
The Wild West of AI - Cybersecurity Lessons from Pittsburgh's CUSTOS IQ

Interview by Jonathan Kersting

Artificial intelligence is racing into every corner of business, but too many organizations are still treating it like a shiny productivity toy instead of a serious cybersecurity and business-risk issue.

On this episode of TechVibe Radio, Jonathan Kersting talks with Isabelle Syring and Robert Ragan of CUSTOS IQ about how AI is changing the cybersecurity landscape, especially for companies using large language models, Microsoft Copilot, browser-based AI tools and AI-powered systems in critical industries like energy, manufacturing, oil and gas.

CUSTOS IQ breaks down why the “Wild West” phase of AI adoption is creating real exposure for organizations: employees using personal accounts, confidential data being fed into AI tools, weak or nonexistent policies, unpatched browsers, supply chain pressure and a lack of oversight around AI-generated outputs. The conversation also explores deeper risks like model poisoning, data accuracy problems, prompt hijacking and the danger of relying on AI without human expertise in the loop.

Isabelle and Robert also explain how CUSTOS IQ helps companies move from reactive cybersecurity to a business-aligned, turnkey approach that blends secure systems engineering, compliance, legal considerations and practical AI usage policies. Their message is clear: AI can be an incredible tool, but only when it is built on a strong cybersecurity foundation and guided by people who know how to question, verify and control the outputs.

From protecting intellectual property to securing OT/IT systems powering the next wave of data centers, this episode is a smart, timely look at how businesses can embrace AI without letting it run feral through the server room.

The Pittsburgh Technology Council produces TechVibe Radio to explore Pittsburgh's technology and innovation ecosystem.

Transcript:

[00:00:00] Welcome to TechVibe. So happy to have you here hanging out with us today. This is the place where we give you a front row seat to Pittsburgh's technology and innovation ecosystem. And I'm Jonathan Kersting.

I'm with the Pittsburgh Technology Council. I get to have so much fun talking to our member companies about the stuff they're building, the problems they are solving. And one thing I'm seeing out there right now that I think is just so insane, I think everyone can agree on this, is the Wild West that is AI, artificial intelligence.

We're just seeing it proliferate everywhere for really good reasons, but at the same time, we're seeing offices using it. There's no policies. There's liability. There's all types of crazy things that can really make things not so great with AI. But I have a great set of guests here today to talk about how we can unwind all this and get ourselves on the right foot, and I'm talking about Custos IQ.

We have Isabelle Syring and Rob Ragan hanging out with me today. Guys, I'm so happy to have you here in the Huntington Bank Studios. So much fun. So much fun. Thanks for being here. Yeah. Of course. Thank you, Jonathan, and thank you, Huntington [00:01:00] Bank. Yeah. I can't do this without these guys. Yeah. Simple as that.

Before we jump into everything, first off, you are- you're like the best spokeswoman for your company. Isabelle, tell me what Custos is all about because you do so much. It's more than just your help with AI with companies.

You do a lot of stuff. Give me the pitch like we're riding in an elevator or someplace, and- Yeah. Yeah ... I need to know more about you. So we're in offensive cybersecurity. We assess and manage risk for critical infrastructure and systems. We view cybersecurity holistically, so we're trying to turn IT from a-- We're trying to turn cybersecurity from an IT problem into a business advantage, which means that with our decades of experience in IT, we deliver a tur- full turnkey solution to your business, covering the engineering and securing of systems, the compliance aspect, the legal aspect.

We're really more than a risk advisory firm. When we design a secure system, we not only engineer it, but we will also build it for you. That's what I'm [00:02:00] talking about. See? I learn so much. Rob, I'm glad you guys are hanging out together. We're happy to be here. Yeah. What we are is about managing digital assets.

So- you see a lot of companies who are just focused on the tech stack or some rule that they put in. We look at the whole business holistically and align the cybersecurity risk management to the business processes. Yeah. I see what- So much of what you do, I see people bringing in three or four vendors sometimes to do.

And you're trying to get them to all work together to be on the same page, where you're the one organization that can really handle across what all the different needs are so you don't have to worry about telling the other vendor what you've been working on. We are- No miscommunications going on as far as that is.

So that, I think that's very unique to what you guys do 'cause you do offer that complete coverage. Yep. We are all about delivering turnkey solutions, especially to medium-sized enterprises who a lot of times do not have all of that expertise in-house. Yeah. And the benefit, as you just said, when you do business with Custos IQ, is you don't bring in five or six [00:03:00] different vendors.

