I would like to invite all the panelists to the stage and then I will introduce each of you one by one. Do we have enough mics?
Oh, you have a mic. Okay, good.
Good, good. Hello. So the panel is about can you beat AI? And you explained to me it's not that serious, so it's a bit, right, hopefully a good last session, so to say. That's the plan. It's led by Matthias, 30 years of IT industry experience. Matthias is a young practice director at KuppingerCole Germany. So the other three gentlemen, and now it gets a bit difficult for me and it shows how old I am. They all worked for me. They all three worked for me in one or other capacities, right? So we have Max, he worked during my, when I was with Heinz Bank.
He was one of my department leads and my go-to person when we had red teaming exercises. So he knows everything about red teaming, right? So when you know, want to know about something, right? Then we have Sergej. He was a long time with Deutsche Bank when I was there, right? And you were working for one of my teams. We never had the opportunity during Deutsche Bank to work together, right? But we share Deutsche Bank experience. And Sergej was a long time chief security officer at Palo Alto Networks for the EMEA Central region, right?
And last but not least, Michael, as well, we share Deutsche history, right? You were part of one of my teams here in Germany when I was still working in the US. Michael was still recently the CISO or still the CISO of Adidas. Yeah. After Deutsche Bank, he joined ZF as head of IT security. Yeah. And became group CISO for Daimler AG as well. So thank you, gentlemen, that you are here. And I think let the panel start. Yeah. So first of all, this is a trial. We've never done that. It's never been tested. So this is really something where, yeah, it can go horribly wrong, but I hope not.
Oh, my God. Of course. Thank you. First of all, I have help. I cannot do this on my own. I have Christy with me and I have Michael with me. So consider this to be a game show with a bad game master. So the idea is the following. So we want to make sure that we solve tasks where the AI or where people have a chance to actually compete with the AI. That's the plan. And we have three rounds or four rounds. Let's try to find out how much we can make in these 20 minutes plus plus. So we have the team here. We have the participants here. So I'm looking at my list.
We work with high intelligence, AI powered multimedia, the flip chart. Not that good. But I think in the end, the scores don't really count. We will have the leaderboard there. We will have rounds of game. We will have individual tasks. And you have received these multimedia devices where you can actually provide your results and answers. That's great. Thank you. And we have actually, let's count, five participants in the game. So we have three CISOs. We have the audience and we have ChatGPT competing with each other. And that's the plan. And we have three rounds. Let's just looking at this again.
The CISOs have the piece of paper with the sharpie. Michael will be doing the multimedia wall of things. And Christy, I don't know how you want to do this. You will collect the feedback for each question for each task from the audience. So maybe with raising their hands or providing.
Yeah, for some of these. For the first, of course, not. You need to look at this thing because I will show pictures and I have questions and everybody else will have it here. So I think I'm getting close to actually doing this. What we need, final sentence is, I know it's late, some bit of discipline, because I don't want the answers to influence themselves. And we are not in those old 70s game shows where they have headphones and loud music and all this kind of stuff. Just make sure that you keep your answers to yourself, even for the audience, until we can compare those. That's the plan.
We start with the first round. I just need to check.
OK, this works. What we have, of course, here, you can see that I have to check GPT here as well. I don't know how to get it back, but that will work. Here we go. Draw.
Yeah, that works. Oh, that's interesting. We have a commercial account which does not learn from our input. At least they promised that. Do you believe them? I don't know. That's the AI engineer talking over there. Right. So the first game is, what did the machine think? So the idea is, I chose a few terms from cybersecurity. The example is here, firewall. And I asked DALL-E to create an image representing the concept behind that.
You know, all these stupid cybersecurity images that DALL-E can create, not these ones. So the question here, the prompt, illustrate the term firewall. Do not use any. And you can read it out. So the idea is, I will show you pictures like this. And you have to guess what is the cybersecurity concept behind that.
Okay, you get some 45 seconds, you write it down with your Sharpie. So it's one term, right? It's not a sentence. It's one term, one term. It can't be more than one word. But it's a term. And it's a cybersecurity term. And you should be used to that. Hopefully.
Well, of course. Let's see. Okay. Looks like a picture for my teenage son, actually.
No, no, no, it's all generated. It's all generated. We start simple. We really start simple.
And again, Christy will collect the feedback from the team. So talk to us a lot, not that loud, so that they can think about it as well. So that's it. Here we go. First round, 45 seconds or something like that. Michael is timekeeper.
Michael, you are timekeeper. Okay. But Michael takes the multimedia part. So 45 seconds starting now, it's a simple one. You've seen it already. And they get difficult and faster than you expected. Okay. Everything fine? Everything fine? Here we go. Collect the results. Starting with the CISOs. Honeypot. Honeypot. Wow. Big applause. Salary increase. And don't be worried if you don't find out some of those. I tested this with the team. It was fun. You have the other results as well?
