March 12, 2026

#580 Security vs Speed: Ben Wilcox on AI Development, DevSecOps, and Modern CTO Leadership


As AI rapidly reshapes how software is built, technology leaders face a growing tension between speed and security. Development cycles are accelerating thanks to generative AI tools, while cybersecurity teams are struggling to keep pace with new risks introduced by AI-generated code, autonomous agents, and evolving cloud architectures.

 

In this episode, Mehmet speaks with Ben Wilcox, CTO and CISO at ProArch, about how modern technology leaders balance innovation with risk management. The conversation explores the convergence of engineering and security leadership, the maturity gap in DevSecOps adoption, the implications of AI-assisted development, and the governance challenges organizations must address as AI becomes embedded in enterprise applications.

 

Ben also shares insights on secure-by-design engineering practices, the changing role of CTOs, and why AI governance and visibility will become critical priorities in the near future.

 

 

About the Guest

 

Ben Wilcox is the Chief Technology Officer and Chief Information Security Officer at ProArch, where he leads technology strategy, cybersecurity initiatives, and enterprise architecture efforts. With more than two decades of experience across infrastructure, cloud technologies, and software development, Ben has built a career at the intersection of engineering and security.

 

Over the years, he has helped organizations modernize their technology stacks while maintaining strong security and governance practices. His work focuses on secure cloud architectures, DevSecOps transformation, and helping businesses safely adopt emerging technologies such as AI.

 

Connect with Ben on LinkedIn:

https://www.linkedin.com/in/ben-wilcox/

 

Learn more about ProArch:

https://www.proarch.com

 

 

Key Takeaways

 

• The traditional divide between engineering and security teams is fading as organizations increasingly merge CTO and CISO responsibilities.

• AI-assisted development is dramatically increasing the speed of software creation, creating new challenges for security teams.

• DevSecOps adoption remains immature in many organizations despite widespread awareness of the concept.

• Secure-by-design engineering requires clear guardrails and well-defined development pathways for teams.

• AI-generated code should be treated like work produced by a junior developer or intern and still requires human review.

• AI governance and visibility will become a major priority as organizations deploy AI agents across business processes.

• CTOs must develop both technical foresight and strong business alignment to guide organizations through rapid technological change.

 

 

What You Will Learn

 

In this episode:

 

• How organizations can balance rapid development with cybersecurity requirements

• Why DevSecOps still struggles to deliver on its promise

• The risks and realities of AI-generated code in modern development

• How secure-by-design engineering works in practice

• The architectural considerations when integrating AI into enterprise applications

• The governance challenges created by AI agents and evolving LLM ecosystems

• The skills future CTOs need to remain relevant in an AI-driven technology landscape

 

Timestamps

 

00:00 Introduction and guest welcome

01:00 Ben Wilcox’s background and career journey

03:00 The challenge of combining CTO and CISO responsibilities

06:00 Balancing development speed with cybersecurity risk

07:30 AI-driven development and the new security challenges

10:00 What “secure by design” really means in engineering

14:30 DevSecOps adoption and maturity challenges

18:00 AI adoption in organizations: productivity vs product integration

22:00 AI-generated code, intellectual property, and governance risks

27:00 Architecture considerations for AI-driven systems

32:00 Data sovereignty, cloud strategy, and AI infrastructure

34:00 Skills the next generation of CTOs must develop

40:00 Emerging trends in AI governance and security

45:00 Where to connect with Ben Wilcox

 

Mehmet: [00:00:00] Hello and welcome back to an episode of the CTO Show with Mehmet today. Very pleased joining me from the US, Ben Wilcox. Ben is the CTO and CISO, or, as some people say, chief information security officer, uh, for ProArch. Um, you know, he's an expert in his domain and, you know, I'm very thrilled to have him with me today.

We're gonna talk a lot about a lot of topics, all the way from this merge between, you know, cybersecurity plus, you know, being a, a Chief Technology Officer. We're gonna talk of course, about DevSecOps. We're gonna talk about AI adoption and risk. We're gonna talk also about architecture, you know, and Ben's view on this, and maybe few topics here and there, and everything in between.

So without further ado. First of all, Ben, thank you very much for making it. I really appreciate your time today with me. So, traditional question I always ask my guests, tell us more about you, your background, your journey, and then we can start the discussion from there. [00:01:00] So the floor is yours.

Ben: Appreciate it, Mehmet.

Thank you so much for having me on. A little bit about my background. Um, I've been working with computers since the early nineties. I started as a teenager, very excited in the early internet days. Um, I built a business as a teenager. Um, ran it for probably about 10 years or so. Um, and then, uh, moved over into software development.

Uh, for a number of years after that, I made the transition to the company I'm at, um, now, which, uh, I've been at for over 18 years. Uh, came up through the engineering and the technical side. Um, it's kind of funny to think about some of the things that, um. Where, where we're different and where we're the same, but I've been almost doing cloud technologies for almost 20 years at this point.

