Ep. 45 Governing AI Sprawl Before It Governs You with Yabing Wang

About This Episode

In this episode of Cloud Currents, host Matt Pacheco sits down with Yabing Wang, VP of Security & IT Services and dual CISO/CIO at Justworks, for one of the most candid conversations yet on what it actually takes to lead security in the age of AI.

Yabing opens up about her unlikely path from philosophy major to Netscape engineer to cybersecurity leader and why that winding road gave her the mental frameworks she relies on today. Then the conversation gets into the real stuff: how AI is reshaping the threat landscape faster than most organizations can respond, why your attack surface grew from 5 integrations to 500 almost overnight, and what “AI tool sprawl” is actually costing your business in risk, money, and operational clarity.

Know the Guests

Yabing Wang

Vice President of Security and IT Services (CISO & CIO) at Justworks

Yabing Wang is the Vice President of Security and IT Services (CISO & CIO) at Justworks, where she leads both cybersecurity and IT operations for the payroll, benefits, and HR platform serving small businesses. With over 23 years of cybersecurity experience, Yabing brings a unique perspective shaped by her unconventional path from philosophy to technology.

Know Your Host

Matt Pacheco

Sr. Manager, Content Marketing Team at TierPoint

Matt leads the content marketing team at TierPoint, where his keen eye for detail and deep understanding of industry dynamics are instrumental in crafting and executing a robust content strategy. He excels in guiding IT leaders through the complexities of the evolving cloud technology landscape, often distilling intricate topics into accessible insights. Passionate about exploring the convergence of AI and cloud technologies, Matt engages with experts to discuss their impact on cost efficiency, business sustainability, and innovative tech adoption. As a podcast host, he offers invaluable perspectives on preparing leaders to advocate for cloud and AI solutions to their boards, ensuring they stay ahead in a rapidly changing digital world.

Transcript

00:00 - Introduction: Meet Yabing Wang, CISO & CIO at Justworks

Matt Pacheco
And welcome to Cloud Currents, the podcast that navigates the ever-changing seas of cloud computing and cybersecurity. I'm your host Matt Pacheco from TierPoint and I help businesses understand cloud trends to better make decisions about their IT strategy. Today we're joined by Yabing Wang, Vice President of Security and IT Services at Justworks, where she serves as both CISO and CIO. Yabing brings a fascinating perspective to cybersecurity leadership, having both started her career in an unexpected place, which we'll go into, and transitioning into software development, ending up where she is now leading a team of IT teams.

Throughout her career she's had many security leadership roles at major businesses and she's also seen a lot of the most pressing challenges facing businesses today in her current role, such as how to secure organizations when enabling IT adoptions, things like how to manage AI tool sprawl, and managing this kind of brand new world of AI as it comes to protecting your business and making your business way more efficient, especially your IT departments. So in this episode we'll dive into all of that, the convergence of IT and security under unified leadership, how to make security at our organization help drive more innovation and growth. So, Yabing, welcome to Cloud Currents. I can't wait to speak to you about all this great stuff we have planned.

Yabing Wang
Thank you Matt for the introduction and having me on the call.

Matt Pacheco
Excellent. So I'm going to ask you first about your career journey. It's very interesting. We talked about it a little when we first met, but I really want you to explain to audiences where you started and how you got to where you are now.

Yabing Wang
Yeah, I started far from cyber and far from technology. I had my undergraduate and first graduate major in philosophy and now I started to move to technology. That got my master degree in computer science from University of Illinois at Urbana-Champaign and that definitely, you know, changed. And after I got that degree I started as a developer as well. So not in cyber. In five years I was with the first Internet company called Netscape Communications. I know majority of young people don't remember the name but that is the first browser. But not only they had a browser, they also had a lot of server side capabilities. And imagine late 1990s it was the first wave of e-commerce.

