When AI process, when you give a prompt, if you give a clear prompt, you have to process tokens, there's a cost associated with every prompt or every question. One thing open AI, I believe I said, is there are people, I'm one of those people. I'll be like, can you please do this thing for me? Thank you. And they said, if you add please and thank you, it takes up more tokens. Just be direct. Just remove all the pleasantries. That's crazy for me. I'm Canadian. I say sorry. I say thank you. I say please. All the time, turn out that's not good for AI. Turn out as costly. This is right about now with Ryan Alford, a Radcast Network production. We are the number one business show on the planet with over 1 million downloads a month. Taking the BS out of business for over six years and over 400 episodes. You ready to start snapping necks and caching checks? Well, it starts right about now. Companies are adopting generative AI tools faster than almost any technology we've seen. The productivity upside is real, but so are the risks. Today's guest is working at the intersection of AI adoption and cyber security. Helping companies understand why the biggest threats aren't always hackers, they're human behavior. Nicole Zhang is the co-founder of Fable Security. And today, talking about how organizations can embrace AI without accidentally exposing their most valuable data. Nicole, welcome to write about now. Thanks for having me. Great to meet you. I know you're in Boston today. We're in South Carolina. We got the East Coast covered, and we're going to talk all things AI security. It's funny, Nicole. This is something that's been on my mind. I was having flashbacks when the internet started getting going, and we started googling everything, and we started putting all our stuff on social media. It dawned on me. This was probably like a 2004 or 5. We sure openly giving up a lot of information. What has happened to all this stuff? It now sort of had the same epiphany a few weeks ago, which is why I love having the opportunity to have you on the show. It's like, yeah, maybe we need to think about this a little more than we are. Not slow it down, but just be aware. I'm sure we love looking at things we've posted 10, 15, 20 years ago. It's a good throwback, but also just like, oh, wow. There's a lot of things on the internet that we shared. Yeah, exactly. And so now we're telling AI our deepest secrets, so it can help us solve puzzles, write contracts. All that stuff, and it's like, well, where is that data going? I have a feeling you might tell us. But Nicole, I make this on this topic because it's like so real for me, our own and businesses and use it. So let's set the table. Give everyone a little bit of your background. We've got you into fable security and cyber security and all that good stuff. My name is Nicole Zhang. Co-founder, CEO of Fable Security. We've built a human risk platform that shapes secure employee behavior. Behind the scenes, we leverage a mix of AI, at tech approaches to understanding employee behavior and enterprise. We deploy just in time personalized interventions. When we see employees doing some things that might expose more risks than necessary for organization, we do this better than typical annual security compliance training, which is what the industry status quo looks like. Our approach is relevance personalized. It really drives at the risky behavior at time when things are happening, almost like that, just in time coach. The reason why we started this business had a lot to do with my previous background, with me and my co-founder. Sandy came from a tech background. So making ads super relevant, super clickable, converts, people from buying things, not even know that they want. Our sheer background also came from abnormal securities, another startup before that we were founding members of. We leverage AI to look for phishing attacks. Fishing became super prevalent in today's age. AI unfortunately, super charges attackers. They literally have the tools to send you really targeted phishing threats. And saying I both realized that we really want to focus on a human layer to teach people to better defend themselves. From not just bad phishing, but also all sorts of social engineering attacks, all sorts of things that people may do that introduces risk, not just enterprises, but also for themselves. And so that's the reason why I became super interested in not just cybersecurity, but ways to protect people, and ensure that we can all be more productive and more effective as we work. I've got me have people like you. Some people get annoyed about tech, security, back channels. Oh, they're putting the guardrails on everything. I tend to be a rule-blaker, but I actually really appreciate the people that actually put the guardrails up that need to be there to help us from ourselves, and especially from the bad guys. Thank you for the service to our cyber community. This stuff is, I think about the like the curve of internet, and then social media, and then the speed with which we could do these things with bandwidth increases. AI is on all that on steroids. It's like moving so fast. Are companies moving faster than their security frameworks? When I look at customers that we serve today, we're seeing interesting diversions, companies that have been in this industry for the past 10 years looking at cyber. I see a lot of companies going through digital transformation, so if you asked 10 years ago, it's like moving from on-prem setup to cloud, right, so that was a big shift. We're seeing companies that are forward thinking, they're more mature, they are really technology-driven, they're getting so much more upside from AI. And now we're also seeing companies that might be the generation that they've been around for over 100 years, they have a solid business, they're maybe not as tech-enabled or digital transformed, they're a bit slower, so we're seeing adoption curves in various ways. And so that's the shape of the companies. And then from a security perspective, it's also around how companies view security. Everyone is security, there are compliance requirements, there's baseline. There's a lot of now common languages on when used to be done from a security level. But I do see that companies who are really thinking about investing in digital AI technology transformation, they really double-triple down in their security investments. And as some may still be checking the box, I really see the divergence of