Um, in the mid, um. 2010s. Uh, it got into security, uh, through consulting side of it and really started kind of merging all of the pieces from my [00:02:00] infrastructure development days together into security and started seeing that there's lots of opportunities for security to improve what we're doing, uh, in both the infrastructure perspective, cloud perspective.

Development side of things. And that really, um, helped me take a different kind of lens of, of approach. Um, so today I'd say I am very business technology centric and I blend my. Kind of decision making with security, right? And in areas where there is some conflict, um, because a dual role is, is a little bit of a conflict there, I rely upon some great staff members at our, our company that have more dedicated roles in one or the other to help me kind of make that judgment call, uh, of, of which direction to go.

Mehmet: Great. And thank you again, Ben, for being here with me today. You know, I gotta start from where you ended. It's about, you know, the conflict. And as someone also, like, I, I think I've been around [00:03:00] almost, uh, you know, maybe a couple of years later I came, you know, when I started to deal with, with, with the computers and systems and when I started my professional career.

So there was. Always this fight, we call it dog fight sometimes between, you know, um, like even in a small organization, let's say, between application teams and security teams, like infrastructure team and cybersecurity team. Like, you know, even at that time, 20 years back. We used to have a separate people managing the cybersecurity for us.

So this conflict, you know? And how did you manage to get both together? You know, it's a rare combination and like how did you manage to get there? 

Ben: Yeah. Well I think one thing I guess that would, that's beneficial for supporting the role is that, excuse me, if, um. If I had a deep compliance obligation, right, um, let's say I'm in financial services, um, I don't think a [00:04:00] dual role like this would be possible.

Um, being in the tech side of things, um, certainly it is more possible, right? Um, and the. I guess the, the piece, how, how it kind of slid in together was that, um, we need as technology organizations to be able to be agile and fast with our development, but also secure. Um, so that's kind of where the, the dual role kind of came into place, um, and supporting it now for over a year.

Um. I can say that it is challenging at points. There is definitely some conflict in there and I have to, I what, typically how I address that is I look at the business, right, what is right for the business and is there a risk there associated with it? So putting on the business lens really helps. Um, kind of clarify where that is.

Like I said, like if I, if it's, if I need a tiebreaker and I'm feeling indecisive, I bring in one of our security architects. I bring in, you know, [00:05:00] some other experts from, from the development side and we, you know, hash it out and we figure out the, the best and less risky method for doing it because there's always usually a different approach that can be done if we're, if we're absolutely one of those crossroads.

Mehmet: Yeah. So I, I'm sure you find the common ground there, Ben. Now. For, for the audience, and you know, people ask me about the show. So the name, I call it CTO because I have the belief that, you know, a chief technology officer. Is the person who, exactly, as you mentioned, Ben, I can take the technology and, and see it from a business lens and, and translate it.

And this is why I have people who are not necessarily technical on the show. So I'm happy that I'm having this conversation with you today. Now, as a chief technology officer, like usually you are measured, you know. From the business side on the outcomes, right? So, so what did the technology achieve for us?

Like, and one of the main [00:06:00] thing, especially in the era we, we are living in currently is the speed. Like how, how fast you can deliver something now, being a chief information security officer, and we all know, and I've, I've worked, you know, as practitioner in, in both, so. We try to actually slow people down.

So we say, Hey, like, let's see the risks there. So in your current position, how you make this balance between, you know, pushing things? Because we need to ship fast, but at the same time, yeah. Make sure that we are, we are not like, you know, doing something that might expose us from, from risk perspective, I would say.

Ben: Yeah, I was actually having a really interesting conversation with a, um, principal architect, um, yesterday, and the, the challenge I think from the development realm is that. Today, right? Generative AI is allowing this [00:07:00] extreme pace, uh, of generation of features, um, and the code changes really rapidly and isn't always known to the developer.

Um, right there. It's not like the olden days where people are going through the code super. Um, they know line by line where, where our function is or where things are.

For example, if documentation is written on the application, that documentation is outdated. You know, very quickly, uh, you know, within a week, you know, tons of new features are out, codes have been completely changed, and now how does the security team keep up to speed on that? Um, and that's kinda, I think where we are a bit from a inflection point of, you know, generative AI in development is, you know, security is always trailed.

Um, and right now our security teams, both from a coding perspective [00:08:00] and being able to address security in a rapid manner, um, are not. You know, the security isn't there yet. Um, and the tools there. So I think we, we, as you know, we'll see this year, great strides in this area. You know, mo move more towards agentic security type of capabilities.

Things that can keep up with speed of the development. Um, and, you know, the security team's gonna start being orchestrators of that. And I think that we're also gonna see the development team being orchestrators of that, right? Because they're gonna ideally get feedback in real time, not having to go back and try to retrofit stuff.

