On the 32nd episode of Enterprise AI Defenders, hosts Evan Reiser (CEO, co-founder at Abnormal AI) and Mike Britton (CIO, Abnormal AI) talk with Yaron Levi, CISO at Dolby. They unpack the enduring basics of cyber, how agentic AI can help teams move faster, and why excellent security starts with the business mission. Yaron argues that most incidents still trace to old problems and that progress in the AI era begins with operational discipline, explicit threat modeling, and automation where it truly reduces risk. He lays out a pragmatic sequence that starts with business goals, maps how things can go wrong, selects countermeasures, and then reconciles ambitions with real budgets.
Quick hits from Yaron:
On AI’s role in defense at scale: “We need to be able to embrace and figure out how we can automate more, how we can leverage those technologies to help us defend better and really tackle that technical debt mountain… maybe with some AI, agentic AI, maybe we have some chances to deal with it better.”
On why breaches still happen: “Unpatched systems, misconfigurations, compromised credentials, RDP, open RDP, the RDP that somebody left out there.”
On preventing AI agent blind spots: “Do you know what your inventory is? Back then it was devices, then cloud workloads and virtual machines and other Kubernetes or whatnot. And now it’s like agents, okay? If we’re going to suck at managing the agent’s inventory, the same way we [sucked at] managing, you know, device inventory, we are going to have a big problem.”
Recent Book Recommendation: The Psychology of Money by Morgan Housel
Evan Reiser: Hi there and welcome to Enterprise AI Defenders, a show that highlights how enterprise security leaders are using innovative technologies to stop the most sophisticated cyber attacks. In each episode, Fortune 500 CISOs share how AI is changing the threat landscape, real-world examples of modern attacks, and the role AI will play in the future of cybersecurity. I'm Evan Reiser, the founder and CEO of Abnormal AI.
Mike Britton: And I'm Mike Britton, the CIO of Abnormal AI. Today on the show, we're bringing you a conversation with Yaron Levi, Chief Information Security Officer at Dolby Laboratories. Dolby is a global leader in immersive audiovisual experiences, known for pioneering sound and imaging technologies that power everything from blockbuster films to next generation consumer devices.
There are three interesting things that stood out to me in the conversation with Yaron.
First, Yaron emphasizes that the root causes of most breaches haven't changed in decades: unpatched systems, poor asset inventory, and weak access controls. What's changed is the scale and speed of failure as companies rush to adopt cloud and AI.
Second, Yaron believes that security can no longer behave as a gatekeeper. At Dolby, where innovation cycles are fast and teams move quickly, security's real value comes from enabling calculated risk, embedding with business units, and making cybersecurity a shared responsibility across 3000 employees.
And finally, Yaron believes AI's real near-term power is in wiping out the technical debt that slows defenders down. For Dolby, agentic AI is a way to scale good habits and eliminate human error, turning long-term problems into automation wins.
Evan: All right, well, Yaron, first of all, thanks so much for making time. I know Mike and I are really looking forward to chatting with you today. You should give our audience a bit of background, like tell us about kind of your career, maybe how you got to where you are today.
Yaron Levi: So, Yaron Levi. Thank you for having me on this show. Happy to be here. Currently, I'm the CISO with Dolby. I've been here at Dolby for nearly five years. Before that, I was the CSO at Blue Cross Blue Shield here in Kansas City. And my career has been in just different industries. I worked with healthcare, Cerner Corporation, big healthcare company.
And I was part of Oracle. I was there for nearly three years. I was part of Intuit, part of eBay—one of the 22 research fellows for the Cloud Security Alliance. So if you like or hate the CCM or the CAIQ, I was part of the team who wrote that. And then further on, my career, just different roles. Software engineer, you know, architect, different things. So, there's multiple things. Worked across multiple countries or with multiple across multiple countries. Which is always fun and amazing to me across cultures.
Evan: Yeah. Cybersecurity Is a hard job. Right. You got to, like, late night calls, got criminals trying to hack in your business, right? It gets, you know, the threat landscape changes every day. The new technology, every day. You know, obviously, it's architecture. Never change faster. You can do it for a long time, and you're still, you know, alive and mostly sane, right?
Like what? Kind of like what motivates you, right? What keeps you going? What inspires you? Like why? You know. You know, you're so experienced. Accomplished. Like, what could someone else. Right. You you've stuck here. You tell us a little bit about kind of what what drives you.
