Every role in cybersecurity is changing fast, but most practitioners are still treating AI like a glorified search engine. In this solo episode of Secured, Cole Cornford shares his unfiltered take on three things on his mind right now: entrepreneurship in a tough market, the growing threat to SaaS product businesses from roll your own culture, and why the cyber industry needs a fundamentally different approach to AI.
Cole makes the case that saying "hey Claude" is the least effective way to work with AI today, and that the real conversation has nothing to do with which model you pick. It is about how you interact with it, how you build a harness around it, and how you stop letting third party wrappers make all the decisions for you. He also shares early thinking on an AI course he is building for security professionals, covering AI fundamentals, using AI for security, and securing AI products.
Along the way he tackles the rule of three as a framework for prioritising in a small business, why product moats are disappearing fast, and what qualities he is actually looking for when hiring graduates in a market where everyone is cutting them.
Transcript Synced · click any line to jump ▾
Cole Cornford: I'd say that everybody, every role in cybersecurity is changing really fast. And I know a lot of cybersecurity professionals who are just confused and don't know where to start. And their use of AI continues to be, "Hey Chat," or, "Hey Claude," which is the least effective way to be working with an AI. With this AI course, I want to get away and just teach people that it's not about the models themselves. Like, you can choose the appropriate model for the use case what you're trying to do. It's how you interact with that model. Hi everyone, I'm Cole Cornford, and you're listening to Secured, the podcast that dives deep into the world of software security. Open source now powers over 90% of the software we build, but it's also where attackers increasingly strike. ChainGuard closes that trust gap with hardened, secure, production-ready open source builds so teams can build faster, stay compliant, and eliminate risk. Get your free CVE reduction report at dayone.fm/chainguard and start shipping software with confidence. This is a solo episode, and it's a little bit of a departure away from our usual bringing guests on and asking them interesting questions. I try to do a solo episode every 2 to 3 episodes, just talk about things that are on my mind and stuff that could be useful for you all. I'm splitting it across 3 categories today because my experience is obviously in software security, but I've also got thoughts on AI and how it applies in that space, as well as entrepreneurship. Maybe I could have a little bit extra about family and stuff towards the end, but we'll see how I go for timing. Anyway, starting with entrepreneurship. It's a tough market to start a business right now unless your business happens to be an AI something firm, AI for X, or, you know, AI for like cloud operations or AI for code analysis, or I don't know, AI for logistics. If you run any other form of business and investors are not particularly interested in talking to you. I'm not gonna say that there's a bubble because I think bubbles are only really visible in hindsight. But yeah, it's, it's a tough time to raise capital right now. And it's also a tough time if you're running a services business, which a lot of bootstrap people are too, because realistically, unless you have existing customers, it's very hard to get through to GTM spend from these AI businesses. And it's very hard to get executive cut through when the only thing people want to be hearing about is affecting the bottom line, not necessarily top line revenue. So, I mean, we've been seeing masses and masses of like AI job cuts, but I'm finding that a lot of the like more innovative companies are actually spending the time to hire a lot of those people back into them. So, because the more people you have, the more like connection pathways that need to exist. And I know a lot of people will say, oh, mythical man month is, you know, dead. But realistically, um, all of the agents still need to talk to one another, and that creates communication like challenges. So— I saw a blog post a few weeks ago by someone who, um, had basically simulated different organizational structures and created agents that map to these org structures. And, um, worked out who was better at performing a reasonably simplistic task. And it was interesting to me because it showed that, like, just if you replace humans with AI agents that are emulating whatever the position of the human was before, they're still going to have the same challenges about, you know, conflicting demands, communicating, getting access to information, understanding context, all of the things that kind of— Yeah. Like we normally struggle with as humans. So in, in a larger business. So yeah, all those narratives about one man who's been able to use AI to solve all of his problems. So actually probably not that, um, you know, unlikely because one person doesn't have any communication issues. But then when they try to scale it into a larger business and you have, you know, AI agents able to talk to one another, suddenly it's like, hang on a second, we've just swapping human, like what, carbon-based life forms to silicon ones. So anyway, there's 3 kind of things I want to talk through, um, that are probably useful lessons for you