mnemonic security podcast

Everything Is Being Recorded

mnemonic


In this episode of the mnemonic security podcast, we're joined by Joe Sullivan - former Chief Security Officer at Uber, Facebook, and Cloudflare, federal cybercrime prosecutor, and one of the most consequential figures in the history of the CISO role.

 

The conversation explores the security implications of AI becoming part of everyday life, from AI note-takers to wearables and humanoid robots. Joe discusses the privacy, legal, and security challenges these technologies introduce, why organisations need clear policies and stronger governance to manage them, and how the role of the CISO is expanding as AI risk moves higher up the boardroom agenda.


Speaker 1

From our headquarters in Oslo, Norway, and on behalf of our host, Robby Peralta, welcome to the mnemonic security podcast.

Robby Peralta

There are security leaders who manage incidents, and then there are security leaders who become the incident that everyone else studies. Today's guest started his career as a federal cybercrime prosecutor. He eventually moved on to important positions within eBay, PayPal, and Airbnb. He was the chief security officer for Facebook, advised the Obama White House on national security policy, and then he landed a job at Uber as the chief security officer. His time there has been highly publicized. I wouldn't do him justice by trying to sum it all up in a few lines. But the short version is this. Joe Sullivan became a case study that changed how security leaders think about personal risk. After Uber's 2016 breach, he found himself at the center of a legal battle that lasted years and became one of the first security executives to be criminally prosecuted over the handling of a cybersecurity incident. It was a case that sent a shockwave through the entire CISO community. I haven't asked him if he thinks the story had a happy ending. But the legal battle eventually concluded and a lot of lessons were learned. And one thing I can say is that he appears to be doing just fine. What a life so far. And you're not done yet.

Joe Sullivan

Nope, still working, still having fun.

Robby Peralta

Still kicking. So what are you up to these days? What are you finding fun?

Joe Sullivan

Basically, I do like three or four jobs. So I am running the security consulting business, Joe Sullivan Security. And there's really three parts to that. Part one is I help companies build out their security. Being situated here in Silicon Valley, I often get approached by startups that, you know, they've hit product market fit, they've gotten a lot of funding, and they need to grow up fast. So over the last few years, I have built out a team of like five of us who will go into a fast-growing startup and will literally interview and hire people for them, set up their security foundations, and sometimes set up their IT foundations as well. Examples would be companies that, you know, maybe they're just like five people, but they get 100 million in funding. Why would a VC give them 100 million in funding? To grow up and build a company and kind of define a category really fast. So they turn to us and say, build us a security and IT department in six months. So we do a lot of that. That's kind of fun because we get to experiment with different technologies, different tech stacks, different types of companies. We've been doing it for companies ranging from AI companies to next gen electric car battery companies to VTOL taxis, humanoid robot companies. We've been inside all kinds of different companies helping them. And the challenges are different at each one. So that's a lot of fun. I also do some mentoring and working on security strategy for companies. So less hands-on with those, more kind of spending time with the CISO and the exec team. Sometimes the exec team reaches out to me and says, Hey, Joe, can you tell us if our security team knows what they're doing? It's like they speak two different languages. The security team talks a language, the CISO talks a language. It's very technical, it's very jargon heavy. And the board and the CEO in 2026, they can't be hands-off anymore.
They need to know that the security organization has its act together. There's too much risk. And then the third thing I do in the security consulting business is I get asked to go speak at conferences and things and talk about themes. And I really enjoy that because most security people are embedded inside a single organization, whether in government or the private sector, and they're very limited in what they can say and be opinionated about. And I have the flexibility of being an independent voice. I can say whatever I want. And I'm enjoying that.

Robby Peralta

Cool. Well, thank you so much again for being with us here today. You just mentioned humanoids. How do you think about security in humanoids?