Um, and maybe it's agent to agent, right? So, you know, your development agent is talking to your security agent and you know, saying, Hey, here's my latest code. And the security agent says, well, this isn't good. Go back and fix this. And, you know, maybe we get to that state. That would be ideal, right? Where they're not having to go back.

Um, we, we need to get, we need better security. Um, from what I'm seeing [00:09:00] today with, with some of our development sides of things, 

Mehmet: I, I'm, I'm happy you mentioned this, Ben, because, and, and you mentioned ai, although, like, again, ask about different aspects of AI later, but, um, I think a lot of people and. I'm not sure if I should say this, fortunately or unfortunately, you know, now we have a lot of people who jump on the bandwagon and, you know, they, they, they want to be part of this and we see them talking about security also as well.

Now, if we want to go back to the roots, right? If, if, if you want just now put, you know, your CTO hat actually, or any. Anyone who's building software, we always talk, you know, even when we talk to clients that, hey, you know, one of the main thing we are proud of doing is we do everything in a way which is secure by design, right?

Ben: Mm-hmm. 

Mehmet: So, [00:10:00] and now I'm seeing a lot of, you know. I would say diversions here because you know, the agents that started to appear, of course I can't now not mention Open Cloud and, you know, formerly known as cloud bot and uh, mobile and all this stuff. But of course it's not the only one out there. And of course the vibe coding, which, you know, we've seen people who, yeah, they were shipping fast, but it wasn't secure.

So just, you know. Reminding people and maybe business people more than technical people, Ben, because I think they need to, to, to hear this from someone like you. What do we mean by secure, by design? Like what, how that looks from, you know, an engineering workflow perspective, not just as, you know, I call it cliche or a marketing material.

Ben: Yeah. And, and that is that, that pause state, right? Which is going in and when you're doing secure by [00:11:00] design, um, in today's world, right? You want a paved path or a paved road, right? That gives the. Engineering team, the, the parameters of which they have to operate and makes it simple from the beginning, right?

This is the way that it goes. Um, I learned early on and when I was doing the software development side of things and doing project management right, as we scoped a project. You know, don't, don't just give the engineer an open, um, line item to figure out the best way to go forth, right? Give them, give them two and let them, you know, um, pick one of those at the most.

Um, don't, don't, don't leave it, because then you'll, you'll be going back and forth forever. So, um. You know, if we give paved paths and, and methods of, you know, this is the best way to secure, right? And this is the infrastructure and the environment that you have to operate within, um, that will certainly help that quite a bit.

Now when we start getting into, you know, the development life cycle, I do think that, you know. [00:12:00] You know, in your sprint, you do need a secure review, um, in there and, and looking back through it and, you know, you can turn on all of the other AI security pieces, right? Your, um, GitHub, you know, advanced security or whatever it is, that platform that you're leveraging, um, for that.

And those things will look for standard things, right? Secrets that are, you know, hard coded, right? We've, we've had lots of breaches over that, um, in, in the last three, four years. We'll look for, you know. Not good code practices and some of the other things, right? But quality assurance, the QA side of things, um, you know, those practices still need to be done.

Um, and looking at the quality of the code, looking at, you know, making sure that the functionalities don't, you know, expose new risks. Um, I do believe that we are at a point too with, you know, this year looking at. Every single app, having some sort of generative [00:13:00] AI as part of it, um, red teaming, you know, periodically, especially on, on model changes is gonna become important.

Um, especially if you're storing any sort of sensitive or confidential information there. Right. That, and. I think people forget how easy it is to store that stuff, right? PII, personally identifiable information, is something that if you have a large set of records in, in the US, right? 5,000 plus records get exposed, you're obligated, like in New York State to, you know, disclose that and, and contact, and you have to let everyone you know, know that this has happened.

So, PII, you know, if you're B2C or B2B, right? This stuff starts. Adding up. And you really do need to start taking, you know, concerns around your data, how you're protecting it, how you're encrypting it, um, you know, how you're sharing that information and, and so forth. And, you know, it's a combination of both tools, but people and [00:14:00] processes.

Mehmet: Right. Now we know for a fact, Ben, that we like any, you know, the way that technology evolved is that. We, of course we are gonna do mistakes down the road, which is normal. And this is why we have, you know, the guardrail that we, we, we started to use, and this is not only from security perspective, we've, we've seen it like also when people started, for example, to, to migrate to, to cloud, you know, and, you know, a whole new thing, you know, which evolved with that, like the DevOps and, and you know, the practices of, you know.

How we can enhance the software, um, you know, lifecycle when we move to the cloud. Although, like practically we were doing it in different ways back in the days. Now also we have DevSecOps, which is like developing security operations, right? So, um, it looks great, right? But is it succeeding in practice?

