Adam Myers

Hello and welcome to our podcast Tales from the CyberLab. My name’s Adam Myers and I’m the Sales Director here at CyberLab, and I’ll be your host for today’s podcast. I’m joined today by James from Chess, and we’ll be discussing around AI adoption and especially around Copilot, which I think is a really interesting topic. So James, can you just tell us a little bit about what you do in your day-to-day role at Chess?

James Mallalieu

Thanks, Adam. Yep. James Mallalie, I’m a consultant at Chess. My areas of specialisation are around AI and Microsoft 365 and really my kind of key focus is helping organisations understand how they can plan for deploy and adopt these technologies within their organisations.

Adam Myers

And I guess at the moment there’s kind of a real buzz around AI adoption within the workplace. We kind of saw that a SecureTour, our four venues, you were on the panel and speaking to a lot of our customers. So hopefully there’s a few listening out into the podcast now. I did plug it quite a bit, so hopefully there’s a few listeners if anyone did join us. But obviously around the adoption of Copliot is especially big at the moment, the productivity benefits. And then I guess that also comes with an element of security risk, which is where maybe we come into the fold and how we can help. So in terms of some initial topics where we’ll keep things, there’s probably a lot of rabbit holes that we can go down. Very excited to talk around this and we saw a lot of people interested in this at SecureTour. So James, I guess we’ve seen a huge surge in interest around Microsoft Copliot. Why do you think businesses are adopting it so quickly?

James Mallalieu

Well, I think it’s primarily because AI is reaching critical adoption both within the workplace and outside of the workplace.

So everyone talks about AI, it’s in the media. Any advert you see on TV that relates to a phone, they’ll be plugging AI. Every product. It’s everywhere. And I think what that means is that people as consumers i.e. in our private lives are being exposed to AI and making use of AI. And therefore there’s the question of, well, okay, how can I take these tools? How can I take these benefits and apply them within the workplace? And from my point of view, personally, I haven’t seen an uptake of a single kind of type of technology like this since lockdown. Lockdown put (Microsoft) Teams on the map, it accelerates everyone’s deployment of Teams because we needed to adapt quickly to remote working. Now AI, and in my case Copliot, we are seeing well beyond that type of adoption and I think that’s because it’s coming from everywhere. As I said, it’s coming from the consumer space, it’s coming from marketing, it’s coming from media. So it’s not a piece of that technical enthusiasts are pushing. It’s something that individuals who use it in their home life and in their private life are saying, this is great. This saves me time. I want to use this in my working day.

Adam Myers

Yeah, I’m definitely seeing that. I think I was actually reading something very recently around how quickly it has been adopted and the trust already. And I think you maybe touched upon that a little bit, is that, do you think, because it’s in Microsoft 365 and we’re already kind of familiar with that, we’ve gone through this like you said, naturally with Teams, which was a big surge as you said around the COVID period. Do you think that’s probably why it seems like that natural extension, but it is been very quick, I think for people to adopt.

James Mallalieu

Well, the trust is an interesting one because I think with AI-generated content, anyone who’s been sort of following this for a while has seen many, many examples of AI getting it wrong in many different scenarios. And probably the most common one is if you get AI to draw pictures, six fingers on a hand, all of those sort of things are well known. But what we find with something like Copilot is because it comes part of the Microsoft 365 suite, it’s integrated into the tools that you already use and you already trust. And from a technology point of view, it fits within your Microsoft 365 environment. You’re not going out and kind of putting your faith in something by a vendor or a product that perhaps you’re less familiar with. You don’t have skills with. I don’t mean just because it’s got Microsoft on it, trust it implicitly, but obviously Microsoft’s business has to be built on an element of trust. And so that puts them into the forefront of, well, if I’m going to use a tool and I’ve got to select between a few, having trust in an established player in the market is kind of a key decision.

Adam Myers

And I think you demonstrating some of the stuff at SecureTour around agents and how that all works, it’s a learning curve for everyone, isn’t it? We’re kind of jumping into the web version, but agents can do lot clever things as well. So is there any success stories that you’re seeing at early doors that you think is probably aiding that wider adoption?

James Mallalieu

Well, I think, so AI is a very broad topic and it covers many different aspects to do with AI. The bit where I see the biggest gains, it’s the wow moment from individuals who realise they can apply it for something they do in their daily working life to solve a problem or something that takes them ages to do. And these aren’t the, are we going to apply AI to all of our processes in an organisation and make ourselves ultra efficient? This is the person that says AI generated meeting recap is a big thing because actually minuiting meetings and distributing valid, useful minute notes takes someone a lot of time. So if I can assist or provide a tool that assists in that, that’s their wow moment. And I think it’s those what appear to be quite small individual gains actually combined, see the real benefits certainly that I’m seeing and that’s particularly true around Copliot.