It was .com world and that's first time there was a three tier architecture meaning changing from client server side architecture to web server, app server, database server, 3 tier of architecture and Netscape provided a lot of servers like web servers, portal servers, app servers, e-commerce servers and I was with their professional services focusing on two things, focusing on deploy those software and also writing the code to enable the client to leverage those e-commerce product. So I did that for five years and then I had my first kid. I was not able to travel every week anymore. And while I was looking for a local job in Chicago area, that's where I started my cyber journey in 2002. Since then I never left cyber world.

04:02 - Finding Cybersecurity: Why She Chose the Riskiest Offer on the Table

Matt Pacheco
What sparked that transition from kind of the Netscape side to the cybersecurity side?

Yabing Wang
Yeah, I was looking for, even though I don't want to say anything, but I was looking for any opportunities that may attract me. I remember I got four offers in my hand. Three of them are tied to application development or architecture. Even one of the offer was the company really used a lot of Netscape product. So they say, oh, you are perfect for all of those because you had the expertise. Only one of them from Allstate Insurance Company, they offered me an application security role. Imagine 2002 cyber was not hot and there was no expertise on application security. Allstate tried and then realized that if there's no one really knows this, maybe there's one alternative approach. That is they hired two of us, one from traditional security background which is network security.

Another one was me from application background which has less cyber expertise but more application development. So when I look at that opportunity, I did a little analysis one side that security is new to me, that I also feel security is not just one field, it is needed in every single field. In other words, you need to learn the field a little bit more in order for you to see how the security can be done in that field. So I thought that will keep me learning all the time. I will never get bored if I get to the security route. And then I still think that's true. And then secondly, generally when people hire, people look for skill sets, people look for experience and I did not have those.

If the company is willing to take the risk on me, I think I should take the opportunity. So that's why I took it. I liked being challenged. I like to learn new things and I guess I never regret after that.

Matt Pacheco
So you just said you like being challenged and you like new things. You've tried many different roles, including starting in philosophy, which is really cool. How have all of these experiences changed your perspective over time as you've moved into a leadership position?

Yabing Wang
Very, very good, you know, question. Because I realized later on how important was that? Seven years learning in philosophy, I think that gave me A lot of foundation of mentality, looking things from more broader view and also looking at things from different perspectives. Meaning that I really learned along the way of not stuck of what I thought. Right. Meaning look at things that from different perspective, being open and put yourself in other people's shoes. That's kind of one like a big approach. Another one is really open your mind, look far, look broad. Those things will help me see through issues. Right. Issues will be there all the time. How can you identify solution and how can you figure out among all of the issues in front of you which one is more important? Which one is more critical to the real business? Right.

What's the real business issue instead of a technical issue, instead of a purely security issue. So I think that give me a lot of foundation of looking at the things differently. And I think another thing that you know, probably it's the. It's a combination of my philosophy background and my passion as well is about people. Meaning that your humanity side of it. Computer science to me is more of static. It's zeros and ones. The real challenge comes from people because nothing is gray. Right. With the humanity aside of it, people can look at things differently. It's never be black nor white. And everybody can be right, everybody can be wrong. Depends on how you look at it. So, so when I have that I really enjoy of solving problems that from the people side of it.

And also that you know, realize, I guess also along the way of my career development that is the more responsibility you have, the more you realize you cannot do everything. You are relying on not only your team security example of it's not only security team does the security thing. You are relying on everybody else to do that for you. So the more you realize that, the more that you know how to approach things. So I think that helps a lot.

09:37 - The AI Threat Landscape: Speed, Scale, and the Attack Surface Explosion

Matt Pacheco
Yeah, that's a really interesting perspective and to help you do the things you're doing today. So let's talk about some of the things that are happening today quickly. Can you give us an overview of the company you work for? Justworks. Just let us know what you guys do.