You have the one-stop shop. Yeah, 100%. And so you are no stranger to TechVibe. It's always great to have you back on. And why I love having you come on is because, A, not only do you bring your good vibes with you every single time, but you bring me great knowledge, which means you're bringing our listeners and our viewers great knowledge.

And I started this whole show off, talking about the Wild West of AI. And it's... I get a front row seat to it. You get more of a fr- you're in the trenches. I get the front row seat. Yeah. And I'm just like, "Oh my goodness." There's some craziness going on out there. Rob, what is making it so wild, for lack of a better term right now?

The thing that makes it so wild is there's, there are typically no policies that people have in place on- Yeah ... the use of AI. We have familiarity with organizations that have adopted AI, they may have employees who are using their own personal accounts people who may be using some company paid-for accounts maybe people who are using Copilot as an example that's integrated with Microsoft [00:04:00] 365.

But there's no attention being paid to the security that goes around the data that's being fed into these engines. Yeah. And it, what happens is there's also no review or qualification of the generation of the data that comes out of these engines, and people use them without considering, is this really what the company wants?

Yeah ... people are typically hired because they have a certain expertise in an area, but a lot of times it's AI that's making the decisions and not the people who are involved. See that's where Wild West begins. Correct. And I b- I think Gartner had a study recently that said, I think, more than 60% of organizations just don't even have a strategy.

Correct. Which once again is go to the Wild West, right? That, that, that- So I'm like, "Oh man, please" ... that, that is correct. There's been a couple of interesting studies also that came out of Harvard that were talking about how people are using AI and how- It's being implemented to just help them do very simple tasks, craft emails- review legal [00:05:00] contracts. However, nobody knows exactly where that's gone, and a lot of times there's a lot of confidential company information that gets into those large language models. And how that's gonna be used is depending on the level that you signed up for, as well as the legal contract that's been put in place for the service- Yeah

that you're using.

So you gotta tell me more about the technology behind this. I think it's evolving so fast that's creating some of these problems as to why people aren't putting plans together, people are just using it randomly. You see a new model and you wanna try it for something, so you get a free account real fast, but you're using it for business, and then all of a suddenly that's part of your stack and you don't even know it's part of your stack at work, right?

Is that something that you're seeing happening? Absolutely. Okay. We get brought in by organizations of various levels of size to craft internal AI policies. For some organizations, they're not only using AI for their daily day-to-day tasks, they're now using AI in oil and gas for predictive valve maintenance, [00:06:00] in manufacturing for the OT- Yeah

IT conversions, for sensor maintenance. And it can get pretty serious, so especially with AI for predictive valve maintenance- Yeah ... in oil and gas. A pipeline could blow. That's what I'm talking about. So- Yeah ... yeah. That's why it gets real serious real fast if there's vulnerabilities. So the idea right now, the whole Wild West for me is around the fact that- - this is making things more, or should I say less secure.

I feel like now you're probably seeing a couple different things happening in the marketplace right now. A, you're probably running into some companies that maybe have been using AI for the past couple years off and on without an official policy.

They know they're using it, but they feel like they can see some dangers, so they wanna call you in to kinda help create a nice landscape where they can actually thrive and use this as a tool for good. And then you're probably seeing the other end, where you have someone who's just starting out and just has no clue what's going on.

So if there's... I hope they do this before they really get started. I feel like this is foundational. Just like your cybersecurity or anything with your business, this is the way you run your business. Help us build this platform so [00:07:00] we can use it properly and know it's being used securely and so forth.

Is that- Well, it, it's- Am I braining in the right direction there? Y- absolutely. Okay. And I think the key point is that it just is not a- all about AI. Okay. It is really about your company's foundation and cybersecurity. Yes. It... This goes well beyond the IT department's- That's interesting hearing that.

Yeah, so the idea that cyber is really underpinning all of this, 'cause that's really what it comes down to. That's correct. Okay. Before you were securing your workstation, you were trying to stop viruses from getting in. You were trying to look for ways to make sure that you could detect viruses that got into a workstation.

But now we're starting to talk about data. We're talking about how your data is tagged, and a lot of organizations do not have their data tagged. So there are certain pieces of information that you don't want to leave the organization. As I say, it's your intellectual property. It, it- It's your stuff.

It's what makes you you- it, it- ... and you can't just make sure anyone gets their little hands on it. Yeah ... well, it's what you're selling, right? Right. And you wouldn't turn that over to a competitor, [00:08:00] but... a lot of people will turn that over to AI. You say it like, relaxed and calm too, 'cause it's absolutely true.