Adam Myers

Yeah, we see it also just in our general day-to-day life. I use ChatGPT just to find the source quicker and it gets me to the thing that I need to look at and the source a lot faster and I’m using it and I’ve kind of started out there, I’m kind of getting my toe into the shallow end of the pool as such if using an analogy and I’m kind of learning a bit. And then that naturally led into me using Copliot within our organisation to start to maybe use it in a work life. So I guess it comes from a place of me kind of testing out a little bit and then when you see the benefit very quickly, it’s like, wow, this is that wow moment. It kind of makes me sit up and realise that I can do things a lot faster with probably a higher quality level, I feel anyway, in terms of the way that I’m looking at this as a technology.

James Mallalieu

I think and many organisations I speak to, the conversation usually comes from a place of a little bit of concern, a little bit of a of a doubt and a little bit of a mixed message as to what AI is. And I think it’s important to kind of strip that back slightly and think about Copliot particularly is focused on personal productivity. So if an organisation looks to invest in Copliot and roll it out, they’ll get zero return if their users don’t actually use it. And so one of the key factors that will influence ultimately the success or the return on investment of rolling out Copliot will be making sure that individuals see the value in their daily working life. And I’m a great believer in building that daily habit. What are the things that will help someone to utilise Copliot to support them on a daily basis, not just they see it once they have a go and think, “oh, that’s quite cool, but I’m never going to use it.” But building that daily habit. For all of us, it’s different. So for me, I produce quite a lot of content or review a lot of content. So it’s massively useful for me in terms of addressing the short comes in my writing skills, things like that. How can I help it to take what I’ve written And just polish it, right? It’s not writing it for me. I’ve still put the essence of what I want to say, but the thing about writing a paragraph and then condensing it into a really readable relevant piece of copy that the target audience will get, that’s a real skill and takes a lot of time. And for technical people, which I am, that can be a bit of a challenge. So Copliot really, really helps with that. It really helps with, for me, meetings, I attend many, many meetings and over the years of being in it, I think I’ve lost the ability to write with a pen unless it’s blocked capital. So it means that if I’m facilitating a meeting, I cannot take meeting minutes, right? I’m trying to concentrate on what people are saying. I’m trying to look at people and all the things that I need to do in a meeting. So turning away and making a load of notes doesn’t help. So turning on the Copilot, not only in terms of the recap, but using Copliot during the meeting just for me to ask, are there any unanswered questions? What was the answer to this point,, etc really helps in my day-to-day job, but as I said, what I do for a day-to-day job is very different in other people. So it’s finding those things that we plug into our activities.

Adam Myers

Yeah, I like that. How you bring it into your day-to-day life in the way you can benefit into the behaviour side of thin. And that’s really interesting and a good takeaway from I guess that first topic. So just flipping a little bit around security posture in the age of AI, I guess with rapid adoption, what are the biggest security concerns you’re seeing right now?

James Mallalieu

Well, there’s probably, broadly I’m going to categorise them into two things. Firstly, the person, the person is always the biggest security concern. So we’ll talk a little bit about user adoption and how you help people use AI responsibly.

But the other thing is what has AI got access to? What is it going to do with, its what got access to and what risks does that present to an organisation? And I think most people I speak to who are at their early days of looking at things like Copliot think that when they turn on Copliot, suddenly it’s going to go off on its own and do lots of things with their data, and it’s going to be sharing the data and providing access to content that people maybe not otherwise have access to. And that’s not strictly true. So Copliot itself isn’t the issue when it comes to data security. It’s the organization’s existing data security, governance, protection and compliance policies that present the problem. Copilot simply magnifies an issue that may already exist. So that doesn’t mean there’s not a risk. Of course there is a risk, but it’s understanding the risk isn’t the introduction of Copliot. The risk is, well, our data. Is our data currently classified to highlight content that is sensitive and therefore should be handled with care?

A common example I would use is that I may already have access to some sensitive information within the organisation I work and therefore Copliot, which inherits my access, it doesn’t have its own access, it’s my access can go away and use that sensitive content to generate new content. Now it’s important that the sensitive content is tagged as sensitive because then Copliot will say, ah, this is sensitive. So anything I generate based on it is also going to be classed as sensitive. And therefore the policies that an organisation has in place are important to think about, understand, recognise, unless you’re one of the very few fortunate companies that say, we’ve all got this perfect nothing to see here. The reality is most organisations will recognise there is improvements they can make in their information governance and data protection stance, and there’s work to be done there and it’s understanding the risk that Copliot brings prior to doing that remediation work, what risks that would present.

