A recent virtual discussion featured Nir Valtman, CEO and co-founder of Arnica. Valtman brings a wealth of cybersecurity experience, having previously served as the CISO at Kabbage (acquired by American Express), led product and data security at Finastra, and managed application security at NCR. He is also an advisory board member at Salt Security.
Known as an innovative force in the industry, Valtman has contributed significantly to open-source projects and holds seven patents in software security. He is a sought-after speaker at major cybersecurity events such as Black Hat, DEF CON, BSides, and RSA.
Are you ready for AI agents? Under Valtman's guidance, Arnica is pioneering the next generation of application security tools tailored for developers.
Excerpt from the interview:
A Media: How do you envision the role of generative AI in cybersecurity evolving over the next 3-5 years?
Nir Valtman: We are beginning to understand where generative AI can offer the most benefit. It holds potential in application security by equipping developers with tools to be secure by default, especially aiding less experienced developers in achieving this goal.
A Media: What emerging technologies or methodologies are you monitoring that may impact the use of generative AI for security?
Valtman: There is a growing need for actionable remediation paths for security vulnerabilities. This process starts by prioritizing critical assets, identifying responsible remediation owners, and effectively mitigating risks. Generative AI will be instrumental in risk remediation, but it will require a clear prioritization of assets and ownership.
A Media: Where should organizations prioritize investments to maximize generative AI's potential in cybersecurity?
Valtman: Organizations should focus on addressing repetitive and complex issues, such as mitigating specific categories of source code vulnerabilities. As generative AI demonstrates additional applications, investment priorities will evolve.
A Media: How can generative AI shift the security approach from reactive to proactive?
Valtman: For generative AI to be truly predictive, it must train on highly relevant datasets. A more accurate model increases confidence in AI-driven decisions. Building this trust will take time, particularly in high-stakes areas like security. However, once robust, generative AI tools can proactively mitigate risks with minimal human intervention.
A Media: What organizational changes are needed to incorporate generative AI for security?
Valtman: Organizations must make strategic and tactical adjustments. Decision-makers need education on the benefits and risks of AI technology and alignment with the company’s security goals. Tactically, budgets and resources should be allocated for integrating AI with asset, application, and data discovery tools, along with developing a corrective action playbook.
A Media: What security challenges could generative AI present, and how can they be addressed?
Valtman: Data privacy and leakage pose significant risks. Mitigation strategies include hosting models internally, anonymizing data prior to external processing, and conducting regular audits for compliance. Additionally, concerns regarding the integrity of models, such as model poisoning, necessitate thorough vulnerability assessments and advanced penetration testing.
A Media: How could generative AI automate threat detection, security patches, and other processes?
Valtman: Generative AI can detect threats by analyzing historical behavior across various data sources, including network logs and transactions. Potential use cases may include threat modeling during software development, automated patch deployment with sufficient test coverage, and self-improving incident response protocols.
A Media: What plans or strategies should organizations adopt regarding generative AI and data protection?
Valtman: Organizations must establish clear policies for data collection, storage, usage, and sharing, ensuring defined roles and responsibilities. These policies should align with an overarching cybersecurity strategy, facilitating data protection functions like incident response, breach notification, and third-party risk management.