[00:15:00] Like, uh, are really, you know, organizations. Utilizing it in the proper way. Like, are they really embedding into their pipeline, CI/CD without slowing their teams? Like, what's going wrong there and how we can enhance it?

Ben: Yeah, there, there's definitely, I think, room for enhancement there. Um, I don't see. A lot of successful DevSecOps, um, in organizations.

Um, even in presentations. I've done a few on, on DevSecOps and frankly, the maturity isn't there. Um, may maybe in some very larger, if you talk about the, you know, F 500 maybe. You know, it's, it's much more successful, but trickling down. Um, right. It's, it's especially about features, speed today, getting it out the door.

Um, the ability, you know, if we [00:16:00] think about to where, where teams are, um, I just haven't seen security become a focal point in development. Um, and the skills. Needed to assess the risk side of things, um, being done from a personnel perspective. Um. That's not something that's there. Um, I do see like, for example, in security, um, people moving towards more programmatic, you know, having those skills from a program perspective, um, and being able to, you know, start at least understanding the developer's world a bit more.

Um, but, you know, there's still definitely a, a big lack in that space and I think there's lots of room for improvement, you know, is DevSecOps, um. Um, very few people can do it at speed, right? And, and do it consistently. There's always like a roadblock there. And, um. I, I think the, you know, less friction is obviously the goal that we wanted to get to.

[00:17:00] But the problem is that some of the tools I think that we still have that are, are either not configured well or they're just not very good at it, right? And so they, they stand up the, the roadblocks rather than, you know, getting it early. It's right at the end forcing the developer to get right back.

Right now. Now we're back at a stage of, um. You know, fixing, you know, two weeks after, you know the feature is supposed to be due and no one likes that, right? If, if you're being measured on how quickly you get things done and how good your feature is, right? Being, being late all the time doesn't give you a good, you know, KPI to follow.

Mehmet: Yeah. And I think there is the rush also like to, to to ship as fast as possible. And here where I want to ask you, uh, Ben, from what you're seeing in, in the market, of course we know for a fact that AI adoption is top of mind even on, on the board level, everyone. Might be asking in their companies, Hey [00:18:00] guys, what are we doing with this AI thing?

Right? Um, so are you seeing people or organizations currently just trying to build AI into whatever product they have? Or are they trying to find a way to, to just again. Say like, yeah, we have adopted some AI here. We, we, we, we, we did this, we did that. Uh, and, and now we are fine. So what's the difference really between using an AI tool?

Like we have seen, like I've seen like someone the other day saying, Hey, like, yeah, we, we adopted AI. And we gave ChatGPT access to everyone. And you know, you talk to someone else then telling you like, Hey, no, we are building actually AI into our products. Like we are trying to in enhance, you know, things using AI.

So what leaders miss here? Exactly. Ben? Like what, what's the, what are you seeing in the [00:19:00] marketplace? 

Ben: Those are definitely two different buckets. Um, you know, I would call the, the copilot or ChatGPT side, right? It's, it's AI for, for personal productivity. Um, the other bucket that you're describing, building it into the apps is, you know, AI for enterprise or building those enterprise types of apps.

Um, different customers are in different stages on that. Um, you know, we see organizations that, um. You know, it's often starting out on that personal productivity side, right? It's hard to envision what, how things can change sometimes if you don't have access to those tools. Um, so change adoption's a very big thing when it comes to personal.

Use of ai, um, like the copilots, um, when, when moving into like the enterprise, um, app space, you know, you got a whole different realm of things. You got things that are just kind of bolt-ons and, you know, hey, we've decided to enable, you know, queries from, you know, uh, instead of going to the [00:20:00] user interface, you just type in what you want and, you know, maybe, maybe you get the answer that you want.

Other ones are completely redesigned, rethought, right. Different data sets on there, and they're, they're actually building more, you know, it's not just about getting a response. It's about, Hey, maybe I can do something else with this, right? And manipulate it and create a report, or whatever it is, right? So moving towards those ability to, to create something, um, through tools on that side.

So we see a, a gamut on there. Um. But I, I think that this year is the year that when we look at apps, whether, you know, I'm not certain I believe that SaaS is necessarily dead, but you know, SaaS products will have, uh, AI components, and I don't like people talk about this thing called shadow ai. Right. You don't know.

Mehmet: Yeah. 

Ben: AI is being used in your organization. Well, this year. You know, just assume that every single app that anyone is using is gonna have some sort of AI in it. I think that's safe to say, [00:21:00] right? Yeah. There's not really gonna be a tool like out there that, you know, doesn't have AI in it. That's, um, you know, 

Mehmet: right.

Ben: They can build it 

Mehmet: in. There is no escape from from that. And, you know, just this, uh, debate for the SaaS, uh, and I think. I maybe I mentioned a couple of times in my recent discussions and you know, I think no harm of, of repeating my own, you know, opinion on this. And I'm think people, it's not like about SaaS is dead, is SaaS going to continue or not?