Yabing Wang
Yeah. Justworks is a New York based company that we do payroll, benefits, insurance, particularly for small business. Our common vision is to really help business underrepresented small business. Our focus are the companies like below 100. Of course we still have companies beyond that and then they will start graduating from our platform. When we talk about payroll, there is a PEO, which is a professional employee organization. If you are using PEO services Justworks in your company like co-own their risk. Right. Co-owners the payment and others. And then there's purely payroll. We do payroll for you. And then also we do this not only in the United States, we do this internationally as well. There's another term called employee of record, EOR. So basically we serve a lot of small business that have the US presence, but also have international presence as well.

Matt Pacheco
That's very interesting. Thanks for sharing. I think it'll help set up some of the context of the questions we're going to ask too. So thank you for explaining that. So let's talk about AI a little. It's keeping a lot of security leaders up at night. It's something people are thinking about a lot. With the complexity of attacks, the ability to simplify attacks and to make their jobs much easier. There's a lot of interesting tools out there. Can you elaborate a little bit and talk a little bit about what makes AI security so uniquely challenging today compared to previous threats and waves of technology in the past?

Yabing Wang
Yeah, like you said, the AI changed the whole world. It's not only transforming from the day to day life of every one of us, but also transforming how the business can be done. Right. So I look at how it changed the security world. I look at a few things. One is that if you think the reason, if you look at how AI today is so dramatic, different than a few years ago or even 30 or 40 years ago, because AI started long ago, but the whole reason it just became so big is because the power, right, the hardware power, the speed come out with it. Because of that, if you look at the threat landscape perspective, the scale and the speed of how the malware can come up, how the vulnerability can be exploited, it is tremendously quicker than before.

In other words, if we have the time to address things slowly, this is just like you don't get time. So if you can go back to the history of long time come up long time ago when crypto came up, right? Encryption, how long will take you to decrypt 5 digit and how can you make it more complicated and then fast forward how quick those things can be decrypted now, can be broken right now using that same way to look at AI and that's how fast it becomes. It's like the way we do that slowly like before, manually, like before. Imagine on the threat side they move just so fast. So from that perspective that because they move so fast on threat, I think overall from the control perspective, we may not even know how to go against them. Right.

The traditional controls we know can solve the things we know. But now when this issue may become unknown and we still don't have the controls or against it, I think that's a part a little scary. Right. It's a little fearful from that perspective. That's one side. The second side is like because of the all business. I think any corner I think of the business has different ways to adopt AI. In other words, if we used to have one system and we protected so well and let's assume we have 5 integrations and because of AI usage not only the 5 integrations will do quicker and better and then everyone wants to leverage different tools to do that. The 5 integrations may become 5k become 100 within 6 months from that. Just simply looking at that our attack surfaces is changing so dramatically.

And it's like a lot of things just speed up the process that if you do that manually looking at hey, let's review the five now you don't get a chance to review the 50 within three weeks. So I think that scale and speed of our attack surfaces change for the organizations is another way that I think we are really looking into how can we do better as a corporations. And there's a third side of it. The third side of is like because now think about the traditional security way we always talk about how human being also is a weakest link. Right now, every one of us, not only we do more about AI and the AI itself is like we may not be able to tell that's AI.

We may not be able to really realize what's the risk behind it whether it's deep fake or not. Right. You know, traditionally we know as a security professionals do phishing campaigns, making sure you realize how you detect those phishing messages, whether it's email, whether it's a text message here with all the voice video could be deep faked. It's hard to really tell what's the difference who is fake, who is not. Right. It made it more difficult for human being to do self defense and that added together for the protection enterprise. Basically our attack surfaces becomes much more so by looking at. That's how I generally look at the AI part of it.

16:22 - Governing AI Adoption: Guardrails, Visibility, and Agentic Architecture

Matt Pacheco
That's a lot of things to consider at once. So how does an organization approach the balance between. Let's take one of your examples, enabling AI adoption. So you said a lot of employees are using different tools in different ways. How do you ensure proper security and governance while employees are doing that? You said the five turns into a 50. Yeah. What do you do about that?