companies based on their tech-savviness, their belief in modernizing. Now, from a particular companies that are really adopting AI, you really do, I think it really depends on the people. People in the company, for example, if you're a very developed, you just see like a ton of crazy things that we can do with AI, they're tinker and they're trying. And the organization allows them to do that, where they take on the risk for innovation and the trade-offs might be risk. For some other ones, they're worried about, for example, their healthcare companies, you're worried about HIPAA, financial, you care about PCI, API, they're real financial business consequences. If you tinker too much, we also see other companies will create playgrounds or sandbox for people to play. And then it's a balance of letting people try things out in a way, but also like not break the bottom line for the business. We're seeing all of those, but we are seeing more and more companies just their time is spent on trying AI, being more productive. And if you're in this like marathon race, some are the beginning, at one end is some are kind of trailing, and I think that space will become larger as we go. Some people have to go slower due to risk, risk tolerance, data. And then some are stodgy and need to be moving faster, they're going to be irrelevant. And then there's the ones that are moving really quick, that are really nimble. I can speak small business, but I talk to Cisco, I mean, some of the largest corporations in the world, so I'll speak from kind of both ends of it. As small business, I had 18 to 20 employees in 2021. I really grew faster than I wanted to. I worked in Manhattan. I had team of 100 people, directly or indirectly reporting to me. I didn't want to, I didn't start my business going on, I'm not sure where I just did not want to maintain as many people. Part of it was intentional kind of scale back, but what the last few couple three years has done, it's not replaced those people because I kind of scaled the business away from them, so it wasn't, oh, I just replaced all these people with AI. No, it allowed me to do some things to maybe accelerate the de-scaling because I could take on more. I now have a gentick AI throughout my businesses as a small business. And I know I'm probably ahead on the small business curve because I've worked nationally and have this background. But I also have started to pause and go, okay, where's all this data going? And I know OpenAI or chat GPT opening out. Okay, they've got security measures. I've read as much as I can stand with the legal jargon that's in all this stuff. It's funny because I own a publishing company on the podcast network side. And then I own an agency. And so I'm developing tools thinking about that data. And then I've got the podcast network side with publishing and I'm going, what about all this content? How's that being digested and then used? And why aren't we getting paid for it? That's a whole other topic. There's a lot of people asking these types of questions right now like myself at all levels, which is this is great. I'm comfortable moving fast. But sometimes you don't know what you don't know. But I know I don't know something that I might should know about where all this data is going and what I need to be thinking about. That's all we got you here in the call. What do we need to be thinking about? And what kind of sensitive information are people accidentally sharing with AI tools? Hey guys, if you've ever built a website before, you know how quickly it can turn into a time suck. Recently, I've been playing around with Wix's new hybrid editor called Wix Harmony. You basically start by telling it what you're trying to build. You prompt it to generate a professional great site just like you want it. And here's the part I like. You can easily go back and forth between AI and hands-on editing whenever you want. The AI agent ARIA is an expert in website design and business. You can answer questions or perform direct actions throughout the process, which has been huge for me when I'm trying to perfect the look of my website. You've also got built-in tools for selling, bookings, and marketing. Pretty much all the stuff you actually need once the site's live. If you're building anything right now, a side-project brand, business, whatever, Wix Harmony honestly makes it easier to get out of your own way and start making stuff happen. Go to wix.com, backslashharmony. That's wix.com, backslashharmony. Start your website today. I have a couple of thoughts on this and I've been thinking quite a bit about it. If you think about AI in its like purest, purest form, not even technical gardens, what does AI do for you? AI is running. AI is giving you insights faster than a human analyst. For you to reach 20 block posts, surface to insight, you can now say, read all of them, give me the insight, ask me questions, pain palm, be my reasoning partner. AI can automate certain things for you. Before you have to do step one through 20 to get you a task, now you can automate those things, running the background. These things are argument instructed. The way you want some things to be done requires hyper clarity on the outcome you're looking for. And AI is just extracting data, content, information that you have in your system today. So when I think about the two risks, if you don't know what you're looking for and you ask this stupid question, that exposes risk in ways that you may not get an employee does this, you go, why are they asking this question? Can they should they be asking this question? Damn, if the answer's question, then I get the answers now. And the answer's so easy. So this is like a net new set of things that folks are worried about. The other piece is, I think AI also makes it. If you think about it right, every AI service want faster adoption. So they say, integrate with all your tool stack, we can do all these things. People don't think no one thinks about permissioning, no one thinks about data. But they think about adoption, easy click, one click. If your house is not clean, like if your database is not clean, if your systems are not clean, a lot of companies don't think about that. You can ask a question, you get the answers because the underlying data is chaotic on its own. When I see our customers and maybe for you, Ryan, getting your drops done, getting your tasks done, it's awesome. But then who did the data clean up in the first place? There's also just this