Joe Sullivan

Yeah, so there are lots of different approaches to humanoids, robots, happening right now. I've talked to and spent some time with some companies that are taking and kind of leveraging the physical robots that were built in China and kind of building their own software around and in them. And then I've worked with companies that, like 1X, are just doing the full stack from bottom to top on their own. And there are a ton of really interesting security issues when you start talking about humanoid robots. The closest analogy would be to some of the self-driving car situations we have on the road. Technically, those are robots on wheels. And if you step back and think about it from a technical standpoint, you have all the same issues, except that the humanoid robots are coming inside the house. So from a physical standpoint, they have to navigate kids and dogs and human beings and not breaking glassware. And the human household is not designed for robots that are clumsy. But there's also all kinds of risk. You know, we think about them when we bring cameras into our house for security or something like that. When we bring these next gen toys that talk to our kids, AI tools, voice systems, the privacy implications of putting this technology in our house raise so many different things. So when you think about setting up security, it's complicated. Of course, you need that company to have all the security that any company has, like the enterprise security, but product security too. Hiring for those companies, you need people who've worked on things in the physical world, people who've thought about how do I communicate with the robot? Like what if the robot's only on Wi-Fi and it goes to take out the trash and it loses its Wi-Fi connectivity standing out at the street corner? You know what I mean? There's so many things that can happen. How do we do software updates over the air?
Do we allow software updates? What type of VPN are we going to use for connecting and communicating with the robot? How do we do customer support for a robot inside someone's house? Do we allow humans to have visibility into what's happening with every robot? That's pretty crazy. You know, so there's just a million implications. That's what makes it fun.

Robby Peralta

How far are we away from that reality, do you think?

Joe Sullivan

Oh, I think that there are multiple companies here in the Bay Area that have humanoid robots operating inside households in kind of like pilot programs and things like that.

Robby Peralta

Wow. Awesome. What a world to live in. Wearables and note takers. You spoke about it at unprompted. Would you mind just summing up what you said at that talk and where you stand on that position? Because that's happening right now, whether we like it or not, right?

Speaker 2

Yeah.

unknown

Yeah.

Joe Sullivan

Well, first of all, the unprompted conference. If anybody hasn't heard of it, who's interested in AI security, all the videos from the conference are live, and there were so many better talks than my talk. It was just like so much energy. So it was in the context of that that Gotti, who was running the whole conference, he and I had written an article a year before on AI note takers. We published it. And, you know, it was kind of like a first look at all these AI note takers exploding across all of our meetings. You could barely ever join a conference call without somebody's AI note taker jumping in and being part of the attendee list, and, you know, dealing with that and wondering about it. I realized this is the first place where AI is actually injecting itself into our daily workflows. And it seems like the security team isn't doing anything to put controls in place. And so Gotti and I stepped back and thought about it like, what are the risks? And it turns out it's really interesting. You know, there are a whole bunch of risks around AI note takers. Number one, it's recording everything. And I live in California. You know, in order for me to record you, I need your consent up front. So it's like a legal issue there that like half the country has to deal with. And like, how are you being transparent about that? And then it becomes corporate data, and it's sensitive data. Where is it being stored? Who has access to it? Who's doing the rule-based access control? And then you start thinking about the security implications. Okay, it turns out, and there are actually studies on this, that AI note-takers can be gamed. You can prompt inject them, you can manipulate the, you know, steer the algorithm so that it thinks that whatever you say is the most important thing from the meeting. So the takeaways.
And so I started digging in, and Guy and I just realized like this is such a simple, annoying little thing that showed up in our life, but nobody's actually doing the homework around it. And like security teams in 2024 and '25 were a little hands-off around AI. And it was like, wait a minute, here's a really easy way for you to kind of get your hands dirty dealing with AI from a policy and risk standpoint. So we wrote that article. I prepared the talk thinking this is just like some little meetup of, you know, a bunch of our friends to talk about AI. I didn't realize it was going to be like the most paid attention to conference of 2026. And so I roll in and I'm doing this little talk on AI note takers, and I'm surrounded by these amazing talks. And I was like, I should have put more effort into this. But actually, I got a lot of positive feedback afterwards. Like I've had so many people message me, like, oh, I totally gamed the note-taker at that meeting. I was the first person in that meeting. No one else was there. I told it like five minutes of my thoughts before anybody else showed up, and all my stuff got captured. Or I figured out how to make it so that the note taker didn't take any notes because I wanted to frustrate everybody. Like, I inspired a bunch of people to do a bunch of annoying things, apparently.

Robby Peralta

Have you talked to any CISOs that have actually put guardrails in place for that?

