Episodes

  • AI Security Frameworks for Enterprises
    2025/06/12

    Welcome to "Securing the Future," the podcast dedicated to navigating the complex world of AI security. In this episode, we unpack the vital role of AI security frameworks—acting as instruction manuals—in safeguarding AI systems for multinational corporations.

    These frameworks provide uniform guidelines for implementing security measures across diverse nations with varying legal requirements, from Asia-Pacific to Europe and North America.


    We explore how these blueprints help organizations find weak spots before bad actors do, establish consistent rules, meet laws and regulations, and ultimately build trust with AI users. Crucially, they enable compliance and reduce implementation costs through standardization.

    This episode delves into four leading frameworks:
    NIST AI Risk Management Framework (AI RMF): We break down its comprehensive, lifecycle-wide approach, structured around four core functions: Govern, Map, Measure, and Manage.

    This widely recognized framework is often recommended for beginners due to its clear steps and available resources. Its risk-based approach is adaptable for specific sectors like healthcare and banking, forming the backbone of their tailored safety frameworks.

    Microsoft’s AI Security Framework: This framework focuses on operationalizing AI security best practices. It addresses five main parts: Security, Privacy, Fairness, Transparency, and Accountability. While integrating with Microsoft tools, its principles are broadly applicable for ensuring AI is used correctly and protected.

    MITRE ATLAS Framework for AI Security: Discover this specialized framework that catalogues real-world AI threats and attack techniques. We discuss attack types like data poisoning, evasion attacks, model stealing, and privacy attacks, which represent “novel attacks” on AI systems. ATLAS is invaluable for threat modelling and red teaming, providing insights into adversarial machine learning techniques.

    Databricks AI Security Framework (DASF) 2.0: Learn about this framework, which identifies 62 risks and 64 real use-case controls. Based on standards like NIST and MITRE, DASF is platform-agnostic, allowing its controls to be mapped across various cloud or data platform providers.

    It critically differentiates between traditional cybersecurity risks and novel AI-specific attacks like adversarial machine learning, and bridges business, data, and security teams with practical tools.

    We discuss how organizations can use parts from different frameworks to build comprehensive protection, complementing each other across strategic risks, governance, and technical controls.

    Case studies from healthcare and banking illustrate how these conceptual frameworks are tailored to meet strict government rules and sector-specific challenges, ensuring robust risk management and governance.


    Ultimately, AI security is an ongoing journey, not a one-off project. The key takeaway is to start small and build up your security over time.


    For more information, read our “Best AI Security Frameworks for Enterprises” blog:

    6 min
  • Global Banks Slash Security Costs 5X with Threat Model Training
    2025/06/02


    Discover how a global financial institution transformed its security posture and achieved massive cost savings through targeted threat modeling training.

    Facing challenges like inconsistent practices, difficulty scaling training across 50 countries, and keeping pace with evolving threats, this bank needed a new approach beyond infrequent, in-person workshops.

    Their solution? Leveraging the Certified Threat Modeling Professional (CTMP) course from Practical DevSecOps. This program offered a practical learning approach with extensive hands-on labs simulating real banking scenarios and crucial 24/7 expert support via Mattermost.

    It covered key methodologies like STRIDE and PASTA and integrated threat modeling into their DevSecOps pipeline. Structured, role-specific training ensured everyone, from developers to core system engineers, received relevant education.

    The results were remarkable:

    • $0.5 million annually saved on training and logistics.
    • Estimated $10 million reduction in potential breach costs.
    • 40% reduced time for threat modeling sessions.
    • 30% more potential threats mitigated in the design phase.
    • 45% reduction in high-severity production vulnerabilities.
    • 150% increase in systems undergoing threat modeling.
    • Achieved 100% compliance with security assessment regulations.

    This success story highlights the power of a scalable, practical, and continuously supported security education programme like the CTMP course in fostering a cultural shift and embedding threat modeling into a global bank's DNA, truly embracing the Shift-left culture.

