
Tuesday Mar 25, 2025
EP 14 — ruby’s George Al-Koura on Why Your Third-Party Security Audits Aren't Enough
"If you aren't investing in penetration testing, if you aren't investing in having external auditing and third party reporting like gray and black box type testing, you're leaving your program extremely exploitable because you're just admiring the beauty of your own ideas." This blunt assessment from George Al-Koura, CISO at ruby, encapsulates his refreshingly practical approach to data security.
In this episode of The Future of Data Security, George challenges conventional wisdom by predicting a major shift back to controlled data centers as organizations struggle with securing AI implementations in the cloud. He reflects on why no one has successfully created secure LLMs that can safely communicate with the open web, exposes the growing threat of "force-enabled" AI tools being integrated without proper consent, and explains why technical skills are actually the easiest part of building an effective security team. With threat actors now operating with enterprise-level organization and sophistication, George also shares battle-tested strategies for communicating risk effectively to boards and establishing security programs that can withstand sophisticated attacks.
Topics discussed:
- How skills from signals intelligence directly transfer to cybersecurity leadership, particularly the ability to provide concise risk-based analysis and make decisive decisions under pressure.
- The challenge of getting organizations to invest in data security beyond compliance standards, while facing increasingly sophisticated threat actors who operate with enterprise-level organization.
- The importance of establishing clear leadership accountability with properly designated roles (RACI), investing in appropriate technology, and implementing rigorous third-party auditing beyond certification standards.
- The gradual shift in board attitudes toward cybersecurity as a top-level concern, and how security leaders can effectively articulate business risk to secure necessary resources.
- How privacy requirements are increasingly driving security investments, creating a data-centric risk management framework that requires security leaders to articulate both concerns.
- The struggle to securely deploy LLMs that can communicate with the open web while protecting sensitive data, paired with the trend of returning to controlled data center environments.
- How major platforms are integrating AI capabilities with minimal user consent, creating shadow AI risks and forcing security teams to develop agile assessment processes.
- Looking beyond technical skills to prioritize integrity, work ethic, problem-solving ability, and social integration when forming security teams that can handle high-pressure situations.