EP. 29 Building Cloud Assurance & Security in Financial Services with Sameer Airyil
About This Episode
Cloud Currents host Matt Pacheco sits down with Sameer Airyil, Executive Director of Cloud and Cybersecurity at JPMorgan Chase, as he pulls back the curtain on building and managing cloud security at one of the world’s largest financial institutions. From navigating complex regulations to embracing cutting-edge technologies, Sameer shares his journey of building a cloud assurance function from the ground up. Learn how his team balances innovation with security, handles the talent shortage in cybersecurity, and leverages automation and AI to streamline operations.
Know the Guests
Sameer Airyil
Executive Director of Cloud and Cybersecurity at JPMorgan Chase & Co.
Sameer Airyil, Executive Director of Cloud and Cybersecurity at JPMorgan Chase & Co., leads the cloud security risk and control assurance function. With over 18 years in technology and cybersecurity, he's an expert in cloud transformation, security strategy, and regulatory compliance. Sameer's career progressed from a technology analyst at ICICI Bank through various consulting roles, including 12 years at Deloitte. At JPMorgan Chase, he established and now leads the cloud security assurance team, applying his extensive experience in this critical role.
Know Your Host
Matt Pacheco
Sr. Manager, Content Marketing Team at TierPoint
Matt heads the content marketing team at TierPoint, where his keen eye for detail and deep understanding of industry dynamics are instrumental in crafting and executing a robust content strategy. He excels in guiding IT leaders through the complexities of the evolving cloud technology landscape, often distilling intricate topics into accessible insights. Passionate about exploring the convergence of AI and cloud technologies, Matt engages with experts to discuss their impact on cost efficiency, business sustainability, and innovative tech adoption. As a podcast host, he offers invaluable perspectives on preparing leaders to advocate for cloud and AI solutions to their boards, ensuring they stay ahead in a rapidly changing digital world.
Transcript Table of Contents
00:12 - Introduction to Sameer Airyil
01:49 - Building a Cloud Assurance Team
16:31 - Standardizing Security Across a Large Organization
21:10 - Balancing Agility and Regulation
25:20 - Automation in Cloud Assurance
29:35 - AI and Machine Learning in Cloud Security
32:40 - Key Cloud Security Concerns
35:45 - Future of Cloud Security in Financial Services
Transcript
00:12 - Introduction to Sameer Airyil
Matt Pacheco
Hello everyone, and welcome to the Cloud Currents podcast—the podcast that navigates the ever-evolving landscape of cloud computing and its impact on modern businesses.
On this podcast, we discuss big trends around the cloud industry like AI, cybersecurity, cloud cost optimization, addressing IT talent shortages and so much more. I'm your host today, Matt Pacheco and I manage the content marketing strategy at TierPoint, a small managed cloud and data center provider.
Our guest today is Sameer Airyil, Executive Director of Cloud and Cybersecurity at JPMorgan Chase. With over 18 years of experience spanning from hands on technology roles to strategic leadership positions, Sameer currently leads the cloud risk, cloud security, risk and control assurance function at one of the world's largest financial institutions.
Today we'll explore the challenges of building a cloud security assurance function from the ground up, discuss the evolution of cloud security in heavily regulated industries, examine emerging trends in cloud risk automation, and potentially talk a little bit about AI and your thoughts on that as well. So, Sameer, welcome to Cloud Currents. We're really happy to have you here today.
Sameer Airyil
Yeah, thank you Matt and I appreciate you guys having me here. I know this took a bit to organize, but glad to be here finally.
Matt Pacheco
Busy time of the year, so we're really happy to have you here. So, what I'll do is jump right in. Could you walk us through your journey from the start to where you are now working in the cloud security and ending up at JP Morgan?
01:49 - Building a Cloud Assurance Team
Sameer Airyil
Yeah, sure thing. I've not been in JP for long, it's just been two years. But I lead the cloud assurance team. I don't want to call it security because our role is much more than security in this team, but this team that I lead helps drive all the independent assurance activities that we do across the cloud ecosystem within the bank. Now what that means is we work with our first line partners, our core tech teams, product teams, to independently assess their cloud products, application deployments, identify potential risks and issues that we see in alignment with sort of control requirements, leading practices, et cetera, and bring that to the forefront. That is our key role, to bring that risk and control mindset to technology and help all our product teams, cloud platform teams, etc., understand what the risk is and be focused on it.