Yaron: I think one thing about cybersecurity in general, it's the mission, I think, more than anything else, you know, again, being in it, being in, you know, on the business side. But when I really started to work and focus on cyber, I found my calling. Or find my home, if you will. One. It's the mission. I think it's a mission that is, you know, worth fighting for, worth doing work, working at,
But the other side of it is the people is there. I haven't seen any other community of people like that. In any other profession. I mean, not CIOs, not CFOs. I mean, like, who wants to hang out with them? But when you go to, like, an old security side of the elders house to go to the conferences, I mean, you know, different meetups that we have.
It's a big difference. And it's like awesome community. You can always reach out to somebody if you need help. You have questions. There's always somebody who's going to have your back. And, that's what we do. That's why I like. I think it's like the community.
Mike: When you came to Dolby, were there things that translated well from other industries, other companies? Are there things that you found that were very different in how Dolby operated versus, your last stop? How do you kind of approach that when you change industries, change companies on what works and what doesn't work when running a security program?
Yaron: You know, every company is different and every industry is different. And sometimes, you know, companies within the same industry and they also, you know, operate differently. But I think the common theme across all of them, yes, I mean, you have some different regulations and maybe, you know, you own industry or subject to this. And the other one is subject to that.
But I think at the end of the day, what's common to everybody, it's the people. And, you know, everybody have the same challenges. You know, the same challenges internally. Everybody kind of fighting for budgets. We're fighting for attention, for priorities. And really, how do you navigate all of that? By finding, you know, what's important to them, what's important to the business.
And then what can you do from a security perspective to support and help that? And I think that's the theme, right? Because if you're in health care, so you know, the most important thing is your member or your patient or, you know, whatever the case may be, they're right. And if you think about the mission of health care, you know, they are looking to treat patients.
So we're looking, you know, to treat people. So that's the most important thing for for the business. Okay. So what do we do? How do we support that? How do we enable that? When I was at eBay, for example, we had a lot of people who are making a living off eBay, right? I mean, they're selling, their merchandise or, you know, whatever they do, auctions or whatnot.
So there's a lot of hobbies, but a lot of people who make living well, if the company is, you know, delivering on helping people to make a living, that's what's important to them. That's what's important for us to continue and protect that. So at the end of the day, I think it's always kind of the same thing. First of all, what's the business mission?
What's important for the business? What can go wrong that will prevent the business from accomplishing its mission? And then what can we do to help, so that they can continue to deliver their mission? And that's. I think it's pretty common to like every industry. Maybe the implementation is a bit different, but but the same. But but ultimately it's like the same thing for everybody.
Everybody suffers from the same challenges, from the same, you know, lack of budgets, from the same technical debt, I mean, from the same, you know, priorities, I mean from everything else. Right? It's just how do you navigate through all of that?
Mike: And do you feel like maybe some or some organizations or some industries are better at pushing the forefront on new technology or some more laggard kind of. Do you feel like you've seen differences there?
Yaron: Yeah, it's definitely different. You think about health care organizations. They tend to be a little bit more behind for, you know, many different reasons. You think about different technology, SaaS, Bay Area, they're trying to stay like more forefront, trying to be more innovative. So yes, I mean, it's different from organization to organization. I can tell you that one is better than the other.
You know, each one, each one has its pros and cons, you know, staying on the really on the bleeding edge has a lot of advantages, but also the challenges as well. And, you know, we don't grow like white hair for nothing. So, you just your mileage may vary. Just depends on the organization.
Evan: Well, it's kind of unique about your experience outside of your day jobs, right? You've also worked with a lot of, venture capitalists and startups. Right. And, you, you you spent a lot of time not thinking about, like, what's the cutting edge of stuff, right? The new technologies, the new, the new kind of threat landscapes.
What are like the three big areas in cybersecurity that no one's talking enough about, right. Well, that's on the threat landscape with the transformation. Like, yeah, if there's a CISOs listening out there, what are like the three things you'd say, hey, here's three areas. Like, you really got to spend some more time, put some more attention.
Yaron: It's always the same thing, you know. So if you think about, I don't know, take the Verizon DBIR. They've been publishing it for what, ten, 15 years now? The OWASP top 10 hasn't changed over the last 25 years, right? I mean, and and so on and so forth. I mean, mandate approach, publishing deal reports, threat reports, I mean, every year and so on.
And then if you zoom out and you look at all the data, what you always see is almost always the same thing, how compromise, how breaches happen. Unpatched systems, misconfigurations, compromised credentials, RDP, open RDP, the RDP that somebody left out there, right? It's always the same things, right? And somewhat we don't learn or we don't move away from that.