fundamental regardless of AI, regardless of how we use, there is still a fundamental data hygiene, security hygiene thing that we got to figure out. All these advancements, it's putting the security foundation into a massive test. An attacker knows that and so they really try to exploit now with additional vectors in a faster way, through AI through prompting. That's why when I think about security practitioners, it might feel stressed knowing that their house needs to be in order to support all these evolution of technology. Superhero movies, it's like, well, who has the superpowers? Who are the mutants? The good guys, the other bad guys have the same superpowers. Who's using them best? The bad guys are using these tools to take all these other stuff to advance their criminal behavior or they're sneaking around or whatever they're doing, no matter how nefarious or non nefarious it is, as the good guys, we gotta use these same superpowers to both protect it and to use it for what we're ultimately using it for. It's like anything else. The bad guys seem to always be at least even and sometimes one step ahead of us and not that we're all perfect. I'm 100% sure I'm not a criminal. I'd be called a cheater in a few board games every now and then, but as I mean, it was true, Nicole. I just like to win. It's like, I feel like we're playing chess, right? The attackers can be offensive, we're defensive, and it's just the mindset is kind of different, and so that's why in cyber, you also see offensive teams who's trying to break systems ahead of time. We can think like attackers too, and actually AI unlocks that, really. I think it's a huge value ad for security teams, but also, unfortunately, attack surface expands. We also just have to work really hard and be very creative when it comes to how to better protect. You mentioned something about how direct what outcomes we want, and usually it's my own lack of clarity that causes the AI's bad behavior or bad outcome that I didn't want. But anyway, I digress. I just wanted to come on here on this episode of Batesense. I admit that sometimes I mean to my AI person trying to get it to be more efficient. When AI process, when you give a prompt, if you give a clear prompt, you have to process tokens, there's a cost associated with every prompt or every question. One thing open AI, I believe I said, is there are people, I'm one of those people. I'll be like, can you please do this thing for me? Thank you. And they said, if you add please, and thank you, it takes up more tokens. Just be direct. Just remove all the pleasantries. That's crazy from me. I'm Canadian. I say sorry. I say thank you. I say please. All the time. Turn out, that's not good for AI. Turn out it's costly. And I'm from the south, so I kind of do the same thing. I do, I had the pleasantries on the front end, but then when I'm mad at it, I'm like, you know, this is really causing me more time and hours today. Your whole purpose in life is to save me time and energy and all you've done is call it anyway. What I'm here from you is, that's great, maybe you felt better. It's just costing you more money because you're just using tokens. It's costing you money, but hey, if it works, it works for you. Like ultimately, it's about you. It's less about the AI, but yeah, just say too many prompts, make a short, be efficient, walk me through what you're going to do differently. I love it. Hey, good tip for anyone out there. I'm not the only one. I'm the only one that mits things. As we close out here in Nicole, always like quick tips, action will stuff. For anyone that's listening, small, medium, we got executives, we got big companies, we got entrepreneurs running startups, maybe a handful of things, easy things people could do to maybe have a little more AI hygiene in their cybersecurity. We're all going to be superior promters as we acquire skills in the AI world. My recommendation is, number one, totally find it be curious, but number two is also just ask a question if should I be concerned about the data? AI, can you please sanitize my data, sanitize my queries, and make sure that the AI can do the security mind at work for someone? I think the second thing is remember, don't give out your credit card information, don't give out your passport, don't give out your blood type, Ryan. Let's just do the same thing in the AI world and make sure that the information you care about just ask for it to omit, and AI would do the job for you. Regularity goes through, hey, our thing, share that AI really shouldn't be. AI can probably find out about that really quickly for you too, and they can take action. Those are good hygiene to just ask and prompt, almost like part of your regular workflow. Those are good. It's so funny. Everything's meta with this, because AI can assist in whatever thing we're trying to solve that might be related to AI. It's sort of, I don't know, this meta circle. I always find myself, and I'm like, I'm trying to worry about this with AI, but can AI help me, and it seems like it can. AI's like your reasoning partner, and just does so much. I'm really excited about the outcome, the future of where this technology can go. Nicole, tell everyone where they can learn more about fable security yourself, and stay in touch or learn any of the sharing you might be having universally. You can learn about us. I've fable security.com. Our website shows a lot about what we do when it comes to protecting human risk, understanding employee behavior, and figuring out ways to share target interventions. I can elevate your overall security hygiene, whether it's AI, adoption, whether it's sharing sensitive data, whether it's also just defending against external threat actors. We are based in San Francisco, California, our office is running the heart of downtown. We work in person, we love being there to collaborate. So if you're ever in town, our door is open. I really appreciate you for coming on. Let's do it again soon. Absolutely. Let's stay in touch, Nicole. I'd love to have you on every now and then. This is a very topical thing. Real thing is things evolve. Yeah. Have a fabulous rest of the day. Thank you. Great to meet you. Thank you for having me on the show. Yeah. You're a good time. Take care. Thanks, see you. This has been right about now with Ryan Alford, a Radcast Network production. Visit RyanisRite.com for full audio and video versions of the show. Order one choir about sponsorship opportunities. Thanks for listening.