So when I joined JP, you know, JP organically always had, you know, cloud presence, right. It's not as if, you know, they just started two years ago, they always had sort of a cloud, you know, presence, whether as a private or a public cloud. Right. But it is probably two years ago when I sort of came into the picture that is when the bank decided to really focus on public cloud and cloud migration specifically. I remember reading in the papers our CEO Jamie Dimon saying, well, we need to focus on public cloud migrations because we want to utilize all the innovation that we have in the cloud. So that has been the focus of the bank to really invest in emerging tech, emerging capabilities and slowly utilize those capabilities to offer new and better services to all our customers.
At the same time, right as an assurance function, the overall team that we have within the bank, there was also a recognition that we need to shape our focus on what the product teams, the platform teams and the tech teams are doing. And that is why I came in to help drive and set that team up. I have honestly, I have to say before this assurance was not my primary sort of book of work, so to speak. I spent a lot of time before this, around 10 plus years in one of the big four consulting firms doing a lot of different things, everything from cloud security strategy architecture to standard vulnerability management program setups and regulatory issue remediation, a whole host of things related to cybersecurity. So, this is not something I was very used to, right, when I came across the role.
But I was at a point of time when I was looking out into the industry and trying to get into something different other than consulting. And this sort of landed in my lap, if you will, because again, the location where I am the role seems so unique. It seemed like too good an opportunity to pass on. So here I am, two years down the line. You know, we have a fully functional, you know, built out team and no looking back, I guess.
Matt Pacheco
So that's really interesting to hear and a really interesting background. I'm going to ask you a little bit more about the assurance team in a little bit. But you mentioned you worked at some of the bigger or within consulting firms in the past. How has that experience influenced your approach to your current role right now and leading a team?
Sameer Airyil
Yeah, I was expecting that question. The reason why I say that is whenever we do a lot of these recruitment drives and a bunch of these sort of drives where we want to get more talent in, the first question I get is how do you feel about getting to work in JPMC? So, I spent a lot of time in consulting. As you know, consulting is very dynamic. You have a lot of different roles to play as a consultant. You need to deliver, you need to sell, you need to manage your finances, metrics, a lot of things to do. So I loved doing consulting for that time. I did it for around 12 years, at least. The main takeaway I had from my role, doing all of those different things in those years, was around adaptability. Right?
You need to be quickly adaptable to whatever sort of that's a technical area that you want to focus on. Or this more sort of around orienting your personality to fit a particular role. It is about adaptability. Right. And once you're able to adapt yourself to the circumstances that particular role demands, I think it is much easier. It's all about preparation. It's about being ready for that. Right. And doing the right leg work to be ready for that. So that, I think, was my biggest takeaway from all those years in consulting. And obviously, what also helps us is because you do deal with a wide variety of customers. Right. And for a role I stepped into, like JP is like, you know, multiple different clients within the bank. Right. So you have so many different personalities, so many different teams.
So that experience really helped me because it helps to maintain a very common sort of centered persona when you step into this sort of a role where you may have certain difficult conversations with stakeholders. Right. And you need to be able to get the point across, but you don't need to be adversarial. So I think that really helps. The consulting background that I have, the ability to hold a conversation, really helps, and that certainly has held me in good stead in my role here.
Matt Pacheco
That's a really cool background and you can definitely hold a conversation, as you can tell right here. Excellent. So, it's really cool hearing about that and how it applies to your role. So, let's talk a little bit about the cloud assurance, because you mentioned a little bit about it. And I'm sure when you were building the team, when you started two years ago, there were some challenges. You just kind of talked about it with the personalities. But JP Morgan Chase is global as well. Like, there are a lot of functions I'm sure you have to work with and work across. What were some of your initial challenges in building that team from the ground up?
Sameer Airyil
Yeah, no, great question. You know, when I was brought in, obviously I knew we didn't have a standing team that I could take on and just drive to success. That was probably not the way the mandate was. What we had to do is the bank was on a trajectory for cloud modernization, and we, as an assurance function, had to keep pace with it. And the intent of us setting up this team is to give that additional focus that it deserves. Right. This is a critical topic for the bank and also for all the regulators and external stakeholders interested in the bank. So we decided as a function, as a team, to put more focus into it. I was the first recruit in the team per se, so to speak. So I had to bring in my own team.