Yabing Wang
We are doing something together with other companies where we are all trying our best to see what we could do. The few things I can touch on, I thought it's also probably some practice we can do more together. One is in the very beginning of the AI adoption while everybody's trying to try things out, I think there were two things that I think needs to be very clear. One is what is the philosophy this company has? Right. There are certain organizations needs to be very. What do you call that risk averse could because of regulation, could because of complete culture. So it really needs to understand what is the general philosophy of the AI adoption from the management perspective and what is general the risk tolerance we will have on that part.

So have that knowing what's that and then come up with kind of AI governance thing. AI governance is also big term. I think that starting with what do we care? Right? What do we care? And from that talking about what will be the guardrail. So for example, if we really care about the data cannot go out. What is the recommendation for people who are trying out AI tools? What should they pay attention to? Right. And again, you know, this is part of what we want to. I don't want to use or enforce what do we want to recommend people do and what people should do or can do. Right. Because they become the enforcement point. So have that layout.

For example, you know, do you want people put companies confidential restricted information into the AI model or into the you know, ChatGPT gem like whatever other tools are. Or if you say would you feel more comfortable if we purchase commercial license, for example, if we say let's buy, you know, from OpenAI of the ChatGPT Commercial License and if you do that maybe we will allow you to do more from the data sharing perspective because they are kind of like your tenant. But don't do this for free version of ChatGPT or Claude or others. But basically what I'm trying to do is in getting some guardrails out as quick as possible. Of course education around it too. And then second piece is related to leveraging existing process and modify existing process about bringing new tools into the environment. Right.

For example, generally you have this third party risk management process where you know what needs to be assessed when there are AI models there, right. What should be in your contract related to AI has been leveraged in that vendor's product. And also that assessing, right. Assessing that AI risks and that have the corresponding action around it. So basically that process needs to be refined to allow the AI tool assessment tool come in for acquisition purpose. But also that give you the visibility of what can be come in. This process is not only a security process, I will call that IT process as well. That's how you generally acquire the system. Except you are pay attention more to the AI part of it. So that's kind of like one process.

But of course there are so many things could be free, they don't need to go through a process. And what is the governance process? Our approach on that part is that we're putting some visibility tool, security visibility tool or AI visibility tool. Basically that while we're not blocking everything, that's not generally our philosophy. But we are able to gain the visibility of what kind of AI tools have been tried and used in our environment who are using them generally what's the purpose they use them. When we have the visibility, that's where we can look for where are the risky part of the tool or access what control. We want to add that because you can apply more access related controls, you can also apply more data loss prevention controls.

So the reason I'm mentioning this one is to say before you jump on, you know, putting all the security controls in place, at least have the visibility which will support you. Like not everybody goes through your process. You'll support you from that end have a holistic view of what's in my environment and how can we do better as the next steps from that perspective. So visibility is very important. And then there's one more thing I think that I also want to add is and there's one general use case of using ChatGPT, Perplexity or whatever those tools as a normal productivity tool, workflow improvement. But also a lot of things are happening around agentic AI creation leverage of MCP in your cloud environment.

On that note, I think it's also a key for the company to look into what is the right architecture security or non security architecture such that you want to encourage people coming into this way. Whether it's register into your repository, whether it's proxy going through all the agenda going through that have a preferred architecture on our end implement architecture and merged with the visibility, merged with the monitoring. I think that's what we generally are doing right now.

Matt Pacheco
So doing a lot. All these AI tools bring cost to an organization. Have you guys given any thought to like how to I guess centralize or take an inventory of all of the costs that are coming from all of these individual AI instances? Not from just like an individual but like from tools you're implementing throughout the business and all that. Very curious about that one. Because costs could balloon and get out of control pretty quickly with AI.

