Transcript of AI Productivity vs AI Security: The Human Risk Behind AI with Fable Security

When you start a business or even something like this podcast, you realize pretty quickly how many things you suddenly have to figure out. You're thinking about the product, the brand, the website, the marketing, and at the same time, you're just trying to get something out into the world. I remember those early days of building businesses where every week there was another system to learn or a tool to figure out. That's why platforms that simplify things can make such a big difference. And for a lot of entrepreneurs, That platform is Shopify. Shopify powers millions of businesses around the world and about 10% of all e-commerce in the US. From huge brands to people just launching their first product, they make it really easy to build a great-looking online store with ready-to-use templates that match your brand. Shopify also has built-in tools, including AI features that help write product descriptions, page headlines, and even improve your product photos. And everything runs in one place. Inventory, payments, analytics, shipping, returns so you're not juggling 5 different platforms just to run your business. Start your business today with the industry's best business partner, Shopify. Start hearing— sign up for your $1 per month trial today at shopify.com/ryan. That's shopify.com/ryan.

When AI processes, when you give a prompt, if you give a clear prompt, you have to process tokens. There's a cost associated with every prompt or every question. One thing OpenAI, I believe, has said is there are I'm one of those people. I'll be like, can you please do this thing for me? Thank you. And they said, if you add please and thank you, it takes up more tokens. Just be direct. Just remove all the pleasantry. That's crazy for me. I'm Canadian. I say sorry. I say thank you. I say please all the time. Turn out that's not good for AI. Turns out it's costly. This is Right About Now with Ryan Alford, a Radcast Network production. We are the number one business show on the planet with over 1 million downloads a month, taking the BS out of business for over 6 years and over 400 episodes. You ready to start snapping necks and cashing checks? Well, it starts right about now.

Companies are adopting generative AI tools faster than almost any technology we've seen. The productivity upside is real, but so are the risks. Today's guest is working at the intersection of AI adoption and cybersecurity, helping companies understand why the biggest threats aren't always hackers— they're human behavior. Nicole Zhang is the co-founder of Fable Security, and today talking about how organizations can embrace AI without accidentally exposing their most valuable data. Nicole, welcome to Right About Now.

Thanks for having me. Great to meet you.

I know you're in Boston today. We're in South Carolina. We got the East Coast covered and we're going to talk all things AI security. It's funny, Nicole, this is something that's been on my mind. I was having flashbacks when the internet started getting going and we started Googling everything and we started putting all our stuff on social media. It dawned on me, this was probably like in 2004 or '05, we sure are openly giving up a lot of information. What is happening to all this stuff? And now I've sort of had I had the same epiphany a few weeks ago, which is why I love having the opportunity to have you on the show. It's like, yeah, maybe we need to think about this a little more than we are. Not slow it down, but just be aware.

I'm sure we love looking at things we've posted 10, 15, 20 years ago. It's a good throwback, but also just like, oh wow, there's a lot of things on the internet that we shared.

Yeah, exactly. And so now we're telling AI our deepest secrets so it can help us solve puzzles, write contracts, all that stuff. And it's like, well, where is that data going? I have a feeling you might tell us. But Nicole, I'm anxious on this topic because it's like so real for me owning businesses and use it. So let's set the table, give everyone a little bit of your background, what got you into Fable Security and cybersecurity and all that good stuff.

My name is Nicole Jiang, co-founder, CEO, Fable Security. We've built a human risk platform that shapes secure employee behavior. Behind the scenes, we leverage a mix of AI, ad-tech approaches to understanding employee behavior in an enterprise. We deploy just-in-time personalized interventions when we see employees doing some things that might expose more risk than necessary for our organization. We do this better than typical typical annual security compliance training, which is what the industry status quo looks like. Our approach is relevant, personalized. It really drives at the risky behavior at time when things are happening, almost like that just-in-time coach. The reason why we started this business had a lot to do with my previous background with me and my co-founder. Sany came from an ad tech background, so making ads super relevant, super clickable, convert people from buying things, not even know that they want. Our shared background also came from Abnormal Security, another startup before that we were founding members of. We leverage AI to look for phishing attacks. Phishing became super prevalent in today's age. AI unfortunately supercharges attackers. Like they literally have the tools to send you really targeted phishing threats. And Sei and I both realized that we really want to focus on the human layer to teach people to better defend themselves from not just bad phishing, but also all sorts of social engineering attacks, all sorts of things that people may do that introduces risk, not just to enterprises, but also for themselves.