Joe Sullivan

Yeah, quite a bit. And I'm seeing it more and more in different contexts. Like organizations are becoming much more thoughtful and disciplined about selecting an AI note taker that's going to be their official note taker, prohibiting all the other ones, developing policies for how you are going to deal with it when the other company has a note taker, making sure you request a copy of everything, setting it up in such a way that you automatically get those copies so you keep your own independent version of it, giving the teams guidelines on which types of meetings are okay for note takers and not. You know, like I work at a VC part-time, helping them on investing, and they have very clear policies around what you can and cannot use note takers for. Yeah, they don't run note takers during board meetings, they don't run note takers during situations where there's attorney-client privilege. You know, they have to be thoughtful about this stuff because we're discovering that attorney-client privilege gets blown up when AI gets involved sometimes. And, you know, the law in court cases is evolving very quickly there. So I'm not an expert on that side, but it's another example of a situation where, when we work on our policies for security, we need to loop in legal and have them be part of the process, because they're not paying attention to all these AI note takers and the risks that happen with them unless we pull them into the conversation. So I think that we're getting much more official and thoughtful about the use of these note takers. Companies that are in the defense tech space that have to comply with CMMC and some of these other really strict government standards have to have even more careful policies around what is and what isn't recorded, how and whether they have to segregate their recordings for, you know, the different environments and keep them in separate places and have role-based access control.
Like there's a lot going on, I think, as companies have gotten more mature about this stuff.

Robby Peralta

I've been in meetings where right when you see it's being recorded, you get kind of scared, but then you also kind of become more professional, at least me. It's just like, okay, I'm being recorded. What is the worst that can happen, just so that point is covered?

Joe Sullivan

I always remember the Sony case from like 12 or 13 years ago when North Korea hit Sony in response to them putting out that movie that was viewed as derogatory towards their leader. Two things happened there, right? It was a destructive malware situation where they wiped out a bunch of their systems, but they also dumped all of their email publicly. And I remember talking to executives at the time from different companies and talking about like what was the most shocking thing about that to you? To me, it was very clearly the destructive attack. You know, we weren't in the world of ransomware that we're in right now. There had only been a few destructive attacks in history, you know, Saudi Aramco and Las Vegas Sands and maybe the Maersk stuff. Like there just weren't a lot of intentional destruction situations in cybersecurity. And so to me, the Sony case stood for, wow, this is a scary new world. I need to be responsible for operational resilience and really make sure that we have this together. But then I talked to a bunch of other executives, like COOs, and I think I even talked to the woman who was the president of Sony, who lost her job over the public exposure of her emails. We say things in meetings, we say things in email that are embarrassing and that we wish never would be seen. And so I think, you know, to a lot of executives, that's the scariest thing about these note-taking recordings. It's the New York Times test. Would you feel comfortable if everything that was said in all your meetings was put on the front cover of the New York Times? And a lot of companies have a lot of notes that have been recorded now that are subject to exposure and litigation and other things, or they could just be leaked or hacked. You know, if Granola gets hacked, there's gonna be a lot of embarrassed executives in Silicon Valley because they all are using Granola to record everything.
You know, I was experimenting with the Limitless app. I mentioned it. I was wearing it on me, even though I didn't have it turned on when I gave that talk. I also, you know, I have a Plaud now, which is a different wearable, because I'm always experimenting with and learning about these things. And everything that they record can be exposed. And so there's a lot of risk in that. It might trigger reporting obligations because it's PII. It might trigger reporting obligations because you have contracts with your customers. And it might just be really embarrassing. So there's lots of different risks with this anytime we get into a new type of content being stored in our enterprise servers.

Robby Peralta

I feel like note takers, that's a very business context. And then you have the wearable side, which is, I guess, your whole entire life. How do you look at the security, or the insecurity, around that?