Yabing Wang
Absolutely. Let me start with. I think we're still in this journey. I don't think we fully solve this one but I want to talk about how we're trying to do one is going back to the governance. Actually we build a tool kind of like a console. The first console is really about enablement console which is like IT, Security, HR team and also our core AI team. We're trying to figure out ways to educate everyone. What tools do we have, what do we want people to use. In other words, we introduced tool A. If you don't know you are looking for tool B. Right. So it's more of like let's make sure we teach people everything we have here.

Again, that's a direction where I'm not saying we have everything in play, but that's how we want to do using the enablement council of how we want to enable training not only train how you use prompt better but also train here. Our tools can do ABCD order in our environment. We also have another AI governance council that also it's more of security IT engineering data. And this council not only look at general tools too but also about in our development. Right. So back to the point of like what things we can develop that way that thing it's a little more easier under our control because we know what we're doing building. So because we have a core engineer leaders, infrastructure leaders and together and data leaders. So we know how to plan that better.

So we know what agentic AI is in you know, in play or at actors. We're also looking at and how the MCP will come to play. So this organization plays more governor's role about putting architecture in place. Apply that and then route everybody come to this where again security is also implementing vis the tool together. So again it's also in the early journey. But unless you pull the right people together the shadow IT and things will grow. One more thing to add here is that take an example of productivity tools. Every tool doesn't matter what does this tool provide from a capability perspective they can provide more AI features. And whether it's marketing leads generation tool or workflow improvement or Slack or JIRA or Zoom, everybody will do certain things and of course there is overlap. Right. If you look at the productivity.

So that's something I don't think we solve 100%. There are two parts to it, I would say one is whenever those tools needs more like investment. Because certain tools, oh, you need to add this $30 per month person. If that's the case, we really look harder to disable. Right. To not approve for this role if we already have existing one. But when you have all the things come with it, you don't have to pay anything but it just part of the tool. That's where from our IT perspective, we're really looking at what will be the one we want to promote people to do more. Yes, the XYZ tool may have come with it, but we don't encourage people to always do that. And we have not done, hey, you can only do ABC block xyz.

So we're still in the middle of trying to figure out, do we need to block those or still allow people to do that. Back to the point. The more we educate people, what's the main thing we recommend to do and people see the value to that, the more they will do that better.

Matt Pacheco
Yeah. And it made me think of something from another episode that we've talked about in the past was that sometimes these tools you adopt it, you're saying it has a certain cost, like, oh, you had $30 here, or it's free with this tool. As AI companies, as this kind of golden era of not making a profit on some of the AI tools, some of these AI tool companies might turn around in the next few years and need to make a profit or show profit. And that might be increases to the charges of the tools you're using as an IT organization. How do you prepare for something like that too? Where it's like, I have X amount of licenses for all these tools. You said marketing leads, marketing tools.

I use that example because we use that at TierPoint where it's like, oh, this is free, but all of a sudden now it's an extra charge. How do you, how do you as an organization account for that and prepare for that and make sure you have the right tools in the first place?

28:51 - Vendor Risk in the AI Era: Third Parties, Contracts, and Non-Human Identity

Yabing Wang
It is a tough one. I think it can go to true path from two path from vendor perspective. And correct me right or wrong. One path could be, you know, people are charging more on AI. I'm talking about the other tools with the AI feature on it. Let's not talk about AI tools only from that. If somebody is charging more. Like for example, if Google says, hey, YouTube extra thing for Gemini, because you know, you're even Google Shop or Microsoft pay more for a copilot. You know, one path Actually I'm thinking is that because every company is going to have AI feature enabled, if you keep charging and other company are not charging, you may actually lose the business because AI becomes one of the things you have to do. If you cannot compete with others, you may lose your business.

So from that perspective, I don't know if five years later everybody's charging AI or everybody's free for AI. So that's the one. It's hard to say vice versa. You are saying if it's a free, will that get a charge in the future? I don't know from each, but from my vendor. For example, if you are security, event, incident, event management tool, I'm expecting you will apply AI in your capability and free because if you are charging more, most likely we can look for another one. Because the whole point of the whole tool is about detecting quicker, right? Responding quicker, investigating quicker. And AI helps on that piece. If you cannot do that, someone else can do it. So there are certain times that we will push more on the vendor side to make sure you play AI to gain efficiency and effectiveness.