Yeah, good. Okay, the next one. 45 seconds. I'm standing in the way to the evening reception, so I have to speed up. And this is not created by me. This is really the result from the AI. Yeah. I see puzzled faces. Time? Time's up.
Okay, where do we start? Password safe. Nope.
No, Max. It was Max. Max. Just me. Just me. Okay. So I thought it was looking like pen testing, trying to open something. That's one, but wrong. But closer. I have brute force attack. Yes. Here we go. Brute force attack. But that's three words, no? That's a good one. How is it in the audience? I don't ask ChatGPT because it created it, so. Yep.
Okay, good one. No. Michael did. And Max and Sergej did not. Yep. Here we go. Is this live streamed? I'm fearing my boss is looking. Of course. Next one. 45 seconds to go. Time? Eight seconds. Okay. Okay. Okay.
MITM, man in the middle. Man in the middle. Man in the middle. Man in the middle. Good. Audience? Okay. Multimedia is done.
Okay, good. Next one. We have seven of those. Oh. Must be a watch. You complained about the old one. It's a very fancy type of clock. It's going in the wrong direction upwards. Yep.
Okay, then. Here we go. Altogether?
One, two, three. Sandboxing. Yes.
So, not much left for the AI. Was the AI right? I'm guessing that.
No, no. It created that. Here's the next one. Okay. Ready.
Okay, good. Then collect the results. Packet inspection. Packet inspection. Deep packet inspection. Yes. With the clock. I added the deepest. But it was very clearly from the picture because, you know, they were looking very, very carefully. Exactly. But I accept both.
Yes, exactly. Exactly. The next one I have to explain a bit because I gave the term and I was surprised.
Okay, but if you are into IAM, maybe that makes sense. If not, don't worry. Nobody got it. Except for Philip.
Remember, I gave the term to the AI and said visualize it. That's the hard one. Okay. Okay. Okay.
Okay, now I'm really curious if somebody got that. You start.
Well, we have two options. We can't throw out both. Wormhole or tunneling. I've heard tunneling once before, but it's not that what has been created.
Okay, so no audience. No Max. Unauthorized cloud access. Nice try.
No, no, I have not yet asked Michael. Identity Federation. I have heard that before as well. It's actually, okay, I know it, of course, impossible travel. Impossible travel. We should actually ask the AI to guess this picture, right? So if you generate this with ChatGPT, let's ask Claude.
Yeah, that's true. You know, to be fair. That's true. That's true.
Final one, quick one. I've been told it's difficult. I thought not. Here we go. It's hard. Don't contradict me. Could be a lot. Audience is locked in. Don't be worried. And that's the final one. I think. Okay. Quick round. Anyone? Nice one.
I mean, I thought something about, you know, initially about password safe or whatever, but then perhaps it could be zero trust done wrong. Indirectly, yes, but no. I have secrets vault. But then the door would not be open. Because that is the back door.
Yeah, of course. Then a big round of applause. The back door wouldn't be in the middle of the service. I couldn't make it do it from the outside. I just cannot. He was the one who found out. So he has to defend it. Great. Collect the results. We've done that. First round over. They're counting. I think the results don't matter anyway. Next one. Who said it personally? I had a set of 60 quotes. They are either generated by a GPT or they are real quotes by cybersecurity authors, professionals, journalists, et cetera. We have 10 of those much quicker.
If you maybe make two pieces of paper and say, AI and person or A and P or something like that, then we are much faster and I think we should do it voting. 20 seconds. How much do we give them? 20. It's not easy, but it's a quick decision. Everybody good to go? Evening reception. I mentioned that once again. Good to go? Do you really want them to scream that? Yeah. Right. That's a good thing. Okay. Let's go. Who said it? A person or a GPT? Human. Human. Guys. Nice. I thought you had the results already. Sorry. That would be nice. Make the right decision. Here we go.
The only truly secure system is one that is powered off, cast in a block of concrete, and sealed in a lead-lined room with armed guards. Person or GPT? We have one AI with Michael and the others are people. May I? Of course. Human. Human. Human AI. Michael said AI. Okay. Next one. Phishing isn't a technical problem. It's a human one. Human. Human AI. Okay. We all get a human. Come on. You got it?
Of course, but you're not quoted with that. Person. What I did this morning is I checked it again if this is really a quote that is attributed to somebody. We all had human.
Yeah, we were all wrong. Okay. Speed up.