Joe Sullivan

Well, I think that we're moving in this direction of being monitored all the time. And it's really, I think, uncomfortable to a lot of us who grew up in a privacy first era. The idea that something is gonna be recording everything we do at work. Like if you look closely, that's the direction the AI first companies are going. Like I talk to CEOs who say, I want real-time monitoring of everything that's happening on every machine at my company and every meeting at my company, because we as humans lose a lot of that history and context. We talk about stuff and then we forget about it. And if I have AI recording everything, then we will get the power and benefit of that. You know, like the call I had before this, I was talking with the head of application security at a company, and we were talking about the implications of AI on how AppSec is changing. And one of the things we were talking about is how PRDs, the documentation that we create before we write code, you can't train the AI on it because what we actually built with code for the last 20 years isn't reflected in the PRD or the Jira ticket. You know, that's aspirational, and then we go build. And so we can't actually learn that much from our history of documentation. And so the AI first folks are saying, well, we should be recording everything in real time so we know what actually happened, and then we will be much more effective. And you see these stories of companies, you know, like Meta has been in the news for the last couple of weeks. This story keeps coming up about how the company asked employees to allow them to be monitored, you know, their entire time on the machine, so that we can train AI based on its learnings from them. And I've heard variations of that from lots of different companies. But, you know, we're moving towards computer vision models that are running, capturing everything that happens on my screen all the time, not just the words being recorded.
So that's the direction we're going. So I think we're also coming at it at the same time from a consumer standpoint where multiple companies are putting out these glasses. Obviously, you know, the Meta Ray-Ban glasses and the Oakleys, you know, Snap has their Spectacles, and there are a bunch of other ones that are coming out. We've heard that Apple wants to have cameras on the AirPods. Like there's lots of different wearable things happening, coming at us from different directions, with the idea that AI needs to consume all of this. And then remember, we started this conversation talking about robots. Humanoid robots, they need to function in the physical 3D world. Something I've been thinking about a lot is how every data center is full of 2D data. You know, most of the stuff that's been stored in data centers for the last couple of decades is about code. It's about words, it's about videos, it's about things we watch on a screen. There's not a lot of data in data centers about how a waiter moves through a restaurant or how a waitress brings coffee to a table. But if we want to bring humanoid robots into restaurants, we need to actually map out all of that stuff and create the training data. There's only so far you can get with synthetic data. And so we're gonna see, you know, at restaurants, they're gonna start wearing wearable glasses to record more of what's happening. And so every time you sit in a restaurant, you're gonna be recorded. How are you gonna feel about that? You know, in the same way as we go through airports, we're recorded constantly now, or in certain cities we're recorded all the time. Like the amount that we're recorded is gonna go up and up and up. And, you know, I was reading an article last night about Flock, which is capturing data on vehicle traffic, and its impact on reducing crime. Like the statistics are overwhelmingly positive when you roll it out, in how much crime goes down.
But on the flip side, the communities are pushing back against products like that right now because it feels like we're moving more into a surveillance state. I think meeting note takers are just scratching the surface of this new world that we're heading into, where society hasn't really put down its foot and said, like, here's the line. And in fact, as someone who spent a lot of time traveling around the planet and being in different countries, like we all philosophically, on a country by country basis, have very different perspectives on government visibility into our private lives. In the United States, I think we are absurdly comfortable with letting corporations take access to a lot of our personal data, and we are very uncomfortable with our government. Whereas, and it's a gross generalization, but I found the opposite to be true in Europe, where we're much more comfortable with government access to our data and very uncomfortable with corporate access to our data. And it's a sliding scale in every country where it's slightly different. But AI is going to force us to have a bigger conversation about this more consistently because the ground's shifting beneath our feet right now really quickly.

Robby Peralta

Is anybody having those conversations? This is the first conversation I'm having about it.