So I don't have to look for AI tool for that piece. Of course, like for AI tools, I think right now, if it's a specific AI tools for certain things, I'd rather to use the one, what do you call the enterprise commercial. Because I think security matters. I don't want to use a free version and all the data goes out. Right. From that perspective, we'd rather to really evaluate you formally. If you needed to charge, you know, extra to look at it, you know, do that part. As far as how we can really manage that AI cost, I think it's a hard one. It's a hard one.

Matt Pacheco
Definitely. It's definitely something I think over the next few years we might all struggle with as we try to figure it out and that seems to be theme. Everyone's trying to figure all this out. Like you said, we're, you're producing guidelines, you're not making hard and fast rules about this stuff. So it's really interesting.

Yabing Wang
So you know, the general, if I call that direction or objective philosophy we always have is like you want to reduce the similar or over that overlap product capabilities in your world. Right. Not only for reducing attack surfaces for security, but also, you know, helping on the finance cost, helping on the operation perspective. Right. So if you look at how IT in general evolve into solve this system management, IT service management world, we try to get there and then the AI came in. We all want to Try things out because you want to fail fast. You want to fail fast. You cannot just let three things in, right? Because you know, you want different people to try that. That's where we try to play as well.

We have like you know, really dedicated small team trying a lot of AI things out, but we also allow certain other people try things out as well. We're still trying to see where the governance can play, the security can play. In other words, where is the true mothership rules in the practice? Where are the innovation? Right? And then the fail fast part, where do we more of that line?

Matt Pacheco
I love it. So we briefly talked about AI vendors. I'm curious about the other vendors that you have. So not only are you trying out all these AI tools and dealing with vulnerabilities, but your vendors and your technology partners might also be doing those things. How do you ensure security of your important data and your systems when working with your vendors as well? Because that can be a potential attack surface as well.

Yabing Wang
It is, it is. So back to the statement. I think the attack surfaces are much bigger more than before and I think the risk of each vendor, including us, where the vendor to others as well, that the potential of exploitment because of AI, you know, it's also more than before. I don't think I have any silver bullets, but I can touch on a few things we're really looking to. One is again this is transitional control called TPRM. Third party risk management. Is that contractual wise, you want to hold your vendor accountable for what they do for you and also your data in their environment. Meaning that make sure that call out clearly what each of us wanted the other vendor to do from that perspective.

Like if you don't have any, I hate to say that AI addendum part of like things in the contract, you know, do that, make sure you do that part. The second piece is that something we can do. That is, you know, when you do a lot of you have more vendors and a lot of like using those vendors to integrate with others. There is an integration point that whether you call that non human identity management, whether you call that API management, whether you call that agentic AI didn't matter. Is that making sure those integrations, number one have proper access management, right? Do not just randomly give them super admin for all the integration. You know, a few months ago, you know, there was incident ready to drift in the salesforce. That's example of, you know, you may implement things wrong like that.

The second piece is that we again putting this responsibility on us is we have to do a better job not only on the access management, but on the configuration as well. Right. So basically is that how much do we know about our third parties? Even though. Yeah, there were. There are further fourth party, fifth party, but starting with the third parties, do we feel comfortable that we know the configuration? Do we know those access? Right. So those kind of things I would say more prominent than before. Right, yeah. SaaS security has been called out, third party has been called out. Now I think AI just expanded this more. If we have not done enough on this, we should do more on that part.

36:50 - The CISO + CIO Convergence: Running IT and Security Under One Roof

Matt Pacheco
That's very interesting. Thank you for that answer. So let's talk a bit about the culture of security and IT in general. So you recently took on IT responsibilities in addition to your CISO role.

Yabing Wang
Yes.