I had to recruit a number of folks to join the team. So I think one of the first challenges is trying to get a lay of the land. I think was one of the first challenges I had. Even with all the experience. I worked in financial services for a long time. Right. I worked in multiple different peer banks of JP. Coincidentally, I've never worked for JP as a consultant. So that's the first thing I noticed when I joined JP. But then, you know, when you get into JP, you really get to appreciate the scale and complexity of the bank. It's across, I don't know, probably all the countries in the world, multiple different geographies, wide variety of business lines, so many different teams to deal with.
So getting to appreciate the scale and getting to understand the lay of the land was sort of fundamental for me. It took me a few weeks to just get to terms with it. Second, I think the other aspect that is critical is to bring the right people in. Right? Right. So obviously I cannot be successful myself within the role. You need a strong team that is invested in your success together to be part of it. And over the last couple of years we have scaled up the team. We didn't go gung-ho and just recruited a bunch of people. We decided we would be very judicious about who we bring in. So we have a pretty sizable team supporting the core sort of products and platforms we have in the cloud arena here now.
But we organically grew that over the last couple of years. And one of the challenges for me was being able to recruit folks who can balance the assurance mindset and also the technical depth. A lot of times I feel in this sort of function, the focus is on do you know how to do assurance? Right. Do you know controls? My view is for things like emerging tech, whether it's cloud, whether it's anything else, you need to have a real product understanding and someone who has been in the weeds to be able to hold the conversation with technical stakeholders, to be able to actually dive into the specifics of what that control is, what the risk is, being able to even sort of articulate it. Right. So trying to find a unicorn, right.
If you will, someone who can do both, be more control, mindset, focus, but also have a real solid understanding of the cloud products. So that is a challenge for us, we had to go through a number of different sort of resumes and different folks interviewing to get to land the right set of folks. And we did land on the right sort of folks. Now we have a great team who really work well together. But it took time, right? It took patience. And, you know, I will admit sometimes I was like, this is taking too long to get someone in. But that is part of the challenge we had. I would though, say one thing.
One of the things that really helped us was a lot of attention and focus has been on the bank since Jamie said, you know, we are going cloud first and we'll have a lot of technology modernization happening. So selling this was not a tough job. It is about finding the right people who would fit into the culture within the bank and would be the right fit. Because dealing with all these different teams, the stakeholders, is not an easy job, as you can imagine. Right. You need a personality to manage all these different.
Matt Pacheco
Yeah, you're spot on by saying it's a unicorn. That, that set of skills is pretty like one to do the technical but to also be a people person. I could imagine it was difficult then to set up the team. Often we hear when we have these conversations is that from a security perspective, it's very hard to find talent. How has that evolved for you? As you know, people move on, you hire, your team grows. How are you addressing those challenges? A shortage, as you will, of good talent, who can do these things?
Sameer Airyil
Yeah. So I think that is, it is a multifaceted answer, if you will. I think the talent has always been there, right. One thing that we probably did not do a good job, right. And I guess historically maybe it's about selling the role. Right. You need to position to the candidate what are the opportunities that you will get in the role, Right. If you tell someone, oh, you need to do just an assurance activity, you'll do this day to day, nobody's going to care about it, right. Like, I don't like, if you tell a technical sort of a person who has been an architect for, I don't know, 10, 15 years, I'm just making a case here.
If you tell them, oh, this is what you will do day to day, you will assess their environment, you will identify issues, will write them up, you'll do an architectural review, they may not be as keen because they are not really hands on the tech. So our role is not to be hands on the tech, right. But our role is to be sort of the risk and control evangelist, right. So to speak for our stakeholders and tech teams. Now if you position that role appropriately, I'm sure you know a lot of the candidates would be much more interested in applying and being part of the process. So I think that certainly we have improved in how we are positioning the roles and how we are sort of disseminating that in the LinkedIn post and whatnot. Right. I think that definitely has helped.