Adam Myers

Yeah, interesting. Because I think at SecureTour, so we got talking quite a bit with Stuart from Forcepoint, and that was around DFPM and data classification and you talking around. Well, I think it personally, it knits very closely with what you do is preparing for that move to AI and just making sure the classification of data, I guess AI would be a great tool to classify. The way I classify to you would be different. And if you have that organisation of a hundred people, suddenly you’ve got policies that are going to be very different where that tool, I think they’ve got something on our website which can help you with that process of looking at a sample of data and you can then look at the classification process and who has access to it and write. And I think that was really great to see you both talking around that and maybe who knows, Stuart is a previous guest on the podcast and maybe we’ll get you both together. I think you bounce off each quite nicely and there was a really good conversation going where we can maybe get that going. So yeah, very interesting. And then just quickly as well, just I guess Shadow AI – employees using tools without the oversight of IT. What’s your view on that, I guess?

James Mallalieu

Well, it’s something that’s always been and something that will always be in my view in respect of AI. Well, my talk to organisations, I’m a great believer in saying, look, if you’re using Microsoft 365, you already have available to you Copliot Chat, which effectively provides you a secure protected way of using generative AI for everyone that already has a Microsoft 365 licence. Now, isn’t that better than not having a policy within your organisation?

And those people who are enthusiasts who want to use AI, they’re just going to go off and use ChatGPT, the consumer edition, they’re going to use any tool that they want to use. And I get the fact you can lock down desktops and devices, but at the end of the day, I’ve got my own device, so I can go away, I can use ChatGPT to do things based on content that I might have taken out of the organisation that’s sensitive. So I think whilst you can put efforts in place to stop people using Shadow IT, I’m a great believer in ‘encourage them to do the right thing’, which is provide a set of tools that you as an organisation govern, you manage, you audit, give them those tools, AI is not going to go away. So if you don’t provide a tool that someone can use as a kind of basic generative AI tool, a proportion of your users will demand that. And over the next few years as new people join your organisation, they will expect it. It’s like all of these technologies, if I joined an organisation tomorrow and they said we’re not using Teams or we’re not using Microsoft 365, then there would be a slight raised eyebrow in terms of well, what are you providing as an alternative?

Adam Myers

I think you’re right. There is now an expectation isn’t there, where that is probably becoming the norm around. And I think as we go through the next two to three to five years especially, I think AI within the business is going to be, I guess people expect it like you said. And it’s very interesting that sort of, because it obviously comes at a cost as well and how do businesses budget for that? And the IT budget is always, you are always asking for more budget. So I guess how do we prepare for that? But yeah, definitely interesting conversation there. So I guess just building out some governance and guardrails, I think that’s an important part and that definitely is where some of the conversations were previously. So how, I guess, can organisations strike the right balance embracing AI, I guess while still staying secure?

James Mallalieu

So I definitely would focus on the people aspect. When we think about Copliot, how, the analogy I use is Copliot exists as my personal assistant, so it’s sitting on my shoulder…

Adam Myers

…a parrot!

James Mallalieu

A parrot, it can be a parrot!

Adam Myers

Yeah!

James Mallalieu

It can be whatever voice you want it to be.

(17:08):

So you can ask it to do something, it will do something, generate some content, summarise something, whatever you’ve asked it to do, and it will give that information back to you. You though will decide what to do with it. Okay. And this is the fundamental thing. It’s very much like if I join an organisation tomorrow and I think I need to ask a question, who do I ask? Someone says, go and ask Jane. So I call Jane up, ask the question of Jane. Jane gives me an answer. How do I validate or how do I know with confidence that the answer that Jane’s given me is accurate? And I think AI is the same that as a human, you need to decide is what I’m being told credible? Is it valid? Is it authoritative, is it irrelevant? Is it relevant? Etc. And AI gives you things like citations to help you do that, but ultimately I’m going to decide and therefore if I’m producing a piece of copy that I’m then going to share with other people, it’s no excuse if AI’s generated it right? It’s still come from James. So the fact I might’ve used AI to help me in the process, when I share it with Adam, it comes from me. So it reflects on me so that the people is very, very important, that key thing to help them understand their role in using AI responsibly.