    Learn how practical training, hands-on experience, and expert guidance can lead to significant efficiency gains, cost reductions, and enhanced security in complex financial environments.

    12 min
  • How a System Administrator Transformed into a Certified DevSecOps Engineer in 3 Months
    2025/05/26

    Welcome to the show! Today, we share an inspiring story of career transformation. We're talking to Kelly, who went from being a traditional system administrator focused on managing legacy systems to becoming a Certified DevSecOps Engineer.

    However, a major security incident – a vulnerable container image making it into production despite perimeter defences – was a real eye-opener. It showed her that traditional security methods weren't quite cutting it for modern, cloud-native applications. This pivotal moment sparked her interest in DevSecOps, but figuring out the next step wasn't immediately obvious. While she had solid Linux and basic Python skills, the world of DevSecOps demanded new expertise: thinking about secure CI/CD pipelines, understanding containers, and mastering tools for SAST, DAST, SCA, Infrastructure as Code, and Compliance as Code.

    Seeking a path forward, Kelly stumbled upon Practical DevSecOps through their extensive YouTube content. What really resonated wasn't just the technical depth, but their practical, real-world approach to security automation. As Kelly puts it, the free YouTube tutorials were "eye-opening". They didn't just show how to use tools, but explained why certain security controls were vital and how they fit into the overall picture of secure software delivery. She found the instructor's ability to explain complex concepts like Container Security Scanning and GitOps using real-world scenarios made everything "click".

    Even with such valuable free content, Kelly knew a structured learning path was essential to achieve her career goals. That’s why she made the decision to invest in the Practical DevSecOps Certification Course. Her study routine became intense but strategic: two hours dedicated to course materials every weekday evening and four to six hours on weekends for hands-on labs and practicing with open-source tools. Time management was her biggest challenge, juggling a full-time job with this intensive learning. But the course's modular structure helped her progress steadily, and the hands-on labs ensured she built practical skills every step of the way.

    Key technical skills she gained included building her first secure CI/CD pipeline using GitLab, learning to build container images, automating SCA and SAST tools, implementing automated vulnerability scanning with OWASP ZAP, and setting up Infrastructure as Code security scanning with Checkov. She also gained an understanding of Compliance as Code and Vulnerability Management, and absorbed the 'DevSecOps Gospel' – best practices for picking and automating tools.

    Just six months later, Kelly's enhanced skill set attracted attention, leading to opportunities at a major fintech company. Her interviews involved practical demonstrations of the skills she’d honed, like setting up secure pipelines in GitLab and Jenkins and building enterprise-level DevSecOps pipelines. The outcome? A senior DevSecOps engineer position with a remarkable 65% salary increase and the chance to lead security automation initiatives.

    Today, Kelly leads a team, implementing automated security testing in CI/CD, cloud-native controls, Compliance as Code frameworks, and security metrics. Beyond the technical wins, she finds the cultural change most rewarding. Developers now grasp security better, security teams appreciate automation, and secure features are delivered faster. Kelly firmly states her transformation "wouldn’t have been possible without the solid foundation I got from Practical DevSecOps".

    Kelly’s advice for aspiring DevSecOps professionals? Start with the right training, particularly through a Certified DevSecOps Professional course, to gain practical skills within a span of 3 months.

    14 min
  • Best DevSecOps Roadmap and Certifications in 2025
    2025/05/19

    Are you a DevOps professional, Software Engineer, or Security Engineer looking to level up your skills in 2025? Ever wondered how top tech companies ship new features fast while keeping their apps super-safe? It's all about DevSecOps – where security meets speed! This episode dives into the DevSecOps roadmap, your guide to success for building faster and safer.

    We'll outline a clear path for professionals to integrate security within the development process. Discover key certifications like the Certified DevSecOps Professional (CDP) for beginners and the Certified DevSecOps Expert (CDE) for experienced practitioners. Learn about essential skills such as building secure pipelines, vulnerability management, compliance implementation, and security integration.