Joe Sullivan

Well, I go back to, you know, when Gaudi and I wrote the original article, we were thinking about it in this very micro context of like all of our meetings are suddenly becoming recorded. And as you said, it's the first few times you roll into a meeting and you pop open the video recording conference stuff and you realize you're being recorded. For like a second there, you're like, should I say something? Should I block it? Should I be opposed to it? How should I feel about this? And then five minutes later you forget and you're just doing your meeting, right? And then you get the meeting notes and you're like, oh, this was useful. Oh, and then you're like, oh, I'm glad that it didn't capture that five-minute chat at the beginning where we were talking about my weekend and how hungover I was, or whatever it was. You know what I mean? Like, there's a lot of us just kind of flipping through it really fast and accepting the new normal because it's incremental. But it's gonna keep being incremental until it's massive in terms of the amount of change that's happened. In the corporate context, it's easy for the CEO and everyone to see like this is increasing our productivity and our throughput as an organization. We got to do this. If our competitors are doing it and we're not, then we're gonna lose. And so everything tilts towards adoption of these things. And, you know, in the personal wearables, I think we're a little bit behind the, you know, the effective corporate wearables, if we call these meeting note takers wearables to a certain extent. We got a ways to go on the non-business side. But lots of people are embracing and using these technologies. And you know, a lot of these cars that are around us, think about how many cameras are on a Tesla that are recording us all the time.
How frequently does Tesla get subpoenaed by law enforcement for a crime that happened within a distance of a Tesla, even though the Tesla had nothing to do with the crime? You know, storekeepers with their cameras are getting subpoenaed all the time. Like a lot of our life around us is being recorded already. You know, the Ring doorbells, the Nest doorbells, lots of data is starting to accumulate around us. And it's not slowing down. So it's kind of scary. And it just means that we have to be intentional about it. And that was the core point. Like, we didn't set out to write the uniform policy for all companies. What we were trying to do is just get everybody to pay attention to what's happening. And that was the point of the talk, too. You know, when I did the talk at unprompted, I probably spent like a third of the talk at the beginning and end just trying to zoom out and say, like, note takers is our first opportunity to exercise our brain around risk and culture. But like, this is a much bigger conversation that we need to be having over the next couple of years.

Robby Peralta

AI kind of got dumped on security, I feel like. I'm not sure. Would you agree with that? That AI sort of has fallen into the hands, or the responsibility, of security leaders, or how does that look for you?

Joe Sullivan

Yeah, I would say two years ago, CISOs were in the 'AI is not my problem' camp. And it's been a 180-degree swing in 2026. And it was fairly predictable. I was telling everybody this, that, you know, security leaders should be owning AI risk. Like, look at it from a CEO standpoint. Yeah, if I'm a CEO of a company, I need somebody who's driving innovation, so I've got a CTO and a CIO. I need somebody who's driving revenue, so I've got my business leaders, my chief revenue officer, my salespeople. I need people who are like keeping track of what's working and not. And that's HR and finance and legal. You know, and legal and finance also are responsible for managing sites of risk. But like the typical business in 2026 has a lot more technical risk than ever before. Like one of the biggest risks for companies is a ransomware takedown. Look what happened to Jaguar Land Rover last year, Marks and Spencer or Coupang. There's so many of these companies that have been hit by ransomware, and the operational impact is that their factories shut down, their supply chain went out of business, their customers were left unable to get their cars repaired or even buy a car. And so security has become much more important, cybersecurity. And then you look at all this AI transformation stuff. The CEO doesn't want to hire another technical risk leader to manage AI risk. So they're turning to the CISO because that's been their job. Your job is to make sure that all the technology doesn't destroy us. It shouldn't be, 'I need to hire someone who makes sure that the AI technology doesn't destroy us,' like that's different from cybersecurity. It's not that different in the eyes of the board and the CEO. It's a form of technical risk. I want one person, one neck to choke. And so that's become the security leader.
The interesting twist, I think, that we didn't anticipate as much is that CEOs are also turning to the CISOs and the security leaders to help drive the innovative change in AI, because a lot more security leaders also own IT than did a decade ago. That is 100% a trend that we see in Silicon Valley: young companies, like when I go in and help build security, I'm typically building IT as well, and it's all sitting under a technical security person. Many of the IT leaders at modern companies grew up in security rather than IT and have responsibility for both now. Traditional larger companies still have that CIO, but they've been getting squeezed and their roles have gotten narrower with, you know, the SaaS and cloud infrastructure. So those CIOs have smaller organizations and less budget for innovation. And yet in 2026, the biggest pressure on every company is to integrate AI and evolve how your workforce uses technology to be, you know, effective. So a lot happening right now and a lot of pressure on CISOs.

Robby Peralta

You're making me come to a lot of realizations today. We've always been, I mean, I've only been in security for like 10 years. But when I started in security, it was like, yeah, nobody listens to us. We deserve more power or more influence. And boom, I just realized now that at one of my clients, you know, the CISO now became the CTO. I guess my question to you now is, having been through what you've been through, for those that aren't comfortable with taking that responsibility and that risk, how should a CISO handle a new job responsibility that they aren't aware that they have, or haven't been given or paid for?