The other part also is once you sort of bring someone in, right. What you need to do is sort of give them time to bed in and be able to quickly integrate into the environment. Because what I found is if you bring someone in and throw them into day-to-day work immediately, they probably are going to do really the fast fail scenario. Right. Fast fail is good, but not always. You need to have a plan behind the fast fail is what I feel in my team, any person that we bring into the team, we have a period of time where we let them just observe and just drink from the fire hose a bit. We don't let them do reviews, we don't let them do actually touch hands on keyboard until we are comfortable.
They are good on their basics, they know the environment well, they can hold the conversation, all of that. So I think it's that bringing up to speed is also critical for success of the team. And then once you have a team, then obviously all the team management aspects sort of come into play.
Matt Pacheco
That's good insight into seeing how you built that team together and then kind of a peek into the culture of what you're trying to build there as well. Back to the assurance team overall. So large organization across many countries, many different departments, just started two years ago. What strategies have you found effective for kind of standardizing security and assurance across such a large organization?
16:31 - Standardizing Security Across a Large Organization
Sameer Airyil
Yeah, so that is not an easy job at all, I can tell you. So part of the challenge for us is the scope of coverage that we have within the bank. We have, as I said earlier, quite a different lot of geographies with specific regional regulatory and jurisdictional requirements to meet as relates to cloud migration, cloud adoption, et cetera. What we also have is a wide variety of teams that support each line of business within the bank which really adopt the business applications that move to cloud. Right. So we have a two faceted approach here. We have the core capabilities that get managed sort of centrally. Right. Core products, core services. This core team that I have sort of manages coverage of all those products and services.
But what we also function as is a sort of subject matter solution sort of consultation team to enable some of our LOB partners, right, some of our regional partners to provide the right sort of coverage of those cloud products and services. So we function like, for lack of a better term, a COE, Center of Excellence, for Cloud Assurance. We do our own work, right? But we also help others achieve objectives of cloud coverage appropriately. So there's a lot of backend effort that goes into defining what are the things that you need to consider. For example, if I were to stand up a Google Cloud platform, these are the things that you need to cover, bare minimum, right? These are the things that you would need to cover at a product level.
These are the things that you would need to cover at an application that gets onto that platform. So defining those requirements, those control sort of expectations based on what JPMC's control standards are, right, is sort of the fundamental thing that we do as a team here. Then we have those conversations with our teams, partner teams within regions, within a line of businesses to make sure they understand this, right? You can just throw them this huge set of artifacts and tell them, have at it. You would need to have sort of a very good socialization process so that they can ask questions. We sort of have those interactive discussions on coverage, et cetera. And I do feel the process that we have in the bank currently also helps quite a bit.
It's about continuous conversations on coverage and what risk and control considerations should be baked into our activities. That is a continuous process. It never stops. Obviously, there is a certain set of things that we need to do in a year, and every time a team has to do that, they will reach out to us and have this conversation. So we provide that input to help shape our coverage. And that has certainly helped in standardizing some of our coverage itself. Now to your second part of the question. The variety of things that every regulation, every jurisdiction, even the products themselves, right? Within the bank itself, we have a wide plethora of cloud platforms. We have all the big ones, let me just say that, right? So our coverage has to be across all the big ones, all the big platforms.
So we do have our own sort of focused view of what we need to cover for, let's say AWS what we will need to do for Azure and what we will need to do for GCP. And it is all driven by how we use a platform. We don't use each platform in a common way. Not everything is standardized in every single platform. So based on how we use each platform, we sort of shape our assurance coverage and what our focus areas and then that gets sort of funneled down to our sort of tech teams that do some of the additional coverage.
Matt Pacheco
So earlier you mentioned new cloud innovations, adopting new cloud tech and overseeing some of that. And then you just mentioned some of the major cloud providers, like I mentioned when we talked before we started. I was at re:Invent a few weeks ago. And all of these new technologies and new ways of doing things are coming out on these platforms. And you're in a heavily regulated industry. You have a lot of groups that you oversee or you work with and collaborate with. How do you maintain that agility with all of that regulation and that assurance, enable these teams to do all these new things and keep them.
21:10 - Balancing Agility and Regulation
Sameer Airyil
Yeah, keep them consistent.
Matt Pacheco
Yeah, yeah.