Matt Pacheco
Congratulations, by the way. That's really cool. What drove this decision to do something like that? What are the benefits that come from that?

Yabing Wang
Yeah, I think that not only in our situation, I think somehow it became a trend for the past two years-ish, or maybe even more, in many companies that I think one of the things triggered by, I think I mentioned this in the very beginning of this call that it's not just the security organization doing security. We are relying on so many other teams to do security and almost everyone in your company to step up to do security. So from that angle that we rely on IT a lot, for example to do risk remediation, exposure remediation or like we just talk about how the tools being introduced in the environment to do better from the tool governance perspective. So we rely on IT a lot to do many things.

And I think this synergy come from that when IT by itself or being part of different organization, of course there are a lot of different priorities and their priority definitely is looking at of course its enablement of the business, but also efficiency, for example, efficiency where the risk angle may not be big enough. When the cyber leader, the CISO in particular, also look at enablement and also looking at the risk management. So from that angle that there will be more benefits that when the IT actually is under the CISO that will apply the risk angle to IT. So this actually brings me to mention one more thing. That is if I go back to look for the people I know who took on the IT role that I think there are two common qualities.

One is this leader, as I say so is a technology driven person, meaning that it's not purely grc. You know how cyber has three pillars. The GRC risk angle, architecture, engineering angle and also the operation where Generally this leader take on that's more of technology driven. The second piece is like the philosophy of the CISO leader got to be a technology enablement. You cannot take the IT group and make them say no to everyone. Right. You need the IT group at the end to support the business. So I see those leaders who take another role actually have that good philosophy. Therefore, when they move the IT role to you, they don't feel like, oh my God, you are going to shut down everything. Right. You are going to take more of a risk reverse approach.

So that's how can kind of like evolve into this.

Matt Pacheco
Yeah. I was going to ask what kind of challenges does an organization that's combined the two create? And you kind of just talked about it kind of are you going to be an obstacle rather than a partner? Like how do you build trust with your business units or your departments within your organization to kind of make sure they see that you're trying to add value and not. Yes, be in the way?

Yabing Wang
Yeah, definitely. I think that's a, that, that's a big part of like my belief is like I mentioned, Justworks is a payroll benefits insurance company. We're not a security company. We can do security very well. But if we cannot do payroll, why do we exist? Right. So if CISO leaders realize that piece, I think that's very key to say, what can we do to enable the business? Right. What can we do to be partner and what can we do from articulating risk and also educating others to understand that why we need to pick a win situation. Right. It may not be perfect on your end, it may not be perfect on our end, but our overall goal is this common goal of serving small business, need to figure out a middle ground.

Matt Pacheco
That's cool. It sounds like you have a culture of confidence, I guess in your security operation to kind of build it into it. It's kind of cool to hear that.

Yabing Wang
Yeah, that's a good call out to say when I transition into this role. Right. I think there were two fundamental things. Our SVP of engineering was saying that too. That is we feel comfortable. You are not going to say no. Right. Basically we create our credibility. How security is trying to help others, be part of others. Therefore that inform them and feel comfortable says yeah, putting the IT under you, that will continue the same path. Not going to be very much roadblock. But they also realize we are the organization. If we don't even play the risk person, risk organization, just purely let it go. Right. That's, that but they know we are going to look at from that angle.

Matt Pacheco
That's really cool. How does owning both IT and security kind of influence your approach to adopting things like AI? Does it change anything?

Yabing Wang
I didn't think it's changing anything, you know, because my even without IT, you know, the philosophy we have is always like that. I guess the IT team just probably let all of us secure to see how important we're moving towards it, I guess. And also this give us advantage of merging those two process be, you know, more holistic, I think.

Matt Pacheco
Let's talk about the future. Kind of the fun stuff coming in, coming down the line. So the first one beyond AI or you could talk about AI if you want. But what emerging technologies or trends are you keeping an eye on that could impact security significantly in the next five, 10 years?