all. The first one is the rule of 3. Now this is common in public speaking, common in writing, common in basically everything. It's that if you have more than 3 things, it's like you're distracted. You have too many things going on and it's hard to convey your message because it's too much to remember. If you have less than 3 things, then you, there's not enough. People feel like they need more. So I'd kind of stick to talking about things in rules, in, in threes. And I guess the reason I wanted to bring up the rule of 3 is because that's a big part of how I run my business. I speak to a lot of other entrepreneurs and they have a lot of plates That they're like spinning. And then I ask which plates are the most important ones. And oftentimes they haven't been able to answer that question because they've been too busy spinning plates to actually sit back and think about what the most important plates to be spinning are. In fact, you can drop a bunch of those plates and, you know, if nobody's watching you at the circus, then it doesn't matter if you, if you drop a couple of plates. So now Going back to the rule of 3 really helps me prioritize. You could do it in many ways. You could have as a macro theme. So like, these are the objectives for the quarter or for the year. You can have it as operational things and say that these are the things I want to get done today or this week. But sticking it to 3, it means that you can timebox yourself, keep yourself accountable, and you actually make meaningful progress. I've seen people push it back to like just just pick one thing and focus only on the one priority. But I think that that's hard to do because you could end up getting deadlocked where you can't progress that one thing. So what do you do next? Whereas at least if you've got 3 priorities, you can kind of juggle between them if one of them is waiting on some kind of external async process, like a customer responding to a statement of work or to a sales proposal. Can't do much other than annoy the customer to get back to you. But then you can go focus on Marketing or doing a delivery activity like writing an SDLC assessment or something. Next thing I want to talk through, I don't think that products have much moat anymore, and that's, that's going to be very interesting. Most of the businesses that have been successful in the last 10 to 15 years have been based on raising capital. And then using that capital to expand at all costs, like acquire as much market share as possible and then figure out how to monetize it down the track. And there was a lot of reasons why it was successful, 'cause it could grow globally immediately. You had very low overheads. It was a tried and trusted playbook that VCs were happy to back. And the, the intention was to just get to the next round over and over again instead of focusing on things like goodwill or assets or managing inventory or, you know, like staff hiring, et cetera. I think that that's going to shift quite dramatically. And the business model is like really, really under threat, not so much from competitors, but from the concept of roll your own. Like a product business, like let's just take Sneak, for example. Sneak was the darling child in the 2020s. And then basically focused exclusively on GTM after about 2021. And that's when we started to see competitors popping up like Aikido Security and Endor Labs and so on, because they were, you know, innovating and doing things differently that Snyk was really struggling with. Because Snyk's focus was on targeting the enterprise buyer. So let's add SSO, let's get the right security qualifications, let's get integrations to, let's like AD and Azure and Bitbucket and so on and all, and then just focusing on bringing on more salespeople and marketing and so on. But realistically, the core product offering didn't change all that much for 4 to 5 years. And even if you, if you look today, the people have been able to in, in weeks, like sometimes days, create a reasonable replacement to what Snyk's capability is, which is, effectively getting a package manifest, comparing it to a known list of vulnerabilities, and then reporting the results back to a user, as well as like analyzing source code against like known patterns that are vulnerable. And I believe it does taint analysis, but the thing is, so again, all of these LLMs and, um, AI-assisted systems nowadays, you can teach them to create a call graph, you can teach them to due to package manifest comparisons, and they have access to source code to do things like that already. So I don't see it as a conversation between, do I choose Snyk or Veracode or Fortify, which one's more feature-rich? I see it more as a, um, do I go by a commercial offering provided to me, or do I choose to roll my own one? Now I've, I've, um, previously done lots of roll my own in companies and it's usually gone badly. And that's because like the, the IP and the knowledge stays in the engineer's head who has built this like, you know, whiz-bang new system. I remember I was working at a large bank in the past. We built something called Secure Code as a Service. And effectively it would be— Whenever there would be a change to a codebase, we would pull the codebase into a Docker container, execute a scan against the differential, and then send the results back to the dev team quickly. And we'd have the precompiled previous results for that. And it'd basically be like, you know, polling to see if