We see it all the time. I know. Exactly. And it's crazy, and there's all sorts of different implications that go on with that from, "Oh, my IP's now out on the internet, and my competition can go pull it up in ChatGPT or Copilot or whatever." There's also the issue of that these large language models have recently had some very serious hacks done to them.

I haven't heard about that. Okay. Which Isabelle can talk about. Yeah. Tell me. So we were talking about LLMs being hacked now. Yeah. It's like, once again, a new target for people to completely, you know- Correct. Yeah. Okay. So tell me, please, Izzy. You know this stuff. So in, in our two biggest fields, which is energy and manufacturing, so the biggest attack surface that we see with AI is either model poisoning- Or data accuracy.

So either an attacker is going to reframe questioning and reposition questioning so many times [00:09:00] until they have been able to poison a model, and they can then extract the data out of it. This recently happened with one of the very well-known LLMs that I'm not gonna mention here. But they were able to gain privilege escalation into the model.

They wrote a Python script, and they were able to- ... extract 200 million tax returns- Oh my goodness ... out of a government agency that was using this AI model to, to enumerate these tax returns. Oh my goodness. See, that's the type of thing when I hear that, it's- Yeah ... like, yeah oh. And then in energy or in manufacturing, what we're also seeing is for this predictive maintenance that people are trying to utilize for their sensors where it's applicable if your data isn't right and you're, there's in- the data is being targeted and it's being destroyed or it's- wrong and it then it g- it gets fed into these AI-powered sensors, predictive maintenance could be off. You could be wasting a lot of time. In, the case of oil and gas for a valve, a for lack of a better word, a pipeline could blow up, right? Exactly right. Yeah. No, it's- So for a lot of [00:10:00] people, what we're really recommending is saying, "Hey, use this as a tool," but you are still the technician, and you still need to practice the oversight over this.

So- I, I love you saying that 'cause I've been hearing that a lot, too, and I think it's important for us to keep talking about this, is the fact that, yes, any level of AI is interesting and fun, but at the end of the day, you make, as the human, makes- Yeah ... the final decision and has the full control.

You just can't leave it carte blanche and just let it think everything's gonna be fine because of it. That really is it's a tool for a human, not a replacement for a human. Well, what you have is a typical case. Yeah. Goes, dates back from the very first eons of bits flying into computers.

Okay. Yeah. Garbage in, garbage out. Garbage out. Okay. Yeah. Yeah. Yeah. Yeah. That's like a great bumper sticker I could put on my car. Yes. Yeah, e- exactly, but y- just because it's a new piece of technology, there are a lot of rules that still apply. Okay. And it really takes an intelligent user and somebody who can critically think.

We, I wi- I will freely admit, we use AI in a lot of times to solve technical problems, [00:11:00] and we were on a case with a situation that we had and- Isabelle here was cranking it through, trying to get the answers. How can we fix this really quick? Okay. And finally, it came back with an answer that said, "Open a Microsoft support case."

The funny ending to that story is five minutes later, I just figured it out myself. I would look at it like by doing all that prompting back and forth, breaking AI- Yes, I- It made the gears in your brain turn there, Isabelle. The humans still solved it. Yes, exactly ... but it's fascinating to see. Yeah. And a lot of the information that this whole chat was producing was woefully wrong. However, if you don't know this because of your experience you would be off in the weeds and probably making things a thousand times worse.

Times worse. Oh, absolutely, yeah. It was quite a fascinating exercise to go through and it was funny. And our particular problem that we had was related to a TPM key in the TPM- What's a TPM key? I knew you were gonna [00:12:00] ask. Yeah. I need to know these things. I'm here to be educated.

It, the TPM key is a key that's built into either a virtual machine- ... or a physical piece of hardware that keeps the device secure. Okay. And I won't go into any more of the gory details on this particular situation, but we ran into an issue with a system that crashed, and the TPM keys were related to the old system and not in the new system.

Okay. And the machines weren't behaving properly. It... I would imagine there'd be a little mutiny going on- Yes, there was ... at that point. Yeah. But it's a prime example of how you really can't rely on AI 100%. Exactly. You still need people who are experienced and someone to watch the AI, if you will.

Exactly. Aside from the security perspective, so we're talking about practical use within a business, information, data, but then you get down to the security aspects of this. So you wanna start watching, the prompts. There can be prompt hijacks. There can be lots of different things that can happen [00:13:00] just in interaction with the ChatGPT model-

Copilot, whatever it is. And one of the other attack surfaces is really your browser because a lot of people are interacting with this stuff via the browser. Everything... I would say it has- Yeah. I feel like every- That's probably 90% of these cases. Right. You're on your browser using this, so- Right

of course that's the easiest thing for folks to hack. So if they're in there, they can- Well, yeah, un- unpatched browsers are a big risk, and we talk to people about, "Oh how often have you patched the zero-days in your browser?" And they look at us like, Like, "What are you talking about?"

