Udi Cohen Of Vendict On Cybersecurity Compliance in the Age of AI Threats
An Interview With David Leichner
Compliance with regulatory standards and industry-specific guidelines for product security is an indispensable part of cybersecurity. In an age where malicious AI poses a significant threat, how do organizations ensure their product security strategies are not just effective, but also fully compliant? As a part of this series, I had the pleasure of interviewing Udi Cohen.
Udi Cohen is the CEO and Co-Founder of Vendict, which utilizes AI NLP technology to streamline and enhance Governance, Risk, and Compliance (GRC) tasks, particularly the process of completing security questionnaires.
The Vendict linguistic model has undergone training and development by a team of experts specializing in security and AI NLP. Leveraging its understanding of the content within security questionnaires, Vendict’s AI can match questions and answers, even when the phrasing is vastly different, enabling it to respond to lengthy questionnaires within minutes. This efficiency has led to Vendict’s customers being recognized for their responsiveness and professionalism.
Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?
Hey there, I’m Udi. Just like many other parents out there, my main motivation in life is to create a brighter future for my three wonderful kids. While I’m known for my strong dedication to AI, security and technology in general, not many people realize just how deeply my passion runs for philosophy.
Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.
I’ve always had a passion for risk management. To me, technology has the potential to be a powerful force for positive change, but critically, it’s security that is the bedrock for that change. While I may not have a single specific story that ignited my career in cybersecurity, I believe in the potential of technology for good, with security as its cornerstone. By addressing the cybersecurity challenges we face, we are helping pave the way for a safer and more promising future in the digital age.
Can you share the most interesting story that happened to you since you began this fascinating career?
The most gratifying aspect of our product at Vendict is witnessing the impact it has on security professionals. As a group, security professionals face immense pressure and time constraints, often leading to burnout.
Vendict’s ability to streamline menial security tasks not only reduces their workload but also provides them with ‘time back’ which is a by-product of our efforts. One client recently shared how they could now spend more time with their family, because of the workload that Vendict lifted from their plate. It’s great to hear stories like this that highlight the real impact of our product.
You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?
Three pivotal character traits instrumental to my success as a leader are:
Transparency and humility: As a CEO, I actively seek out individuals who surpass me in intelligence and expertise. Rather than dictating directives to my team, I prefer to empower them with all the necessary information to make informed decisions. Nevertheless, if I ever encounter something that feels out of line with our company’s culture or strategy, I make it a point to share my concerns transparently. This commitment to open communication fosters trust and alignment within the organization.
Attracting exceptional talent: A key part of my success has been the capability to convince exceptionally intelligent and capable individuals to work alongside me. Moreover, I have been able to maintain these collaborations over time. It’s gratifying when employees choose to remain part of the team despite having better job offers elsewhere. Their dedication stems from a shared belief in our organization’s culture and vision. For instance, during my time at Broadcom, one employee’s story stands out. Despite her initial job search criteria not aligning with Broadcom’s location, industry, or company size, she chose to join us because of the welcoming atmosphere and the positive interactions she had during the interview process.
Cultural alignment and vision: An integral part of my leadership success is my commitment to cultivating a strong organizational culture and a clear vision. I ensure that every team member is not only aware of these values but also genuinely connected to them. This shared sense of purpose fosters a cohesive work environment, where individuals are not just employees but enthusiastic partners in our collective journey.
Are you working on any exciting new projects now? How do you think that will help people?
We are currently working to expand our security questionnaire solution by extending it to buyers. Vendict works by leveraging an organization’s compliance data, including past questionnaire responses, audit reports, policies, and procedures, using Generative AI to provide responses to security questions. As users interact with the system, it becomes more intelligent, saving considerable time for CISOs and security experts during assessments. Our technology aims to eliminate the need for sending questionnaires, benefiting both vendors and buyers. We are driven by helping more companies and CISOs to alleviate their day-to-day security headaches.
Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. How does the emergence of malicious AI threats impact compliance requirements for organizations? Are there specific regulations or standards that address the unique challenges posed by AI-related security threats?
Generative AI represents a powerful tool for both those seeking to exploit vulnerabilities and those wanting to safeguard against them. Here at Vendict, we harness Generative AI to aid companies in evaluating the security risks posed by their third-party associates. As the landscape of cyber threats becomes increasingly complex, partly due to the use of generative AI by malicious actors, it’s vital that businesses ensure their vendors are bolstering their defense measures. A crucial point to remember is that the strength of our overall security is inherently tied to the weakest link, which often lies within the vendor ecosystem.
Can you provide an example of a compliance framework or approach that organizations can adopt to effectively address security concerns arising from malicious AI? How does this framework help organizations mitigate risks and stay compliant?
The AI Risk Management Framework (AI RMF) is a great framework to help adopt and address AI security concerns. It guides organizations in addressing malicious AI concerns by emphasizing trustworthiness and addressing risks within six key areas, including risk framing and effectiveness. It ensures that organizations can better mitigate AI-related risks while staying compliant with relevant security standards.