anything new would happen, and you'd pull it in when something new happened. And that was kind of preferential for a lot of the dev teams as opposed to packaging source code and sending it to the security team for review. Yeah. Because they could trigger the security scan whenever they wanted to. But at that time, the engineering effort was rather substantial and used new technology that was kind of hard to replicate. The main one being Docker Compose and Docker Swarm was the underpinning infrastructure. And like that bank was not set up to have a production system running these kind of things at that point in time. So I have always advocated away from, you know, like rolling your own because I know that the ongoing engineering effort to maintain a system like that is like quite substantial as opposed to the license costs of purchasing a static analysis tool or an SCA tool or so on. And like that, there are open source tools available as well. But the thing with the open source tools is if you work in a regulated environment, it's quite unlikely that the regulator's going to accept that you cheaped out and are just running like Bandit or Brakeman and saying that this is good enough. So usually to cover the ass of the executives, they go out and buy some of these bigger tools so that they could say, yep, we are investing in the capability and we've spent money to try to address the risk. So, but yeah, it doesn't look good if you go out to those same people and say, yeah, we've just been relying on Dependabot free alerts to patch things. And I'll say, well, you, what? No, you should be doing something else. Right. So. Anyway, going back to that product versus like where we were in the past. Today though, the cost to maintain an engineer system has like changed dramatically. You don't need that, the same level of expertise, and you can actually engineer the system in a way so that it can manage itself, right? Like, it's not, it's not going to be perfect. It's not going to know what it needs to do, but, and it's not going to be as good as a lot of these, like, you know, commercial products. But if you pay nothing for it and engineering costs are minimal, ongoing because agents have learned how to, how to do that task, then I think it's quite worthwhile to be looking at rolling your own. And a lot of the people I've spoken to, uh, you know, tech businesses primarily, they've been saying things like, I don't know why we need penetration testing, or I don't know why we need Shannon or Expo, when realistically I could just get myself like you know, my own penetration testing harness that I built over a weekend and just get it to target all our repos on like a, you know, daily cadence or something. And like, there's a lot of logic to that. Like, I don't know how— what's the value? Is it worth millions of dollars to buy the capability as opposed to just using something that some guy's mucked around with on a weekend? So. Well, I do think that there are good reasons that the commercial players will still stick around and still be effective. But roll your own is definitely the biggest threat. Like if you're, I know I mentioned this before, but if you're in a regulated industry, there's the free lines of risk and it's very like, while you can roll your own to help you identify and manage risk, almost certainly you'll want to have audit done independently of your company. And so like, if you've got an assurance product, like a penetration testing tool or a code review tool that is owned and maintained and operated by a third-party entity, then that seems quite reasonable to be able to check that compliance and risk box. Another thing is just core competencies. If you've got one thing that you're really good at, Then spending effort on like this little piece over here of security, as opposed to spending effort on like whatever your core business is, may not make much sense. Like, you may be able to reduce the bottom line a little bit, but you know, you're— by spending the time engineering a system, you're not actually doing your core role. So like, it's— as a security professional, is your job to be building software internally, or is it easier to just pay like 20 or $30,000 for a software product? Don't know. So, um, I find software businesses tend to like, you know, build their own products instead of buying the ones off the shelf. But by the same token, I think it's because they have an excess capacity of headcount, which is why they've been, you know, laying off people left, right, and center. So who's to say? But yeah, that's, um, that's gonna be like a big thing for all of the product businesses and startups that I know is how do you get in front of a buyer and then convince them it's worthwhile to pay money when a lot of those buyers can come back to you and say, like, I don't know why I would buy this when there's a good chance that I can just make it myself if I put some effort into it. So I'd go back to those people, talk about, um, that you can't mark your own homework, that the effort that they put into building a security tool's not as important as them focusing on, say, risk or finance or whatever else. And, um, yeah, just, your depth of expertise matters too. Another thing I've seen coming up that people are not so aware of is the cash crunch that's coming around end of June, July for most business owners because we will have at that point paid superannuation guarantee and end of like end of financial