Joe Sullivan

Yeah, I think that it's a huge opportunity and we have to rise up to it. You're right, it's what we've always been asking for, to get a seat at the table and to be able to have influence in the direction that the whole organization goes. So this is our chance. We have to step up. And if we do, the rewards will be there. If we don't, someone else is gonna step up. Companies need people, governments need people who are gonna step up and take responsibility in the space. And if our best people don't do it, then less good people are gonna do it, and that's not gonna be good for anybody. Because, you know, there's always somebody who's willing to take the role, even if they're not qualified. And I'd rather have the people who have the experience and the judgment have the confidence to take the role and believe in themselves.

Robby Peralta

You're talking to CISOs all the time through your company. What are they asking of you? Is it more personal or more technical, the questions you're being asked?

Joe Sullivan

It's both. You know, when I first started, I would get together with other CISOs and they'd be like, I don't get to present to the board. I never even talk to my CFO. I'm buried under the CIO, and I just get a budget that's not good enough, and nobody asks me my opinion. Like that world's long gone. Now you see the Treasury Department called the CEOs of all the biggest banks to Washington, D.C. two or three weeks ago. And why were they called to DC? To talk about cybersecurity. If you're the CEO of a bank, are you gonna show up and say, I don't even know who my CISO is, I've never met them? You're gonna show up and you're gonna have your CISO on speed dial because you need to be fully briefed for that meeting. You need to come across as having your act together. So, like, it's funny, a couple of years ago I wrote an article kind of like as a retrospective on my case. I said the CEO is next. Because I was talking about how regulatory scrutiny is moving from the CISO to the CEO and the board. It's happened. CEOs are the ones. You know, when UnitedHealthcare had their situation, it was the CEO who got yelled at before Congress, not the CISO. When Treasury called the large banks, they didn't ask for the CISOs, they asked for the CEOs. The expectation is that the CEO has a trusted consigliere for security, that they are working closely with them, making sure that they're supported and resourced, and the CEO is calibrating risk against all the other risks to the company. So it's just a fundamentally different world in 2026. And I think it's a great time to be in security because of that.

Robby Peralta

I know a guy who has contributed to that new world we live in where the CISOs aren't getting yelled at anymore, it's the CEO. I'm looking at him right now. So thank you for taking that one on the chin for all the CISOs out there. One last question for you, since you're a part of all these really cool startups that are revolutionizing a part of the security stack using new AI technologies. Is there any area of the portfolio that you think AI is especially outperforming in that anybody listening should go take a look at? I know that you're working with like AppSec and a bunch of different areas.

Joe Sullivan

Yeah. I it's one of the questions I uh ask every security leader when I'm working with them is are you f are you changing who you're hiring uh in 2026? Have you changed the job descriptions for your roles in 2026 because of AI? And in 2025, the answer was mostly no, I'm still hiring, you know, I'm I'm hiring detection engineers, I'm hiring AppSec engineers, I'm hiring compliance people. In 2026, the answer is changing. I'm hiring I'm hiring people who are really good using AI. I'm rethinking we're everyone's a builder now. I heard that on my last meeting. Everyone, you know, that was a security leader. So everyone is a builder now. Uh because and AppSec is a really great example. Like if we step back and and if I said to you or you said to me, what job has fundamentally changed more because of AI than any other job, I would say software engineer. Like so far, software engineer's job in 2026 is is more different than it was in 2023 than any other job because of AI, right? A lot of jobs like we're 20% better, we're using these like very cut still kind of primitive AI tools, we're we're experimenting with agentic solutions, but coding is so far ahead. Like the software engineer role at most companies has changed a lot. And so if you're the security team that's doing application security, what have you seen in 2026? You've seen that the volume of code that engineering is cranking out has gone up by like it hasn't doubled, it hasn't tripled, it's gone from like 250,000 lines of code to 2.5 million lines of code in a month. That's that's how significant the the volume change has been. And it's not like engineering has hired 10 times more people, they're just like cranking out 10 times more code. So how does the security team deal with that? The old kind of like, all right, we're gonna do our scanners, we're gonna do some manual code review, we're gonna like try and do some threat modeling, we're gonna hire some pen testers and we'll rely on bug bounty to find the rest. 
Like every every part of that is being stressed and reimagined right now. And like I'm on the board of an app sec company, and it feels like uh what customers want from an app security tool is uncertain in 2026. Like everything's evolving there. Uh what are the frontier model companies that are building these AI coding solutions? What are they gonna kind of like suck into their uh kind of solution? What's gonna be left for AppSec companies and AppSec teams to do? It's not it's not clear yet. Whereas the coding tools have gotten really good at coding, they haven't gotten really good at vulnerability remediation yet. And in fact, we're finding more vulnerabilities than ever, but the we're not getting any more efficient at fixing them yet. And so every security team is like throwing a lot, like pulling a lot of resources off of other things and putting them in vulnerability remediation in 2026, but it's still too manual. Uh and it's still unclear like what you should what stack you should have for your app sec team in 2027.