In the context of compliance and regulatory requirements, what are the key considerations for organizations when deploying AI systems? How can organizations ensure that their AI deployments align with relevant compliance standards and guidelines?
The 4 main considerations for organizations when deploying AI systems in compliance with regulatory requirements include:
1.) Transparency and Accountability: Ensure transparency in AI decision-making processes and establish clear accountability structures.
2.) Data Privacy and Security: Safeguard sensitive data and comply with data protection regulations.
3.) Bias Mitigation: Implement measures to detect and mitigate biases in AI models.
4.) Documentation and Reporting: Maintain records and reports to demonstrate compliance with relevant standards and guidelines.
Overall, the most important technology that organizations should be able to maintain in the short term is the ability to anonymize and sanitize their information before sharing it with 3rd-party tools and APIs.
Are there any specific compliance challenges that organizations commonly face when dealing with malicious AI threats? How can these challenges be overcome, and what steps can organizations take to enhance their compliance efforts in this area?
As regulations often lag behind evolving technology, organizations often face compliance challenges in identifying and mitigating malicious AI threats.
To overcome these challenges, they can lean on the AI RMF framework we referenced earlier to establish proactive AI security measures, regularly update policies, and engage in industry collaboration to stay ahead of emerging threats and regulatory changes, enhancing compliance efforts. The final point of industry collaboration is particularly important, to allow experts and industry leaders to come together and support the industry as a whole in shaping, defining and implementing robust AI policies. That said, the crucial aspect, in my view, is ensuring that security and risk management teams have a solid grasp of AI. They don’t need to delve into math or technology but should possess a solid understanding of AI’s potential and constraints.
Collaboration between compliance teams and cybersecurity professionals is crucial in ensuring effective security measures against malicious AI. How can organizations foster collaboration between these two teams to address AI-related threats while maintaining compliance with relevant regulations?
Organizations can foster collaboration between compliance teams and cybersecurity professionals to address AI-related threats while maintaining compliance by creating a unified, cross-functional approach involving various teams, departments, and vendors. This collaborative effort should be driven by the CISO, GRC, and security teams, who possess the necessary knowledge and risk awareness to drive the initiative, making themselves approachable for effective communication. Additionally, organizations should continuously update policies to adapt to the evolving AI landscape, ensuring that AI capabilities are effectively integrated and aligned with the company’s security and compliance objectives.
What are your “5 Things We Must Do To Protect From AI-Powered Cyberattacks” and why?
- Develop robust anonymization and sanitization scripts and tools. Your organization will adopt generative AI, whether you officially endorse it or not, and they should offer a convenient means to anonymize text that safeguards the information’s association with your organization in case of a breach.
- I am a strong believer in the principle that you have to fight fire with fire. To counteract AI-powered cyberattacks, we must enhance our defenses with AI and ML as the foundation. This approach enables companies to proactively adapt to evolving threats. For example, many compliance and risk management tasks can be done 10x better with tools that use linguistic generative AI, such as Vendict.
- Train your security and risk management teams in AI & Generative AI, urging them to employ ChatGPT and other AI tools. It is crucial for them to comprehend the technology and its capabilities in order to safeguard the organization against AI-powered threats. When engaging with the industry’s leading GRC and security experts on generative AI, they exhibit enthusiasm for further learning. Nevertheless, some security and GRC professionals appear to still find this technology intimidating and are attempting to steer clear of it entirely.
- Investing in a highly skilled team to collaborate with Gen AI systems is crucial. Right now AI operates as a co-pilot rather than an auto-pilot, requiring human expertise for effective guidance. This team will then ensure that your setup is aligned with our objectives and can adapt swiftly to emerging challenges, boosting the overall cybersecurity posture.
- Foster collaboration and information sharing to stay ahead of AI-driven threats. By working collectively, it’s possible to effectively pool intelligence on emerging attack techniques and vulnerabilities.
You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)
I believe that AI will have a profound impact on the world, both positively and negatively. I hope that AI researchers will dedicate their efforts to projects and organizations that strive to bring about positive change in the world. If I could initiate a movement, it would aim to inspire AI researchers to make ethical decisions that prioritize the well-being of humanity.
How can our readers further follow your work online?
The best way to follow me is through my LinkedIn profile, where I occasionally share my thoughts and developments on the industry. You can also keep an eye on Vendict, either through the developments on our website or by checking out our blog, authored not only by me but also by our talented Vendict team.
Thank you so much for the time you spent doing this interview. This was very inspirational, and we wish you continued success.
About The Interviewer: David Leichner is a veteran of the Israeli high-tech industry with significant experience in the areas of cyber and security, enterprise software and communications. At Cybellum, a leading provider of Product Security Lifecycle Management, David is responsible for creating and executing the marketing strategy and managing the global marketing team that forms the foundation for Cybellum’s product and market penetration. Prior to Cybellum, David was CMO at SQream and VP Sales and Marketing at endpoint protection vendor, Cynet. David is the Chairman of the Friends of Israel and Member of the Board of Trustees of the Jerusalem Technology College. He holds a BA in Information Systems Management and an MBA in International Business from the City University of New York.