Oh, he did? It's a semicolon. The greatest threat to cybersecurity is overconfidence. That sounds very human. I'm sure there's somebody who said that. There are lots of people who said that, but they are not attributed to that. That's the main thing here. I'm pretty sure I've read it somewhere in the book. Sure.
All human, right? On stage? Yeah. Yeah. All wrong. All wrong. But these are points for ChatGPT afterwards, of course. Then it was good in fooling you. Cybersecurity is not about building walls, but understanding threats. You're getting cautious, right? We have AI, person AI.
So, Sergej is person and the other two are AI. I mean, the AI learned it somewhere, right?
So, somebody must have said that. Yep. Max and Michael. Four to go. Next one. Security is always excessive until it's not enough. Sounds very AI-like. But you're tricking us, I guess. The only human factor is the order that I applied. The real kicker would have been just using ChatGPT for this. No human. AI? What do we have?
AI, AI, AI? Poor Robby. Changed my strategy. All wrong. Next one. My favorite one. If you think technology can solve your security problems, then you don't understand the problems and you don't understand technology. Person. Human. Human. Can you say the name? Almost. All human. The Internet is the first thing that humanity has built that humanity doesn't understand. The largest experiment in anarchy that we have ever had. What do we have in the audience?
Okay, then let them vote. Yeah, what? Have we got it? Christie. AI. AI? Eric Schmidt. Nice. Bought his new book. Data isn't just information. All right. All good. Data isn't just information, it's power. And with power comes responsibility. It's not Spider-Man.
AI, AI? And? I'm pretty sure that. AI? Yep. I think that's the first time that AI is right everywhere.
You know, I feel we are like in a security operations center, right? One AI is throwing alerts or something, and then 50 security experts are trying to guess if it's the false positive or not. Final one. Final one. The Internet didn't invent crime, but it did globalize it. Okay. We have human, human, AI, human. It's unknown, but it's a person. It's attributable. Wait. That's cheating. That's cheating. You said it should be attributed. There's more than one. So that's the. So. Now we can decide. But this was the first two rounds.
And for every correct answer, ChatGPT got deducted one point, half a point. And you have added one point. So because it was fighting more than that was the idea. Willing to spend eight more minutes or? Nope. Yep. Okay. Now. I'm on the clock here. I need one minute to explain the task. And then we have four tasks that will take one and a half minute, a minute each. So that's the plan. If you ask something that is factual, you will lose because it will look it up. And it most probably will know. So what I did yesterday, maybe some of you have seen me and maybe some of you have been answering me.
I went around with a list of five questions. And asked the group of people here to give an estimate of figures. Not the correct answer. The estimate. That's the important part. Because the estimate, ChatGPT does not know. That's the plan. So I took 17. It says 20 in this thing. I have 17 estimates for each question. And then I did just the average. And now I ask you what this group of cyber security professionals estimated as the answer to the question. So estimate the estimate. Get it? You know that humans are by nature terribly bad at guessing and estimating. Exactly.
And that's what I aimed for. Because I wanted to make sure how good is ChatGPT at guessing. That's the part. Questions to that challenge? Yes. Questions to that challenge? So it's really not answering the question correctly. It's answering what you think that this group of people, and it was read by vendors, analysts, end users, everybody, is in this not representative group of people. I think we should have maybe a team of two or three that volunteer or something like that. Otherwise it might be difficult. So we end up with 20 results. Okay. Let's make it that way.
And I give you some time because it's not that easy. These are figures that are not easy to calculate or to estimate. Of course. So this will be the prompt. This is already prepared in my browser. So we'll do that live, of course. So if you want to read it, I just explained the situation. So we are at a cyber security conference. We play the game, estimate the estimation. You as the AI will compete against the human CISOs. And if you enter that prompt, something like that comes back. And I will do that in parallel while people are estimating that. Final questions?
Otherwise I start with the next first question. How many active IoT devices will be there by the end of 2024?
Worldwide, of course. Globally. Do something like that. When they complain, they have nothing to do and it left. I need to pull this over to my screen. Here we go. So just for you, that's what I've entered the prompt. And here we go. It says I'm ready. What's the question? Okay. So now I enter the question. And of course, the GPT needs to... Audience is ready? CISO is ready. AI is ready.
Okay, what do we have? I got between 15 and 30 billion. Make it more narrow because we will compare. Stay with the lower one. 20 billion. Thank you. My guess was it will try to extremely provide a very extreme number, 400 billion. Okay. 25 billion.
Okay, thank you. So that's the audience, but in the end we need the estimate. So here's the result from GPT. It says 38? 35? Okay. That was GPT? 35? Yeah. The actual estimation is... Here we go.
Yeah, but that's the average, of course. Oh, you're more than 50% off. Don't celebrate. You have 400 billion.