Adam Myers

Yeah. And do you think that comes from training as well? You mentioned the citation part, that was something I kind of learned from watching one of your demos that you do and sort of part your webinars. That was quite an interesting take at the source of where that pulling from because I think we touched upon it a little bit from a security perspective where if it’s within the realms of maybe the HR department that it’s going to come from maybe company data, but you could equally have a file on your desktop, which you’ve created a similar document and it could pull either in that way. So I guess the human element is understanding I guess the source and how it’s doing that. I think that’s quite clever that you’ve done a little bit of, I think you’ve raised my awareness especially of that, of how to use it.

James Mallalieu

I think it’s particularly true, but yes, it’s very true. But when it comes to all of us have used the internet for however many years, we already do that. So when you do an internet search and you’re looking through search results, we consciously or subconsciously click on results that we believe either tell us what we want to hear or come from an authoritative source, and we all have our preferences and we all have our biases and things, but we do that anyway. We sift through information subconsciously and remove the stuff that we don’t believe is to be true becoming increasingly difficult these days on the internet. But the same is true with AI and I think that the person just needs to apply the same principles to what the AI is generating for them, that ultimately where did it get its content from? Is this an authoritative source and therefore can I wholeheartedly rely on it or do I need to do some additional checks of validation?

Adam Myers

And I think just what I think Chess do really well is these early adoption packs of how to introduce AI into the business. And again, that goes back to that human element of how the adoption and change management of introducing Copliot. I dunno if you want to expand just a little bit on that, but I think that’s a really good starting point for a lot of businesses to take that step of putting their foot in the shallow end and they’re about to swim. And I think there’s a really good piece of work that you can do there and help them on that journey, I think.

James Mallalieu

Very true. And I think your analogy stepping in the shallow end because you’re ready to swim is a good analogy. I see a lot of people just milling around the edge of the pool, not even sure whether they should put their foot in and getting kind of pressure from around them in, well, we need to use AI. The media’s telling them to need to use AI or people in the business are requesting AI. And what I feel can be beneficial is to focus on what we call an accelerator, which is a way of taking someone from that. I’m kind of milling around the pool and I’m wondering how and where I should get in and how far I should swim, etc. And what we’re trying to do is saying, okay, this is how we suggest you get going. And this is an exercise where we provide the support, the motivation, armbands, whatever it is that the person needs to get into the pool confidently so that they know what they’re getting into to help the other people around them benefit from, right, okay, we’re going to do something with Copliot. And also to understand the challenges and risks and lay the foundations to mitigate those risks. And I think a common issue I’ve certainly seen over the last six, 12 months is people within organisations from the business want to use AI and IT typically, which is already a very stretch resource, and it’s a resource comprised of people that have many, many plates to spin an IT are really concerned because they don’t feel they have the knowledge, the experience, or the confidence to say that to business “yet let’s do this.” So sometimes it’s easier just to say we are not ready for this and that we can help that part of the equation as well in providing the support to those people to help them roll out or define the rollout in a way that builds the confidence, knowledge, and experience in their team. So as they move forward, they don’t just think, okay, we’re going to roll out AI and it’s going to be the end of the world. It’s the start of Skynet.

Adam Myers

Yeah, the Terminator for any people that were obscured flashed up quite a bit from the 1980s just for Stuart if he’s listening, but it goes back to, yes, I’m not the best swimmer, so arm band’s definitely needed there. So all the analogy is a good one. I like walking around the pool, it’s just, please don’t push me in the deep end. I can just about do 25 metres. But anyway, so just pivoting slightly. So what does secure by design look like when rolling out Copliot?

James Mallalieu

So we think about three key steps, planning, enablement, and adoption. And just to be clear, we typically say think about that in terms of an initial wave of early adopters or a pilot, then early adopters, then broader rollout. So it’s not a, we’re going to do all of this in one go. When we think about the planning, depending on your organisation, depending on the content that you store within Microsoft 365 depending on your policies in place, we typically want to help you understand your data as it currently is, how the policies you have in place impact the data in respect of Copliot, the licencing that you have available, which a lot of people will be surprised at how many capabilities they have available. That can go some way to mitigate the risks in respect of data. So we kind of put together a, this is a starting point. These are things that we suggest you address immediately. These are things that we suggest you address, but realistically it’s going to be a much longer term thing. And to compliment the work that we do around the technical enablement and the policies around information governance, the users. So think about who are the people involved now by people involved, it’s who are the people that are going to help make this happen? So pick your stakeholders, pick people from the business that can drive change. Obviously security people need to be involved, technical people need to be involved, but this isn’t a technology kind of led initiative. What you really want is people in the organisations that are going to be early adopters and come out of it as, call them whatever you want, flag barriers, champions, AI ninjas, doesn’t matter, right? Whatever you want to call them, because those people will actually do the legwork of driving the adoption. That’s so important when you think about a wider rollout.