It's about, you know, the, the, you know, going back to basic and this is why, you know, when, for example, I ask you like secure by design and always I go and ask people like even if you today, you are able to. Let's say just people are talking about the CRM, they take it as the simple example, and they say like, we vibe coded a CRM system.

Fine, good for you. Is it secure? Right? Like, you know, uh, how, how are you, how are you going to maintain it? Like, you know who, [00:22:00] who's gonna be the product manager for this? You know, in-house built CRM, right? And this is why. Yeah, people might become creative and this is where there will be a collaboration with the, with the SaaS vendors actually.

And I, I read a very great article, you know, I'm sorry, because I'm not remembering the, the author. Uh, but, but I, I reposted. Uh, his, his article on my LinkedIn and he talks about, you know, SaaS is not that, but probably, you know, the outcome-based ROI would be like more reasonable than just the seat-based licensing and these kinds of stuff.

So now still talking here about using AI and, you know, agent, agent AI in, in coding and as someone who did this for a long time, man. I had to guess maybe one year and a half. And we, we discussed this, um, about, you know, the code that is generated by these AI tools. Now, I know [00:23:00] like things changed way, way, way, way fast and a lot, a lot, a lot of better.

But as a CTO, like if, if you, I want you to put your CTO hat plus maybe you can borrow the, the, the governance risk hat also as well. In practice, the code generated here? Like is it an IP code? Like let's say a client, you know, you deal with Ben is trying to do something, maybe an idea, which is, I'm not saying in completely innovative, maybe they are enhancing certain product in the market and let's say they utilize.

AI to, to, to write the code. So is there a IP here? Is there intellectual property here that that can be protected? Uh, how safe is the code that is coming out in your opinion nowadays? Like how safe is it to use it? W. I'm not against or with, but I'm not sure how much also hype around, you know, the, [00:24:00] the, the job of software engineers.

And I want to hear your opinion about this because, you know, every single CEO of these AI companies, they're saying like, OpenAI, they say like. Actually, you know, GPT helped with the five point, the 5.3 Codex. Uh, Anthropic, you know, they're saying the same thing about Claude and they, they, they're code, they, they don't try code a lot nowadays, of course.

Like, we don't know, I, I'm saying I'm denying or accepting, but with all these, like, where's the. Governance risks, you see where is also, you know, how much trust we can put in these in these lines and lines, of course. 'cause we're talking sometimes about millions, maybe. 

Ben: Sure. So I think the, the big challenging piece here is like, let's start with the quality.

Um, the quality of the code. You know, it creates functional, you know, [00:25:00] features, right? So, so from a feature perspective, yeah, it's working great. Um, now if you kind of start digging in, right, there's still a lot of junk, right? You'll start seeing emojis, you'll start seeing things that aren't necessarily optimized.

And if we go back to thinking about like, how LLMs work, right? An LLM is gonna make a decision around how it. Out based off of, you know, the prompt that is provided. So if you're putting in prompts that aren't really optimized and you're not being very, um, prescriptive on the guidance that you're providing, right?

The quality that you're gonna get back is not gonna be nearly as high as what you could potentially be getting back. So part of it's gonna be around user education. Um, I think that there's a lot. To, to say about like, if you are a software development company or a company that is, um, building IP, [00:26:00] right?

Your, your secret sauce may not be, excuse me. Your secret sauce may not be the, um, the product that you have. Um, it might actually be your prompts. Help you, um, create great products or, um, you know, deliver that service. So, um, you know, I, I think that's kind of where, where your IP is going is, you know, it's gonna be what are, what are the prompts that, that allow you to be really super great on that.

Now, from a security perspective, you know. I would still treat it as like, Hey, this is an intern, right? Are you gonna trust everything that an intern says? Um, and has, has doing it right. They don't have 20 years of experience. They might have, you know, some better practices, but this is still learned code right off of if, if the, if the thing that it's putting in there is learned and it's junk already, then.

You know, that's what you're getting out. So I would say still need to do your, your [00:27:00] code reviews. Look at the quality of it, um, you know, build, build your MVP, but make sure that you do, definitely do your due diligence in there and make sure that you get your, um, security reviewed early on.

Mehmet: Right. Uh, what I have experienced, and I, I'm not a developer by any means.

I used to write code long time ago, like, you know, just for fun and I never been, but. The thing which excites me is like for someone like myself who didn't go the route of learning new languages and all these new frameworks, like if I have an idea, yeah, now I can go to one of these tools and I can just build this skeleton, I would say an MVP show it to people and it's working, by the way, which is good.

Don't get me wrong. I, I like it sometimes, but I'm sure that I need. An expert eye for the [00:28:00] architecture because I come from infrastructure background, so I work a lot time with, with infrastructure, so I know there must be some optimization over there. And I remember when, when I took my first programming, uh, course at, at the university, the ma first thing they told us.