Sameer Airyil
No, I think, you know, what is good with the bank. And this may not be true of firms outside financial services which may be increasingly getting regulated. Right. Financial services always had a very focused, you know, attention on this is what things that we need to comply to. Right. And JP obviously has been doing this forever. So there is an established process in which teams both within the specific regulatory regimes, whether it's Europe, whether it's EMEA, that's UK now India or Asia, a lot of these different jurisdictions are within the US for that matter. We have a team that would identify what those common set of requirements are and provide sort of guidance to all the tech teams on how they should think about complying or ensuring compliance within their products and services.
Now, our job as an assurance function is obviously to sort of independently assess that and see if those requirements are appropriately being met by the products and services. Right. So in our work that we do, typically what we do is when we have global sort of things that we need to cover, let's say a global platform that runs on, I don't know, Azure, for example, every jurisdiction will have requirements around. This is what we should do. Right. If I need to deploy to this particular platform within, let's say, a particular country, I may need to get an approval from the local authority. So we have an established process within which the cloud adoption process has built those gates in. Now, as an assurance team, we would go in and independently check whether that process in itself is robust. Right.
Whether those gates are integrated well enough, whether we have the right sort of checks and balances around, do we get the right approvals from the regulator? Have we done the right security testing? All the standard guardrails that you need to look for, whether it's regulatory, technical process, we would go through all those steps as part of our assurance review. We will look at the process in itself. And we'll also look at applications that have gone through the process. Right. So it's twofold to make sure the end to end life cycle of this appropriately works. But as you can imagine, given sort of the dynamic nature of how some of these things evolve, new products come into play. Right. The business demand is to always get products pretty quickly and be ready to sell.
So it is a bit of a balancing act for the tech teams and for us. Right. To make sure we have the right coverage. The products don't go out without basic control expectations being met. And also making sure we have regulatory expectations appropriately addressed as well. So it's a combination of what the tech teams do to build controls in as part of their migration journey along with us, sort of coming independently and providing that comfort so that, you know, they can see whether these expectations are being met when we review them.
Matt Pacheco
That sounds like a monumental task that your team is responsible for. Yeah.
Sameer Airyil
And I have to say, it is not all my core team. Right. We will partner with a lot of our teams within our line of business.
Matt Pacheco
Right.
Sameer Airyil
Assurance teams to do this because a lot of the business applications sit within the line of business. Right. So we need their help, but we'll help guide them and sort of point them in the right direction.
Matt Pacheco
So everyone, it's a collaborative effort to. For assurance. How do you streamline some of that? So let's talk a little bit about automation. Do you use automation and how does that help in your assurance work?
25:20 - Automation in Cloud Assurance
Sameer Airyil
Yeah, no, I think automation is. So I would love a situation where I don't really have to do a focused activity for three months, throw a bunch of team members on there. And also the tech teams are also getting impacted heavily. It's going to be an intense effort where you are really focusing on deep diving on a particular product and getting to understand where the control expectations are being met. Now, I would love a scenario where we are able to automatically get a sense of how these controls are operating without really doing that every three months, just making a case. But I think it is a bit of a journey. Right.
We are as a team really focused on reducing the toil for both us internally as a team, for all the manual routines that we need to do, but also reducing the toil for our tech teams and product teams. Right. They probably don't want to do this for a quarter of the year. They would rather focus on getting products and services out. So our focus has been over the last two years to slowly build our automation sort of strength in enabling assurance coverage. We are in the early phases of that. We have some elements of it already embedded in how we do reviews of say cloud environments, how we pull certain data sets for assessing and risk reviewing.
So we have elements of it really covered currently, but we really have a vision of at least for the core cloud sort of coverage, we should be able to automate at least a large percentage of what we are reviewing and it should be on a continuous basis. What we don't want is, ideally in an ideal utopian scenario, what we would want is being able to look at certain metrics or certain data sets consistently. It could be metrics like, I don't know, maybe certain. What is the volume of number of, you know, critical applications within the bank which don't have appropriate resiliency set up. Right. They are not configured appropriately across regions or availability zones or what. Or it could be as simple as, you know, do you have excessive drift for certain type of resources? Right.