"Like, are you, are-" If you're asking me that, I'd be like, "I don't know. You tell me." "We are Martians from Mars." Exactly right. So tell me a little bit about how you work with a company as they bring you on to maybe just set the ground rules and kinda get a good foundation running.

So actually, the majority of cases where we've now been brought in- Yeah ... and I think a lot of people are not aware of this yet, but a lot of the bigger players in the market are now starting to crack down on their supply chain when it comes- Oh ... to AI use. That makes a lot of sense. They now want- Interesting

they're [00:14:00] now requesting additional information from their vendors. Okay. And the vendors are now like, "Oh, maybe we all need to hit the pause button here real quick and see what we're doing before, we could get into trouble down the road." That makes 100% sense, yes. So what we deliver to organizations is, as we mentioned earlier, the turnkey solution where we walk in, we assess how AI's being used, we assess the security practices, and we provide them with a comprehensive internal policy that will not only cover the security and the AI use aspects of it, but also the compliance and legal aspects, if there are any.

Yeah. And once again, that goes back to when we were originally talking, the idea that sounds like something you could call on a couple different places to do. Yeah. And people often do, but the idea that you can c- you can do that through one engagement, I think is just really effective and probably saves a ton of time, and just keeps things a little smoother.

You at least then have c- cohesive knowledge. Yeah. And people who have the expertise to deliver the end result- Exactly ... as opposed to f- five or six different teams of people who maybe dabble in this or that. Right. Y- you're bringing the whole thing to [00:15:00] the table, which is really cool.

One thing I think has been so much fun watching you guys over the years is we've talked about various topics around cybersecurity. I know last time we talked about phishing and some things like that. This whole thing we've been talking about today I feel like has really risen in the past 18 months or so.

Oh, yeah. As people have really just doubled down on all things AI. So it's gotta be really exciting to see this come in and know that you've got the technology and the answers behind this to be helpful. I think that's gotta be a lot of fun to be riding this wave and keeping people and companies and their data safe while this all kinda transpires.

It, it certainly is a is a great time to be in, involved with security, and the, one of the, one of the biggest issues that organizations really have to come to terms with is that they can't disregard this. Yeah. And that's something that I think a- I've always talked about with you guys, w- just with cybersecurity in general, has always been this isn't, like, something that you think you wanna do or you'll get to it.

It's just part of how you do business, right? You have to have the cybersecurity stuff and policies in place, which once again, underpins [00:16:00] anything you're gonna be doing with AI on top of that, yep. I'm also curious about some of the other things that, that Custos does because, and you were mentioning earlier, you have some customers that are, like, in the energy space.

It's gotta be so much fun to be, in the manufacturing space, which I think is just so crucial to Pittsburgh and what we have traditionally done. Tell me more. Yeah, right now we're s- especially with the conventional natural oil and gas producers here in Western Pennsylvania, a lot of them are now getting their feet into producing energy for data centers.

Yes. So we are now getting involved in that aspect, which is super cool. We get to play with a lot of the OT and IT convergence, so in deploying SCADA systems, securing networks, building DMZs. We're really big champions of that industry, and we think it's awesome that, this is coming together for Western Pennsylvania.

Absolutely. No, it's just Pennsylvania in general. The state really has a great opportunity- Oh, yeah ... with the natural resources that we have here and that we have producers that can actually jump on the [00:17:00] bandwagon. And a lot of them are also not just data centers. That's the big hot tip these days, but there are a lot of people who are investing in generators that are natural gas-powered to help y- conquer the deficit of power that we have.

I have learned so much. It's why I love hanging out with you. I encourage everybody, go to custosiq.com. Your website's fantastic. It really ratchets out all the service you have, goes over a lot of what we talked about today, which to me is just key stuff, and so much fun hanging out with you guys as well- Yeah. Thanks, Jonathan ... at Huntington Bank Studios. You're so much fun.

Cannot wait to have you guys back on, because there's always something changing in this field. And I like saying attack surface. So once again, thanks, guys, for hanging out with me.

Oh, thank you, Jonathan. We, we appreciate you and the Tech Council. Oh. And thank you, Huntington Bank, for this wonderful space. Man, they're gonna love you guys, man. Simple as that. In case you forgot, this is Jonathan Kersting with the Pittsburgh Technology Council, and I look forward to seeing you on the next one.