You can write a code in different ways, but there's a way that would be more optimized, whether it's for speed, whether it's like, uh, you know, reusability and so on. So I'm sure you need the expert. I maybe they, I will get there one day. I'm not sure. But yeah, like, this is my, my own opinion. And this will bring me to ask you about also now in the age of, of AI and customers, uh, around the, the globe.

Although like they didn't finish yet, what, you know, we, we, we call the digital transformation and moving to the cloud, and now we have this new generation of, of applications and AI is a, I'm not saying must have, but majority of the time, AI is a, is is an important [00:29:00] aspect of this. And AI has its own architecture, whether, you know, on, on cloud or, or maybe sometimes still in a hybrid environment.

So. Here. What are you seeing changing? Because we used to talk about multi-cloud for, you know, it's for resiliency. We used to talk about like, yeah, we need to have like kind of this hybrid thing. Just again, some, some part of the data should stay, you know, or on-prem and should not leave. You know, the data center.

Now they are added the. I would say weave mix, because also now we have the LLM itself. We have also like the processing and also people, I think stop talking about, uh, the egress charges that, you know, the cloud providers used to put on that. So now in a world of AI development and integrations with LLM.

Uh, what is in your op? Of [00:30:00] course there is no one single answer like, but what a ultimate design would look like from architecture perspective. 

Ben: Yeah. I think what we see more customers leaning towards is trying to contain the all those risks and keeping 'em in one cloud at this time. So where possible, right?

Whether it's, you know, we're a big Microsoft shop right in, in Azure. The idea is that, you know, your Foundry tool, right? Hosts all the models, right? It's a platform there that, you know, doesn't matter if you're an OpenAI, Anthropic, whatever, right? Go, go pick your model that you want. It stays within that ecosphere.

You don't have the. Egress, you don't have, uh, concerns about privacy, where it's going. Um, and we see more orgs wanting to at least, you know, feel like they have more control around where it's going. Um, you know, and [00:31:00] leveraging the resiliency within that single cloud as the, um, the platform for it. Now, when it comes to, I guess, the development of that, right, we're seeing.

People wanting to do new ground up builds for ai. Um, and, and leveraging it from a well architected, uh, framework because the things that you described right of multi-cloud, you know, complexities around that, some orgs still wanna do that stuff. Um, but at the, at the end of the day, they want everything in a secure footprint as much as possible, because there's just so many focal points of security risks when you start looking at enterprise AI and, you know, building it right, you still have your traditional risks of infrastructure.

You still have your, your risks of, you know. What you're doing from a security code perspective in your APIs, you still then also are now adding on your LLMs, right? And, and what could happen from a model poisoning [00:32:00] perspective there. Um, and then you're also adding on additional things from a, you know, user interactive perspective, right?

Or, um, you know, start adding on agent capabilities. Right now, this agent can go out to the internet. You have a whole nother set of risks. So you have all these egress ingress points, you have all of these other areas that, um. Could potentially add those security risks to your business. Having 'em in one single spot makes it way easier to contain than trying to deal with a multi-cloud type of situation.

Mehmet: Right now I gotta, you know, I can't, I can't put my comments here because you are the expert, because, you know, things are moving really fast, Ben. And uh, in some countries, you know, they're focusing a lot on data sovereignty, right? So. They, they want, you know, these LLMs and the processing of the data to be within the country.

And this is where sometimes we are seeing even people buying [00:33:00] these, uh, you know, very powerful, uh, you know, chips like the GPUs, you know, to put them on prem and they're saying, yeah, let's put everything here. I've seen some. Actually, I, I talked to some startups and what they're doing is that they're offering a hybrid approach, but yeah, they're keeping it, they're trying as much as they can when it comes to data and metadata to put it into one place.

So we don't have, you know, fragmentation and latency issues and all this, but I'm seeing like it's getting more and more complex. And this is where I want to ask you, Ben. In this age, you know, like I think we're same generation when it comes to, to, to the technology. And for us, like things were okay, exciting changes always used to come, right?

Like from, um, you know, how computers actually came, how, you know, the cloud then developed like mobile and all this stuff. And you know, also the, [00:34:00] the, the coding frameworks and you know. We passed through multiple stages, but I would say like there was a kind of pace that we were able to grasp what's happening, but now it's changing very fast.

So if someone today, you know, they're planning in the future to become CTOs, so what do you think the kind of skills that they should have to develop, uh, you know, a these, uh. I would say skills to be relevant in fast changing, you know, world of course. Where also AI is, is moving fast. We talked about security risks also as well, and they should be aware of that.

So, so what kind of skills a modern CTO in your opinion should have? 

