Florence Mottay began her career in cyber security, researching exploits for security vulnerabilities at a small US startup. Today, she is the group chief information security officer (CISO) at Zalando, a high-tech online fashion retailer that boasts over 50 million customers in 26 markets.
Zalando, she says, is more of a technology company than a retailer, offering its shoppers artificial intelligence (AI)-powered apps that can help them choose the right outfit for an occasion or take their measurements by capturing a picture on a mobile phone.
The company's move to generative AI (GenAI) has created unique challenges for Mottay and her 100-strong IT team. There were no blueprints, so it was a matter of working it out from scratch while working closely with other parts of the business.
Mottay says she "fell into" a career in computer security after receiving an offer from a university in Florida, where she was studying maths during an exchange programme.
"I met a professor of software engineering who must have seen some potential because he said he would sponsor the rest of my bachelor's degree and my master's degree if I agreed to switch from mathematics to software engineering and to work on some of the research grants he was getting," she says.
Starting at a security startup
In 2003, Mottay was offered a job at a small startup that specialised in creating security exploits for US government contractors, such as Raytheon and Northrop Grumman. "I was employee number seven."
Security Innovation, as the company became known, developed proof-of-concept exploits to show how security vulnerabilities in software could be misused by hackers or bad actors if they were left unfixed.
It was a steep learning curve, says Mottay in an interview with Computer Weekly at a SANS cyber leaders summit in London. "For six months, I used to go home after work and study until 3am on how to create exploits, and I became quite good."
Two years later, she was asked to open a branch of the company in the Netherlands to develop exploits for European companies. The branch grew and was taken over by a larger company. Other security posts followed.
Making a switch to retail
After 10 years, Mottay changed direction, taking on a post as director of IT security at Dutch retailer Ahold, owner of the Albert Heijn supermarket chain. Soon after, Ahold merged with the Belgian multinational retailer Delhaize. By 2019, Mottay had risen to become its global CISO and vice-president for information security.
"I quickly learned that stakeholder management and partnering with the business was the way to success," she says. "I started building relationships."
Ahold and Delhaize had a similar history, culture and approach to business, but their IT systems were different. When the companies came together, some IT systems were merged, and in other cases each company kept its own distinct technology.
"For us in security, we found ways to secure whichever choice was made," she says.
From vulnerabilities to fashion
In 2022, online fashion retailer Zalando was looking for someone to transform its security operations and made an approach.
Zalando had an "entrepreneurial spirit" and a focus on innovative digital technology that was immediately attractive to Mottay. "It was like, 'Oh my god!'"
Her brief was to reposition cyber security from a vertical operation that sat alongside other business units in the organisation to a horizontal operation that runs through every part of Zalando.
For Mottay, it was back to building trusted relationships with her new team and the board. That meant finding ways to support the company's goals and to navigate around any security issues that arose rather than seeing them as blockages.
"We're here to support the business and we're here to enable, so we need to find ways to enable what the business ambition is, and I think that's how you build trust," she says.
Mottay says she is fortunate that every business leader at Zalando has a good understanding of technology and cyber security. "It's rare, but it's actually quite exciting," she says. "It's very cool."
Acting fast with AI
Managing security has become harder for CISOs like Mottay as GenAI begins to pose new challenges.
"If you think about ransomware, AI is an accelerator," she says. "It makes attacks more accessible to people, and it makes them faster as well. So that means as a cyber security function, we have to be faster than ever before."
It is more important than ever for organisations to have visibility of everything that is happening on their computer networks, she says.
Take the Log4j security vulnerability discovered in 2021 (Log4Shell, CVE-2021-44228), which exposed a wide range of applications across the enterprise to remote code execution attacks through the Java logging library. The wide distribution of vulnerable software in cloud services and on-premise made it difficult for organisations to detect and patch.
"If you had a bill of materials, you could quickly see where all the instances that were vulnerable were and address them. So, it's the same thinking – if something is going on, can we look and identify where we need to act as fast as possible?" she says.
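As an added example (not code from the article or from Zalando), the following script shows the kind of bill-of-materials lookup Mottay describes: it walks a CycloneDX JSON SBOM, including components nested inside other components, and lists every log4j-core instance whose version falls in the range affected by the December 2021 Log4j RCE (CVE-2021-44228). The SBOM is constructed for illustration; the affected-version rule and the backport exceptions are assumptions a practitioner would replace with the current advisory before relying on the result.

```python
"""Locate vulnerable Log4j instances by querying a software bill of materials.

Added example, not code from Zalando or the article. Walks a CycloneDX JSON
SBOM (including nested components) and flags log4j-core versions in the range
affected by the December 2021 Log4Shell RCE (CVE-2021-44228). The SBOM below is
constructed for illustration; the affected-version rule is an assumption that a
practitioner would replace with the current vendor advisory.
"""
import json
import re
from typing import Iterator, List, Optional, Tuple

# Constructed sample SBOM: two applications that bundle their own libraries,
# plus two top-level libraries. Not a real inventory.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "application", "name": "checkout-service", "version": "3.2.0",
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j",
              "name": "log4j-core", "version": "2.14.1",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
             {"type": "library", "group": "org.apache.logging.log4j",
              "name": "log4j-api", "version": "2.14.1",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
         ]},
        {"type": "application", "name": "legacy-batch", "version": "1.0",
         "components": [
             {"type": "library", "group": "org.apache.logging.log4j",
              "name": "log4j-core", "version": "2.0-beta9",
              "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"},
         ]},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.12.2",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.12.2"},
        {"type": "library", "group": "org.apache.logging.log4j",
         "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    ],
})

AFFECTED_GROUP = "org.apache.logging.log4j"
AFFECTED_NAME = "log4j-core"
# Assumed rule for CVE-2021-44228: 2.0-beta9 up to (not including) 2.15.0 is
# affected; 2.12.2 and 2.3.1 are older-branch releases with the fix backported.
FIXED_BACKPORTS = {"2.12.2", "2.3.1"}
RANGE_LOW = (2, 0, 0, 0, 9)    # 2.0-beta9, the first affected release
RANGE_HIGH = (2, 15, 0, 1, 0)  # 2.15.0, first mainline release with the fix (exclusive)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z]+)(\d*))?$")


def parse_version(version: str) -> Optional[Tuple[int, int, int, int, int]]:
    """Return a sortable tuple (major, minor, patch, is_release, pre_number).
    Pre-releases such as 2.0-beta9 sort before the matching final release;
    different pre-release labels (beta, rc) are not ordered against each other.
    None when the string is not in a form this parser accepts."""
    m = VERSION_RE.match(version)
    if not m:
        return None
    major, minor, patch, pre_label, pre_num = m.groups()
    is_release = 0 if pre_label else 1
    return (int(major), int(minor), int(patch or 0), is_release, int(pre_num or 0))


def is_affected(group: str, name: str, version: str) -> bool:
    """Apply the affected-version rule to a single component."""
    if group != AFFECTED_GROUP or name != AFFECTED_NAME:
        return False
    if version in FIXED_BACKPORTS:
        return False
    parsed = parse_version(version)
    if parsed is None:
        return True  # unparsable version of the affected artefact: fail closed and review it
    return RANGE_LOW <= parsed < RANGE_HIGH


def iter_components(node: dict) -> Iterator[dict]:
    """Depth-first walk over CycloneDX components, including nested ones."""
    for component in node.get("components", []):
        yield component
        yield from iter_components(component)


def find_vulnerable(sbom_json: str) -> List[str]:
    """Return the package URLs (or group/name@version) of affected components, sorted."""
    sbom = json.loads(sbom_json)
    hits = []
    for c in iter_components(sbom):
        group, name, version = c.get("group", ""), c.get("name", ""), c.get("version", "")
        if is_affected(group, name, version):
            hits.append(c.get("purl") or f"{group}/{name}@{version}")
    return sorted(hits)


if __name__ == "__main__":
    for purl in find_vulnerable(SAMPLE_SBOM):
        print("ACT:", purl)
```

Two details matter in practice: the walk must descend into nested components, because application entries in a CycloneDX SBOM often carry their bundled libraries beneath them, and an unparsable version of the affected artefact is reported rather than silently skipped, so that triage errs on the side of looking.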
Zalando is using AI to triage security alerts, but keeping on top of the threats requires "constant upskilling" of the security team and continual monitoring of threat intelligence.
Mottay's experience creating exploits and studying vulnerabilities has stood her in good stead. "When there is an attack, I understand how it was created," she says. "I can dive deep where I need to, because of my technical background."
Adapting to the GenAI dynamic
At the same time, Mottay and her 100-strong security team are supporting Zalando's ambitious generative AI programme.
Zalando began work on GenAI-powered shopping assistants to help its customers with their shopping soon after the launch of ChatGPT in late 2022.
Mottay was asked to help deal with some of the risks posed by AI, including bias, hallucination and misinformation, which fall outside the natural remit of IT security.
Some of the security team were already enthused by generative AI and had begun experimenting with it, so Mottay turned to them first.
"When I got the call, I went to them … and I said, 'Hey guys, do you want to help? Do you want to partner? Let's just do it'," she says. "And so they started working with the business."
Zalando's AI-powered fashion assistant helps customers choose the right outfit for any occasion
There were some clear risks. For example, an AI system might agree to let customers return clothes for a refund even if they had worn them for several years. Or it might offer the same item at different prices to different people.
Mottay's team assembled 80,000 prompts to train the model in a secure way. They classified each prompt into three categories: business-related enquiries about, for example, items for sale; non-business-related enquiries, such as an irrelevant question about ingredients for a recipe; and malicious enquiries, such as a request to run computer code.
The company launched its AI-powered Zalando fashion assistant in selected markets in 2024. The tool can answer questions such as: "I've been invited to a wedding in Barcelona, in October, and the reception starts in the church and finishes on the beach. I'm struggling to find a good outfit. Could you suggest one for me?"
The next challenge will be how to manage the security of agentic AI, which in future will be able to perform automated tasks for customers and the company.
While it doesn't make sense to control AI agents, which by definition have the ability to take action autonomously, Mottay is working with the company to develop overarching rules that will act as safeguards.
The rules will include ensuring that a human is accountable for each AI agent, ensuring that each agent has a clear mandate and that it doesn't have capabilities that go beyond its mandate, ensuring there is an audit trail of each agent's actions, and making sure a human is always involved in any high-risk decisions.
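The four safeguards read as a specification for an enforcement point between the agent and the tools it can invoke. The following is an added example of such a gateway in Python, not Zalando's implementation: every tool call is checked against the agent's mandate, recorded in an audit trail together with the accountable owner, and high-risk calls are routed to a human decision before they execute. The refund scenario, the order data, the tool names and the reviewer rule are all constructed for illustration.

```python
"""Enforcement point for the four agent safeguards described in the article.

Added example, not Zalando's code. A gateway sits between an AI agent and the
tools it may call and enforces (1) an accountable human owner per agent,
(2) a mandate that bounds the agent's capabilities, (3) an audit trail of
every attempted action, and (4) a human decision on high-risk actions.
The refund scenario, tools and reviewer rule are constructed for illustration;
in production the approver would be a real review step, not a function.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Mandate:
    agent_id: str
    owner: str                  # the human accountable for this agent
    allowed_tools: frozenset    # capabilities the agent may use at all
    high_risk_tools: frozenset  # subset that always needs a human decision


class PolicyViolation(Exception):
    """Raised when an action falls outside the agent's mandate or is refused."""


class AgentGateway:
    def __init__(self, mandates: List[Mandate], tools: Dict[str, Callable],
                 human_approver: Callable[[str, str, dict], bool]):
        self.mandates = {m.agent_id: m for m in mandates}
        self.tools = tools
        self.human_approver = human_approver
        self.audit: List[dict] = []  # append-only trail of every attempt, allowed or not

    def _record(self, agent_id, owner, tool, args, outcome):
        self.audit.append({"agent": agent_id, "owner": owner, "tool": tool,
                           "args": dict(args), "outcome": outcome})

    def call(self, agent_id: str, tool: str, args: dict):
        mandate = self.mandates.get(agent_id)
        if mandate is None:
            self._record(agent_id, None, tool, args, "denied:no-mandate")
            raise PolicyViolation(f"{agent_id} has no mandate")
        if tool not in mandate.allowed_tools:
            self._record(agent_id, mandate.owner, tool, args, "denied:outside-mandate")
            raise PolicyViolation(f"{tool} is outside the mandate of {agent_id}")
        if tool in mandate.high_risk_tools and not self.human_approver(agent_id, tool, args):
            self._record(agent_id, mandate.owner, tool, args, "denied:human-rejected")
            raise PolicyViolation(f"{tool} rejected by human reviewer")
        result = self.tools[tool](**args)
        self._record(agent_id, mandate.owner, tool, args, "allowed")
        return result


# Constructed demo: a customer-service agent that may look up and refund orders.
ORDERS = {"A1": {"item": "jacket", "days_since_delivery": 12, "price": 120.0},
          "B2": {"item": "boots", "days_since_delivery": 900, "price": 89.0}}


def lookup_order(order_id: str) -> dict:
    return dict(ORDERS[order_id])


def issue_refund(order_id: str) -> dict:
    return {"order": order_id, "refunded": ORDERS[order_id]["price"]}


def run_code(source: str):
    raise AssertionError("must never be reachable by the agent")


def reviewer(agent_id: str, tool: str, args: dict) -> bool:
    # Stand-in for the human decision on a high-risk action (assumed rule):
    # a refund on an item delivered more than a year ago is refused.
    order = ORDERS.get(args.get("order_id", ""), {})
    return order.get("days_since_delivery", 10**6) <= 365


def build_gateway() -> AgentGateway:
    mandate = Mandate("refund-assistant", "cs-team-lead",
                      frozenset({"lookup_order", "issue_refund"}),
                      frozenset({"issue_refund"}))
    tools = {"lookup_order": lookup_order, "issue_refund": issue_refund, "run_code": run_code}
    return AgentGateway([mandate], tools, reviewer)


def run_scenario() -> Tuple[List[str], List[dict]]:
    """Drive four agent requests through the gateway; return outcomes and the audit trail."""
    gw = build_gateway()
    outcomes = []
    for tool, args in [("lookup_order", {"order_id": "A1"}),
                       ("issue_refund", {"order_id": "A1"}),
                       ("issue_refund", {"order_id": "B2"}),
                       ("run_code", {"source": "import os"})]:
        try:
            gw.call("refund-assistant", tool, args)
            outcomes.append("allowed")
        except PolicyViolation as exc:
            outcomes.append(str(exc))
    return outcomes, gw.audit


if __name__ == "__main__":
    for outcome, entry in zip(*run_scenario()):
        print(entry["tool"], "->", outcome)
```

The scenario mirrors the risk noted earlier: the agent cannot run code at all because that capability is outside its mandate, and a refund on a years-old order is stopped by the human decision rather than by the model's own judgement. Every attempt, including the denied ones, lands in the audit trail with the owner's name attached.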
"We're not perfect, but we've got something good in place, and we're continuously improving. We're looking at agentic security and what we need to put in place to be ready when the business is ready," she says.