Dr. Mirman's Accelerometer

AI in Cybersecurity: Sten Sjöberg's Vision for the Future

Matthew Mirman

What if AI could revolutionize not just how we defend our systems, but also how we anticipate and counteract threats? This week's episode of the Accelerometer features Sten Schoberg, the pioneering founder of Remy Security, who shares his journey from a secure role at Microsoft to launching a startup at the cutting edge of AI security design review. Discover how his company empowers large organizations to seamlessly integrate security and privacy measures into their development processes, ensuring new features and services are built on a solid, secure foundation.

Tune in as Sten takes us behind the scenes of his impactful work at Microsoft, revealing the challenges of scaling security across a myriad of services. He uncovers the pivotal moment that ignited his passion to use AI as a force for good in cybersecurity, leading to the inception of Remy Security. Get ready for an illuminating conversation that explores the future of AI in security, the necessity of proactive strategies, and the unwavering determination it takes to forge a new path in this critical field. Dr. Matthew Merman, CEO and founder of Anarchy, hosts this riveting discussion you won't want to miss.

Accelerometer Podcast
Accelerometer Youtube

Anarchy
Anarchy Discord
Anarchy LLM-VM
Anarchy Twitter
Anarchy LinkedIn
Matthew Mirman LinkedIn

Speaker 1:

Being founders is not about being any sort of genius. It's just about not making the stupid decision. A big problem with security is the relationship between product teams and security teams.

Speaker 2:

Hello and welcome to another episode of the Accelerometer. I'm Dr Matthew Merman, ceo and founder of Anarchy. Today we're going to be discussing AI security with Sten Schoberg, the founder of Remy Security, an AI security design review company. Sten, can you tell us a little bit more about what AI security design review is?

Speaker 1:

Absolutely so. Basically it's just a matter of any time a product team or engineering team changes a product like, adds a new service or a new feature. You know there's all kinds of opportunities to get that wrong from a security and privacy perspective and so we just enable the security and privacy teams at large companies to see all of those risky changes and get in and do helpful reviews so that engineering teams can just build securely and fast right, without knowing all of these details. How did you get involved with this? I mean, basically it was my experience at Microsoft, so I was at one of their security teams. You know Microsoft is enormous. Of course they have a bunch of security teams and scale is just a fundamental problem. How can you possibly you know if you're working against, say, 2,000 different services? How can you possibly know that all of them are being built in a secure way? Really, really difficult if you're trying to scale with people.

Speaker 2:

So what exactly were you working on at Microsoft?

Speaker 1:

At Microsoft, I was part, really difficult if you're trying to scale with people. So what exactly were you working on at Microsoft? At Microsoft, I was part, yeah, so one of the security team that I was part of was kind of for internal services, so anything from like time and reporting to you know some Azure core stuff. There was like this broad swath of different services and so I was a PM there, mainly working with how we could improve those existing review processes that we had and then kind of automating them as well.

Speaker 2:

Because you were doing review processes. Does that mean that you didn't have that much exposure to attacks as they were coming on? Or like? Were these review processes? Did they get updated every time, you guys, every time there was an attack or something like that?

Speaker 1:

Great question. I mean, you know I can't speak to like the overall security strategy of how Microsoft does this, but I can tell you that you know I worked quite intimately with some of the folks over at Threat Intelligence to understand the sort of TTPs techniques, tactics, procedures that attackers are using right. But you know somewhat, thankfully, internal right, so the attack surface is just a little bit more hidden right. It's not quite as exposed as something like you know, an Azure service that's being used every day by customers.

Speaker 2:

So you had like a comfy job at Microsoft before deciding to, like you know, jump ship and build a startup. Yes, what led to that moment where you're just like, yeah, I have enough conviction, I can do this and I want to do this. Yeah totally.

Speaker 1:

I mean, you know, I just want to jump on and just say like I'm incredibly grateful for my time at Microsoft, like I really think it was deeply helpful to understand, you know, all the great things and all the difficult things about doing security today at an enterprise. You know, you know, fundamentally for me, um, I was looking at everything that was happening here in nsf. I was in seattle, um, seeing all these incredible changes with lms and um, what I was noticing was that there was a lot of focus on, well, this new ai thing is dangerous. How do we secure it? How do we ensure that? Um, that this doesn't become a whole new problem for security people?

Speaker 1:

And the thing that I was really passionate about was like, well, what if we can use this to our advantage as the defenders? And so that quite quickly snowballed into doing a bit of a kind of a hackathon, just kind of on our free time, me and my co-founder, Kevin. And when that actually started working, we kind of felt that it would be a mistake not to at least try. We just kind of sometimes have to just take the plunge and just say, well, we think this technology is going to change the way basically everyone in security does their job, and we want to be part of that positive change.

Speaker 2:

So what exactly did you build for your hackathon?

Speaker 1:

Oh, yeah, so those were in the early days. So I mean, a big problem with security and all these kinds of risk reviews is the relationship between product teams and security teams At legacy corporations. We generally see security being kind of an adversary, right, we're trying to stop you, we're trying to slow you down being kind of an adversary, right, we're trying to stop you, we're trying to slow you down. And that is not how most forward thinking people want that work and that industry to function. And so what we did was we kind of called it a CRM for security teams. So how can we just like manage?

People on this episode