
Practical DevSecOps


Author: Varun Kumar

About this content

Practical DevSecOps (a Hysn Technologies Inc. company) offers vendor-neutral and hands-on DevSecOps and Product Security training and certification programs for IT Professionals. Our online training and certifications are focused on modern areas of information security, including DevOps Security, AI Security, Cloud-Native Security, API Security, Container Security, Threat Modeling, and more.



© 2025 Practical DevSecOps
Education
Episodes
  • AI Security Frameworks for Enterprises
    2025/06/12

    Welcome to "Securing the Future," the podcast dedicated to navigating the complex world of AI security. In this episode, we unpack the vital role of AI security frameworks—acting as instruction manuals—in safeguarding AI systems for multinational corporations.

    These frameworks provide uniform guidelines for implementing security measures across diverse nations with varying legal requirements, from Asia-Pacific to Europe and North America.


    We explore how these blueprints help organizations find weak spots before bad actors do, establish consistent rules, meet laws and regulations, and ultimately build trust with AI users. Crucially, they enable compliance and reduce implementation costs through standardization.

    This episode delves into four leading frameworks:

    • NIST AI Risk Management Framework (AI RMF): We break down its comprehensive, lifecycle-wide approach, structured around four core functions: Govern, Map, Measure, and Manage. This widely recognized framework is often recommended for beginners due to its clear steps and available resources. Its risk-based approach is adaptable for specific sectors like healthcare and banking, forming the backbone of their tailored safety frameworks.

    • Microsoft’s AI Security Framework: This framework focuses on operationalizing AI security best practices. It addresses five main parts: Security, Privacy, Fairness, Transparency, and Accountability. While integrating with Microsoft tools, its principles are broadly applicable for ensuring AI is used correctly and protected.

    • MITRE ATLAS Framework for AI Security: Discover this specialized framework that catalogues real-world AI threats and attack techniques. We discuss attack types like data poisoning, evasion attacks, model stealing, and privacy attacks, which represent “novel attacks” on AI systems. ATLAS is invaluable for threat modelling and red teaming, providing insights into adversarial machine learning techniques.

    • Databricks AI Security Framework (DASF) 2.0: Learn about this framework, which identifies 62 risks and 64 real use-case controls. Based on standards like NIST and MITRE, DASF is platform-agnostic, allowing its controls to be mapped across various cloud or data platform providers. It critically differentiates between traditional cybersecurity risks and novel AI-specific attacks like adversarial machine learning, and bridges business, data, and security teams with practical tools.

    We discuss how organizations can use parts from different frameworks to build comprehensive protection, complementing each other across strategic risks, governance, and technical controls.

    Case studies from healthcare and banking illustrate how these conceptual frameworks are tailored to meet strict government rules and sector-specific challenges, ensuring robust risk management and governance.


    Ultimately, AI security is an ongoing journey, not a one-off project. The key takeaway is to start small and build up your security over time.


    For more information, read our “Best AI Security Frameworks for Enterprises” blog:

    6 min
  • Global Banks Slash Security Costs 5X with Threat Model Training
    2025/06/02


    Discover how a global financial institution transformed its security posture and achieved massive cost savings through targeted threat modeling training.

    Facing challenges like inconsistent practices, difficulty scaling training across 50 countries, and keeping pace with evolving threats, this bank needed a new approach beyond infrequent, in-person workshops.

    Their solution? Leveraging the Certified Threat Modeling Professional (CTMP) course from Practical DevSecOps. This program offered a practical learning approach with extensive hands-on labs simulating real banking scenarios and crucial 24/7 expert support via Mattermost.

    It covered key methodologies like STRIDE and PASTA and integrated threat modeling into their DevSecOps pipeline. Structured, role-specific training ensured everyone, from developers to core system engineers, received relevant education.

    The results were remarkable:

    • $0.5 million annually saved on training and logistics.
    • Estimated $10 million reduction in potential breach costs.
    • 40% reduced time for threat modeling sessions.
    • 30% more potential threats mitigated in the design phase.
    • 45% reduction in high-severity production vulnerabilities.
    • 150% increase in systems undergoing threat modeling.
    • Achieved 100% compliance with security assessment regulations.

    This success story highlights the power of a scalable, practical, and continuously supported security education programme like the CTMP course in fostering a cultural shift and embedding threat modeling into a global bank's DNA, truly embracing the Shift-left culture.

    Learn how practical training, hands-on experience, and expert guidance can lead to significant efficiency gains, cost reductions, and enhanced security in complex financial environments.

    12 min
  • How a System Administrator Transformed into a Certified DevSecOps Engineer in 3 Months
    2025/05/26

    Welcome to the show! Today, we share an inspiring story of career transformation. We're talking to Kelly, who went from being a traditional system administrator focused on managing legacy systems to becoming a Certified DevSecOps Engineer.

    A major security incident – a vulnerable container image making it into production despite perimeter defences – was a real eye-opener. It showed her that traditional security methods weren't quite cutting it for modern, cloud-native applications. This pivotal moment sparked her interest in DevSecOps, but figuring out the next step wasn't immediately obvious. While she had solid Linux and basic Python skills, the world of DevSecOps demanded new expertise: thinking about secure CI/CD pipelines, understanding containers, and mastering tools for SAST, DAST, SCA, Infrastructure as Code, and Compliance as Code.

    Seeking a path forward, Kelly stumbled upon Practical DevSecOps through their extensive YouTube content. What really resonated wasn't just the technical depth, but their practical, real-world approach to security automation. As Kelly puts it, the free YouTube tutorials were "eye-opening". They didn't just show how to use tools, but explained why certain security controls were vital and how they fit into the overall picture of secure software delivery. She found the instructor's ability to explain complex concepts like Container Security Scanning and GitOps using real-world scenarios made everything "click".

    Even with such valuable free content, Kelly knew a structured learning path was essential to achieve her career goals. That’s why she made the decision to invest in the Practical DevSecOps Certification Course. Her study routine became intense but strategic: two hours dedicated to course materials every weekday evening and four to six hours on weekends for hands-on labs and practicing with open-source tools. Time management was her biggest challenge, juggling a full-time job with this intensive learning. But the course's modular structure helped her progress steadily, and the hands-on labs ensured she built practical skills every step of the way.

    Key technical skills she gained included building her first secure CI/CD pipeline in GitLab, building container images, automating SCA and SAST tools, implementing automated vulnerability scanning with OWASP ZAP, and setting up Infrastructure as Code security scanning with Checkov. She also gained an understanding of Compliance as Code and Vulnerability Management, and absorbed the 'DevSecOps Gospel' – best practices for picking and automating tools.

    Just six months later, Kelly's enhanced skill set attracted attention, leading to opportunities at a major fintech company. Her interviews involved practical demonstrations of the skills she’d honed, like setting up secure pipelines in GitLab and Jenkins and building enterprise-level DevSecOps pipelines. The outcome? A senior DevSecOps engineer position with a remarkable 65% salary increase and the chance to lead security automation initiatives.

    Today, Kelly leads a team, implementing automated security testing in CI/CD, cloud-native controls, Compliance as Code frameworks, and security metrics. Beyond the technical wins, she finds the cultural change most rewarding. Developers now grasp security better, security teams appreciate automation, and secure features are delivered faster. Kelly firmly states her transformation "wouldn’t have been possible without the solid foundation I got from Practical DevSecOps".

    Kelly’s advice for aspiring DevSecOps professionals? Start with the right training, particularly through a Certified DevSecOps Professional course, to gain practical skills within a span of 3 months.

    14 min