So we are sort of moving towards slowly identifying, defining what these core sort of risk metrics are for us. Right. And building that into our sort of automation process. But more importantly, just to reduce the toil, the business as usual toil, we are trying to also reduce the amount of stakeholder involvement that we need to get the data. A lot of the effort is really around getting the production data and getting to understand what the environment is. Right. So we need access to that data to really provide a risk analysis on what the environment is now. Getting that telemetry is critical for us and we are trying to build a process in which we can get that telemetry independently, but also we can do the analysis independently and maybe with minimal manual involvement.
So I would not say we have figured out all of it. Right. It is a huge environment. We have identified certain use cases that we really want to focus on from an automation standpoint and we are working through it. Matter of fact, I just finished discussing something related to automation with one of my colleagues just yesterday. So it's a process. My hope is by end of this year, if you are able to automate at least 50% of what we are doing for certain key activities, that is a big win. Right. And then we'll go step by step from there. But we have a job, we have a process as a roadmap that we want to be working towards.
Matt Pacheco
That's impressive. And I can't say automation without also following up with the question of the year. I guess, how does AI and machine learning potentially play into some of those activities?
29:35 - AI and Machine Learning in Cloud Security
Sameer Airyil
Yeah. So I don't want to be coy and say we don't, you know, we are a bank, we'll have very restricted use of AI. But we do use AI. I guess I'll speak about it just from a business standpoint. Right. I think the bank has a really good process around evaluating what are use cases for AI. Right. And putting them through a proper governance process to identify the risks, what the business value is, the ethical use of data, for example, and evaluating all those dimensions and then understanding if this business case is appropriate for deployment and production. Right. So the bank has a process, we have gone through that process as well as an assurance team.
When I think about my team specifically, I think the simplest use cases of things that we could potentially leverage include if you need to write up a report, for example, are we able to summarize things in as succinct and in an executive fashion without someone spending six hours on it? Right. ChatGPT or some flavor of it could quickly summarize some of our findings into a much more cogent format and be able to provide a good view of this. So summarization is probably one area that we can quickly use that. The other could be data sourcing, being able to source some of our data sets from live environments, being able to build that automation sort of view that we talked about. Right. The metrics, the real time telemetry. Can we use some of the AI capabilities for that? Absolutely.
But I would not say we are there yet. Right. That is the opportunity part of it. But the summarization aspects, the report writing aspects, the ability to do research. Right. That is certainly something these tools absolutely will provide more broadly within the bank. I think the bank has been very judicious in rolling out what it considers as high value sort of AI use cases. Some of the use cases I talked about earlier, the summarization research that applies across the bank, everyone could use some of those capabilities. But then we are slowly evaluating what additional sort of AI use cases could be put to test. And this is all in the context of LLMs. Right. The bank already had a large sort of AI sort of implementations even before ChatGPT was a thing.
So, you know, the bank has always been pushing the envelope in terms of AI implementations, but now there's an explicit focus on LLMs and all the models that come with it.
Matt Pacheco
So we're going to switch gears because we kind of talked about the fun new technologies like AI. But I'm curious, from an assurance and security perspective, cloud security, what are some of the things or threats externally that keep you up at night, that people listening to this podcast who may be responsible for security should know or be prepared for.
32:40 - Key Cloud Security Concerns
Sameer Airyil
Now, I wish I could say, you know, I'm really worried about some of the APTs and the Russian threat actors and all of that. And that is true. Right. You know, for a bank this size, we are probably subject to a lot of attacks from some of the nation states and some of the other, you know, big threat actors out there. But you know, what I find typically through a lot of our work is that some of the foundational risks are still fundamental to how you manage risk, whether it's in cloud, whether it's on prem. It's just the way you manage the controls changes based on the product, whether it's on premise or on the cloud. And obviously because cloud is already external to you, the risk posture is elevated because it's already out there.
So I think in the context of your question, some of those fundamental risks around privileged access management, making sure you have the drift deviations kept to a minimum for your cloud resources, being able to quickly fix things when you detect them and not let them fester, and being able to do that in a fashion which does not impact production or environments, that's one of the key things. I would also say in the context of cloud, a lot of it depending on how you use a lot of the services, lifecycle management is key. It's important to not only be able to patch your systems; if you're using Terraform, then how are you able to make sure your application instances are on the latest Terraform modules, they're upgraded to the right set of updates that Amazon sometimes provides. Right. For certain key services.