year, IS and BAS, which is your tax on individuals who are employed at your business and your GST payments as well. But come next financial year, we'll be moving from having like monthly or quarterly superannuation payments as well as individual income tax payments to having to do them per pay run. And that suddenly creates a bit of an ongoing cash flow problem who, for people that may be focused on collecting on a on a regular basis as opposed to collecting, what do you call it, just upfront so that they can meet these obligations. So just think about liquidity and having options available for next FY for yourself before it comes up. So I know a lot of entrepreneurs do listen to this. Moving on. So artificial intelligence. Now I've been umming and ahhing and I've kind of like almost decided that it's time for me to build some kind of AI course. I think I would like to structure it as AI fundamentals, using AI for security, and securing AI products as kind of different modules that build on one another. And then maybe working out whether this should be a 1-day course, a 3-day course, or a 5-day course. I'm inclined to do 5 days or to modularize it and make it available online with homework. And the intention behind it is that I think that a lot of the stuff that I'm teaching in the Foundations of Application Security course, which I've, you know, it's been my flagship for a number of years, it's changing very, very fast. I'd say that everybody, every role in cybersecurity is changing really fast. And I know a lot of cybersecurity professionals who are just confused and don't know where to start. And their use of AI continues to be, hey Chat, or hey Claude, which is the least effective way to be working with an AI, um, today. Like most folk aren't even talking about harness engineering. They're like even reading an article by, um, Sisso Lens recently, they said that the Mephisto problem is here for everybody and To me, that implies that like most of the security leaders who contributed to that article don't have a technical grasp on what MiFOS really means for the industry, right? Because MiFOS is a model and it may be very good at things, but a model is interacted with via a harness like Claude or Copilot or Cursor. And that's where the real challenge is because all of the ways that you interact with the model are now gatekept by what a third party allows you to do using their proprietary wrapper for the model itself. So I think that I would not be surprised if in the next month or two we start to see a hell of a lot more businesses, like big tech companies especially, come out and say, hang on a second, why are we focusing on models and obliteration and like small language models and like parameters and so on, when that's like going to be, it's already reasonably commoditized with like Gemma 4 and MinMax and Mistral and so on. It's the interaction with these models. That's the problem. That's why I'm a, like with this AI course, I want to get away and just teach people that it's not about the models themselves. Like you can, you know, choose the appropriate model for the use case that you're trying to do. It's how you interact with that model. And you can interact with it the way that Anthropic tells you to, or the way OpenAI tells you to, but then you completely lose all control and have to, like, effectively pay for all utilization of that model. Whereas you can now design a harness to help significantly reduce the amount of money that you spend on that model. And, um, control which models you're interacting with. And even do stuff locally on your workstation if you're like thinking about that system architecture, right? So it's like, it's like that, those kind of misconceptions that I really want to be addressing by having like some kind of fundamentals course to be like, this is a model, this is a harness, this is like why we're doing this engineering, here are the, here are the reasons that you would want to do it, here's the reasons that you'd want to just use Claude, etc., etc. So— But yeah, like that's on my radar. I'd love to chat to people who are interested in like the kind of content you think would be value for your organizations because I have a good zero to hero pathway in my head for how I want to be doing the content. And I want all of the content to have practical exercises rather than just be like a bunch of theory. But yeah, just let me know if you've got feedback about you know, what you would like to see in an AI course. Now, speaking of AI, um, let's move to cyber quickly. Now, the cyber industry is changing a lot, and in a very short period of time as well. I know most of the people I speak to are still doing things the traditional way and saying stuff like 'Why are you still using Burp Suite?' usually is very offensive to penetration testers because, like, that's the way we've always known how to do things. Um, 'Why, why are you using Word documents when you should be using Markdown files, like, and storing in a Git repository? Why are you, like, spending the time on, like, you know, reviewing everything when you could have a, um, a GAN set up with LLM as judge and then just get it to, like, test which of the outputs is the most appropriate before you review it. So like, it's, it's a different kind of attitude and skillset to approaching security than learning just traditional tech. I've been hiring graduates still, which is, I think, an encouraging sign. I think a lot of