And then you have to ask yourself, okay, so why is that? Why do I keep kind of failing to the same, you know, for the same things. Right. And, and I would argue that for the most part, all of those cracks, if you will, that we have it's a form of technical debt that's been accumulated more and more over time, mainly due to what I call a lack of operational discipline by IT, by engineering, you know, by others, you know, and so on.
But by and large, I mean, this is not security problems. And I don't mean by that is like, oh, we don't care. It's not my issue. These are security risks. And these are the things that, you know, again, we're trained and we're fighting very, very hard to defend and continuously reduce that risk. But for the most part, I mean, if most organizations, you know, will properly invest in all the time, the effort — you know what your inventory is like, know where applications are, you know properly, manage your access, properly, manage your network.
I mean, things like that probably 78% of our job is going to be gone. So then you have to ask yourself like, like, so why don't they do that? What are we going. It's hard. I mean, it's hard. It's time consuming. It's expensive. Right. And, to get it right, I mean, and then the more and more complexity that we see over the years, I mean, this, you know, thing called cloud that was introduced 15-ish years ago, what did that to our industry.
And then like, you know, virtualization and Kubernetes. And now we have agents and AI, right? I mean, so the complexity is continuously growing. And to do all of that, it's speed at scale super super difficult. But ultimately I mean the concepts are the same. Do you know what the inventory is? Back when it was devices, then cloud workloads and virtual machines and other Kubernetes or whatnot.
And now it's like agents, okay, if we're going to suck at managing the agents inventory the same way we sucked at managing old device inventory, we are going to have a big problem. So essentially it's focus on those foundational that operational discipline kind of the same way I think it applies the same across the board. I'm not saying it's easy.
It's super hard. But I think that's, you know, a lot of the focus that, that we need to bring. And then all of the focus that we have to have.
Mike: Bad guys don't seem to be burdened by the same issues. They move fast. They're latching on to things like generative AI and automation and things that they can move it at the speed of machines now. Do you think it's going to create a bigger gap with security teams, where the attackers are moving fast and able to scale faster with fewer humans and more automation, like, is it only going to be widening that gap?
And if so, like how do we fix that?
Yaron: So yes, I think on one hand it may load about for entry and therefore we may see an increase in more attacks or potential attacks, you know, or whatnot. But the other side of it is…
You said you live in the Midwest and, I would assume that your house is mostly like, you know, wood and sheetrock and the front door on your house probably have a deadbolt and, you know, have, a lock, but it's not a very different lock to open. If you really want to write. More than likely, I don't need a cruise missile to send through your door to open it and just get into your house.
So why would I spend money and effort on a cruise missile, which is really hard. And you know, you have to have like all the materials and everything else. If I'm just going to walk in with a lock pick, something that's going to open the door, right. So I think the analogy is kind of the same. If you go back and we say, look, we're still failing at the same things: inventory management, configuration management, patch management, access control, network segmentation, etc.
Do we really need much I mean, to help break into that? No, I mean the guy backers have been successful like every year even without it.
So I guess the truth is probably somewhere in the middle. I think we need to be able to embrace and figure out how we can automate more, how we can leverage those technologies to help us defend better and really tackle that technical debt mountain that we have that was so difficult for us. I mean, to, you know, to deal with what are called manually.
Maybe with some AI, agentic AI, maybe we have some chances to deal with it better.
Evan: One of the challenges that we face, the industry right now, is that there's way more tools that are more accessible, more powerful for criminals, right? ChatGPT is one of them. There's other ones. Some are AI, some are not. So like, what is it? What does that mean for like the industry, right. Where we're, we're kind of like still losing.
We're just playing more breaches for phishing last year or this year than last year. It's quite the same stuff. Everyone's working hard, right? But we're all kind of short, strapped, low on budget, low and head counts. But the criminals are getting, you know, all these tools and all we have to, like, make sure I never get it wrong.
They just have to get it right once. Right. And so like, what does that mean for kind of the the feet of cybersecurity. Are we on like a dead end path or like what's the opportunity for the good guys. Use these tools. And what would be your kind of thoughts and advice there to you know, maybe NBC is listening.
Yaron: For me, it goes back to two things. First of all, we can talk about the business and talk about business goals, what's important to the business. Right. And once we understand that threat model, that how do we know or like how things can go wrong so that it will prevent the business from, you know, delivering its job to living its mission?