So being on top of that is also sort of a key thing for me, at least from some of the work that we have done, and just broadly some of the hygiene things around: are you encrypting your most critical data sets appropriately? Right. If you are not encrypting them, are you able to detect that and then send that information to your stakeholders so that they can fix it? Being able to identify those fundamental things is probably still key. Then you can come to all the fun stuff around: do you have the right cloud detection and response capabilities? Do you have the right telemetry feeding into the right sort of SIEM? Do you even have a good discovery or a view of privileged access and human and non-human identities on cloud?
So there's a lot of fun stuff that you can do, but I think the fundamentals are still key. And then you obviously need to, once you have them locked down, continue to work on your more esoteric sort of capabilities as well.
Matt Pacheco
And how do you see the cloud security landscape and financial services changing over the next five to ten years?
35:45 - Future of Cloud Security in Financial Services
Sameer Airyil
Let's say I think there are a few things at play. Probably one in the context of. I'll talk in the context of the bank and probably just financial services industry because that is where I've been for the longest part of my life. I think a lot of the cloud providers themselves, right, there's a whole set of options out there in terms of what cloud services to use with the AI explosion. Every product is coming with AI, I suppose. So being able to evaluate the risks and benefits of each of those products and being able to adopt them in a risk management is key for an institution like us. Right? I think that is probably one thing to think about. You have all these different options. What do you choose right?
What is the right business case for me to use this service and can I adopt it in a very risk managed fashion? The other thing I would think is when you think about all these massive cloud modernization efforts, whether it's within Chase or any other bank, you will still have a lot of things left within your data centers. It's not as if you're going to completely take off data centers offline and will be only fully cloud. Well, you could do that, but I doubt we would ever go down that route just given the regulatory attention and focus. But also you don't want potentially certain very critical workloads to be running systemically critical work, right. Market vertical workloads to be running on the cloud.
So there is a bit of a hybrid architecture to manage between on premise, between one public cloud provider and maybe another cloud provider, because you have multiple architectures spanning multiple clouds. So there is a question of how we effectively manage operational aspects of such complex architectures. Things like resilience, how do you recover effectively, how do you manage capacity across these different architectures? And also how do you manage just monitoring and response across these architectures? I think those would be important as more institutions and even my bank adopt these hybrid architectures. The other thing I would definitely say is the regulatory piece. It continues to evolve and change. Cloud is one thing for someone in the US and something slightly different, or interpreted slightly differently in terms of how to meet these requirements, in another jurisdiction.
So being able to consistently identify those and being able to meet all those requirements consistently is probably a challenge. One example is if you have a global application within a bank and you want to migrate that to cloud. But then the question is one jurisdiction says I cannot have my user data on the cloud, then what do you do? It's a global application that spans the bank. So do you stop your migration? Do you just hold that data locally? There are a lot of design and architecture considerations to think about when you meet these regulatory expectations. That is going to be interesting as this continues to evolve and a lot of these data sovereignty requirements come into play. The other thing I think we talked about, the AI services, right.
Obviously a lot of these different models and how they use the data, how they give you the output, it's all still a very black box for any consumer, for anyone. This is probably similar to sort of the conundrum we face when we look at cloud service providers as a third party. They would say security of the cloud is my job. Right? You guys figure out security in the cloud. But for a regulated institution like ours, it's not as easy to tell our regulators, oh, these guys got it. We need to provide appropriate governance and oversight over how they are providing that control environment. So that transparency, that has been a challenge for us over the many years, and I think that's an industry wide challenge. I think we still need to solve it.
There have been some sort of efforts around pooled audits and reviews of CSPs, how we can leverage some common utilities to review CSPs, et cetera. But I think there needs to be a position in the industry on how we can get more transparency around how CSPs manage their controls. And that goes back to all these new AI specific products and services as well. How do we get assurance that this is what they do, that they say they do? I think those are the main themes. I guess the one thing I would also add is, and I don't think there is a solution to it quite candidly given that we are going to rely on a few set of cloud providers within the US if you think about it, we probably have only the big three providers realistically.
So the concentration question comes: how do you solve that concentration question of being able to deploy either just to AWS or to Azure, right? And being able to stay cloud neutral I think is probably key for us to manage that risk of concentration, which is also again coming up in regulatory discussions.