Ben: Yeah, modern CTO, that's a, that's a great question. Um. How I try to keep myself relevant. I'll, I can't speak to everyone, but I'll just give you my example. Um, 

Mehmet: sure. 

Ben: You know, [00:35:00] I, I attend major conferences. Um. Um, and, and look at the landscape and, and the landscape isn't necessarily just what you know, the conference.

Let's, so let's take Ignite for example. Microsoft shared a lot of kind of where vision things are happening. Across, um, them, right? And you, you could see where they're making investments, right? If you start looking at where the investments are gonna be made, you can see, start seeing where the gaps are today, right?

That they're identifying. Um, other pieces, right? Go out on the vendor floor, go talk to the smallest vendors out there. Those are the ones that are really interesting. Um, don't. I, I think skip over the big ones, right? If you're at a security show, skip over the big, big vendors. Go talk to the ones that are in the back that are doing the innovation because they see the gaps there too, right?

And those are the gaps that are going to be in your next generation of development that you're gonna have to address. [00:36:00] So, um, it's gonna start showing you the risks. It's gonna start showing you where, um. You know, they're, they're starting to see that there's opportunity. A lot of the startups, right? If, um, you know, they are talking to the enterprises and they're the ones who are building an app for the enterprise, maybe at no cost or little cost, but Right.

You always wonder how these startups get this big name. Well, they're doing a pretty cheap for to get that big name right and Right. They're trying to grab some part of the market share there. Um, that's, that's emerging. So. I would start looking at that, that space. Um, so I, I call that eyes up, right?

Looking at the next horizon of where things are. Um, I think it's also retrospective to look at where we are in, um, you know, what your peers are doing at this point, right? So if you're in a certain industry, right, what's a standard there, right? Not saying you necessarily need to always push the boundaries, right?

Look at. Could we be doing things that [00:37:00] are, you know, more modern, more approachable, something that would help, you know, the business accomplish more, um, without introducing more risk? Because in certain industries, like financial sectors, they've had a great security maturity. But that security maturity base sometimes can be limiting in what they can, can do, um, in regards.

So, you know, it really takes a CTO or a CIO with great foresight and the ability to kind of shift the momentum, right? If, if. You know, it took a long time for the financial services firms to start doing much more cloud. Now we're seeing it pretty common, right? There's not the questions. Right? 10 years ago, I had to fight for every single financial service firm to do anything in the cloud.

Um, now, now it's, and that was justification to, you know, the c, the CISO justification to the security people, justification to the developers, because. There weren't skills that they [00:38:00] necessarily had, but, um, don't leave your people behind, right. As, as a force. You know, a CTO, right? You wanna make sure that you're also educating your team and making sure that they're gonna be prepared to be able to deliver these things, right?

Change takes a long time, right? Change is a one to three year process. Yeah. So if you think that you wanna get somewhere down the horizon. That's gonna make a difference, right? Leveraging more AI and your team's not, you know, an AI expert. Start investing in them. Start building those capabilities. Start um, encouraging them to say yes to something more challenging to do.

Um, and start looking at that view from, you know, an organizational change. How do I really get them so excited about, you know, this, this change and, and buy into the vision that I have. Not my vision's not to make it more hard, my vision's to bring more value to the business. Right. Which benefits everyone.

Mehmet: Absolutely. Absolutely. Yeah. And, you know, staying relevant, talking to, uh, to [00:39:00] startups is, is, is, you know, very good actually, uh, strategy to stay relevant, to see like what people are seeing in the marketplace that needs improvement, that the big guys are not doing it. So this is a very good strategy. Of course, attending, as you said, conferences.

And, you know, uh, I've been, honestly, from my perspective, I've been selective because I go to the ones which I think, you know, they have value. Like they're not over hype because also, like sometime we, we see, especially with the ai, you know, a lot of over hype, and I'm not, and I'm the big, you know, I'm one of the biggest, uh, you know, defender of, of the AI when it comes to saying it.

A bubble. It's true. But yeah, like there are like some, some people who trying to overhype it, but yeah. So to to, to know exactly what's happening. Which is absolutely perfect. And to your point, Ben, uh, which I think this is the core, what's, what's the, the, the, the, the, the outcome to the business? Like how, how we can take the business from point A to point B using the [00:40:00] technology.

I think this is what matters at the end of the day. And call the technology what, whatever you want to call it, like, yeah. So you want to call it, you know, it's a cloud. It's cloud, it's ai. It's ai, like whatever it is. Now as we're coming close to the end. I know we talked about ai, we talked about agents, but you know, from, from what you're watching also as well, any other trends you're expecting also to emerge in, in maybe in this area?

I'll not ask you about three, four years from now. No one knows, of course, but I mean, it looks like now everyone talking about the agent ai like using, uh, agents and uh, now we start to see like not only agents as. Co-pilot, like it's, it's as you said, like it's like we, we crossed that, but other than this, any other areas that you personally, maybe you are watching and you're expecting some breakthroughs in in them.