And so that's the reason why I became super interested in not just cybersecurity, but ways to protect people and ensure that we can all be more productive and more effective as we work.

I'm glad we have people like you. Some people get annoyed about tech security, back channels. Oh, they're putting the guardrails on everything. I tend to be a rule breaker, but I actually really appreciate the people that actually put the guardrails up that need to be there to help us from ourselves and especially from the bad guys. Thank you for the service to our cyber community. This stuff is, I think about about the, like, the curve of internet and then social media and then the speed with which we could do these things with bandwidth increases. AI is on all that on steroids. It's like, yeah, moving so fast. Are companies moving faster than their security frameworks?

When I look at customers that we serve today, we're seeing interesting diversions. Companies that haven't been in this industry for the past 10 years looking at cyber. I see a lot of companies going through digital transformation. So if you asked 10 years ago, it's like moving from on-prem setup to cloud, right? So that was a big shift. We're seeing companies that are forward-thinking, they're more mature, they are really technology-driven, they're getting so much more upside from AI. And then we're also seeing companies that might be generation— they've been around for over 100 years, they have a solid business, they're maybe not as tech-enabled or digital transformed, they're a bit slower. So we're seeing adoption curves in various ways. And so that's the shape of the companies. And then from a security perspective, it's also around how companies view security. Everyone needs security. There are compliance requirements, there's a baseline, there's a lot of now common languages on what needs to be done from a security level. But I do see that companies who are really thinking about investing in digital AI technology transformation, they really double, triple down in their security investments. And then some may still be checking the box.

I really see the divergence of companies based on their tech savviness, their belief in modernizing. Now, from a particular companies that are really adopting AI, you really do— I think it really depends on the people, people in the company. For example, if you're a very developer-centric company, you just see like a There's a ton of crazy things that people can do with AI. They're tinkering, they're trying, and the organization allows them to do that, right? They take on the risk for innovation, and the trade-offs might be risk. For some other ones, they're worried about, for example, healthcare companies, you're worried about HIPAA. Financial, you care about PCI, PII. There are real, like, financial business consequences if you tinker too much. We also see other companies will create playground or sandbox for people to play, and then it's a balance of letting people try things out, innovate, but also, like, not break the bottom line for the business. We're seeing all of those, but we are seeing more and more companies just their time is spent on trying AI, being more productive. And if you're in this like marathon race, some are at the beginning at one end and some are kind of trailing.

And I think that space will become larger as we go.

Some people have to go slower due to risk, risk tolerance, data, and then some are stodgy and need to be moving faster. They're going to be irrelevant. And then there's the ones that are moving really quick that are really nimble. I can speak small business, but I talk to Cisco, I mean, some of the largest corporations in the world. So I'll speak from kind of both ends of it. As a small business, I had 18 to 20 employees in 2021. I really grew faster than I wanted to. I worked in Manhattan. I had a team of 100 people directly or indirectly reporting to me. I didn't want to, I didn't start my business going entrepreneur. I just did not want to manage that many people. Part of it was intentional kind of scale back. But what the last few couple, 3 years has done is not replaced those people because I kind of scaled the business away from them. So it wasn't, oh, I just replaced all these people with AI. No, it allowed me to do some things to maybe accelerate the de-scaling because I could take on more. I now have Agentic AI throughout my businesses as a small business.