This is where you need to start. So if you think about it again in a very, pragmatic way, right. You go to the business, you say, okay, what are the goals then I can model, okay. What can go wrong in other can figure? I know they know what can go wrong, how can it go wrong. And other I know what can go wrong and how it can go wrong.
And that's where I put my expertise. You know, as a cybersecurity professional. Now I need to think about controls, i.e., countermeasures, right. So specific controls that are relevant to what I need. I don't care, I mean they could map to NIST, to ISO, to whatever you want. I mean there are many frameworks out there. The fabulous just right to use whatever kind of rights for you and other I know what can go wrong, how it can go wrong, what controls, i.e., countermeasures I have. Now, I need capabilities, people, process, technology to accomplish that control.
And this is all theoretical exercise. And maybe now I am going to end up with a list of like 700 things. Right now I go back to the business and say, okay, business, how much can you afford? What? You know, how much budget do I have? What can you let me in? I need to keep in mind that you know, the business.
The business, by and large, doesn't exist to be secure. They exist, I mean, to deliver a mission, and they have to take risks to deliver their mission. So based on that risk, based on that budget, based on whatever I'm in the business can afford, they say, oh, you can have so much money. Okay, cool. With so much money, I can out of the 700 things I could do five and everything else to 695 things, these are the gap that we're managing, I think where we often see or we run into challenges is that organizations, by and large, you know, are not very proactive about cybersecurity.
Oftentimes, like, you know, if I look at some of the systems that they have before and, you know, and, other systems that I know, oftentimes it's like there was a trigger, there was a trigger that brought the company to build security, to bring a CISO, you know, whatever, right? Customers were asking for it, they had a breach.
I mean, you know, something, but there is a trigger, okay. For whatever reason, fine.
Evan: The CEO read some random article on the internet, support it around.
Yaron Levi: Could they? Gartner told it whatever. But I mean, just, you know, could do something, right? There was a trigger. But now when there is a trigger, it's very reactionary. So it's like, oh, there's a problem. Let me bring somebody and I just want them to make the problem kind of go away and then, okay, he or she did like a great job.
You know, building a program, building a practice based security. The problem kind of went away, you know, they don't want to hear about it. So back make sure of secure but don't bother us too much. Right. I'm exaggerating a little bit, but I mean by large I mean, you see that with a lot of organizations as opposed to this is not an IT problem.
This is not a security problem. This is part of the business mission. It's how do we help the business take risk. And I'll do how the business manage risk. And that dialog has to be there. That dialog, the partnership has to be there with the business. And as a CSO, you know, my role is to spend a lot of time integrating and talking to different people in the business.
Evan: What are the next three attacks? Right. That sounds good to face, right? That they're maybe not expecting and like maybe even kind of give the verbal triggers now. So I have to experience the the real thing. But if you if you do like the one tweet or like three tweets, well, we like the three things you think people should be thinking about and getting ahead of and being proactive versus waiting for that, you know, reflexive response.
Yaron: It's the same things. You know, somebody is going to not have MFA, somebody is going to ignore a credential, somebody is going to give, I mean, their, you know, their credentials away. You know, there's going to be some system out there somebody forgot about. There's going to be tons of agents running around with not proper auth and everything else.
They're the people forget about.
Evan: Are there any of those you mentioned that you feel like, where the the risk is accelerating may disproportionately do to AI, where it's like, hey, this one's like it's it's a problem now, but it's about the kind of shoot up vertical, right. Like any, any areas you think are particularly worrisome?
Yaron: I think yeah, I think so. Data leakage, if you will. And whatever you kind of put into AI, that's one area. So kind of the insider threat of that, the other one is, the proliferation of various, let's call it agentic AI. You know, I think AI, you know, capabilities that again, everybody wants to go and everyone wants to do that, and there's a great promise there.
But let's not forget them. It's a very, very new technology. I mean, until two years ago, nobody even heard. What about ChatGPT? Now everybody's kind of using it, right? I mean, so, I think we definitely would like to adopt, but we also have to be mindful about the risks and how we address them. And, you know, if it's difficult enough for us today to manage, you know, access controls and things like that and the inventory at scale, or let's say virtual machines or virtual components, you know, and so on.
Think about the work of AI, when actually now it's now doing even more stuff almost independently. Right. So how do we going to manage that? So I think that's going to accelerate. I think a lot of it's going to accelerate, not necessarily because of the bad guys, but mostly because of the part of it is because of the hype.