Ben: Yeah, I think the AI governance and the visibility in there [00:41:00] from a security perspective is gonna be really big this year. Um, I've already seen Microsoft making the investments on that side. Um, and when I say governance, right, it's treating these agents as if they are a coworker, right? Giving 'em full identities.

Giving your security team visibility into the actions. So the, the, the piece around LLMs, and I think everyone forgets about this, um, and this also goes kind of back to the, the, maybe a new challenge in a DevSecOps that is coming out right, is that these LLMs have a lifespan for like the model versions of like.

Nine months. Right? And, and then you get like, uh, what was it? Um, you know, they're just retiring, you know, 4.4 0.0, um, in, in, in ChatGPT. So these are not long time, right? And so if you're using these large public models, right, you now have to upgrade and change. To a different model. Now, these models, [00:42:00] right, improve, but do they improve your business outcome that you've designed your AI app for?

Now, everyone has a different reason why they're doing this, right? What if I don't want a really creative, knowledgeable, um, you. Capability in my app and the new model, right? They've, they've tweaked it and they've improved that ability for it to be really creative. Now, you know, I, I, I want, um, a high level of accuracy and, you know, I think the LLMs are getting more accurate, but, you know, is it in the context of how I've designed my, my application to use it?

So we're not in the mindset of testing those types of outcomes yet. And so that is an emerging area I think that we're gonna start seeing. It's not, not a problem that people are running into. People are just kind of ignoring it right now. It's very interesting. More, more challenges I think around, Hey, I, I just upgraded this framework and now things are really [00:43:00] broken in my app.

So, you know, people are retrospectively going back on that front. 

Mehmet: Yeah, it, it remind it, you know, what you just mentioned, remind me, you know, in, in the age when, uh, I'm sure you remember this, um, you know, in, in the late nineties and early two thousands when, when people were like. Have to change their CPUs because, you know, the CPUs are coming faster and, you know, have better performance every, literally, sometime three to six months.

And you know, like, yeah, I, I remember virtually, you know, like my first, you know, PC that was like a, I think it was in 486, you know, Intel CPU and just. In, in two month. Hey, like we have the Pentium one at that time and like just in three, four month Pentium two. And you know, like people are saying me like, what should we buy?

And you know, I think the LLM to your point with the LLMs, I think, and I was talking to someone the other day to just to, to put some context to what you mentioned, man. So I was talking to, to a startup and what they told [00:44:00] me that, for example, they use from ChatGPT. If I'm not mistaken, like 4.1. Uh, because based on the benchmarks, it does well in the area where they are building around and they said, this is why we didn't even went to 4.2 and we didn't even go to five and 5.1 and now almost 5.3.

Of course, it's in the Codex is there, but as ChatGPT 5.3 is not there yet, at least at the time of the recording. So. This is, I think, a real challenge and how people, they're gonna keep unplugging and plugging these LLMs in their application. I think, yeah, this is an area definitely worth watch and see the governance around it.

So, so a hundred percent agree with you. Well, Ben, as we almost came, uh, to the end of this episode, traditional question, a cliche question I know, but where people can, you know, get in touch and find out more. 

Ben: Yeah, two places. So, [00:45:00] um, at Procs website, it's P-R-O-A-R-C h.com. Um, we have a blog there and I'm an active contributor to the blog.

Also, please feel free to connect with me on LinkedIn. It's Ben, BEN dash Wilcox. Um, and, and I'm here in, uh, in upstate New York. Um, and you know, please feel free to connect from there. 

Mehmet: Great. And uh, again, thank you Ben for being here with me today for the links. The audience, they don't have to go search manually.

Everything will be in the show notes. So if you're listening on your favorite podcasting app, you'll find the links to the website and Ben's LinkedIn profile in the show notes. And of course, same thing if you're watching this on YouTube and at the end, I can't thank you enough, Ben, for this, you know, insightful and very.

You know, knowledge rich episode. Uh, and I think we covered great topics with you today, so I hope also the audience will find them useful and beneficial. So thank you again for your time and this is how I end my episodes. This [00:46:00] is for the audience. If you just discovered us by luck, thank you for passing by.

I hope you enjoyed. If you did, so give us a small favor by subscribing and share it with friends and colleagues. And if you are one of the people, the people who keep listening to the podcast and actually they recommend it to others. So thank you for doing so. You're doing fantastic. I can see this from the statistics, the, you know, again, since last year, I'm repeating this at the end of each episode.

I can't have these statistics without you. So being on the top 200 Apple Podcasts charts in different countries, so every. Every two or three weeks, we, we shift from one country to another. So this cannot happen without, of course, a great fan base like yourself. So thank you very much for this, and as I say, always stay tuned for a new episode very soon.

Thank you. Bye-bye. 