And I know I'm probably ahead on the small business curve because I've worked nationally and have this background. But I also have started to pause and go, okay, where's all this data going? And I know OpenAI or ChatGPT, OpenAI, okay, they've got security measures. I've read as much because I can stand with the legal jargon that's in all this stuff. And it's funny because I own a publishing company on the podcast network side, and then I own an agency. And so I'm developing tools, thinking about that data. And then I've got the podcast network side with publishing, and I'm going, what about all this content? How's that being digested and then used? And why aren't we getting paid for it? That's a whole other topic. There's a lot of people asking these types of questions right now, like myself, at all levels, which is, this is great, I'm comfortable moving fast, but sometimes you don't know what you don't know. But I know I don't know something that I might should know about where all this data's going and what I need to be thinking about. That's why we got you here, Nicole. What do we need to be thinking about and what kind of sensitive information are people accidentally sharing with AI tools?

Hey guys, if you've ever built a website before, you know how quickly it can turn into a time suck. Recently I've been playing around with Wix's new hybrid editor called Wix Harmony. You You basically start by telling it what you're trying to build. You prompt it to generate a professional-grade site just like you want it. And here's the part I like. You can easily go back and forth between AI and hands-on editing whenever you want. The AI agent Aria is an expert in website design and business. She can answer questions or perform direct actions throughout the process, which has been huge for me when I'm trying to perfect the look of my website. They've also got built-in tools for selling, booking, and marketing. Pretty much all the stuff you actually need once the site's live. If you're building anything right now, a side project, brand, business, whatever, Wix Harmony honestly makes it easier to get out of your own way and start making stuff happen. Go to wix.com/harmony. That's wix.com/harmony. Start your website today.

I have a couple of thoughts on this, and I've been thinking quite a bit about it. If you think about AI in its like purest, purest form, not even technical jargon, what does AI do for you? AI is running Ray is giving you insights faster than a human analyst. For you to read 20 blog posts, surface the insight, you can now say, read all of them, give me the insight, ask me questions, ping pong, be my reasoning partner. AI can automate certain things for you. Before, you have to do step 1 through 20 to get to a task. Now you can automate those things running in the background. These things are human-instructed. The way you want some things to be done requires hyper-clarity on the outcome you're looking for. And AI is just extracting data, content, information that you have in your system today. So when I think about the the two risks. If you don't know what you're looking for and you ask a stupid question, that exposes risk in ways that, you know, an employee does this, you go, why are they asking this question? Can they— should they be asking this question?

Damn, if they ask this question, they might get the answers now. And the answer is so easy. This is like a net new set of things that folks are worried about. The other piece is I think AI also makes it— if you think about it, right, every AI service wants faster adoption. So they say integrate with all your tool stack. We can do all of these things. People don't think— no one thinks about permissioning. No one thinks about data. They think about adoption. Easy click, one click. If your house is not clean, like if your database is not clean, if your systems are not clean, a lot of companies don't think about that. You can ask a question and you get the answers because the underlying data is chaotic on its own. When I see our customers and maybe for you, Ryan, getting your jobs done and getting your tasks done, it's awesome. But then who did the data cleanup in the first place? There's also just this fundamental— regardless of AI, regardless of how we use, there is still a fundamental data hygiene, security hygiene thing that we've got to figure out. All these advancements, it's putting the security foundation into a massive test.

And attackers know that. And so they really try to exploit now with additional vectors in a faster way through AI, through prompting. That's why when I think about security practitioners, they might feel stressed knowing that their house needs to be in order to support all these evolution of technology.

Superhero movies, it's like, well, who has the superpowers? Who are the mutants? The good guys and the bad guys have the same superpowers. Who's using them best? The bad guys are using these tools to take all this other stuff to advance their criminal behavior or their sneaking around or whatever they're doing, no matter how nefarious or not, and as far as it is, as the good guys, we gotta use these same superpowers to both protect it and to use it for what we're ultimately using it for. It's like anything else. The bad guys seem to always be at least even and sometimes one step ahead of us. And not that we're all perfect. I'm 100% sure I'm not a criminal. I've been called a cheater in a few board games every now and then, but that doesn't mean it was true, Nicole. I just like to win.