And nobody wants to get left behind. And the businesses, you know, kind of hear the great promise of doing more with less. So, sure, I mean, definitely, I mean, that's they want to pursue that. But they're going to question, how do you do that? Are you just going to go all in for the blinders on, don't care what's going to happen, you know, take off the rear view mirror and just going to drive into the traffic.
Okay. You can do that. There's risk involved. But I think these are the things that we're going to start seeing more and more.
Evan: Well, I got about ten minutes left. So at the end episodes, let's do a bit of a lightning round where we ask you questions and we try to look for like the, the one tweet response to questions that, archive unfair to ask for sure answer to. But, Mike think you can offer us. Sure. So what one piece of advice would you give a security leader stepping into their very first CISO role?
Mike: Maybe it's something they might overestimate or underestimate about the role.
Yaron: It's focused on, on building relationship and focus on the people. Really focus on building trusting relationship and building the trust, you know, with your peers, with the people above you, people you know, below you, all across, and find what's important to them and focus on what's important to them. That's, that's probably half of your success in that role.
Evan: What's your advice for maybe other CISOs, security leaders out there to help them stay up to date with, like, the latest technologies specifically around how AI is affecting cyber?
Yaron: So definitely, there's a lot of, sources out there you can learn from, actually, you can use AI to learn from, you know, to help you kind of learn. And that's how I do it. I leverage some tools to help me, synthesize information and read information. Talk to your peers. I think a lot of that conversation that is happening, you know, with the community.
Hey, what do you guys are doing about this? What you guys are doing about that? What are you use for? I don't know if this technology, that technology, I mean, for this service, you know, what have you really kind of learn from others and, you know, share with others also what you do. That's, you know, how we learn.
Mike: So on the more personal side, what's a book that you've read that's had a big impact on you and why?
Yaron: The Psychology of Money. It's one of the recent ones that I read. I don't know, I'm reading a bunch of different books, and I sometimes read like 3 or 4 at the same time. So I'm reading a book about Buddhism now. I'm reading a book about intelligence. Like I, I just finished The Psychology of Money, and I just was driving back home earlier, and I started to listen to Harry Potter again for the 79th time.
So I don't know. Just depends on the mood.
Evan: What do you think will be true about the future of AI in cybersecurity that most people consider science fiction?
Yaron: I think there's definitely a hype, and I think there's definitely, way bigger hype at the moment of like, you know, what will happen and what will not happen, you know, and so on. I don't think AI is like, you know, this God all knowing thing that will eventually kind of give us all the answers and lead us to salvation.
I think by and large, you know, AI is great in synthesizing data, recognizing patterns, but it doesn't have a gut feel. And I think a lot of, you know, what we do as humans oftentimes depends on the gut feel, even though you know all the instruments, all the data, everything will tell you don't go there. And despite all of that, we are because we have a different gut feel.
And that's how we make progress. That's how we innovate. That's why we do different things. So I think that, you know, ingenuity, just, it's kind of built into us in such a way that I'm hoping that, you know, we can leverage AI for the things that we've struggled with for a long time and getting technical debt, all the boring stuff or the mountains of things that, you know, we struggled with and help us to take care of that so that we can be more innovative, that we can be more, you know, find those different things that, or go to the places that we were on were blocked from going from before.
I don't think we can imagine how much AI can potentially unlock, in the future, the same way we couldn't imagine Uber, you know, rideshare, back in 2008 nine, when cloud came out. Right? Nobody thought about it. But a lot of things kind of happened because of cloud. And therefore, can we imagine our life now without it?
So I don't think we can really imagine what today I was going to generate from us five, ten, 15 years down the road. Hopefully we're not going to destroy ourselves between now and then. But I think it's will definitely unlock a lot of interesting things for us in the future.
Evan: I love that answer, Yaron. Thanks so much for making time to chat with us today. Looking forward to a part two episode, The Future, but thanks for joining us.
Yaron: Thank you for having me.
Mike: That was Yaron Levi, Chief Information Security Officer at Dolby Laboratories.
I'm Mike Britton, the CIO of Abnormal AI.
Evan: And I'm Evan Reiser, the founder and CEO of Abnormal AI. Thanks for listening to Enterprise AI Defenders. Please be sure to subscribe so you never miss an episode. Learn more about how AI is transforming cybersecurity and enterprise software dot blog.
This show is produced by Josh Meer. See you next time.