people, like, I know that law, big law firms have been saying that they've been cutting off the graduate hiring pool because a lot of the tasks can be automated, but I think that's all well and good to reduce opex, but like the broader economy is like shrinking as well. So I'm not seeing as graduate positions disappear, I think people are just a bit more selective about which types of graduates they're bringing on to respond to the amount of supply there is. And yeah, like I, I still think that the, the most important qualities I've had in these like grads and younger people is just systems thinking and humanities attitudes really. Like if you can understand how a business or how a process operates end to end and be able to reason about things like performance or complexity or about like caching or just all of these traditional computer science concepts, which we've all seemed to have forgotten because with cloud computing you could just auto-scale in a response to it. I think that's still a super valuable skillset because, well, if you scale your AI systems through just using cloud, then what you end up with is spending heaps of money on token utilization in a consumption model. And so if you go back to things like, hey, what type of data structure should we use? Should we be caching results? Should we be trying to store stuff locally in a repository? Should we be using indexing? You know, um, it's reasonably straightforward approaches to, you know, standard memory and like performance things. I think you'll go far. What I'm more concerned about are the people that said, hey, I'm going to go do some, um, you know, learn how to write policy standards and frameworks, or I'm going to be an ISO lead implementer or masters in cyber and pen testing. And all they've done is like run Nessus or run Nmap. Which you can ask an agent to do for you and feed that back in, or you can ask an agent to run subagents and then get those subagents to collate the results and get it digestible for you. That, that's the kind of stuff, the monotonous parts of the job that's going away. And yeah, if you've only learned the monotony or like the, the rigid stuff, as opposed to thinking, why are we doing the things we're doing and how do we make it so that we can, you know, think differently. There was an old, um, story I read ages ago called Grandma's Pot, and it was like the daughter asked the mom, Mom, why do we use this pot? And then mom says, oh, it's like Grandma's pot, it's like been in the family forever. And then the daughter asks the, you know, Grandma, Grandma, like, we've been using this pot for ages and it kind of sucks, so I'd like to You know, bite, try something new. And Grandma says, oh yeah, that makes sense. The reason we use this pot is because it was the only pot that fit into the oven at my old house. But now you've got a bigger oven, so may as well try something differently. And so we have these like, you know, preconceived processes or ideas or opinions about things that we've learned over the years and then we fail to question. I think that cyber is going through this now and asking questions of itself, like You know, what is, what is the value of an assurance activity if the code that we write, like, is changing every 2 to 3 minutes? How do we even do assurance? Like, does that mean that we need to be doing it every 2 to 3 minutes?
Cole Cornford: Hmm.
Cole Cornford: What about with certifications? Like, is anyone going to be reading the policies and standards, or are we going to assume that someone who's reading them is doing it through an agent. And then if that's the case, does— is the agent— does it have appropriate guardrails in place to stop it from confabulating what it thinks those standards and policies say? So yeah, I'd say that one of the biggest skills is to like still learn the existing criteria, but to be quite curious and open-minded about how things could be done differently. Anyway, that's coming up to the end of my solo episode today. I hope you've had fun, and I will speak to you all next time. Thanks a lot for listening to this episode of Secured. If you got any feedback at all, feel free to hit us up and let us know. If you'd like to learn more about how Glass Cyber can help keep your business secured, go to glasscyber.com.au.
Cole Cornford: If you're new to the show, a seasoned veteran, I want to hear from you.
Cole Cornford: I'm always looking to do better as a podcast host and as a person.
Cole Cornford: So tell me about what I can do better. Tell me about the types of people you want on my podcast. Tell me about if the format's working for you or styles need to be switched up. Do I need to interview differently? So on and so forth. I appreciate you sticking with me for almost 30 episodes at this stage, and I hope I can keep learning and you can keep learning and being entertained for many more episodes to come. Thank you. So please shoot me feedback. I want the good, the bad, and the ugly to pod@glasscyber.com.au. And if you don't like email, hit me up on LinkedIn.
Cole Cornford: Quick update. I'm launching a new course for 2025. It's Foundations of Application Security. It's a 2-day bootcamp covering everything you need to become a well-rounded AppSec practitioner. There's both public and private courses available, and the best part about it all is taught by me. So if you're interested, just send me an email, col@galaxycyber.com.au, or say hi on LinkedIn if you can have a chat about it.