It's like, I feel like we're playing chess, right? The attackers can be offensive, we're defensive, and it's just the mindset is kind of different. And so that's why in cyber you also see offensive teams who's trying to break systems ahead of time. We can think like hackers too, and actually AI unlocks that. Really, I think it's a huge value add for security teams, but also unfortunately attack surface expands. We also just have to work really hard and be very creative when it comes to how to better protect.

You mentioned something about how direct— what outcomes we want, and usually it's my own lack of clarity that causes the AI's bad behavior or bad outcome that I didn't want. But anyway, I digress. I just wanted to come on here on this episode, it made sense. And admit that sometimes I'm mean to my AI person trying to get it to be more efficient.

When AI processes, when you give a prompt, if you give a clear prompt, you have to process tokens. There's a cost associated with every prompt or every question. One thing OpenAI, I believe, has said is there are people— I'm one of those people— I'll be like, can you please do this thing for me? Thank you. And they said if you add please and thank you, it takes up more tokens. Just be direct. Just remove all the pleasantry. That's crazy for me. I'm Canadian. I say sorry. I say thank you. I say please. All the time. Turn out that's not good for AI. Turn out it's costly.

And I'm from the South, so I kind of do the same thing. I do. I have the pleasantries on the front end, but then when I'm mad at it, I'm like, you know, this is really costing me more time and hours today. Your whole purpose in life is to save me time and energy, and all you've done is cost— anyway, what I'm hearing from you is that's great. Maybe you felt better. It's just costing you more money because you're just using tokens.

It's costing you money, but hey, if it works, it works for you. Like, ultimately it's about you. It's less about the AI. But yeah, just say too many prompts, make it short, be efficient, walk me through what you're going to do differently.

I love it. Hey, good tip for anyone out there. I'm not the only one. I'm just the only one that admits things. As we close out here, Nicole, I always like quick tips, actionable stuff for anyone that's listening, small, medium. We got executives running big companies. We got entrepreneurs running startups. Maybe a handful of things, easy things people could do to maybe have a little more AI hygiene in their cybersecurity.

We're all going to be superior prompters as we acquire skills in the AI world. My recommendation is number one, it's totally fine to be curious, but Number 2 is also just ask the question of, should I be concerned about the data? AI, can you please sanitize my data, sanitize my queries, and make sure that the AI can do the security-minded work for someone? I think the second thing is remember, don't give out your credit card information. Don't give out your passport. Don't give out your blood type, right? Let's just do the same thing in the AI world and make sure that the information you care about, just ask for it to omit, and AI would do the job for you. Regularly go through, hey, are things shared that it really shouldn't be? AI can probably find out about that really quickly for you too, and then you can take action. Those are good hygiene to just ask and prompt almost like part of your regular workflow.

Those are good. It's so funny. Everything's meta with this because AI can assist in whatever thing we're trying to solve that might be related to AI. It's sort of, I don't know, this meta circle I always find myself in. I'm like, I'm trying to worry about this with AI, but can AI help me? And it seems like it can.

AI is like your reasoning partner and just does so much. I'm really excited about the outcome, the future of where this technology can go.

Nicole, tell everyone where they can learn more about Fable Security yourself and stay get in touch or learn any of the sharings you might be having universally?

You can learn about us at fablesecurity.com. Our website shows a lot about what we do when it comes to protecting human risk, understanding employee behavior, and figuring out ways to share targeted interventions that can elevate your overall security hygiene, whether it's AI adoption, whether it's sharing sensitive data, whether it's also just defending against external threat actors. We are based in San Francisco, California. Our office is right in the heart of downtown. We work in person. We love being there to collaborate. So if you're ever in town, our door is open.

I really appreciate you for coming on. Let's do it again soon.

Absolutely.

Let's stay in touch, Nicole. I'd love to have you on every now and then. This is a very topical thing, real thing, as things evolve.

Yeah.

Have a fabulous rest of the day.

Thank you. Great to meet you. Thank you for having me on the show. Yeah, you're a good time. Take care.

Thanks. See ya.

This has been Right About Now with Ryan Alford, a Radcast Network production. Visit ryanisright.com for full audio and video versions of the show or to inquire about sponsorship opportunities. Thanks for listening.