around all the AI stuff we're building and what's actually gonna be truly transformational for us.

So it started as a total internal exercise and we were like, Hey, maybe. We, we tend to I think we're pretty far [00:46:00] along in this journey compared to some of the, our peers that I talked to. I'm like, we should share what we've learned. Yeah, great idea.

Ashish Rajan: Like

Heather Ceylan: we've been building this stuff for a while and there's some organizations that are just starting to get their feet wet.

Like, let's share what we're doing and create a conversation. And that's, and we're gonna learn more from that too.

Ashish Rajan: Yeah. I'll put the link in the shorts as well, but we can be able find you LinkedIn.

Heather Ceylan: Yeah. Find me on LinkedIn.

Ashish Rajan: I'll put the, I'll put the link in there as well, but thank

Heather Ceylan: you. Thank

Ashish Rajan: you for coming on the show.

Really

Heather Ceylan: appreciate that. Thank you. Yeah, thanks for having me. It's always fun. Thank

you.

Ashish Rajan: Okay, all.

Heather Ceylan: All right. Thanks

Ashish Rajan: everyone.

Heather Ceylan: Thank you.

Ashish Rajan: Thank you for watching or listening to that episode of AI Security Podcast. This was brought to you by Tech riot.io. If you want to hear or watch more episodes of AI security, check that out on ai security podcast.com.

And in case you're interested in learning more about cloud security, you should check out a sister podcast called Cloud Security Podcast, which is available on Cloud Security Podcast tv. Thank you for tuning in, and I'll see you in the next episode. Peace.