    Understand the core technologies covered, including Cloud Environments, Docker Containerization, Ansible Automation, and Infrastructure as Code (IaC). We'll explore critical security testing methods like Software Composition Analysis (SCA), Static Application Security Testing (SAST), and Dynamic Application Security Testing (DAST). For experienced professionals, we'll touch on advanced skills like implementing the DevSecOps Maturity Model, managing vulnerabilities at scale, and creating hardened golden images using Packer and Ansible.

    Explore how to transition to DevSecOps from other roles, focusing on DevOps basics like CI/CD and containerization, learning security fundamentals, and gaining practical experience.

    Is DevSecOps a good career choice? Absolutely! DevSecOps is a promising career in 2025 due to its growing demand, competitive salaries, and opportunities for growth in this high-demand field. As technology evolves and cyber threats rise, DevSecOps Engineers are increasingly sought after. We'll even look at average salary ranges in different regions like the United States, United Kingdom, and India.

    Following this roadmap and pursuing certifications can transform beginners into valuable team members capable of implementing secure pipelines and vulnerability management.

    Graduates of the Certified DevSecOps Professional program have reported seeing 20-30% salary increases within months. For experienced practitioners, the Certified DevSecOps Expert certification has helped many step into senior leadership roles with expanded security architecture responsibilities.

    Gain real skills, pursue real certifications, and achieve real career growth in the cybersecurity industry.


    Tune in to learn more about this practical path to grow your career in DevSecOps!

    14 min
  • Become an AI Security Engineer in 8 Weeks - Fast-Track Guide
    2025/05/11

    Explore the critical and rapidly evolving field of AI security in 2025 and beyond. With AI now used in 40% of cyberattacks and 93% of companies facing these smart threats daily, the demand for skilled professionals to defend against them is soaring.

    This episode dives into the essential role of the AI Security Engineer, a vital position that combines expertise in both AI systems and security methods.

    We discuss the urgent need for AI security experts, driven by the significant financial costs of cybercrime and the use of AI in critical sectors like finance and healthcare. Learn about the unique vulnerabilities of AI systems and why traditional security approaches are often insufficient.

    Discover the diverse responsibilities of an AI Security Engineer, who works to secure machine learning systems throughout their entire lifecycle.
    Their key duties include:

    • Protecting AI systems from attacks targeting data, models, and infrastructure.
    • Conducting vulnerability assessments against AI models.
    • Building defences against sophisticated AI-based attacks.
    • Enforcing data privacy protocols.
    • Performing threat modelling and testing AI for weaknesses.
    • Developing incident response plans.
    • Collaborating with Data Scientists and Developers to integrate security early in the AI product lifecycle.


    Understand the critical technical and soft skills necessary to excel. Technical skills include understanding various AI threats, security risks in AI models and LLMs, and specific attacks like OWASP Top 10 LLM attacks, adversarial attacks, data poisoning, and prompt injection. Expertise in securing applied AI areas like NLP and computer vision is also vital.

    Security professionals often use frameworks like MITRE ATLAS to map risks. Alongside technical prowess, critical thinking and collaboration with diverse teams are essential soft skills.

    We also explore pathways into AI security. While academic degrees in Computer Science or Cybersecurity provide a strong foundation, AI Security Specializations and certifications are increasingly important. The Certified AI Security Professional or CAISP certification is highlighted as an industry standard, validating practical skills in securing AI systems. Gaining practical experience through projects or hands-on labs is crucial for mastering detection and defence techniques.

    Finally, hear about the high demand and attractive career prospects in this field, with the average salary for an AI Security Engineer in the US reported at approximately $152,773 per year as of April 2025.

    Tune in to learn about the AI Security Engineer roadmap, the skills employers seek, and how you can secure your future in this vital and growing field. Help maintain the integrity of the AI technology that is shaping our world.

    14 min