Adam Myers

That’s very interesting. I like that. And then there’s a little bit just on people working to various existing compliance standards like ISO 27001. I know that 42001 is next around AI, Cyber Essentials. There’s a lot there that happening. So I guess aligning with that and just making sure you’re working with those standards to deliver for that.

James Mallalieu

Yes. And also issuing if you don’t have them or if you don’t have them, issue them if you do have them, update them if required. Issue AI usage guidelines to people. Make sure people are clear on what it is they can do, what it is they may not be allowed to do, and make sure that those always reflect where you are in your journey of rolling out this technology.

Adam Myers

And if anyone does need any help, any our listeners need help, then reach out to myself or James. We can help from the security perspective around (ISO) 27001, we do have various packs that we can provide there just to help you on that journey. Just final topic. So looking ahead, how do you see AI evolving in the workplace, especially in security?

James Mallalieu

What we are typically seeing around Copliot is continual improvements in respect of personal productivity, so really helping people achieve more and more with the tools they have available. In conjunction with that, we are seeing evolution in the way that agents will support organisations. And so the principle at the moment that a lot of agents are powerful, but relatively simplistic, they allow me to ask questions of a specific set of data and it will respond and assist me on that specific set of data. But the sort of emerging area now is the ability for agents to be very much more sophisticated and particularly agent to agent working. So this is where you have a scenario where I talk to one agent and it allowed the agent can trigger another agent on its behalf to go and perform other processes. And so the, I suppose vision is a network of connected agents that can talk to each other in ways that allow them to achieve tasks without a very prescriptive, pre-defined process that has to take into account any combination in the way that those tasks need to be performed. Now, obviously we’re not necessarily there today. The technology is evolving to support that, but we are seeing a lot of investments, certainly from Microsoft in the tools to allow organisations to govern the creation of agents, to manage the cost of the agents, and to provide the auditability and reportability of what those agents are doing and how much they’re costing an organisation. So that’s one of the key areas I see a big change and from a change in terms of the way traditionally organisations would think about building processes and building integration. This concept of using agentic working to think about building solutions is really where the focus is.

Adam Myers

And I think just things like managed SOC, knitting things together, the threat detection response element of security and how that might be able to do more prompts and automation in that side of things. I think we’re seeing more and more security vendors especially willing to collaborate and work together for helping the human element do things on scale on mass. But I do really like the idea of the agent side of things. I think that’s something you taught me again very recently is how you can use agents and the benefits of that. I think you do quite a few webinars. I would highly recommend to check some of those out because you’re getting a very short snapshot of information, which really helps just how you can use your advantage as well, which I think has been brilliant to see. So James, if I was to ask you to summarise just in one benefit, I guess it’s a bit of a bonus question, but if there was one piece of advice that you would give to people listening today, what would that be? One takeaway from this podcast right now on the adoption of AI

James Mallalieu

So one piece of advice I would say: AI is here. It’s not going away. And organisations that kind of say, “we’re not ready for it, it’s not relevant for it, it’s not relevant for us, it’s not relevant for our sector” etc. Then look, again, I know many people that work within organisations that they use AI on an individual level to help what they do, and they get a great deal of benefits out of it. And I would say that you don’t have to go a hundred percent for AI, that’s not what I’m saying, but don’t push it to the end of the agenda because I think organisations that start to embrace it and they get the people within their organisation onboard understanding it, using it, which means you remove some of that kind of human fear element because people kind of, okay, I get this, I get this, I get it. It’s not quite as bright as I thought it was and it’s not quite ready to take over the world. But I think that’s it. I would say embrace it as something that can really benefit people within organisations to improve their productivity and allow them to produce higher quality output results.

Adam Myers

What a great takeaway. Yeah, I think that’s a really good answer. So yeah, I’ve kind of chuck that in at the end just to put you on the spot. So – amazing. And I would highly recommend to check out those AI adoption packs, is a really good starting point. If we use the pool analogy, I guess it’s putting on the armbands and jumping in with a rubber ring off. You’re probably in the shallow end where you can still compete, touch the floor.

So I just want to thank our listeners for joining us today. I want to thank James. I think that’s one of the most insightful podcasts we’ve done. I’ve found that really beneficial and especially at SecureTour as well. I think a lot of our listeners who joined us in person really benefited from your knowledge. I think it’s 25 years in the industry? So you were brilliant at both in person and on the podcast. I hope everyone has enjoyed this episode. Please join us next time. And if you can like and subscribe, it does really help the channel grow.

So until then, Stay Secure.