Yabing Wang
I probably at this moment can only talk about AI.

Matt Pacheco
That's fine.

Yabing Wang
Yeah. I personally just don't know yet about quantum computing. What does exactly mean to change the whole world. But when we talk about AI change and I talk about it was the underlying hardware being able to the compute, right? The compute change, the skill change, the impact. Maybe quantum computing could really double, triple that and then that will push AI more and more.

Matt Pacheco
Yeah, it's definitely something to look out for. How do you see your role as an IT leader, security leader, evolving with the advancements of AI? Because the AI and gen AI from what, six months ago or 12 months ago is not the same as what it is today. It's advancing at a rapid pace. How do you see your role evolving considering the rapid pace of technology acceleration?

Yabing Wang
I'm looking at maybe two parts. One short term, one long term thing. The short term thing is like we've never before hired AI resources. Now both security and IT are hiring AI resources and the part is really about I'd love to have at least experts in security and an expert in IT really spend more time on that. Whether you call them a researcher of everything security and IT related, but also help guide the team on AI security, guide the team on the AI usage for IT. So that's like a first change. We've never had those before. And then that I would say will let us feel more tighter to the business because I know at the end we can see the speed, right, to make things happen long term, whether AI or not.

Yabing Wang
Long term that I'm playing a Chief Information Security Officer role more of towards internal where I would say somewhere, I don't know when, but I think my role will probably evolve into a Chief Trust Officer. I mean again this is just like a thinking in general. I'm not talking about Justworks. I'm talking about overall in the CISO's world where we try to ensure and customers about. Right. You put your information, your payment into our hands. Right. How can we shield the trust. So it's really, you know, you are in good hands per se. I think that's the evolvement that I'm seeing. There are probably few companies already do that. Right. The CISO role start to evolve into the Chief Trust Officer role and AI will. I think we play a lot in that as well.

I don't know when that may happen here or different places, but I see that trend too.

Matt Pacheco
So sort of playing into this but not the leadership role. But for everybody else. What skills do you think will be most critical for the next generation of IT and security workers coming into the workforce? Like what do they need to know? What do you think is going to be really important?

Yabing Wang
Yeah. It's no longer about you can code or you can, you know abcd, you can all get that answer from AI. Right. I think that there are a few things I think it's very important I chat with my kids on that. That is the ability to learn things quick. You know, train yourself that you can learn things quick, find the tools can help you on that part. So doesn't matter how the technology evolves. Right. Your ability carries all the time. And then the second one is more of be flexible, mindset wise. Be flexible, be adaptable. I think that whether it's a fail fast philosophy or your field no longer valid is being replaced by an AI but you are always waiting to learn something else. You have the ability to learn fast and you have a willingness to learn.

I think those two things will help a lot. That's what I told my kids.

Matt Pacheco
That's great advice. That's great. And that applies to probably professionals in the security space too right now because things are changing in the IT space in general. Cloud everything the world is changing quickly and it's good to be learning all the time.

As you've said throughout your talking about your career, always learning and challenging yourself. That was a common theme. As you were telling me earlier. So.

Yabing Wang
Yeah. And you know going back to 20 something years ago, I knew nothing about security and I got in right. And I knew nothing about AI when we started. Now we learn more. You know, it's there as long as you are you desire to be challenged and didn't add too much fear, but more like passion and happiness, you know, through learning. And then that helps.

Matt Pacheco
I love it. Well, Yabing, thank you for taking the time for being on the episode with us today. We learned a lot. We got a lot of great, unique perspectives, and we really like talking to you.

Yabing Wang
Thank you for having me. And hopefully my perspectives, like, resonated with someone.

Matt Pacheco
I think so. I think it'll be much appreciated. So thank you for that. Thank you. And thank you for our listeners for listening into the episodes. Stay tuned for more episodes. You can find the podcast wherever you get your podcasts, and we will see you soon. Thank you.