Matt Pacheco
So you've talked about a lot of interesting technologies, trends in your industry, trends at JPMorgan Chase. I'm curious, from a personal perspective, what technology gets you the most excited?
Sameer Airyil
I mean, I have to say ChatGPT does give you a lot of fun ways to do different things. So my son has been, he's a big fan of using it to generate fun images of his friends or himself or, you know, whatever he builds a narrative around. He has learned to really do prompt engineering in a very nice way. He has learned to write prompts to say, you know, this is what you should do. Don't consider this. He has learned all those techniques. So I think what it has done is it has democratized the use of AI for a lot of us. Right? Typically we would, for a lot of the consumers.
When you think about AI, it's something that stands behind all these fancy products that we use, whether it be the Facebooks or some of the social media platforms or any of the banking platforms or applications we use. We don't generally use that in day to day life, but getting that use of AI in your day to day life is fun. And I think as much as I work in a very regulated industry and as much as I know the adoption within the industry will be very measured, I feel like AI really has a, it's a transformational technology in terms of how it will change our lives. It might take some time, right. In terms of how it really provides, you know, value in a cost-efficient way which all of us can consume.
But I do feel like that is the biggest transformational change of our year and I guess the decade probably. But I do also, you know, play around a lot with, you know, just being in the space. You have to be savvy around the cloud products and services that you are working on. So I do have to stay close to those products and services as they continue to evolve because Amazon itself introduces, I don't know, 10 new services every year. So you got to stay close to the products to understand them and being able to sort of technically, you know, evaluate them. So I would say, you know, still chat enabled AI agents. That'll be great. We'll still continue to give us a lot of opportunities to use them effectively. And then cloud obviously is something you'll have to deal with day to day.
Matt Pacheco
Very cool. Thanks for your answer. Final question as we wrap this up. So this one's more for our listeners, anyone who's in cloud security or in cloud. What advice? One piece of advice would you give organizations beginning their cloud assurance and security journey to help them get started in thinking through a cool organization like yours that does all of these things for many other parts of your.
Sameer Airyil
So my advice, it depends on who we are targeting this to. Because given that within the bank, what has been helpful for the bank, right, in this cloud adoption journey is there have been a lot of systemic processes already established, security, tech ops, all of those things which could be leveraged to shift to cloud. I think a lot of the, let's say, smaller companies which are trying to move to cloud may not have that systemic rigor around risk and controls and security as much as, like, JP would have. Right. And that is to be expected. Right. You don't invest as much. So I think from my vantage point, I don't need to advise all the big ones. They all know what they do.
It's the smaller organizations which would need to take a more measured approach in terms of what and how they adopt these services. I think the best way to think about it would be to make sure, you don't need to know everything on day one. But what you need to do is to start with the baseline set of control expectations. You cannot let your applications or your deployments really be in production without any guardrails. So be mindful of identifying what is your baseline set of services and products that you really want to go with first. Have a good understanding of what that baseline is. Try to use some of the native capabilities within the cloud if you can, instead of trying to bolt on separate security products.
If that is a problem for you to manage because you have smaller security teams, if all this is a problem for you, if you're such a small team, think about some of these managed service providers. You don't need to do everything yourself. What you need is someone who does it for you operationally and provides you the right sort of insights and information so that you can make security decisions or operational decisions. So I know it's not a one size fits all answer, but I feel like all the big guns know what they do. It's sort of the smaller teams which would always struggle to sort of prioritize security over tech delivery.
Matt Pacheco
So, yeah, that was perfect. Thank you so much for that advice. And then definitely, great. I would like to thank you for being on the podcast today. It was great hearing about cloud assurance and security, how you built your team, the culture, your journey. Really interesting. So I appreciate you taking the time today to speak with us.
Sameer Airyil
Yeah, no, I appreciate, Matt, you know, you bringing me onto this podcast, and it was a pleasure talking to you as well.
Matt Pacheco
Thanks. And for our listeners, we appreciate you listening in today. Stay tuned for more conversations like this one about security, AI, cloud, anything cloud. And you can listen to us anywhere you get your podcasts, Spotify, YouTube, Apple, anywhere, everywhere. So we appreciate you listening. Stay tuned for another episode. I'm Matt Pacheco, your host, and I hope you have a great day.