Robby Peralta

Have you met anybody that's done anything novel there?

Joe Sullivan

Yeah. I most of the companies that are doing it well are investing in building kind of harnesses, I think is the terminology everyone's using right now. But think of it as basically the the structure around the model to make the model effective in your environment. Uh that's part one. Part two is building out kind of like some sense of internal context. Like looking at code in the abstract after it's written, you're not going to identify all the most important vulnerabilities. It's only in the context of like the infrastructure and the environment that you really come to understand. Like it's one thing to identify there's a vulnerability. It's another thing to understand where where the fix should be applied. Should it be applied right down, you know, right there in the code right there, or is this something that should be fixed as a systemic level? That's where the app sec engineers, you know, with experience are adding a lot of value and that we're gonna have to continue to see that like people aren't stopping hiring app sec engineers. It's the opposite. AppSec engineering roles are uh becoming even harder to fill, and the people who are good at that are getting paid more than ever. So there are definite things that organizations can do. Like that, you know, Cloudflare came out with a blog post earlier this week that a lot of people thought was interesting because it talked about essentially how they built the harness for Mitos. Uh that's exactly the type of thing that lots of companies should have been doing and should be doing. And I I saw somebody else just took Cloudflare's blog post and threw it in Claude and said, build me what Cloudflare has. I don't know that you're gonna get there with with that, but uh you that's the direction that people should be thinking, you know, instead of just waiting for for someone else to solve the problem for them.

Robby Peralta

Do you have any other closing thoughts that you'd like to leave whoever's listening to this with?

Joe Sullivan

Yeah. I I I think if you you could take this conversation and you could be like, wow, this is a scary place. 2026, AI is disrupting everything that's happening in in the business world, and you could be like discouraged by that. Or you could listen to the conversation and then think, wow, this is a great opportunity. You know, AI uh is is opening up opportunities for a lot of us to do things that we haven't done before. Like, like that person said to me this morning, um, my whole team is builders now. Security people didn't get to think of themselves as builders before, but being a builder is is is fun. It's exciting. Uh, you know, oftentimes the security team is culturally not aligned with the rest of the company because the rest of the company is building something and the rest of the company gets excited when they ship a product. Security team feels like unrecognized, uh, disconnected from like the business success. Uh, this is our chance to be part of the team that's building for the company uh and to reframe where we sit uh in in a way that's positive and that will get us more resources and more support and ultimately more secure products that can you know distribute out to the world, which is what we that's why we get up every day. So uh I think in 2026, we can't get discouraged by the pace of change. We should get excited, we should be embracing it, we should find our curiosity, uh, and we should be uh setting aside time every week to explore and experiment and to grow and not just do work.

Robby Peralta

Man, it's Friday. It's the first day of summer out here in London. I just had a podcast for Joe Sullivan and ended on a lovely, great, happy note. Thank you so much for your time today and for everything you do for your Ukraine, everything you do for the security community and everything you've done for CISOs out there. Thank you so much, Joe, and take care of yourself and have a lovely weekend. You too. Thanks for having me on. Thanks. Well, that's all for today, folks. Thank you for tuning in to the mnemonic security podcast. If you have any concepts or ideas that you'd like us to discuss on future episodes, please feel free to hit me up on LinkedIn or to send us a mail to podcastnemonic.no. Thank you for listening. We'll see you next time.