Yeah, you're like... That we are closer. Who's closest? Make the closest one. So I'm the closest one, although I'm wrong.
Yeah, I think so. And I'm not letting you influence me in the future to choose the lower number. It doesn't matter. My strategy was there's definitely somebody in the world who is trying to overestimate this very, very extremely. Exactly. And then ChatGPT is going to learn from that and just do that.
No, it's 500 billion. It's an IP address. You're right. I'm still struggling with the eight, but okay. Point for Michael.
Yeah, closest. I have anonymized the raw material. I can give it to you. But it's anonymized. Okay. An easier one, presumably. How many cybersecurity professionals, people that are earning money with cybersecurity are in the EU? Earning money could be tricky. It's not about how much money. It's about the mission, right? Need to pull this over again. Right. CISOs. Interesting. Starting with Michael this time.
250,000. 350?
250,000. 401. 401? 250 as well. 250 as well? Yes.
So first, the estimation of the estimation by ChatGPT. Here we go. Okay. How much did you have? 400. 401. 400 billion, right? Yeah. Or just 400. And the answer that is the correct one for us, because it's the estimate, it's 1.3 million. What? Audience. Yeah. Audience. And the correct answer is 1.3 million, which is weird. The complete EU. Yeah. I've checked it twice. Pardon? Estimated correctly. This is the weird thing about that, right? Wild. Okay. Next one. Two more to go, then it's really reception time. How many cybersecurity incidents are reported daily worldwide according to CERTs?
So reported, the important part is reported. So it was worth reporting, and they did report it, and that globally per day. You know what I'm aiming at with these questions? Should define what is a security incident, right? Yeah. Can I just answer not enough? That would be the right answer also for the cybersecurity problems. Incidents are reported daily worldwide. What was it in Germany recently? I don't know whether those are events or something like that.
Yeah, exactly. Two CERTs.
Yeah, exactly. A million reported, reported. Yes. Something that is worth reporting to a CERT. You need to do that.
Yeah, yeah. By a person, by... Yeah. No. Do we have figures? We can start here.
Oh no, we can't start yet. That makes no sense. It's a bit competitive. I had memorized the wrong number earlier. Sorry. All good. Because the real number is 18. That is the real number. That's the one I memorized. How about this side of the house?
400,000. Higher or lower? Lower. Lower. Yellow. Higher or lower? Lower. Then what?
400,000. I'm just kidding.
You know, we're stuck between higher and lower 400,000. Should we stay at 400,000? Yeah? Yeah. Okay. Fair enough. So we have.
Okay, 400,000. So we have 400,000, we have the figures from Max. Quarter million? Quarter million. Okay. Okay. Cycle? Since the question is so unspecific, you don't know security events, et cetera, I choose the answer for all the questions in the universe and that's 42. Yeah.
42, the answer is 42. Okay. So the estimate is, this is the estimate of the cybersecurity pros in this room or in this event. What? 17 of those. And the correct answer is ChatGPT failed. It could not do that. So it did not answer. So the question is only we, who is the one who, the audience, the audience, okay. Right. Okay. Final one. You've heard this number. This is not even something, the question is what did they estimate? This is the good one. It's the overall economic impact of cybercrime in a whole year globally, right? Not Germany.
No, not globally. But again, it's the estimation of the people, so. It is a billion, but that does not mean it cannot be a trillion, so. We should have got a report, but that's not allowed. Okay. Here we go. So where we are? So. 210 billion. 210 billion. Okay. 400 billion. 400 billion. 230 billion. 230 billion. Yeah. Okay. Okay. So 210 billion is Max. Okay. 400 billion is Sergej, and 200, oh, 230 is Michael. And here's ChatGPT. It says exactly one trillion. What did the, what did the audience say? One trillion. And here we go. This is the estimate of the, it's not even an IP address. IPv6 too.
And here we go. Yeah, right. I think that would be fine. I said 400. Yeah. Billion. No. So just have to check this. This does not work.
Oh, this is difficult. On that screen. I have the Excel sheet somewhere.
Oh, come on. Leaderboard surveys here. The correct answer is. Here we go. So now we go back to the multimedia wall. So now we go back to the multimedia wall taken care of by Michael. Who's the overall winner?
No, the moment is over. No, that's it. The winner is the audience. That's good. There would have been one more game, and that would be the question. Can you give me a prompt that ChatGPT cannot answer? Yes. That was what I expected, so I skipped that. Spell the name David Mayer. Exactly. Okay. So nothing to win. Nothing has really won, except for the audience, of course. Thank you for the time. I hope you liked it, and see you tomorrow with more decent topics again. Thank you. Thank you.